[Pkg-samba-maint] r3589 - in branches/samba/upstream: . docs-xml/smbdotconf/protocol libcli/security packaging/RHEL packaging/RHEL-CTDB source3 source3/include source3/lib source3/libads source3/libsmb source3/smbd
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Tue Sep 14 20:01:42 UTC 2010
Author: bubulle
Date: 2010-09-14 20:01:36 +0000 (Tue, 14 Sep 2010)
New Revision: 3589
Modified:
branches/samba/upstream/WHATSNEW.txt
branches/samba/upstream/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml
branches/samba/upstream/libcli/security/dom_sid.c
branches/samba/upstream/libcli/security/dom_sid.h
branches/samba/upstream/packaging/RHEL-CTDB/samba.spec
branches/samba/upstream/packaging/RHEL/makerpms.sh
branches/samba/upstream/packaging/RHEL/samba.spec
branches/samba/upstream/source3/VERSION
branches/samba/upstream/source3/include/version.h
branches/samba/upstream/source3/lib/util_sid.c
branches/samba/upstream/source3/libads/ldap.c
branches/samba/upstream/source3/libsmb/cliquota.c
branches/samba/upstream/source3/smbd/nttrans.c
Log:
Load samba-3.5.5 into branches/samba/upstream.
Modified: branches/samba/upstream/WHATSNEW.txt
===================================================================
--- branches/samba/upstream/WHATSNEW.txt 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/WHATSNEW.txt 2010-09-14 20:01:36 UTC (rev 3589)
@@ -1,4 +1,59 @@
=============================
+ Release Notes for Samba 3.5.5
+ September 14, 2010
+ =============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o CVE-2010-3069:
+ All current released versions of Samba are vulnerable to
+ a buffer overrun vulnerability. The sid_parse() function
+ (and related dom_sid_parse() function in the source4 code)
+ do not correctly check their input lengths when reading a
+ binary representation of a Windows SID (Security ID). This
+ allows a malicious client to send a sid that can overflow
+ the stack variable that is being used to store the SID in the
+ Samba smbd server.
+
+
+Changes since 3.5.4
+--------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 3.5.4
June 23, 2010
=============================
@@ -88,9 +143,9 @@
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 3.5.3
May 19, 2010
Modified: branches/samba/upstream/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml
===================================================================
--- branches/samba/upstream/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml 2010-09-14 20:01:36 UTC (rev 3589)
@@ -6,7 +6,7 @@
<description>
<para>
This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
- <manvolnum>8</manvolnum></citerefentry>maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum
+ <manvolnum>8</manvolnum></citerefentry> maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum
allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX
ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any
POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and
Modified: branches/samba/upstream/libcli/security/dom_sid.c
===================================================================
--- branches/samba/upstream/libcli/security/dom_sid.c 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/libcli/security/dom_sid.c 2010-09-14 20:01:36 UTC (rev 3589)
@@ -117,6 +117,10 @@
if (sidstr[i] == '-') num_sub_auths++;
}
+ if (num_sub_auths > MAXSUBAUTHS) {
+ return false;
+ }
+
ret->sid_rev_num = rev;
ret->id_auth[0] = 0;
ret->id_auth[1] = 0;
Modified: branches/samba/upstream/libcli/security/dom_sid.h
===================================================================
--- branches/samba/upstream/libcli/security/dom_sid.h 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/libcli/security/dom_sid.h 2010-09-14 20:01:36 UTC (rev 3589)
@@ -40,5 +40,9 @@
const struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
#endif /*_DOM_SID_H_*/
Modified: branches/samba/upstream/packaging/RHEL/makerpms.sh
===================================================================
--- branches/samba/upstream/packaging/RHEL/makerpms.sh 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/packaging/RHEL/makerpms.sh 2010-09-14 20:01:36 UTC (rev 3589)
