[Pkg-samba-maint] r3591 - in branches/samba/lenny/debian: . patches
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Tue Sep 14 20:28:06 UTC 2010
tags 596891 pending
thanks
Author: bubulle
Date: 2010-09-14 20:28:01 +0000 (Tue, 14 Sep 2010)
New Revision: 3591
Added:
branches/samba/lenny/debian/patches/security-CVE-2010-3069.patch
Modified:
branches/samba/lenny/debian/changelog
branches/samba/lenny/debian/patches/series
Log:
* Security update, fixing the following issue:
- CVE-2010-3069: Buffer overrun vulnerability in sid_parse.
Closes: #596891.
Modified: branches/samba/lenny/debian/changelog
===================================================================
--- branches/samba/lenny/debian/changelog 2010-09-14 20:01:55 UTC (rev 3590)
+++ branches/samba/lenny/debian/changelog 2010-09-14 20:28:01 UTC (rev 3591)
@@ -1,3 +1,11 @@
+samba (2:3.2.5-4lenny13) UNRELEASED; urgency=high
+
+ * Security update, fixing the following issue:
+ - CVE-2019-3069: Buffer overrun vulnerability in sid_parse.
+ Closes: #596891.
+
+ -- Christian Perrier <bubulle at debian.org> Tue, 14 Sep 2010 22:24:59 +0200
+
samba (2:3.2.5-4lenny12) stable-security; urgency=low
* Security update, fix memory corruption vulnerability
Added: branches/samba/lenny/debian/patches/security-CVE-2010-3069.patch
===================================================================
--- branches/samba/lenny/debian/patches/security-CVE-2010-3069.patch (rev 0)
+++ branches/samba/lenny/debian/patches/security-CVE-2010-3069.patch 2010-09-14 20:28:01 UTC (rev 3591)
@@ -0,0 +1,107 @@
+Goal: Fix buffer overrun in sid_parse
+
+Fixes: Upstream security fix. CVE-2010-3069
+
+Status wrt upstream: Fixed in 3.3.14, 3.4.9 and 3.5.5
+
+Author: Samba Team <security at samba.org>
+
+Index: lenny/source/lib/util_sid.c
+===================================================================
+--- lenny.orig/source/lib/util_sid.c
++++ lenny/source/lib/util_sid.c
+@@ -408,6 +408,9 @@
+
+ sid->sid_rev_num = CVAL(inbuf, 0);
+ sid->num_auths = CVAL(inbuf, 1);
++ if (sid->num_auths > MAXSUBAUTHS) {
++ return false;
++ }
+ memcpy(sid->id_auth, inbuf+2, 6);
+ if (len < 8 + sid->num_auths*4)
+ return False;
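Review bot: The new bound check `if (sid->num_auths > MAXSUBAUTHS)` runs after the count byte from the input buffer has already been stored in `sid->num_auths`, so on rejection the caller's structure still holds the out-of-range count. A caller that ignores the return value, as the callers touched by this patch did before it, would then carry a SID whose count exceeds the bound; resetting it on the failure path with `sid->num_auths = 0; return false;`, or reading the byte into a local first, closes that gap. A short comment such as `/* num_auths is read from inbuf; reject counts larger than sub_auths[] */` would record why the check exists, assuming `sub_auths` is sized by MAXSUBAUTHS, which is not visible here. The added line also returns `false` while the length check just below returns `False`; one spelling per function reads better. The start of the function and the loop that copies the sub-authorities are outside the hunk.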
+Index: lenny/source/libads/ldap.c
+===================================================================
+--- lenny.orig/source/libads/ldap.c
++++ lenny/source/libads/ldap.c
+@@ -1899,7 +1899,9 @@
+ for (i=0; values[i]; i++) {
+ DOM_SID sid;
+ fstring tmp;
+- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
++ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
++ continue;
++ }
+ printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
+ }
+ }
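Review bot: The `continue` added for a failed `sid_parse()` drops the value without any trace, so an entry carrying a malformed SID is indistinguishable in the output from one that simply has fewer values. A rejected SID here means the directory server returned data that failed validation, which is worth surfacing, for example with `DEBUG(3, ("%s: skipping malformed SID value\n", field));` before the `continue`. The enclosing function starts outside the hunk.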
+Index: lenny/source/libsmb/cliquota.c
+===================================================================
+--- lenny.orig/source/libsmb/cliquota.c
++++ lenny/source/libsmb/cliquota.c
+@@ -117,7 +117,9 @@
+ }
+ #endif /* LARGE_SMB_OFF_T */
+
+- sid_parse(rdata+40,sid_len,&qt.sid);
++ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
++ return false;
++ }
+
+ qt.qtype = SMB_USER_QUOTA_TYPE;
+
+Index: lenny/source/smbd/nttrans.c
+===================================================================
+--- lenny.orig/source/smbd/nttrans.c
++++ lenny/source/smbd/nttrans.c
+@@ -1980,7 +1980,11 @@
+ /* unknown 4 bytes: this is not the length of the sid :-( */
+ /*unknown = IVAL(pdata,0);*/
+
+- sid_parse(pdata+4,sid_len,&sid);
++ if (!sid_parse(pdata+4,sid_len,&sid)) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
++
+ DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
+
+ if (!sid_to_uid(&sid, &uid)) {
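Review bot: The three new rejection paths in this file (this hunk and the ones at -2235 and -2415) answer with NT_STATUS_INVALID_PARAMETER but log nothing, so a client that sends malformed SIDs leaves no trace on the server. A log line ahead of `reply_nterror`, such as `DEBUG(2, ("sid_parse failed, sid_len=%u\n", (unsigned int)sid_len));`, would give operators something to alert on. The enclosing functions begin and end outside the hunks, so whether anything acquired earlier has to be released before the bare `return;` cannot be judged from here and should be checked against the full source.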
+@@ -2235,7 +2239,10 @@
+ break;
+ }
+
+- sid_parse(pdata+8,sid_len,&sid);
++ if (!sid_parse(pdata+8,sid_len,&sid)) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
+
+ if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
+ ZERO_STRUCT(qt);
+@@ -2415,7 +2422,11 @@
+ }
+ #endif /* LARGE_SMB_OFF_T */
+
+- sid_parse(pdata+40,sid_len,&sid);
++ if (!sid_parse(pdata+40,sid_len,&sid)) {
++ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return;
++ }
++
+ DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
+
+ /* 44 unknown bytes left... */
+Index: lenny/source/include/includes.h
+===================================================================
+--- lenny.orig/source/include/includes.h
++++ lenny/source/include/includes.h
+@@ -1294,4 +1294,8 @@
+ struct in6_addr ip);
+ #endif
+
++#ifndef MAXSUBAUTHS
++#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
++#endif
++
+ #endif /* _INCLUDES_H */
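Review bot: The `#ifndef MAXSUBAUTHS` guard lets any earlier definition win silently, while the new check in util_sid.c is only sound if this value equals the number of elements in the SID's sub-authority array. A comment stating that dependency, e.g. `/* fallback only; must equal the size of DOM_SID.sub_auths[] */`, and naming the header that holds the canonical definition would make it explicit. The array declaration is not part of this patch, so the relationship is inferred and should be confirmed against the struct definition.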
Modified: branches/samba/lenny/debian/patches/series
===================================================================
--- branches/samba/lenny/debian/patches/series 2010-09-14 20:01:55 UTC (rev 3590)
+++ branches/samba/lenny/debian/patches/series 2010-09-14 20:28:01 UTC (rev 3591)
@@ -44,3 +44,4 @@
bug_575951_upstream_6697.patch
bug_538819_upstream_7021.patch
security-CVE-2010-2063.patch
+security-CVE-2010-3069.patch