mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-05-07 05:10:20 +00:00
Code Issues Projects Releases Wiki Activity

samba: Security Advisory - CVE-2013-4475

Browse Source 
Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1,
when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote
attackers to bypass intended file restrictions by leveraging ACL
differences between a file and an associated alternate data stream
(ADS).

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4475

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Chong Lu <Chong.Lu@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
This commit is contained in:
Chong.Lu@windriver.com
2014-06-13 14:12:58 +08:00
committed by Martin Jansa
parent 69e765c464
commit 18e196f16e
2 changed files with 103 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch
+102
View File
@@ -0,0 +1,102 @@
Upstream-Status: Backport
From 928910f01f951657ea4629a6d573ac00646d16f8 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Thu, 31 Oct 2013 13:48:42 -0700
Subject: [PATCH] Fix bug #10229 - No access check verification on stream
files.
https://bugzilla.samba.org/show_bug.cgi?id=10229
We need to check if the requested access mask
could be used to open the underlying file (if
it existed), as we're passing in zero for the
access mask to the base filename.
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/open.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 447de80..441b8cd 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -152,6 +152,48 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn,
}
/****************************************************************************
+ Ensure when opening a base file for a stream open that we have permissions
+ to do so given the access mask on the base file.
+****************************************************************************/
+
+static NTSTATUS check_base_file_access(struct connection_struct *conn,
+ struct smb_filename *smb_fname,
+ uint32_t access_mask)
+{
+ uint32_t access_granted = 0;
+ NTSTATUS status;
+
+ status = smbd_calculate_access_mask(conn, smb_fname,
+ false,
+ access_mask,
+ &access_mask);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("smbd_calculate_access_mask "
+ "on file %s returned %s\n",
+ smb_fname_str_dbg(smb_fname),
+ nt_errstr(status)));
+ return status;
+ }
+
+ if (access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) {
+ uint32_t dosattrs;
+ if (!CAN_WRITE(conn)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ dosattrs = dos_mode(conn, smb_fname);
+ if (IS_DOS_READONLY(dosattrs)) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+
+ return smbd_check_open_rights(conn,
+ smb_fname,
+ access_mask,
+ &access_granted);
+}
+
+/****************************************************************************
fd support routines - attempt to do a dos_open.
****************************************************************************/
@@ -3227,6 +3269,25 @@ static NTSTATUS create_file_unixpath(connection_struct *conn,
if (SMB_VFS_STAT(conn, smb_fname_base) == -1) {
DEBUG(10, ("Unable to stat stream: %s\n",
smb_fname_str_dbg(smb_fname_base)));
+ } else {
+ /*
+ * https://bugzilla.samba.org/show_bug.cgi?id=10229
+ * We need to check if the requested access mask
+ * could be used to open the underlying file (if
+ * it existed), as we're passing in zero for the
+ * access mask to the base filename.
+ */
+ status = check_base_file_access(conn,
+ smb_fname_base,
+ access_mask);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10, ("Permission check "
+ "for base %s failed: "
+ "%s\n", smb_fname->base_name,
+ nt_errstr(status)));
+ goto fail;
+ }
}
/* Open the base file. */
--
1.8.4.1
meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
+1
View File
@@ -34,6 +34,7 @@ SRC_URI += "\
file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \ file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \
file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \ file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \
file://samba-3.6.16-CVE-2013-4124.patch;patchdir=.. \ file://samba-3.6.16-CVE-2013-4124.patch;patchdir=.. \
file://samba-3.6.19-CVE-2013-4475.patch;patchdir=.. \
" "
SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be" SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"
SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de" SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"