The last 12 patches address bug #8815 (PIDL based autogenerated code allows
overwriting beyond of allocated array; CVE-2012-1182).
(cherry picked from commit 9123504f2b6f9af458510721416cb25993959a31)
Björn Jacke [Thu, 4 Aug 2011 14:25:08 +0000 (16:25 +0200)]
s3/swat: use strlcat instead of strncat to fix build on old Linux distros
SLES 9's glibc for example had weird macros where the use of strncat resulted
in the use of strcat which we don't allow.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User: Björn Jacke <bj@sernet.de>
Autobuild-Date: Thu Aug 4 17:50:24 CEST 2011 on sn-devel-104
(cherry picked from commit d3b4d75364210e2d2a4a1cd806f28b0021f22909)
s3:web/swat: use strtoll() instead of atoi/atol/atoll
This is more portable, as we have a strtoll replacement
in lib/replace.
metze
Autobuild-User: Stefan Metzmacher <metze@samba.org>
Autobuild-Date: Sat Aug 6 11:55:45 CEST 2011 on sn-devel-104
(cherry picked from commit a6be0820d09b3f3eabfbb5f4356add303aa8a494)
Fix bug #8347 (CVE-2011-2522 regression for HP-UX, AIX and OSF).
Kai Blin [Tue, 12 Jul 2011 06:08:24 +0000 (08:08 +0200)]
s3 swat: Create random nonce in CGI mode
In CGI mode, we don't get access to the user's password, which would
reduce the hash used so far to parameters an attacker can easily guess.
To work around this, read the nonce from secrets.tdb or generate one if
it's not there.
Also populate the C_user field so we can use that for token creation.
Signed-off-by: Kai Blin <kai@samba.org>
The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
(cherry picked from commit a4922192d9b95e79bb31c54ca820a9b876a1bbe9)
Kai Blin [Thu, 7 Jul 2011 08:03:33 +0000 (10:03 +0200)]
s3 swat: Fix possible XSS attack (bug #8289)
Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
against SWAT, the Samba Web Administration Tool. The attack uses reflection to
insert arbitrary content into the "change password" page.
This patch fixes the reflection issue by not printing user-specified content on
the website anymore.
s3:nmbd_packets: return the used number of sockets in create_listen_fdset() (bug #8276)
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open)
(commit feb3fcd0fa4bda0967b881315595d7702f4d1752) changed the bahavior,
so that we skipped some sockets.
David Disseldorp [Wed, 16 Feb 2011 16:23:25 +0000 (17:23 +0100)]
s3: increase the log level for missing PIDs on SIGCHLD
Since the fix for bso#7836, the parent smbd is responsible for
maintaining an up-to-date printcap cache. It does this by forking a
child process to asynchronously fetch printcap data from CUPS.
When the child process exits after fetching all printcap data, the
parent smbd is sent SIGCHLD. This triggers smbd_sig_chld_handler() which
looks for the exited process PID on a "children" list.
Child smbd process PIDs are added to the "children" list to ensure
cleanup on unclean shutdown and log level change notification messages.
Printcap update process PIDs are not added to the list as they do not
maintain any state that requires cleanup, nor do they wait on tevent for
messages.
Autobuild-User: Volker Lendecke <vlendec@samba.org>
Autobuild-Date: Thu Feb 17 11:11:45 CET 2011 on sn-devel-104
(cherry picked from commit 9c12232f1ae36e00d04114ad73edd8ba3c2c6a5c)
There is currently a lot of duplicate code included for processing
responses to CUPS_GET_PRINTERS and CUPS_GET_CLASSES requests. This
change splits this code into a separate function.
David Disseldorp [Tue, 24 May 2011 09:46:25 +0000 (11:46 +0200)]
s3-printing: use printcap IDL for IPC
Use printcap IDL for marshalling and unmarshalling messages between cups
child and parent smbd processes. This simplifies the IPC and ensures
the parent is notified of cups errors encountered by the child.
David Disseldorp [Tue, 24 May 2011 09:34:59 +0000 (11:34 +0200)]
s3-printing: an empty cups printer list is treated as an error
cups_async_callback() is called to receive new printcap data from a
child process which requests the information from cupsd.
