Björn Jacke [Thu, 4 Aug 2011 14:25:08 +0000 (16:25 +0200)]
s3/swat: use strlcat instead of strncat to fix build on old Linux distros
SLES 9's glibc for example had weird macros where the use of strncat resulted
in the use of strcat which we don't allow.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Björn Jacke <bj@sernet.de>
Autobuild-Date: Thu Aug 4 17:50:24 CEST 2011 on sn-devel-104
s3:web/swat: use strtoll() instead of atoi/atol/atoll
This is more portable, as we have a strtoll replacement
in lib/replace.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Aug 6 11:55:45 CEST 2011 on sn-devel-104
(cherry picked from commit a6be0820d09b3f3eabfbb5f4356add303aa8a494)
Fix bug #8347 (CVE-2011-2522 regression for HP-UX, AIX and OSF).
Kai Blin [Tue, 12 Jul 2011 06:08:24 +0000 (08:08 +0200)]
s3 swat: Create random nonce in CGI mode
In CGI mode, we don't get access to the user's password, which would
reduce the hash used so far to parameters an attacker can easily guess.
To work around this, read the nonce from secrets.tdb or generate one if
it's not there.
Also populate the C_user field so we can use that for token creation.
Signed-off-by: Kai Blin <kai@samba.org>
The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
(cherry picked from commit 3973cfa50024983618a44ffdb9f756b642b85be7)
Kai Blin [Thu, 7 Jul 2011 08:03:33 +0000 (10:03 +0200)]
s3 swat: Fix possible XSS attack (bug #8289)
Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
against SWAT, the Samba Web Administration Tool. The attack uses reflection to
insert arbitrary content into the "change password" page.
This patch fixes the reflection issue by not printing user-specified content on
the website anymore.
s3:nmbd_packets: return the used number of sockets in create_listen_fdset() (bug #8276)
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open)
(commit feb3fcd0fa4bda0967b881315595d7702f4d1752) changed the bahavior,
so that we skipped some sockets.
Karolin Seeger [Sun, 27 Feb 2011 17:28:29 +0000 (18:28 +0100)]
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
(cherry picked from commit 724e44eed299c618066dec411530aa9f156119ec)
Jeremy Allison [Thu, 9 Sep 2010 13:43:07 +0000 (15:43 +0200)]
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df1c76e2275068d1006e82a4a21d42b58175268b)
Jeremy Allison [Fri, 11 Jun 2010 10:57:25 +0000 (12:57 +0200)]
s3-smbd: Fix memory corruption vulnerability.
Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
and address CVE-2010-2063.
(cherry picked from commit 86ab436a0da958914f99dc8b7e88b10db4692d98)
Jeremy Allison [Tue, 9 Feb 2010 23:23:38 +0000 (15:23 -0800)]
Fix bug #7122 - Reading a large browselist fails (server returns invalid values in subsequent SMBtrans replies)
There are two problems:
1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.
Jeremy Allison [Thu, 18 Feb 2010 20:21:10 +0000 (12:21 -0800)]
Fix bug #7155 - valgrind Conditional jump or move depends on uninitialised value(s) error when "mangling method = hash"
The charset array allocated in init_chartest() is allocated
by MALLOC, but only some elements of it being set after allocation. Fix is to
memset to zero after allocation.
Jeremy Allison [Wed, 17 Feb 2010 18:46:21 +0000 (10:46 -0800)]
Fix bug #6557 - Do not work VFS full_audit
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeremy Allison [Fri, 12 Feb 2010 00:09:59 +0000 (16:09 -0800)]
Fixes issue with preexec scripts creating a share directory, and problems if a smb.conf reload turns wide links back on after a connection is establised.
Jeremy Allison [Sat, 6 Feb 2010 00:22:27 +0000 (16:22 -0800)]
Fix bug 7104 - "wide links" and "unix extensions" are incompatible.
Change parameter "wide links" to default to "no".
Ensure "wide links = no" if "unix extensions = yes" on a share.
Fix man pages to refect this.
Remove "within share" checks for a UNIX symlink set - even if
widelinks = no. The server will not follow that link anyway.
