[Pkg-samba-maint] [samba] 01/03: add patch for CVE-2013-4475

Ivo De Decker idd-guest at moszumanska.debian.org
Mon Dec 9 09:15:36 UTC 2013 

This is an automated email from the git hooks/post-receive script.

idd-guest pushed a commit to branch wheezy
in repository samba.

commit 0f535855878d4b6b34f37348b59c70c3cac61bee
Author: Ivo De Decker <ivo.dedecker at ugent.be>
Date:   Sun Dec 1 18:37:42 2013 +0100

    add patch for CVE-2013-4475
    
    ACLs are not checked on opening an alternate data stream on a file or directory
---
 debian/changelog                            |   8 +++
 debian/patches/security-CVE-2013-4475.patch | 100 ++++++++++++++++++++++++++++
 debian/patches/series                       |   1 +
 3 files changed, 109 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 467697c..bb06420 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.6.6-6+deb7u2) UNRELEASED; urgency=low
+
+  * Security update
+  * CVE-2013-4475: ACLs are not checked on opening an alternate data stream on
+    a file or directory
+
+ -- Ivo De Decker <ivo.dedecker at ugent.be>  Sun, 01 Dec 2013 18:24:42 +0100
+
 samba (2:3.6.6-6+deb7u1) wheezy; urgency=low
 
   * Security update
diff --git a/debian/patches/security-CVE-2013-4475.patch b/debian/patches/security-CVE-2013-4475.patch
new file mode 100644
index 0000000..17d58f8
--- /dev/null
+++ b/debian/patches/security-CVE-2013-4475.patch
@@ -0,0 +1,100 @@
+From 928910f01f951657ea4629a6d573ac00646d16f8 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Thu, 31 Oct 2013 13:48:42 -0700
+Subject: [PATCH] Fix bug #10229 - No access check verification on stream
+ files.
+
+https://bugzilla.samba.org/show_bug.cgi?id=10229
+
+We need to check if the requested access mask
+could be used to open the underlying file (if
+it existed), as we're passing in zero for the
+access mask to the base filename.
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+---
+ source3/smbd/open.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 447de80..441b8cd 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -152,6 +152,48 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
+ }
+ 
+ /****************************************************************************
++ Ensure when opening a base file for a stream open that we have permissions
++ to do so given the access mask on the base file.
++****************************************************************************/
++
++static NTSTATUS check_base_file_access(struct connection_struct *conn,
++				struct smb_filename *smb_fname,
++				uint32_t access_mask)
++{
++	uint32_t access_granted = 0;
++	NTSTATUS status;
++
++	status = smbd_calculate_access_mask(conn, smb_fname,
++					false,
++					access_mask,
++					&access_mask);
++	if (!NT_STATUS_IS_OK(status)) {
++		DEBUG(10, ("smbd_calculate_access_mask "
++			"on file %s returned %s\n",
++			smb_fname_str_dbg(smb_fname),
++			nt_errstr(status)));
++		return status;
++	}
++
++	if (access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) {
++		uint32_t dosattrs;
++		if (!CAN_WRITE(conn)) {
++			return NT_STATUS_ACCESS_DENIED;
++		}
++		dosattrs = dos_mode(conn, smb_fname);
++ 		if (IS_DOS_READONLY(dosattrs)) {
++			return NT_STATUS_ACCESS_DENIED;
++		}
++	}
++
++
++	return smbd_check_open_rights(conn,
++				smb_fname,
++				access_mask,
++				&access_granted);
++}
++
++/****************************************************************************
+  fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
+ 
+@@ -3227,6 +3269,25 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
+ 		if (SMB_VFS_STAT(conn, smb_fname_base) == -1) {
+ 			DEBUG(10, ("Unable to stat stream: %s\n",
+ 				   smb_fname_str_dbg(smb_fname_base)));
++		} else {
++			/*
++			 * https://bugzilla.samba.org/show_bug.cgi?id=10229
++			 * We need to check if the requested access mask
++			 * could be used to open the underlying file (if
++			 * it existed), as we're passing in zero for the
++			 * access mask to the base filename.
++			 */
++			status = check_base_file_access(conn,
++							smb_fname_base,
++							access_mask);
++
++			if (!NT_STATUS_IS_OK(status)) {
++				DEBUG(10, ("Permission check "
++					"for base %s failed: "
++					"%s\n", smb_fname->base_name,
++					nt_errstr(status)));
++				goto fail;
++			}
+ 		}
+ 
+ 		/* Open the base file. */
+-- 
+1.8.4.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 8758648..f4d0e31 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -25,3 +25,4 @@ only_export_public_symbols.patch
 security-CVE-2013-0213.patch
 security-CVE-2013-0214.patch
 security-CVE-2013-4124.patch
+security-CVE-2013-4475.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git

More information about the Pkg-samba-maint mailing list