[Pkg-samba-maint] r1565 - branches/samba/sarge/debian/patches
vorlon at alioth.debian.org
vorlon at alioth.debian.org
Wed Nov 14 00:11:51 UTC 2007
Author: vorlon
Date: 2007-11-14 00:11:51 +0000 (Wed, 14 Nov 2007)
New Revision: 1565
Removed:
branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch
branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch
Log:
remove duplicate patches; these names would be more consistent with the other
patch names in the tree, but don't match what the Security Team actually
uploaded, so...
Deleted: branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch 2007-11-13 23:33:54 UTC (rev 1564)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch 2007-11-14 00:11:51 UTC (rev 1565)
@@ -1,97 +0,0 @@
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_lsa.c samba-3.0.14a/source/rpc_parse/parse_lsa.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_lsa.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_lsa.c 2007-05-11 12:15:38.000000000 -0400
-@@ -962,12 +962,17 @@
- &trn->num_entries2))
- return False;
-
-+ if (trn->num_entries2 != trn->num_entries) {
-+ /* RPC fault */
-+ return False;
-+ }
-+
- if (UNMARSHALLING(ps)) {
-- if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
-+ if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
- return False;
- }
-
-- if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
-+ if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
- return False;
- }
- }
-@@ -1818,7 +1823,7 @@
-
- static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *r_c, prs_struct *ps, int depth)
- {
-- uint32 i;
-+ uint32 i, dummy;
-
- prs_debug(ps, depth, desc, "lsa_io_privilege_set");
- depth++;
-@@ -1826,7 +1831,7 @@
- if(!prs_align(ps))
- return False;
-
-- if(!prs_uint32("count", ps, depth, &r_c->count))
-+ if(!prs_uint32("count", ps, depth, &dummy))
- return False;
- if(!prs_uint32("control", ps, depth, &r_c->control))
- return False;
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_prs.c samba-3.0.14a/source/rpc_parse/parse_prs.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_prs.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_prs.c 2007-05-11 12:15:38.000000000 -0400
-@@ -151,7 +151,7 @@
- {
- char *ret = NULL;
-
-- if (size) {
-+ if (size && count) {
- /* We can't call the type-safe version here. */
- #if defined(PARANOID_MALLOC_CHECKER)
- ret = talloc_zero_array_(ps->mem_ctx, size, count);
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_sec.c samba-3.0.14a/source/rpc_parse/parse_sec.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_sec.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_sec.c 2007-05-11 12:16:29.000000000 -0400
-@@ -122,7 +122,7 @@
- for you as it reads them.
- ********************************************************************/
-
--BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
-+static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
- {
- unsigned int i;
- uint32 old_offset;
-@@ -165,13 +165,11 @@
- return False;
-
- if (UNMARSHALLING(ps)) {
-- /*
-- * Even if the num_aces is zero, allocate memory as there's a difference
-- * between a non-present DACL (allow all access) and a DACL with no ACE's
-- * (allow no access).
-- */
-- if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
-- return False;
-+ if (psa->num_aces) {
-+ if((psa->ace =
-+ PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
-+ return False;
-+ }
- }
-
- for (i = 0; i < psa->num_aces; i++) {
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_spoolss.c samba-3.0.14a/source/rpc_parse/parse_spoolss.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_spoolss.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_spoolss.c 2007-05-11 12:15:38.000000000 -0400
-@@ -245,6 +245,9 @@
-
- if (type->count2 != type->count)
- DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
-+ if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
-+ return False;
-+ }
-
- /* parse the option type data */
- for(i=0;i<type->count2;i++)
Deleted: branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch 2007-11-13 23:33:54 UTC (rev 1564)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch 2007-11-14 00:11:51 UTC (rev 1565)
@@ -1,252 +0,0 @@
-diff -ur samba-3.0.14a.unch/source/lib/charcnv.c samba-3.0.14a/source/lib/charcnv.c
---- samba-3.0.14a.unch/source/lib/charcnv.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/lib/charcnv.c 2007-05-11 10:29:58.000000000 -0400
-@@ -1376,5 +1376,5 @@
- /* We're hosed - we don't know how big this is... */
- DEBUG(10,("next_mb_char_size: unknown size at string %s\n", s));
- conv_silent = False;
-- return 1;
-+ return (size_t)-1;
- }
-diff -ur samba-3.0.14a.unch/source/lib/smbrun.c samba-3.0.14a/source/lib/smbrun.c
---- samba-3.0.14a.unch/source/lib/smbrun.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/lib/smbrun.c 2007-05-11 10:38:53.000000000 -0400
-@@ -55,7 +55,7 @@
- outfd (or discard it if outfd is NULL).
- ****************************************************************************/
-
--int smbrun(char *cmd, int *outfd)
-+int smbrun_internal(char *cmd, int *outfd, BOOL sanitize)
- {
- pid_t pid;
- uid_t uid = current_user.uid;
-@@ -172,13 +172,36 @@
- }
- #endif
-
-- execl("/bin/sh","sh","-c",cmd,NULL);
-+ {
-+ const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
-+ if (!newcmd) {
-+ exit(82);
-+ }
-+ execl("/bin/sh","sh","-c",newcmd,NULL);
-+ }
-
- /* not reached */
-- exit(82);
-+ exit(83);
- return 1;
- }
-
-+/****************************************************************************
-+ Use only in known safe shell calls (printing).
