diff options
Diffstat (limited to 'meta-oe/recipes-connectivity/samba')
-rw-r--r-- | meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch | 102 | ||||
-rw-r--r-- | meta-oe/recipes-connectivity/samba/samba_3.6.8.bb | 1 |
2 files changed, 103 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch new file mode 100644 index 0000000..a435c08 --- /dev/null +++ b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.19-CVE-2013-4475.patch @@ -0,0 +1,102 @@ +Upstream-Status: Backport + +From 928910f01f951657ea4629a6d573ac00646d16f8 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison <jra@samba.org> +Date: Thu, 31 Oct 2013 13:48:42 -0700 +Subject: [PATCH] Fix bug #10229 - No access check verification on stream + files. + +https://bugzilla.samba.org/show_bug.cgi?id=10229 + +We need to check if the requested access mask +could be used to open the underlying file (if +it existed), as we're passing in zero for the +access mask to the base filename. + +Signed-off-by: Jeremy Allison <jra@samba.org> +--- + source3/smbd/open.c | 61 +++++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index 447de80..441b8cd 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -152,6 +152,48 @@ NTSTATUS smbd_check_open_rights(struct connection_struct *conn, + } + + /**************************************************************************** ++ Ensure when opening a base file for a stream open that we have permissions ++ to do so given the access mask on the base file. ++****************************************************************************/ ++ ++static NTSTATUS check_base_file_access(struct connection_struct *conn, ++ struct smb_filename *smb_fname, ++ uint32_t access_mask) ++{ ++ uint32_t access_granted = 0; ++ NTSTATUS status; ++ ++ status = smbd_calculate_access_mask(conn, smb_fname, ++ false, ++ access_mask, ++ &access_mask); ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(10, ("smbd_calculate_access_mask " ++ "on file %s returned %s\n", ++ smb_fname_str_dbg(smb_fname), ++ nt_errstr(status))); ++ return status; ++ } ++ ++ if (access_mask & (FILE_WRITE_DATA|FILE_APPEND_DATA)) { ++ uint32_t dosattrs; ++ if (!CAN_WRITE(conn)) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ dosattrs = dos_mode(conn, smb_fname); ++ if (IS_DOS_READONLY(dosattrs)) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ } ++ ++ ++ return smbd_check_open_rights(conn, ++ smb_fname, ++ access_mask, ++ &access_granted); ++} ++ ++/**************************************************************************** + fd support routines - attempt to do a dos_open. + ****************************************************************************/ + +@@ -3227,6 +3269,25 @@ static NTSTATUS create_file_unixpath(connection_struct *conn, + if (SMB_VFS_STAT(conn, smb_fname_base) == -1) { + DEBUG(10, ("Unable to stat stream: %s\n", + smb_fname_str_dbg(smb_fname_base))); ++ } else { ++ /* ++ * https://bugzilla.samba.org/show_bug.cgi?id=10229 ++ * We need to check if the requested access mask ++ * could be used to open the underlying file (if ++ * it existed), as we're passing in zero for the ++ * access mask to the base filename. ++ */ ++ status = check_base_file_access(conn, ++ smb_fname_base, ++ access_mask); ++ ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(10, ("Permission check " ++ "for base %s failed: " ++ "%s\n", smb_fname->base_name, ++ nt_errstr(status))); ++ goto fail; ++ } + } + + /* Open the base file. */ +-- +1.8.4.1 + diff --git a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb index 331796c..cf13a0f 100644 --- a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb +++ b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb @@ -34,6 +34,7 @@ SRC_URI += "\ file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \ file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \ file://samba-3.6.16-CVE-2013-4124.patch;patchdir=.. \ + file://samba-3.6.19-CVE-2013-4475.patch;patchdir=.. \ " SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be" SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de" |