]> git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/samba/CVE-2015-7560-v3-6.patch
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'next' of ssh://git.ipfire.org/pub/git/ipfire-2.x into next-suricata
[ipfire-2.x.git] / src / patches / samba / CVE-2015-7560-v3-6.patch
1 From eb27f9b7bf9c1dc902d9545eecf805831bd4e46c Mon Sep 17 00:00:00 2001
2 From: Jeremy Allison <jra@samba.org>
3 Date: Tue, 5 Jan 2016 11:18:12 -0800
4 Subject: [PATCH 1/8] CVE-2015-7560: s3: smbd: Add refuse_symlink() function
5 that can be used to prevent operations on a symlink.
6
7 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
8
9 Signed-off-by: Jeremy Allison <jra@samba.org>
10 Reviewed-by: Michael Adam <obnox@samba.org>
11 ---
12 source3/smbd/trans2.c | 28 ++++++++++++++++++++++++++++
13 1 file changed, 28 insertions(+)
14
15 diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
16 index 26b6523..7f47579 100644
17 --- a/source3/smbd/trans2.c
18 +++ b/source3/smbd/trans2.c
19 @@ -51,6 +51,34 @@ static char *store_file_unix_basic_info2(connection_struct *conn,
20 files_struct *fsp,
21 const SMB_STRUCT_STAT *psbuf);
22
23 +/****************************************************************************
24 + Check if an open file handle or pathname is a symlink.
25 +****************************************************************************/
26 +
27 +static NTSTATUS refuse_symlink(connection_struct *conn,
28 + const files_struct *fsp,
29 + const char *name)
30 +{
31 + SMB_STRUCT_STAT sbuf;
32 + const SMB_STRUCT_STAT *pst = NULL;
33 +
34 + if (fsp) {
35 + pst = &fsp->fsp_name->st;
36 + } else {
37 + int ret = vfs_stat_smb_fname(conn,
38 + name,
39 + &sbuf);
40 + if (ret == -1) {
41 + return map_nt_error_from_unix(errno);
42 + }
43 + pst = &sbuf;
44 + }
45 + if (S_ISLNK(pst->st_ex_mode)) {
46 + return NT_STATUS_ACCESS_DENIED;
47 + }
48 + return NT_STATUS_OK;
49 +}
50 +
51 /********************************************************************
52 Roundup a value to the nearest allocation roundup size boundary.
53 Only do this for Windows clients.
54 --
55 2.5.0
56
57
58 From f5b1bcc51e18bc85f376701bb4ae6894d97addfd Mon Sep 17 00:00:00 2001
59 From: Jeremy Allison <jra@samba.org>
60 Date: Tue, 5 Jan 2016 10:38:28 -0800
61 Subject: [PATCH 2/8] CVE-2015-7560: s3: smbd: Refuse to get an ACL from a
62 POSIX file handle on a symlink.
63
64 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
65
66 Signed-off-by: Jeremy Allison <jra@samba.org>
67 Reviewed-by: Michael Adam <obnox@samba.org>
68 ---
69 source3/smbd/nttrans.c | 6 ++++++
70 1 file changed, 6 insertions(+)
71
72 diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
73 index 4c145e0..7255600 100644
74 --- a/source3/smbd/nttrans.c
75 +++ b/source3/smbd/nttrans.c
76 @@ -1925,6 +1925,12 @@ NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
77 return NT_STATUS_ACCESS_DENIED;
78 }
79
80 + if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
81 + DEBUG(10, ("ACL get on symlink %s denied.\n",
82 + fsp_str_dbg(fsp)));
83 + return NT_STATUS_ACCESS_DENIED;
