[Pkg-samba-maint] r3082 - in branches/samba/lenny/debian: . patches

bubulle at alioth.debian.org bubulle at alioth.debian.org
Sat Oct 10 07:34:35 UTC 2009


Author: bubulle
Date: 2009-10-10 07:34:24 +0000 (Sat, 10 Oct 2009)
New Revision: 3082

Added:
   branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch
   branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch
   branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch
   branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch
Modified:
   branches/samba/lenny/debian/changelog
   branches/samba/lenny/debian/patches/series
Log:
Candidate patches for a security update


Modified: branches/samba/lenny/debian/changelog
===================================================================
--- branches/samba/lenny/debian/changelog	2009-10-07 19:31:10 UTC (rev 3081)
+++ branches/samba/lenny/debian/changelog	2009-10-10 07:34:24 UTC (rev 3082)
@@ -1,3 +1,16 @@
+samba (2:3.2.5-4lenny7) stable-security; urgency=high
+
+  * Security update. Fixes the following issues:
+    - CVE-2009-2813: fix information leak with misconfigured 
+                     /etc/passwd file
+    - CVE-2009-2906: remote DoS against smbd on authenticated
+                     connections
+    - CVE-2009-2948: information disclosure by setuid mount.cifs
+  * Thanks to Nico Golde for helping with upstream patch backport
+    for CVE-2009-2948 and CVE-2009-2906
+
+ -- Christian Perrier <bubulle at debian.org>  Mon, 28 Sep 2009 22:34:10 +0200
+
 samba (2:3.2.5-4lenny6) stable-security; urgency=low
 
   * The former upload (2:3.2.5-4lenny5) was made to the wrong

Added: branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch	                        (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2813.patch	2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,57 @@
+Goal: Fix information disclosure with misconfigured /etc/passwd file
+
+Fixes: Upstream security fix. CVE-2009-2813
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Apple and Jeremy Allison <jra at samba.org>
+
+diff --git a/source/param/loadparm.c b/source/param/loadparm.c
+index 4556d0b..6df94e1 100644
+--- a/source/param/loadparm.c
++++ b/source/param/loadparm.c
+@@ -5827,6 +5827,11 @@ bool lp_add_home(const char *pszHomename, int iDefaultService,
+ {
+ 	int i;
+ 
++	if (pszHomename == NULL || user == NULL || pszHomedir == NULL ||
++			pszHomedir[0] == '\0') {
++		return false;
++	}
++
+ 	i = add_a_service(ServicePtrs[iDefaultService], pszHomename);
+ 
+ 	if (i < 0)
+@@ -7777,7 +7782,7 @@ static void lp_add_auto_services(char *str)
+ 
+ 		home = get_user_home_dir(talloc_tos(), p);
+ 
+-		if (home && homes >= 0)
++		if (home && home[0] && homes >= 0)
+ 			lp_add_home(p, homes, p, home);
+ 
+ 		TALLOC_FREE(home);
+diff --git a/source/smbd/service.c b/source/smbd/service.c
+index 1c8ffbd..5d9b9df 100644
+--- a/source/smbd/service.c
++++ b/source/smbd/service.c
+@@ -55,6 +55,10 @@ bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
+ 	const char *s = connectpath;
+         bool start_of_name_component = true;
+ 
++	if (connectpath == NULL || connectpath[0] == '\0') {
++		return false;
++	}
++
+ 	destname = SMB_STRDUP(connectpath);
+ 	if (!destname) {
+ 		return false;
+@@ -327,7 +331,7 @@ int add_home_service(const char *service, const char *username, const char *home
+ {
+ 	int iHomeService;
+ 
+-	if (!service || !homedir)
++	if (!service || !homedir || homedir[0] == '\0')
+ 		return -1;
+ 
+ 	if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
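Review bot: The new guards reject an empty home directory silently — `return false` in lp_add_home, `return false` at the top of set_conn_connectpath, `return -1` in add_home_service — so an administrator whose user's home share disappears after this update gets no hint in the log about why; a `DEBUG(1,("lp_add_home: refusing home share for %s: empty home directory\n", pszHomename));` before the return in lp_add_home (and an equivalent line in the other two) would make the refusal diagnosable. The `home && home[0]` test added in lp_add_auto_services duplicates the check now performed inside lp_add_home; harmless, but a one-line comment such as `/* empty home dir: never map it to the [homes] share (CVE-2009-2813) */` would record that the redundancy is intentional. All four touched functions start or end outside the hunk, so whether every caller of set_conn_connectpath and lp_add_home handles the new failure return could not be verified here.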

Added: branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch	                        (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2906.patch	2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,97 @@
+Goal: Fix remote DoS against smbd on authenticated
+      connections
+
+Fixes: Upstream security fix. CVE-2009-2906
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Jeremy Allison
+
+diff -Nurad samba-3.2.5.orig/source/include/smb.h samba-3.2.5/source/include/smb.h
+--- samba-3.2.5.orig/source/include/smb.h	2009-10-09 17:24:51.000000000 +0200
++++ samba-3.2.5/source/include/smb.h	2009-10-09 17:25:26.000000000 +0200
+@@ -758,6 +758,7 @@
+ 	struct timeval request_time; /* When was this first issued? */
+ 	struct timeval end_time; /* When does this time out? */
+ 	bool encrypted;
++	bool processed;
+ 	DATA_BLOB buf;
+ 	DATA_BLOB private_data;
+ };
+diff -Nurad samba-3.2.5.orig/source/smbd/process.c samba-3.2.5/source/smbd/process.c
+--- samba-3.2.5.orig/source/smbd/process.c	2009-10-09 17:24:51.000000000 +0200
++++ samba-3.2.5/source/smbd/process.c	2009-10-09 17:31:16.000000000 +0200
+@@ -434,6 +434,7 @@
+ 	msg->request_time = request_time;
+ 	msg->end_time = end_time;
+ 	msg->encrypted = req->encrypted;
++	msg->processed = false;
+ 
+ 	if (private_data) {
+ 		msg->private_data = data_blob_talloc(msg, private_data,
+@@ -489,6 +490,14 @@
+ 		DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
+ 			(unsigned int)msg_mid ));
+ 		if (mid == msg_mid) {
++			if (pml->processed) {
++				/* A processed message should not be
++				 * rescheduled. */
++				DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
++							"message mid %u was already processed\n",
++							(unsigned int)msg_mid ));
++				continue;
++			}
+ 			DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
+ 				mid ));
+ 			pml->end_time.tv_sec = 0;
+@@ -503,7 +512,7 @@
+ }
+ 
+ /****************************************************************************
+- Return true if this mid is on the deferred queue.
++ Return true if this mid is on the deferred queue and was not yet processed.
+ ****************************************************************************/
+ 
+ bool open_was_deferred(uint16 mid)
+@@ -511,7 +520,7 @@
+ 	struct pending_message_list *pml;
+ 
+ 	for (pml = deferred_open_queue; pml; pml = pml->next) {
+-		if (SVAL(pml->buf.data,smb_mid) == mid) {
++		if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
+ 			return True;
+ 		}
+ 	}
+@@ -778,6 +787,10 @@
+ 			/* We leave this message on the queue so the open code can
+ 			   know this is a retry. */
+ 			DEBUG(5,("receive_message_or_smb: returning deferred open smb message.\n"));
++
++			/* Mark the message as processed so this is not
++			 * re-processed in error. */
++			msg->processed = true;
+ 			return NT_STATUS_OK;
+ 		}
+ 	}
+@@ -1469,6 +1482,7 @@
+ 
+ static void construct_reply(char *inbuf, int size, size_t unread_bytes, bool encrypted)
+ {
++	struct pending_message_list *pml = NULL;
+ 	uint8 type = CVAL(inbuf,smb_com);
+ 	connection_struct *conn;
+ 	struct smb_request *req;
+@@ -1484,6 +1498,13 @@
+ 
+ 	conn = switch_message(type, req, size);
+ 
++	/* If this was a deferred message and it's still there and
++	 * was processed, remove it. */
++	pml = get_open_deferred_message(req->mid);
++	if (pml && pml->processed) {
++		remove_deferred_open_smb_message(req->mid);
++	}
++
+ 	if (req->unread_bytes) {
+ 		/* writeX failed. drain socket. */
+ 		if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
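Review bot: The new `processed` member in smb.h carries no comment although its neighbours (`request_time`, `end_time`) do and its meaning is the whole point of this fix; suggest `bool processed; /* already handed back for processing once; must not be rescheduled */`. The "LOGIC ERROR" branch in schedule_deferred_open_smb_message logs at DEBUG level 0 and then `continue`s; if that condition is at all reachable from a client (the CVE is a remote DoS on authenticated connections), each hit writes an unconditional log line, so it is worth confirming the branch is unreachable once construct_reply removes processed entries, or lowering the level. construct_reply now calls get_open_deferred_message and remove_deferred_open_smb_message, neither of which is shown in the hunk; they should be confirmed to exist with these signatures in the 3.2.5 tree. All the modified functions start or end outside the hunk.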

Added: branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch	                        (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2948-1.patch	2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,60 @@
+Goal: Fix information disclosure by setuid mount.cifs. 1/2
+
+Fixes: Upstream security fix. CVE-2009-2948
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Jeff Layton <jlayton at redhat.com>
+        Nico Golde <nion at pool.math.tu-berlin.de> (backport to 3.2.5)
+
+From e4bd1535a1ccf085ccc8f03c2bac307c34f0fd37 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at redhat.com>
+Date: Fri, 25 Sep 2009 07:03:44 -0400
+Subject: [PATCH] mount.cifs: check access of credential files before opening
+
+It's possible for an unprivileged user to pass a setuid mount.cifs a
+credential or password file to which he does not have access. This can cause
+mount.cifs to open the file on his behalf and possibly leak the info in the
+first few lines of the file.
+
+Check the access permissions of the file before opening it.
+
+Reported-by: Ronald Volgers <r.c.volgers at student.utwente.nl>
+Signed-off-by: Jeff Layton <jlayton at redhat.com>
+Acked-by: Steve French <sfrench at us.ibm.com>
+---
+ source/client/mount.cifs.c |   11 +++++++++++
+ 1 files changed, 11 insertions(+), 0 deletions(-)
+
+diff --git a/source/client/mount.cifs.c b/source/client/mount.cifs.c
+index d05115b..cee9188 100644
+--- a/source/client/mount.cifs.c
++++ b/source/client/mount.cifs.c
+@@ -199,6 +199,11 @@ static int open_cred_file(char * file_name)
+ 	char * temp_val;
+ 	FILE * fs;
+ 	int i, length;
++
++	i = access(file_name, R_OK);
++	if (i)
++		return i;
++
+ 	fs = fopen(file_name,"r");
+ 	if(fs == NULL)
+ 		return errno;
+@@ -321,6 +326,12 @@ static int get_password_from_file(int file_descript, char * filename)
+ 	}
+ 
+ 	if(filename != NULL) {
++		rc = access(filename, R_OK);
++		if (rc) {
++			fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
++					filename, strerror(errno));
++			exit(2);
++		}
+ 		file_descript = open(filename, O_RDONLY);
+ 		if(file_descript < 0) {
+ 			printf("mount.cifs failed. %s attempting to open password file %s\n",
+-- 
+1.6.0.6
+
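Review bot: In open_cred_file the new check returns the raw `access()` result (`-1`) while the function's other failure path returns an errno value (`return errno;` after fopen), so a caller that interprets the return as an errno code gets an inconsistent value; write `if (access(file_name, R_OK) != 0) return errno;` instead. Note also that `access()` followed by `fopen()`/`open()` is a check-then-use race: between the two calls the unprivileged caller can replace the path with a symlink to a file they cannot read, so the check narrows the leak but does not close it. A race-free form is to perform the open with the real uid (temporarily `seteuid(getuid())` around the open, restoring afterwards) — the hunk does not show what privileges mount.cifs holds at this point, so treat that as a follow-up to be confirmed against the rest of the file. Both enclosing functions start and end outside the hunk.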

Added: branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch	                        (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-2948-2.patch	2009-10-10 07:34:24 UTC (rev 3082)
@@ -0,0 +1,100 @@
+Goal: Fix information disclosure by setuid mount.cifs. 2/2
+
+Fixes: Upstream security fix. CVE-2009-2948
+
+Status wrt upstream: Fixed in 3.2.15
+
+Author: Jeff Layton <jlayton at redhat.com>
+        Nico Golde <nion at pool.math.tu-berlin.de> (backport to 3.2.5)
+
+diff -Nurad samba-3.2.5/source/client/mount.cifs.c samba-3.2.5.new/source/client/mount.cifs.c
+--- samba-3.2.5/source/client/mount.cifs.c	2008-11-18 16:17:17.000000000 +0100
++++ samba-3.2.5.new/source/client/mount.cifs.c	2009-10-07 16:01:17.000000000 +0200
+@@ -371,9 +371,6 @@
+ 		return 1;
+ 	data = *optionsp;
+ 
+-	if(verboseflag)
+-		printf("parsing options: %s\n", data);
+-
+ 	/* BB fixme check for separator override BB */
+ 
+ 	if (getuid()) {
+@@ -460,17 +457,26 @@
+ 		} else if (strncmp(data, "pass", 4) == 0) {
+ 			if (!value || !*value) {
+ 				if(got_password) {
+-					printf("\npassword specified twice, ignoring second\n");
++					fprintf(stderr, "\npassword specified twice, ignoring second\n");
+ 				} else
+ 					got_password = 1;
+-			} else if (strnlen(value, 17) < 17) {
+-				if(got_password)
+-					printf("\nmount.cifs warning - password specified twice\n");
+-				got_password = 1;
++			} else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) {
++				if (got_password) {
++					fprintf(stderr, "\nmount.cifs warning - password specified twice\n");
++				} else {
++					mountpassword = strndup(value, MOUNT_PASSWD_SIZE);
++					if (!mountpassword) {
++						fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM));
++						SAFE_FREE(out);
++						return 1;
++					}
++					got_password = 1;
++				}
+ 			} else {
+-				printf("password too long\n");
++				fprintf(stderr, "password too long\n");
+ 				return 1;
+ 			}
++			goto nocopy;
+ 		} else if (strncmp(data, "sec", 3) == 0) {
+ 			if (value) {
+ 				if (!strcmp(value, "none"))
+@@ -1336,15 +1342,6 @@
+ 			strlcat(options,domain_name,options_size);
+ 		}
+ 	}
+-	if(mountpassword) {
+-		/* Commas have to be doubled, or else they will
+-		look like the parameter separator */
+-/*		if(sep is not set)*/
+-		if(retry == 0)
+-			check_for_comma(&mountpassword);
+-		strlcat(options,",pass=",options_size);
+-		strlcat(options,mountpassword,options_size);
+-	}
+ 
+ 	strlcat(options,",ver=",options_size);
+ 	strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size);
+@@ -1357,12 +1354,26 @@
+ 		strlcat(options,",prefixpath=",options_size);
+ 		strlcat(options,prefixpath,options_size); /* no need to cat the / */
+ 	}
+-	if(verboseflag)
+-		printf("\nmount.cifs kernel mount options %s \n",options);
+ 
+ 	/* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */
+ 	replace_char(dev_name, '\\', '/', strlen(share_name));
+ 
++	if(verboseflag)
++		fprintf(stderr, "\nmount.cifs kernel mount options: %s", options);
++
++	if (mountpassword) {
++		/*
++		 * Commas have to be doubled, or else they will
++		 * look like the parameter separator
++		 */
++		if(retry == 0)
++			check_for_comma(&mountpassword);
++		strlcat(options,",pass=",options_size);
++		strlcat(options,mountpassword,options_size);
++		if (verboseflag)
++			fprintf(stderr, ",pass=********");
++	}
++
+ 	if(mount(dev_name, mountpoint, "cifs", flags, options)) {
+ 	/* remember to kill daemon on error */
+ 		switch (errno) {
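Review bot: In the `pass=` branch the new ENOMEM path calls `SAFE_FREE(out)` before `return 1`, but the `password too long` path three lines below still returns 1 without freeing `out`, so the two error returns of the same branch now disagree about ownership of `out` (the ENOMEM path suggests it is a local allocation); make the long-password branch match: `SAFE_FREE(out); return 1;`. The password now lives in `mountpassword` (via strndup) and is appended to `options` immediately before `mount()`, and neither buffer is cleared afterwards, so the cleartext stays in process memory until exit; clearing both after the mount call (a plain `memset` may be optimized away, so use the project's secure-zero helper if one exists) would limit exposure in core dumps. Whether the `nocopy` label targeted by the new `goto` exists in this 3.2.5 function is not visible in the hunk. Both enclosing functions start and end outside the hunk.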

Modified: branches/samba/lenny/debian/patches/series
===================================================================
--- branches/samba/lenny/debian/patches/series	2009-10-07 19:31:10 UTC (rev 3081)
+++ branches/samba/lenny/debian/patches/series	2009-10-10 07:34:24 UTC (rev 3082)
@@ -32,3 +32,8 @@
 bug_526229-upstream_6301.patch
 security-CVE-2009-1886.patch
 security-CVE-2009-1888.patch
+security-CVE-2009-2813.patch
+security-CVE-2009-2906.patch
+security-CVE-2009-2948-1.patch
+security-CVE-2009-2948-2.patch
+



