Changeset 774

Timestamp:

Jul 2, 2013, 8:03:46 PM (12 years ago)

Author:

Herwig Bauernfeind

Message:

Samba Server 3.5: Update branch to 3.5.21

Location:

branches/samba-3.5.x

Files:

• WHATSNEW.txt (modified) (2 diffs)
• packaging/RHEL-CTDB/samba.spec (modified) (1 diff)
• packaging/RHEL/makerpms.sh (modified) (1 diff)
• packaging/RHEL/samba.spec (modified) (1 diff)
• source3/VERSION (modified) (1 diff)
• source3/web/cgi.c (modified) (3 diffs)
• source3/web/swat.c (modified) (3 diffs)
• source3/web/swat_proto.h (modified) (1 diff)

branches/samba-3.5.x/WHATSNEW.txt

@@ +1 @@
+                   ==============================
+                   Release Notes for Samba 3.5.21
+                         January 30, 2013
+                   ==============================
+
+
+This is a security release in order to address
+CVE-2013-0213 (Clickjacking issue in SWAT) and
+CVE-2013-0214 (Potential XSRF in SWAT).
+
+o  CVE-2013-0213:
+   All current released versions of Samba are vulnerable to clickjacking in the
+   Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into
+   a malicious web page via a frame or iframe and then overlaid by other content,
+   an attacker could trick an administrator to potentially change Samba settings.
+
+   In order to be vulnerable, SWAT must have been installed and enabled
+   either as a standalone server launched from inetd or xinetd, or as a
+   CGI plugin to Apache. If SWAT has not been installed or enabled (which
+   is the default install state for Samba) this advisory can be ignored.
+
+o  CVE-2013-0214:
+   All current released versions of Samba are vulnerable to a cross-site
+   request forgery in the Samba Web Administration Tool (SWAT). By guessing a
+   user's password and then tricking a user who is authenticated with SWAT into
+   clicking a manipulated URL on a different web page, it is possible to manipulate
+   SWAT.
+
+   In order to be vulnerable, the attacker needs to know the victim's password.
+   Additionally SWAT must have been installed and enabled either as a standalone
+   server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
+   not been installed or enabled (which is the default install state for Samba)
+   this advisory can be ignored.
+
+
+Changes since 3.5.20:
+---------------------
+
+o   Kai Blin <kai@samba.org>
+    * BUG 9576: CVE-2013-0213: Fix clickjacking issue in SWAT.
+    * BUG 9577: CVE-2013-0214: Fix potential XSRF in SWAT.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 3.5.20
@@ -52 +118 @@
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================

branches/samba-3.5.x/packaging/RHEL-CTDB/samba.spec

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.20
+Version:      3.5.21
 Release:      1GITHASH
 Epoch:        0

branches/samba-3.5.x/packaging/RHEL/makerpms.sh

@@ -21 +21 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.5.20'
+VERSION='3.5.21'
 REVISION=''
 SPECFILE="samba.spec"

branches/samba-3.5.x/packaging/RHEL/samba.spec

@@ -12 +12 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.20
+Version:      3.5.21
 Release:      1
 Epoch:        0

branches/samba-3.5.x/source3/VERSION

@@ -26 +26 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=20
+SAMBA_VERSION_RELEASE=21
 
 ########################################################

branches/samba-3.5.x/source3/web/cgi.c

@@ -46 +46 @@
 static char *C_user;
 static char *C_pass;
+static char *C_nonce;
 static bool inetd_server;
 static bool got_request;
@@ -329 +330 @@
 
         if (!setuid(0)) {
-                C_pass = secrets_fetch_generic("root", "SWAT");
-                if (C_pass == NULL) {
-                        char *tmp_pass = NULL;
-                        tmp_pass = generate_random_str(talloc_tos(), 16);
-                        if (tmp_pass == NULL) {
-                                printf("%sFailed to create random nonce for "
-                                       "SWAT session\n<br>%s\n", head, tail);
-                                exit(0);
-                        }
-                        secrets_store_generic("root", "SWAT", tmp_pass);
-                        C_pass = SMB_STRDUP(tmp_pass);
-                        TALLOC_FREE(tmp_pass);
-                }
+                C_pass = SMB_STRDUP(cgi_nonce());
         }
         setuid(pwd->pw_uid);
@@ -453 +442 @@
         return(C_pass);
 }
+
+/***************************************************************************
+return a ptr to the nonce
+  ***************************************************************************/
+char *cgi_nonce(void)
+{
+        const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+        const char *tail = "</BODY></HTML>\r\n";
+        C_nonce = secrets_fetch_generic("root", "SWAT");
+        if (C_nonce == NULL) {
+                char *tmp_pass = NULL;
+                tmp_pass = generate_random_str(talloc_tos(), 16);
+                if (tmp_pass == NULL) {
+                        printf("%sFailed to create random nonce for "
+                               "SWAT session\n<br>%s\n", head, tail);
+                        exit(0);
+                }
+                secrets_store_generic("root", "SWAT", tmp_pass);
+                C_nonce = SMB_STRDUP(tmp_pass);
+                TALLOC_FREE(tmp_pass);
+        }
+        return(C_nonce);
+}
+
 
 /***************************************************************************

branches/samba-3.5.x/source3/web/swat.c

@@ -149 +149 @@
         uint8_t token[16];
         int i;
+        char *nonce = cgi_nonce();
 
         token_str[0] = '\0';
@@ -162 +163 @@
                 MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
         }
+        MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
 
         MD5Final(token, &md5_ctx);
@@ -261 +263 @@
                 printf("Expires: 0\r\n");
         }
-        printf("Content-type: text/html\r\n\r\n");
+        printf("Content-type: text/html\r\n");
+        printf("X-Frame-Options: DENY\r\n\r\n");
 
         if (!include_html("include/header.html")) {

branches/samba-3.5.x/source3/web/swat_proto.h

@@ -33 +33 @@
 char *cgi_user_name(void);
 char *cgi_user_pass(void);
+char *cgi_nonce(void);
 void cgi_setup(const char *rootdir, int auth_required);
 const char *cgi_baseurl(void);