[samba4] Security Release, fixes CVE-2012-2111

Simo Sorce simo at fedoraproject.org
Mon Apr 30 14:45:28 UTC 2012 

commit b5838a50ba15026250e194240ea55a961cf391e9
Author: Günther Deschner <gd at samba.org>
Date:   Fri Apr 27 17:13:10 2012 +0200

    Security Release, fixes CVE-2012-2111
    
    resolves: #817551

 samba4-CVE-2012-2111.patch |   74 ++++++++++++++++++++++++++++++++++++++++++++
 samba4.spec                |    8 ++++-
 2 files changed, 81 insertions(+), 1 deletions(-)
---
diff --git a/samba4-CVE-2012-2111.patch b/samba4-CVE-2012-2111.patch
new file mode 100644
index 0000000..d85e591
--- /dev/null
+++ b/samba4-CVE-2012-2111.patch
@@ -0,0 +1,74 @@
+From fc21652aca3b1fb8d1373b54a8ccdf5c7bc9509b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Tue, 17 Apr 2012 12:30:15 -0700
+Subject: [PATCH] Fix bug #8873 - self granting privileges in security=ads.
+
+---
+ source3/rpc_server/lsa/srv_lsa_nt.c |   16 ++++++++++++----
+ 1 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
+index 48bdfdb..f1605af 100644
+--- a/source3/rpc_server/lsa/srv_lsa_nt.c
++++ b/source3/rpc_server/lsa/srv_lsa_nt.c
+@@ -2725,6 +2725,10 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
+ 	uint32_t acc_granted;
+ 	struct security_descriptor *psd;
+ 	size_t sd_size;
++	uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
++			~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
++			LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
++			SEC_STD_DELETE));
+ 
+ 	/* find the connection policy handle. */
+ 	if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&handle))
+@@ -2750,7 +2754,7 @@ NTSTATUS _lsa_CreateAccount(struct pipes_struct *p,
+ 
+ 	status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+ 				    &lsa_account_mapping,
+-				    r->in.sid, LSA_POLICY_ALL_ACCESS);
++				    r->in.sid, owner_access);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		return status;
+ 	}
+@@ -2791,6 +2795,10 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
+ 	size_t sd_size;
+ 	uint32_t des_access = r->in.access_mask;
+ 	uint32_t acc_granted;
++	uint32_t owner_access = (LSA_ACCOUNT_ALL_ACCESS &
++			~(LSA_ACCOUNT_ADJUST_PRIVILEGES|
++			LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
++			SEC_STD_DELETE));
+ 	NTSTATUS status;
+ 
+ 	/* find the connection policy handle. */
+@@ -2815,7 +2823,7 @@ NTSTATUS _lsa_OpenAccount(struct pipes_struct *p,
+ 	/* get the generic lsa account SD until we store it */
+ 	status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+ 				&lsa_account_mapping,
+-				r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
++				r->in.sid, owner_access);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		return status;
+ 	}
+@@ -3174,7 +3182,7 @@ NTSTATUS _lsa_AddAccountRights(struct pipes_struct *p,
+         /* get the generic lsa account SD for this SID until we store it */
+         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+                                 &lsa_account_mapping,
+-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
++				NULL, 0);
+         if (!NT_STATUS_IS_OK(status)) {
+                 return status;
+         }
+@@ -3245,7 +3253,7 @@ NTSTATUS _lsa_RemoveAccountRights(struct pipes_struct *p,
+         /* get the generic lsa account SD for this SID until we store it */
+         status = make_lsa_object_sd(p->mem_ctx, &psd, &sd_size,
+                                 &lsa_account_mapping,
+-                                r->in.sid, LSA_ACCOUNT_ALL_ACCESS);
++				NULL, 0);
+         if (!NT_STATUS_IS_OK(status)) {
+                 return status;
+         }
+-- 
+1.7.7.3
+
diff --git a/samba4.spec b/samba4.spec
index a204db4..5f35ccb 100644
--- a/samba4.spec
+++ b/samba4.spec
@@ -1,4 +1,4 @@
-%define main_release 43
+%define main_release 44
 
 %define samba_version 4.0.0
 %define talloc_version 2.0.7
@@ -77,6 +77,7 @@ Patch3: samba4-waf_target.patch
 Patch4: samba4-external_ldap_callback.patch
 Patch5: samba4-4.0.0-alpha19-CVE-2012-1182.patch
 Patch6: samba4-4.0.0-alpha20-lib-private.patch
+Patch7: samba4-CVE-2012-2111.patch
 
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
@@ -346,6 +347,7 @@ link against the SMB, RPC and other protocols.
 %patch4 -p1 -b .external_callback
 %patch5 -p1 -b .CVE-2012-1182
 %patch6 -p1 -b .private-lib
+%patch7 -p1 -b .CVE-2012-2111
 
 %build
 %define _talloc_lib %nil
@@ -1208,6 +1210,10 @@ rm -rf %{buildroot}
 %endif # with_libwbclient
 
 %changelog
+* Mon Apr 30 2012 Guenther Deschner < gdeschner at redhat.com> - 4.0.0-44.alpha18
+- Security Release, fixes CVE-2012-2111
+- resolves: #817551
+
 * Tue Apr 24 2012 Andreas Schneider <asn at redhat.com> - 4.0.0-43.alpha18
 - Move libraries to samba4-libs so it doesn't depend on samba4-common.

More information about the scm-commits mailing list