[Pkg-samba-maint] (forw) [Samba-pkg-sec] [Fwd: [SAMBA] GETDC mailslot processing buffer overrun in nmbd]
Steve Langasek
vorlon at debian.org
Wed Nov 28 10:32:04 UTC 2007
I don't like this game. :/
On Sun, Nov 25, 2007 at 01:02:21PM +0000, Steve Kemp wrote:
> On Sat Nov 24, 2007 at 02:49:13 -0800, Steve Langasek wrote:
> > And there's one more regression still present, which was just brought to my
> > attention. I've grabbed the fix from upstream and am pushing updated
> > packages straight to security.debian.org; I don't see any point in the extra
> > churn of having *three* DSAs for the same issue when we know in advance that
> > the regression is present.
> Agreed. I really intended to mention the regression in the original
> advisory, but I didn't. Too much of a rush.
> I'm still waiting for more buildds to complete, but if they're not
> done by early evening I'll release and add later.
A grave regression *introduced* by the partial patch pulled from Samba
3.0.27a has turned up in the most recent security packages, beyond the other
regression already identified. Attached is the debdiff for yet another
revision. :(
I've gotten confirmation from two testers that this patch fixes the latest
regression, and my review of the patch indicates that it doesn't introduce
any new behavior changes. samba 3.0.14a-3sarge10 is uploaded to
security-master now, and 3.0.24-6etch8 will follow it ASAP.
Time for a -3 draft of the DSA? :/
--
Steve Langasek                    Give me a lever long enough and a Free OS
Debian Developer                  to set it on, and I can move the world.
Ubuntu Developer                  http://www.debian.org/
slangasek at ubuntu.com           vorlon at debian.org
-------------- next part --------------
diff -u samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch
--- samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch
+++ samba-3.0.24/debian/patches/security-CVE-2007-4572_part2.patch
@@ -74,12 +74,21 @@
===================================================================
--- samba-3.0.24.orig/source/smbd/trans2.c
+++ samba-3.0.24/source/smbd/trans2.c
+@@ -1047,7 +1047,7 @@
+ char *path_mask,uint32 dirtype,int info_level,
+ int requires_resume_key,
+ BOOL dont_descend,char **ppdata,
+- char *base_data, int space_remaining,
++ char *base_data, char *end_data, int space_remaining,
+ BOOL *out_of_space, BOOL *got_exact_match,
+ int *last_entry_off, struct ea_list *name_list, TALLOC_CTX *ea_ctx)
+ {
@@ -1225,7 +1225,7 @@
p += 23;
nameptr = p;
p += align_string(outbuf, p, 0);
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
SCVAL(nameptr, -1, len - 2);
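Review bot: the added get_lanman2_dir_entry prototype hunk introduces `char *end_data` but keeps `int space_remaining`, so the function now carries two bounds for the same output buffer, and the 1225 hunk switches the srvstr_push length from `space_remaining - (p - pdata)` to `PTR_DIFF(end_data, p)` while space_remaining is still passed in. A one-line comment at the parameter list saying that end_data bounds every string push and space_remaining only drives the out_of_space decision would make the intent reviewable; it is also worth confirming that no `-1` length argument to srvstr_push survives in this function outside the hunks below, since one missed call is enough to keep the overrun reachable.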
@@ -88,7 +97,7 @@
p += 27;
nameptr = p - 1;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE | STR_NOALIGN);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
len -= 2;
@@ -100,7 +109,7 @@
+ p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list);
nameptr = p;
- len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN);
-+ len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN);
++ len = srvstr_push(outbuf, p + 1, fname, PTR_DIFF(end_data, p+1), STR_TERMINATE | STR_NOALIGN);
if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) {
if (len > 2) {
len -= 2;
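Review bot: the fill_ea_buffer bound on the first line of this hunk is still `space_remaining - (p - pdata)`, while the srvstr_push two lines below is moved onto `PTR_DIFF(end_data, p+1)`; the two measures are only equivalent if space_remaining was computed against the same end pointer as data_end, so either bound the EA fill with `PTR_DIFF(end_data, p)` as well or add a comment explaining why the older expression is sufficient there. The `p+1` in the new bound correctly matches the `p + 1` destination of the push.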
@@ -109,7 +118,7 @@
}
p += 2 + 24;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -118,7 +127,7 @@
SOFF_T(p,0,allocation_size); p += 8;
SIVAL(p,0,nt_extmode); p += 4;
- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p + 4, fname, PTR_DIFF(end_data, p+4), STR_TERMINATE_ASCII);
SIVAL(p,0,len);
p += 4 + len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -127,7 +136,7 @@
p +=4;
}
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
@@ -136,7 +145,7 @@
/* this must *not* be null terminated or w2k gets in a loop trying to set an
acl on a dir (tridge) */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(p, -4, len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -145,7 +154,7 @@
SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q, 0, len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -154,7 +163,7 @@
SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */
SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE_ASCII);
SIVAL(q,0,len);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
@@ -163,11 +172,61 @@
p+= 8;
- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE);
-+ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE);
++ len = srvstr_push(outbuf, p, fname, PTR_DIFF(end_data, p), STR_TERMINATE);
p += len;
SIVAL(p,0,0); /* Ensure any padding is null. */
-@@ -2229,7 +2229,7 @@
+@@ -1625,6 +1625,7 @@
+ requested. */
+ char *params = *pparams;
+ char *pdata = *ppdata;
++ char *data_end;
+ uint32 dirtype = SVAL(params,0);
+ int maxentries = SVAL(params,2);
+ uint16 findfirst_flags = SVAL(params,4);
+@@ -1754,6 +1755,7 @@
+ return ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
+ pdata = *ppdata;
++ data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+
+ /* Realloc the params space */
+ *pparams = SMB_REALLOC(*pparams, 10);
+@@ -1798,7 +1800,7 @@
+ inbuf, outbuf,
+ mask,dirtype,info_level,
+ requires_resume_key,dont_descend,
+- &p,pdata,space_remaining, &out_of_space, &got_exact_match,
++ &p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ &last_entry_off, ea_list, ea_ctx);
+ }
+
+@@ -1892,6 +1894,7 @@
+ requested. */
+ char *params = *pparams;
+ char *pdata = *ppdata;
++ char *data_end;
+ int dptr_num = SVAL(params,0);
+ int maxentries = SVAL(params,2);
+ uint16 info_level = SVAL(params,4);
+@@ -2006,6 +2009,7 @@
+ }
+
+ pdata = *ppdata;
++ data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;
+
+ /* Realloc the params space */
+ *pparams = SMB_REALLOC(*pparams, 6*SIZEOFWORD);
+@@ -2097,7 +2101,7 @@
+ inbuf, outbuf,
+ mask,dirtype,info_level,
+ requires_resume_key,dont_descend,
+- &p,pdata,space_remaining, &out_of_space, &got_exact_match,
++ &p,pdata,data_end,space_remaining, &out_of_space, &got_exact_match,
+ &last_entry_off, ea_list, ea_ctx);
+ }
+
+@@ -2229,7 +2233,7 @@
* this call so try fixing this by adding a terminating null to
* the pushed string. The change here was adding the STR_TERMINATE. JRA.
*/
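Review bot: `data_end = pdata + max_data_bytes + DIR_ENTRY_SAFETY_MARGIN - 1;` (in both the findfirst and findnext hunks) deliberately points into the safety margin, so `PTR_DIFF(end_data, p)` lets srvstr_push write past max_data_bytes; that is only safe if the SMB_REALLOC immediately above (its size argument is outside the shown context, only the `return ERROR_NT(NT_STATUS_NO_MEMORY);` is visible) allocates max_data_bytes + DIR_ENTRY_SAFETY_MARGIN bytes. Please confirm the two agree and put a comment at the assignment, because the margin and the `- 1` are otherwise unexplained. The renumbered `+@@ -2229,7 +2233,7 @@` header (+4) is consistent with the four one-line insertions added above it.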
@@ -176,7 +235,7 @@
SCVAL(pdata,l2_vol_cch,len);
data_len = l2_vol_szVolLabel + len;
DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n",
-@@ -2251,14 +2251,14 @@
+@@ -2251,14 +2255,14 @@
SIVAL(pdata,4,255); /* Max filename component length */
/* NOTE! the fstype must *not* be null terminated or win98 won't recognise it
and will think we can't do long filenames */
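Review bot: this hunk and the following offset-only hunks just shift the inner trans2.c headers by +4 (`-@@ -2251,14 +2251,14 @@` to `+@@ -2251,14 +2255,14 @@`), matching the four lines inserted earlier in the file; there is no code change, so the only thing to check is that the regenerated patch applies without fuzz.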
@@ -193,7 +252,7 @@
data_len = 4 + len;
SIVAL(pdata,0,len);
break;
-@@ -2273,7 +2273,7 @@
+@@ -2273,7 +2277,7 @@
SIVAL(pdata,8,str_checksum(lp_servicename(snum)) ^
(str_checksum(get_local_machine_name())<<16));
@@ -202,7 +261,7 @@
SIVAL(pdata,12,len);
data_len = 18+len;
DEBUG(5,("call_trans2qfsinfo : SMB_QUERY_FS_VOLUME_INFO namelen = %d, vol=%s serv=%s\n",
-@@ -3232,7 +3232,7 @@
+@@ -3232,7 +3236,7 @@
if(!mangle_is_8_3(short_name, True, SNUM(conn))) {
mangle_map(short_name,True,True,SNUM(conn));
}
@@ -211,7 +270,7 @@
data_size = 4 + len;
SIVAL(pdata,0,len);
break;
-@@ -3242,7 +3242,7 @@
+@@ -3242,7 +3246,7 @@
/*
this must be *exactly* right for ACLs on mapped drives to work
*/
@@ -220,7 +279,7 @@
DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n"));
data_size = 4 + len;
SIVAL(pdata,0,len);
-@@ -3283,7 +3283,7 @@
+@@ -3283,7 +3287,7 @@
pdata += 24;
SIVAL(pdata,0,ea_size);
pdata += 4; /* EA info */
@@ -229,7 +288,7 @@
SIVAL(pdata,0,len);
pdata += 4 + len;
data_size = PTR_DIFF(pdata,(*ppdata));
-@@ -3472,7 +3472,7 @@
+@@ -3472,7 +3476,7 @@
if (len == -1)
return(UNIXERROR(ERRDOS,ERRnoaccess));
buffer[len] = 0;
@@ -238,11 +297,11 @@
pdata += len;
data_size = PTR_DIFF(pdata,(*ppdata));
-diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c
-index 05a5962..058faed 100644
---- a/source/smbd/sesssetup.c
-+++ b/source/smbd/sesssetup.c
-@@ -68,9 +68,9 @@ static int add_signature(char *outbuf, char *p)
+Index: samba-3.0.24/source/smbd/sesssetup.c
+===================================================================
+--- samba-3.0.24.orig/source/smbd/sesssetup.c
++++ samba-3.0.24/source/smbd/sesssetup.c
+@@ -62,9 +62,9 @@
fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
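Review bot: the sesssetup.c hunk is converted from a git header to an `Index:` header and its start moves from `@@ -68,9 +68,9 @@` to `@@ -62,9 +62,9 @@`, but the only body line shown (`fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);`) is unchanged, i.e. the header was rebased by hand rather than regenerated against samba-3.0.24. Please verify with a dry-run apply that it lands at line 62 without fuzz, and drop the now-stale `index 05a5962..058faed` reference entirely rather than leaving it in any other patch in the series.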
diff -u samba-3.0.24/debian/changelog samba-3.0.24/debian/changelog
--- samba-3.0.24/debian/changelog
+++ samba-3.0.24/debian/changelog
@@ -1,3 +1,10 @@
+samba (3.0.24-6etch8) stable-security; urgency=low
+
+ * Fix for yet another regression in the fix for CVE-2007-4572 due to one
+ other missed patch in the 3.0.27a diff. Closes: #453050.
+
+ -- Steve Langasek <vorlon at debian.org> Tue, 27 Nov 2007 23:27:42 -0800
+
samba (3.0.24-6etch7) stable-security; urgency=low
* Fix for one final regression related to the fix for CVE-2007-4572,
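Review bot: the new changelog entry cites #453050 but does not say what the regression was; since this is the third stable-security upload for CVE-2007-4572, state the user-visible symptom the missed 3.0.27a hunk fixes so that readers of the advisory can tell which revision they need.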