Newly received printcap information is stored in a temporary printcap
cache (tmp_pcap_cache). Once the child process closes the printcap IPC
file descriptor, the system printcap cache is replaced with the newly
populated tmp_pcap_cache, however this only occurs if tmp_pcap_cache is
non null (has at least one printer).
If the printcap cache is empty, which is the case when cups is not
exporting any printers, the printcap cache is not replaced resulting in
stale data.
David Disseldorp [Mon, 17 Jan 2011 15:09:32 +0000 (16:09 +0100)]
s3-printing: remove pcap_cache_loaded asserts
pcap_cache_loaded() assertions were added to the (re)load_printers()
functions, to ensure the caller had called pcap_cache_reload() prior to
reloading printer shares.
The problem is, pcap_cache_loaded() returns false if the the pcap_cache
contains no printer entries. i.e. pcap_cache_reload() has run but not
detected any printers.
Remove these assertions, correct call ordering is already enforced.
Signed-off-by: Günther Deschner <gd@samba.org>
The last 3 patches address bug #7836 (A newly added printer isn't visbile to
clients).
Jeremy Allison [Sun, 27 Feb 2011 17:16:20 +0000 (18:16 +0100)]
Fix denial of service - memory corruption.
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
(cherry picked from commit 43babef991feedbe2acb77d27254d302ab107fa8)
David Disseldorp [Mon, 10 Jan 2011 13:08:07 +0000 (14:08 +0100)]
s3-printing: update parent smbd pcap cache
If a client connects to a samba share and while connected a printer is
added, the client will see the new printer share after a maximum of
'printcap cache time' seconds.
smbd's forked for new client connections inherit printcap information
from the parent (listener) smbd, which does not perform updates on
printcap cache time expiry. Therefore newly connected clients may
initially be presented with stale printer shares.
Add a housekeeping function to the parent smbd to ensure newly connected
clients see up to date printer shares.
The last 2 patches address bug #7836 (A newly added printer isn't visbile to
clients).
David Disseldorp [Sun, 19 Dec 2010 18:52:08 +0000 (19:52 +0100)]
s3-printing: reload shares after pcap cache fill
Since commit eada8f8a, updates to the cups pcap cache are performed
asynchronously - cups_cache_reload() forks a child process to request
cups printer information and notify the parent smbd on completion.
Currently printer shares are reloaded immediately following the call to
cups_cache_reload(), this occurs prior to smbd receiving new cups pcap
information from the child process. Such behaviour can result in stale
print shares as outlined in bug 7836.
This fix ensures print shares are only reloaded after new pcap data has
been received.
Pair-Programmed-With: Lars Müller <lars@samba.org>
Volker Lendecke [Sat, 18 Dec 2010 15:02:09 +0000 (16:02 +0100)]
s3: Fix bug 7066 -- wbcAuthenticateEx gives unix times
We might eventually want to change this, but right now we get unix times
out of the winbind pipe struct
(cherry picked from commit 993923880e213136de89b5b8d59f6f32a51b94b7)
Volker Lendecke [Sun, 12 Dec 2010 17:55:06 +0000 (18:55 +0100)]
s3: Add an async smbsock_connect
This connects to 445 and after 5 milliseconds also to 139. It treats a netbios
session setup failure as equivalent as a TCP connect failure. So if 139 is
faster but fails the nb session setup, the 445 still has the chance to succeed.
Volker Lendecke [Wed, 17 Nov 2010 15:56:28 +0000 (08:56 -0700)]
s3: Make winbind recover from a signing error
When winbind sees a signing error on the smb connection to a DC (for whatever
reason, our bug, network glitch, etc) it should recover properly. The "old"
code in clientgen.c just closed the socket in this case. This is the right
thing to do, this connection is spoiled anyway. The new, async code did not do
this so far, which led to the code in winbindd_cm.c not detect that we need to
reconnect.
Fix bug #7800 (winbind does not recover from smb signing errors).
Jeremy Allison [Thu, 9 Sep 2010 13:48:23 +0000 (15:48 +0200)]
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
(cherry picked from commit df20a300758bc12286820e31fcf573bdfc2147bc)
projects / thirdparty / samba.git / log
