[Pkg-samba-maint] r1565 - branches/samba/sarge/debian/patches

vorlon at alioth.debian.org vorlon at alioth.debian.org
Wed Nov 14 00:11:51 UTC 2007


Author: vorlon
Date: 2007-11-14 00:11:51 +0000 (Wed, 14 Nov 2007)
New Revision: 1565

Removed:
   branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch
   branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch
Log:
remove duplicate patches; these names would be more consistent with the other
patch names in the tree, but don't match what the Security Team actually
uploaded, so...



Deleted: branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch	2007-11-13 23:33:54 UTC (rev 1564)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-2446.patch	2007-11-14 00:11:51 UTC (rev 1565)
@@ -1,97 +0,0 @@
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_lsa.c samba-3.0.14a/source/rpc_parse/parse_lsa.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_lsa.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_lsa.c	2007-05-11 12:15:38.000000000 -0400
-@@ -962,12 +962,17 @@
- 			       &trn->num_entries2))
- 			return False;
- 
-+		if (trn->num_entries2 != trn->num_entries) {
-+		    /* RPC fault */
-+		    return False;
-+		}
-+
- 		if (UNMARSHALLING(ps)) {
--			if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries)) == NULL) {
-+			if ((trn->name = PRS_ALLOC_MEM(ps, LSA_TRANS_NAME, trn->num_entries2)) == NULL) {
- 				return False;
- 			}
- 
--			if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries)) == NULL) {
-+			if ((trn->uni_name = PRS_ALLOC_MEM(ps, UNISTR2, trn->num_entries2)) == NULL) {
- 				return False;
- 			}
- 		}
-@@ -1818,7 +1823,7 @@
- 
- static BOOL lsa_io_privilege_set(const char *desc, PRIVILEGE_SET *r_c, prs_struct *ps, int depth)
- {
--	uint32 i;
-+	uint32 i, dummy;
- 
- 	prs_debug(ps, depth, desc, "lsa_io_privilege_set");
- 	depth++;
-@@ -1826,7 +1831,7 @@
- 	if(!prs_align(ps))
- 		return False;
-  
--	if(!prs_uint32("count", ps, depth, &r_c->count))
-+	if(!prs_uint32("count", ps, depth, &dummy))
- 		return False;
- 	if(!prs_uint32("control", ps, depth, &r_c->control))
- 		return False;
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_prs.c samba-3.0.14a/source/rpc_parse/parse_prs.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_prs.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_prs.c	2007-05-11 12:15:38.000000000 -0400
-@@ -151,7 +151,7 @@
- {
- 	char *ret = NULL;
- 
--	if (size) {
-+	if (size && count) {
- 		/* We can't call the type-safe version here. */
- #if defined(PARANOID_MALLOC_CHECKER)
- 		ret = talloc_zero_array_(ps->mem_ctx, size, count);
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_sec.c samba-3.0.14a/source/rpc_parse/parse_sec.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_sec.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_sec.c	2007-05-11 12:16:29.000000000 -0400
-@@ -122,7 +122,7 @@
-  for you as it reads them.
- ********************************************************************/
- 
--BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
-+static BOOL sec_io_acl(const char *desc, SEC_ACL **ppsa, prs_struct *ps, int depth)
- {
- 	unsigned int i;
- 	uint32 old_offset;
-@@ -165,13 +165,11 @@
- 		return False;
- 
- 	if (UNMARSHALLING(ps)) {
--		/*
--		 * Even if the num_aces is zero, allocate memory as there's a difference
--		 * between a non-present DACL (allow all access) and a DACL with no ACE's
--		 * (allow no access).
--		 */
--		if((psa->ace = PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces+1)) == NULL)
--			return False;
-+	    if (psa->num_aces) {
-+		if((psa->ace = 
-+		    PRS_ALLOC_MEM(ps, SEC_ACE, psa->num_aces)) == NULL)
-+		    return False;
-+	    }
- 	}
- 
- 	for (i = 0; i < psa->num_aces; i++) {
-diff -ur samba-3.0.14a.unch/source/rpc_parse/parse_spoolss.c samba-3.0.14a/source/rpc_parse/parse_spoolss.c
---- samba-3.0.14a.unch/source/rpc_parse/parse_spoolss.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/rpc_parse/parse_spoolss.c	2007-05-11 12:15:38.000000000 -0400
-@@ -245,6 +245,9 @@
- 	
- 	if (type->count2 != type->count)
- 		DEBUG(4,("What a mess, count was %x now is %x !\n", type->count, type->count2));
-+	if (type->count2 > MAX_NOTIFY_TYPE_FOR_NOW) {
-+	    return False;
-+	}
- 
- 	/* parse the option type data */
- 	for(i=0;i<type->count2;i++)

