[SCM] Samba Shared Repository - branch v3-4-test updated
Karolin Seeger
kseeger at samba.org
Mon Apr 30 12:58:41 MDT 2012
The branch, v3-4-test has been updated
via c81bb58 WHATSNEW: Start release notes for 3.4.18.
via 8fdbc38 VERSION: Bump version number up to 3.4.18.
via 1e048b7 Fix self granting privileges in security=ads.
via 4fbba69 WHATSNEW: Release notes 3.4.17.
from 209d28d WHATSNEW: Fix typo.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test
- Log -----------------------------------------------------------------
commit c81bb58764e8af42dca3cfd2f5e90d8baebb9af0
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Apr 30 20:53:59 2012 +0200
WHATSNEW: Start release notes for 3.4.18.
Karolin
(cherry picked from commit 4c0ff855799ffd2067768869f379d2d2e3d3b514)
commit 8fdbc38cdabcddbcb893fecc934d82686cba774e
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Apr 30 20:51:55 2012 +0200
VERSION: Bump version number up to 3.4.18.
Karolin
(cherry picked from commit 195943b7bf95e4a85795f86dda0cf71170c7c2de)
commit 1e048b78fb1647ac1cc11936db6275f6c2b6f545
Author: Jeremy Allison <jra at samba.org>
Date: Tue Apr 17 16:39:00 2012 -0700
Fix self granting privileges in security=ads.
CVE-2012-2111
(cherry picked from commit 55045f52181e5448c2aeefabde047128158d7c2e)
commit 4fbba692d86a04e5f929cc72eaa510ed6ab4a5d7
Author: Karolin Seeger <kseeger at samba.org>
Date: Sat Apr 28 18:58:03 2012 +0200
WHATSNEW: Release notes 3.4.17.
Karolin
(cherry picked from commit a78242b544ab1a7b486856b87824050deca661dc)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 59 +++++++++++++++++++++++++++++++++++---
source3/VERSION | 2 +-
source3/rpc_server/srv_lsa_nt.c | 42 +++++++++++++++++++++++++--
3 files changed, 93 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 41685fc..4283231 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,19 +1,20 @@
==============================
- Release Notes for Samba 3.4.17
+ Release Notes for Samba 3.4.18
, 2012
==============================
This is a security release in order to address
-CVE- ().
+CVE-2012- ().
-o
+o CVE-2012-:
-Changes since 3.4.16
+
+Changes since 3.4.17
--------------------
-o Stefan Metzmacher <metze at samba.org>
+o Jeremy Allison <jra at samba.org>
######################################################################
@@ -40,6 +41,54 @@ Release notes for older versions follow:
----------------------------------------
==============================
+ Release Notes for Samba 3.4.17
+ April 30, 2012
+ ==============================
+
+
+This is a security release in order to address
+CVE-2012-2111 (Incorrect permission checks when granting/removing
+privileges can compromise file server security).
+
+o CVE-2012-2111:
+ Samba 3.4.x to 3.6.4 are affected by a
+ vulnerability that allows arbitrary users
+ to modify privileges on a file server.
+
+
+Changes since 3.4.16
+--------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * Fix incorrect permission checks when granting/removing
+ privileges (CVE-2012-2111).
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+----------------------------------------------------------------------
+
+
+ ==============================
Release Notes for Samba 3.4.16
April 10, 2012
==============================
diff --git a/source3/VERSION b/source3/VERSION
index 4d0a96b..20dd4aa 100644
--- a/source3/VERSION
+++ b/source3/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=17
+SAMBA_VERSION_RELEASE=18
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index f187432..a405dd2 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -1579,6 +1579,15 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
{
struct lsa_info *handle;
struct lsa_info *info;
+ uint32 des_access = r->in.access_mask;
+ uint32 acc_granted;
+ uint32 owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+ ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+ LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+ DELETE_ACCESS));
+ SEC_DESC *psd = NULL;
+ size_t sd_size;
+ NTSTATUS status;
/* find the connection policy handle. */
if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
@@ -1600,6 +1609,27 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
if ( is_privileged_sid( r->in.sid ) )
return NT_STATUS_OBJECT_NAME_COLLISION;
+ /* Work out max allowed. */
+ map_max_allowed_access(p->server_info->ptok, &des_access);
+
+ /* map the generic bits to the lsa policy ones */
+ se_map_generic(&des_access, &lsa_policy_mapping);
+
+ /* get the generic lsa policy SD until we store it */
+ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping,
+ r->in.sid, owner_access);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = access_check_object(psd, p->server_info->ptok,
+ NULL, 0, des_access,
+ &acc_granted, "_lsa_CreateAccont" );
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
/* associate the user/group SID with the (unique) handle. */
info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info);
@@ -1608,7 +1638,7 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p,
}
info->sid = *r->in.sid;
- info->access = r->in.access_mask;
+ info->access = acc_granted;
info->type = LSA_HANDLE_ACCOUNT_TYPE;
/* get a (unique) handle. open a policy on it. */
@@ -1631,6 +1661,10 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p,
size_t sd_size;
uint32_t des_access = r->in.access_mask;
uint32_t acc_granted;
+ uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
+ ~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
+ LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
+ STD_RIGHT_DELETE_ACCESS));
NTSTATUS status;
/* find the connection policy handle. */
@@ -1653,7 +1687,7 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p,
/* get the generic lsa account SD until we store it */
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+ r->in.sid, owner_access);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2070,7 +2104,7 @@ NTSTATUS _lsa_AddAccountRights(pipes_struct *p,
/* get the generic lsa account SD for this SID until we store it */
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+ NULL, 0);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
@@ -2141,7 +2175,7 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p,
/* get the generic lsa account SD for this SID until we store it */
status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
&lsa_account_mapping,
- r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
+ NULL, 0);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
--
Samba Shared Repository
More information about the samba-cvs
mailing list