Correct DEBUG message in check_reduced_name() to add missing "\n"
so it's really clear when a path is being denied as it's outside
the enclosing share path.
Jeremy Allison [Thu, 28 Jan 2010 01:16:04 +0000 (17:16 -0800)]
Fix bug #7072 - Accounts can't be unlocked from ldap.
Fix suggested by Andy Hanton <andyhanton@gmail.com>. The LOGIN_CACHE
struct contains two time_t entries, but was being written to and
read from via tdb_pack/tdb_unpack functions using explicit 32-bit int specifiers.
This would break on machines with a 64-bit time_t. Use correct int
sizes for tdb_pack/tdb_unpack.
Volker Lendecke [Sat, 16 Jan 2010 12:31:44 +0000 (13:31 +0100)]
s3: Fix a crash in libsmbclient used against the OpenSolaris CIFS server
A user has sent me a sniff where the OpenSolaris CIFS server returns "32" in
totalentries, but the array in ctr only contains 15 entries. Look at the right
delimiter for walking the array.
Fix bug #7046 (libsmbclient crash against OpenSolaris CIFS server).
Jeremy Allison [Sat, 16 Jan 2010 01:52:54 +0000 (17:52 -0800)]
Fix bug 7045 - Bad (non memory copying) interfaces in smbc_setXXXX calls.
In smbc_free_context libsmbclient just called free() on the string options
so it assumes the callers have malloced them before setting them via smbc_set
calls.
Change to correctly malloc/free string options to the library.
Protect against SMB_STRDUP of null.
Jeremy Allison [Wed, 9 Sep 2009 00:22:39 +0000 (17:22 -0700)]
Second part of fix for bug 6696 - smbd 3.3.7 crashes (signal 11) in dns_register_smbd_reply. Restore the code from 3.2 that actually initializes the struct dns_reg_state handle. Jeremy.
Jeremy Allison [Fri, 8 Jan 2010 18:24:34 +0000 (10:24 -0800)]
Re-fix bug 5202 - cannot change ACLs on writable file with "dos filemode=yes"
This bug re-occurred for 3.3.x and above.
The reason is that to change a NT ACL we now have to open the file requesting
WRITE_DAC and WRITE_OWNER access. The mapping from POSIX "w" to NT permissions
in posix_acls doesn't add these bits when "dos filemode = yes", so even though
the permission or owner change would be allowed by the POSIX ACL code, the
NTCreateX call fails with ACCESS_DENIED now we always check NT permissions
first.
Added in the mapping from "w" to WRITE_DAC and WRITE_OWNER access.
Jeremy Allison [Wed, 16 Dec 2009 02:38:06 +0000 (18:38 -0800)]
Second part of fix for 6875 - trans2 FIND_FIRST2 response --> FIND_FIRST2 Data -> Fille Attributes are returned as 0x220 for LANMAN2.1 dial
Ensure dos_mode can return FILE_ATTRIBUTE_NORMAL, then filter the returned attributes by protocol level.
This makes us consistant in returning DOS attrs across all replies. Tested on OS/2 by Günter Kukkukk.
Jeremy.
Kai Blin [Fri, 4 Dec 2009 08:47:25 +0000 (09:47 +0100)]
s3 aclocal.m4: Fix iconv checks, clean up m4 code
The check for iconv requiring giconv.h and libgiconv as well as
the check for iconv requiring biconv.h and libbiconv were using the wrong
variable to check for previous successful test results. This caused the checks
to always fall back to libbiconv on systems where that library was available.
In the course of fixing this, I had to clean up the indentation in that piece of
code, and I also rewrote/added some comments.
Many thanks to Tsurutani Naoki <turutani@scphys.kyoto-u.ac.jp> for the initial
patch and diagnosis.
(cherry picked from commit f5aff324cb9d965bbc75634596c3c40ffc588183)
When idmap backend is specified as
idmap backend = ldap:"ldap://server1 ldap://server2"
then currently "ldap://server1 ldap://server2" was passed to
ldap_initialize including the quotes, leading to an ldap error.
projects / thirdparty / samba.git / log
