[Pkg-samba-maint] r1570 - in branches/samba/sarge/debian: . patches
vorlon at alioth.debian.org
vorlon at alioth.debian.org
Thu Nov 15 17:08:48 UTC 2007
Author: vorlon
Date: 2007-11-15 17:08:48 +0000 (Thu, 15 Nov 2007)
New Revision: 1570
Added:
branches/samba/sarge/debian/patches/security-CVE-2007-4572.patch
branches/samba/sarge/debian/patches/security-CVE-2007-5398.patch
Modified:
branches/samba/sarge/debian/changelog
Log:
New oldstable-security release for two embargoed security issues,
CVE-2007-5398 and CVE-2007-4572.
Modified: branches/samba/sarge/debian/changelog
===================================================================
--- branches/samba/sarge/debian/changelog 2007-11-15 01:47:45 UTC (rev 1569)
+++ branches/samba/sarge/debian/changelog 2007-11-15 17:08:48 UTC (rev 1570)
@@ -1,3 +1,12 @@
+samba (3.0.14a-3sarge7) oldstable-security; urgency=low
+
+ * Fix a remote code execution vulnerability when running nmbd as a
+ WINS server. (CVE-2007-5398)
+ * Fix a buffer overflow in nmbd when running as a domain controller
+ during the processing GETDC logon server requests. (CVE-2007-4572)
+
+ -- Steve Langasek <vorlon at debian.org> Tue, 13 Nov 2007 16:15:31 -0800
+
samba (3.0.14a-3sarge6) oldstable-security; urgency=high
* Fix typo in patch for CVE-2007-2447 that would cause segfaults
Added: branches/samba/sarge/debian/patches/security-CVE-2007-4572.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-4572.patch (rev 0)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-4572.patch 2007-11-15 17:08:48 UTC (rev 1570)
@@ -0,0 +1,302 @@
+Index: samba/source/lib/charcnv.c
+===================================================================
+--- samba/source/lib/charcnv.c (revision 25137)
++++ samba/source/lib/charcnv.c (working copy)
+@@ -841,16 +841,19 @@
+ * </dl>
+ *
+ * @param dest_len the maximum length in bytes allowed in the
+- * destination. If @p dest_len is -1 then no maximum is used.
++ * destination.
+ **/
+ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ {
+ size_t src_len = strlen(src);
+ pstring tmpbuf;
++ size_t ret;
+
+- /* treat a pstring as "unlimited" length */
+- if (dest_len == (size_t)-1)
+- dest_len = sizeof(pstring);
++ /* No longer allow a length of -1. */
++ if (dest_len == (size_t)-1) {
++ smb_panic("push_ascii - dest_len == -1");
++ return (size_t)0;
++ }
+
+ if (flags & STR_UPPER) {
+ pstrcpy(tmpbuf, src);
+@@ -861,7 +864,11 @@
+ if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+ src_len++;
+
+- return convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
++ ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, True);
++ if (ret == (size_t)-1) {
++ return 0;
++ }
++ return ret;
+ }
+
+ size_t push_ascii_fstring(void *dest, const char *src)
+Index: samba/source/libsmb/ntlmssp_parse.c
+===================================================================
+--- samba/source/libsmb/ntlmssp_parse.c (revision 25137)
++++ samba/source/libsmb/ntlmssp_parse.c (working copy)
+@@ -152,7 +152,8 @@
+ break;
+ case 'C':
+ s = va_arg(ap, char *);
+- head_ofs += push_string(NULL, blob->data+head_ofs, s, -1,
++ n = str_charnum(s) + 1;
++ head_ofs += push_string(NULL, blob->data+head_ofs, s, n,
+ STR_ASCII|STR_TERMINATE);
+ break;
+ }
+Index: samba/source/nmbd/nmbd_processlogon.c
+===================================================================
+--- samba/source/nmbd/nmbd_processlogon.c (revision 25137)
++++ samba/source/nmbd/nmbd_processlogon.c (working copy)
+@@ -95,7 +95,7 @@
+ DEBUG(4,("process_logon_packet: Logon from %s: code = 0x%x\n", inet_ntoa(p->ip), code));
+
+ switch (code) {
+- case 0:
++ case 0:
+ {
+ fstring mach_str, user_str, getdc_str;
+ char *q = buf + 2;
+@@ -135,7 +135,9 @@
