From 4209efabe3d1e66961362255f2be68d1bd939571 Mon Sep 17 00:00:00 2001 From: Felix Fietkau Date: Tue, 5 Jan 2016 11:01:00 +0000 Subject: samba36: add three CVE patches from 2015-12-16 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a patch for CVE-2015-5252, CVE-2015-5296 and CVE-2015-5299. A patchset for these vulnerabilities was published on 16th December 2015. Signed-off-by: Jan Čermák Backport of r48133 git-svn-id: svn://svn.openwrt.org/openwrt/branches/chaos_calmer@48134 3c298f89-4303-0410-b956-a3cf2f4a3e73 --- .../samba36/patches/010-patch-cve-2015-5252.patch | 43 ++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 package/network/services/samba36/patches/010-patch-cve-2015-5252.patch (limited to 'package/network/services/samba36/patches/010-patch-cve-2015-5252.patch') diff --git a/package/network/services/samba36/patches/010-patch-cve-2015-5252.patch b/package/network/services/samba36/patches/010-patch-cve-2015-5252.patch new file mode 100644 index 0000000000..8922a6e505 --- /dev/null +++ b/package/network/services/samba36/patches/010-patch-cve-2015-5252.patch @@ -0,0 +1,43 @@ +From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Thu, 9 Jul 2015 10:58:11 -0700 +Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file + access outside the share). + +Ensure matching component ends in '/' or '\0'. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395 + +Signed-off-by: Jeremy Allison +Reviewed-by: Volker Lendecke +--- + source3/smbd/vfs.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c +index 6c56964..bd93b7f 100644 +--- a/source3/smbd/vfs.c ++++ b/source3/smbd/vfs.c +@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) + if (!allow_widelinks || !allow_symlinks) { + const char *conn_rootdir; + size_t rootdir_len; ++ bool matched; + + conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname); + if (conn_rootdir == NULL) { +@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname) + } + + rootdir_len = strlen(conn_rootdir); +- if (strncmp(conn_rootdir, resolved_name, +- rootdir_len) != 0) { ++ matched = (strncmp(conn_rootdir, resolved_name, ++ rootdir_len) == 0); ++ if (!matched || (resolved_name[rootdir_len] != '/' && ++ resolved_name[rootdir_len] != '\0')) { + DEBUG(2, ("check_reduced_name: Bad access " + "attempt: %s is a symlink outside the " + "share path\n", fname)); +-- +2.5.0 -- cgit v1.2.3