Deleted: branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch	2007-11-13 23:33:54 UTC (rev 1564)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-2447.patch	2007-11-14 00:11:51 UTC (rev 1565)
@@ -1,252 +0,0 @@
-diff -ur samba-3.0.14a.unch/source/lib/charcnv.c samba-3.0.14a/source/lib/charcnv.c
---- samba-3.0.14a.unch/source/lib/charcnv.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/lib/charcnv.c	2007-05-11 10:29:58.000000000 -0400
-@@ -1376,5 +1376,5 @@
- 	/* We're hosed - we don't know how big this is... */
- 	DEBUG(10,("next_mb_char_size: unknown size at string %s\n", s));
- 	conv_silent = False;
--	return 1;
-+	return (size_t)-1;
- }
-diff -ur samba-3.0.14a.unch/source/lib/smbrun.c samba-3.0.14a/source/lib/smbrun.c
---- samba-3.0.14a.unch/source/lib/smbrun.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/lib/smbrun.c	2007-05-11 10:38:53.000000000 -0400
-@@ -55,7 +55,7 @@
- outfd (or discard it if outfd is NULL).
- ****************************************************************************/
- 
--int smbrun(char *cmd, int *outfd)
-+int smbrun_internal(char *cmd, int *outfd, BOOL sanitize)
- {
- 	pid_t pid;
- 	uid_t uid = current_user.uid;
-@@ -172,13 +172,36 @@
- 	}
- #endif
- 
--	execl("/bin/sh","sh","-c",cmd,NULL);  
-+	{
-+		const char *newcmd = sanitize ? escape_shell_string(cmd) : cmd;
-+		if (!newcmd) {
-+			exit(82);
-+		}
-+		execl("/bin/sh","sh","-c",newcmd,NULL);  
-+	}
- 	
- 	/* not reached */
--	exit(82);
-+	exit(83);
- 	return 1;
- }
- 
-+/****************************************************************************
-+ Use only in known safe shell calls (printing).
-+****************************************************************************/
-+
-+int smbrun_no_sanitize(const char *cmd, int *outfd)
-+{
-+	return smbrun_internal(cmd, outfd, False);
-+}
-+
-+/****************************************************************************
-+ By default this now sanitizes shell expansion.
-+****************************************************************************/
-+
-+int smbrun(const char *cmd, int *outfd)
-+{
-+	return smbrun_internal(cmd, outfd, True);
-+}
- 
- /****************************************************************************
- run a command being careful about uid/gid handling and putting the output in
-@@ -294,7 +317,7 @@
- #endif
- 
- 	execl("/bin/sh", "sh", "-c", cmd, NULL);  
--	
-+
- 	/* not reached */
- 	exit(82);
- 	return 1;
-diff -ur samba-3.0.14a.unch/source/lib/util_str.c samba-3.0.14a/source/lib/util_str.c
---- samba-3.0.14a.unch/source/lib/util_str.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/lib/util_str.c	2007-05-11 10:34:18.000000000 -0400
-@@ -2114,3 +2114,166 @@
- 	*num += 1;
- 	return True;
- }
-+
-+
-+/*******************************************************************
-+ Add a shell escape character '\' to any character not in a known list
-+ of characters. UNIX charset format.
-+*******************************************************************/
-+
-+#define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
-+#define INSIDE_DQUOTE_LIST "$`\n\"\\"
-+
-+char *escape_shell_string(const char *src)
-+{
-+	size_t srclen = strlen(src);
-+	char *ret = SMB_MALLOC((srclen * 2) + 1);
-+	char *dest = ret;
-+	BOOL in_s_quote = False;
-+	BOOL in_d_quote = False;
-+	BOOL next_escaped = False;
-+
-+	if (!ret) {
-+		return NULL;
-+	}
-+
-+	while (*src) {
-+		size_t c_size = next_mb_char_size(src);