+
+ fstrcpy(reply_name, "\\\\");
+ fstrcat(reply_name, my_name);
+- push_ascii_fstring(q, reply_name);
++ push_ascii(q,reply_name,
++ sizeof(outbuf)-PTR_DIFF(q, outbuf),
++ STR_TERMINATE);
+ q = skip_string(q, 1); /* PDC name */
+
+ SSVAL(q, 0, token);
+@@ -143,7 +145,7 @@
+
+ dump_data(4, outbuf, PTR_DIFF(q, outbuf));
+
+- send_mailslot(True, getdc_str,
++ send_mailslot(True, getdc_str,
+ outbuf,PTR_DIFF(q,outbuf),
+ global_myname(), 0x0,
+ mach_str,
+@@ -159,7 +161,7 @@
+ char *q = buf + 2;
+ char *machine = q;
+
+- if (!lp_domain_master()) {
++ if (!lp_domain_master()) {
+ /* We're not Primary Domain Controller -- ignore this */
+ return;
+ }
+@@ -231,7 +233,9 @@
+ q += 2;
+
+ fstrcpy(reply_name,my_name);
+- push_ascii_fstring(q, reply_name);
++ push_ascii(q, reply_name,
++ sizeof(outbuf)-PTR_DIFF(q, outbuf),
++ STR_TERMINATE);
+ q = skip_string(q, 1); /* PDC name */
+
+ /* PDC and domain name */
+@@ -239,8 +243,15 @@
+ /* Make a full reply */
+ q = ALIGN2(q, outbuf);
+
+- q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
+- q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True); /* Domain name*/
++ q += dos_PutUniCode(q, my_name,
++ sizeof(pstring) - PTR_DIFF(q, outbuf),
++ True); /* PDC name */
++ q += dos_PutUniCode(q, lp_workgroup(),
++ sizeof(pstring) - (q-outbuf),
++ True); /* Domain name*/
++ if (sizeof(pstring) - PTR_DIFF(q, outbuf) < 8) {
++ return;
++ }
+ SIVAL(q, 0, 1); /* our nt version */
+ SSVAL(q, 4, 0xffff); /* our lmnttoken */
+ SSVAL(q, 6, 0xffff); /* our lm20token */
+@@ -376,9 +387,15 @@
+
+ q += 2;
+
+- q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
+- q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
+- q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True);
++ q += dos_PutUniCode(q, reply_name,
++ sizeof(pstring) - PTR_DIFF(q, outbuf),
++ True);
++ q += dos_PutUniCode(q, ascuser,
++ sizeof(pstring) - PTR_DIFF(q, outbuf),
++ True);
++ q += dos_PutUniCode(q, lp_workgroup(),
++ sizeof(pstring) - PTR_DIFF(q, outbuf),
++ True);
+ }
+ #ifdef HAVE_ADS
+ else {
+@@ -393,7 +410,10 @@
+
+ get_mydnsdomname(domain);
+ get_myname(hostname);
+-
++
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
++ return;
++ }
+ if (SVAL(uniuser, 0) == 0) {
+ SIVAL(q, 0, SAMLOGON_AD_UNK_R); /* user unknown */
+ } else {
+@@ -406,6 +426,9 @@
+ q += 4;
+
+ /* Push Domain GUID */
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < UUID_FLAT_SIZE) {
++ return;
++ }
+ if (False == secrets_fetch_domain_guid(domain, &domain_guid)) {
+ DEBUG(2, ("Could not fetch DomainGUID for %s\n", domain));
+ return;
+@@ -421,12 +444,20 @@
+ q1 = q;
+ while ((component = strtok(dc, "."))) {
+ dc = NULL;
+- size = push_ascii(&q[1], component, -1, 0);
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
++ return;
++ }
++ size = push_ascii(&q[1], component,
++ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
++ 0);
+ SCVAL(q, 0, size);
+ q += (size + 1);
+ }
+
+ /* Unk0 */
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
++ return;
++ }
+ SCVAL(q, 0, 0);
+ q++;
+
+@@ -436,44 +467,74 @@
+ q += 2;
+
+ /* Hostname */
+- size = push_ascii(&q[1], hostname, -1, 0);
++ size = push_ascii(&q[1], hostname,
++ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
++ 0);
+ SCVAL(q, 0, size);
+ q += (size + 1);
++
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 3) {
++ return;
++ }
++
+ SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
+ SCVAL(q, 1, str_offset & 0xFF);
+ q += 2;
+
+ /* NETBIOS of domain */
+- size = push_ascii(&q[1], lp_workgroup(), -1, STR_UPPER);
++ size = push_ascii(&q[1], lp_workgroup(),
++ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
++ STR_UPPER);
+ SCVAL(q, 0, size);
