The branch, v3-6-stable has been updated
       via  5bdabda9 Fix self granting privileges in security=ads.
       via  49808d0 WHATSNEW: Release notes for 3.6.5.
      from  7a2f530 WHATSNEW: Start release notes for Samba 3.6.5.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-stable - Log ----------------------------------------------------------------- commit 5bdabda9e2143b1188f52533a4fa3f838b6066c9 Author: Jeremy Allison <j...@samba.org> Date: Tue Apr 17 12:30:15 2012 -0700 Fix self granting privileges in security=ads. CVE-2012-2111 commit 49808d01df79d67bc98f9c993b38c3ed49e892b4 Author: Karolin Seeger <ksee...@samba.org> Date: Fri Apr 27 20:23:15 2012 +0200 WHATSNEW: Release notes for 3.6.5. Karolin ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 16 +++++++++++----- source3/rpc_server/lsa/srv_lsa_nt.c | 16 ++++++++++++---- 2 files changed, 23 insertions(+), 9 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 02ed8dd..874cb08 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,20 +1,26 @@ ============================= Release Notes for Samba 3.6.5 - , 2012 + April 30, 2012 ============================= -This is the latest stable release of Samba 3.6. +This is a security release in order to address +CVE-2012-2111 (Incorrect permission checks when granting/removing +privileges can compromise file server security). -Major enhancements in Samba 3.6.5 include: +o CVE-2012-2111: + Samba 3.4.x to 3.6.4 are affected by a + vulnerability that allows arbitrary users + to modify privileges on a file server. -o Changes since 3.6.4: -------------------- -o Stefan Metzmacher <me...@samba.org> +o Jeremy Allison <j...@samba.org> + * Fix incorrect permission checks when granting/removing + privileges (CVE-2012-2111). ###################################################################### diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index f8c77ba..a7b55e7 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c 
@@ -2448,6 +2448,10 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p, uint32_t acc_granted; struct security_descriptor *psd; size_t sd_size; + uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS & + ~(LSA_ACCOUNT_ADJUST_PRIVILEGES| + LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS| + SEC_STD_DELETE)); /* find the connection policy handle. */ if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) @@ -2473,7 +2477,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p, status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_POLICY_ALL_ACCESS); + r->in.sid, owner_access); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2514,6 +2518,10 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p, size_t sd_size; uint32_t des_access = r->in.access_mask; uint32_t acc_granted; + uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS & + ~(LSA_ACCOUNT_ADJUST_PRIVILEGES| + LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS| + SEC_STD_DELETE)); NTSTATUS status; /* find the connection policy handle. */ @@ -2538,7 +2546,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p, /* get the generic lsa account SD until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + r->in.sid, owner_access); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2886,7 +2894,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p, /* get the generic lsa account SD for this SID until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + NULL, 0); if (!NT_STATUS_IS_OK(status)) { return status; } 
@@ -2957,7 +2965,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p, /* get the generic lsa account SD for this SID until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + NULL, 0); if (!NT_STATUS_IS_OK(status)) { return status; } -- Samba Shared Repository
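Review bot: In the WHATSNEW.txt hunk, the new CVE-2012-2111 entry says Samba 3.4.x to 3.6.4 are affected and that arbitrary users can modify privileges, while the commit subject scopes the fix to security=ads. The release note should say whether the issue is limited to that configuration, so that administrators running other security modes can tell from WHATSNEW alone whether they are exposed.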
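Review bot: The owner_access initializer added to the declarations of _lsa_CreateAccount (hunk at -2448) is repeated verbatim in _lsa_OpenAccount (hunk at -2514). Define the mask once, for example as a macro beside the other LSA_ACCOUNT_* definitions, and add a comment explaining why the owner entry excludes LSA_ACCOUNT_ADJUST_PRIVILEGES, LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS and SEC_STD_DELETE, so the two call sites cannot drift apart in a later change.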
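Review bot: In the make_lsa_object_sd call inside _lsa_CreateAccount (hunk at -2473), the argument being replaced is LSA_POLICY_ALL_ACCESS, whereas the equivalent call in _lsa_OpenAccount used LSA_ACCOUNT_ALL_ACCESS, and the commit message does not mention that this mismatch is being corrected as well. A sentence in the commit message noting it would help anyone backporting the fix to a branch where the two calls differ.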
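Review bot: In _lsa_AddAccountRights and _lsa_RemoveAccountRights (hunks at -2886 and -2957), the call now passes NULL, 0 in place of r->in.sid, LSA_ACCOUNT_ALL_ACCESS, but the context comment above it still reads "get the generic lsa account SD for this SID until we store it". Update the comment to state that no SID-specific entry is added here on purpose, and why; otherwise a later cleanup could restore r->in.sid and reintroduce the self-granting behaviour named in the commit subject.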