Univention Bugzilla – Attachment 7542 Details for
Bug 40921
samba: Security issue (ES 3.1)
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CVE-2015-7560-v3-6.patch
CVE-2015-7560-v3-6.patch (text/plain), 9.44 KB, created by
Arvid Requate
on 2016-03-17 17:29 CET
(
hide
)
Description:
CVE-2015-7560-v3-6.patch
Filename:
MIME Type:
Creator:
Arvid Requate
Created:
2016-03-17 17:29 CET
Size:
9.44 KB
patch
obsolete
>From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:18:12 -0800 >Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function > that can be used to prevent operations on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++ > 1 file changed, 28 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 26b6523..7f47579 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn, > files_struct *fsp, > const SMB_STRUCT_STAT *psbuf); > >+/**************************************************************************** >+ Check if an open file handle or pathname is a symlink. >+****************************************************************************/ >+ >+static NTSTATUS refuse_symlink(connection_struct *conn, >+ const files_struct *fsp, >+ const char *name) >+{ >+ SMB_STRUCT_STAT sbuf; >+ const SMB_STRUCT_STAT *pst = NULL; >+ >+ if (fsp) { >+ pst = &fsp->fsp_name->st; >+ } else { >+ int ret = vfs_stat_smb_fname(conn, >+ name, >+ &sbuf); >+ if (ret == -1) { >+ return map_nt_error_from_unix(errno); >+ } >+ pst = &sbuf; >+ } >+ if (S_ISLNK(pst->st_ex_mode)) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ return NT_STATUS_OK; >+} >+ > /******************************************************************** > Roundup a value to the nearest allocation roundup size boundary. > Only do this for Windows clients. >-- >2.5.0 > > >From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 10:38:28 -0800 >Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a > POSIX file handle on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/nttrans.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c >index 4c145e0..7255600 100644 >--- a/source3/smbd/nttrans.c >+++ b/source3/smbd/nttrans.c >@@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn, > return NT_STATUS_ACCESS_DENIED; > } > >+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) { >+ DEBUG(10, ("ACL get on symlink %s denied.\n", >+ fsp_str_dbg(fsp))); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ > if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER| > SECINFO_GROUP|SECINFO_SACL)) { > /* Don't return SECINFO_LABEL if anything else was >-- >2.5.0 > > >From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 10:52:50 -0800 >Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a > POSIX file handle on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/nttrans.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c >index 7255600..d2102ca 100644 >--- a/source3/smbd/nttrans.c >+++ b/source3/smbd/nttrans.c >@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd, > return NT_STATUS_OK; > } > >+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) { >+ DEBUG(10, ("ACL set on symlink %s denied.\n", >+ fsp_str_dbg(fsp))); >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ > if (psd->owner_sid == NULL) { > security_info_sent &= ~SECINFO_OWNER; > } >-- >2.5.0 > > >From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:22:12 -0800 >Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a > symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/trans2.c | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 7f47579..2f01e87 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn, > uint16 num_def_acls; > bool valid_file_acls = True; > bool valid_def_acls = True; >+ NTSTATUS status; > > if (total_data < SMB_POSIX_ACL_HEADER_SIZE) { > return NT_STATUS_INVALID_PARAMETER; >@@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn, > return NT_STATUS_INVALID_PARAMETER; > } > >+ status = refuse_symlink(conn, fsp, smb_fname->base_name); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ > DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n", > smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp), > (unsigned int)num_file_acls, >-- >2.5.0 > > >From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:24:36 -0800 >Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a > symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/trans2.c | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 2f01e87..3a098d1 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn, > uint16 num_file_acls = 0; > uint16 num_def_acls = 0; > >+ status = refuse_symlink(conn, >+ fsp, >+ smb_fname->base_name); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ > if (fsp && fsp->fh->fd != -1) { > file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp); > } else { >-- >2.5.0 > > >From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:05:48 -0800 >Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows > removal of code duplication. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/trans2.c | 13 +++++-------- > 1 file changed, 5 insertions(+), 8 deletions(-) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 3a098d1..6fdd1da 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > size_t num_names; > ssize_t sizeret = -1; > >+ if (pnames) { >+ *pnames = NULL; >+ } >+ *pnum_names = 0; >+ > if (!lp_ea_support(SNUM(conn))) { >- if (pnames) { >- *pnames = NULL; >- } >- *pnum_names = 0; > return NT_STATUS_OK; > } > >@@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > > if (sizeret == 0) { > TALLOC_FREE(names); >- if (pnames) { >- *pnames = NULL; >- } >- *pnum_names = 0; > return NT_STATUS_OK; > } > >-- >2.5.0 > > >From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:29:38 -0800 >Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's > available on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/trans2.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 6fdd1da..8b6e4b2 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > char **names, **tmp; > size_t num_names; > ssize_t sizeret = -1; >+ NTSTATUS status; > > if (pnames) { > *pnames = NULL; >@@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn, > return NT_STATUS_OK; > } > >+ status = refuse_symlink(conn, fsp, fname); >+ if (!NT_STATUS_IS_OK(status)) { >+ /* >+ * Just return no EA's on a symlink. >+ */ >+ return NT_STATUS_OK; >+ } >+ > /* > * TALLOC the result early to get the talloc hierarchy right. > */ >-- >2.5.0 > > >From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001 >From: Jeremy Allison <jra@samba.org> >Date: Tue, 5 Jan 2016 11:33:48 -0800 >Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648 > >Signed-off-by: Jeremy Allison <jra@samba.org> >Reviewed-by: Michael Adam <obnox@samba.org> >--- > source3/smbd/trans2.c | 7 +++++++ > 1 file changed, 7 insertions(+) > >diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c >index 8b6e4b2..98fd2af 100644 >--- a/source3/smbd/trans2.c >+++ b/source3/smbd/trans2.c >@@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp, > const struct smb_filename *smb_fname, struct ea_list *ea_list) > { > char *fname = NULL; >+ NTSTATUS status; > > if (!lp_ea_support(SNUM(conn))) { > return NT_STATUS_EAS_NOT_SUPPORTED; >@@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp, > return NT_STATUS_ACCESS_DENIED; > } > >+ status = refuse_symlink(conn, fsp, smb_fname->base_name); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ > /* For now setting EAs on streams isn't supported. */ > fname = smb_fname->base_name; > >-- >2.5.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=7542">View the attachment on a separate page</a>.</b>
Actions:
View
|
Diff
Attachments on
bug 40921
: 7542