Package: samba
Version: 2:3.4.0-3
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu lucid ubuntu-patch



*** /tmp/tmpUnTGqJ
In Ubuntu, we've applied the attached patch in our current releases:

  * SECURITY UPDATE: privilege escalation via mount.cifs race
    - debian/patches/security-CVE-2009-3297.patch: validate mount point and
      perform mount in "." to prevent race in source3/client/mount.cifs.c.
    - CVE-2009-3297

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-12-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -u samba-3.4.0/debian/changelog samba-3.4.0/debian/changelog
diff -u samba-3.4.0/debian/patches/series samba-3.4.0/debian/patches/series
--- samba-3.4.0/debian/patches/series
+++ samba-3.4.0/debian/patches/series
@@ -24,0 +25 @@
+security-CVE-2009-3297.patch
only in patch2:
unchanged:
--- samba-3.4.0.orig/debian/patches/security-CVE-2009-3297.patch
+++ samba-3.4.0/debian/patches/security-CVE-2009-3297.patch
@@ -0,0 +1,58 @@
+Description: fix privilege escalation via mount.cifs race
+Origin: backport, http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80
+Origin: backport, http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=6853
+
+diff -Nur samba-3.4.0/source3/client/mount.cifs.c samba-3.4.0.new/source3/client/mount.cifs.c
+--- samba-3.4.0/source3/client/mount.cifs.c	2010-01-26 15:00:45.000000000 -0500
++++ samba-3.4.0.new/source3/client/mount.cifs.c	2010-01-26 15:02:02.000000000 -0500
+@@ -1043,6 +1043,36 @@
+ 		MOUNT_CIFS_VENDOR_SUFFIX);
+ }
+ 
++/*
++ * This function borrowed from fuse-utils...
++ *
++ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
++ * newlines embedded within the text fields. To make sure no one corrupts
++ * the mtab, fail the mount if there are embedded newlines.
++ */
++static int check_newline(const char *progname, const char *name)
++{
++    char *s;
++    for (s = "\n"; *s; s++) {
++        if (strchr(name, *s)) {
++            fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
++                    progname, *s);
++            return EX_USAGE;
++        }
++    }
++    return 0;
++}
++
++static int check_mtab(const char *progname, const char *devname,
++			const char *dir)
++{
++	if (check_newline(progname, devname) == -1 ||
++	    check_newline(progname, dir) == -1)
++		return EX_USAGE;
++	return 0;
++}
++
++
+ int main(int argc, char ** argv)
+ {
+ 	int c;
+@@ -1463,7 +1493,11 @@
+ 	if (verboseflag)
+ 		fprintf(stderr, "\n");
+ 
+-	if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
++	rc = check_mtab(thisprogram, dev_name, mountpoint);
++	if (rc)
++		goto mount_exit;
++
++	if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
+ 		switch (errno) {
+ 		case ECONNREFUSED:
+ 		case EHOSTUNREACH:

Reply via email to