84 + }
85 +
86 if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
87 SECINFO_GROUP|SECINFO_SACL)) {
88 /* Don't return SECINFO_LABEL if anything else was
89 --
90 2.5.0
91
92
93 From 8bdbe1c90c98efbd08fc70d773d236c4ba00b1ae Mon Sep 17 00:00:00 2001
94 From: Jeremy Allison <jra@samba.org>
95 Date: Tue, 5 Jan 2016 10:52:50 -0800
96 Subject: [PATCH 3/8] CVE-2015-7560: s3: smbd: Refuse to set an ACL from a
97 POSIX file handle on a symlink.
98
99 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
100
101 Signed-off-by: Jeremy Allison <jra@samba.org>
102 Reviewed-by: Michael Adam <obnox@samba.org>
103 ---
104 source3/smbd/nttrans.c | 6 ++++++
105 1 file changed, 6 insertions(+)
106
107 diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
108 index 7255600..d2102ca 100644
109 --- a/source3/smbd/nttrans.c
110 +++ b/source3/smbd/nttrans.c
111 @@ -877,6 +877,12 @@ NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
112 return NT_STATUS_OK;
113 }
114
115 + if (S_ISLNK(fsp->fsp_name->st.st_ex_mode)) {
116 + DEBUG(10, ("ACL set on symlink %s denied.\n",
117 + fsp_str_dbg(fsp)));
118 + return NT_STATUS_ACCESS_DENIED;
119 + }
120 +
121 if (psd->owner_sid == NULL) {
122 security_info_sent &= ~SECINFO_OWNER;
123 }
124 --
125 2.5.0
126
127
128 From 612b032e2dedd3e07bbe79718ecbb3b68ffbb7a5 Mon Sep 17 00:00:00 2001
129 From: Jeremy Allison <jra@samba.org>
130 Date: Tue, 5 Jan 2016 11:22:12 -0800
131 Subject: [PATCH 4/8] CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a
132 symlink.
133
134 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
135
136 Signed-off-by: Jeremy Allison <jra@samba.org>
137 Reviewed-by: Michael Adam <obnox@samba.org>
138 ---
139 source3/smbd/trans2.c | 6 ++++++
140 1 file changed, 6 insertions(+)
141
142 diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
143 index 7f47579..2f01e87 100644
144 --- a/source3/smbd/trans2.c
145 +++ b/source3/smbd/trans2.c
146 @@ -6480,6 +6480,7 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
147 uint16 num_def_acls;
148 bool valid_file_acls = True;
149 bool valid_def_acls = True;
150 + NTSTATUS status;
151
152 if (total_data < SMB_POSIX_ACL_HEADER_SIZE) {
153 return NT_STATUS_INVALID_PARAMETER;
154 @@ -6507,6 +6508,11 @@ static NTSTATUS smb_set_posix_acl(connection_struct *conn,
155 return NT_STATUS_INVALID_PARAMETER;
156 }
157
158 + status = refuse_symlink(conn, fsp, smb_fname->base_name);
159 + if (!NT_STATUS_IS_OK(status)) {
160 + return status;
161 + }
162 +
163 DEBUG(10,("smb_set_posix_acl: file %s num_file_acls = %u, num_def_acls = %u\n",
164 smb_fname ? smb_fname_str_dbg(smb_fname) : fsp_str_dbg(fsp),
165 (unsigned int)num_file_acls,
166 --
167 2.5.0
168
169
170 From 28e6120d14e5a942df386db0444abaa93a764207 Mon Sep 17 00:00:00 2001
171 From: Jeremy Allison <jra@samba.org>
172 Date: Tue, 5 Jan 2016 11:24:36 -0800
173 Subject: [PATCH 5/8] CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a
174 symlink.
175
176 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
177
178 Signed-off-by: Jeremy Allison <jra@samba.org>
179 Reviewed-by: Michael Adam <obnox@samba.org>
180 ---
181 source3/smbd/trans2.c | 7 +++++++
182 1 file changed, 7 insertions(+)
183
184 diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
185 index 2f01e87..3a098d1 100644
186 --- a/source3/smbd/trans2.c
187 +++ b/source3/smbd/trans2.c
188 @@ -4959,6 +4959,13 @@ NTSTATUS smbd_do_qfilepathinfo(connection_struct *conn,
189 uint16 num_file_acls = 0;
190 uint16 num_def_acls = 0;
191
192 + status = refuse_symlink(conn,
193 + fsp,
194 + smb_fname->base_name);
195 + if (!NT_STATUS_IS_OK(status)) {
196 + return status;
197 + }
198 +
199 if (fsp && fsp->fh->fd != -1) {
200 file_acl = SMB_VFS_SYS_ACL_GET_FD(fsp);
201 } else {
202 --
203 2.5.0
204
205
206 From 659bdb80aa65c02cf4f44377cc3bcffb2a817ee0 Mon Sep 17 00:00:00 2001
207 From: Jeremy Allison <jra@samba.org>
208 Date: Tue, 5 Jan 2016 11:05:48 -0800
209 Subject: [PATCH 6/8] CVE-2015-7560: s3: smbd: Set return values early, allows
210 removal of code duplication.
