[SCM] Samba Shared Repository - branch v3-6-stable updated

Karolin Seeger kseeger at samba.org
Mon Apr 30 06:20:57 MDT 2012


The branch, v3-6-stable has been updated
       via  5bdabda9 Fix self granting privileges in security=ads.
       via  49808d0 WHATSNEW: Release notes for 3.6.5.
      from  7a2f530 WHATSNEW: Start release notes for Samba 3.6.5.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable


- Log -----------------------------------------------------------------
commit 5bdabda9e2143b1188f52533a4fa3f838b6066c9
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Apr 17 12:30:15 2012 -0700

    Fix self granting privileges in security=ads.
    
    CVE-2012-2111

commit 49808d01df79d67bc98f9c993b38c3ed49e892b4
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Apr 27 20:23:15 2012 +0200

    WHATSNEW: Release notes for 3.6.5.
    
    Karolin

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                        |   16 +++++++++++-----
 source3/rpc_server/lsa/srv_lsa_nt.c |   16 ++++++++++++----
 2 files changed, 23 insertions(+), 9 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 02ed8dd..874cb08 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,20 +1,26 @@
                    =============================
                    Release Notes for Samba 3.6.5
-                          , 2012
+                          April 30, 2012
                    =============================
 
 
-This is the latest stable release of Samba 3.6.
+This is a security release in order to address
+CVE-2012-2111 (Incorrect permission checks when granting/removing
+privileges can compromise file server security).
 
-Major enhancements in Samba 3.6.5 include:
+o  CVE-2012-2111:
+   Samba 3.4.x to 3.6.4 are affected by a
+   vulnerability that allows arbitrary users
+   to modify privileges on a file server.
 
-o  
 
 Changes since 3.6.4:
 --------------------
 
 
-o   Stefan Metzmacher <metze at samba.org>
+o   Jeremy Allison <jra at samba.org>
+    * Fix  incorrect permission checks when granting/removing
+      privileges (CVE-2012-2111).
 
 
 ######################################################################
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index f8c77ba..a7b55e7 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -2448,6 +2448,10 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
 	uint32_t acc_granted;
 	struct security_descriptor *psd;
 	size_t sd_size;
+	uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+			~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+			LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+			SEC_STD_DELETE));
 
 	/* find the connection policy handle. */
 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
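Review bot: The `owner_access` mask added at the top of `_lsa_CreateAccount` has no comment saying why these three rights are withheld, and the identical four-line expression is repeated in the `_lsa_OpenAccount` hunk further down. Since this mask is the core of the CVE-2012-2111 fix, a future edit that updates one copy and not the other would silently reopen the hole in one of the two calls. I would define it once at file scope, for example `#define LSA_ACCOUNT_OWNER_ACCESS (LSA_ACCOUNT_ALL_ACCESS & ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|SEC_STD_DELETE))`, with the comment `/* The account's own SID must not be able to adjust its privileges or system access, or delete the account object (CVE-2012-2111). */`. Both function bodies start and end outside their hunks, so the access check that consumes the resulting descriptor is not visible here.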
@@ -2473,7 +2477,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
 
 	status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
 				    &lsa_account_mapping,
-				    r->in.sid, LSA_POLICY_ALL_ACCESS);
+				    r->in.sid, owner_access);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2514,6 +2518,10 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
 	size_t sd_size;
 	uint32_t des_access = r->in.access_mask;
 	uint32_t acc_granted;
+	uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+			~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+			LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+			SEC_STD_DELETE));
 	NTSTATUS status;
 
 	/* find the connection policy handle. */
@@ -2538,7 +2546,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
 	/* get the generic lsa account SD until we store it */
 	status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
 				&lsa_account_mapping,
-				r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+				r->in.sid, owner_access);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}
@@ -2886,7 +2894,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
         /* get the generic lsa account SD for this SID until we store it */
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                 &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+				NULL, 0);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }
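Review bot: The context comment `/* get the generic lsa account SD for this SID until we store it */` is stale in `_lsa_AddAccountRights` now that the call passes `NULL, 0` instead of `r->in.sid`, and the same applies to the `_lsa_RemoveAccountRights` hunk below. I would reword it to state the intent, for example `/* build the generic lsa account SD with no per-SID ACE: the target SID must get no rights over its own privileges */`. `make_lsa_object_sd` is not visible in this diff, so the assumption that a NULL SID simply omits the extra ACE and leaves the default entries in place should be confirmed against its body. The replacement line is also indented with tabs while the surrounding lines in both hunks use spaces.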
@@ -2957,7 +2965,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
         /* get the generic lsa account SD for this SID until we store it */
         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
                                 &lsa_account_mapping,
-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+				NULL, 0);
         if (!NT_STATUS_IS_OK(status)) {
                 return status;
         }


-- 
Samba Shared Repository

