[Pkg-samba-maint] r1438 - in branches/samba/sarge: . patches
Sat Jun 2 10:14:51 UTC 2007
Author: bubulle
Date: 2007-06-02 10:14:51 +0000 (Sat, 02 Jun 2007)
New Revision: 1438
Added:
branches/samba/sarge/patches/sarge-CVE-2007-2446.patch
branches/samba/sarge/patches/sarge-CVE-2007-2447.patch
Modified:
branches/samba/sarge/changelog
Log:
Release 3.0.14a-3sarge6
Modified: branches/samba/sarge/changelog
===================================================================
--- branches/samba/sarge/changelog 2007-05-31 19:10:58 UTC (rev 1437)
+++ branches/samba/sarge/changelog 2007-06-02 10:14:51 UTC (rev 1438)
@@ -1,9 +1,17 @@
+samba (3.0.14a-3sarge6) oldstable-security; urgency=high
+
+ * Fix typo in patch for CVE-2007-2447 that would cause segfaults
+ when performing string comparisons.
+
+ -- Noah Meyerhans <noahm at debian.org> Mon, 14 May 2007 11:06:08 -0400
+
samba (3.0.14a-3sarge5) oldstable-security; urgency=high
- * Fix heap overflow in NDR parsing code. (CVE-2007-2446)
- * Fix lack of proper escaping of arguments to /bin/sh (CVE-2007-2447)
+ * Non-maintainer upload by the Security Team
+ * Fix heap overflow in NDR parsing code. (CVE-2007-2446)
+ * Fix lack of proper escaping of arguments to /bin/sh (CVE-2007-2447)
- -- Christian Perrier <bubulle at debian.org> Fri, 11 May 2007 20:24:27 +0200
+ -- Noah Meyerhans <noahm at debian.org> Fri, 11 May 2007 12:18:20 -0400
samba (3.0.14a-3sarge4) stable-security; urgency=high
Added: branches/samba/sarge/patches/sarge-CVE-2007-2446.patch
===================================================================
--- branches/samba/sarge/patches/sarge-CVE-2007-2446.patch (rev 0)
+++ branches/samba/sarge/patches/sarge-CVE-2007-2446.patch 2007-06-02 10:14:51 UTC (rev 1438)
@@ -0,0 +1,97 @@
+diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_lsa.c samba-3.0.14a/source/rpc_parse/parse_lsa.c
+--- samba-3.0.14a.unch/source/rpc_parse/parse_lsa.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/rpc_parse/parse_lsa.c 2007-05-11 12:15:38.000000000 -0400
+@@ -962,12 +962,17 @@
+ &trn->num_entries2))
+ return False;
+
++ if (trn->num_entries2 != trn->num_entries) {
++ /* RPC fault */
++ return False;
++ }
++
+ if (UNMARSHALLING(ps)) {
+- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
++ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
+ return False;
+ }
+
+- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
++ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
+ return False;
+ }
+ }
+@@ -1818,7 +1823,7 @@
+
+ static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *r_c, prs_struct *ps, int depth)
+ {
+- uint32 i;
++ uint32 i, dummy;
+
+ prs_debug(ps, depth, desc, "lsa_io_privilege_set");
+ depth++;
+@@ -1826,7 +1831,7 @@
+ if(!prs_align(ps))
+ return False;
+
+- if(!prs_uint32("count", ps, depth, &r_c->count))
++ if(!prs_uint32("count", ps, depth, &dummy))
+ return False;
+ if(!prs_uint32("control", ps, depth, &r_c->control))
+ return False;
+diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_prs.c samba-3.0.14a/source/rpc_parse/parse_prs.c
+--- samba-3.0.14a.unch/source/rpc_parse/parse_prs.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/rpc_parse/parse_prs.c 2007-05-11 12:15:38.000000000 -0400
+@@ -151,7 +151,7 @@
+ {
+ char *ret = NULL;
+
+- if (size) {
++ if (size && count) {
+ /* We can't call the type-safe version here. */
+ #if defined(PARANOID_MALLOC_CHECKER)
+ ret = talloc_zero_array_(ps->mem_ctx, size, count);
+diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_sec.c samba-3.0.14a/source/rpc_parse/parse_sec.c
+--- samba-3.0.14a.unch/source/rpc_parse/parse_sec.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/rpc_parse/parse_sec.c 2007-05-11 12:16:29.000000000 -0400
+@@ -122,7 +122,7 @@
+ for you as it reads them.
+ ********************************************************************/
+
+-BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
++static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
+ {
+ unsigned int i;
+ uint32 old_offset;
+@@ -165,13 +165,11 @@
+ return False;
+
+ if (UNMARSHALLING(ps)) {
+- /*
+- * Even if the num_aces is zero, allocate memory as there's a difference
+- * between a non-present DACL (allow all access) and a DACL with no ACE's
+- * (allow no access).
+- */
+- if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
+- return False;
++ if (psa->num_aces) {
++ if((psa->ace =
++ PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
++ return False;
++ }
+ }
+
+ for (i = 0; i < psa->num_aces; i++) {
+diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_spoolss.c samba-3.0.14a/source/rpc_parse/parse_spoolss.c
+--- samba-3.0.14a.unch/source/rpc_parse/parse_spoolss.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/rpc_parse/parse_spoolss.c 2007-05-11 12:15:38.000000000 -0400
+@@ -245,6 +245,9 @@
+
+ if (type->count2 != type->count)
+ DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
++ if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
++ return False;
++ }
+
+ /* parse the option type data */
+ for(i=0;i<type->count2;i++)
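Review bot: The two `PRS_ALLOC_MEM` calls in the parse_lsa.c hunk (`@@ -962,12 +962,17 @@`) stay unconditional, yet the parse_prs.c change in this same patch makes `PRS_ALLOC_MEM` return NULL whenever `count` is zero, so a message with `num_entries2 == 0` — which passes the new equality check — is now rejected as an allocation failure instead of being parsed as an empty name list. The parse_sec.c hunk handles the identical situation with `if (psa->num_aces) { ... }`; the lsa code should do the same, wrapping both allocations inside the `UNMARSHALLING(ps)` branch in `if (trn->num_entries2) { ... }`. The enclosing function begins outside the hunk, so I cannot see whether later code dereferences `trn->name` or `trn->uni_name` without checking the count; if it does, that is a second reason for the guard. In `lsa_io_privilege_set` the wire value is read into `dummy` and `r_c->count` is left as the caller set it, which deserves a one-line comment such as `/* Read but ignore the wire count; r_c->count stays as supplied by the caller. */` so the next maintainer does not "fix" it back.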
Added: branches/samba/sarge/patches/sarge-CVE-2007-2447.patch
===================================================================
--- branches/samba/sarge/patches/sarge-CVE-2007-2447.patch (rev 0)
+++ branches/samba/sarge/patches/sarge-CVE-2007-2447.patch 2007-06-02 10:14:51 UTC (rev 1438)
@@ -0,0 +1,252 @@
+diff -ur samba-3.0.14a.unch/source/lib/charcnv.c samba-3.0.14a/source/lib/charcnv.c
+--- samba-3.0.14a.unch/source/lib/charcnv.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/lib/charcnv.c 2007-05-11 10:29:58.000000000 -0400
+@@ -1376,5 +1376,5 @@
+ /* We're hosed - we don't know how big this is... */
+ DEBUG(10,("next_mb_char_size: unknown size at string %s\n", s));
+ conv_silent = False;
+- return 1;
++ return (size_t)-1;
+ }
+diff -ur samba-3.0.14a.unch/source/lib/smbrun.c samba-3.0.14a/source/lib/smbrun.c
+--- samba-3.0.14a.unch/source/lib/smbrun.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/lib/smbrun.c 2007-05-11 10:38:53.000000000 -0400
+@@ -55,7 +55,7 @@
+ outfd (or discard it if outfd is NULL).
+ ****************************************************************************/
+
+-int smbrun(char *cmd, int *outfd)
++int smbrun_internal(char *cmd, int *outfd, BOOL sanitize)
+ {
+ pid_t pid;
+ uid_t uid = current_user.uid;
+@@ -172,13 +172,36 @@
+ }
+ #endif
+
+- execl("/bin/sh","sh","-c",cmd,NULL);
++ {
++ const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
++ if (!newcmd) {
++ exit(82);
++ }
++ execl("/bin/sh","sh","-c",newcmd,NULL);
++ }
+
+ /* not reached */
+- exit(82);
++ exit(83);
+ return 1;
+ }
+
++/****************************************************************************
++ Use only in known safe shell calls (printing).
++****************************************************************************/
++
++int smbrun_no_sanitize(const char *cmd, int *outfd)
++{
++ return smbrun_internal(cmd, outfd, False);
++}
++
++/****************************************************************************
++ By default this now sanitizes shell expansion.
++****************************************************************************/
++
++int smbrun(const char *cmd, int *outfd)
++{
++ return smbrun_internal(cmd, outfd, True);
++}
+
+ /****************************************************************************
+ run a command being careful about uid/gid handling and putting the output in
+@@ -294,7 +317,7 @@
+ #endif
+
+ execl("/bin/sh", "sh", "-c", cmd, NULL);
+-
++
+ /* not reached */
+ exit(82);
+ return 1;
+diff -ur samba-3.0.14a.unch/source/lib/util_str.c samba-3.0.14a/source/lib/util_str.c
+--- samba-3.0.14a.unch/source/lib/util_str.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/lib/util_str.c 2007-05-11 10:34:18.000000000 -0400
+@@ -2114,3 +2114,166 @@
+ *num += 1;
+ return True;
+ }
++
++
++/*******************************************************************
++ Add a shell escape character '\' to any character not in a known list
++ of characters. UNIX charset format.
++*******************************************************************/
++
++#define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
++#define INSIDE_DQUOTE_LIST "$`\n\"\\"
++
++char *escape_shell_string(const char *src)
++{
++ size_t srclen = strlen(src);
++ char *ret = SMB_MALLOC((srclen * 2) + 1);
++ char *dest = ret;
++ BOOL in_s_quote = False;
++ BOOL in_d_quote = False;
++ BOOL next_escaped = False;
++
++ if (!ret) {
++ return NULL;
++ }
++
++ while (*src) {
++ size_t c_size = next_mb_char_size(src);
++
++ if (c_size == (size_t)-1) {
++ SAFE_FREE(ret);
++ return NULL;
++ }
++
++ if (c_size > 1) {
++ memcpy(dest, src, c_size);
++ src += c_size;
++ dest += c_size;
++ next_escaped = False;
++ continue;
++ }
++
++ /*
++ * Deal with backslash escaped state.
++ * This only lasts for one character.
++ */
++
++ if (next_escaped) {
++ *dest++ = *src++;
++ next_escaped = False;
++ continue;
++ }
++
++ /*
++ * Deal with single quote state. The
++ * only thing we care about is exiting
++ * this state.
++ */
++
++ if (in_s_quote) {
++ if (*src == '\'') {
++ in_s_quote = False;
++ }
++ *dest++ = *src++;
++ continue;
++ }
++
++ /*
++ * Deal with double quote state. The most
++ * complex state. We must cope with \, meaning
++ * possibly escape next char (depending what it
++ * is), ", meaning exit this state, and possibly
++ * add an \ escape to any unprotected character
++ * (listed in INSIDE_DQUOTE_LIST).
++ */
++
++ if (in_d_quote) {
++ if (*src == '\\') {
++ /*
++ * Next character might be escaped.
++ * We have to peek. Inside double
++ * quotes only INSIDE_DQUOTE_LIST
++ * characters are escaped by a \.
++ */
++
++ char nextchar;
++
++ c_size = next_mb_char_size(&src[1]);
++ if (c_size == (size_t)-1) {
++ SAFE_FREE(ret);
++ return NULL;
++ }
++ if (c_size > 1) {
++ /*
++ * Don't escape the next char.
++ * Just copy the \.
++ */
++ *dest++ = *src++;
++ continue;
++ }
++
++ nextchar = src[1];
++
++ if (nextchar && strchr(INSIDE_DQUOTE_LIST, (int)nextchar)) {
++ next_escaped = True;
++ }
++ *dest++ = *src++;
++ continue;
++ }
++
++ if (*src == '\"') {
++ /* Exit double quote state. */
++ in_d_quote = False;
++ *dest++ = *src++;
++ continue;
++ }
++
++ /*
++ * We know the character isn't \ or ",
++ * so escape it if it's any of the other
++ * possible unprotected characters.
++ */
++
++ if (strchr(INSIDE_DQUOTE_LIST, (int)*src)) {
++ *dest++ = '\\';
++ }
++ *dest++ = *src++;
++ continue;
++ }
++
++ /*
++ * From here to the end of the loop we're
++ * not in the single or double quote state.
++ */
++
++ if (*src == '\\') {
++ /* Next character must be escaped. */
++ next_escaped = True;
++ *dest++ = *src++;
++ continue;
++ }
++
++ if (*src == '\'') {
++ /* Go into single quote state. */
++ in_s_quote = True;
++ *dest++ = *src++;
++ continue;
++ }
++
++ if (*src == '\"') {
++ /* Go into double quote state. */
++ in_d_quote = True;
++ *dest++ = *src++;
++ continue;
++ }
++
++ /* Check if we need to escape the character. */
++
++ if (!strchr(INCLUDE_LIST, (int)*src)) {
++ *dest++ = '\\';
++ }
++ *dest++ = *src++;
++ }
++ *dest++ = '\0';
++ return ret;
++}
+diff -ur samba-3.0.14a.unch/source/printing/print_generic.c samba-3.0.14a/source/printing/print_generic.c
+--- samba-3.0.14a.unch/source/printing/print_generic.c 2007-05-11 10:29:20.000000000 -0400
++++ samba-3.0.14a/source/printing/print_generic.c 2007-05-11 10:29:58.000000000 -0400
+@@ -57,7 +57,7 @@
+ if ( do_sub && snum != -1 )
+ standard_sub_snum(snum,syscmd,sizeof(syscmd));
+
+- ret = smbrun(syscmd,outfd);
++ ret = smbrun_no_sanitize(syscmd,outfd);
+
+ DEBUG(3,("Running the command `%s' gave %d\n",syscmd,ret));
+