2 files changed, 161 insertions, 0 deletions
diff --git a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch
new file mode 100644
index 0000000000..cccb34127a
--- /dev/null
+++ b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch
@@ -0,0 +1,160 @@
+Upstream-Status: Backport
+From 71225948a249f079120282740fcc39fd6faa880e Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Fri, 18 Jan 2013 23:11:07 +0100
+Subject: [PATCH 1/2] swat: Use X-Frame-Options header to avoid clickjacking
+Jann Horn reported a potential clickjacking vulnerability in SWAT where
+the SWAT page could be embedded into an attacker's page using a frame or
+iframe and then used to trick the user to change Samba settings.
+Avoid this by telling the browser to refuse the frame embedding via the
+X-Frame-Options: DENY header.
+Signed-off-by: Kai Blin <kai@samba.org>
+Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
+---
+ source3/web/swat.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+diff --git a/source3/web/swat.c b/source3/web/swat.c
+index 1f6eb6c..ed80c38 100644
+--- a/source3/web/swat.c
+++ b/source3/web/swat.c
+@@ -266,7 +266,8 @@ static void print_header(void)
+        if (!cgi_waspost()) {
+                printf("Expires: 0\r\n");
+        }
+-       printf("Content-type: text/html\r\n\r\n");
+       printf("Content-type: text/html\r\n");
+       printf("X-Frame-Options: DENY\r\n\r\n");
+ 
+        if (!include_html("include/header.html")) {
+                printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
+-- 
+1.7.7
+From 91f4275873ebeda8f57684f09df67162ae80515a Mon Sep 17 00:00:00 2001
+From: Kai Blin <kai@samba.org>
+Date: Mon, 28 Jan 2013 21:41:07 +0100
+Subject: [PATCH 2/2] swat: Use additional nonce on XSRF protection
+If the user had a weak password on the root account of a machine running
+SWAT, there still was a chance of being targetted by an XSRF on a
+malicious web site targetting the SWAT setup.
+Use a random nonce stored in secrets.tdb to close this possible attack
+window. Thanks to Jann Horn for reporting this issue.
+Signed-off-by: Kai Blin <kai@samba.org>
+Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.
+---
+ source3/web/cgi.c        |   40 ++++++++++++++++++++++++++--------------
+ source3/web/swat.c       |    2 ++
+ source3/web/swat_proto.h |    1 +
+ 3 files changed, 29 insertions(+), 14 deletions(-)
+diff --git a/source3/web/cgi.c b/source3/web/cgi.c
+index ef1b856..861bc84 100644
+--- a/source3/web/cgi.c
+++ b/source3/web/cgi.c
+@@ -48,6 +48,7 @@ static const char *baseurl;
+ static char *pathinfo;
+ static char *C_user;
+ static char *C_pass;
+static char *C_nonce;
+ static bool inetd_server;
+ static bool got_request;
+ 
+@@ -329,20 +330,7 @@ static void cgi_web_auth(void)
+        C_user = SMB_STRDUP(user);
+ 
+        if (!setuid(0)) {
+-               C_pass = secrets_fetch_generic("root", "SWAT");
+-               if (C_pass == NULL) {
+-                       char *tmp_pass = NULL;
+-                       tmp_pass = generate_random_password(talloc_tos(),
+-                                                           16, 16);
+-                       if (tmp_pass == NULL) {
+-                               printf("%sFailed to create random nonce for "
+-                                      "SWAT session\n<br>%s\n", head, tail);
+-                               exit(0);
+-                       }
+-                       secrets_store_generic("root", "SWAT", tmp_pass);
+-                       C_pass = SMB_STRDUP(tmp_pass);
+-                       TALLOC_FREE(tmp_pass);
+-               }
+               C_pass = SMB_STRDUP(cgi_nonce());
+        }
+        setuid(pwd->pw_uid);
+        if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) {
+@@ -459,6 +447,30 @@ char *cgi_user_pass(void)
+ }
+ 
+ /***************************************************************************
+return a ptr to the nonce
+  ***************************************************************************/
+char *cgi_nonce(void)
+{
+       const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
+       const char *tail = "</BODY></HTML>\r\n";
+       C_nonce = secrets_fetch_generic("root", "SWAT");
+       if (C_nonce == NULL) {
+               char *tmp_pass = NULL;
+               tmp_pass = generate_random_password(talloc_tos(),
+                                                   16, 16);
+               if (tmp_pass == NULL) {
+                       printf("%sFailed to create random nonce for "
