1 files changed, 43 insertions, 0 deletions

diff --git a/package/network/services/samba36/patches/010-patch-cve-2015-5252.patch b/package/network/services/samba36/patches/010-patch-cve-2015-5252.patch
new file mode 100644
index 0000000..8922a6e
--- /dev/null
+++ b/package/network/services/samba36/patches/010-patch-cve-2015-5252.patch
@@ -0,0 +1,43 @@
+From 2e94b6ec10f1d15e24867bab3063bb85f173406a Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 9 Jul 2015 10:58:11 -0700
+Subject: [PATCH] CVE-2015-5252: s3: smbd: Fix symlink verification (file
+ access outside the share).
+
+Ensure matching component ends in '/' or '\0'.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11395
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Volker Lendecke <vl@samba.org>
+---
+ source3/smbd/vfs.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/source3/smbd/vfs.c b/source3/smbd/vfs.c
+index 6c56964..bd93b7f 100644
+--- a/source3/smbd/vfs.c
++++ b/source3/smbd/vfs.c
+@@ -982,6 +982,7 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
+ 	if (!allow_widelinks || !allow_symlinks) {
+ 		const char *conn_rootdir;
+ 		size_t rootdir_len;
++		bool matched;
+ 
+ 		conn_rootdir = SMB_VFS_CONNECTPATH(conn, fname);
+ 		if (conn_rootdir == NULL) {
+@@ -992,8 +993,10 @@ NTSTATUS check_reduced_name(connection_struct *conn, const char *fname)
+ 		}
+ 
+ 		rootdir_len = strlen(conn_rootdir);
+-		if (strncmp(conn_rootdir, resolved_name,
+-				rootdir_len) != 0) {
++		matched = (strncmp(conn_rootdir, resolved_name,
++				rootdir_len) == 0);
++		if (!matched || (resolved_name[rootdir_len] != '/' &&
++				 resolved_name[rootdir_len] != '\0')) {
+ 			DEBUG(2, ("check_reduced_name: Bad access "
+ 				"attempt: %s is a symlink outside the "
+ 				"share path\n", fname));
+-- 
+2.5.0