[SCM] Samba Shared Repository - branch v4-8-stable updated

Karolin Seeger kseeger at samba.org
Mon Apr 8 07:31:14 UTC 2019


The branch, v4-8-stable has been updated
       via  b7e91b13d4d VERSION: Disable GIT_SNAPSHOT for the 4.8.11 release.
       via  b6093764277 WHATSNEW: Add release notes for Samba 4.8.11.
       via  9a3ee861e43 CVE-2019-3880 s3: rpc: winreg: Remove implementations of SaveKey/RestoreKey.
       via  2d67f62153b VERSION: Bump version up to 4.8.11...
      from  4575c88005d VERSION: Disable GIT_SNAPSHOT for the 4.8.10 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-stable


- Log -----------------------------------------------------------------
commit b7e91b13d4db1ca4237077c307c4b868ba553da2
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Apr 5 09:25:57 2019 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.8.11 release.
    
    CVE-2019-3880 (Save registry file outside share as unprivileged user)
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit b609376427757331a3adaad7ee06ab8c86249de3
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Apr 5 09:24:49 2019 +0200

    WHATSNEW: Add release notes for Samba 4.8.11.
    
    CVE-2019-3880 (Save registry file outside share as unprivileged user)
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 9a3ee861e43f84d48ef47998ceeb3bbf29f0c948
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Mar 21 14:51:30 2019 -0700

    CVE-2019-3880 s3: rpc: winreg: Remove implementations of SaveKey/RestoreKey.
    
    They were not using VFS backend calls and could only work
    locally, and were unsafe against symlink races and other
    security issues.
    
    If the incoming handle is valid, return WERR_BAD_PATHNAME.
    
    [MS-RRP] states "The format of the file name is implementation-specific"
    so ensure we don't allow this.
    
    As reported by Michael Hanselmann.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2d67f62153b6961df4b0172231dc5508031f8861
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Apr 4 12:05:08 2019 +0200

    VERSION: Bump version up to 4.8.11...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 260a15bd57c52c49234b606062763e10bf77c03e)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                   |  2 +-
 WHATSNEW.txt                              | 58 ++++++++++++++++++-
 source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
 3 files changed, 61 insertions(+), 91 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 5f6857a28b9..355fb3a99a5 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=8
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cc9123ee246..b51ba11f813 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,57 @@
+                   ==============================
+                   Release Notes for Samba 4.8.11
+                           April 8, 2019
+                   ==============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2019-3880 (Save registry file outside share as unprivileged user)
+
+
+=======
+Details
+=======
+
+o  CVE-2018-14629:
+   Authenticated users with write permission
+   can trigger a symlink traversal to write
+   or detect files outside the Samba share.
+
+For more details and workarounds, please refer to the security advisory.
+
+
+Changes since 4.8.10:
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
+     SaveKey/RestoreKey.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 4.8.10
                            April 4, 2019
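
Review bot: the Details entry and the changelog line in the new 4.8.11 block name CVE-2018-14629, while the headline item a few lines above and the commit subject name CVE-2019-3880. Both `o  CVE-2018-14629:` and `* BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of` look like leftovers from an earlier release-note template and should read CVE-2019-3880, so that anyone searching the release notes by CVE id finds this fix.
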
@@ -109,8 +163,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.8.9
diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
index d9ee8d0602d..816c6bb2a12 100644
--- a/source3/rpc_server/winreg/srv_winreg_nt.c
+++ b/source3/rpc_server/winreg/srv_winreg_nt.c
@@ -639,46 +639,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
 	return (ret == 0) ? WERR_OK : WERR_ACCESS_DENIED;
 }
 
-/*******************************************************************
- ********************************************************************/
-
-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
-{
-	char *p = NULL;
-	int num_services = lp_numservices();
-	int snum = -1;
-	const char *share_path = NULL;
-	char *fname = *pp_fname;
-
-	/* convert to a unix path, stripping the C:\ along the way */
-
-	if (!(p = valid_share_pathname(ctx, fname))) {
-		return -1;
-	}
-
-	/* has to exist within a valid file share */
-
-	for (snum=0; snum<num_services; snum++) {
-		if (!lp_snum_ok(snum) || lp_printable(snum)) {
-			continue;
-		}
-
-		share_path = lp_path(talloc_tos(), snum);
-
-		/* make sure we have a path (e.g. [homes] ) */
-		if (strlen(share_path) == 0) {
-			continue;
-		}
-
-		if (strncmp(share_path, p, strlen(share_path)) == 0) {
-			break;
-		}
-	}
-
-	*pp_fname = p;
-	return (snum < num_services) ? snum : -1;
-}
-
 /*******************************************************************
  _winreg_RestoreKey
  ********************************************************************/
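
Review bot: the commit message says the old code was unsafe against symlink races, but it does not record that the share check in the removed validate_reg_filename() was only a string comparison. `strncmp(share_path, p, strlen(share_path)) == 0` is a prefix match on the unresolved name, so it neither stops at a path-component boundary nor accounts for symlinks below the share root. A sentence to that effect in the commit message would document why removal was chosen over repair. Also check whether valid_share_pathname() still has a caller once this function is gone; if not, it can be dropped in the same change.
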
@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
 			  struct winreg_RestoreKey *r)
 {
 	struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
-	char *fname = NULL;
-	int snum = -1;
 
-	if ( !regkey )
+	if ( !regkey ) {
 		return WERR_INVALID_HANDLE;
-
-	if ( !r->in.filename || !r->in.filename->name )
-		return WERR_INVALID_PARAMETER;
-
-	fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
-	if (!fname) {
-		return WERR_NOT_ENOUGH_MEMORY;
 	}
-
-	DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
-		 "\"%s\"\n", regkey->key->name, fname));
-
-	if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
-		return WERR_BAD_PATHNAME;
-
-	/* user must posses SeRestorePrivilege for this this proceed */
-
-	if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
-		return WERR_ACCESS_DENIED;
-	}
-
-	DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
-		 regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
-	return reg_restorekey(regkey, fname);
+	return WERR_BAD_PATHNAME;
 }
 
 /*******************************************************************
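
Review bot: in _winreg_RestoreKey() the new unconditional `return WERR_BAD_PATHNAME;` carries no comment, so the reason for it lives only in the commit message. Add a short comment above the return that points at CVE-2019-3880 / bug 13851 and the [MS-RRP] wording, so the stub is not read as unfinished code and re-implemented later. Both DEBUG calls are removed as well; keeping one DEBUG line that records the refused request would let administrators see which clients still call this operation.
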
@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
 		       struct winreg_SaveKey *r)
 {
 	struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
-	char *fname = NULL;
-	int snum = -1;
 
-	if ( !regkey )
+	if ( !regkey ) {
 		return WERR_INVALID_HANDLE;
-
-	if ( !r->in.filename || !r->in.filename->name )
-		return WERR_INVALID_PARAMETER;
-
-	fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
-	if (!fname) {
-		return WERR_NOT_ENOUGH_MEMORY;
 	}
-
-	DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
-		 regkey->key->name, fname));
-
-	if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
-		return WERR_BAD_PATHNAME;
-
-	DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
-		 regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
-
-	return reg_savekey(regkey, fname);
+	return WERR_BAD_PATHNAME;
 }
 
 /*******************************************************************
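
Review bot: _winreg_SaveKey() gets the same stub, and the summary of changes lists only VERSION, WHATSNEW.txt and srv_winreg_nt.c, so nothing in this push tests the new behaviour. A regression test that opens a valid key handle, calls SaveKey and RestoreKey, and expects WERR_BAD_PATHNAME would stop a later change from quietly restoring file access through these calls. `r->in.filename` is no longer read here, which is worth stating in a comment next to the return.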


-- 
Samba Shared Repository