@@ -20,7 +20,7 @@
USERID=`id -u`
GRPID=`id -g`
-VERSION='3.5.4'
+VERSION='3.5.5'
REVISION=''
SPECFILE="samba.spec"
RPMVER=`rpm --version | awk '{print $3}'`
Modified: branches/samba/upstream/packaging/RHEL/samba.spec
===================================================================
--- branches/samba/upstream/packaging/RHEL/samba.spec 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/packaging/RHEL/samba.spec 2010-09-14 20:01:36 UTC (rev 3589)
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba at samba.org>
Name: samba
-Version: 3.5.4
+Version: 3.5.5
Release: 1
Epoch: 0
License: GNU GPL version 3
Modified: branches/samba/upstream/packaging/RHEL-CTDB/samba.spec
===================================================================
--- branches/samba/upstream/packaging/RHEL-CTDB/samba.spec 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/packaging/RHEL-CTDB/samba.spec 2010-09-14 20:01:36 UTC (rev 3589)
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba at samba.org>
Name: samba
-Version: 3.5.4
+Version: 3.5.5
Release: 1GITHASH
Epoch: 0
License: GNU GPL version 3
Modified: branches/samba/upstream/source3/VERSION
===================================================================
--- branches/samba/upstream/source3/VERSION 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/source3/VERSION 2010-09-14 20:01:36 UTC (rev 3589)
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
########################################################
# Bug fix releases use a letter for the patch revision #
Modified: branches/samba/upstream/source3/include/version.h
===================================================================
--- branches/samba/upstream/source3/include/version.h 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/source3/include/version.h 2010-09-14 20:01:36 UTC (rev 3589)
@@ -1,8 +1,8 @@
/* Autogenerated by script/mkversion.sh */
#define SAMBA_VERSION_MAJOR 3
#define SAMBA_VERSION_MINOR 5
-#define SAMBA_VERSION_RELEASE 4
-#define SAMBA_VERSION_OFFICIAL_STRING "3.5.4"
+#define SAMBA_VERSION_RELEASE 5
+#define SAMBA_VERSION_OFFICIAL_STRING "3.5.5"
#ifdef SAMBA_VERSION_VENDOR_FUNCTION
# define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
#else /* SAMBA_VERSION_VENDOR_FUNCTION */
Modified: branches/samba/upstream/source3/lib/util_sid.c
===================================================================
--- branches/samba/upstream/source3/lib/util_sid.c 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/source3/lib/util_sid.c 2010-09-14 20:01:36 UTC (rev 3589)
@@ -408,6 +408,9 @@
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
Modified: branches/samba/upstream/source3/libads/ldap.c
===================================================================
--- branches/samba/upstream/source3/libads/ldap.c 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/source3/libads/ldap.c 2010-09-14 20:01:36 UTC (rev 3589)
@@ -2141,7 +2141,9 @@
for (i=0; values[i]; i++) {
DOM_SID sid;
fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
}
}
Modified: branches/samba/upstream/source3/libsmb/cliquota.c
===================================================================
--- branches/samba/upstream/source3/libsmb/cliquota.c 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/source3/libsmb/cliquota.c 2010-09-14 20:01:36 UTC (rev 3589)
@@ -111,7 +111,9 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
qt.qtype = SMB_USER_QUOTA_TYPE;
Modified: branches/samba/upstream/source3/smbd/nttrans.c
===================================================================
--- branches/samba/upstream/source3/smbd/nttrans.c 2010-09-14 00:39:13 UTC (rev 3588)
+++ branches/samba/upstream/source3/smbd/nttrans.c 2010-09-14 20:01:36 UTC (rev 3589)
@@ -2161,7 +2161,11 @@
/* unknown 4 bytes: this is not the length of the sid :-( */
/*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
if (!sid_to_uid(&sid, &uid)) {
@@ -2417,7 +2421,10 @@
break;
}
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
ZERO_STRUCT(qt);
@@ -2598,7 +2605,11 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
/* 44 unknown bytes left... */
More information about the Pkg-samba-maint
mailing list