The branch, v3-4-test has been updated via c81bb58 WHATSNEW: Start release notes for 3.4.18. via 8fdbc38 VERSION: Bump version number up to 3.4.18. via 1e048b7 Fix self granting privileges in security=ads. via 4fbba69 WHATSNEW: Release notes 3.4.17. from 209d28d WHATSNEW: Fix typo.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-4-test - Log ----------------------------------------------------------------- commit c81bb58764e8af42dca3cfd2f5e90d8baebb9af0 Author: Karolin Seeger <ksee...@samba.org> Date: Mon Apr 30 20:53:59 2012 +0200 WHATSNEW: Start release notes for 3.4.18. Karolin (cherry picked from commit 4c0ff855799ffd2067768869f379d2d2e3d3b514) commit 8fdbc38cdabcddbcb893fecc934d82686cba774e Author: Karolin Seeger <ksee...@samba.org> Date: Mon Apr 30 20:51:55 2012 +0200 VERSION: Bump version number up to 3.4.18. Karolin (cherry picked from commit 195943b7bf95e4a85795f86dda0cf71170c7c2de) commit 1e048b78fb1647ac1cc11936db6275f6c2b6f545 Author: Jeremy Allison <j...@samba.org> Date: Tue Apr 17 16:39:00 2012 -0700 Fix self granting privileges in security=ads. CVE-2012-2111 (cherry picked from commit 55045f52181e5448c2aeefabde047128158d7c2e) commit 4fbba692d86a04e5f929cc72eaa510ed6ab4a5d7 Author: Karolin Seeger <ksee...@samba.org> Date: Sat Apr 28 18:58:03 2012 +0200 WHATSNEW: Release notes 3.4.17. Karolin (cherry picked from commit a78242b544ab1a7b486856b87824050deca661dc) ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 59 +++++++++++++++++++++++++++++++++++--- source3/VERSION | 2 +- source3/rpc_server/srv_lsa_nt.c | 42 +++++++++++++++++++++++++-- 3 files changed, 93 insertions(+), 10 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 41685fc..4283231 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,19 +1,20 @@ ============================== - Release Notes for Samba 3.4.17 + Release Notes for Samba 3.4.18 , 2012 ============================== This is a security release in order to address -CVE- (). +CVE-2012- (). -o +o CVE-2012-: -Changes since 3.4.16 + +Changes since 3.4.17 -------------------- -o Stefan Metzmacher <me...@samba.org> +o Jeremy Allison <j...@samba.org> ###################################################################### @@ -40,6 +41,54 @@ Release notes for older versions follow: ---------------------------------------- ============================== + Release Notes for Samba 3.4.17 + April 30, 2012 + ============================== + + +This is a security release in order to address +CVE-2012-2111 (Incorrect permission checks when granting/removing +privileges can compromise file server security). + +o CVE-2012-2111: + Samba 3.4.x to 3.6.4 are affected by a + vulnerability that allows arbitrary users + to modify privileges on a file server. + + +Changes since 3.4.16 +-------------------- + + +o Jeremy Allison <j...@samba.org> + * Fix incorrect permission checks when granting/removing + privileges (CVE-2012-2111). + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.4 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================== Release Notes for Samba 3.4.16 April 10, 2012 ============================== diff --git a/source3/VERSION b/source3/VERSION index 4d0a96b..20dd4aa 100644 --- a/source3/VERSION +++ b/source3/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=4 -SAMBA_VERSION_RELEASE=17 +SAMBA_VERSION_RELEASE=18 ######################################################## # Bug fix releases use a letter for the patch revision # diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c index f187432..a405dd2 100644 --- a/source3/rpc_server/srv_lsa_nt.c +++ b/source3/rpc_server/srv_lsa_nt.c @@ -1579,6 +1579,15 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, { struct lsa_info *handle; struct lsa_info *info; + uint32 des_access = r->in.access_mask; + uint32 acc_granted; + uint32 owner_access = (LSA_ACCOUNT_ALL_ACCESS & + ~(LSA_ACCOUNT_ADJUST_PRIVILEGES| + LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS| + DELETE_ACCESS)); + SEC_DESC *psd = NULL; + size_t sd_size; + NTSTATUS status; /* find the connection policy handle. */ if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle)) @@ -1600,6 +1609,27 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, if ( is_privileged_sid( r->in.sid ) ) return NT_STATUS_OBJECT_NAME_COLLISION; + /* Work out max allowed. */ + map_max_allowed_access(p->server_info->ptok, &des_access); + + /* map the generic bits to the lsa policy ones */ + se_map_generic(&des_access, &lsa_policy_mapping); + + /* get the generic lsa policy SD until we store it */ + status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_policy_mapping, + r->in.sid, owner_access); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + status = access_check_object(psd, p->server_info->ptok, + NULL, 0, des_access, + &acc_granted, "_lsa_CreateAccont" ); + + if (!NT_STATUS_IS_OK(status)) { + return status; + } + /* associate the user/group SID with the (unique) handle. */ info = TALLOC_ZERO_P(p->mem_ctx, struct lsa_info); @@ -1608,7 +1638,7 @@ NTSTATUS _lsa_CreateAccount(pipes_struct *p, } info->sid = *r->in.sid; - info->access = r->in.access_mask; + info->access = acc_granted; info->type = LSA_HANDLE_ACCOUNT_TYPE; /* get a (unique) handle. open a policy on it. */ @@ -1631,6 +1661,10 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p, size_t sd_size; uint32_t des_access = r->in.access_mask; uint32_t acc_granted; + uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS & + ~(LSA_ACCOUNT_ADJUST_PRIVILEGES| + LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS| + STD_RIGHT_DELETE_ACCESS)); NTSTATUS status; /* find the connection policy handle. */ @@ -1653,7 +1687,7 @@ NTSTATUS _lsa_OpenAccount(pipes_struct *p, /* get the generic lsa account SD until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + r->in.sid, owner_access); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2070,7 +2104,7 @@ NTSTATUS _lsa_AddAccountRights(pipes_struct *p, /* get the generic lsa account SD for this SID until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + NULL, 0); if (!NT_STATUS_IS_OK(status)) { return status; } @@ -2141,7 +2175,7 @@ NTSTATUS _lsa_RemoveAccountRights(pipes_struct *p, /* get the generic lsa account SD for this SID until we store it */ status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size, &lsa_account_mapping, - r->in.sid, LSA_ACCOUNT_ALL_ACCESS); + NULL, 0); if (!NT_STATUS_IS_OK(status)) { return status; } -- Samba Shared Repository