[Pkg-samba-maint] r1666 - in branches/samba/etch/debian: . patches
vorlon at alioth.debian.org
Mon Dec 10 18:29:57 UTC 2007
Author: vorlon
Date: 2007-12-10 18:29:56 +0000 (Mon, 10 Dec 2007)
New Revision: 1666
Added:
branches/samba/etch/debian/patches/security-CVE-2007-6015.patch
Modified:
branches/samba/etch/debian/changelog
branches/samba/etch/debian/patches/series
Log:
releasing version 3.0.24-6etch9
Modified: branches/samba/etch/debian/changelog
===================================================================
--- branches/samba/etch/debian/changelog 2007-12-10 18:28:44 UTC (rev 1665)
+++ branches/samba/etch/debian/changelog 2007-12-10 18:29:56 UTC (rev 1666)
@@ -1,3 +1,11 @@
+samba (3.0.24-6etch9) stable-security; urgency=high
+
+ * debian/patches/security-CVE-2007-6015.patch: fix a remote code
+ execution vulnerability when running as a domain logon server (PDC or
+ BDC). (CVE-2007-6015)
+
+ -- Steve Langasek <vorlon at debian.org> Mon, 10 Dec 2007 01:32:21 -0800
+
samba (3.0.24-6etch8) stable-security; urgency=low
* Fix for yet another regression in the fix for CVE-2007-4572 due to one
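Review bot: The new changelog entry describes the exposure ("domain logon server (PDC or BDC)") but does not name the component being patched. The patch it references touches source/nmbd/nmbd_packets.c and source/libsmb/clidgram.c, so mentioning nmbd and the send_mailslot() overrun in the entry would let an administrator reading only the changelog tell which daemon needs restarting and match the entry to the upstream commit messages.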
Added: branches/samba/etch/debian/patches/security-CVE-2007-6015.patch
===================================================================
--- branches/samba/etch/debian/patches/security-CVE-2007-6015.patch (rev 0)
+++ branches/samba/etch/debian/patches/security-CVE-2007-6015.patch 2007-12-10 18:29:56 UTC (rev 1666)
@@ -0,0 +1,49 @@
+commit b14aa30006033d9dbaa8120bc419406535d620b8
+Author: Gerald (Jerry) Carter <jerry at samba.org>
+Date: Thu Dec 6 14:46:06 2007 -0600
+
+ Fix from Jeremy for CVE-2007-6015 (send_mailslot() buffer overrun).
+
+ This one fixes cli_send_mailslot() which could be called from the
+ nmbd server code.
+
+diff --git a/source/libsmb/clidgram.c b/source/libsmb/clidgram.c
+index 83ea81d..548ace6 100644
+--- a/source/libsmb/clidgram.c
++++ b/source/libsmb/clidgram.c
+@@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot,
+ /* Setup the smb part. */
+ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
+ memcpy(tmp,ptr,4);
++
++ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
++ DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n"));
++ return False;
++ }
++
+ set_message(ptr,17,strlen(mailslot) + 1 + len,True);
+ memcpy(ptr,tmp,4);
+
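Review bot: The literal 17 in the added bound (17*2) is the same word count passed to set_message(ptr,17,...) directly below it, and the byte count strlen(mailslot) + 1 + len is also written out twice, so the check and the call it guards can drift apart if either is edited later. Computing the word count and byte count once into locals and using them in both the comparison and set_message() would tie the two together. The DEBUG(0, ...) text would also be more useful for triage if it printed the computed size and MAX_DGRAM_SIZE rather than only a fixed string.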
+commit 6a9610ba27f802136f1ca8a94816d552df17a166
+Author: Gerald (Jerry) Carter <jerry at samba.org>
+Date: Thu Dec 6 14:45:13 2007 -0600
+
+ Fix from Volker for CVE-2007-6015 (send_mailslot() buffer overrun).
+
+diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
+index bbcc1ec..1460f7d 100644
+--- a/source/nmbd/nmbd_packets.c
++++ b/source/nmbd/nmbd_packets.c
+@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len,
+ /* Setup the smb part. */
+ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */
+ memcpy(tmp,ptr,4);
++
++ if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) {
++ DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n"));
++ return False;
++ }
++
+ set_message(ptr,17,strlen(mailslot) + 1 + len,True);
+ memcpy(ptr,tmp,4);
+
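Review bot: In the added comparison, len is a caller-supplied size_t that is summed with the other terms before the result is compared with MAX_DGRAM_SIZE, so a sufficiently large len can wrap the unsigned sum and pass the check. Testing against the remaining space instead avoids that: first confirm that smb_size + 17*2 + strlen(mailslot) + 1 does not exceed MAX_DGRAM_SIZE, then return False when len is greater than MAX_DGRAM_SIZE minus that fixed part. The check also sits after ptr -= 4 and the memcpy into tmp; it reads more clearly at the point where the sizes are first known, before any pointer adjustment.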
Modified: branches/samba/etch/debian/patches/series
===================================================================
--- branches/samba/etch/debian/patches/series 2007-12-10 18:28:44 UTC (rev 1665)
+++ branches/samba/etch/debian/patches/series 2007-12-10 18:29:56 UTC (rev 1666)
@@ -28,3 +28,4 @@
security-CVE-2007-4572.patch
security-CVE-2007-5398.patch
security-CVE-2007-4572_part2.patch
+security-CVE-2007-6015.patch