[Pkg-samba-maint] r3599 - in branches/samba/squeeze: . debian libcli/security packaging/RHEL packaging/RHEL-CTDB source3 source3/include source3/lib source3/libads source3/libsmb source3/smbd
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Wed Sep 15 18:05:33 UTC 2010
tags 596891 pending
thanks
Author: bubulle
Date: 2010-09-15 18:05:21 +0000 (Wed, 15 Sep 2010)
New Revision: 3599
Modified:
branches/samba/squeeze/WHATSNEW.txt
branches/samba/squeeze/debian/changelog
branches/samba/squeeze/libcli/security/dom_sid.c
branches/samba/squeeze/libcli/security/dom_sid.h
branches/samba/squeeze/packaging/RHEL-CTDB/samba.spec
branches/samba/squeeze/packaging/RHEL/makerpms.sh
branches/samba/squeeze/packaging/RHEL/samba.spec
branches/samba/squeeze/source3/VERSION
branches/samba/squeeze/source3/include/version.h
branches/samba/squeeze/source3/lib/util_sid.c
branches/samba/squeeze/source3/libads/ldap.c
branches/samba/squeeze/source3/libsmb/cliquota.c
branches/samba/squeeze/source3/smbd/nttrans.c
Log:
Merge diff between 3.4.8 and 3.4.9
Modified: branches/samba/squeeze/WHATSNEW.txt
===================================================================
--- branches/samba/squeeze/WHATSNEW.txt 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/WHATSNEW.txt 2010-09-15 18:05:21 UTC (rev 3599)
@@ -1,4 +1,59 @@
=============================
+ Release Notes for Samba 3.4.9
+ September 14, 2010
+ =============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o CVE-2010-3069:
+ All current released versions of Samba are vulnerable to
+ a buffer overrun vulnerability. The sid_parse() function
+ (and related dom_sid_parse() function in the source4 code)
+ do not correctly check their input lengths when reading a
+ binary representation of a Windows SID (Security ID). This
+ allows a malicious client to send a sid that can overflow
+ the stack variable that is being used to store the SID in the
+ Samba smbd server.
+
+
+Changes since 3.4.8
+-------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 3.4.8
May 11, 2010
=============================
@@ -116,9 +171,9 @@
======================================================================
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 3.4.7
March 8, 2010
Modified: branches/samba/squeeze/debian/changelog
===================================================================
--- branches/samba/squeeze/debian/changelog 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/debian/changelog 2010-09-15 18:05:21 UTC (rev 3599)
@@ -1,3 +1,11 @@
+samba (2:3.4.9~dfsg-1) UNRELEASED; urgency=low
+
+ * New upstream release. Security release fixing:
+ - CVE-2019-3069: Buffer overrun vulnerability in sid_parse.
+ Closes: #596891.
+
+ -- Christian Perrier <bubulle at debian.org> Wed, 15 Sep 2010 20:03:40 +0200
+
samba (2:3.4.8~dfsg-2) unstable; urgency=low
[ Steve Langasek ]
Modified: branches/samba/squeeze/libcli/security/dom_sid.c
===================================================================
--- branches/samba/squeeze/libcli/security/dom_sid.c 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/libcli/security/dom_sid.c 2010-09-15 18:05:21 UTC (rev 3599)
@@ -117,6 +117,10 @@
if (sidstr[i] == '-') num_sub_auths++;
}
+ if (num_sub_auths > MAXSUBAUTHS) {
+ return false;
+ }
+
ret->sid_rev_num = rev;
ret->id_auth[0] = 0;
ret->id_auth[1] = 0;
Modified: branches/samba/squeeze/libcli/security/dom_sid.h
===================================================================
--- branches/samba/squeeze/libcli/security/dom_sid.h 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/libcli/security/dom_sid.h 2010-09-15 18:05:21 UTC (rev 3599)
@@ -40,5 +40,9 @@
const struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
#endif /*_DOM_SID_H_*/
Modified: branches/samba/squeeze/packaging/RHEL/makerpms.sh
===================================================================
--- branches/samba/squeeze/packaging/RHEL/makerpms.sh 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/packaging/RHEL/makerpms.sh 2010-09-15 18:05:21 UTC (rev 3599)
@@ -20,7 +20,7 @@
USERID=`id -u`
GRPID=`id -g`
