Changeset 617


Timestamp:
Aug 2, 2011, 10:40:58 AM (14 years ago)
Author:
Herwig Bauernfeind
Message:

Samba 3.5: Update trunk to 3.5.10

Location:
trunk/server
Files:
9 edited

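--- a/trunk/server/WHATSNEW.txt
+++ b/trunk/server/WHATSNEW.txt
@@ -1,2 +1,60 @@
+                   ==============================
+                   Release Notes for Samba 3.5.10
+                           July 26, 2011
+                   ==============================
+
+
+This is a security release in order to address
+CVE-2011-2522 (Cross-Site Request Forgery in SWAT) and
+CVE-2011-2694 (Cross-Site Scripting vulnerability in SWAT).
+
+
+o  CVE-2011-2522:
+   The Samba Web Administration Tool (SWAT) in Samba versions
+   3.0.x to 3.5.9 are affected by a cross-site request forgery.
+
+
+o  CVE-2011-2694:
+   The Samba Web Administration Tool (SWAT) in Samba versions
+   3.0.x to 3.5.9 are affected by a cross-site scripting
+   vulnerability.
+
+Please note that SWAT must be enabled in order for these
+vulnerabilities to be exploitable. By default, SWAT
+is *not* enabled on a Samba install.
+
+
+Changes since 3.5.9:
+--------------------
+
+
+o   Kai Blin <kai@samba.org>
+    * BUG 8289: SWAT contains a cross-site scripting vulnerability.
+    * BUG 8290: CSRF vulnerability in SWAT.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 3.5.9
@@ -143,6 +201,6 @@
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================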
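--- a/trunk/server/packaging/RHEL-CTDB/samba.spec
+++ b/trunk/server/packaging/RHEL-CTDB/samba.spec
@@ -6,5 +6,5 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.9
+Version:      3.5.10
 Release:      1GITHASH
 Epoch:        0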
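--- a/trunk/server/packaging/RHEL/makerpms.sh
+++ b/trunk/server/packaging/RHEL/makerpms.sh
@@ -21,5 +21,5 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.5.9'
+VERSION='3.5.10'
 REVISION=''
 SPECFILE="samba.spec"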
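--- a/trunk/server/packaging/RHEL/samba.spec
+++ b/trunk/server/packaging/RHEL/samba.spec
@@ -6,5 +6,5 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.9
+Version:      3.5.10
 Release:      1
 Epoch:        0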
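--- a/trunk/server/source3/VERSION
+++ b/trunk/server/source3/VERSION
@@ -26,5 +26,5 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
 
 ########################################################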
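--- a/trunk/server/source3/web/cgi.c
+++ b/trunk/server/source3/web/cgi.c
@@ -20,4 +20,6 @@
 #include "includes.h"
 #include "web/swat_proto.h"
+#include "secrets.h"
+#include "../lib/util/util.h"
 
 #define MAX_VARIABLES 10000
@@ -43,4 +45,5 @@
 static char *pathinfo;
 static char *C_user;
+static char *C_pass;
 static bool inetd_server;
 static bool got_request;
@@ -323,5 +326,21 @@
         }
 
-        setuid(0);
+        C_user = SMB_STRDUP(user);
+
+        if (!setuid(0)) {
+                C_pass = secrets_fetch_generic("root", "SWAT");
+                if (C_pass == NULL) {
+                        char *tmp_pass = NULL;
+                        tmp_pass = generate_random_str(talloc_tos(), 16);
+                        if (tmp_pass == NULL) {
+                                printf("%sFailed to create random nonce for "
+                                       "SWAT session\n<br>%s\n", head, tail);
+                                exit(0);
+                        }
+                        secrets_store_generic("root", "SWAT", tmp_pass);
+                        C_pass = SMB_STRDUP(tmp_pass);
+                        TALLOC_FREE(tmp_pass);
+                }
+        }
         setuid(pwd->pw_uid);
         if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
@@ -392,4 +411,5 @@
                         /* Save the users name */
                         C_user = SMB_STRDUP(user);
+                        C_pass = SMB_STRDUP(user_pass);
                         TALLOC_FREE(pass);
                         return True;
@@ -426,4 +446,11 @@
 }
 
+/***************************************************************************
+return a ptr to the users password
+  ***************************************************************************/
+char *cgi_user_pass(void)
+{
+        return(C_pass);
+}
 
 /***************************************************************************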
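Review bot: If `setuid(0)` does not return 0 at new line 330 the whole block is skipped and C_pass stays NULL, and unless some other path assigns it the token later derived in get_xsrf_token covers only the form name, timestamp and user name, which anyone who knows the user name can recompute. The NULL case deserves the same fatal treatment as the failed `generate_random_str` call, e.g. after the if-block `if (C_pass == NULL) { printf("%sFailed to obtain SWAT secret\n<br>%s\n", head, tail); exit(0); }`, or at minimum a logged diagnostic. The header comment added for cgi_user_pass says it returns the user's password, yet on the root path it returns the stored per-install "SWAT" secret, so the comment should name both cases. The enclosing function of the line-326 hunk starts and ends outside the hunk.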
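--- a/trunk/server/source3/web/statuspage.c
+++ b/trunk/server/source3/web/statuspage.c
@@ -248,6 +248,11 @@
         bool waitup = False;
         TALLOC_CTX *ctx = talloc_stackframe();
+        const char form_name[] = "status";
 
         smbd_pid = pid_to_procid(pidfile_pid("smbd"));
+
+        if (!verify_xsrf_token(form_name)) {
+                goto output_page;
+        }
 
         if (cgi_variable("smbd_restart") || cgi_variable("all_restart")) {
@@ -327,7 +332,9 @@
         initPid2Machine ();
 
+output_page:
         printf("<H2>%s</H2>\n", _("Server Status"));
 
         printf("<FORM method=post>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
         if (!autorefresh) {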
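Review bot: A failed token check at new line 254 jumps straight to output_page and renders the page as if nothing had been submitted, so the user gets no hint that a restart or kill request was discarded; this also happens to a legitimate user whenever more than XSRF_TIMEOUT seconds pass between loading the page and clicking. Recording the failure in a local, e.g. `bool token_ok = verify_xsrf_token(form_name);` and then printing a short notice after the `<H2>` at line 335 when it is false, would make the rejection visible without changing the control flow. The jump also passes over whatever sits between lines 257 and 334, which is fine in C only as long as no variably-modified declaration is introduced there later, so a comment at the label saying so would help. The enclosing function starts and ends outside both hunks.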
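--- a/trunk/server/source3/web/swat.c
+++ b/trunk/server/source3/web/swat.c
@@ -30,4 +30,5 @@
 #include "includes.h"
 #include "web/swat_proto.h"
+#include "../lib/crypto/md5.h"
 
 static int demo_mode = False;
@@ -51,4 +52,7 @@
 #define ENABLE_USER_FLAG "enable_user_flag"
 #define RHOST "remote_host"
+#define XSRF_TOKEN "xsrf"
+#define XSRF_TIME "xsrf_time"
+#define XSRF_TIMEOUT 300
 
 #define _(x) lang_msg_rotate(talloc_tos(),x)
@@ -138,4 +142,74 @@
         return parmname;
 }
+
+void get_xsrf_token(const char *username, const char *pass,
+                    const char *formname, time_t xsrf_time, char token_str[33])
+{
+        struct MD5Context md5_ctx;
+        uint8_t token[16];
+        int i;
+
+        token_str[0] = '\0';
+        ZERO_STRUCT(md5_ctx);
+        MD5Init(&md5_ctx);
+
+        MD5Update(&md5_ctx, (uint8_t *)formname, strlen(formname));
+        MD5Update(&md5_ctx, (uint8_t *)&xsrf_time, sizeof(time_t));
+        if (username != NULL) {
+                MD5Update(&md5_ctx, (uint8_t *)username, strlen(username));
+        }
+        if (pass != NULL) {
+                MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
+        }
+
+        MD5Final(token, &md5_ctx);
+
+        for(i = 0; i < sizeof(token); i++) {
+                char tmp[3];
+
+                snprintf(tmp, sizeof(tmp), "%02x", token[i]);
+                strncat(token_str, tmp, sizeof(tmp));
+        }
+}
+
+void print_xsrf_token(const char *username, const char *pass,
+                      const char *formname)
+{
+        char token[33];
+        time_t xsrf_time = time(NULL);
+
+        get_xsrf_token(username, pass, formname, xsrf_time, token);
+        printf("<input type=\"hidden\" name=\"%s\" value=\"%s\">\n",
+               XSRF_TOKEN, token);
+        printf("<input type=\"hidden\" name=\"%s\" value=\"%lld\">\n",
+               XSRF_TIME, (long long int)xsrf_time);
+}
+
+bool verify_xsrf_token(const char *formname)
+{
+        char expected[33];
+        const char *username = cgi_user_name();
+        const char *pass = cgi_user_pass();
+        const char *token = cgi_variable_nonull(XSRF_TOKEN);
+        const char *time_str = cgi_variable_nonull(XSRF_TIME);
+        time_t xsrf_time = 0;
+        time_t now = time(NULL);
+
+        if (sizeof(time_t) == sizeof(int)) {
+                xsrf_time = atoi(time_str);
+        } else if (sizeof(time_t) == sizeof(long)) {
+                xsrf_time = atol(time_str);
+        } else if (sizeof(time_t) == sizeof(long long)) {
+                xsrf_time = atoll(time_str);
+        }
+
+        if (abs(now - xsrf_time) > XSRF_TIMEOUT) {
+                return false;
+        }
+
+        get_xsrf_token(username, pass, formname, xsrf_time, expected);
+        return (strncmp(expected, token, sizeof(expected)) == 0);
+}
+
 
 /****************************************************************************
@@ -612,4 +686,9 @@
 {
         int full_view=0;
+        const char form_name[] = "viewconfig";
+
+        if (!verify_xsrf_token(form_name)) {
+                goto output_page;
+        }
 
         if (cgi_variable("full_view")) {
@@ -617,6 +696,8 @@
         }
 
+output_page:
         printf("<H2>%s</H2>\n", _("Current Config"));
         printf("<form method=post>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
         if (full_view) {
@@ -638,4 +719,5 @@
 {
         unsigned int parm_filter = FLAG_WIZARD;
+        const char form_name[] = "wizard_params";
 
         /* Here we first set and commit all the parameters that were selected
@@ -643,4 +725,8 @@
 
         printf("<H2>%s</H2>\n", _("Wizard Parameter Edit Page"));
+
+        if (!verify_xsrf_token(form_name)) {
+                goto output_page;
+        }
 
         if (cgi_variable("Commit")) {
@@ -649,5 +735,7 @@
         }
 
+output_page:
         printf("<form name=\"swatform\" method=post action=wizard_params>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
         if (have_write_access) {
@@ -685,4 +773,9 @@
         int HomeExpo = 0;
         int SerType = 0;
+        const char form_name[] = "wizard";
+
+        if (!verify_xsrf_token(form_name)) {
+                goto output_page;
+        }
 
         if (cgi_variable("Rewrite")) {
@@ -775,8 +868,10 @@
 
         role = lp_server_role();
-        
+
+output_page:
         /* Here we go ... */
         printf("<H2>%s</H2>\n", _("Samba Configuration Wizard"));
         printf("<form method=post action=wizard>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
         if (have_write_access) {
@@ -847,6 +942,11 @@
         unsigned int parm_filter = FLAG_BASIC;
         int mode = 0;
+        const char form_name[] = "globals";
 
         printf("<H2>%s</H2>\n", _("Global Parameters"));
+
+        if (!verify_xsrf_token(form_name)) {
+                goto output_page;
+        }
 
         if (cgi_variable("Commit")) {
@@ -862,5 +962,7 @@
                 mode = 1;
 
+output_page:
         printf("<form name=\"swatform\" method=post action=globals>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
         ViewModeBoxes( mode );
@@ -902,9 +1004,15 @@
         unsigned int parm_filter = FLAG_BASIC;
         size_t converted_size;
+        const char form_name[] = "shares";
+
+        printf("<H2>%s</H2>\n", _("Share Parameters"));
+
+        if (!verify_xsrf_token(form_name)) {
+                goto output_page;
+        }
 
         if (share)
                 snum = lp_servicenumber(share);
 
-        printf("<H2>%s</H2>\n", _("Share Parameters"));
 
         if (cgi_variable("Commit") && snum >= 0) {
@@ -932,8 +1040,4 @@
         }
 
-        printf("<FORM name=\"swatform\" method=post>\n");
-
-        printf("<table>\n");
-
         if ( cgi_variable("ViewMode") )
                 mode = atoi(cgi_variable_nonull("ViewMode"));
@@ -942,4 +1046,10 @@
         if ( cgi_variable("AdvMode"))
                 mode = 1;
+
+output_page:
+        printf("<FORM name=\"swatform\" method=post>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
+
+        printf("<table>\n");
 
         ViewModeBoxes( mode );
@@ -1122,9 +1232,7 @@
                 printf("<p>");
                 if (rslt == True) {
-                        printf(_(" The passwd for '%s' has been changed."), cgi_variable_nonull(SWAT_USER));
-                        printf("\n");
+                        printf("%s\n", _(" The passwd has been changed."));
                 } else {
-                        printf(_(" The passwd for '%s' has NOT been changed."), cgi_variable_nonull(SWAT_USER));
-                        printf("\n");
+                        printf("%s\n", _(" The passwd has NOT been changed."));
                 }
         }
@@ -1139,12 +1247,6 @@
 {
         const char *new_name = cgi_user_name();
-
-        /*
-         * After the first time through here be nice. If the user
-         * changed the User box text to another users name, remember it.
-         */
-        if (cgi_variable(SWAT_USER)) {
-                new_name = cgi_variable_nonull(SWAT_USER);
-        }
+        const char passwd_form[] = "passwd";
+        const char rpasswd_form[] = "rpasswd";
 
         if (!new_name) new_name = "";
@@ -1153,4 +1255,5 @@
 
         printf("<FORM name=\"swatform\" method=post>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), passwd_form);
 
         printf("<table>\n");
@@ -1192,6 +1295,7 @@
          * requested. It could be this is the first time through this
          * code, so there isn't anything to do.  */
-        if ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
-            (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG))) {
+        if (verify_xsrf_token(passwd_form) &&
+           ((cgi_variable(CHG_S_PASSWD_FLAG)) || (cgi_variable(ADD_USER_FLAG)) || (cgi_variable(DELETE_USER_FLAG)) ||
+            (cgi_variable(DISABLE_USER_FLAG)) || (cgi_variable(ENABLE_USER_FLAG)))) {
                 chg_passwd();
         }
@@ -1200,4 +1304,5 @@
 
         printf("<FORM name=\"swatform\" method=post>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), rpasswd_form);
 
         printf("<table>\n");
@@ -1232,5 +1337,5 @@
          * is the first time through this code, so there isn't
          * anything to do.  */
-        if (cgi_variable(CHG_R_PASSWD_FLAG)) {
+        if (verify_xsrf_token(passwd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {
                 chg_passwd();
         }
@@ -1249,15 +1354,12 @@
         int mode = 0;
         unsigned int parm_filter = FLAG_BASIC;
+        const char form_name[] = "printers";
+
+        if (!verify_xsrf_token(form_name)) {
+                goto output_page;
+        }
 
         if (share)
                 snum = lp_servicenumber(share);
-
-        printf("<H2>%s</H2>\n", _("Printer Parameters"));
- 
-        printf("<H3>%s</H3>\n", _("Important Note:"));
-        printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
-        printf("%s",_("are autoloaded printers from "));
-        printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
-        printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
 
         if (cgi_variable("Commit") && snum >= 0) {
@@ -1289,6 +1391,4 @@
         }
 
-        printf("<FORM name=\"swatform\" method=post>\n");
-
         if ( cgi_variable("ViewMode") )
                 mode = atoi(cgi_variable_nonull("ViewMode"));
@@ -1297,4 +1397,17 @@
         if ( cgi_variable("AdvMode"))
                 mode = 1;
+
+output_page:
+        printf("<H2>%s</H2>\n", _("Printer Parameters"));
+
+        printf("<H3>%s</H3>\n", _("Important Note:"));
+        printf("%s",_("Printer names marked with [*] in the Choose Printer drop-down box "));
+        printf("%s",_("are autoloaded printers from "));
+        printf("<A HREF=\"/swat/help/smb.conf.5.html#printcapname\" target=\"docs\">%s</A>\n", _("Printcap Name"));
+        printf("%s\n", _("Attempting to delete these printers from SWAT will have no effect."));
+
+
+        printf("<FORM name=\"swatform\" method=post>\n");
+        print_xsrf_token(cgi_user_name(), cgi_user_pass(), form_name);
 
         ViewModeBoxes( mode );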
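Review bot: The remote-password check at new line 1339 verifies against `passwd_form`, but the hidden token for that form was emitted at line 1306 with `rpasswd_form`, and because get_xsrf_token mixes the form name into the MD5 the two can never agree; a submission of the rpasswd form therefore always fails the check and `chg_passwd()` is unreachable for CHG_R_PASSWD_FLAG, which to the user looks like a password change that silently does nothing. The line should read `if (verify_xsrf_token(rpasswd_form) && cgi_variable(CHG_R_PASSWD_FLAG)) {`. Separately, in verify_xsrf_token the window test `abs(now - xsrf_time)` narrows a time_t difference to int on LP64 targets (and is undefined for INT_MIN); `if (llabs((long long)(now - xsrf_time)) > XSRF_TIMEOUT) {` avoids that, assuming <stdlib.h> is reachable through includes.h. The final `strncmp` on the token is not constant-time either, so a fixed-time comparison would be the better choice for an authenticator. The enclosing passwd_page function starts and ends outside the hunk.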
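--- a/trunk/server/source3/web/swat_proto.h
+++ b/trunk/server/source3/web/swat_proto.h
@@ -32,4 +32,5 @@
 bool am_root(void);
 char *cgi_user_name(void);
+char *cgi_user_pass(void);
 void cgi_setup(const char *rootdir, int auth_required);
 const char *cgi_baseurl(void);
@@ -67,4 +68,9 @@
 
 const char *lang_msg_rotate(TALLOC_CTX *ctx, const char *msgid);
+void get_xsrf_token(const char *username, const char *pass,
+                    const char *formname, time_t xsrf_time, char token_str[33]);
+void print_xsrf_token(const char *username, const char *pass,
+                      const char *formname);
+bool verify_xsrf_token(const char *formname);
 
 #endif /*  _SWAT_PROTO_H_  */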
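Review bot: The `char token_str[33]` parameter in the get_xsrf_token prototype at new line 71 decays to `char *`, so the 33 is not enforced by the compiler and the header gives callers no statement of the buffer they must supply. A comment above the declaration, e.g. `/* token_str must hold at least 33 bytes: 32 hex digits plus the terminating NUL */`, would document the contract, and one-line comments on print_xsrf_token (emits two hidden form fields) and verify_xsrf_token (checks the submitted token and its timestamp against the current user) would tell a reader which form name must be the same on both calls.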