samba: Security Advisory - CVE-2013-4475

Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS). http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4475 Signed-off-by: Yue Tao <Yue.Tao@windriver.com> Signed-off-by: Chong Lu <Chong.Lu@windriver.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
author: Chong.Lu@windriver.com <Chong.Lu@windriver.com> 2014-06-13 14:12:58 +0800
committer: Martin Jansa <Martin.Jansa@gmail.com> 2014-06-21 19:22:25 +0200
commit: 18e196f16e63b87fad7ed2b971f8e48879d60e4e (patch)
tree: 4d704b216cfe7191a180881c55468832a4f1f9e1 /meta-oe/recipes-connectivity/samba
parent: 69e765c4645f018506325312a42a53f984dbb6e8 (diff)
download: meta-openembedded-18e196f16e63b87fad7ed2b971f8e48879d60e4e.tar.gz
2 files changed, 103 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch
new file mode 100644
index 000000000..a435c08b5
--- /dev/null
+++ b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch
@@ -0,0 +1,102 @@
+Upstream-Status: Backport
+From 928910f01f951657ea4629a6d573ac00646d16f8 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 31 Oct 2013 13:48:42 -0700
+Subject: [PATCH] Fix bug #10229 - No access check verification on stream
+ files.
+https://bugzilla.samba.org/show_bug.cgi?id=10229
+We need to check if the requested access mask
+could be used to open the underlying file (if
+it existed), as we're passing in zero for the
+access mask to the base filename.
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/smbd/open.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 61 insertions(+)
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 447de80..441b8cd 100644
+--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
+@@ -152,6 +152,48 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
+ }
+ 
+ /****************************************************************************
+ Ensure when opening a base file for a stream open that we have permissions
+ to do so given the access mask on the base file.
+****************************************************************************/
+
+static NTSTATUS check_base_file_access(struct connection_struct *conn,
+                               struct smb_filename *smb_fname,
+                               uint32_t access_mask)
+{
+       uint32_t access_granted = 0;
+       NTSTATUS status;
+
+       status = smbd_calculate_access_mask(conn, smb_fname,
+                                       false,
+                                       access_mask,
+                                       &access_mask);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(10, ("smbd_calculate_access_mask "
+                       "on file %s returned %s\n",
+                       smb_fname_str_dbg(smb_fname),
+                       nt_errstr(status)));
+               return status;
+       }
+
+       if (access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) {
+               uint32_t dosattrs;
+               if (!CAN_WRITE(conn)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+               dosattrs = dos_mode(conn, smb_fname);
+               if (IS_DOS_READONLY(dosattrs)) {
+                       return NT_STATUS_ACCESS_DENIED;
+               }
+       }
+
+
+       return smbd_check_open_rights(conn,
+                               smb_fname,
+                               access_mask,
+                               &access_granted);
+}
+
+/****************************************************************************
+  fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
+ 
+@@ -3227,6 +3269,25 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
+                if (SMB_VFS_STAT(conn, smb_fname_base) == -1) {
+                        DEBUG(10, ("Unable to stat stream: %s\n",
+                                   smb_fname_str_dbg(smb_fname_base)));
+               } else {
+                       /*
+                        * https://bugzilla.samba.org/show_bug.cgi?id=10229
+                        * We need to check if the requested access mask
+                        * could be used to open the underlying file (if
+                        * it existed), as we're passing in zero for the
+                        * access mask to the base filename.
+                        */
+                       status = check_base_file_access(conn,
+                                                       smb_fname_base,
+                                                       access_mask);
+
+                       if (!NT_STATUS_IS_OK(status)) {
+                               DEBUG(10, ("Permission check "
+                                       "for base %s failed: "
+                                       "%s\n", smb_fname->base_name,
+                                       nt_errstr(status)));
+                               goto fail;
+                       }
+                }
+ 
+                /* Open the base file. */
+-- 
+1.8.4.1
diff --git a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
index 331796cb3..cf13a0f58 100644
--- a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
+++ b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
@@ -34,6 +34,7 @@ SRC_URI += "\
    file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \
    file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \
    file://samba-3.6.16-CVE-2013-4124.patch;patchdir=.. \
+    file://samba-3.6.19-CVE-2013-4475.patch;patchdir=.. \
 "
 SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"
 SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"
author	Chong.Lu@windriver.com <Chong.Lu@windriver.com>	2014-06-13 14:12:58 +0800
committer	Martin Jansa <Martin.Jansa@gmail.com>	2014-06-21 19:22:25 +0200
commit	18e196f16e63b87fad7ed2b971f8e48879d60e4e (patch)
tree	4d704b216cfe7191a180881c55468832a4f1f9e1 /meta-oe/recipes-connectivity/samba
parent	69e765c4645f018506325312a42a53f984dbb6e8 (diff)
download	meta-openembedded-18e196f16e63b87fad7ed2b971f8e48879d60e4e.tar.gz

