[Pkg-samba-maint] r2909 - in branches/samba/lenny/debian: . patches

bubulle at alioth.debian.org bubulle at alioth.debian.org
Tue Jun 23 07:15:54 UTC 2009


Author: bubulle
Date: 2009-06-23 07:15:53 +0000 (Tue, 23 Jun 2009)
New Revision: 2909

Added:
   branches/samba/lenny/debian/patches/security-CVE-2009-1888.patch
Modified:
   branches/samba/lenny/debian/changelog
   branches/samba/lenny/debian/patches/series
Log:
Add patch for CVE ID 2009-1888


Modified: branches/samba/lenny/debian/changelog
===================================================================
--- branches/samba/lenny/debian/changelog	2009-06-23 06:38:23 UTC (rev 2908)
+++ branches/samba/lenny/debian/changelog	2009-06-23 07:15:53 UTC (rev 2909)
@@ -1,6 +1,7 @@
 samba (2:3.2.5-4lenny6) UNRELEASED; urgency=low
 
   * CVE 2009-1886: Fix Formatstring vulnerability in smbclient
+  * CVE 2009-1888: Fix uninitialized read of a data value
 
  -- Christian Perrier <bubulle at debian.org>  Tue, 23 Jun 2009 08:37:27 +0200
 

Added: branches/samba/lenny/debian/patches/security-CVE-2009-1888.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2009-1888.patch	                        (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2009-1888.patch	2009-06-23 07:15:53 UTC (rev 2909)
@@ -0,0 +1,106 @@
+Goal: Fix uninitialized read of a data value
+
+Fixes: Upstream security fix. CVE-2009-1888
+
+Status wrt upstream: Fixed in 3.2.13
+
+Author: Jeremy Allison <jra at samba.org>
+
+Note: an uninitialized read of a data value can potentially affect access
+      control when "dos filemode" is set to "yes".
+
+Index: lenny/source/smbd/posix_acls.c
+===================================================================
+--- lenny.orig/source/smbd/posix_acls.c	2009-06-23 09:10:19.426962965 +0200
++++ lenny/source/smbd/posix_acls.c	2009-06-23 09:13:58.522961540 +0200
+@@ -2368,24 +2368,22 @@
+ ****************************************************************************/
+ 
+ static bool acl_group_override(connection_struct *conn,
+-				gid_t prim_gid,
++				SMB_STRUCT_STAT *psbuf,
+ 				const char *fname)
+ {
+-	SMB_STRUCT_STAT sbuf;
+-
+ 	if ((errno != EPERM) && (errno != EACCES)) {
+ 		return false;
+ 	}
+ 
+ 	/* file primary group == user primary or supplementary group */
+ 	if (lp_acl_group_control(SNUM(conn)) &&
+-			current_user_in_group(prim_gid)) {
++			current_user_in_group(psbuf->st_gid)) {
+ 		return true;
+ 	}
+ 
+ 	/* user has writeable permission */
+ 	if (lp_dos_filemode(SNUM(conn)) &&
+-			can_write_to_file(conn, fname, &sbuf)) {
++			can_write_to_file(conn, fname, psbuf)) {
+ 		return true;
+ 	}
+ 
+@@ -2396,7 +2394,7 @@
+  Attempt to apply an ACL to a file or directory.
+ ****************************************************************************/
+ 
+-static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, gid_t prim_gid, bool *pacl_set_support)
++static bool set_canon_ace_list(files_struct *fsp, canon_ace *the_ace, bool default_ace, SMB_STRUCT_STAT *psbuf, bool *pacl_set_support)
+ {
+ 	connection_struct *conn = fsp->conn;
+ 	bool ret = False;
+@@ -2575,7 +2573,7 @@
+ 				*pacl_set_support = False;
+ 			}
+ 
+-			if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
++			if (acl_group_override(conn, psbuf, fsp->fsp_name)) {
+ 				int sret;
+ 
+ 				DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
+@@ -2606,7 +2604,7 @@
+ 				*pacl_set_support = False;
+ 			}
+ 
+-			if (acl_group_override(conn, prim_gid, fsp->fsp_name)) {
++			if (acl_group_override(conn, psbuf, fsp->fsp_name)) {
+ 				int sret;
+ 
+ 				DEBUG(5,("set_canon_ace_list: acl group control on and current user in file %s primary group.\n",
+@@ -3565,7 +3563,7 @@
+ 			 */
+ 
+ 			if (acl_perms && file_ace_list) {
+-				ret = set_canon_ace_list(fsp, file_ace_list, False, sbuf.st_gid, &acl_set_support);
++				ret = set_canon_ace_list(fsp, file_ace_list, False, &sbuf, &acl_set_support);
+ 				if (acl_set_support && ret == False) {
+ 					DEBUG(3,("set_nt_acl: failed to set file acl on file %s (%s).\n", fsp->fsp_name, strerror(errno) ));
+ 					free_canon_ace_list(file_ace_list);
+@@ -3576,7 +3574,7 @@
+ 
+ 			if (acl_perms && acl_set_support && fsp->is_directory) {
+ 				if (dir_ace_list) {
+-					if (!set_canon_ace_list(fsp, dir_ace_list, True, sbuf.st_gid, &acl_set_support)) {
++					if (!set_canon_ace_list(fsp, dir_ace_list, True, &sbuf, &acl_set_support)) {
+ 						DEBUG(3,("set_nt_acl: failed to set default acl on directory %s (%s).\n", fsp->fsp_name, strerror(errno) ));
+ 						free_canon_ace_list(file_ace_list);
+ 						free_canon_ace_list(dir_ace_list); 
+@@ -3591,7 +3589,7 @@
+ 					if (SMB_VFS_SYS_ACL_DELETE_DEF_FILE(conn, fsp->fsp_name) == -1) {
+ 						int sret = -1;
+ 
+-						if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
++						if (acl_group_override(conn, &sbuf, fsp->fsp_name)) {
+ 							DEBUG(5,("set_nt_acl: acl group control on and "
+ 								"current user in file %s primary group. Override delete_def_acl\n",
+ 								fsp->fsp_name ));
+@@ -3638,7 +3636,7 @@
+ 
+ 					if(SMB_VFS_CHMOD(conn,fsp->fsp_name, posix_perms) == -1) {
+ 						int sret = -1;
+-						if (acl_group_override(conn, sbuf.st_gid, fsp->fsp_name)) {
++						if (acl_group_override(conn, &sbuf, fsp->fsp_name)) {
+ 							DEBUG(5,("set_nt_acl: acl group control on and "
+ 								"current user in file %s primary group. Override chmod\n",
+ 								fsp->fsp_name ));
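Review bot: In the posix_acls.c change, acl_group_override() now bases both override checks on the caller's stat buffer (`psbuf->st_gid` and `can_write_to_file(conn, fname, psbuf)`), but nothing in the patch states that psbuf must be a valid, current stat of fname, and the pointer is dereferenced without a NULL check. The callers visible here pass `&sbuf` from set_nt_acl or forward psbuf, so this looks safe as written. Whether sbuf is refreshed after any ownership change earlier in set_nt_acl is not visible in these hunks and should be confirmed, since a stale or unset buffer would again feed the access decision. I would add a contract comment above the function, e.g. `/* psbuf must be non-NULL and hold a valid, up-to-date stat of fname; it drives the access-control decision. */`, and note there that errno must still hold the value from the failed call when the function is entered. The bodies of acl_group_override and set_canon_ace_list continue outside the quoted hunks.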

Modified: branches/samba/lenny/debian/patches/series
===================================================================
--- branches/samba/lenny/debian/patches/series	2009-06-23 06:38:23 UTC (rev 2908)
+++ branches/samba/lenny/debian/patches/series	2009-06-23 07:15:53 UTC (rev 2909)
@@ -31,3 +31,4 @@
 bug_522907_upstream_6279.patch
 bug_526229-upstream_6301.patch
 security-CVE-2009-1886.patch
+security-CVE-2009-1888.patch



