[SCM] Samba Shared Repository - branch v4-0-test updated
Karolin Seeger
kseeger at samba.org
Wed Jan 30 03:56:52 MST 2013
The branch, v4-0-test has been updated
via 4eadddc VERSION: Bump version number up to 4.0.3.
via baacf3e Merge commit 'samba-4.0.2' into v4-0-test
via 1c2abd4 VERSION: Bump version number up to 4.0.2.
via 0b40842 WHATSNEW: Update release notes for Samba 4.0.2.
via 6762959 swat: Use additional nonce on XSRF protection
via 4f24f1c swat: Use X-Frame-Options header to avoid clickjacking
from 7ba52a1 Regression test for bug #9571 - Unlink after open causes smbd to panic
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test
- Log -----------------------------------------------------------------
commit 4eadddcfecc22fd2d5b71a0e2d019aa8d201d735
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Jan 30 11:55:47 2013 +0100
VERSION: Bump version number up to 4.0.3.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
Karolin
commit baacf3e951628be656c2a624f683db53a6bbfdca
Merge: 7ba52a12bb930cfaddc3092cac291e4f7d503c05 1c2abd4cffe63bdc95449d97c9e823e96de04a8e
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Jan 30 11:54:45 2013 +0100
Merge commit 'samba-4.0.2' into v4-0-test
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 70 ++++++++++++++++++++++++++++++++++++++++++++-
source3/web/cgi.c | 39 ++++++++++++++++---------
source3/web/swat.c | 5 ++-
source3/web/swat_proto.h | 1 +
5 files changed, 99 insertions(+), 18 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index e3efbd7..8f3a310 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c69ca9..0711f96 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
=============================
+ Release Notes for Samba 4.0.2
+ January 30, 2013
+ =============================
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o CVE-2013-0213:
+ All current released versions of Samba are vulnerable to clickjacking in the
+ Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
+ a malicious web page via a frame or iframe and then overlaid by other content,
+ an attacker could trick an administrator to potentially change Samba settings.
+
+ In order to be vulnerable, SWAT must have been installed and enabled
+ either as a standalone server launched from inetd or xinetd, or as a
+ CGI plugin to Apache. If SWAT has not been installed or enabled (which
+ is the default install state for Samba) this advisory can be ignored.
+
+o CVE-2013-0214:
+ All current released versions of Samba are vulnerable to a cross-site
+ request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+ user's password and then tricking a user who is authenticated with SWAT into
+ clicking a manipulated URL on a different web page, it is possible to manipulate
+ SWAT.
+
+ In order to be vulnerable, the attacker needs to know the victim's password.
+ Additionally SWAT must have been installed and enabled either as a standalone
+ server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
+ not been installed or enabled (which is the default install state for Samba)
+ this advisory can be ignored.
+
+
+Changes since 4.0.1:
+====================
+
+o Kai Blin <kai at samba.org>
+ * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+ * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.0.1
January 15, 2013
=============================
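Review bot: the CVE-2013-0213 entry describes the bug but not the fix; a sentence stating that SWAT now sends `X-Frame-Options: DENY`, and that this only protects users whose browsers honour that header, would tell administrators what changed and whether their clients are covered. Likewise for CVE-2013-0214, stating that the XSRF token is now bound to a server-side nonce would explain the change rather than leaving it at "Fix potential XSRF in SWAT".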
@@ -51,8 +117,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.0.0
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index b97ed25..0192e7d 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -49,6 +49,7 @@ static const char *baseurl;
static char *pathinfo;
static char *C_user;
static char *C_pass;
+static char *C_nonce;
static bool inetd_server;
static bool got_request;
@@ -330,20 +331,7 @@ static void cgi_web_auth(void)
C_user = SMB_STRDUP(user);
if (!samba_setuid(0)) {
- C_pass = secrets_fetch_generic("root", "SWAT");
- if (C_pass == NULL) {
- char *tmp_pass = NULL;
- tmp_pass = generate_random_password(talloc_tos(),
- 16, 16);
- if (tmp_pass == NULL) {
- printf("%sFailed to create random nonce for "
- "SWAT session\n<br>%s\n", head, tail);
- exit(0);
- }
- secrets_store_generic("root", "SWAT", tmp_pass);
- C_pass = SMB_STRDUP(tmp_pass);
- TALLOC_FREE(tmp_pass);
- }
+ C_pass = SMB_STRDUP(cgi_nonce());
}
samba_setuid(pwd->pw_uid);
if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
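Review bot: `C_pass = SMB_STRDUP(cgi_nonce());` makes the root web-auth password and the XSRF nonce the same secret. Since cgi_nonce() already returns a heap copy that it keeps in the static C_nonce, the extra SMB_STRDUP only adds a second copy, and reusing one value for both purposes means get_xsrf_token() hashes the same string twice (once as pass, once as nonce) for the root session. If a single shared secret is intended, drop the duplicate copy and document it; otherwise derive the nonce from a separate secrets key.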
@@ -465,6 +453,29 @@ char *cgi_user_pass(void)
}
/***************************************************************************
+return a ptr to the nonce
+ ***************************************************************************/
+char *cgi_nonce(void)
+{
+ const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+ const char *tail = "</BODY></HTML>\r\n";
+ C_nonce = secrets_fetch_generic("root", "SWAT");
+ if (C_nonce == NULL) {
+ char *tmp_pass = NULL;
+ tmp_pass = generate_random_password(talloc_tos(), 16, 16);
+ if (tmp_pass == NULL) {
+ printf("%sFailed to create random nonce for "
+ "SWAT session\n<br>%s\n", head, tail);
+ exit(0);
+ }
+ secrets_store_generic("root", "SWAT", tmp_pass);
+ C_nonce = SMB_STRDUP(tmp_pass);
+ TALLOC_FREE(tmp_pass);
+ }
+ return(C_nonce);
+}
+
+/***************************************************************************
handle a file download
***************************************************************************/
static void cgi_download(char *file)
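Review bot: cgi_nonce() must return the same value across CGI invocations for a token emitted in one request to verify in the next, but the return value of secrets_store_generic() is ignored. If the store fails (for example when the function is reached from get_xsrf_token() in a process that no longer runs as root after samba_setuid(pwd->pw_uid)), each process silently generates a fresh random nonce and every token check fails. Check the result of secrets_store_generic() and report the error instead of continuing, and short-circuit repeated calls (`if (C_nonce != NULL) return C_nonce;`) so that each call does not re-fetch from the secrets database and overwrite C_nonce without freeing the previous copy. Minor: exit(0) on the error path reports success to the CGI parent.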
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 90e4af9..cc90f21 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -156,6 +156,7 @@ void get_xsrf_token(const char *username, const char *pass,
struct MD5Context md5_ctx;
uint8_t token[16];
int i;
+ char *nonce = cgi_nonce();
token_str[0] = '\0';
ZERO_STRUCT(md5_ctx);
@@ -169,6 +170,7 @@ void get_xsrf_token(const char *username, const char *pass,
if (pass != NULL) {
MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
}
+ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
MD5Final(token, &md5_ctx);
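Review bot: the nonce is folded in as a bare MD5 over the concatenation username||pass||nonce with no length framing between the fields, so the boundary between pass and nonce is ambiguous. Prefer a keyed construction, e.g. Samba's hmac_md5() with the nonce as the key over username and pass, which also keeps the secret out of the hashed message. The hunk also relies on cgi_nonce() never returning NULL (it exits instead) for `strlen(nonce)` to be safe; a comment stating that would help the next reader.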
@@ -269,7 +271,8 @@ static void print_header(void)
if (!cgi_waspost()) {
printf("Expires: 0\r\n");
}
- printf("Content-type: text/html\r\n\r\n");
+ printf("Content-type: text/html\r\n");
+ printf("X-Frame-Options: DENY\r\n\r\n");
if (!include_html("include/header.html")) {
printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
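Review bot: `X-Frame-Options: DENY` is emitted only from print_header(); any response that writes its own headers (the SWAT installation error page in cgi_nonce() prints a bare Content-Type) goes out without it, and the protection depends on the client browser honouring the header, which older browsers do not. Consider emitting all HTTP headers from one place so the header cannot be missed, and note the browser dependency in the release notes. Minor: this file writes `Content-type` while cgi.c writes `Content-Type`; pick one spelling.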
diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
index 424a3af..fe51b1f 100644
--- a/source3/web/swat_proto.h
+++ b/source3/web/swat_proto.h
@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
bool am_root(void);
char *cgi_user_name(void);
char *cgi_user_pass(void);
+char *cgi_nonce(void);
void cgi_setup(const char *rootdir, int auth_required);
const char *cgi_baseurl(void);
const char *cgi_pathinfo(void);
--
Samba Shared Repository