Jeremy Allison [Thu, 9 Sep 2010 13:54:23 +0000 (15:54 +0200)]
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
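As an added illustration (not Samba's sid_parse() or dom_sid_parse(); the real code and its constants are not on this page), a binary-SID parser that performs the two length checks the description says were missing: the sub-authority count is bounded by the fixed destination array, and the buffer is confirmed to hold everything the header promises before any byte is read. The wire layout, the MAX_SUBAUTHS value and the sample buffers are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed wire layout (not taken from Samba): byte 0 revision, byte 1
 * sub-authority count n, bytes 2..7 the 6-byte identifier authority, then
 * n little-endian 32-bit sub-authorities. */
#define SID_HEADER_LEN 8
#define MAX_SUBAUTHS   15      /* size of the fixed array below (assumed) */

struct sid {
    uint8_t  revision;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[MAX_SUBAUTHS];   /* fixed-size: the count must be bounded */
};

/* Parse a binary SID. Returns true and fills *out only when the count fits
 * the destination array and every byte the header promises lies inside
 * buf[0..len); otherwise returns false and leaves *out untouched.
 * These two checks are exactly what an unchecked parser omits. */
bool sid_parse_checked(const uint8_t *buf, size_t len, struct sid *out)
{
    if (buf == NULL || out == NULL || len < SID_HEADER_LEN)
        return false;
    uint8_t n = buf[1];
    if (n > MAX_SUBAUTHS)                      /* would overrun sub_auths[] */
        return false;
    if (len < SID_HEADER_LEN + (size_t)n * 4)  /* would read past the buffer */
        return false;

    struct sid tmp = {0};
    tmp.revision  = buf[0];
    tmp.num_auths = n;
    memcpy(tmp.id_auth, buf + 2, sizeof tmp.id_auth);
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = buf + SID_HEADER_LEN + i * 4;
        tmp.sub_auths[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    *out = tmp;
    return true;
}

/* Constructed sample inputs. */
static const uint8_t sid_ok[]    = {1, 2, 0,0,0,0,0,5, 21,0,0,0, 32,0,0,0}; /* S-1-5-21-32 */
static const uint8_t sid_short[] = {1, 3, 0,0,0,0,0,5, 21,0,0,0};           /* claims 3, carries 1 */
static const uint8_t sid_big[]   = {1, 200, 0,0,0,0,0,5};                   /* count > MAX_SUBAUTHS */
```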
Addresses bug #7459 (after upgrade to samba 3.4 and 3.5 lose ability to control duplex
for normal domain user).
(cherry picked from commit 286f4b53993fab0ffc53e5619e2987dfb13b0ec2)
Björn Jacke [Fri, 28 May 2010 23:40:21 +0000 (01:40 +0200)]
s3: fix check for pie compiler flags
some compilers (HP and Sun e.g.) output warning messages on stderr for unknown
options and we ended up partly using some unwanted random compile flags we
didn't intend to use.
(cherry picked from commit e8468ab02b201885b6a211c4b27913014ee9a5a2)
Björn Jacke [Mon, 24 May 2010 21:34:00 +0000 (23:34 +0200)]
s3:configure: turn "error warnings" into errors
By default "Missing argument(s)" is just an "error warning" for xlc :-)
The change to turn "error warnings" into errors should fix bug #7427.
(cherry picked from commit ff0872d59d78ad42212c88313ef924ea4eb7a8a1)
Matthieu Patou [Fri, 21 May 2010 07:57:29 +0000 (11:57 +0400)]
s3: Allow previous password to be stored and use it to check tickets
This patch is to fix bug 7099. It stores the current password in the
previous password key when the password is changed. It also checks the
user ticket against the previous password.
Signed-off-by: Günther Deschner <gd@samba.org>
Fix bug #7099 (Every Thursday at 11:08-11:15am Windows Client
Connections break with Kerberos errors).
(cherry picked from commit 89eea1fa9154c67ae4d3e729a8db7ad17ec9b9d7)
Günther Deschner [Tue, 25 May 2010 12:13:20 +0000 (14:13 +0200)]
s3-selftest: enable RPC-WINREG against s3.
Guenther
The last 4 patches address bug #7453 (winreg: QueryValue crashes on NULL pointer
dereference).
(cherry picked from commit 73d413524e62796fdcfa4ac06a6499ecd6b9978f)
Jeremy Allison [Thu, 20 May 2010 21:30:44 +0000 (14:30 -0700)]
Fix what looks like a cut-and-paste error in our read_negTokenInit() function.
We should never be calling asn1_push_XXX functions inside an asn1
reading function. Change asn1_push_tag() -> asn1_start_tag() and
asn1_pop_tag() -> asn1_end_tag(). This allows us to connect to a
NetApp filer at the Microsoft plugfest.
Jeremy Allison [Thu, 20 May 2010 18:36:47 +0000 (11:36 -0700)]
Fix bug #7410 - samba sends "raw" inode number as uniqueid with unix extensions.
Move to a consistent get_FileIndex() function for all inode returns,
that checks if st_dev on the file is identical to the top directory
dev_t of the exported share, and if so uses the raw 64-bit inode
number. If it isn't (we've traversed a mount point) - return what
we used to do for Windows which is the concatenation of the bottom
32-bits of the inode with the 32-bit device number. We can get more
creative with this over time (hashing?) if we want as now all inode returns go
through this single function.
Günther Deschner [Fri, 14 May 2010 22:34:35 +0000 (00:34 +0200)]
s3-kerberos: temporary fix for ipv6 in print_kdc_line().
Currently no krb5 lib supports "kdc = ipv6 address" at all, so for now just fill
in the kdc_name if we have it and let the krb5 lib figure out the
appropriate ipv6 address
Jeff Layton [Wed, 12 May 2010 11:05:10 +0000 (07:05 -0400)]
mount.cifs: check for NULL addr pointer before handling scopeid
Signed-off-by: Jeff Layton <jlayton@redhat.com>
Fix bug #7315 (mount.cifs segfaults after upgrade to 2.6.33).
(cherry picked from commit 78a6eb582d28d92db5ffab6ded40785be54cf540)
Karolin Seeger [Wed, 12 May 2010 09:24:57 +0000 (11:24 +0200)]
s3-docs: Move -D option to the right paragraph in man winbindd.
Fix bug #7260 (Command line option documentation in wrong place in winbindd man
page.). Thanks to Ged Haywood <samba@jubileegroup.co.uk> for reporting!
Björn Jacke [Wed, 5 May 2010 18:17:39 +0000 (20:17 +0200)]
s3:configure: not simply check for "ld" but for the linker used by $CC
this hopefully fixes Solaris' gcc build which uses the system ld by default.
All in all we should clean up most of the compiler and linker flags depending
on the actual compilers and linkers we use. Only some tweaks are OS-specific.
A cleanup in this area should be done along with the move to a new build
system (whensoever that will be ...).
(cherry picked from commit 1969b4acc3fd7c124e288d0495b9b4665d4b42db)
Luca Olivetti [Tue, 4 May 2010 22:07:57 +0000 (15:07 -0700)]
Fix bug #7263 - Unable to print using Samba 3.5.1 and cups-1.1.23-40.46 on SLES10.
Fix cups encryption setting
I had the same problem and it's due to the fact that samba doesn't respect the
"cups encryption" setting since lp_cups_encrypt changes the value: if you set
"cups encryption=no", the first call will change it to HTTP_ENCRYPT_NEVER,
since that is 1 (i.e. true), the next call will change it to
HTTP_ENCRYPT_ALWAYS and after that it'll remain set as HTTP_ENCRYPT_ALWAYS.
This patch fixes this problem.
add_trusted_domain() for a new domain always needs to be followed by a
setup_domain_child(). This was not always done, in particular not when walking
to the forest root for additional trusts.
This is a minimal patch, we need to fix add_trusted_domain().
Based on a patch from Michael Karcher <samba@mkarcher.dialup.fu-berlin.de>.
I think this is the correct fix. It causes cups_job_submit to use
print_parse_jobid(), which I've moved into printing/lpq_parse.c (to allow the
link to work).
It turns out the old print_parse_jobid() was *broken*, in that the pjob
filename was set as an absolute path - not relative to the sharename (due to it
not going through the VFS calls).
This meant that the original code doing a strncmp on the first part of the
filename would always fail - it starts with a "/", not the relative pathname of
PRINT_SPOOL_PREFIX ("smbprn.").
This fix could fix some other mysterious printing bugs - probably the ones
Guenther noticed where job control fails on non-cups backends.
libwbclient: Re-Fix a bug that was fixed with e5741e27c4c
> r21878: Fix a bug with smbd serving a windows terminal server: If winbind
> decides smbd to be idle it might happen that smbd needs to do a winbind
> operation (for example sid2name) as non-root. This then fails to get the
> privileged pipe. When later on on the same connection another authentication
> request comes in, we try to do the CRAP auth via the non-privileged pipe.
>
> This adds a winbindd_priv_request_response() request that kills the existing
> winbind pipe connection if it's not privileged.
The fix for this was lost during the conversion to libwbclient.
Thanks to Ira Cooper <samba@ira.wakeful.net> for pointing this out!
s3:winbindd: fix problems with SIGCHLD handling (bug #7317)
The main problem is that we call CatchChild() within the
parent winbindd, which overwrites the signal handler
that was registered by winbindd_setup_sig_chld_handler().
That means winbindd_sig_chld_handler() and winbind_child_died()
are never triggered when a winbindd domain child dies.
As a result we will get "broken pipe" for all requests to that domain.
To reduce the risk of similar bugs in future we call
CatchChild() in winbindd_reinit_after_fork() now.
We also use a full winbindd_reinit_after_fork() in the
cache validation child now instead of just resetting
the SIGCHLD handler by hand. This will also fix possible
tdb problems on systems without pread/pwrite and disabled mmap
as we now correctly reopen the tdb handle for the child.
Jeremy Allison [Fri, 9 Apr 2010 03:32:36 +0000 (20:32 -0700)]
Fix bug #7339 - MSDFS is non-functional in 3.5.x
In the refactoring around filename_convert, the split between the functions
resolve_dfspath() and resolve_dfspath_wcard() was lost, leaving us only with
resolve_dfspath_wcard().
Internally resolve_dfspath_wcard() calls dfs_redirect() only with an
"allow_wcards" flag of true, whereas the old resolve_dfspath() would call with a
value of false. The loss of this case causes dfs_redirect to always masquerade
DFS links as directories, even when they are being queried directly by a trans2
QPATHINFO call. We should only masquerade DFS links as directories when called
from a SMBsearch or trans2 findfirst/findnext - which was the intent of the
"allow_wcards" flag.
This patch adds back an allow_wcards bool parameter to
resolve_dfspath_wcard(). This bool is set from the state of the ucf_flags when
filename_convert() is called.
I will follow this up with a new smbclient-based torture test that will prevent
us from ever regressing our DFS support again.
Michael Adam [Mon, 8 Feb 2010 10:01:47 +0000 (11:01 +0100)]
s3:registry: eliminate race condition in creating/scanning sorted subkeys
Called from key_exists, scan_sorted_subkeys re-creates the sorted
subkeys record of the given key and then searches through it.
The race is that between creation and parsing of the sorted subkey
record, another process that stores some other subkey of the same
parent key will delete the sorted subkey record, resulting in a
WERR_BADFILE of an operation that should actually succeed.
This patch fixes the issue by wrapping the creation and parsing
into a transaction.