-+****************************************************************************/
-+
-+int smbrun_no_sanitize(const char *cmd, int *outfd)
-+{
-+ return smbrun_internal(cmd, outfd, False);
-+}
-+
-+/****************************************************************************
-+ By default this now sanitizes shell expansion.
-+****************************************************************************/
-+
-+int smbrun(const char *cmd, int *outfd)
-+{
-+ return smbrun_internal(cmd, outfd, True);
-+}
-
- /****************************************************************************
- run a command being careful about uid/gid handling and putting the output in
-@@ -294,7 +317,7 @@
- #endif
-
- execl("/bin/sh", "sh", "-c", cmd, NULL);
--
-+
- /* not reached */
- exit(82);
- return 1;
-diff -ur samba-3.0.14a.unch/source/lib/util_str.c samba-3.0.14a/source/lib/util_str.c
---- samba-3.0.14a.unch/source/lib/util_str.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/lib/util_str.c 2007-05-11 10:34:18.000000000 -0400
-@@ -2114,3 +2114,166 @@
- *num += 1;
- return True;
- }
-+
-+
-+/*******************************************************************
-+ Add a shell escape character '\' to any character not in a known list
-+ of characters. UNIX charset format.
-+*******************************************************************/
-+
-+#define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
-+#define INSIDE_DQUOTE_LIST "$`\n\"\\"
-+
-+char *escape_shell_string(const char *src)
-+{
-+ size_t srclen = strlen(src);
-+ char *ret = SMB_MALLOC((srclen * 2) + 1);
-+ char *dest = ret;
-+ BOOL in_s_quote = False;
-+ BOOL in_d_quote = False;
-+ BOOL next_escaped = False;
-+
-+ if (!ret) {
-+ return NULL;
-+ }
-+
-+ while (*src) {
-+ size_t c_size = next_mb_char_size(src);
-+
-+ if (c_size == (size_t)-1) {
-+ SAFE_FREE(ret);
-+ return NULL;
-+ }
-+
-+ if (c_size > 1) {
-+ memcpy(dest, src, c_size);
-+ src += c_size;
-+ dest += c_size;
-+ next_escaped = False;
-+ continue;
-+ }
-+
-+ /*
-+ * Deal with backslash escaped state.
-+ * This only lasts for one character.
-+ */
-+
-+ if (next_escaped) {
-+ *dest++ = *src++;
-+ next_escaped = False;
-+ continue;
-+ }
-+
-+ /*
-+ * Deal with single quote state. The
-+ * only thing we care about is exiting
-+ * this state.
-+ */
-+
-+ if (in_s_quote) {
-+ if (*src == '\'') {
-+ in_s_quote = False;
-+ }
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ /*
-+ * Deal with double quote state. The most
-+ * complex state. We must cope with \, meaning
-+ * possibly escape next char (depending what it
-+ * is), ", meaning exit this state, and possibly
-+ * add an \ escape to any unprotected character
-+ * (listed in INSIDE_DQUOTE_LIST).
-+ */
-+
-+ if (in_d_quote) {
-+ if (*src == '\\') {
-+ /*
-+ * Next character might be escaped.
-+ * We have to peek. Inside double
-+ * quotes only INSIDE_DQUOTE_LIST
-+ * characters are escaped by a \.
-+ */
-+
-+ char nextchar;
-+
-+ c_size = next_mb_char_size(&src[1]);
-+ if (c_size == (size_t)-1) {
-+ SAFE_FREE(ret);
-+ return NULL;
-+ }
-+ if (c_size > 1) {
-+ /*
-+ * Don't escape the next char.
-+ * Just copy the \.
-+ */
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ nextchar = src[1];
-+
-+ if (nextchar && strchr(INSIDE_DQUOTE_LIST, (int)nextchar)) {
-+ next_escaped = True;
-+ }
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ if (*src == '\"') {
-+ /* Exit double quote state. */
-+ in_d_quote = False;
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ /*
-+ * We know the character isn't \ or ",
-+ * so escape it if it's any of the other
-+ * possible unprotected characters.
-+ */
-+
-+ if (strchr(INSIDE_DQUOTE_LIST, (int)*src)) {
-+ *dest++ = '\\';
-+ }
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ /*
-+ * From here to the end of the loop we're
-+ * not in the single or double quote state.
-+ */
-+
-+ if (*src == '\\') {
-+ /* Next character must be escaped. */
-+ next_escaped = True;
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ if (*src == '\'') {
-+ /* Go into single quote state. */
-+ in_s_quote = True;
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ if (*src == '\"') {
-+ /* Go into double quote state. */
-+ in_d_quote = True;
-+ *dest++ = *src++;
-+ continue;
-+ }
-+
-+ /* Check if we need to escape the character. */
-+
-+ if (!strchr(INCLUDE_LIST, (int)*src)) {
-+ *dest++ = '\\';
-+ }
-+ *dest++ = *src++;
-+ }
-+ *dest++ = '\0';
-+ return ret;
-+}
-diff -ur samba-3.0.14a.unch/source/printing/print_generic.c samba-3.0.14a/source/printing/print_generic.c
---- samba-3.0.14a.unch/source/printing/print_generic.c 2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/printing/print_generic.c 2007-05-11 10:29:58.000000000 -0400
-@@ -57,7 +57,7 @@
- if ( do_sub && snum != -1 )
- standard_sub_snum(snum,syscmd,sizeof(syscmd));
-
-- ret = smbrun(syscmd,outfd);
-+ ret = smbrun_no_sanitize(syscmd,outfd);
-
- DEBUG(3,("Running the command `%s' gave %d\n",syscmd,ret));
-