[samba4/f17] Fixes CVE-2013-0213 and CVE-2013-0214.

asn asn at fedoraproject.org
Thu Jan 31 10:29:33 UTC 2013


commit 36a256c1a61ad9f6fd89e7c6a47ba0bd10d90b4d
Author: Andreas Schneider <asn at cryptomilk.org>
Date:   Thu Jan 31 11:28:52 2013 +0100

    Fixes CVE-2013-0213 and CVE-2013-0214.
    
    resolves: #906003
    resolves: #905700
    resolves: #905704

 samba4-CVE-2013-0213.patch |   34 +++++++++++++
 samba4-CVE-2013-0214.patch |  116 ++++++++++++++++++++++++++++++++++++++++++++
 samba4.spec                |   14 +++++-
 3 files changed, 162 insertions(+), 2 deletions(-)
---
diff --git a/samba4-CVE-2013-0213.patch b/samba4-CVE-2013-0213.patch
new file mode 100644
index 0000000..987ce64
--- /dev/null
+++ b/samba4-CVE-2013-0213.patch
@@ -0,0 +1,34 @@
+From 72672f8074c0a65918756ad89a8ecc2befc72cf0 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Fri, 18 Jan 2013 23:11:07 +0100
+Subject: [PATCH] swat: Use X-Frame-Options header to avoid clickjacking
+
+Jann Horn reported a potential clickjacking vulnerability in SWAT where
+the SWAT page could be embedded into an attacker's page using a frame or
+iframe and then used to trick the user to change Samba settings.
+
+Avoid this by telling the browser to refuse the frame embedding via the
+X-Frame-Options: DENY header.
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source3/web/swat.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/source3/web/swat.c b/source3/web/swat.c
+index 90e4af9..1eb191d 100644
+--- a/source3/web/swat.c
++++ b/source3/web/swat.c
+@@ -269,7 +269,8 @@ static void print_header(void)
+ 	if (!cgi_waspost()) {
+ 		printf("Expires: 0\r\n");
+ 	}
+-	printf("Content-type: text/html\r\n\r\n");
++	printf("Content-type: text/html\r\n");
++	printf("X-Frame-Options: DENY\r\n\r\n");
+ 
+ 	if (!include_html("include/header.html")) {
+ 		printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
+-- 
+1.7.0.4
+
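Review bot: The `X-Frame-Options: DENY` header is emitted only from print_header(), so any HTML response that does not go through it stays frameable; the "SWAT installation Error" page that cgi.c builds from its own `head` string (visible in the CVE-2013-0214 patch below, `"Content-Type: text/html\r\n\r\n<HTML>..."`) is one such path. That page carries the same user-facing markup and would need the header inlined as well, e.g. `"Content-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n<HTML><BODY>..."`. Since this is a backported upstream patch, the extra line belongs in a follow-up to the patch file rather than a local edit of the hunk. print_header() starts outside the hunk, so I cannot see whether anything before line 269 already writes headers on other paths.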
diff --git a/samba4-CVE-2013-0214.patch b/samba4-CVE-2013-0214.patch
new file mode 100644
index 0000000..413e167
--- /dev/null
+++ b/samba4-CVE-2013-0214.patch
@@ -0,0 +1,116 @@
+From 052dfd720dbd83c9dbfab78b42230f1aa4544781 Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai at samba.org>
+Date: Mon, 28 Jan 2013 23:13:43 +0100
+Subject: [PATCH] swat: Use additional nonce on XSRF protection
+
+If the user had a weak password on the root account of a machine running
+SWAT, there still was a chance of being targetted by an XSRF on a
+malicious web site targetting the SWAT setup.
+
+Use a random nonce stored in secrets.tdb to close this possible attack
+window. Thanks to Jann Horn for reporting this issue.
+
+Signed-off-by: Kai Blin <kai at samba.org>
+---
+ source3/web/cgi.c        |   39 ++++++++++++++++++++++++++-------------
+ source3/web/swat.c       |    2 ++
+ source3/web/swat_proto.h |    1 +
+ 3 files changed, 29 insertions(+), 13 deletions(-)
+
+Index: samba-4.0.0alpha18/source3/web/cgi.c
+===================================================================
+--- samba-4.0.0alpha18.orig/source3/web/cgi.c
++++ samba-4.0.0alpha18/source3/web/cgi.c
+@@ -48,6 +48,7 @@ static const char *baseurl;
+ static char *pathinfo;
+ static char *C_user;
+ static char *C_pass;
++static char *C_nonce;
+ static bool inetd_server;
+ static bool got_request;
+ 
+@@ -329,20 +330,7 @@ static void cgi_web_auth(void)
+ 	C_user = SMB_STRDUP(user);
+ 
+ 	if (!setuid(0)) {
+-		C_pass = secrets_fetch_generic("root", "SWAT");
+-		if (C_pass == NULL) {
+-			char *tmp_pass = NULL;
+-			tmp_pass = generate_random_password(talloc_tos(),
+-							    16, 16);
+-			if (tmp_pass == NULL) {
+-				printf("%sFailed to create random nonce for "
+-				       "SWAT session\n<br>%s\n", head, tail);
+-				exit(0);
+-			}
+-			secrets_store_generic("root", "SWAT", tmp_pass);
+-			C_pass = SMB_STRDUP(tmp_pass);
+-			TALLOC_FREE(tmp_pass);
+-		}
++		C_pass = SMB_STRDUP(cgi_nonce());
+ 	}
+ 	setuid(pwd->pw_uid);
+ 	if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+@@ -464,6 +452,30 @@ char *cgi_user_pass(void)
+ }
+ 
+ /***************************************************************************
++return a ptr to the nonce
++  ***************************************************************************/
++char *cgi_nonce(void)
++{
++	const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
++	const char *tail = "</BODY></HTML>\r\n";
++	C_nonce = secrets_fetch_generic("root", "SWAT");
++	if (C_nonce == NULL) {
++		char *tmp_pass = NULL;
++		tmp_pass = generate_random_str(talloc_tos(), 16);
++		if (tmp_pass == NULL) {
++			printf("%sFailed to create random nonce for "
++			       "SWAT session\n<br>%s\n", head, tail);
++			exit(0);
++		}
++		secrets_store_generic("root", "SWAT", tmp_pass);
++		C_nonce = SMB_STRDUP(tmp_pass);
++		TALLOC_FREE(tmp_pass);
++	}
++	return(C_nonce);
++}
++
++
++/***************************************************************************
+ handle a file download
+   ***************************************************************************/
+ static void cgi_download(char *file)
+Index: samba-4.0.0alpha18/source3/web/swat.c
+===================================================================
+--- samba-4.0.0alpha18.orig/source3/web/swat.c
++++ samba-4.0.0alpha18/source3/web/swat.c
+@@ -156,6 +156,7 @@ void get_xsrf_token(const char *username
+ 	struct MD5Context md5_ctx;
+ 	uint8_t token[16];
+ 	int i;
++	char *nonce = cgi_nonce();
+ 
+ 	token_str[0] = '\0';
+ 	ZERO_STRUCT(md5_ctx);
+@@ -169,6 +170,7 @@ void get_xsrf_token(const char *username
+ 	if (pass != NULL) {
+ 		MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
+ 	}
++	MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
+ 
+ 	MD5Final(token, &md5_ctx);
+ 
+Index: samba-4.0.0alpha18/source3/web/swat_proto.h
+===================================================================
+--- samba-4.0.0alpha18.orig/source3/web/swat_proto.h
++++ samba-4.0.0alpha18/source3/web/swat_proto.h
+@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const ch
+ bool am_root(void);
+ char *cgi_user_name(void);
+ char *cgi_user_pass(void);
++char *cgi_nonce(void);
+ void cgi_setup(const char *rootdir, int auth_required);
+ const char *cgi_baseurl(void);
+ const char *cgi_pathinfo(void);
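Review bot: cgi_nonce() never returns the value it already holds: every call re-runs `secrets_fetch_generic("root", "SWAT")` and overwrites C_nonce, so the static only caches the last fetch and, assuming secrets_fetch_generic() and SMB_STRDUP() hand back heap memory, each earlier copy is leaked; it is now called from both cgi_web_auth() and get_xsrf_token(). A guard at the top, `if (C_nonce != NULL) { return C_nonce; }`, keeps one copy per process and makes the stored nonce stable across the two callers. The `SMB_STRDUP(tmp_pass)` result is also not checked, while get_xsrf_token() calls `strlen(nonce)` unconditionally right after guarding `pass != NULL`; either check C_nonce after the strdup with the same error exit as the generate_random_str() failure, or guard the caller with `if (nonce != NULL) { MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce)); }`. cgi_web_auth() and get_xsrf_token() both start outside the hunk, so their earlier handling of C_pass/pass is inferred from the context lines only.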
diff --git a/samba4.spec b/samba4.spec
index 234d9e6..2e0cd06 100644
--- a/samba4.spec
+++ b/samba4.spec
@@ -1,4 +1,4 @@
-%define main_release 59
+%define main_release 60
 
 %define samba_version 4.0.0
 %define talloc_version 2.0.7
@@ -81,6 +81,8 @@ Patch7: samba4-CVE-2012-2111.patch
 Patch8: samba4-4.0.0-beta1-fix-s3-daemon-memory-leaks.patch
 Patch9: samba4-4.0.0beta1-fix-python-version-parsing.patch
 Patch10: samba4-CVE-2013-0172.patch
+Patch11: samba4-CVE-2013-0213.patch
+Patch12: samba4-CVE-2013-0214.patch
 
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
@@ -371,6 +373,8 @@ link against the SMB, RPC and other protocols.
 %patch8 -p1 -b .daemon_mem_leaks
 %patch9 -p1 -b .python_version_parsing
 %patch10 -p1 -b .CVE-2013-0172
+%patch11 -p1 -b .CVE-2013-0213
+%patch12 -p1 -b .CVE-2013-0214
 
 %build
 %define _talloc_lib %nil
@@ -1241,7 +1245,13 @@ rm -rf %{buildroot}
 %endif # with_libwbclient
 
 %changelog
-* Tue Jan 15 2013 - Andreas Schneider <asn at redhat.com>
+* Thu Jan 31 2013 - Andreas Schneider <asn at redhat.com> - - 2:4.0.0-60.alpha18
+- Fixes CVE-2013-0213 and CVE-2013-0214.
+- resolves: #906003
+- resolves: #905700
+- resolves: #905704
+
+* Tue Jan 15 2013 - Andreas Schneider <asn at redhat.com> - 2:4.0.0-59.alpha18
 - Fixes CVE-2013-0172
 
 * Thu Jul 12 2012 Andreas Schneider <asn at redhat.com> - 2:4.0.0-58.alpha18
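Review bot: The new changelog header has a doubled separator, `- - 2:4.0.0-60.alpha18`, whereas the corrected entry directly below it uses the single-dash form `- 2:4.0.0-59.alpha18`; rpm changelog parsers key the version off that trailing `- version` token. The line should read `* Thu Jan 31 2013 - Andreas Schneider <asn at redhat.com> - 2:4.0.0-60.alpha18`. The Patch11/Patch12 declarations and the matching `%patch11`/`%patch12` lines in the earlier hunks are consistent with each other and with the two new patch files.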