-+
-+		if (c_size == (size_t)-1) {
-+			SAFE_FREE(ret);
-+			return NULL;
-+		}
-+
-+		if (c_size > 1) {
-+			memcpy(dest, src, c_size);
-+			src += c_size;
-+			dest += c_size;
-+			next_escaped = False;
-+			continue;
-+		}
-+
-+		/*
-+		 * Deal with backslash escaped state.
-+		 * This only lasts for one character.
-+		 */
-+
-+		if (next_escaped) {
-+			*dest++ = *src++;
-+			next_escaped = False;
-+			continue;
-+		}
-+
-+		/*
-+		 * Deal with single quote state. The
-+		 * only thing we care about is exiting
-+		 * this state.
-+		 */
-+
-+		if (in_s_quote) {
-+			if (*src == '\'') {
-+				in_s_quote = False;
-+			}
-+			*dest++ = *src++;
-+			continue;
-+		}
-+
-+		/* 
-+		 * Deal with double quote state. The most
-+		 * complex state. We must cope with \, meaning
-+		 * possibly escape next char (depending what it
-+		 * is), ", meaning exit this state, and possibly
-+		 * add an \ escape to any unprotected character
-+		 * (listed in INSIDE_DQUOTE_LIST).
-+		 */
-+
-+		if (in_d_quote) {
-+			if (*src == '\\') {
-+				/* 
-+				 * Next character might be escaped.
-+				 * We have to peek. Inside double
-+				 * quotes only INSIDE_DQUOTE_LIST
-+				 * characters are escaped by a \.
-+				 */
-+
-+				char nextchar;
-+
-+				c_size = next_mb_char_size(&src[1]);
-+				if (c_size == (size_t)-1) {
-+					SAFE_FREE(ret);
-+					return NULL;
-+				}
-+				if (c_size > 1) {
-+					/*
-+					 * Don't escape the next char.
-+					 * Just copy the \.
-+					 */
-+					*dest++ = *src++;
-+					continue;
-+				}
-+
-+				nextchar = src[1];
-+
-+				if (nextchar && strchr(INSIDE_DQUOTE_LIST, (int)nextchar)) {
-+					next_escaped = True;
-+				}
-+				*dest++ = *src++;
-+				continue;
-+			}
-+
-+			if (*src == '\"') {
-+				/* Exit double quote state. */
-+				in_d_quote = False;
-+				*dest++ = *src++;
-+				continue;
-+			}
-+
-+			/*
-+			 * We know the character isn't \ or ",
-+			 * so escape it if it's any of the other
-+			 * possible unprotected characters.
-+			 */
-+
-+	       		if (strchr(INSIDE_DQUOTE_LIST, (int)*src)) {
-+				*dest++ = '\\';
-+			}
-+			*dest++ = *src++;
-+			continue;
-+		}
-+
-+		/* 
-+		 * From here to the end of the loop we're
-+		 * not in the single or double quote state.
-+		 */
-+
-+		if (*src == '\\') {
-+			/* Next character must be escaped. */
-+			next_escaped = True;
-+			*dest++ = *src++;
-+			continue;
-+		}
-+
-+		if (*src == '\'') {
-+			/* Go into single quote state. */
-+			in_s_quote = True;
-+			*dest++ = *src++;
-+			continue;
-+		}
-+
-+		if (*src == '\"') {
-+			/* Go into double quote state. */
-+			in_d_quote = True;
-+			*dest++ = *src++;
-+			continue;
-+		}
-+
-+		/* Check if we need to escape the character. */
-+
-+	       	if (!strchr(INCLUDE_LIST, (int)*src)) {
-+			*dest++ = '\\';
-+		}
-+		*dest++ = *src++;
-+	}
-+	*dest++ = '\0';
-+	return ret;
-+}
-diff -ur samba-3.0.14a.unch/source/printing/print_generic.c samba-3.0.14a/source/printing/print_generic.c
---- samba-3.0.14a.unch/source/printing/print_generic.c	2007-05-11 10:29:20.000000000 -0400
-+++ samba-3.0.14a/source/printing/print_generic.c	2007-05-11 10:29:58.000000000 -0400
-@@ -57,7 +57,7 @@
- 	if ( do_sub && snum != -1 )
- 		standard_sub_snum(snum,syscmd,sizeof(syscmd));
- 		
--	ret = smbrun(syscmd,outfd);
-+	ret = smbrun_no_sanitize(syscmd,outfd);
- 
- 	DEBUG(3,("Running the command `%s' gave %d\n",syscmd,ret));
- 



