[Pkg-samba-maint] (forw) [Samba-pkg-sec] [Fwd: [SAMBA] GETDC mailslot processing buffer overrun in nmbd]

Steve Langasek vorlon at debian.org
Sat Nov 24 10:49:13 UTC 2007


On Wed, Nov 21, 2007 at 10:02:53PM +0000, Steve Kemp wrote:
> On Sat Nov 17, 2007 at 01:02:39 -0800, Steve Langasek wrote:

> > > FYI, there's a regression reported upstream as a result of the DoS fix

>   :(

> > Updated packages, source+binary signed, are available at
> > <http://people.debian.org/~vorlon/samba/>.  I'll leave it up to the security
> > team to decide whether to accept these immediately, or push out the earlier
> > builds first.

>   Thanks.  I've been expectantly busy this week, so I'd rather
>  release the regression first.  I'll do that ASAP tomorrow morning,
>  then start the buildds too.  Ideally I'll get that out Thursday
>  so the window of breakage isn't too large.

And there's one more regression still present, which was just brought to my
attention.  I've grabbed the fix from upstream and am pushing updated
packages straight to security.debian.org; I don't see any point in the extra
churn of having *three* DSAs for the same issue when we know in advance that
the regression is present.

Debdiff for -6etch7 is attached.  I don't have -3sarge9 done yet, but you
can expect it soon with the same fix.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
-------------- next part --------------
diff -u samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch
--- samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch
+++ samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch
@@ -240,0 +241,17 @@
+diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c
+index 05a5962..058faed 100644
+--- a/source/smbd/sesssetup.c
++++ b/source/smbd/sesssetup.c
+@@ -68,9 +68,9 @@ static int add_signature(char *outbuf, char *p)
+ 
+ 	fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
+ 
+-	p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+-	p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
+-	p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
++	p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++	p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++	p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
+ 
+ 	return PTR_DIFF(p, start);
+ }
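Review bot: the three srvstr_push() calls in add_signature() now pass `BUFFER_SIZE - (p - outbuf)` instead of `-1`, and each expression is only correct if the previous push returned the number of bytes it actually wrote and never moved p past outbuf + BUFFER_SIZE; if a truncated push can return more than the space it was given, the next expression goes negative, or wraps if the length parameter is unsigned. A one-line comment stating the invariant (outbuf is the start of a BUFFER_SIZE reply buffer, p points inside it) and a check such as `SMB_ASSERT(p - outbuf < BUFFER_SIZE)` before the first call would make that explicit. Separately, appending this nested diff to security-CVE-2007-4572_part2.patch means the file no longer matches the upstream CVE patch it is named after and carries no marker of which upstream commit the regression fix came from; a separate patch file, or at least a header line in the appended hunk naming its origin, would keep the provenance auditable.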
diff -u samba-3.0.24/debian/changelog samba-3.0.24/debian/changelog
--- samba-3.0.24/debian/changelog
+++ samba-3.0.24/debian/changelog
@@ -1,3 +1,11 @@
+samba (3.0.24-6etch7) stable-security; urgency=low
+
+  * Fix for one final regression related to the fix for CVE-2007-4572,
+    pulled from upstream.  Thanks to Santiago Garcia Mantinan
+    <manty at debian.org> for catching this.
+
+ -- Steve Langasek <vorlon at debian.org>  Sat, 24 Nov 2007 02:17:06 -0800
+
 samba (3.0.24-6etch6) stable-security; urgency=high
 
   * debian/patches/security-CVE-2007-4572_part2.patch: fix a regression
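Review bot: the new changelog entry does not say what the regression is (which operation broke after -6etch6) or which upstream commit the fix was pulled from, so a user reading the DSA cannot tell whether they are affected; the -6etch6 entry directly below names the patch file it touches, and mirroring that ("debian/patches/security-CVE-2007-4572_part2.patch: ...") plus a one-line symptom would be consistent with it. Also note the urgency drops from high (-6etch6) to low for a follow-up to the same security fix; if that is intentional it is worth stating, otherwise urgency=high matches the previous entry.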

