diff --git a/SOURCES/samba-4.1.9-file_open.patch b/SOURCES/samba-4.1.9-file_open.patch
new file mode 100644
index 0000000..e4bf77d
--- /dev/null
+++ b/SOURCES/samba-4.1.9-file_open.patch
@@ -0,0 +1,116 @@
+From d038b70b159fd133060ead0bed8d70b654594b03 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Tue, 24 Jun 2014 14:19:30 -0700
+Subject: [PATCH 1/2] s3: smbd - Prevent file truncation on an open that fails
+ with share mode violation.
+
+Fix from Volker, really - just tidied up a little.
+The S_ISFIFO check may not be strictly neccessary,
+but doesn't hurt (might make the code a bit more complex
+than it needs to be).
+
+Fixes bug #10671 - Samba file corruption as a result of failed lock check.
+
+https://bugzilla.samba.org/show_bug.cgi?id=10671
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Volker Lendecke
+Reviewed-by: David Disseldorp
+(cherry picked from commit 31b3427a417217e5e869baafdf63e633efc39d12)
+[ddiss@samba.org: 4.1 backport]
+---
+ source3/smbd/open.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 5f7bff9..72b8b59 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -839,8 +839,11 @@ static NTSTATUS open_file(files_struct *fsp,
+ }
+ }
+
+- /* Actually do the open */
+- status = fd_open_atomic(conn, fsp, local_flags,
++ /*
++ * Actually do the open - if O_TRUNC is needed handle it
++ * below under the share mode lock.
++ */
++ status = fd_open_atomic(conn, fsp, local_flags & ~O_TRUNC,
+ unx_mode, p_file_created);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3,("Error opening file %s (%s) (local_flags=%d) "
+@@ -2646,6 +2649,21 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
+ return status;
+ }
+
++ /* Should we atomically (to the client at least) truncate ? */
++ if (!new_file_created) {
++ if (flags2 & O_TRUNC) {
++ if (!S_ISFIFO(fsp->fsp_name->st.st_ex_mode)) {
++ int ret = vfs_set_filelen(fsp, 0);
++ if (ret != 0) {
++ status = map_nt_error_from_unix(errno);
++ TALLOC_FREE(lck);
++ fd_close(fsp);
++ return status;
++ }
++ }
++ }
++ }
++
+ grant_fsp_oplock_type(fsp,
+ oplock_request,
+ got_level2_oplock,
+--
+1.8.4.5
+
+
+From 906812aad2d1fec04076259f1d5332220b95221a Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Wed, 25 Jun 2014 08:36:47 +0000
+Subject: [PATCH 2/2] smbd: Remove 2 indentation levels
+
+Signed-off-by: Volker Lendecke
+Reviewed-by: David Disseldorp
+(cherry picked from commit 1dc5c20c8f7d8aa96fa0601bf5bf6dc69fb79d9f)
+---
+ source3/smbd/open.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 72b8b59..16d4307 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -2650,17 +2650,17 @@ static NTSTATUS open_file_ntcreate(connection_struct *conn,
+ }
+
+ /* Should we atomically (to the client at least) truncate ? */
+- if (!new_file_created) {
+- if (flags2 & O_TRUNC) {
+- if (!S_ISFIFO(fsp->fsp_name->st.st_ex_mode)) {
+- int ret = vfs_set_filelen(fsp, 0);
+- if (ret != 0) {
+- status = map_nt_error_from_unix(errno);
+- TALLOC_FREE(lck);
+- fd_close(fsp);
+- return status;
+- }
+- }
++ if ((!new_file_created) &&
++ (flags2 & O_TRUNC) &&
++ (!S_ISFIFO(fsp->fsp_name->st.st_ex_mode))) {
++ int ret;
++
++ ret = vfs_set_filelen(fsp, 0);
++ if (ret != 0) {
++ status = map_nt_error_from_unix(errno);
++ TALLOC_FREE(lck);
++ fd_close(fsp);
++ return status;
+ }
+ }
+
+--
+1.8.4.5
+
diff --git a/SOURCES/samba-CVE-2014-3560.patch b/SOURCES/samba-CVE-2014-3560.patch
new file mode 100644
index 0000000..e510f01
--- /dev/null
+++ b/SOURCES/samba-CVE-2014-3560.patch
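Review bot: The failure path added after `vfs_set_filelen(fsp, 0)` in `open_file_ntcreate()` returns with only `TALLOC_FREE(lck)` and `fd_close(fsp)`; if the code just above the hunk has already recorded a share mode entry for `fsp` under `lck` (not visible here), this early return leaves that entry behind and it should be removed the same way the function's other post-lock failure paths do it. The second patch in this file restructures the same block and keeps the identical error path, so one fix covers both. Separately, masking `O_TRUNC` out of `local_flags` in `open_file()` affects every caller of `open_file()`, while the deferred truncation is only added in `open_file_ntcreate()`; I would widen the new comment to `/* O_TRUNC is deliberately masked: callers truncate via vfs_set_filelen() once the share mode lock is held, so a share-mode violation can no longer truncate an existing file. */` so any other caller passing O_TRUNC knows it must truncate itself. Both `open_file()` and `open_file_ntcreate()` start and end outside the hunk.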
@@ -0,0 +1,30 @@
+From fb1d325d96dfe9bc2e9c4ec46ad4c55e8f18f4a2 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Tue, 22 Jul 2014 07:02:00 +0200
+Subject: [PATCH] fix unstrcpy
+
+Signed-off-by: Volker Lendecke
+Reviewed-by: Jeremy Allison
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=10735
+CVE-2014-3560: unstrcpy macro length is invalid
+---
+ lib/util/string_wrappers.h | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/util/string_wrappers.h b/lib/util/string_wrappers.h
+index 5f9d568..243fafc 100644
+--- a/lib/util/string_wrappers.h
++++ b/lib/util/string_wrappers.h
+@@ -51,7 +51,7 @@ do { \
+ #define unstrcpy(d,s) \
+ do { \
+ const char *_unstrcpy_src = (const char *)(s); \
+- strlcpy((d),_unstrcpy_src ? _unstrcpy_src : "",sizeof(fstring)); \
++ strlcpy((d),_unstrcpy_src ? _unstrcpy_src : "",sizeof(unstring)); \
+ } while (0)
+
+ #ifdef HAVE_COMPILER_WILL_OPTIMIZE_OUT_FNS
+--
+1.7.0.4
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index fcf3257..59a950a 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -1,7 +1,7 @@
 # Set --with testsuite or %bcond_without to run the Samba torture testsuite.
 %bcond_with testsuite
-%define main_release 35
+%define main_release 37
 %define samba_version 4.1.1
 %define talloc_version 2.0.8
@@ -118,6 +118,8 @@ Patch29: samba-4.1.6-ipv6_workaround.patch
 Patch30: samba-CVE-2014-0244.patch
 Patch31: samba-CVE-2014-3493.patch
 Patch32: samba-CVE-2014-0178.patch
+Patch33: samba-4.1.9-file_open.patch
+Patch34: samba-CVE-2014-3560.patch
 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -556,6 +558,8 @@ module necessary to communicate to the Winbind Daemon
 %patch30 -p1 -b .samba-CVE-2014-0244.patch
 %patch31 -p1 -b .samba-CVE-2014-3493.patch
 %patch32 -p1 -b .samba-CVE-2014-0178.patch
+%patch33 -p1 -b .samba-4.1.9-file_open.patch
+%patch34 -p1 -b .samba-CVE-2014-3560.patch
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
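Review bot: With `sizeof(unstring)` the bound is still the size of the type, not of the destination `d`, so `unstrcpy()` is only safe when `d` really is an `unstring` array; a `char *` or a smaller buffer passed as `d` is still copied past its end. Since the macro cannot check this itself, I would add `/* d must be a real unstring[] (not a char *): the bound is sizeof(unstring), not the size of d. */` directly above `#define unstrcpy(d,s)`. The preceding macro, whose `do { \` appears in the hunk header, begins outside the hunk.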
@@ -1622,6 +1626,12 @@ rm -rf %{buildroot}
 %{_mandir}/man8/pam_winbind.8*
 %changelog
+* Fri Aug 01 2014 - Guenther Deschner - 4.1.1-37
+- resolves: #1126013 - CVE-2014-3560: remote code execution in nmbd.
+
+* Wed Jul 02 2014 - Guenther Deschner - 4.1.1-36
+- resolves: #1115490 - Fix potential Samba file corruption.
+
 * Wed Jun 11 2014 - Guenther Deschner - 4.1.1-35
 - resolves: #1105504 - CVE-2014-0244: DoS in nmbd.
 - resolves: #1108844 - CVE-2014-3493: DoS in smbd with unicode path names.