[Pkg-samba-maint] r3592 - in trunk/samba: . docs-xml/smbdotconf/protocol libcli/security packaging/RHEL packaging/RHEL-CTDB source3 source3/include source3/lib source3/libads source3/libsmb source3/smbd

bubulle at alioth.debian.org bubulle at alioth.debian.org
Tue Sep 14 20:59:26 UTC 2010


Author: bubulle
Date: 2010-09-14 20:59:06 +0000 (Tue, 14 Sep 2010)
New Revision: 3592

Modified:
   trunk/samba/WHATSNEW.txt
   trunk/samba/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml
   trunk/samba/libcli/security/dom_sid.c
   trunk/samba/libcli/security/dom_sid.h
   trunk/samba/packaging/RHEL-CTDB/samba.spec
   trunk/samba/packaging/RHEL/makerpms.sh
   trunk/samba/packaging/RHEL/samba.spec
   trunk/samba/source3/VERSION
   trunk/samba/source3/include/version.h
   trunk/samba/source3/lib/util_sid.c
   trunk/samba/source3/libads/ldap.c
   trunk/samba/source3/libsmb/cliquota.c
   trunk/samba/source3/smbd/nttrans.c
Log:
Merge upstream 3.5.5

Modified: trunk/samba/WHATSNEW.txt
===================================================================
--- trunk/samba/WHATSNEW.txt	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/WHATSNEW.txt	2010-09-14 20:59:06 UTC (rev 3592)
@@ -1,4 +1,59 @@
                    =============================
+                   Release Notes for Samba 3.5.5
+			 September 14, 2010
+                   =============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o  CVE-2010-3069:
+   All current released versions of Samba are vulnerable to
+   a buffer overrun vulnerability. The sid_parse() function
+   (and related dom_sid_parse() function in the source4 code)
+   do not correctly check their input lengths when reading a
+   binary representation of a Windows SID (Security ID). This
+   allows a malicious client to send a sid that can overflow
+   the stack variable that is being used to store the SID in the
+   Samba smbd server.
+
+
+Changes since 3.5.4
+--------------------
+
+
+o   Jeremy Allison <jra at samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
+
+
+o   Andrew Bartlett <abartlet at samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 3.5.4
 			   June 23, 2010
                    =============================
@@ -88,9 +143,9 @@
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
+
                    =============================
                    Release Notes for Samba 3.5.3
 			    May 19, 2010

Modified: trunk/samba/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml
===================================================================
--- trunk/samba/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml	2010-09-14 20:59:06 UTC (rev 3592)
@@ -6,7 +6,7 @@
 <description>
     <para>
 	This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
-	<manvolnum>8</manvolnum></citerefentry>maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum
+	<manvolnum>8</manvolnum></citerefentry> maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum
 	allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX
 	ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any
 	POSIX ACE entry of "rwx" will be returned as the specific Windows ACL bits representing read, write and

Modified: trunk/samba/libcli/security/dom_sid.c
===================================================================
--- trunk/samba/libcli/security/dom_sid.c	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/libcli/security/dom_sid.c	2010-09-14 20:59:06 UTC (rev 3592)
@@ -117,6 +117,10 @@
 		if (sidstr[i] == '-') num_sub_auths++;
 	}
 
+	if (num_sub_auths > MAXSUBAUTHS) {
+		return false;
+	}
+
 	ret->sid_rev_num = rev;
 	ret->id_auth[0] = 0;
 	ret->id_auth[1] = 0;
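Review bot: The new bound on num_sub_auths only protects the structure if MAXSUBAUTHS equals the capacity of the sub-authority array in struct dom_sid, and nothing in this hunk or in the dom_sid.h hunk ties the two together; the header introduces the constant under `#ifndef MAXSUBAUTHS`, so any translation unit that sees a different definition first would have this parser enforce a different bound than the array it fills. A compile-time assertion next to the structure, where the build's compiler allows one, or at least a comment on the definition such as `/* Must equal the number of entries in struct dom_sid's sub-authority array; the parsers bound-check against it. */` would make the invariant explicit. The counting loop that feeds num_sub_auths starts before this hunk and the rest of the function follows it, so whether only the dashes after the identifier authority are counted is not visible here.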

Modified: trunk/samba/libcli/security/dom_sid.h
===================================================================
--- trunk/samba/libcli/security/dom_sid.h	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/libcli/security/dom_sid.h	2010-09-14 20:59:06 UTC (rev 3592)
@@ -40,5 +40,9 @@
 		       const struct dom_sid *sid);
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
 
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
 #endif /*_DOM_SID_H_*/
 

Modified: trunk/samba/packaging/RHEL/makerpms.sh
===================================================================
--- trunk/samba/packaging/RHEL/makerpms.sh	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/packaging/RHEL/makerpms.sh	2010-09-14 20:59:06 UTC (rev 3592)
@@ -20,7 +20,7 @@
 
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.5.4'
+VERSION='3.5.5'
 REVISION=''
 SPECFILE="samba.spec"
 RPMVER=`rpm --version | awk '{print $3}'`

Modified: trunk/samba/packaging/RHEL/samba.spec
===================================================================
--- trunk/samba/packaging/RHEL/samba.spec	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/packaging/RHEL/samba.spec	2010-09-14 20:59:06 UTC (rev 3592)
@@ -5,7 +5,7 @@
 Vendor: Samba Team
 Packager: Samba Team <samba at samba.org>
 Name:         samba
-Version:      3.5.4
+Version:      3.5.5
 Release:      1
 Epoch:        0
 License: GNU GPL version 3

Modified: trunk/samba/packaging/RHEL-CTDB/samba.spec
===================================================================
--- trunk/samba/packaging/RHEL-CTDB/samba.spec	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/packaging/RHEL-CTDB/samba.spec	2010-09-14 20:59:06 UTC (rev 3592)
@@ -5,7 +5,7 @@
 Vendor: Samba Team
 Packager: Samba Team <samba at samba.org>
 Name:         samba
-Version:      3.5.4
+Version:      3.5.5
 Release:      1GITHASH
 Epoch:        0
 License: GNU GPL version 3

Modified: trunk/samba/source3/VERSION
===================================================================
--- trunk/samba/source3/VERSION	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/source3/VERSION	2010-09-14 20:59:06 UTC (rev 3592)
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 ########################################################
 # Bug fix releases use a letter for the patch revision #

Modified: trunk/samba/source3/include/version.h
===================================================================
--- trunk/samba/source3/include/version.h	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/source3/include/version.h	2010-09-14 20:59:06 UTC (rev 3592)
@@ -1,8 +1,8 @@
 /* Autogenerated by script/mkversion.sh */
 #define SAMBA_VERSION_MAJOR 3
 #define SAMBA_VERSION_MINOR 5
-#define SAMBA_VERSION_RELEASE 4
-#define SAMBA_VERSION_OFFICIAL_STRING "3.5.4"
+#define SAMBA_VERSION_RELEASE 5
+#define SAMBA_VERSION_OFFICIAL_STRING "3.5.5"
 #ifdef SAMBA_VERSION_VENDOR_FUNCTION
 #  define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
 #else /* SAMBA_VERSION_VENDOR_FUNCTION */

Modified: trunk/samba/source3/lib/util_sid.c
===================================================================
--- trunk/samba/source3/lib/util_sid.c	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/source3/lib/util_sid.c	2010-09-14 20:59:06 UTC (rev 3592)
@@ -408,6 +408,9 @@
 
 	sid->sid_rev_num = CVAL(inbuf, 0);
 	sid->num_auths = CVAL(inbuf, 1);
+	if (sid->num_auths > MAXSUBAUTHS) {
+		return false;
+	}
 	memcpy(sid->id_auth, inbuf+2, 6);
 	if (len < 8 + sid->num_auths*4)
 		return False;

Modified: trunk/samba/source3/libads/ldap.c
===================================================================
--- trunk/samba/source3/libads/ldap.c	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/source3/libads/ldap.c	2010-09-14 20:59:06 UTC (rev 3592)
@@ -2141,7 +2141,9 @@
 	for (i=0; values[i]; i++) {
 		DOM_SID sid;
 		fstring tmp;
-		sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+		if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+			continue;
+		}
 		printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
 	}
 }
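Review bot: A value that fails to parse is now dropped without any trace, because the `continue` skips the printf entirely, so a dump of this attribute can show fewer entries than the directory returned with nothing indicating why. Since this loop exists to print what the server sent back, emitting a marker is more useful for diagnosis than silently skipping, e.g. `printf("%s: <invalid SID, %lu bytes>\n", field, (unsigned long)values[i]->bv_len);` in place of the bare `continue`. The enclosing function's signature lies before the hunk.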

Modified: trunk/samba/source3/libsmb/cliquota.c
===================================================================
--- trunk/samba/source3/libsmb/cliquota.c	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/source3/libsmb/cliquota.c	2010-09-14 20:59:06 UTC (rev 3592)
@@ -111,7 +111,9 @@
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(rdata+40,sid_len,&qt.sid);
+	if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+		return false;
+	}
 
 	qt.qtype = SMB_USER_QUOTA_TYPE;
 

Modified: trunk/samba/source3/smbd/nttrans.c
===================================================================
--- trunk/samba/source3/smbd/nttrans.c	2010-09-14 20:28:01 UTC (rev 3591)
+++ trunk/samba/source3/smbd/nttrans.c	2010-09-14 20:59:06 UTC (rev 3592)
@@ -2161,7 +2161,11 @@
 		/* unknown 4 bytes: this is not the length of the sid :-(  */
 		/*unknown = IVAL(pdata,0);*/
 
-		sid_parse(pdata+4,sid_len,&sid);
+		if (!sid_parse(pdata+4,sid_len,&sid)) {
+			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+			return;
+		}
+
 		DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 
 		if (!sid_to_uid(&sid, &uid)) {
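Review bot: A client that sends an unparseable SID is now refused with NT_STATUS_INVALID_PARAMETER but nothing is logged, here and at the two matching blocks later in this file (the `pdata+8` and `pdata+40` call sites), so an operator cannot tell a malformed request from a defect elsewhere in the protocol path. A debug line before the reply, e.g. `DEBUG(3, ("sid_parse failed on client-supplied SID (sid_len=%u)\n", (unsigned)sid_len));`, keeps the rejection visible at a level consistent with the surrounding diagnostics. As in cliquota.c, the check relies on `sid_len` having been bounded by the request's data count before this point, which is outside the hunk; each enclosing function starts and ends outside its hunk.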
@@ -2417,7 +2421,10 @@
 				break;
 			}
 
-			sid_parse(pdata+8,sid_len,&sid);
+			if (!sid_parse(pdata+8,sid_len,&sid)) {
+				reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+				return;
+			}
 
 			if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
 				ZERO_STRUCT(qt);
@@ -2598,7 +2605,11 @@
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(pdata+40,sid_len,&sid);
+	if (!sid_parse(pdata+40,sid_len,&sid)) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
 	DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 
 	/* 44 unknown bytes left... */