diff --git a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch new file mode 100644 index 000000000..a435c08b5 --- /dev/null +++ b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch
@@ -0,0 +1,102 @@
		1	Upstream-Status: Backport
		2
		3	From 928910f01f951657ea4629a6d573ac00646d16f8 Mon Sep 17 00:00:00 2001
		4	From: Jeremy Allison <jra@samba.org>
		5	Date: Thu, 31 Oct 2013 13:48:42 -0700
		6	Subject: [PATCH] Fix bug #10229 - No access check verification on stream
		7	files.
		8
		9	https://bugzilla.samba.org/show_bug.cgi?id=10229
		10
		11	We need to check if the requested access mask
		12	could be used to open the underlying file (if
		13	it existed), as we're passing in zero for the
		14	access mask to the base filename.
		15
		16	Signed-off-by: Jeremy Allison <jra@samba.org>
		17	---
		18	source3/smbd/open.c \| 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
		19	1 file changed, 61 insertions(+)
		20
		21	diff --git a/source3/smbd/open.c b/source3/smbd/open.c
		22	index 447de80..441b8cd 100644
		23	--- a/source3/smbd/open.c
		24	+++ b/source3/smbd/open.c
		25	@@ -152,6 +152,48 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
		26	}
		27
		28	/****************************************************************************
		29	+ Ensure when opening a base file for a stream open that we have permissions
		30	+ to do so given the access mask on the base file.
		31	+****************************************************************************/
		32	+
		33	+static NTSTATUS check_base_file_access(struct connection_struct *conn,
		34	+ struct smb_filename *smb_fname,
		35	+ uint32_t access_mask)
		36	+{
		37	+ uint32_t access_granted = 0;
		38	+ NTSTATUS status;
		39	+
		40	+ status = smbd_calculate_access_mask(conn, smb_fname,
		41	+ false,
		42	+ access_mask,
		43	+ &access_mask);
		44	+ if (!NT_STATUS_IS_OK(status)) {
		45	+ DEBUG(10, ("smbd_calculate_access_mask "
		46	+ "on file %s returned %s\n",
		47	+ smb_fname_str_dbg(smb_fname),
		48	+ nt_errstr(status)));
		49	+ return status;
		50	+ }
		51	+
		52	+ if (access_mask & (FILE_WRITE_DATA\|FILE_APPEND_DATA)) {
		53	+ uint32_t dosattrs;
		54	+ if (!CAN_WRITE(conn)) {
		55	+ return NT_STATUS_ACCESS_DENIED;
		56	+ }
		57	+ dosattrs = dos_mode(conn, smb_fname);
		58	+ if (IS_DOS_READONLY(dosattrs)) {
		59	+ return NT_STATUS_ACCESS_DENIED;
		60	+ }
		61	+ }
		62	+
		63	+
		64	+ return smbd_check_open_rights(conn,
		65	+ smb_fname,
		66	+ access_mask,
		67	+ &access_granted);
		68	+}
		69	+
		70	+/****************************************************************************
		71	fd support routines - attempt to do a dos_open.
		72	****************************************************************************/
		73
		74	@@ -3227,6 +3269,25 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
		75	if (SMB_VFS_STAT(conn, smb_fname_base) == -1) {
		76	DEBUG(10, ("Unable to stat stream: %s\n",
		77	smb_fname_str_dbg(smb_fname_base)));
		78	+ } else {
		79	+ /*
		80	+ * https://bugzilla.samba.org/show_bug.cgi?id=10229
		81	+ * We need to check if the requested access mask
		82	+ * could be used to open the underlying file (if
		83	+ * it existed), as we're passing in zero for the
		84	+ * access mask to the base filename.
		85	+ */
		86	+ status = check_base_file_access(conn,
		87	+ smb_fname_base,
		88	+ access_mask);
		89	+
		90	+ if (!NT_STATUS_IS_OK(status)) {
		91	+ DEBUG(10, ("Permission check "
		92	+ "for base %s failed: "
		93	+ "%s\n", smb_fname->base_name,
		94	+ nt_errstr(status)));
		95	+ goto fail;
		96	+ }
		97	}
		98
		99	/* Open the base file. */
		100	--
		101	1.8.4.1
		102


diff --git a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb index 331796cb3..cf13a0f58 100644 --- a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb +++ b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
@@ -34,6 +34,7 @@ SRC_URI += "\
34	file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \	34	file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \
35	file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \	35	file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \
36	file://samba-3.6.16-CVE-2013-4124.patch;patchdir=.. \	36	file://samba-3.6.16-CVE-2013-4124.patch;patchdir=.. \
		37	file://samba-3.6.19-CVE-2013-4475.patch;patchdir=.. \
37	"	38	"
38	SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"	39	SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"
39	SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"	40	SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"