aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorStefan Reiff <kroko87@hotmail.com>2019-04-16 19:07:56 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-04-17 08:33:43 +0000
commitdd592906931a0d72d098e6385832a370bbb221c2 (patch)
treea80e63ac3ae952aae31d4927edef7e90f2aefd18
parente0bf68014c8449196d77264ba2cc6a040051be9a (diff)
downloadaports-dd592906931a0d72d098e6385832a370bbb221c2.tar.gz
aports-dd592906931a0d72d098e6385832a370bbb221c2.tar.bz2
aports-dd592906931a0d72d098e6385832a370bbb221c2.tar.xz
main/samba: security fix (CVE-2019-3880)
Fixes #10249 Signed-off-by: Leonardo Arena <rnalrd@alpinelinux.org>
-rw-r--r--main/samba/0012-CVE-2019-3880.patch151
-rw-r--r--main/samba/APKBUILD6
2 files changed, 156 insertions, 1 deletions
diff --git a/main/samba/0012-CVE-2019-3880.patch b/main/samba/0012-CVE-2019-3880.patch
new file mode 100644
index 0000000000..d96cf804c5
--- /dev/null
+++ b/main/samba/0012-CVE-2019-3880.patch
@@ -0,0 +1,151 @@
+From 0a392c982aca2150c8350582148abd7b2af782f8 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 21 Mar 2019 14:51:30 -0700
+Subject: [PATCH] CVE-2019-3880 s3: rpc: winreg: Remove implementations of
+ SaveKey/RestoreKey.
+
+The were not using VFS backend calls and could only work
+locally, and were unsafe against symlink races and other
+security issues.
+
+If the incoming handle is valid, return WERR_BAD_PATHNAME.
+
+[MS-RRP] states "The format of the file name is implementation-specific"
+so ensure we don't allow this.
+
+As reported by Michael Hanselmann.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13851
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source3/rpc_server/winreg/srv_winreg_nt.c | 92 ++-----------------------------
+ 1 file changed, 4 insertions(+), 88 deletions(-)
+
+diff --git a/source3/rpc_server/winreg/srv_winreg_nt.c b/source3/rpc_server/winreg/srv_winreg_nt.c
+index d9ee8d0602d..816c6bb2a12 100644
+--- a/source3/rpc_server/winreg/srv_winreg_nt.c
++++ b/source3/rpc_server/winreg/srv_winreg_nt.c
+@@ -640,46 +640,6 @@ WERROR _winreg_AbortSystemShutdown(struct pipes_struct *p,
+ }
+
+ /*******************************************************************
+- ********************************************************************/
+-
+-static int validate_reg_filename(TALLOC_CTX *ctx, char **pp_fname )
+-{
+- char *p = NULL;
+- int num_services = lp_numservices();
+- int snum = -1;
+- const char *share_path = NULL;
+- char *fname = *pp_fname;
+-
+- /* convert to a unix path, stripping the C:\ along the way */
+-
+- if (!(p = valid_share_pathname(ctx, fname))) {
+- return -1;
+- }
+-
+- /* has to exist within a valid file share */
+-
+- for (snum=0; snum<num_services; snum++) {
+- if (!lp_snum_ok(snum) || lp_printable(snum)) {
+- continue;
+- }
+-
+- share_path = lp_path(talloc_tos(), snum);
+-
+- /* make sure we have a path (e.g. [homes] ) */
+- if (strlen(share_path) == 0) {
+- continue;
+- }
+-
+- if (strncmp(share_path, p, strlen(share_path)) == 0) {
+- break;
+- }
+- }
+-
+- *pp_fname = p;
+- return (snum < num_services) ? snum : -1;
+-}
+-
+-/*******************************************************************
+ _winreg_RestoreKey
+ ********************************************************************/
+
+@@ -687,36 +647,11 @@ WERROR _winreg_RestoreKey(struct pipes_struct *p,
+ struct winreg_RestoreKey *r)
+ {
+ struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
+- char *fname = NULL;
+- int snum = -1;
+
+- if ( !regkey )
++ if ( !regkey ) {
+ return WERR_INVALID_HANDLE;
+-