211
212 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
213
214 Signed-off-by: Jeremy Allison <jra@samba.org>
215 Reviewed-by: Michael Adam <obnox@samba.org>
216 ---
217 source3/smbd/trans2.c | 13 +++++--------
218 1 file changed, 5 insertions(+), 8 deletions(-)
219
220 diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
221 index 3a098d1..6fdd1da 100644
222 --- a/source3/smbd/trans2.c
223 +++ b/source3/smbd/trans2.c
224 @@ -210,11 +210,12 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
225 size_t num_names;
226 ssize_t sizeret = -1;
227
228 + if (pnames) {
229 + *pnames = NULL;
230 + }
231 + *pnum_names = 0;
232 +
233 if (!lp_ea_support(SNUM(conn))) {
234 - if (pnames) {
235 - *pnames = NULL;
236 - }
237 - *pnum_names = 0;
238 return NT_STATUS_OK;
239 }
240
241 @@ -264,10 +265,6 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
242
243 if (sizeret == 0) {
244 TALLOC_FREE(names);
245 - if (pnames) {
246 - *pnames = NULL;
247 - }
248 - *pnum_names = 0;
249 return NT_STATUS_OK;
250 }
251
252 --
253 2.5.0
254
255
256 From 4ba5e7cf01b8074b0313ecb7e218355d771df1cc Mon Sep 17 00:00:00 2001
257 From: Jeremy Allison <jra@samba.org>
258 Date: Tue, 5 Jan 2016 11:29:38 -0800
259 Subject: [PATCH 7/8] CVE-2015-7560: s3: smbd: Silently return no EA's
260 available on a symlink.
261
262 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
263
264 Signed-off-by: Jeremy Allison <jra@samba.org>
265 Reviewed-by: Michael Adam <obnox@samba.org>
266 ---
267 source3/smbd/trans2.c | 9 +++++++++
268 1 file changed, 9 insertions(+)
269
270 diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
271 index 6fdd1da..8b6e4b2 100644
272 --- a/source3/smbd/trans2.c
273 +++ b/source3/smbd/trans2.c
274 @@ -209,6 +209,7 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
275 char **names, **tmp;
276 size_t num_names;
277 ssize_t sizeret = -1;
278 + NTSTATUS status;
279
280 if (pnames) {
281 *pnames = NULL;
282 @@ -219,6 +220,14 @@ NTSTATUS get_ea_names_from_file(TALLOC_CTX *mem_ctx, connection_struct *conn,
283 return NT_STATUS_OK;
284 }
285
286 + status = refuse_symlink(conn, fsp, fname);
287 + if (!NT_STATUS_IS_OK(status)) {
288 + /*
289 + * Just return no EA's on a symlink.
290 + */
291 + return NT_STATUS_OK;
292 + }
293 +
294 /*
295 * TALLOC the result early to get the talloc hierarchy right.
296 */
297 --
298 2.5.0
299
300
301 From 9d8c7274ab87a0c07367e872ca1db7fd72886fde Mon Sep 17 00:00:00 2001
302 From: Jeremy Allison <jra@samba.org>
303 Date: Tue, 5 Jan 2016 11:33:48 -0800
304 Subject: [PATCH 8/8] CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
305
306 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
307
308 Signed-off-by: Jeremy Allison <jra@samba.org>
309 Reviewed-by: Michael Adam <obnox@samba.org>
310 ---
311 source3/smbd/trans2.c | 7 +++++++
312 1 file changed, 7 insertions(+)
313
314 diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
315 index 8b6e4b2..98fd2af 100644
316 --- a/source3/smbd/trans2.c
317 +++ b/source3/smbd/trans2.c
318 @@ -584,6 +584,7 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
319 const struct smb_filename *smb_fname, struct ea_list *ea_list)
320 {
321 char *fname = NULL;
322 + NTSTATUS status;
323
324 if (!lp_ea_support(SNUM(conn))) {
325 return NT_STATUS_EAS_NOT_SUPPORTED;
326 @@ -593,6 +594,12 @@ NTSTATUS set_ea(connection_struct *conn, files_struct *fsp,
327 return NT_STATUS_ACCESS_DENIED;
328 }
329
330 + status = refuse_symlink(conn, fsp, smb_fname->base_name);
331 + if (!NT_STATUS_IS_OK(status)) {
332 + return status;
333 + }
334 +
335 +
336 /* For now setting EAs on streams isn't supported. */
337 fname = smb_fname->base_name;
338
339 --
340 2.5.0
341
IPFire 2.x development tree