* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 2c8de1c98a91f7afeafa575f040c1d76af502f7c
@ 2026-05-20 15:21 Michael Tremer
0 siblings, 0 replies; only message in thread
From: Michael Tremer @ 2026-05-20 15:21 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 2c8de1c98a91f7afeafa575f040c1d76af502f7c (commit)
via bdcb1ace56946b1fec877c93c7502c75e14239eb (commit)
via 721406a500dae6371d2040711b69b9e8dcfb2f3d (commit)
via d91d4d3a251c2fa0d488137ffd524e2bc21ae7e6 (commit)
via b1b83979b7839c374c98ddfb2fc9412c2a8774ee (commit)
via 3bdac5995e4d2b9f1424e2df2b2b075915fa8b4c (commit)
via 6d3a3709d4766a98ffc6379ebf5b13a6627a9387 (commit)
via 0a634bf539610d9aa6e4e974c65bec853116c5f1 (commit)
via 9c65846ad50851ee6de91b1ddf47d662a4390183 (commit)
via da1960a8f38d1a1d1ae5855703b8f60432389f1e (commit)
via 1f2ea92214879acc6292dfcdbb103e3210eed4cc (commit)
from 3e87dd46609182c5d4e3e8828e4b938c31169cf6 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 2c8de1c98a91f7afeafa575f040c1d76af502f7c
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 16:17:32 2026 +0100
core203: Ship header.pl
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit bdcb1ace56946b1fec877c93c7502c75e14239eb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 16:15:44 2026 +0100
sambactrl: Fix local priviledge escalation
From the reporter:
LPE in /usr/local/bin/sambactrl 'join' action
File: src/misc-progs/sambactrl.c, lines 117-126.
All other actions call is_valid_argument_alnum() on argv[2]. The
'join' branch skips it entirely and feeds argv[2]/argv[3] into
snprintf + safe_system (which is /bin/sh -c). Binary is installed
-m 4750 -g nobody (src/misc-progs/Makefile:41), so any nobody-context
process can invoke it and escalate to root.
Reported-by: valent1 <gooads612@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 721406a500dae6371d2040711b69b9e8dcfb2f3d
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 16:04:25 2026 +0100
samba: Fix shell command execution vulnerability in join operation
From the reporter:
File: html/cgi-bin/samba.cgi, lines 96-98 and 790-798.
joindomain() builds @options = ("/usr/local/bin/sambactrl","join",
$username, $password) and runs qx(@options). In Perl, qx(@array)
joins with $" and passes the result to /bin/sh -c. POST parameters
USERNAME and PASSWORD reach this with no validation on the 'join'
code path. RCE as the web user (nobody).
Reported-by: valent1 <gooads612@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d91d4d3a251c2fa0d488137ffd524e2bc21ae7e6
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 16:00:33 2026 +0100
header.pl: Escape titles for openbox()
Reported-by: valent1 <gooads612@gmail.com>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit b1b83979b7839c374c98ddfb2fc9412c2a8774ee
Merge: 3e87dd466 3bdac5995
Author: Michael Tremer <michael.tremer@ipfire.org>
Date: Wed May 20 15:20:34 2026 +0000
Merge remote-tracking branch 'origin/master' into next
-----------------------------------------------------------------------
Summary of changes:
config/backup/backup.pl | 8 ++++++++
config/cfgroot/header.pl | 3 ++-
config/etc/logrotate.conf | 8 +++++---
config/rootfiles/common/suricata | 2 ++
config/rootfiles/core/203/filelists/files | 1 +
config/rootfiles/oldcore/202/filelists/files | 1 +
html/cgi-bin/ovpnmain.cgi | 2 +-
html/cgi-bin/samba.cgi | 8 +++++---
lfs/suricata | 4 ++--
src/misc-progs/sambactrl.c | 21 ++++++++++++++++++---
10 files changed, 45 insertions(+), 13 deletions(-)
Difference in files:
diff --git a/config/backup/backup.pl b/config/backup/backup.pl
index 9a54b50d3..8dd77b3ee 100644
--- a/config/backup/backup.pl
+++ b/config/backup/backup.pl
@@ -108,6 +108,14 @@ restore_backup() {
-s /bin/false \
-u 52 dhcpcd
+ # create unbound user
+ groupadd -g 103 unbound
+ useradd -c 'unbound User' \
+ -d /var/empty \
+ -g unbound \
+ -s /bin/false \
+ -u 103 unbound
+
# Run converters
# Outgoing Firewall
diff --git a/config/cfgroot/header.pl b/config/cfgroot/header.pl
index 6e65f4137..a1a39bb4e 100644
--- a/config/cfgroot/header.pl
+++ b/config/cfgroot/header.pl
@@ -336,7 +336,8 @@ sub openbox {
my $width = shift;
my $align = shift;
- my $title = shift;
+ # Escale the title
+ my $title = &Header::escape(shift);
my @classes = ("section", "is-box", @_);
diff --git a/config/etc/logrotate.conf b/config/etc/logrotate.conf
index 2f79de933..c5f9883c7 100644
--- a/config/etc/logrotate.conf
+++ b/config/etc/logrotate.conf
@@ -29,12 +29,14 @@ include /etc/logrotate.d
}
/var/log/suricata/*.log {
- daily
+ weekly
copytruncate
- notifempty
+ compress
+ ifempty
missingok
- sharedscripts
postrotate
+ /bin/find /var/log/suricata -path '/var/log/suricata/[0-9]*' -prune -exec /bin/rm -rf {} \;
