[Pkg-samba-maint] r4045 - in branches/samba/squeeze/debian: . patches
bubulle at alioth.debian.org
bubulle at alioth.debian.org
Thu Apr 12 20:35:52 UTC 2012
Author: bubulle
Date: 2012-04-12 20:35:52 +0000 (Thu, 12 Apr 2012)
New Revision: 4045
Added:
branches/samba/squeeze/debian/patches/security-CVE-2012-1182.patch
Modified:
branches/samba/squeeze/debian/changelog
branches/samba/squeeze/debian/control
branches/samba/squeeze/debian/patches/series
branches/samba/squeeze/debian/rules
Log:
Security update, fixing CVE-2012-1182: PIDL based autogenerated code
allows overwriting beyond of allocated array
Modified: branches/samba/squeeze/debian/changelog
===================================================================
--- branches/samba/squeeze/debian/changelog 2012-04-12 19:45:44 UTC (rev 4044)
+++ branches/samba/squeeze/debian/changelog 2012-04-12 20:35:52 UTC (rev 4045)
@@ -1,3 +1,10 @@
+samba (2:3.5.6~dfsg-3squeeze7) stable-security; urgency=high
+
+ * Security update, fixing CVE-2012-1182: PIDL based autogenerated code
+ allows overwriting beyond of allocated array
+
+ -- Jelmer Vernooij <jelmer at debian.org> Thu, 10 Apr 2012 23:58:49 +0200
+
samba (2:3.5.6~dfsg-3squeeze6) stable-proposed-updates; urgency=low
* Allow using unencrypted passwords with Windows clients that
Modified: branches/samba/squeeze/debian/control
===================================================================
--- branches/samba/squeeze/debian/control 2012-04-12 19:45:44 UTC (rev 4044)
+++ branches/samba/squeeze/debian/control 2012-04-12 20:35:52 UTC (rev 4045)
@@ -6,6 +6,7 @@
Build-Depends: debhelper (>= 6.0.7~), libpam0g-dev, libreadline-dev,
libcups2-dev | libcupsys2-dev,
libacl1-dev [alpha amd64 arm armeb armel avr32 hppa i386 ia64 lpia m32r m68k mips mipsel powerpc ppc64 s390 s390x sh3 sh3eb sh4 sh4eb sparc],
+ libparse-yapp-perl,
libkrb5-dev, libldap2-dev, po-debconf, libpopt-dev, uuid-dev,
libtalloc-dev (>= 2.0.1-1~bpo50+1),
libcap2-dev [alpha amd64 arm armeb armel avr32 hppa i386 ia64 lpia m32r m68k mips mipsel powerpc ppc64 s390 s390x sh3 sh3eb sh4 sh4eb sparc],
Added: branches/samba/squeeze/debian/patches/security-CVE-2012-1182.patch
===================================================================
--- branches/samba/squeeze/debian/patches/security-CVE-2012-1182.patch (rev 0)
+++ branches/samba/squeeze/debian/patches/security-CVE-2012-1182.patch 2012-04-12 20:35:52 UTC (rev 4045)
@@ -0,0 +1,259 @@
+Author: Stefan Metzmacher <metze at samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=8815
+Description: Fix CVE-2012-1182: PIDL based autogenerated code allows overwriting beyond of allocated array
+
+Index: a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm
+===================================================================
+--- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm (revision 4039)
++++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm (working copy)
+@@ -315,39 +315,99 @@
+ }
+ }
+
+-#####################################################################
+-# parse an array - pull side
+-sub ParseArrayPullHeader($$$$$$)
++sub ParseArrayPullGetSize($$$$$$)
+ {
+ my ($self,$e,$l,$ndr,$var_name,$env) = @_;
+
+- my $length;
+ my $size;
+
+ if ($l->{IS_CONFORMANT}) {
+- $length = $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
++ $size = "ndr_get_array_size($ndr, " . get_pointer_to($var_name) . ")";
+ } elsif ($l->{IS_ZERO_TERMINATED} and $l->{SIZE_IS} == 0 and $l->{LENGTH_IS} == 0) { # Noheader arrays
+- $length = $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
++ $size = "ndr_get_string_size($ndr, sizeof(*$var_name))";
+ } else {
+- $length = $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
++ $size = ParseExprExt($l->{SIZE_IS}, $env, $e->{ORIGINAL},
+ check_null_pointer($e, $env, sub { $self->pidl(shift); },
+ "return ndr_pull_error($ndr, NDR_ERR_INVALID_POINTER, \"NULL Pointer for size_is()\");"),
+ check_fully_dereferenced($e, $env));
+ }
+
++ $self->pidl("size_$e->{NAME}_$l->{LEVEL_INDEX} = $size;");
++ my $array_size = "size_$e->{NAME}_$l->{LEVEL_INDEX}";
++
++ if (my $range = has_property($e, "range")) {
++ my ($low, $high) = split(/,/, $range, 2);
++ if ($low < 0) {
++ warning(0, "$low is invalid for the range of an array size");
++ }
++ if ($low == 0) {
++ $self->pidl("if ($array_size > $high) {");
++ } else {
++ $self->pidl("if ($array_size < $low || $array_size > $high) {");
++ }
++ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
++ $self->pidl("}");
++ }
++
++ return $array_size;
++}
++
++#####################################################################
++# parse an array - pull side
++sub ParseArrayPullGetLength($$$$$$;$)
++{
++ my ($self,$e,$l,$ndr,$var_name,$env,$array_size) = @_;
++
++ if (not defined($array_size)) {
++ $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
++ }
++
++ if (not $l->{IS_VARYING}) {
++ return $array_size;
++ }
++
++ my $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
++ $self->pidl("length_$e->{NAME}_$l->{LEVEL_INDEX} = $length;");
++ my $array_length = "length_$e->{NAME}_$l->{LEVEL_INDEX}";
++
++ if (my $range = has_property($e, "range")) {
++ my ($low, $high) = split(/,/, $range, 2);
++ if ($low < 0) {
++ warning(0, "$low is invalid for the range of an array size");
++ }
++ if ($low == 0) {
++ $self->pidl("if ($array_length > $high) {");
++ } else {
++ $self->pidl("if ($array_length < $low || $array_length > $high) {");
++ }
++ $self->pidl("\treturn ndr_pull_error($ndr, NDR_ERR_RANGE, \"value out of range\");");
++ $self->pidl("}");
++ }
++
++ return $array_length;
++}
++
++#####################################################################
++# parse an array - pull side
++sub ParseArrayPullHeader($$$$$$)
++{
++ my ($self,$e,$l,$ndr,$var_name,$env) = @_;
++
+ if ((!$l->{IS_SURROUNDING}) and $l->{IS_CONFORMANT}) {
+ $self->pidl("NDR_CHECK(ndr_pull_array_size($ndr, " . get_pointer_to($var_name) . "));");
+ }
+
+ if ($l->{IS_VARYING}) {
+ $self->pidl("NDR_CHECK(ndr_pull_array_length($ndr, " . get_pointer_to($var_name) . "));");
+- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
+ }
+
+- if ($length ne $size) {
+- $self->pidl("if ($length > $size) {");
++ my $array_size = $self->ParseArrayPullGetSize($e, $l, $ndr, $var_name, $env);
++ my $array_length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env, $array_size);
++
++ if ($array_length ne $array_size) {
++ $self->pidl("if ($array_length > $array_size) {");
+ $self->indent;
+- $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $size, $length);");
++ $self->pidl("return ndr_pull_error($ndr, NDR_ERR_ARRAY_SIZE, \"Bad array size %u should exceed array length %u\", $array_size, $array_length);");
+ $self->deindent;
+ $self->pidl("}");
+ }
+@@ -377,10 +437,10 @@
+ }
+
+ if (ArrayDynamicallyAllocated($e,$l) and not is_charset_array($e,$l)) {
+- $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$size);
++ $self->AllocateArrayLevel($e,$l,$ndr,$var_name,$array_size);
+ }
+
+- return $length;
++ return $array_length;
+ }
+
+ sub compression_alg($$)
+@@ -865,7 +925,10 @@
+
+ $self->pidl("NDR_CHECK(".TypeFunctionName("ndr_pull", $l->{DATA_TYPE})."($ndr, $ndr_flags, $var_name));");
+
+- if (my $range = has_property($e, "range")) {
++ my $pl = GetPrevLevel($e, $l);
++
++ my $range = has_property($e, "range");
++ if ($range and $pl->{TYPE} ne "ARRAY") {
+ $var_name = get_value_of($var_name);
+ my $signed = Parse::Pidl::Typelist::is_signed($l->{DATA_TYPE});
+ my ($low, $high) = split(/,/, $range, 2);
+@@ -996,6 +1059,7 @@
+ my($self,$e,$l,$ndr,$var_name,$env,$primitives,$deferred) = @_;
+
+ my $ndr_flags = CalcNdrFlags($l, $primitives, $deferred);
++ my $array_length = undef;
+
+ if ($l->{TYPE} eq "ARRAY" and ($l->{IS_VARYING} or $l->{IS_CONFORMANT})) {
+ $var_name = get_pointer_to($var_name);
+@@ -1009,6 +1073,7 @@
+ $self->ParseSubcontextPullEnd($e, $l, $ndr, $env);
+ } elsif ($l->{TYPE} eq "ARRAY") {
+ my $length = $self->ParseArrayPullHeader($e, $l, $ndr, $var_name, $env);
++ $array_length = $length;
+
+ my $nl = GetNextLevel($e, $l);
+
+@@ -1065,12 +1130,12 @@
+ }
+ } elsif ($l->{TYPE} eq "ARRAY" and
+ not has_fast_array($e,$l) and not is_charset_array($e, $l)) {
+- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
++ my $length = $array_length;
+ my $counter = "cntr_$e->{NAME}_$l->{LEVEL_INDEX}";
+ my $array_name = $var_name;
+
+- if ($l->{IS_VARYING}) {
+- $length = "ndr_get_array_length($ndr, " . get_pointer_to($var_name) .")";
++ if (not defined($length)) {
++ $length = $self->ParseArrayPullGetLength($e, $l, $ndr, $var_name, $env);
+ }
+
+ $var_name = get_array_element($var_name, $counter);
+@@ -1478,16 +1543,21 @@
+ }
+ }
+
+-sub DeclareArrayVariables($$)
++sub DeclareArrayVariables($$;$)
+ {
+- my ($self,$e) = @_;
++ my ($self,$e,$pull) = @_;
+
+ foreach my $l (@{$e->{LEVELS}}) {
++ next if ($l->{TYPE} ne "ARRAY");
++ if (defined($pull)) {
++ $self->pidl("uint32_t size_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
++ if ($l->{IS_VARYING}) {
++ $self->pidl("uint32_t length_$e->{NAME}_$l->{LEVEL_INDEX} = 0;");
++ }
++ }
+ next if has_fast_array($e,$l);
+ next if is_charset_array($e,$l);
+- if ($l->{TYPE} eq "ARRAY") {
+- $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+- }
++ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+ }
+ }
+
+@@ -1496,15 +1566,14 @@
+ my ($self,$e,$env) = @_;
+
+ foreach my $l (@{$e->{LEVELS}}) {
++ next if ($l->{TYPE} ne "ARRAY");
+ next if has_fast_array($e,$l);
+ next if is_charset_array($e,$l);
+- if ($l->{TYPE} eq "ARRAY") {
+- my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
+- if ($length eq "0") {
++ my $length = ParseExpr($l->{LENGTH_IS}, $env, $e->{ORIGINAL});
++ if ($length eq "0") {
+ warning($e->{ORIGINAL}, "pointless array cntr: 'cntr_$e->{NAME}_$l->{LEVEL_INDEX}': length=$length");
+- } else {
++ } else {
+ $self->pidl("uint32_t cntr_$e->{NAME}_$l->{LEVEL_INDEX};");
+- }
+ }
+ }
+ }
+@@ -1570,7 +1639,7 @@
+ # declare any internal pointers we need
+ foreach my $e (@{$struct->{ELEMENTS}}) {
+ $self->DeclarePtrVariables($e);
+- $self->DeclareArrayVariables($e);
++ $self->DeclareArrayVariables($e, "pull");
+ $self->DeclareMemCtxVariables($e);
+ }
+
+@@ -1814,8 +1883,6 @@
+
+ if ($el->{TYPE} ne "EMPTY") {
+ $self->indent;
+- $self->DeclarePtrVariables($el);
+- $self->DeclareArrayVariables($el);
+ if (defined($e->{PROPERTIES}{relative_base})) {
+ $self->pidl("NDR_CHECK(ndr_pull_align($ndr, $el->{ALIGN}));");
+ # set the current offset as base for relative pointers
+@@ -1892,6 +1959,8 @@
+ next if ($el->{TYPE} eq "EMPTY");
+ next if ($double_cases{"$el->{NAME}"});
+ $self->DeclareMemCtxVariables($el);
++ $self->DeclarePtrVariables($el);
++ $self->DeclareArrayVariables($el, "pull");
+ $double_cases{"$el->{NAME}"} = 1;
+ }
+
+@@ -2163,7 +2232,7 @@
+ # declare any internal pointers we need
+ foreach my $e (@{$fn->{ELEMENTS}}) {
+ $self->DeclarePtrVariables($e);
+- $self->DeclareArrayVariables($e);
++ $self->DeclareArrayVariables($e, "pull");
+ }
+
+ my %double_cases = ();
Modified: branches/samba/squeeze/debian/patches/series
===================================================================
--- branches/samba/squeeze/debian/patches/series 2012-04-12 19:45:44 UTC (rev 4044)
+++ branches/samba/squeeze/debian/patches/series 2012-04-12 20:35:52 UTC (rev 4045)
@@ -30,3 +30,4 @@
security-CVE-2011-2694.patch
security-CVE-2011-2522.patch
0001-s3-Fix-bug-8238-KB2536276-prevents-access-to-sha.patch
+security-CVE-2012-1182.patch
Modified: branches/samba/squeeze/debian/rules
===================================================================
--- branches/samba/squeeze/debian/rules 2012-04-12 19:45:44 UTC (rev 4044)
+++ branches/samba/squeeze/debian/rules 2012-04-12 20:35:52 UTC (rev 4045)
@@ -94,6 +94,7 @@
build-stamp:
dh_testdir
+ $(MAKE) -C source3 samba3-idl
$(MAKE) -C source3 # headers
$(MAKE) -C source3 everything
$(MAKE) -C source3 nsswitch
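Review bot: The added `samba3-idl` step is the only thing that makes the Parser.pm patch reach the shipped binaries, since the generator change by itself does nothing until the NDR marshalling sources are regenerated; that coupling is not obvious from the rule and deserves a comment above the line, e.g. `# regenerate NDR code so the pidl fix for CVE-2012-1182 takes effect`. It is also worth confirming in the build log that the regenerated files actually differ from the pre-generated ones, and that the clean target (outside this hunk) restores them so repeated builds stay reproducible.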