| Commit message | Author | Age | Files | Lines |
| |
Karolin
| |
Karolin
| |
Thanks to Simo for reporting!
Karolin
| |
In CGI mode, we don't get access to the user's password, which would
reduce the hash used so far to parameters an attacker can easily guess.
To work around this, read the nonce from secrets.tdb or generate one if
it's not there.
Also populate the C_user field so we can use that for token creation.
Signed-off-by: Kai Blin <kai@samba.org>
The last 12 patches address bug #8290 (CSRF vulnerability in SWAT).
This addresses CVE-2011-2522 (Cross-Site Request Forgery in SWAT).
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Signed-off-by: Kai Blin <kai@samba.org>
| |
Nobuhiro Tsuji of NTT DATA SECURITY CORPORATION reported a possible XSS attack
against SWAT, the Samba Web Administration Tool. The attack uses reflection to
insert arbitrary content into the "change password" page.
This patch fixes the reflection issue by not printing user-specified content on
the website anymore.
Signed-off-by: Kai Blin <kai@samba.org>
CVE-2011-2694.
| |
Karolin
| |
Karolin
| |
Karolin
| |
CVE-2011-0719
Fix bug #7949 (DoS in Winbind and smbd with many file descriptors open).
All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).
Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.
| |
Karolin
| |
Karolin
| |
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
| |
Karolin
| |
Karolin
| |
Karolin
| |
Karolin
| |
Fix bug #7494 (Buffer overrun possible in chain_reply code in 3.3.x and below.)
and address CVE-2010-2063.
| |
to respond to a read or write."
This reverts commit 153357b9bb4d70a168c81cb9ff2da437eae823fc.
This fixes bug #7222 (All users have full rights on all shares) (CVE-2010-0728).
| |
Karolin
| |
Karolin
| |
Karolin
(cherry picked from commit 550cc063271ff3e1e337207a2e6bc214bc128f40)
| |
Apparently the AIX compiler can't deal with sizeless array declarations
(cherry picked from commit dd4194bc43cc5efd7517783e5e524d252d1f82c7)
| |
This way we can end up with silently using builtin_passdb_methods
for an AD domain without an inbound trust.
This fixes bug #7170.
metze
(cherry picked from commit f924b7749280b31ece19885de1c3ad1bd71942ac)
(cherry picked from commit 40f359476d7ec3aec252f79bd2127dd08b305a9f)
| |
Karolin
(cherry picked from commit b78de63ef3cde53e3aabbe46654aac5a335f16a8)
(cherry picked from commit d3738dbe1cabb0ad0acf5f8c9b5e8106285ca9a1)
(cherry picked from commit 7e5e74b351ce466f490d6388ceb368bd718fa93d)
| |
values in subsequent SMBtrans replies)
There are two problems:
1). The server is off-by-one in the end of buffer space test.
2). The server returns 0 in the totaldata (smb_vwv1) and totalparams (smb_vwv0)
fields in the second and subsequent SMBtrans replies.
This patch fixes both.
Jeremy.
(similar to commit b07a14dc37d2899f662e1cf87064f99c0bd10b25)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit de658f95ea12d4c532f309634b9aedb09c5e4d1d)
| |
Jeremy.
(cherry picked from commit 9ad6f432f3f5844b4b419e7cbaf3c3e70b052d29)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 8cac1af47cad9d40b0ab86cda3674f4420507008)
| |
A comparison function for qsort needs to return an 'int'!
Otherwise you'll get random results depending on the compiler
and the architecture...
metze
(cherry picked from commit 1686a5e7e7eb1b411b003cbbde5c0d28741c6d02)
(cherry picked from commit 5d4d547b901986cff378f640e9e22931d77c61b8)
| |
metze
(cherry picked from commit 9b5198dd443a00fdad4faa1f9cdabedd81012d93)
(cherry picked from commit 98399a69d6fc3d30c899588c8846ce19ef974fa3)
| |
containing a '.'
Fix use of uninitialized variable. This can lead to crashes if
mangling = hash processes names with no '.'.
Jeremy.
