Hi, El 18/12/15 a las 00:07, Jelmer Vernooij escribió: > Hi Raphael, > > On Wed, Dec 16, 2015 at 10:49:29PM +0100, Raphael Hertzog wrote: > > the Debian LTS team would like to fix the security issues which are > > currently open in the Squeeze version of samba: > > https://security-tracker.debian.org/tracker/CVE-2015-5252 > > https://security-tracker.debian.org/tracker/CVE-2015-5296 > > https://security-tracker.debian.org/tracker/CVE-2015-5299 > > ... > > Thanks for the e-mail. I don't think I will have time to look at > updating squeeze in the near future, so it would be great if somebody > from the LTS team could take care of that. > > I can review patches if you like, but am happy if you upload to > squeeze without my review. Please find attached the debdiff. I have tested the packages and they appear to work correctly, but further review is warmly appreciated. They are available at: deb https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/ deb-src https://people.debian.org/~santiago/debian/ santiago-squeeze-lts/ Cheers, Santiago
diff -Nru samba-3.5.6~dfsg/debian/changelog samba-3.5.6~dfsg/debian/changelog
--- samba-3.5.6~dfsg/debian/changelog 2015-02-22 22:32:05.000000000 +0100
+++ samba-3.5.6~dfsg/debian/changelog 2015-12-30 13:54:24.000000000 +0100
@@ -1,3 +1,15 @@
+samba (2:3.5.6~dfsg-3squeeze13~2) santiago-squeeze-lts; urgency=high
+
+ * Non-maintainer upload by the Squeeze LTS Team
+ * Fix CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside
+ the share).
+ * Fix CVE-2015-5296: s3:libsmb: force signing when requiring encryption in
+ do_connect()
+ * Fix CVE-2015-5299: s3-shadow-copy2: fix missing access check on
+ snapdir.
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Sun, 27 Dec 2015 13:09:25 +0100
+
 samba (2:3.5.6~dfsg-3squeeze12) squeeze-lts; urgency=high
 * Security update
diff -Nru samba-3.5.6~dfsg/debian/NEWS samba-3.5.6~dfsg/debian/NEWS
--- samba-3.5.6~dfsg/debian/NEWS 2015-02-22 22:32:05.000000000 +0100
+++ samba-3.5.6~dfsg/debian/NEWS 2015-12-30 13:54:33.000000000 +0100
@@ -1,3 +1,22 @@
+samba (2:3.5.6~dfsg-3squeeze13) squeeze-lts; urgency=high
+
+ * Fix CVE-2015-5296: When creating an encrypted connection, samba did
+ not ensure that signing was negotiated, making samba susceptible to
+ a man-in-the-middle attack. To fix this, signing has been made
+ mandatory when requiring an encrypted connection.
+
+ If samba clients ask for encrypted connections (i.e. smbclient using
+ the -e argument) to your samba server, you need to enable signing,
+ disabled by default, in you smb.conf:
+
+ server signing = auto
+
+ Otherwise, the clients will not be able to negotiate the connection.
+
+ Ref: https://www.samba.org/samba/security/CVE-2015-5296.html
+
+ -- Santiago Ruano Rincón <santiagorr@riseup.net> Wed, 30 Dec 2015 13:17:20 +0100
+
 samba (2:3.5.6~dfsg-3squeeze4) stable-proposed-updates; urgency=low
 * Please note that upgrading to 3.5.* series, the "map untrusted to
diff -Nru samba-3.5.6~dfsg/debian/patches/CVE-2015-5252-v3-6-bso11395.patch samba-3.5.6~dfsg/debian/patches/CVE-2015-5252-v3-6-bso11395.patch
--- samba-3.5.6~dfsg/debian/patches/CVE-2015-5252-v3-6-bso11395.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.5.6~dfsg/debian/patches/CVE-2015-5252-v3-6-bso11395.patch 2015-12-27 13:09:06.000000000 +0100
@@ -0,0 +1,44 @@
+From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 9 Jul 2015 10:58:11 -0700
+Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
+ access outside the share).
+
+Ensure matching component ends in '/' or '\0'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+Reviewed-by: Santiago R.R <santiagorr@riseup.net>
+---
+ source3/smbd/vfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+Index: samba/source3/smbd/vfs.c
+===================================================================
+--- samba.orig/source3/smbd/vfs.c
++++ samba/source3/smbd/vfs.c
+@@ -949,6 +949,8 @@ NTSTATUS check_reduced_name(connection_s
+ /* Check for widelinks allowed. */
+ if (!lp_widelinks(SNUM(conn))) {
+ const char *conn_rootdir;
++ size_t rootdir_len;
++ bool matched;
+
+ conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
+ if (conn_rootdir == NULL) {
+@@ -960,8 +962,11 @@ NTSTATUS check_reduced_name(connection_s
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+- if (strncmp(conn_rootdir, resolved_name,
+- strlen(conn_rootdir)) != 0) {
++ rootdir_len = strlen(conn_rootdir);
++ matched = (strncmp(conn_rootdir, resolved_name,
++ rootdir_len) == 0);
++ if (!matched || (resolved_name[rootdir_len] != '/' &&
++ resolved_name[rootdir_len] != '\0')) {
+ DEBUG(2, ("check_reduced_name: Bad access "
+ "attempt: %s is a symlink outside the "
+ "share path\n", fname));
diff -Nru samba-3.5.6~dfsg/debian/patches/CVE-2015-5296-v3-6-bso11536.patch samba-3.5.6~dfsg/debian/patches/CVE-2015-5296-v3-6-bso11536.patch
--- samba-3.5.6~dfsg/debian/patches/CVE-2015-5296-v3-6-bso11536.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.5.6~dfsg/debian/patches/CVE-2015-5296-v3-6-bso11536.patch 2015-12-27 13:08:47.000000000 +0100
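Review bot: The new suffix test at `if (!matched || (resolved_name[rootdir_len] != '/' && resolved_name[rootdir_len] != '\0'))` rejects every path when the share root itself is `/`: conn_rootdir is then one character long, `strncmp` trivially matches, and `resolved_name[1]` is the first character of a file name rather than a separator, so every symlink under a root-level share is reported as "outside the share path". Guarding the check for that corner case, e.g. `if (rootdir_len != 1 && (!matched || (resolved_name[rootdir_len] != '/' && resolved_name[rootdir_len] != '\0'))) {`, keeps the CVE fix for ordinary shares while leaving a `/` share usable, since an absolute resolved name is inside `/` by construction. Whether `SMB_VFS_CONNECTPATH` can return a bare `/` in this tree, and whether `resolved_name` is always absolute here, cannot be confirmed from the hunk, so verify both against the surrounding code before relying on the guard. `check_reduced_name` begins and ends outside the hunk.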
@@ -0,0 +1,93 @@
+From 25139116756cc285a3a5534834cc276ef1b7baaa Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 30 Sep 2015 21:17:02 +0200
+Subject: [PATCH 1/2] CVE-2015-5296: s3:libsmb: force signing when requiring
+ encryption in do_connect()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Santiago R.R <santiagorr@riseup.net>
+---
+ source3/libsmb/clidfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+Index: samba/source3/libsmb/clidfs.c
+===================================================================
+--- samba.orig/source3/libsmb/clidfs.c
++++ samba/source3/libsmb/clidfs.c
+@@ -93,6 +93,11 @@ static struct cli_state *do_connect(TALL
+ const char *username;
+ const char *password;
+ NTSTATUS status;
++ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
++
++ if (force_encrypt) {
++ signing_state = Required;
++ }
+
+ /* make a copy so we don't modify the global string 'service' */
+ servicename = talloc_strdup(ctx,share);
+@@ -127,7 +132,7 @@ static struct cli_state *do_connect(TALL
+ zero_sockaddr(&ss);
+
+ /* have to open a new connection */
+- if (!(c=cli_initialise_ex(get_cmdline_auth_info_signing_state(auth_info)))) {
++ if (!(c = cli_initialise_ex(signing_state))) {
+ d_printf("Connection to %s failed\n", server_n);
+ if (c) {
+ cli_shutdown(c);
+Index: samba/source3/libsmb/libsmb_server.c
+===================================================================
+--- samba.orig/source3/libsmb/libsmb_server.c
++++ samba/source3/libsmb/libsmb_server.c
+@@ -253,6 +253,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
+ const char *username_used;
+ NTSTATUS status;
+ char *newserver, *newshare;
++ int signing_state = Undefined;
+
+ zero_sockaddr(&ss);
+ ZERO_STRUCT(c);
+@@ -399,8 +400,12 @@ again:
+
+ zero_sockaddr(&ss);
+
++ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++ signing_state = Required;
++ }
++
+ /* have to open a new connection */
+- if ((c = cli_initialise()) == NULL) {
++ if ((c = cli_initialise_ex(signing_state)) == NULL) {
+ errno = ENOMEM;
+ return NULL;
+ }
+@@ -745,6 +750,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
+ pp_workgroup, pp_username, pp_password);
+ if (!ipc_srv) {
++ int signing_state = Undefined;
+
+ /* We didn't find a cached connection. Get the password */
+ if (!*pp_password || (*pp_password)[0] == '\0') {
+@@ -766,6 +772,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ if (smbc_getOptionUseCCache(context)) {
+ flags |= CLI_FULL_CONNECTION_USE_CCACHE;
+ }
++ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
++ signing_state = Required;
++ }
+
+ zero_sockaddr(&ss);
+ nt_status = cli_full_connection(&ipc_cli,
+@@ -775,7 +784,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
+ *pp_workgroup,
+ *pp_password,
+ flags,
+- Undefined, NULL);
++ signing_state, NULL);
+ if (! NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(1,("cli_full_connection failed! (%s)\n",
+ nt_errstr(nt_status)));
diff -Nru samba-3.5.6~dfsg/debian/patches/CVE-2015-5299-v3-6-bso11529.patch samba-3.5.6~dfsg/debian/patches/CVE-2015-5299-v3-6-bso11529.patch
--- samba-3.5.6~dfsg/debian/patches/CVE-2015-5299-v3-6-bso11529.patch 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.5.6~dfsg/debian/patches/CVE-2015-5299-v3-6-bso11529.patch 2015-12-29 19:29:32.000000000 +0100
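Review bot: The two libsmbclient sites force `signing_state = Required` for any `smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE`, so a caller that merely requests encryption as best-effort — if the level enum has such a value, which this hunk does not show — will now also fail against a server with signing disabled, and that behaviour change should be spelled out in the NEWS entry next to the smbclient `-e` case it already covers. A why-comment at the `if (force_encrypt)` site in `do_connect` would spare the next backporter a trip to the advisory: `/* CVE-2015-5296: an encrypted connection must also be signed, otherwise a man-in-the-middle can downgrade it. */`. The diffstat in the patch preamble (`source3/libsmb/clidfs.c | 7 ++++++-`, `1 file changed`) no longer matches the backport, which also edits `source3/libsmb/libsmb_server.c`; regenerate or drop it so the header does not mislead. `do_connect`, `SMBC_server_internal` and `SMBC_attr_server` all begin and end outside the hunks shown.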
@@ -0,0 +1,109 @@
+From 8e49de7754f7171a58a1f94dee0f1138dbee3c60 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 23 Oct 2015 14:54:31 -0700
+Subject: [PATCH] CVE-2015-5299: s3-shadow-copy2: fix missing access check on
+ snapdir
+
+Fix originally from <partha@exablox.com>
+
+https://bugzilla.samba.org/show_bug.cgi?id=11529
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+Reviewed-by: Santiago R.R <santiagorr@riseup.net>
+---
+ source3/modules/vfs_shadow_copy2.c | 47 ++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 47 insertions(+)
+
+Index: samba/source3/modules/vfs_shadow_copy2.c
+===================================================================
+--- samba.orig/source3/modules/vfs_shadow_copy2.c
++++ samba/source3/modules/vfs_shadow_copy2.c
+@@ -19,6 +19,8 @@
+ */
+
+ #include "includes.h"
++#include "smbd/globals.h"
++#include "libcli/security/security.h"
+
+ /*
+
+@@ -652,6 +654,43 @@ static int shadow_copy2_mkdir(vfs_handle
+ SHADOW2_NEXT(MKDIR, (handle, name, mode), int, -1);
+ }
+
++static bool check_access_snapdir(struct vfs_handle_struct *handle,
++ const char *path)
++{
++ struct smb_filename smb_fname;
++ int ret;
++ NTSTATUS status;
++ uint32_t access_granted = 0;
++
++ ZERO_STRUCT(smb_fname);
++ smb_fname.base_name = talloc_asprintf(talloc_tos(),
++ "%s",
++ path);
++ if (smb_fname.base_name == NULL) {
++ return false;
++ }
++
++ ret = SMB_VFS_NEXT_STAT(handle, &smb_fname);
++ if (ret != 0 || !S_ISDIR(smb_fname.st.st_ex_mode)) {
++ TALLOC_FREE(smb_fname.base_name);
++ return false;
++ }
++
++ status = smbd_check_open_rights(handle->conn,
++ &smb_fname,
++ SEC_DIR_LIST,
++ &access_granted);
++ if (!NT_STATUS_IS_OK(status)) {
++ DEBUG(0,("user does not have list permission "
++ "on snapdir %s\n",
++ smb_fname.base_name));
++ TALLOC_FREE(smb_fname.base_name);
++ return false;
++ }
++ TALLOC_FREE(smb_fname.base_name);
++ return true;
++}
++
+ static int shadow_copy2_rmdir(vfs_handle_struct *handle, const char *fname)
+ {
+ SHADOW2_NEXT(RMDIR, (handle, name), int, -1);
+@@ -720,6 +759,7 @@ static int shadow_copy2_get_shadow_copy2
+ const char *snapdir;
+ SMB_STRUCT_DIRENT *d;
+ TALLOC_CTX *tmp_ctx = talloc_new(handle->data);
++ bool ret;
+
+ snapdir = shadow_copy2_find_snapdir(tmp_ctx, handle);
+ if (snapdir == NULL) {
+@@ -729,6 +769,13 @@ static int shadow_copy2_get_shadow_copy2
+ talloc_free(tmp_ctx);
+ return -1;
+ }
++ ret = check_access_snapdir(handle, snapdir);
++ if (!ret) {
++ DEBUG(0,("access denied on listing snapdir %s\n", snapdir));
++ errno = EACCES;
++ talloc_free(tmp_ctx);
++ return -1;
++ }
+
+ p = SMB_VFS_NEXT_OPENDIR(handle, snapdir, NULL, 0);
+
+Index: samba/source4/libcli/security/security.h
+===================================================================
+--- samba.orig/source4/libcli/security/security.h
++++ samba/source4/libcli/security/security.h
+@@ -42,5 +42,8 @@ struct object_tree {
+ #include "libcli/security/dom_sid.h"
+ #include "libcli/security/secace.h"
+ #include "libcli/security/secacl.h"
++/* Removed since it doesn't exist, and it prevented samba with patch for
++ CVE-2015-5299 to compile
+ #include "libcli/security/proto.h"
++*/
+ #include "libcli/security/security_descriptor.h"
diff -Nru samba-3.5.6~dfsg/debian/patches/series samba-3.5.6~dfsg/debian/patches/series
--- samba-3.5.6~dfsg/debian/patches/series 2015-02-22 22:32:05.000000000 +0100
+++ samba-3.5.6~dfsg/debian/patches/series 2015-12-27 00:19:55.000000000 +0100
@@ -38,3 +38,6 @@
 security-CVE-2013-4124.patch
 security-CVE-2013-4408.patch
 security-CVE-2015-0240.patch
+CVE-2015-5252-v3-6-bso11395.patch
+CVE-2015-5296-v3-6-bso11536.patch
+CVE-2015-5299-v3-6-bso11529.patch
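Review bot: The Debian-only hunk against `source4/libcli/security/security.h` comments out an `#include` in a shared source4 header just so the new `#include "libcli/security/security.h"` in `vfs_shadow_copy2.c` resolves, which is a wider change than the fix needs: `check_access_snapdir` only uses `SEC_DIR_LIST`, `smbd_check_open_rights` and `struct smb_filename`, and if those are already visible through `includes.h` in 3.5.6 (plausible, since source3 code uses them elsewhere, but not verifiable from this hunk) both the extra include and the source4 edit can be dropped. If an include really is required, include the header that declares those names directly rather than editing a header other code may depend on. Two smaller points in the new function: `talloc_asprintf(talloc_tos(), "%s", path)` can be `talloc_strdup(talloc_tos(), path)` with identical behaviour, and the `DEBUG(0, ...)` on the denied path logs at level 0 for every unauthorised listing, so consider `DEBUG(2, ...)` (the level the CVE-2015-5252 patch uses for its access-denied message) to keep ordinary users from filling the log. `shadow_copy2_get_shadow_copy2_data` begins and ends outside the two hunks that modify it.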