[Pkg-samba-maint] r1663 - in branches/samba/sarge/debian: . patches

vorlon at alioth.debian.org
Mon Dec 10 18:27:11 UTC 2007


Author: vorlon
Date: 2007-12-10 18:27:11 +0000 (Mon, 10 Dec 2007)
New Revision: 1663

Added:
   branches/samba/sarge/debian/patches/security-CVE-2007-6015.patch
Modified:
   branches/samba/sarge/debian/changelog
Log:
* debian/patches/security-CVE-2007-6015.patch: fix a remote code
  execution vulnerability when running as a domain logon server (PDC or
  BDC).  (CVE-2007-6015)

Modified: branches/samba/sarge/debian/changelog
===================================================================
--- branches/samba/sarge/debian/changelog	2007-12-05 02:52:39 UTC (rev 1662)
+++ branches/samba/sarge/debian/changelog	2007-12-10 18:27:11 UTC (rev 1663)
@@ -1,3 +1,11 @@
+samba (3.0.14a-3sarge11) oldstable-security; urgency=high
+
+  * debian/patches/security-CVE-2007-6015.patch: fix a remote code
+    execution vulnerability when running as a domain logon server (PDC or
+    BDC).  (CVE-2007-6015)
+
+ -- Steve Langasek <vorlon at debian.org>  Mon, 10 Dec 2007 01:52:08 -0800
+
 samba (3.0.14a-3sarge10) oldstable-security; urgency=low
 
   * Fix for yet another regression in the fix for CVE-2007-4572 due to one
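Review bot: the new 3.0.14a-3sarge11 entry states the impact but not what was changed. Naming the two patched functions, send_mailslot() in source/nmbd/nmbd_packets.c and cli_send_mailslot() in source/libsmb/clidgram.c, would let someone auditing this security upload match the changelog to the patch without opening it.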

Added: branches/samba/sarge/debian/patches/security-CVE-2007-6015.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-6015.patch	                        (rev 0)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-6015.patch	2007-12-10 18:27:11 UTC (rev 1663)
@@ -0,0 +1,49 @@
+commit b14aa30006033d9dbaa8120bc419406535d620b8
+Author: Gerald (Jerry) Carter <jerry at samba.org>
+Date:   Thu Dec 6 14:46:06 2007 -0600
+
+    Fix from Jeremy for CVE-2007-6015 (send_mailslot() buffer overrun).
+    
+    This one fixes cli_send_mailslot() which could be called from the
+    nmbd server code.
+
+diff --git a/source/libsmb/clidgram.c b/source/libsmb/clidgram.c
+index 83ea81d..548ace6 100644
+--- a/source/libsmb/clidgram.c
++++ b/source/libsmb/clidgram.c
+@@ -63,6 +62,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
+ 	/* Setup the smb part. */
+ 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
+ 	memcpy(tmp,ptr,4);
++
++	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
++		DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
++		return False;
++	}
++
+ 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
+ 	memcpy(ptr,tmp,4);
+ 
+commit 6a9610ba27f802136f1ca8a94816d552df17a166
+Author: Gerald (Jerry) Carter <jerry at samba.org>
+Date:   Thu Dec 6 14:45:13 2007 -0600
+
+    Fix from Volker for CVE-2007-6015 (send_mailslot() buffer overrun).
+
+diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
+index bbcc1ec..1460f7d 100644
+--- a/source/nmbd/nmbd_packets.c
++++ b/source/nmbd/nmbd_packets.c
+@@ -1888,6 +1888,12 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
+ 	/* Setup the smb part. */
+ 	ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
+ 	memcpy(tmp,ptr,4);
++
++	if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
++		DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
++		return False;
++	}
++
+ 	set_message(ptr,17,strlen(mailslot) + 1 + len,True);
+ 	memcpy(ptr,tmp,4);
+ 
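Review bot: in both added checks (cli_send_mailslot() in clidgram.c and send_mailslot() in nmbd_packets.c) the left-hand side `smb_size + 17*2 + strlen(mailslot) + 1 + len` is a sum that includes the caller-supplied len, which is size_t in send_mailslot() (its type in cli_send_mailslot() is not visible in the hunk header), so a sufficiently large len can wrap the sum to a small value and pass the `> MAX_DGRAM_SIZE` test. Comparing by subtraction avoids that: reject the fixed part first if it exceeds the limit, then test `len > MAX_DGRAM_SIZE - (smb_size + 17*2 + strlen(mailslot) + 1)`. The literal 17 is the same word count passed to set_message() right after the check, so a named constant, or one helper shared by both files, would keep the bound and the write from drifting apart. The embedded clidgram.c hunk header reads `-63,6 +62,12`, a new-side start lower than the old-side start for an addition-only hunk, which suggests the patch was trimmed from a larger diff; it is worth confirming that it applies cleanly to the 3.0.14a source. Both functions now return False on oversize input, so their callers should be checked for handling that result.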