~ubuntu-branches/ubuntu/maverick/samba/maverick-security


Viewing changes to debian/patches/security-CVE-2009-2948.patch

  • Committer: Bazaar Package Importer
  • Author(s): Chuck Short
  • Date: 2010-01-29 06:16:15 UTC
  • mfrom: (0.27.9 upstream) (0.34.4 squeeze)
  • Revision ID: james.westby@ubuntu.com-20100129061615-37hs6xqpsdhjq3ld
Tags: 2:3.4.5~dfsg-1ubuntu1
* Merge from debian testing.  Remaining changes:
  + debian/patches/VERSION.patch:
    - set SAMBA_VERSION_SUFFIX to Ubuntu.
  + debian/smb.conf:
    - Add "(Samba, Ubuntu)" to server string.
    - Comment out the default [homes] share, and add a comment about "valid users = %s"
      to show users how to restrict access to \\server\username to only username.
    - Set 'usershare allow guests', so that usershare admins are allowed to create
      public shares in addition to authenticated ones.
    - add map to guest = Bad user, maps bad username to guest access.
  + debian/samba-common.conf:
    - Do not change priority to high if dhclient3 is installed.
    - Use priority medium instead of high for the workgroup question.
  + debian/mksambapasswd.awk:
    - Do not add user with UID less than 1000 to smbpasswd.
  + debian/control: 
    - Make libswbclient0 replace/conflict with hardy's likewise-open.
    - Don't build against ctdb, since it's not in main yet.
  + debian/rules:
    - Enable "native" PIE hardening.
    - Add BIND_NOW to maximize benefit of RELRO hardening.
  + Add ufw integration:
    - Created debian/samba.ufw.profile.
    - debian/rules, debian/samba.dirs, debian/samba.files: install
  + Add apport hook:
    - Created debian/source_samba.py.
    - debian/rules, debian/samba.dirs, debian/samba-common-bin.files: install
  + debian/rules, debian/samba.if-up: allow "NetworkManager" as a recognized address
    family... it's obviously /not/ an address family, but it's what gets
    sent when using NM, so we'll cope for now.  (LP: #462169). Taken from karmic-proposed.
  + debian/control: Recommend keyutils for smbfs (LP: #493565)
  + Dropped patches:
    - debian/patches/security-CVE-2009-3297.patch: No longer needed
    - debian/patches/fix-too-many-open-files.patch: No longer needed

1
 
#
2
 
# Description: fix credentials file disclosure and unauthorized usage via setuid mount.cifs
3
 
# Patch: http://www.samba.org/samba/ftp/patches/security/samba-3.4.1-CVE-2009-2948-1.patch
4
 
# Patch: http://www.samba.org/samba/ftp/patches/security/samba-3.4.1-CVE-2009-2948-2.patch
5
 
#
6
 
diff -Nur samba-3.4.0/source3/client/mount.cifs.c samba-3.4.0.new/source3/client/mount.cifs.c
7
 
--- samba-3.4.0/source3/client/mount.cifs.c     2009-07-03 07:21:14.000000000 -0400
8
 
+++ samba-3.4.0.new/source3/client/mount.cifs.c 2009-09-29 08:34:44.000000000 -0400
9
 
@@ -198,6 +198,11 @@
10
 
        char * temp_val;
11
 
        FILE * fs;
12
 
        int i, length;
13
 
+
14
 
+       i = access(file_name, R_OK);
15
 
+       if (i)
16
 
+               return i;
17
 
+
18
 
        fs = fopen(file_name,"r");
19
 
        if(fs == NULL)
20
 
                return errno;
21
 
@@ -320,6 +325,12 @@
22
 
        }
23
 
 
24
 
        if(filename != NULL) {
25
 
+               rc = access(filename, R_OK);
26
 
+               if (rc) {
27
 
+                       fprintf(stderr, "mount.cifs failed: access check of %s failed: %s\n",
28
 
+                                       filename, strerror(errno));
29
 
+                       exit(EX_SYSERR);
30
 
+               }
31
 
                file_descript = open(filename, O_RDONLY);
32
 
                if(file_descript < 0) {
33
 
                        printf("mount.cifs failed. %s attempting to open password file %s\n",
34
 
@@ -379,9 +390,6 @@
35
 
                return 1;
36
 
        data = *optionsp;
37
 
 
38
 
-       if(verboseflag)
39
 
-               printf("parsing options: %s\n", data);
40
 
-
41
 
        /* BB fixme check for separator override BB */
42
 
 
43
 
        if (getuid()) {
44
 
@@ -470,18 +478,27 @@
45
 
                } else if (strncmp(data, "pass", 4) == 0) {
46
 
                        if (!value || !*value) {
47
 
                                if(got_password) {
48
 
-                                       printf("\npassword specified twice, ignoring second\n");
49
 
+                                       fprintf(stderr, "\npassword specified twice, ignoring second\n");
50
 
                                } else
51
 
                                        got_password = 1;
52
 
-                       } else if (strnlen(value, 17) < 17) {
53
 
-                               if(got_password)
54
 
-                                       printf("\nmount.cifs warning - password specified twice\n");
55
 
-                               got_password = 1;
56
 
+                       } else if (strnlen(value, MOUNT_PASSWD_SIZE) < MOUNT_PASSWD_SIZE) {
57
 
+                               if (got_password) {
58
 
+                                       fprintf(stderr, "\nmount.cifs warning - password specified twice\n");
59
 
+                               } else {
60
 
+                                       mountpassword = strndup(value, MOUNT_PASSWD_SIZE);
61
 
+                                       if (!mountpassword) {
62
 
+                                               fprintf(stderr, "mount.cifs error: %s", strerror(ENOMEM));
63
 
+                                               SAFE_FREE(out);
64
 
+                                               return 1;
65
 
+                                       }
66
 
+                                       got_password = 1;
67
 
+                               }
68
 
                        } else {
69
 
-                               printf("password too long\n");
70
 
+                               fprintf(stderr, "password too long\n");
71
 
                                SAFE_FREE(out);
72
 
                                return 1;
73
 
                        }
74
 
+                       goto nocopy;
75
 
                } else if (strncmp(data, "sec", 3) == 0) {
76
 
                        if (value) {
77
 
                                if (!strncmp(value, "none", 4) ||
78
 
@@ -1384,15 +1401,6 @@
79
 
                        strlcat(options,domain_name,options_size);
80
 
                }
81
 
        }
82
 
-       if(mountpassword) {
83
 
-               /* Commas have to be doubled, or else they will
84
 
-               look like the parameter separator */
85
 
-/*             if(sep is not set)*/
86
 
-               if(retry == 0)
87
 
-                       check_for_comma(&mountpassword);
88
 
-               strlcat(options,",pass=",options_size);
89
 
-               strlcat(options,mountpassword,options_size);
90
 
-       }
91
 
 
92
 
        strlcat(options,",ver=",options_size);
93
 
        strlcat(options,MOUNT_CIFS_VERSION_MAJOR,options_size);
94
 
@@ -1405,8 +1413,6 @@
95
 
                strlcat(options,",prefixpath=",options_size);
96
 
                strlcat(options,prefixpath,options_size); /* no need to cat the / */
97
 
        }
98
 
-       if(verboseflag)
99
 
-               printf("\nmount.cifs kernel mount options %s \n",options);
100
 
 
101
 
        /* convert all '\\' to '/' in share portion so that /proc/mounts looks pretty */
102
 
        replace_char(dev_name, '\\', '/', strlen(share_name));
103
 
@@ -1438,6 +1444,25 @@
104
 
                }
105
 
        }
106
 
 
107
 
+       if(verboseflag)
108
 
+               fprintf(stderr, "\nmount.cifs kernel mount options: %s", options);
109
 
+
110
 
+       if (mountpassword) {
111
 
+               /*
112
 
+                * Commas have to be doubled, or else they will
113
 
+                * look like the parameter separator
114
 
+                */
115
 
+               if(retry == 0)
116
 
+                       check_for_comma(&mountpassword);
117
 
+               strlcat(options,",pass=",options_size);
118
 
+               strlcat(options,mountpassword,options_size);
119
 
+               if (verboseflag)
120
 
+                       fprintf(stderr, ",pass=********");
121
 
+       }
122
 
+
123
 
+       if (verboseflag)
124
 
+               fprintf(stderr, "\n");
125
 
+
126
 
        if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
127
 
                switch (errno) {
128
 
                case ECONNREFUSED:
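Review bot: The `access(file_name, R_OK)` check placed ahead of `fopen(file_name,"r")` in the patch's first hunk is a check-then-use pair on a path name, so the file that gets opened is not guaranteed to be the one that was checked; in a setuid binary (the patch header describes mount.cifs as setuid) the path can be re-pointed between the two calls. The second hunk has the same shape, with `access(filename, R_OK)` followed by `open(filename, O_RDONLY)`. A sturdier form performs the open itself under the invoking user's identity, or opens first and validates the descriptor with `fstat()`, instead of testing the name beforehand. Separately, the first hunk's `return i;` hands back -1 where the neighbouring `fopen` failure path returns `errno`; `if (access(file_name, R_OK)) return errno;` would keep the two consistent. Both enclosing functions start and end outside the hunks shown.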