(cherry picked from commit df13b1303a751962d8f7d5298b39e4a7500fef15)
(cherry picked from commit e904ccd25a3b7050a8d1895c9535e42abd0b4d07)
| |
value(s) error when "mangling method = hash"
The charset array allocated in init_chartest() is allocated
by MALLOC, but only some elements of it are set after allocation. Fix is to
memset to zero after allocation.
Jeremy.
(cherry picked from commit a4e8210ba7d6d471cb9f17754244393b9c1e5930)
(cherry picked from commit 80d9663b3635ed7b2e9b3308d27aed08cd1f38fb)
| |
Re-arrange the operations order so SMB_VFS_CONNECT is done
first as root (to allow modules to correctly initialize themselves).
Reviewed modules to check if they needed CONNECT invoked as
a user (which we previously did) and it turns out any of them
that cared needed root permissions anyway.
Jeremy.
(cherry picked from commit 20b6d0406f0f72895f99636beee7a370195147fd)
| |
a smb.conf reload turns wide links back on after a connection is established.
Includes git refs:
cd18695fc2e4d09ab75e9eab2f0c43dcc15adf0b
94865e4dbd3d721c9855aada8c55e02be8b3881e
5d92d969dda450cc3564dd2265d2b042d832c542
02a5078f1fe6285e4a0b6ad95a3aea1c5bb3e8cf
a6f402ad87ff0ae14d57d97278d67d0ceaaa1d82
from master.
Jeremy.
Fix bug #7104 ("wide links" and "unix extensions" are incompatible.)
(cherry picked from commit ce04bf60499104c166657df959e4033573b5be5c)
| |
Change parameter "wide links" to default to "no".
Ensure "wide links = no" if "unix extensions = yes" on a share.
Fix man pages to reflect this.
Remove "within share" checks for a UNIX symlink set - even if
widelinks = no. The server will not follow that link anyway.
Correct DEBUG message in check_reduced_name() to add missing "\n"
so it's really clear when a path is being denied as it's outside
the enclosing share path.
Jeremy.
(cherry picked from commit c1b05ae4febfba1a419eee0d04c3886de9f5fee0)
| |
Fix bug #5885 (swat prints a bogus ip-address in smb.conf).
(cherry picked from commit 22ca62f7bb268e3695458d6105b847685112ec0f)
| |
Signed-off-by: Bo Yang <boyang@samba.org>
Fix bug #7106.
(cherry picked from commit 0ee0ba83dcd9726244b07c1747e0676a74e1d82f)
| |
When we need to do more than one network operation to get the
browse list we need to use the same 'stype' value each time.
metze
(cherry picked from commit c2e4746fa9d68e7601e8e90cc0144d2e65a695b6)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Fix bug #7098 (smbclient -L gives wrong results with a large browse list).
(cherry picked from commit f6484f7febd853122d4b91e52ee896d70686d9d2)
| |
Fix suggested by Andy Hanton <andyhanton@gmail.com>. The LOGIN_CACHE
struct contains two time_t entries, but was being written to and
read from via tdb_pack/tdb_unpack functions using explicit 32-bit int specifiers.
This would break on machines with a 64-bit time_t. Use correct int
sizes for tdb_pack/tdb_unpack.
We have to fix this properly before 2037 :-).
Contains fixes from master 627fb85092f728065b6d772c41aeb75018154e86
and 69fd8461b8792f4fee1b61db03953044565492c6.
Jeremy.
(cherry picked from commit 0b36486fa7d2689635018c2fc883860251dc8066)
| |
respond to a read or write.
Only works on Linux kernels 2.6.26 and above. Grants CAP_KILL capability
to allow Linux threads under different euids to send signals to each other.
Same as master commit 899bd0005f56dcc1e95c3988d41ab3f628bb15db.
Jeremy.
(cherry picked from commit cbf09baa90f5c4cfa8a0019ccc79211d72d13629)
| |
(cherry picked from commit c531d00ab4444db19ff6ba4c60ebdcc8319949c6)
(cherry picked from commit f21796955e7aa2e84a1c810612f2fdee2bde611c)
(cherry picked from commit 28b3cf328312a26cd72bbc54f3283bc46b51bc32)
(cherry picked from commit e66e5cb6324800d20f5f091a7fb2eba2d751241a)