aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorColin Percival <cperciva@FreeBSD.org>2006-05-31 22:33:41 +0000
committerColin Percival <cperciva@FreeBSD.org>2006-05-31 22:33:41 +0000
commite682749bfb2aea2de7b883ef0ce478f5bc6b0820 (patch)
tree675044486d11ba0ec44ec6432b40c5e5ae5daaba
parentde7242811fa5d383ece9325e6864e857b2997f20 (diff)
downloadsrc-e682749bfb2aea2de7b883ef0ce478f5bc6b0820.tar.gz
src-e682749bfb2aea2de7b883ef0ce478f5bc6b0820.zip
Enable inadvertantly disabled "securenet" access controls in ypserv. [1]
Correct a bug in the handling of backslash characters in smbfs which can allow an attacker to escape from a chroot(2). [2] Approved by: so (cperciva) Security: FreeBSD-SA-06:15.ypserv [1] Security: FreeBSD-SA-06:16.smbfs [2]
Notes
Notes: svn path=/releng/5.5/; revision=159118
-rw-r--r--UPDATING10
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/fs/smbfs/smbfs_vnops.c9
-rw-r--r--usr.sbin/ypserv/yp_access.c37
4 files changed, 41 insertions, 17 deletions
diff --git a/UPDATING b/UPDATING
index 1fc5809b7ff1..155d7d94728c 100644
--- a/UPDATING
+++ b/UPDATING
@@ -8,6 +8,16 @@ Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running
portupgrade.
+20060531: p1 FreeBSD-SA-06:15.ypserv, FreeBSD-SA-06:16.smbfs
+ Enable inadvertantly disabled "securenet" access controls in
+ ypserv. [06:15]
+
+ Correct a bug in the handling of backslash characters in smbfs
+ which can allow an attacker to escape from a chroot(2). [06:16]
+
+20060525:
+ FreeBSD 5.5-RELEASE
+
20060127:
The i386 loader(8) now defaults to the serial speed set by the
previous boot stage, if the comconsole is already in use. If
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 8fe2604c5c5f..d3b715511966 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="5.5"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"
diff --git a/sys/fs/smbfs/smbfs_vnops.c b/sys/fs/smbfs/smbfs_vnops.c
index 3ac2ffdca0d9..0102ee0f7446 100644
--- a/sys/fs/smbfs/smbfs_vnops.c
+++ b/sys/fs/smbfs/smbfs_vnops.c
@@ -1038,11 +1038,18 @@ smbfs_advlock(ap)
static int
smbfs_pathcheck(struct smbmount *smp, const char *name, int nmlen, int nameiop)
{
- static const char *badchars = "*/\\:<>;?";
+ static const char *badchars = "*/:<>;?";
static const char *badchars83 = " +|,[]=";
const char *cp;
int i, error;
+ /*
+ * Backslash characters, being a path delimiter, are prohibited
+ * within a path component even for LOOKUP operations.
+ */
+ if (index(name, '\\') != NULL)
+ return ENOENT;
+
if (nameiop == LOOKUP)
return 0;
error = ENOENT;
diff --git a/usr.sbin/ypserv/yp_access.c b/usr.sbin/ypserv/yp_access.c
index b9063092c2cc..30ce7407c6e5 100644
--- a/usr.sbin/ypserv/yp_access.c
+++ b/usr.sbin/ypserv/yp_access.c
@@ -87,12 +87,6 @@ const char *yp_procs[] = {
"ypproc_maplist"
};
-#ifdef TCP_WRAPPER
-void
-load_securenets(void)
-{
-}
-#else
struct securenet {
struct in_addr net;
struct in_addr mask;
@@ -177,7 +171,6 @@ load_securenets(void)
fclose(fp);
}
-#endif
/*
* Access control functions.
@@ -219,11 +212,12 @@ yp_access(const char *map, const struct svc_req *rqstp)
#endif
{
struct sockaddr_in *rqhost;
- int status = 0;
+ int status_securenets = 0;
+#ifdef TCP_WRAPPER
+ int status_tcpwrap;
+#endif
static unsigned long oldaddr = 0;
-#ifndef TCP_WRAPPER
struct securenet *tmp;
-#endif
const char *yp_procedure = NULL;
char procbuf[50];
@@ -274,21 +268,34 @@ not privileged", map, inet_ntoa(rqhost->sin_addr), ntohs(rqhost->sin_port));
}
#ifdef TCP_WRAPPER
- status = hosts_ctl("ypserv", STRING_UNKNOWN,
+ status_tcpwrap = hosts_ctl("ypserv", STRING_UNKNOWN,
inet_ntoa(rqhost->sin_addr), "");
-#else
+#endif
tmp = securenets;
while (tmp) {
if (((rqhost->sin_addr.s_addr & ~tmp->mask.s_addr)
| tmp->net.s_addr) == rqhost->sin_addr.s_addr) {
- status = 1;
+ status_securenets = 1;
break;
}
tmp = tmp->next;
}
-#endif
- if (!status) {
+#ifdef TCP_WRAPPER
+ if (status_securenets == 0 || status_tcpwrap == 0) {
+#else
+ if (status_securenets == 0) {
+#endif
+ /*
+ * One of the following two events occured:
+ *
+ * (1) The /var/yp/securenets exists and the remote host does not
+ * match any of the networks specified in it.
+ * (2) The hosts.allow file has denied access and TCP_WRAPPER is
+ * defined.
+ *
+ * In either case deny access.
+ */
if (rqhost->sin_addr.s_addr != oldaddr) {
yp_error("connect from %s:%d to procedure %s refused",
inet_ntoa(rqhost->sin_addr),