+                              "SWAT session\n<br>%s\n", head, tail);
+                       exit(0);
+               }
+               secrets_store_generic("root", "SWAT", tmp_pass);
+               C_nonce = SMB_STRDUP(tmp_pass);
+               TALLOC_FREE(tmp_pass);
+       }
+        return(C_nonce);
+}
+
+/***************************************************************************
+ handle a file download
+   ***************************************************************************/
+ static void cgi_download(char *file)
+diff --git a/source3/web/swat.c b/source3/web/swat.c
+index ed80c38..f8933d2 100644
+--- a/source3/web/swat.c
+++ b/source3/web/swat.c
+@@ -154,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass,
+        MD5_CTX md5_ctx;
+        uint8_t token[16];
+        int i;
+       char *nonce = cgi_nonce();
+ 
+        token_str[0] = '\0';
+        ZERO_STRUCT(md5_ctx);
+@@ -167,6 +168,7 @@ void get_xsrf_token(const char *username, const char *pass,
+        if (pass != NULL) {
+                MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
+        }
+       MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
+ 
+        MD5Final(token, &md5_ctx);
+ 
+diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
+index 424a3af..fe51b1f 100644
+--- a/source3/web/swat_proto.h
+++ b/source3/web/swat_proto.h
+@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name);
+ bool am_root(void);
+ char *cgi_user_name(void);
+ char *cgi_user_pass(void);
+char *cgi_nonce(void);
+ void cgi_setup(const char *rootdir, int auth_required);
+ const char *cgi_baseurl(void);
+ const char *cgi_pathinfo(void);
+-- 
+1.7.7
diff --git a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
index c3e834deff..a5e7dcd180 100644
--- a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
+++ b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
@@ -32,6 +32,7 @@ SRC_URI += "\
    file://configure-libunwind.patch;patchdir=.. \
    file://samba-3.6.22-CVE-2013-4496.patch;patchdir=.. \
    file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \
+    file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \
 "
 SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"
 SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"

diff --git a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch new file mode 100644 index 0000000000..cccb34127a --- /dev/null +++ b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch
@@ -0,0 +1,160 @@
		1	Upstream-Status: Backport
		2
		3	From 71225948a249f079120282740fcc39fd6faa880e Mon Sep 17 00:00:00 2001
		4	From: Kai Blin <kai@samba.org>
		5	Date: Fri, 18 Jan 2013 23:11:07 +0100
		6	Subject: [PATCH 1/2] swat: Use X-Frame-Options header to avoid clickjacking
		7
		8	Jann Horn reported a potential clickjacking vulnerability in SWAT where
		9	the SWAT page could be embedded into an attacker's page using a frame or
		10	iframe and then used to trick the user to change Samba settings.
		11
		12	Avoid this by telling the browser to refuse the frame embedding via the
		13	X-Frame-Options: DENY header.
		14
		15	Signed-off-by: Kai Blin <kai@samba.org>
		16
		17	Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT.
		18	---
		19	source3/web/swat.c \| 3 ++-
		20	1 files changed, 2 insertions(+), 1 deletions(-)
		21
		22	diff --git a/source3/web/swat.c b/source3/web/swat.c
		23	index 1f6eb6c..ed80c38 100644
		24	--- a/source3/web/swat.c
		25	+++ b/source3/web/swat.c
		26	@@ -266,7 +266,8 @@ static void print_header(void)
		27	if (!cgi_waspost()) {
		28	printf("Expires: 0\r\n");
		29	}
		30	- printf("Content-type: text/html\r\n\r\n");
		31	+ printf("Content-type: text/html\r\n");
		32	+ printf("X-Frame-Options: DENY\r\n\r\n");
		33
		34	if (!include_html("include/header.html")) {
		35	printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n");
		36	--
		37	1.7.7
		38
		39
		40	From 91f4275873ebeda8f57684f09df67162ae80515a Mon Sep 17 00:00:00 2001
		41	From: Kai Blin <kai@samba.org>
		42	Date: Mon, 28 Jan 2013 21:41:07 +0100
		43	Subject: [PATCH 2/2] swat: Use additional nonce on XSRF protection
		44
		45	If the user had a weak password on the root account of a machine running
		46	SWAT, there still was a chance of being targetted by an XSRF on a
		47	malicious web site targetting the SWAT setup.
		48
		49	Use a random nonce stored in secrets.tdb to close this possible attack
		50	window. Thanks to Jann Horn for reporting this issue.
		51
		52	Signed-off-by: Kai Blin <kai@samba.org>
		53
		54	Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT.