+- if ( !r->in.filename || !r->in.filename->name )
+- return WERR_INVALID_PARAMETER;
+-
+- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
+- if (!fname) {
+- return WERR_NOT_ENOUGH_MEMORY;
+ }
+-
+- DEBUG(8,("_winreg_RestoreKey: verifying restore of key [%s] from "
+- "\"%s\"\n", regkey->key->name, fname));
+-
+- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1)
+- return WERR_BAD_PATHNAME;
+-
+- /* user must posses SeRestorePrivilege for this this proceed */
+-
+- if ( !security_token_has_privilege(p->session_info->security_token, SEC_PRIV_RESTORE)) {
+- return WERR_ACCESS_DENIED;
+- }
+-
+- DEBUG(2,("_winreg_RestoreKey: Restoring [%s] from %s in share %s\n",
+- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
+-
+- return reg_restorekey(regkey, fname);
++ return WERR_BAD_PATHNAME;
+ }
+
+ /*******************************************************************
+@@ -727,30 +662,11 @@ WERROR _winreg_SaveKey(struct pipes_struct *p,
+ struct winreg_SaveKey *r)
+ {
+ struct registry_key *regkey = find_regkey_by_hnd( p, r->in.handle );
+- char *fname = NULL;
+- int snum = -1;
+
+- if ( !regkey )
++ if ( !regkey ) {
+ return WERR_INVALID_HANDLE;
+-
+- if ( !r->in.filename || !r->in.filename->name )
+- return WERR_INVALID_PARAMETER;
+-
+- fname = talloc_strdup(p->mem_ctx, r->in.filename->name);
+- if (!fname) {
+- return WERR_NOT_ENOUGH_MEMORY;
+ }
+-
+- DEBUG(8,("_winreg_SaveKey: verifying backup of key [%s] to \"%s\"\n",
+- regkey->key->name, fname));
+-
+- if ((snum = validate_reg_filename(p->mem_ctx, &fname)) == -1 )
+- return WERR_BAD_PATHNAME;
+-
+- DEBUG(2,("_winreg_SaveKey: Saving [%s] to %s in share %s\n",
+- regkey->key->name, fname, lp_servicename(talloc_tos(), snum) ));
+-
+- return reg_savekey(regkey, fname);
++ return WERR_BAD_PATHNAME;
+ }
+
+ /*******************************************************************
+--
+2.11.0
+
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index d138288555..9d3436b0e9 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
pkgver=4.7.6
-pkgrel=2
+pkgrel=3
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="http://www.samba.org"
arch="all"
@@ -73,6 +73,7 @@ source="https://us1.samba.org/samba/ftp/stable/$pkgname-$pkgver.tar.gz
0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
+ 0012-CVE-2019-3880.patch
$pkgname.initd
$pkgname.confd
@@ -82,6 +83,8 @@ pkggroups="winbind"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.7.6-r3:
+# - CVE-2019-3880
# 4.7.6-r2:
# - CVE-2018-14629
# - CVE-2018-16841
@@ -573,6 +576,7 @@ a856ee2ff97caf6201bab768b4187fb80b693d9be9e7c45252e938f0371b678fd28e549f4bd1f7c3
69c53b2b74e411feb9de6841f07566ba61a981eb28e5d38328f7099e36be541e2f9f52455fc1f7202440242551dae1bef15868079f43607ca236770f8adeb6f6 0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
558fb5112eba24b987c298e5e29811c8124d8eac46e5e8352caa035f765e9b94e8861a72718de9020dfb601a5293a2d8c9ffa9d5f8f827344ac8fd069ca918bd 0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
e88f1c34154fbf91a9c2fca253c0d46ddf9dd2a678119dde9e46c0b41d61529ac087f33e9f03f3b95fbe56e9ba4b211e639779b7e7565e06d0e56be0eebf6495 0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
+1ca243614cef2c7061d914356475c629cd07e6e2c25a680bb65a18e6e4f3b948f19eae887fba9b006f1cbb02407ab4dd420aa6e05a48cdb5a7c1548cdbe0b072 0012-CVE-2019-3880.patch
6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf samba.initd
4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6 samba.confd
f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053 samba.logrotate"