Package: samba
Version: 2:3.4.0-3
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu lucid ubuntu-patch
*** /tmp/tmpUnTGqJ
In Ubuntu, we've applied the attached patch in our current releases:
* SECURITY UPDATE: privilege escalation via mount.cifs race
- debian/patches/security-CVE-2009-3297.patch: validate mount point and
perform mount in "." to prevent race in source3/client/mount.cifs.c.
- CVE-2009-3297
We thought you might be interested in doing the same.
-- System Information:
Debian Release: squeeze/sid
APT prefers lucid-updates
APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-12-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u samba-3.4.0/debian/changelog samba-3.4.0/debian/changelog
diff -u samba-3.4.0/debian/patches/series samba-3.4.0/debian/patches/series
--- samba-3.4.0/debian/patches/series
+++ samba-3.4.0/debian/patches/series
@@ -24,0 +25 @@
+security-CVE-2009-3297.patch
only in patch2:
unchanged:
--- samba-3.4.0.orig/debian/patches/security-CVE-2009-3297.patch
+++ samba-3.4.0/debian/patches/security-CVE-2009-3297.patch
@@ -0,0 +1,58 @@
+Description: fix privilege escalation via mount.cifs race
+Origin: backport, http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80
+Origin: backport, http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=6853
+
+diff -Nur samba-3.4.0/source3/client/mount.cifs.c samba-3.4.0.new/source3/client/mount.cifs.c
+--- samba-3.4.0/source3/client/mount.cifs.c 2010-01-26 15:00:45.000000000 -0500
++++ samba-3.4.0.new/source3/client/mount.cifs.c 2010-01-26 15:02:02.000000000 -0500
+@@ -1043,6 +1043,36 @@
+ MOUNT_CIFS_VENDOR_SUFFIX);
+ }
+
++/*
++ * This function borrowed from fuse-utils...
++ *
++ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
++ * newlines embedded within the text fields. To make sure no one corrupts
++ * the mtab, fail the mount if there are embedded newlines.
++ */
++static int check_newline(const char *progname, const char *name)
++{
++ char *s;
++ for (s = "\n"; *s; s++) {
++ if (strchr(name, *s)) {
++ fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
++ progname, *s);
++ return EX_USAGE;
++ }
++ }
++ return 0;
++}
++
++static int check_mtab(const char *progname, const char *devname,
++ const char *dir)
++{
++ if (check_newline(progname, devname) == -1 ||
++ check_newline(progname, dir) == -1)
++ return EX_USAGE;
++ return 0;
++}
++
++
+ int main(int argc, char ** argv)
+ {
+ int c;
+@@ -1463,7 +1493,11 @@
+ if (verboseflag)
+ fprintf(stderr, "\n");
+
+- if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
++ rc = check_mtab(thisprogram, dev_name, mountpoint);
++ if (rc)
++ goto mount_exit;
++
++ if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
+ switch (errno) {
+ case ECONNREFUSED:
+ case EHOSTUNREACH: