[SCM] Samba Shared Repository - branch v4-0-test updated

Karolin Seeger kseeger at samba.org
Wed Jan 30 03:56:52 MST 2013


The branch, v4-0-test has been updated
       via  4eadddc VERSION: Bump version number up to 4.0.3.
       via  baacf3e Merge commit 'samba-4.0.2' into v4-0-test
       via  1c2abd4 VERSION: Bump version number up to 4.0.2.
       via  0b40842 WHATSNEW: Update release notes for Samba 4.0.2.
       via  6762959 swat: Use additional nonce on XSRF protection
       via  4f24f1c swat: Use X-Frame-Options header to avoid clickjacking
      from  7ba52a1 Regression test for bug #9571 - Unlink after open causes smbd to panic

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test


- Log -----------------------------------------------------------------
commit 4eadddcfecc22fd2d5b71a0e2d019aa8d201d735
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Jan 30 11:55:47 2013 +0100

    VERSION: Bump version number up to 4.0.3.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    
    Karolin

commit baacf3e951628be656c2a624f683db53a6bbfdca
Merge: 7ba52a12bb930cfaddc3092cac291e4f7d503c05 1c2abd4cffe63bdc95449d97c9e823e96de04a8e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Jan 30 11:54:45 2013 +0100

    Merge commit 'samba-4.0.2' into v4-0-test

-----------------------------------------------------------------------

Summary of changes:
 VERSION                  |    2 +-
 WHATSNEW.txt             |   70 ++++++++++++++++++++++++++++++++++++++++++++-
 source3/web/cgi.c        |   39 ++++++++++++++++---------
 source3/web/swat.c       |    5 ++-
 source3/web/swat_proto.h |    1 +
 5 files changed, 99 insertions(+), 18 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index e3efbd7..8f3a310 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=0
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c69ca9..0711f96 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,70 @@
                    =============================
+                   Release Notes for Samba 4.0.2
+                         January 30, 2013
+                   =============================
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o  CVE-2013-0213:
+   All current released versions of Samba are vulnerable to clickjacking in the
+   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
+   a malicious web page via a frame or iframe and then overlaid by other content,
+   an attacker could trick an administrator to potentially change Samba settings.
+
+   In order to be vulnerable, SWAT must have been installed and enabled
+   either as a standalone server launched from inetd or xinetd, or as a
+   CGI plugin to Apache. If SWAT has not been installed or enabled (which
+   is the default install state for Samba) this advisory can be ignored.
+
+o  CVE-2013-0214:
+   All current released versions of Samba are vulnerable to a cross-site
+   request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+   user's password and then tricking a user who is authenticated with SWAT into
+   clicking a manipulated URL on a different web page, it is possible to manipulate
+   SWAT.
+
+   In order to be vulnerable, the attacker needs to know the victim's password.
+   Additionally SWAT must have been installed and enabled either as a standalone
+   server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
+   not been installed or enabled (which is the default install state for Samba)
+   this advisory can be ignored.
+
+
+Changes since 4.0.1:
+====================
+
+o   Kai Blin <kai at samba.org>
+    * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+    * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.0 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.0.1
                           January 15, 2013
                    =============================
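Review bot: the "Changes since 4.0.1" entries name the CVEs but the notes never say what the fixes actually do, which is what an administrator needs in order to verify a deployment; suggest one line per item, e.g. that SWAT pages now carry an `X-Frame-Options: DENY` header (CVE-2013-0213) and that the XSRF token now mixes in a server-side random nonce persisted through secrets_store_generic() in addition to username and password (CVE-2013-0214). The CVE-2013-0214 paragraph could also state the consequence plainly: before this change the token could be recomputed by anyone who knew the user's password, since nothing secret to the server went into it.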
@@ -51,8 +117,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.0.0
diff --git a/source3/web/cgi.c b/source3/web/cgi.c
index b97ed25..0192e7d 100644
--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
@@ -49,6 +49,7 @@ static const char *baseurl;
 static char *pathinfo;
 static char *C_user;
 static char *C_pass;
+static char *C_nonce;
 static bool inetd_server;
 static bool got_request;
 
@@ -330,20 +331,7 @@ static void cgi_web_auth(void)
 	C_user = SMB_STRDUP(user);
 
 	if (!samba_setuid(0)) {
-		C_pass = secrets_fetch_generic("root", "SWAT");
-		if (C_pass == NULL) {
-			char *tmp_pass = NULL;
-			tmp_pass = generate_random_password(talloc_tos(),
-							    16, 16);
-			if (tmp_pass == NULL) {
-				printf("%sFailed to create random nonce for "
-				       "SWAT session\n<br>%s\n", head, tail);
-				exit(0);
-			}
-			secrets_store_generic("root", "SWAT", tmp_pass);
-			C_pass = SMB_STRDUP(tmp_pass);
-			TALLOC_FREE(tmp_pass);
-		}
+		C_pass = SMB_STRDUP(cgi_nonce());
 	}
 	samba_setuid(pwd->pw_uid);
 	if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
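Review bot: with `C_pass = SMB_STRDUP(cgi_nonce());` the root SWAT password and the XSRF nonce are now the same secret fetched under the key ("root", "SWAT"), so in the root web-auth path get_xsrf_token() feeds that one value into the MD5 twice and the nonce adds no new entropy there; the change still closes the reported hole for users authenticating with their real password, but storing the nonce under its own key would keep the two roles separate and allow rotating one without the other. The NULL check on the result is gone only because cgi_nonce() exits on failure; SMB_STRDUP's own return value remains unchecked, as before.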
@@ -465,6 +453,29 @@ char *cgi_user_pass(void)
 }
 
 /***************************************************************************
+return a ptr to the nonce
+  ***************************************************************************/
+char *cgi_nonce(void)
+{
+	const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+	const char *tail = "</BODY></HTML>\r\n";
+	C_nonce = secrets_fetch_generic("root", "SWAT");
+	if (C_nonce == NULL) {
+		char *tmp_pass = NULL;
+		tmp_pass = generate_random_password(talloc_tos(), 16, 16);
+		if (tmp_pass == NULL) {
+			printf("%sFailed to create random nonce for "
+			       "SWAT session\n<br>%s\n", head, tail);
+			exit(0);
+		}
+		secrets_store_generic("root", "SWAT", tmp_pass);
+		C_nonce = SMB_STRDUP(tmp_pass);
+		TALLOC_FREE(tmp_pass);
+	}
+	return(C_nonce);
+}
+
+/***************************************************************************
 handle a file download
   ***************************************************************************/
 static void cgi_download(char *file)
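Review bot: cgi_nonce() re-fetches the secret and overwrites the static C_nonce on every call, so the value fetched during cgi_web_auth() is leaked when get_xsrf_token() calls it again, and a second database fetch is made for every token; add an early return at the top of the function, e.g. `if (C_nonce != NULL) { return C_nonce; }`. Two smaller points in the same hunk: the failure path calls exit(0) after printing an error page, which reports success to inetd or the web server, and the new `head`/`tail` strings duplicate the ones cgi_web_auth() already used at the removed call site and could be shared.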
diff --git a/source3/web/swat.c b/source3/web/swat.c
index 90e4af9..cc90f21 100644
--- a/source3/web/swat.c
+++ b/source3/web/swat.c
@@ -156,6 +156,7 @@ void get_xsrf_token(const char *username, const char *pass,
 	struct MD5Context md5_ctx;
 	uint8_t token[16];
 	int i;
+	char *nonce = cgi_nonce();
 
 	token_str[0] = '\0';
 	ZERO_STRUCT(md5_ctx);
@@ -169,6 +170,7 @@ void get_xsrf_token(const char *username, const char *pass,
 	if (pass != NULL) {
 		MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
 	}
+	MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
 
 	MD5Final(token, &md5_ctx);
 
@@ -269,7 +271,8 @@ static void print_header(void)
 	if (!cgi_waspost()) {
 		printf("Expires: 0\r\n");
 	}
-	printf("Content-type: text/html\r\n\r\n");
+	printf("Content-type: text/html\r\n");
+	printf("X-Frame-Options: DENY\r\n\r\n");
 
 	if (!include_html("include/header.html")) {
 		printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
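Review bot: `X-Frame-Options: DENY` is emitted only from print_header(), so responses that write their own headers stay frameable: the error page printed by the new cgi_nonce() (its `head` string ends the headers with `\r\n\r\n` and carries no X-Frame-Options) and whatever cgi_download() writes for file downloads. Consider a single helper that emits the Content-type and X-Frame-Options lines for every response, and note in a comment that DENY rather than SAMEORIGIN is intentional because SWAT has no legitimate framing use.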
diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
index 424a3af..fe51b1f 100644
--- a/source3/web/swat_proto.h
+++ b/source3/web/swat_proto.h
@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
 bool am_root(void);
 char *cgi_user_name(void);
 char *cgi_user_pass(void);
+char *cgi_nonce(void);
 void cgi_setup(const char *rootdir, int auth_required);
 const char *cgi_baseurl(void);
 const char *cgi_pathinfo(void);


-- 
Samba Shared Repository