-From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:18:12 -0800
-Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
- that can be used to prevent operations on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
- 1 file changed, 28 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 26b6523..7f47579 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
- files_struct *fsp,
- const SMB_STRUCT_STAT *psbuf);
-
-+/****************************************************************************
-+ Check if an open file handle or pathname is a symlink.
-+****************************************************************************/
-+
-+static NTSTATUS refuse_symlink(connection_struct *conn,
-+ const files_struct *fsp,
-+ const char *name)
-+{
-+ SMB_STRUCT_STAT sbuf;
-+ const SMB_STRUCT_STAT *pst = NULL;
-+
-+ if (fsp) {
-+ pst = &fsp->fsp_name->st;
-+ } else {
-+ int ret = vfs_stat_smb_fname(conn,
-+ name,
-+ &sbuf);
-+ if (ret == -1) {
-+ return map_nt_error_from_unix(errno);
-+ }
-+ pst = &sbuf;
-+ }
-+ if (S_ISLNK(pst->st_ex_mode)) {
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+ return NT_STATUS_OK;
-+}
-+
- /********************************************************************
- Roundup a value to the nearest allocation roundup size boundary.
- Only do this for Windows clients.
---
-2.5.0
-
-
-From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 10:38:28 -0800
-Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a
- POSIX file handle on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/nttrans.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
-index 4c145e0..7255600 100644
---- a/source3/smbd/nttrans.c
-+++ b/source3/smbd/nttrans.c
-@@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
- return NT_STATUS_ACCESS_DENIED;
- }
-
-+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
-+ DEBUG(10, ("ACL get on symlink %s denied.\n",
-+ fsp_str_dbg(fsp)));
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
- if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
- SECINFO_GROUP|SECINFO_SACL)) {
- /* Don't return SECINFO_LABEL if anything else was
---
-2.5.0
-
-
-From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 10:52:50 -0800
-Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a
- POSIX file handle on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/nttrans.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
-index 7255600..d2102ca 100644
---- a/source3/smbd/nttrans.c
-+++ b/source3/smbd/nttrans.c
-@@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
- return NT_STATUS_OK;
- }
-
-+ if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
-+ DEBUG(10, ("ACL set on symlink %s denied.\n",
-+ fsp_str_dbg(fsp)));
-+ return NT_STATUS_ACCESS_DENIED;
-+ }
-+
- if (psd->owner_sid == NULL) {
- security_info_sent &= ~SECINFO_OWNER;
- }
---
-2.5.0
-
-
-From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:22:12 -0800
-Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a
- symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 7f47579..2f01e87 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
- uint16 num_def_acls;
- bool valid_file_acls = True;
- bool valid_def_acls = True;
-+ NTSTATUS status;
-
- if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
- return NT_STATUS_INVALID_PARAMETER;
-@@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
- return NT_STATUS_INVALID_PARAMETER;
- }
-
-+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
- DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
- smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
- (unsigned int)num_file_acls,
---
-2.5.0
-
-
-From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:24:36 -0800
-Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a
- symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 2f01e87..3a098d1 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
- uint16 num_file_acls = 0;
- uint16 num_def_acls = 0;
-
-+ status = refuse_symlink(conn,
-+ fsp,
-+ smb_fname->base_name);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
- if (fsp && fsp->fh->fd != -1) {
- file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
- } else {
---
-2.5.0
-
-
-From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:05:48 -0800
-Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows
- removal of code duplication.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 3a098d1..6fdd1da 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
- size_t num_names;
- ssize_t sizeret = -1;
-
-+ if (pnames) {
-+ *pnames = NULL;
-+ }
-+ *pnum_names = 0;
-+
- if (!lp_ea_support(SNUM(conn))) {
-- if (pnames) {
-- *pnames = NULL;
-- }
-- *pnum_names = 0;
- return NT_STATUS_OK;
- }
-
-@@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
-
- if (sizeret == 0) {
- TALLOC_FREE(names);
-- if (pnames) {
-- *pnames = NULL;
-- }
-- *pnum_names = 0;
- return NT_STATUS_OK;
- }
-
---
-2.5.0
-
-
-From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:29:38 -0800
-Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's
- available on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 6fdd1da..8b6e4b2 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
- char **names, **tmp;
- size_t num_names;
- ssize_t sizeret = -1;
-+ NTSTATUS status;
-
- if (pnames) {
- *pnames = NULL;
-@@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
- return NT_STATUS_OK;
- }
-
-+ status = refuse_symlink(conn, fsp, fname);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ /*
-+ * Just return no EA's on a symlink.
-+ */
-+ return NT_STATUS_OK;
-+ }
-+
- /*
- * TALLOC the result early to get the talloc hierarchy right.
- */
---
-2.5.0
-
-
-From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001
-From: Jeremy Allison <jra@samba.org>
-Date: Tue, 5 Jan 2016 11:33:48 -0800
-Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
-
-Signed-off-by: Jeremy Allison <jra@samba.org>
-Reviewed-by: Michael Adam <obnox@samba.org>
----
- source3/smbd/trans2.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
-index 8b6e4b2..98fd2af 100644
---- a/source3/smbd/trans2.c
-+++ b/source3/smbd/trans2.c
-@@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
- const struct smb_filename *smb_fname, struct ea_list *ea_list)
- {
- char *fname = NULL;
-+ NTSTATUS status;
-
- if (!lp_ea_support(SNUM(conn))) {
- return NT_STATUS_EAS_NOT_SUPPORTED;
-@@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
- return NT_STATUS_ACCESS_DENIED;
- }
-
-+ status = refuse_symlink(conn, fsp, smb_fname->base_name);
-+ if (!NT_STATUS_IS_OK(status)) {
-+ return status;
-+ }
-+
-+
- /* For now setting EAs on streams isn't supported. */
- fname = smb_fname->base_name;
-
---
-2.5.0
-
projects / ipfire-2.x.git / blobdiff