[SCM] Samba Shared Repository - branch v3-6-stable updated

Karolin Seeger kseeger at samba.org
Mon Nov 11 02:48:53 MST 2013


The branch, v3-6-stable has been updated
       via  12598a7 WHATSNEW: Add release notes for Samba 3.6.20.
       via  14d4813 Fix bug #10229 - No access check verification on stream files.
      from  c18329b WHATSNEW: Start release notes for Samba 3.6.20.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable


- Log -----------------------------------------------------------------
commit 12598a76c0330ea1067c4b11b295ab3473e93f15
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Nov 7 12:49:34 2013 +0100

    WHATSNEW: Add release notes for Samba 3.6.20.
    
    Bug 10235 - CVE-2013-4475: No access check verification on stream files.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 14d48130870579541c07f5a0f64638e635ddce95
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Oct 31 13:48:42 2013 -0700

    Fix bug #10229 - No access check verification on stream files.
    
    https://bugzilla.samba.org/show_bug.cgi?id=10229
    
    We need to check if the requested access mask
    could be used to open the underlying file (if
    it existed), as we're passing in zero for the
    access mask to the base filename.
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    
    Fix Bug #10235 - CVE-2013-4475: No access check verification on stream files.
    https://bugzilla.samba.org/show_bug.cgi?id=10235

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt        |   31 +++++++++++++++++++++----
 source3/smbd/open.c |   61 +++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 87 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d30b702..d6b1ebd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,20 +1,41 @@
                    ==============================
                    Release Notes for Samba 3.6.20
-                         November 06, 2013
+                         November 11, 2013
                    ==============================
 
 
-This is is the latest maintenance release of Samba 3.6.
+This is a security release in order to address
+CVE-2013-4475 (ACLs are not checked on opening an alternate
+data stream on a file or directory).
 
-Please note that this will probably be the last maintenance release
-of the Samba 3.6 release series. With the release of Samba 4.1.0, the
-3.6 release series will be turned into the "security fixes only" mode.
+o  CVE-2013-4475:
+   Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
+   3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
+   file or directory ACL when opening an alternate data stream.
+
+   According to the SMB1 and SMB2+ protocols the ACL on an underlying
+   file or directory should control what access is allowed to alternate
+   data streams that are associated with the file or directory.
+
+   By default no version of Samba supports alternate data streams
+   on files or directories.
+
+   Samba can be configured to support alternate data streams by loading
+   either one of two virtual file system modues (VFS) vfs_streams_depot or
+   vfs_streams_xattr supplied with Samba, so this bug only affects Samba
+   servers configured this way.
+
+   To determine if your server is vulnerable, check for the strings
+   "streams_depot" or "streams_xattr" inside your smb.conf configuration
+   file.
 
 
 Changes since 3.6.19:
 ---------------------
 
 o   Jeremy Allison <jra at samba.org>
+    * BUGs 10234 + 10229: CVE-2013-4475: Fix access check verification on stream
+      files.
 
 
 ######################################################################
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 447de80..441b8cd 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -152,6 +152,48 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
 }
 
 /****************************************************************************
+ Ensure when opening a base file for a stream open that we have permissions
+ to do so given the access mask on the base file.
+****************************************************************************/
+
+static NTSTATUS check_base_file_access(struct connection_struct *conn,
+				struct smb_filename *smb_fname,
+				uint32_t access_mask)
+{
+	uint32_t access_granted = 0;
+	NTSTATUS status;
+
+	status = smbd_calculate_access_mask(conn, smb_fname,
+					false,
+					access_mask,
+					&access_mask);
+	if (!NT_STATUS_IS_OK(status)) {
+		DEBUG(10, ("smbd_calculate_access_mask "
+			"on file %s returned %s\n",
+			smb_fname_str_dbg(smb_fname),
+			nt_errstr(status)));
+		return status;
+	}
+
+	if (access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) {
+		uint32_t dosattrs;
+		if (!CAN_WRITE(conn)) {
+			return NT_STATUS_ACCESS_DENIED;
+		}
+		dosattrs = dos_mode(conn, smb_fname);
+ 		if (IS_DOS_READONLY(dosattrs)) {
+			return NT_STATUS_ACCESS_DENIED;
+		}
+	}
+
+
+	return smbd_check_open_rights(conn,
+				smb_fname,
+				access_mask,
+				&access_granted);
+}
+
+/****************************************************************************
  fd support routines - attempt to do a dos_open.
 ****************************************************************************/
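Review bot: The call `smbd_calculate_access_mask(conn, smb_fname, false, access_mask, &access_mask)` in check_base_file_access passes a bare `false` whose meaning cannot be read from this hunk, even though the call site added in the create_file_unixpath hunk only reaches it after a successful stat of the base file; a short comment naming that parameter and saying why `false` is intended would let a reader confirm that the base file's ACL is what gets evaluated. The header comment could also state the contract: `smb_fname` is the base (non-stream) name, `access_mask` is the mask requested for the stream open, and `access_granted` is deliberately discarded because only the returned status is used. The write guard tests only `FILE_WRITE_DATA|FILE_APPEND_DATA`; if the other write-class bits are meant to be left to `smbd_check_open_rights`, a one-line comment saying so would make that explicit. Minor style: the `if (IS_DOS_READONLY(dosattrs))` line has a space before its tabs, and there is a doubled blank line before the final `return`.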
 
@@ -3227,6 +3269,25 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
 		if (SMB_VFS_STAT(conn, smb_fname_base) == -1) {
 			DEBUG(10, ("Unable to stat stream: %s\n",
 				   smb_fname_str_dbg(smb_fname_base)));
+		} else {
+			/*
+			 * https://bugzilla.samba.org/show_bug.cgi?id=10229
+			 * We need to check if the requested access mask
+			 * could be used to open the underlying file (if
+			 * it existed), as we're passing in zero for the
+			 * access mask to the base filename.
+			 */
+			status = check_base_file_access(conn,
+							smb_fname_base,
+							access_mask);
+
+			if (!NT_STATUS_IS_OK(status)) {
+				DEBUG(10, ("Permission check "
+					"for base %s failed: "
+					"%s\n", smb_fname->base_name,
+					nt_errstr(status)));
+				goto fail;
+			}
 		}
 
 		/* Open the base file. */
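Review bot: The new check in create_file_unixpath runs only in the `else` of `SMB_VFS_STAT(conn, smb_fname_base) == -1`, so any stat failure, not just a missing base file, skips check_base_file_access and falls through to the base-file open. Whether the later open rejects those cases is outside this hunk, so it would be safer to fail closed in the stat-failure branch, for example `if (errno != ENOENT) { status = map_nt_error_from_unix(errno); goto fail; }`. The check is path-based and happens before the open, so a comment noting that its result can go stale if the base file changes in between would document the remaining gap. The failure DEBUG prints `smb_fname->base_name` while the check ran on `smb_fname_base`; `smb_fname_str_dbg(smb_fname_base)` would match the stat message just above it. The function begins and ends outside this hunk.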


-- 
Samba Shared Repository