-VERSION='3.4.8'
+VERSION='3.4.9'
REVISION=''
SPECFILE="samba.spec"
RPMVER=`rpm --version | awk '{print $3}'`
Modified: branches/samba/squeeze/packaging/RHEL/samba.spec
===================================================================
--- branches/samba/squeeze/packaging/RHEL/samba.spec 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/packaging/RHEL/samba.spec 2010-09-15 18:05:21 UTC (rev 3599)
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba at samba.org>
Name: samba
-Version: 3.4.8
+Version: 3.4.9
Release: 1
Epoch: 0
License: GNU GPL version 3
Modified: branches/samba/squeeze/packaging/RHEL-CTDB/samba.spec
===================================================================
--- branches/samba/squeeze/packaging/RHEL-CTDB/samba.spec 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/packaging/RHEL-CTDB/samba.spec 2010-09-15 18:05:21 UTC (rev 3599)
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba at samba.org>
Name: samba
-Version: 3.4.8
+Version: 3.4.9
Release: ctdb.1
Epoch: 0
License: GNU GPL version 3
Modified: branches/samba/squeeze/source3/VERSION
===================================================================
--- branches/samba/squeeze/source3/VERSION 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/source3/VERSION 2010-09-15 18:05:21 UTC (rev 3599)
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
########################################################
# Bug fix releases use a letter for the patch revision #
Modified: branches/samba/squeeze/source3/include/version.h
===================================================================
--- branches/samba/squeeze/source3/include/version.h 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/source3/include/version.h 2010-09-15 18:05:21 UTC (rev 3599)
@@ -1,8 +1,8 @@
/* Autogenerated by script/mkversion.sh */
#define SAMBA_VERSION_MAJOR 3
#define SAMBA_VERSION_MINOR 4
-#define SAMBA_VERSION_RELEASE 8
-#define SAMBA_VERSION_OFFICIAL_STRING "3.4.8"
+#define SAMBA_VERSION_RELEASE 9
+#define SAMBA_VERSION_OFFICIAL_STRING "3.4.9"
#ifdef SAMBA_VERSION_VENDOR_FUNCTION
# define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
#else /* SAMBA_VERSION_VENDOR_FUNCTION */
Modified: branches/samba/squeeze/source3/lib/util_sid.c
===================================================================
--- branches/samba/squeeze/source3/lib/util_sid.c 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/source3/lib/util_sid.c 2010-09-15 18:05:21 UTC (rev 3599)
@@ -408,6 +408,9 @@
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
Modified: branches/samba/squeeze/source3/libads/ldap.c
===================================================================
--- branches/samba/squeeze/source3/libads/ldap.c 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/source3/libads/ldap.c 2010-09-15 18:05:21 UTC (rev 3599)
@@ -2128,7 +2128,9 @@
for (i=0; values[i]; i++) {
DOM_SID sid;
fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
}
}
Modified: branches/samba/squeeze/source3/libsmb/cliquota.c
===================================================================
--- branches/samba/squeeze/source3/libsmb/cliquota.c 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/source3/libsmb/cliquota.c 2010-09-15 18:05:21 UTC (rev 3599)
@@ -117,7 +117,9 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
qt.qtype = SMB_USER_QUOTA_TYPE;
Modified: branches/samba/squeeze/source3/smbd/nttrans.c
===================================================================
--- branches/samba/squeeze/source3/smbd/nttrans.c 2010-09-15 09:48:04 UTC (rev 3598)
+++ branches/samba/squeeze/source3/smbd/nttrans.c 2010-09-15 18:05:21 UTC (rev 3599)
@@ -2080,7 +2080,11 @@
/* unknown 4 bytes: this is not the length of the sid :-( */
/*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
if (!sid_to_uid(&sid, &uid)) {
@@ -2336,7 +2340,10 @@
break;
}
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
ZERO_STRUCT(qt);
@@ -2517,7 +2524,11 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
/* 44 unknown bytes left... */
More information about the Pkg-samba-maint
mailing list