Diffstat (limited to 'meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch')
-rw-r--r-- | meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch | 160 |
1 files changed, 0 insertions, 160 deletions
diff --git a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch b/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch
deleted file mode 100644
index cccb34127a..0000000000
--- a/meta-oe/recipes-connectivity/samba/samba/samba-3.6.11-CVE-2013-0213-CVE-2013-0214.patch
+++ /dev/null
@@ -1,160 +0,0 @@ -Upstream-Status: Backport - -From 71225948a249f079120282740fcc39fd6faa880e Mon Sep 17 00:00:00 2001 -From: Kai Blin <kai@samba.org> -Date: Fri, 18 Jan 2013 23:11:07 +0100 -Subject: [PATCH 1/2] swat: Use X-Frame-Options header to avoid clickjacking - -Jann Horn reported a potential clickjacking vulnerability in SWAT where -the SWAT page could be embedded into an attacker's page using a frame or -iframe and then used to trick the user to change Samba settings. - -Avoid this by telling the browser to refuse the frame embedding via the -X-Frame-Options: DENY header. - -Signed-off-by: Kai Blin <kai@samba.org> - -Fix bug #9576 - CVE-2013-0213: Clickjacking issue in SWAT. ---- - source3/web/swat.c | 3 ++- - 1 files changed, 2 insertions(+), 1 deletions(-) - -diff --git a/source3/web/swat.c b/source3/web/swat.c -index 1f6eb6c..ed80c38 100644 ---- a/source3/web/swat.c -+++ b/source3/web/swat.c -@@ -266,7 +266,8 @@ static void print_header(void) - if (!cgi_waspost()) { - printf("Expires: 0\r\n"); - } -- printf("Content-type: text/html\r\n\r\n"); -+ printf("Content-type: text/html\r\n"); -+ printf("X-Frame-Options: DENY\r\n\r\n"); - - if (!include_html("include/header.html")) { - printf("<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 3.2//EN\">\n"); --- -1.7.7 - - -From 91f4275873ebeda8f57684f09df67162ae80515a Mon Sep 17 00:00:00 2001 -From: Kai Blin <kai@samba.org> -Date: Mon, 28 Jan 2013 21:41:07 +0100 -Subject: [PATCH 2/2] swat: Use additional nonce on XSRF protection - -If the user had a weak password on the root account of a machine running -SWAT, there still was a chance of being targetted by an XSRF on a -malicious web site targetting the SWAT setup. - -Use a random nonce stored in secrets.tdb to close this possible attack -window. Thanks to Jann Horn for reporting this issue. - -Signed-off-by: Kai Blin <kai@samba.org> - -Fix bug #9577: CVE-2013-0214: Potential XSRF in SWAT. 
---- - source3/web/cgi.c | 40 ++++++++++++++++++++++++++-------------- - source3/web/swat.c | 2 ++ - source3/web/swat_proto.h | 1 + - 3 files changed, 29 insertions(+), 14 deletions(-) - -diff --git a/source3/web/cgi.c b/source3/web/cgi.c -index ef1b856..861bc84 100644 ---- a/source3/web/cgi.c -+++ b/source3/web/cgi.c -@@ -48,6 +48,7 @@ static const char *baseurl; - static char *pathinfo; - static char *C_user; - static char *C_pass; -+static char *C_nonce; - static bool inetd_server; - static bool got_request; - -@@ -329,20 +330,7 @@ static void cgi_web_auth(void) - C_user = SMB_STRDUP(user); - - if (!setuid(0)) { -- C_pass = secrets_fetch_generic("root", "SWAT"); -- if (C_pass == NULL) { -- char *tmp_pass = NULL; -- tmp_pass = generate_random_password(talloc_tos(), -- 16, 16); -- if (tmp_pass == NULL) { -- printf("%sFailed to create random nonce for " -- "SWAT session\n<br>%s\n", head, tail); -- exit(0); -- } -- secrets_store_generic("root", "SWAT", tmp_pass); -- C_pass = SMB_STRDUP(tmp_pass); -- TALLOC_FREE(tmp_pass); -- } -+ C_pass = SMB_STRDUP(cgi_nonce()); - } - setuid(pwd->pw_uid); - if (geteuid() != pwd->pw_uid || getuid() != pwd->pw_uid) { -@@ -459,6 +447,30 @@ char *cgi_user_pass(void) - } - - /*************************************************************************** -+return a ptr to the nonce -+ ***************************************************************************/ -+char *cgi_nonce(void) -+{ -+ const char *head = "Content-Type: text/html\r\n\r\n<HTML><BODY><H1>SWAT installation Error</H1>\n"; -+ const char *tail = "</BODY></HTML>\r\n"; -+ C_nonce = secrets_fetch_generic("root", "SWAT"); -+ if (C_nonce == NULL) { -+ char *tmp_pass = NULL; -+ tmp_pass = generate_random_password(talloc_tos(), -+ 16, 16); -+ if (tmp_pass == NULL) { -+ printf("%sFailed to create random nonce for " -+ "SWAT session\n<br>%s\n", head, tail); -+ exit(0); -+ } -+ secrets_store_generic("root", "SWAT", tmp_pass); -+ C_nonce = SMB_STRDUP(tmp_pass); -+ TALLOC_FREE(tmp_pass); 
-+ } -+ return(C_nonce); -+} -+ -+/*************************************************************************** - handle a file download - ***************************************************************************/ - static void cgi_download(char *file) -diff --git a/source3/web/swat.c b/source3/web/swat.c -index ed80c38..f8933d2 100644 ---- a/source3/web/swat.c -+++ b/source3/web/swat.c -@@ -154,6 +154,7 @@ void get_xsrf_token(const char *username, const char *pass, - MD5_CTX md5_ctx; - uint8_t token[16]; - int i; -+ char *nonce = cgi_nonce(); - - token_str[0] = '\0'; - ZERO_STRUCT(md5_ctx); -@@ -167,6 +168,7 @@ void get_xsrf_token(const char *username, const char *pass, - if (pass != NULL) { - MD5Update(&md5_ctx, (uint8_t *)pass, strlen(pass)); - } -+ MD5Update(&md5_ctx, (uint8_t *)nonce, strlen(nonce)); - - MD5Final(token, &md5_ctx); - -diff --git a/source3/web/swat_proto.h b/source3/web/swat_proto.h -index 424a3af..fe51b1f 100644 ---- a/source3/web/swat_proto.h -+++ b/source3/web/swat_proto.h -@@ -32,6 +32,7 @@ const char *cgi_variable_nonull(const char *name); - bool am_root(void); - char *cgi_user_name(void); - char *cgi_user_pass(void); -+char *cgi_nonce(void); - void cgi_setup(const char *rootdir, int auth_required); - const char *cgi_baseurl(void); - const char *cgi_pathinfo(void); --- -1.7.7 - |