+ q += (size + 1);
+
+ /* Unk1 */
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 2) {
++ return;
++ }
++
+ SCVAL(q, 0, 0);
+ q++;
+
+ /* NETBIOS of hostname */
+- size = push_ascii(&q[1], my_name, -1, 0);
++ size = push_ascii(&q[1], my_name,
++ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
++ 0);
+ SCVAL(q, 0, size);
+ q += (size + 1);
+
+ /* Unk2 */
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
++ return;
++ }
++
+ SCVAL(q, 0, 0);
+ q++;
+
+ /* User name */
+ if (SVAL(uniuser, 0) != 0) {
+- size = push_ascii(&q[1], ascuser, -1, 0);
++ size = push_ascii(&q[1], ascuser,
++ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
++ 0);
+ SCVAL(q, 0, size);
+ q += (size + 1);
+ }
+
+ q_orig = q;
+ /* Site name */
+- size = push_ascii(&q[1], "Default-First-Site-Name", -1, 0);
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
++ return;
++ }
++ size = push_ascii(&q[1], "Default-First-Site-Name",
++ sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
++ 0);
+ SCVAL(q, 0, size);
+ q += (size + 1);
+
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 18) {
++ return;
++ }
++
+ /* Site name (2) */
+ str_offset = q - q_orig;
+ SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
+@@ -494,6 +555,10 @@
+ }
+ #endif
+
++ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
++ return;
++ }
++
+ /* tell the client what version we are */
+ SIVAL(q, 0, ((ntversion < 11) || (SEC_ADS != lp_security())) ? 1 : 13);
+ /* our ntversion */
+--- samba/source/smbd/lanman.c.orig 2004-12-15 09:33:17.000000000 -0500
++++ samba/source/smbd/lanman.c 2007-10-23 15:25:54.000000000 -0400
+@@ -347,7 +347,7 @@
+ SIVAL(drivdata,0,sizeof drivdata); /* cb */
+ SIVAL(drivdata,4,1000); /* lVersion */
+ memset(drivdata+8,0,32); /* szDeviceName */
+- push_ascii(drivdata+8,"NULL",-1, STR_TERMINATE);
++ push_ascii(drivdata+8,"NULL",32, STR_TERMINATE);
+ PACKl(desc,"l",drivdata,sizeof drivdata); /* pDriverData */
+ }
+
+--- samba-3.0.9/source/nmbd/nmbd_sendannounce.c.orig 2007-10-23 15:48:43.000000000 -0400
++++ samba-3.0.9/source/nmbd/nmbd_sendannounce.c 2007-10-23 15:48:54.000000000 -0400
+@@ -116,7 +116,7 @@
+ SSVAL(p,27,BROWSER_ELECTION_VERSION);
+ SSVAL(p,29,BROWSER_CONSTANT); /* Browse signature. */
+
+- p += 31 + push_string(NULL, p+31, server_comment, -1, STR_ASCII|STR_TERMINATE);
++ p += 31 + push_string(NULL, p+31, server_comment, sizeof(outbuf) - (p + 31 - outbuf), STR_ASCII|STR_TERMINATE);
+
+ send_mailslot(False,BROWSE_MAILSLOT, outbuf, PTR_DIFF(p,outbuf),
+ from_name, 0x0, to_name, to_type, to_ip, subrec->myip,
Added: branches/samba/sarge/debian/patches/security-CVE-2007-5398.patch
===================================================================
--- branches/samba/sarge/debian/patches/security-CVE-2007-5398.patch (rev 0)
+++ branches/samba/sarge/debian/patches/security-CVE-2007-5398.patch 2007-11-15 17:08:48 UTC (rev 1570)
@@ -0,0 +1,27 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
+diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
+index d49c8ba..b78ab5b 100644
+- --- a/source/nmbd/nmbd_packets.c
++++ b/source/nmbd/nmbd_packets.c
+@@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
+ nmb->answers->ttl = ttl;
+
+ if (data && len) {
++ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
++ DEBUG(5,("reply_netbios_packet: "
++ "invalid packet len (%d)\n",
++ len ));
++ return;
++ }
+ nmb->answers->rdlength = len;
+ memcpy(nmb->answers->rdata, data, len);
+ }
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1.4.6 (GNU/Linux)
+
+iD8DBQFHN7DWbzORW2Vot+oRAuVGAKCjVMern41qgbVPeaM5RNNjdZ349wCbB5NJ
+3wPX5IzlWSX5RHZHgyKcPfY=
+=EiYO
+-----END PGP SIGNATURE-----
More information about the Pkg-samba-maint
mailing list