diff options
author | Stefan Reiff <kroko87@hotmail.com> | 2019-04-16 19:07:56 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-04-17 09:19:32 +0000 |
commit | 95d4fe44472f363becdee360ad5713584a061db8 (patch) | |
tree | cc99a5ae5f6b5a439ebaaf8207b5b66b05bd830f | |
parent | ef2dd8d40fec766b73bb686c015aa9e2a52b378b (diff) | |
download | aports-95d4fe44472f363becdee360ad5713584a061db8.tar.bz2 aports-95d4fe44472f363becdee360ad5713584a061db8.tar.xz |
main/samba: security fix (CVE-2019-3880)
Fixes #10250
Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
-rw-r--r-- | main/samba/0012-CVE-2019-3880.patch | 151 | ||||
-rw-r--r-- | main/samba/APKBUILD | 6 |
2 files changed, 156 insertions, 1 deletions
diff --git a/main/samba/0012-CVE-2019-3880.patch b/main/samba/0012-CVE-2019-3880.patch new file mode 100644 index 0000000000..d96cf804c5 --- /dev/null +++ b/main/samba/0012-CVE-2019-3880.patch @@ -0,0 +1,151 @@ +From 0a392c982aca2150c8350582148abd7b2af782f8 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison <jra@samba.org> +Date: Thu, 21 Mar 2019 14:51:30 -0700 +Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of + SaveKey/RestoreKey. + +The were not using VFS backend calls and could only work +locally, and were unsafe against symlink races and other +security issues. + +If the incoming handle is valid, return WERR_BAD_PATHNAME. + +[MS-RRP] states "The format of the file name is implementation-specific" +so ensure we don't allow this. + +As reported by Michael Hanselmann. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851 + +Signed-off-by: Jeremy Allison <jra@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +--- + source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++----------------------------- + 1 file changed, 4 insertions(+), 88 deletions(-) + +diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c +index d9ee8d0602d..816c6bb2a12 100644 +--- a/source3/rpc_server/winreg/srv_winreg_nt.c ++++ b/source3/rpc_server/winreg/srv_winreg_nt.c +@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p, + } + + /******************************************************************* +- ********************************************************************/ +- +-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname ) +-{ +- char *p = NULL; +- int num_services = lp_numservices(); +- int snum = -1; +- const char *share_path = NULL; +- char *fname = *pp_fname; +- +- /* convert to a unix path, stripping the C:\ along the way */ +- +- if (!(p = valid_share_pathname(ctx, fname))) { +- return -1; +- } +- +- /* has to exist within a valid file share */ +- +- for (snum=0; snum<num_services; snum++) { +- if (!lp_snum_ok(snum) || lp_printable(snum)) { +- continue; +- } +- +- share_path = lp_path(talloc_tos(), snum); +- +- /* make sure we have a path (e.g. [homes] ) */ +- if (strlen(share_path) == 0) { +- continue; +- } +- +- if (strncmp(share_path, p, strlen(share_path)) == 0) { +- break; +- } +- } +- +- *pp_fname = p; +- return (snum < num_services) ? snum : -1; +-} +- +-/******************************************************************* + _winreg_RestoreKey + ********************************************************************/ + +@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p, + struct winreg_RestoreKey *r) + { + struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle ); +- char *fname = NULL; +- int snum = -1; + +- if ( !regkey ) ++ if ( !regkey ) { + return WERR_INVALID_HANDLE; +- +- if ( !r->in.filename || !r->in.filename->name ) +- return WERR_INVALID_PARAMETER; +- +- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); +- if (!fname) { +- return WERR_NOT_ENOUGH_MEMORY; + } +- +- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from " +- "\"%s\"\n", regkey->key->name, fname)); +- +- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1) +- return WERR_BAD_PATHNAME; +- +- /* user must posses SeRestorePrivilege for this this proceed */ +- +- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) { +- return WERR_ACCESS_DENIED; +- } +- +- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n", +- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); +- +- return reg_restorekey(regkey, fname); ++ return WERR_BAD_PATHNAME; + } + + /******************************************************************* +@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p, + struct winreg_SaveKey *r) + { + struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle ); +- char *fname = NULL; +- int snum = -1; + +- if ( !regkey ) ++ if ( !regkey ) { + return WERR_INVALID_HANDLE; +- +- if ( !r->in.filename || !r->in.filename->name ) +- return WERR_INVALID_PARAMETER; +- +- fname = talloc_strdup(p->mem_ctx, r->in.filename->name); +- if (!fname) { +- return WERR_NOT_ENOUGH_MEMORY; + } +- +- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n", +- regkey->key->name, fname)); +- +- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 ) +- return WERR_BAD_PATHNAME; +- +- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n", +- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) )); +- +- return reg_savekey(regkey, fname); ++ return WERR_BAD_PATHNAME; + } + + /******************************************************************* +-- +2.11.0 + diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD index f763aa71ec..6f4e07dec1 100644 --- a/main/samba/APKBUILD +++ b/main/samba/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=samba pkgver=4.6.16 -pkgrel=0 +pkgrel=1 pkgdesc="Tools to access a server's filespace and printers via SMB" url="http://www.samba.org" arch="all" @@ -49,6 +49,7 @@ source="https://us1.samba.org/samba/ftp/stable/$pkgname-$pkgver.tar.gz getpwent_r.patch netdb-defines.patch netapp.patch + 0012-CVE-2019-3880.patch $pkgname.initd $pkgname.confd @@ -58,6 +59,8 @@ pkggroups="winbind" builddir="$srcdir/$pkgname-$pkgver" # secfixes: +# 4.6.16-r1: +# - CVE-2019-3880 # 4.6.16-r0: # - CVE-2018-10858 # - CVE-2018-10919 @@ -535,6 +538,7 @@ b43809d7ecbf3968f5154c2ded6ed47dae36921f1895ea98bcce50557eb2ad39b736345ffb421465 0d4fd9862191554dc9c724cec0b94fd19afbfd0c4ed619e4c620c075e849cb3f3d44db1e5f119d890da23a3dd0068d9873703f3d86c47b91310521f37356208b getpwent_r.patch 1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch 202667cb0383414d9289cd67574f5e1140c9a0ff63bb82a746a59b2397a00db15654bfb30cb5ec1cd68a097899be0f849d9aab4c0d210152386c9e66c640f0c0 netapp.patch +1ca243614cef2c7061d914356475c629cd07e6e2c25a680bb65a18e6e4f3b948f19eae887fba9b006f1cbb02407ab4dd420aa6e05a48cdb5a7c1548cdbe0b072 0012-CVE-2019-3880.patch 6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf samba.initd 4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6 samba.confd f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053 samba.logrotate" |