[Pkg-samba-maint] [samba] 01/04: add patch for CVE-2014-0178

Ivo De Decker ivodd at moszumanska.debian.org
Mon Jun 23 16:04:27 UTC 2014


This is an automated email from the git hooks/post-receive script.

ivodd pushed a commit to branch wheezy
in repository samba.

commit 5350accd7bf68effe342c0b1dbb15c9aaff5dc65
Author: Ivo De Decker <ivo.dedecker at ugent.be>
Date:   Sun Jun 22 00:02:11 2014 +0200

    add patch for CVE-2014-0178
    
    Uninitialized memory exposure when handling shadow_copy data
---
 debian/changelog                            |  8 +++
 debian/patches/security-CVE-2014-0178.patch | 82 +++++++++++++++++++++++++++++
 debian/patches/series                       |  1 +
 3 files changed, 91 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d37386b..40f9cbc 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.6.6-6+deb7u4) UNRELEASED; urgency=high
+
+  * Security update
+  * CVE-2014-0178: Uninitialized memory exposure when handling shadow_copy
+    data
+
+ -- Ivo De Decker <ivo.dedecker at ugent.be>  Sun, 22 Jun 2014 00:00:38 +0200
+
 samba (2:3.6.6-6+deb7u3) wheezy; urgency=medium
 
   * Security update
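Review bot: The new changelog entry at the top of this hunk describes only the uninitialized memory exposure, but the patch file added in this commit also carries a second upstream change ("Don't return 4 extra bytes at end") that alters the length of the FSCTL_GET_SHADOW_COPY_DATA reply. Suggest adding a line that names debian/patches/security-CVE-2014-0178.patch and says it bundles both upstream commits, so the behaviour change can be traced from the changelog. The distribution is still UNRELEASED and has to be set to the target suite before upload.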
diff --git a/debian/patches/security-CVE-2014-0178.patch b/debian/patches/security-CVE-2014-0178.patch
new file mode 100644
index 0000000..db4963d
--- /dev/null
+++ b/debian/patches/security-CVE-2014-0178.patch
@@ -0,0 +1,82 @@
+From 080973527097de29261b4f17a976155dae4b1d5c Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <christof.schmitt at us.ibm.com>
+Date: Mon, 5 Aug 2013 11:16:22 -0700
+Subject: [PATCH 1/2] FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to
+ zero
+
+Otherwise num_volumes and the end marker can return uninitialized data
+to the client.
+
+Signed-off-by: Christof Schmitt <christof.schmitt at us.ibm.com>
+Reviewed-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Simo Sorce <idra at samba.org>
+(cherry picked from commit 30e724cbff1ecd90e5a676831902d1e41ec1b347)
+[ddiss at samba.org: rebased on 3.6, where fsctl code is in nttrans.c]
+---
+ source3/smbd/nttrans.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
+index 4c145e0..88415aa 100644
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -2313,7 +2313,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
+ 			return NT_STATUS_BUFFER_TOO_SMALL;
+ 		}
+ 
+-		cur_pdata = talloc_array(ctx, char, *out_len);
++		cur_pdata = talloc_zero_array(ctx, char, *out_len);
+ 		if (cur_pdata == NULL) {
+ 			TALLOC_FREE(shadow_data);
+ 			return NT_STATUS_NO_MEMORY;
+-- 
+1.8.4.5
+
+
+From 06c7fc330f8743f98abd7d07535ff541f6e4c264 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <christof.schmitt at us.ibm.com>
+Date: Mon, 5 Aug 2013 11:21:59 -0700
+Subject: [PATCH 2/2] FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at
+ end
+
+labels_data_count already accounts for the unicode null character at the
+end of the array. There is no need in adding space for it again.
+
+Signed-off-by: Christof Schmitt <christof.schmitt at us.ibm.com>
+Reviewed-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Simo Sorce <idra at samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra at samba.org>
+Autobuild-Date(master): Tue Aug  6 04:03:17 CEST 2013 on sn-devel-104
+
+(cherry picked from commit eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696)
+[ddiss at samba.org: rebased on 3.6, where fsctl code is in nttrans.c]
+---
+ source3/smbd/nttrans.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c
+index 88415aa..b9a6620 100644
+--- a/source3/smbd/nttrans.c
++++ b/source3/smbd/nttrans.c
+@@ -2303,7 +2303,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
+ 		if (!labels) {
+ 			*out_len = 16;
+ 		} else {
+-			*out_len = 12 + labels_data_count + 4;
++			*out_len = 12 + labels_data_count;
+ 		}
+ 
+ 		if (max_out_len < *out_len) {
+@@ -2330,7 +2330,7 @@ NTSTATUS smb_fsctl(struct files_struct *fsp,
+ 		}
+ 
+ 		/* needed_data_count 4 bytes */
+-		SIVAL(cur_pdata, 8, labels_data_count + 4);
++		SIVAL(cur_pdata, 8, labels_data_count);
+ 
+ 		cur_pdata += 12;
+ 
+-- 
+1.8.4.5
+
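Review bot: In the second embedded patch, the new line "*out_len = 12 + labels_data_count;" is correct only if labels_data_count already includes the terminating unicode null on the 3.6 code base, as the commit message states, and the code that computes labels_data_count is not in the visible context. Since both commits were rebased from master onto nttrans.c, please confirm that computation is unchanged here; if it is not, the buffer would be too short for the end marker. Separately, the unchanged "*out_len = 16;" branch for the !labels case leaves 4 bytes beyond the 12-byte header (see "cur_pdata += 12;") that the visible lines do not show being written, so that branch relies on talloc_zero_array from the first patch to avoid returning stale heap bytes. A short note in the patch header saying the two changes must be applied together would help anyone cherry-picking them separately.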
diff --git a/debian/patches/series b/debian/patches/series
index 16929b6..90acf3e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -29,3 +29,4 @@ security-CVE-2013-4475.patch
 security-CVE-2013-4408.patch
 security-CVE-2012-6150.patch
 security-CVE-2013-4496.patch
+security-CVE-2014-0178.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