		55	---
		56	source3/web/cgi.c \| 40 ++++++++++++++++++++++++++--------------
		57	source3/web/swat.c \| 2 ++
		58	source3/web/swat_proto.h \| 1 +
		59	3 files changed, 29 insertions(+), 14 deletions(-)
		60
		61	diff --git a/source3/web/cgi.c b/source3/web/cgi.c
		62	index ef1b856..861bc84 100644
		63	--- a/source3/web/cgi.c
		64	+++ b/source3/web/cgi.c
		65	@@ -48,6 +48,7 @@ static const char *baseurl;
		66	static char *pathinfo;
		67	static char *C_user;
		68	static char *C_pass;
		69	+static char *C_nonce;
		70	static bool inetd_server;
		71	static bool got_request;
		72
		73	@@ -329,20 +330,7 @@ static void cgi_web_auth(void)
		74	C_user = SMB_STRDUP(user);
		75
		76	if (!setuid(0)) {
		77	- C_pass = secrets_fetch_generic("root", "SWAT");
		78	- if (C_pass == NULL) {
		79	- char *tmp_pass = NULL;
		80	- tmp_pass = generate_random_password(talloc_tos(),
		81	- 16, 16);
		82	- if (tmp_pass == NULL) {
		83	- printf("%sFailed to create random nonce for "
		84	- "SWAT session\n<br>%s\n", head, tail);
		85	- exit(0);
		86	- }
		87	- secrets_store_generic("root", "SWAT", tmp_pass);
		88	- C_pass = SMB_STRDUP(tmp_pass);
		89	- TALLOC_FREE(tmp_pass);
		90	- }
		91	+ C_pass = SMB_STRDUP(cgi_nonce());
		92	}
		93	setuid(pwd->pw_uid);
		94	if (geteuid() != pwd->pw_uid \|\| getuid() != pwd->pw_uid) {
		95	@@ -459,6 +447,30 @@ char *cgi_user_pass(void)
		96	}
		97
		98	/***************************************************************************
		99	+return a ptr to the nonce
		100	+ ***************************************************************************/
		101	+char *cgi_nonce(void)
		102	+{
		103	+ const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n";
		104	+ const char *tail = "</BODY></HTML>\r\n";
		105	+ C_nonce = secrets_fetch_generic("root", "SWAT");
		106	+ if (C_nonce == NULL) {
		107	+ char *tmp_pass = NULL;
		108	+ tmp_pass = generate_random_password(talloc_tos(),
		109	+ 16, 16);
		110	+ if (tmp_pass == NULL) {
		111	+ printf("%sFailed to create random nonce for "
		112	+ "SWAT session\n<br>%s\n", head, tail);
		113	+ exit(0);
		114	+ }
		115	+ secrets_store_generic("root", "SWAT", tmp_pass);
		116	+ C_nonce = SMB_STRDUP(tmp_pass);
		117	+ TALLOC_FREE(tmp_pass);
		118	+ }
		119	+ return(C_nonce);
		120	+}
		121	+
		122	+/***************************************************************************
		123	handle a file download
		124	***************************************************************************/
		125	static void cgi_download(char *file)
		126	diff --git a/source3/web/swat.c b/source3/web/swat.c
		127	index ed80c38..f8933d2 100644
		128	--- a/source3/web/swat.c
		129	+++ b/source3/web/swat.c
		130	@@ -154,6 +154,7 @@ void get_xsrf_token(const char username, const char pass,
		131	MD5_CTX md5_ctx;
		132	uint8_t token[16];
		133	int i;
		134	+ char *nonce = cgi_nonce();
		135
		136	token_str[0] = '\0';
		137	ZERO_STRUCT(md5_ctx);
		138	@@ -167,6 +168,7 @@ void get_xsrf_token(const char username, const char pass,
		139	if (pass != NULL) {
		140	MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass));
		141	}
		142	+ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce));
		143
		144	MD5Final(token, &md5_ctx);
		145
		146	diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h
		147	index 424a3af..fe51b1f 100644
		148	--- a/source3/web/swat_proto.h
		149	+++ b/source3/web/swat_proto.h
		150	@@ -32,6 +32,7 @@ const char cgi_variable_nonull(const char name);
		151	bool am_root(void);
		152	char *cgi_user_name(void);
		153	char *cgi_user_pass(void);
		154	+char *cgi_nonce(void);
		155	void cgi_setup(const char *rootdir, int auth_required);
		156	const char *cgi_baseurl(void);
		157	const char *cgi_pathinfo(void);
		158	--
		159	1.7.7
		160


diff --git a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb index c3e834deff..a5e7dcd180 100644 --- a/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb +++ b/meta-oe/recipes-connectivity/samba/samba_3.6.8.bb
@@ -32,6 +32,7 @@ SRC_URI += "\
32	file://configure-libunwind.patch;patchdir=.. \	32	file://configure-libunwind.patch;patchdir=.. \
33	file://samba-3.6.22-CVE-2013-4496.patch;patchdir=.. \	33	file://samba-3.6.22-CVE-2013-4496.patch;patchdir=.. \
34	file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \	34	file://0001-PIDL-fix-parsing-linemarkers-in-preprocessor-output.patch;patchdir=.. \
		35	file://samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch;patchdir=.. \
35	"	36	"
36	SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"	37	SRC_URI[md5sum] = "fbb245863eeef2fffe172df779a217be"
37	SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"	38	SRC_URI[sha256sum] = "4f5a171a8d902c6b4f822ed875c51eb8339196d9ccf0ecd7f6521c966b3514de"