+ /bin/find /var/log/suricata -name 'fast.log.*' -mtime +28 -exec /bin/rm -rf {} \;
/bin/kill -HUP `cat /var/run/suricata.pid 2> /dev/null` 2> /dev/null || true
endscript
}
diff --git a/config/rootfiles/common/suricata b/config/rootfiles/common/suricata
index 2d77b74a9..8b6b21cf7 100644
--- a/config/rootfiles/common/suricata
+++ b/config/rootfiles/common/suricata
@@ -23,6 +23,7 @@ usr/share/suricata
#usr/share/suricata/reference.config
#usr/share/suricata/rules
#usr/share/suricata/rules/app-layer-events.rules
+#usr/share/suricata/rules/bittorrent-events.rules
#usr/share/suricata/rules/decoder-events.rules
#usr/share/suricata/rules/dhcp-events.rules
#usr/share/suricata/rules/dnp3-events.rules
@@ -46,6 +47,7 @@ usr/share/suricata
#usr/share/suricata/rules/rfb-events.rules
#usr/share/suricata/rules/smb-events.rules
#usr/share/suricata/rules/smtp-events.rules
+#usr/share/suricata/rules/snmp-events.rules
#usr/share/suricata/rules/ssh-events.rules
#usr/share/suricata/rules/stream-events.rules
#usr/share/suricata/rules/tls-events.rules
diff --git a/config/rootfiles/core/203/filelists/files b/config/rootfiles/core/203/filelists/files
index 41dded32e..4df3e2d0e 100644
--- a/config/rootfiles/core/203/filelists/files
+++ b/config/rootfiles/core/203/filelists/files
@@ -1 +1,2 @@
etc/rc.d/helper/aws-setup
+var/ipfire/header.pl
diff --git a/config/rootfiles/oldcore/202/filelists/files b/config/rootfiles/oldcore/202/filelists/files
index 93b6ac948..47b2a5a0b 100644
--- a/config/rootfiles/oldcore/202/filelists/files
+++ b/config/rootfiles/oldcore/202/filelists/files
@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/proxy.cgi
srv/web/ipfire/cgi-bin/services.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/lib/firewall/rules.pl
+var/ipfire/backup/bin/backup.pl
var/ipfire/backup/include
var/ipfire/dns/dnsbl.json
var/ipfire/general-functions.pl
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index ab91eec57..4e3cc7f50 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -3187,7 +3187,7 @@ END
$users[$uid]{'BytesSent'} = &General::formatBytes($match[4]);
$users[$uid]{'Since'} = $match[5];
- my $address = (split ':', $users[$uid]{'RealAddress'})[0];
+ my $address = (split ':', $users[$uid]{'RealAddress'})[1];
$users[$uid]{'RealAddress'} = $address;
$users[$uid]{'Country'} = &Location::Functions::lookup_country_code($address);
$uid++;
diff --git a/html/cgi-bin/samba.cgi b/html/cgi-bin/samba.cgi
index 5a23bf044..f3b092da8 100644
--- a/html/cgi-bin/samba.cgi
+++ b/html/cgi-bin/samba.cgi
@@ -791,8 +791,10 @@ sub joindomain {
my $username = shift;
my $password = shift;
- my @options = ("/usr/local/bin/sambactrl", "join", $username, $password);
- my $output = qx(@options);
+ my @output = &General::system_output(
+ "/usr/local/bin/sambactrl", "join", $username, $password,
+ );
- return $output;
+ # Join together the output
+ return join("\n", @output);
}
diff --git a/lfs/suricata b/lfs/suricata
index 6ef15b468..992128d9d 100644
--- a/lfs/suricata
+++ b/lfs/suricata
@@ -24,7 +24,7 @@
include Config
-VER = 8.0.4
+VER = 8.0.5
THISAPP = suricata-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = a6c1958d82bb8c288c8d551d99851d19a89073397bda38bc90907950d17c35e40eb4845e9a88913bafc5c56bdad8c026e0fb665c494b102861c2b8f210c72d7f
+$(DL_FILE)_BLAKE2 = b8250ecfa2658e780624eaf2812c8bb758602efce8bce2b216efa8338544c2df4c4909cc23a8ddeca5889cc26b7cc147f3d19646b6894c7d259b13b5c056c91e
install : $(TARGET)
diff --git a/src/misc-progs/sambactrl.c b/src/misc-progs/sambactrl.c
index 38c26089c..11b0b4e01 100644
--- a/src/misc-progs/sambactrl.c
+++ b/src/misc-progs/sambactrl.c
@@ -11,6 +11,9 @@
char command[BUFFER_SIZE];
int main(int argc, char *argv[]) {
+ char who[BUFFER_SIZE];
+ int r;
+
if (!(initsetuid()))
exit(1);
@@ -116,9 +119,21 @@ int main(int argc, char *argv[]) {
} else if (strcmp(argv[1], "join") == 0) {
if (argc == 4) {
- snprintf(command, BUFFER_SIZE - 1, "/usr/bin/net join -U \"%s%%%s\"",
- argv[2], argv[3]);
- return safe_system(command);
+ // Format who is joining
+ r = snprintf(who, sizeof(who), "%s%%%s", argv[2], argv[3]);
+ if (r < 0)
+ return r;
+
+ // Compose command line
+ char* args[] = {
+ "join",
+ "-U",
+ who,
+ NULL,
+ };
+
+ // Run the operation
+ return run("/usr/bin/net", args);
} else {
fprintf(stderr, "Wrong number of arguments. Need username and password.\n");
return 1;
hooks/post-receive
--
IPFire 2.x development tree
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2026-05-20 15:21 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-20 15:21 [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 2c8de1c98a91f7afeafa575f040c1d76af502f7c Michael Tremer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox