|
|
Author: ssorce
Update of /cvs/dist/rpms/samba/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv12666
Modified Files:
samba.spec
Added Files:
samba-3.0.24-CVE-2007-4572.patch samba-CVE-2007-5398.patch
Log Message:
* Thu Nov 15 2007 Simo Sorce <ssorce@xxxxxxxxxx> 3.0.24-8.fc6
- Fix CVE-2007-4572
- Fix CVE-2007-5398
samba-3.0.24-CVE-2007-4572.patch:
lib/charcnv.c | 4 +-
libsmb/ntlmssp_parse.c | 3 +
nmbd/nmbd_processlogon.c | 89 ++++++++++++++++++++++++++++++++++++++++-------
smbd/lanman.c | 2 -
4 files changed, 81 insertions(+), 17 deletions(-)
--- NEW FILE samba-3.0.24-CVE-2007-4572.patch ---
--- samba-3.0.24/source/nmbd/nmbd_processlogon.c.orig 2005-02-25
12:59:38.000000000 -0500
+++ samba-3.0.24/source/nmbd/nmbd_processlogon.c 2007-11-15
11:15:30.000000000 -0500
@@ -135,7 +135,9 @@
fstrcpy(reply_name, "\\\\");
fstrcat(reply_name, my_name);
- push_ascii_fstring(q, reply_name);
+ push_ascii(q,reply_name,
+ sizeof(outbuf)-PTR_DIFF(q,
outbuf),
+ STR_TERMINATE);
q = skip_string(q, 1); /* PDC name */
SSVAL(q, 0, token);
@@ -231,7 +233,9 @@
q += 2;
fstrcpy(reply_name,my_name);
- push_ascii_fstring(q, reply_name);
+ push_ascii(q, reply_name,
+ sizeof(outbuf)-PTR_DIFF(q,
outbuf),
+ STR_TERMINATE);
q = skip_string(q, 1); /* PDC name */
/* PDC and domain name */
@@ -239,8 +243,15 @@
/* Make a full reply */
q = ALIGN2(q, outbuf);
- q += dos_PutUniCode(q, my_name,
sizeof(pstring), True); /* PDC name */
- q += dos_PutUniCode(q,
lp_workgroup(),sizeof(pstring), True); /* Domain name*/
+ q += dos_PutUniCode(q, my_name,
+ sizeof(outbuf) - PTR_DIFF(q,
outbuf),
+ True); /* PDC name */
+ q += dos_PutUniCode(q, lp_workgroup(),
+ sizeof(outbuf) - PTR_DIFF(q,
outbuf),
+ True); /* Domain name*/
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 8) {
+ return;
+ }
SIVAL(q, 0, 1); /* our nt version */
SSVAL(q, 4, 0xffff); /* our lmnttoken */
SSVAL(q, 6, 0xffff); /* our lm20token */
@@ -376,9 +387,15 @@
q += 2;
- q += dos_PutUniCode(q,
reply_name,sizeof(pstring), True);
- q += dos_PutUniCode(q, ascuser,
sizeof(pstring), True);
- q += dos_PutUniCode(q,
lp_workgroup(),sizeof(pstring), True);
+ q += dos_PutUniCode(q, reply_name,
+ sizeof(outbuf) - PTR_DIFF(q,
outbuf),
+ True);
+ q += dos_PutUniCode(q, ascuser,
+ sizeof(outbuf) - PTR_DIFF(q,
outbuf),
+ True);
+ q += dos_PutUniCode(q, lp_workgroup(),
+ sizeof(outbuf) - PTR_DIFF(q,
outbuf),
+ True);
}
#ifdef HAVE_ADS
else {
@@ -394,6 +411,9 @@
get_mydnsdomname(domain);
get_myname(hostname);
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 8) {
+ return;
+ }
if (SVAL(uniuser, 0) == 0) {
SIVAL(q, 0, SAMLOGON_AD_UNK_R);
/* user unknown */
} else {
@@ -406,6 +426,9 @@
q += 4;
/* Push Domain GUID */
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < UUID_FLAT_SIZE) {
+ return;
+ }
if (False ==
secrets_fetch_domain_guid(domain, &domain_guid)) {
DEBUG(2, ("Could not fetch
DomainGUID for %s\n", domain));
return;
@@ -421,12 +444,20 @@
q1 = q;
while ((component = strtok(dc, "."))) {
dc = NULL;
- size = push_ascii(&q[1],
component, -1, 0);
+ if (sizeof(outbuf) -
PTR_DIFF(q, outbuf) < 1) {
+ return;
+ }
+ size = push_ascii(&q[1],
component,
+ sizeof(outbuf) -
PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
}
/* Unk0 */
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 4) {
+ return;
+ }
SCVAL(q, 0, 0);
q++;
@@ -436,44 +467,72 @@
q += 2;
/* Hostname */
- size = push_ascii(&q[1], hostname, -1,
0);
+ size = push_ascii(&q[1], hostname,
+ sizeof(outbuf) -
PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
+
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 3) {
+ return;
+ }
+
SCVAL(q, 0, 0xc0 | ((str_offset >> 8) &
0x3F));
SCVAL(q, 1, str_offset & 0xFF);
q += 2;
/* NETBIOS of domain */
- size = push_ascii(&q[1],
lp_workgroup(), -1, STR_UPPER);
+ size = push_ascii(&q[1], lp_workgroup(),
+ sizeof(outbuf) -
PTR_DIFF(q+1, outbuf),
+ STR_UPPER);
SCVAL(q, 0, size);
q += (size + 1);
/* Unk1 */
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 2) {
+ return;
+ }
SCVAL(q, 0, 0);
q++;
/* NETBIOS of hostname */
- size = push_ascii(&q[1], my_name, -1,
0);
+ size = push_ascii(&q[1], my_name,
+ sizeof(outbuf) -
PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
/* Unk2 */
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 4) {
+ return;
+ }
SCVAL(q, 0, 0);
q++;
/* User name */
if (SVAL(uniuser, 0) != 0) {
- size = push_ascii(&q[1],
ascuser, -1, 0);
+ size = push_ascii(&q[1],
ascuser,
+ sizeof(outbuf) -
PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
}
q_orig = q;
/* Site name */
- size = push_ascii(&q[1],
"Default-First-Site-Name", -1, 0);
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 1) {
+ return;
+ }
+ size = push_ascii(&q[1],
"Default-First-Site-Name",
+ sizeof(outbuf) -
PTR_DIFF(q+1, outbuf),
+ 0);
SCVAL(q, 0, size);
q += (size + 1);
+ if (sizeof(outbuf) - PTR_DIFF(q,
outbuf) < 18) {
+ return;
+ }
+
/* Site name (2) */
str_offset = q - q_orig;
SCVAL(q, 0, 0xc0 | ((str_offset >> 8) &
0x3F));
@@ -494,6 +553,10 @@
}
#endif
+ if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+ return;
+ }
+
/* tell the client what version we are */
SIVAL(q, 0, ((ntversion < 11) || (SEC_ADS !=
lp_security())) ? 1 : 13);
/* our ntversion */
--- samba-3.0.24/source/lib/charcnv.c.orig 2007-11-15 11:11:52.000000000
-0500
+++ samba-3.0.24/source/lib/charcnv.c 2007-11-15 11:14:21.000000000 -0500
@@ -855,9 +855,9 @@
size_t src_len = strlen(src);
pstring tmpbuf;
- /* treat a pstring as "unlimited" length */
+ /* No longer allow a length of -1 */
if (dest_len == (size_t)-1)
- dest_len = sizeof(pstring);
+ smb_panic("push_ascii - dest_len == -1");
if (flags & STR_UPPER) {
pstrcpy(tmpbuf, src);
--- samba-3.0.24/source/smbd/lanman.c.orig 2007-02-04 13:59:13.000000000
-0500
+++ samba-3.0.24/source/smbd/lanman.c 2007-11-15 11:14:21.000000000 -0500
@@ -388,7 +388,7 @@
SIVAL(drivdata,0,sizeof drivdata); /* cb */
SIVAL(drivdata,4,1000); /* lVersion */
memset(drivdata+8,0,32); /* szDeviceName */
- push_ascii(drivdata+8,"NULL",-1, STR_TERMINATE);
+ push_ascii(drivdata+8,"NULL",32, STR_TERMINATE);
PACKl(desc,"l",drivdata,sizeof drivdata); /* pDriverData */
}
--- samba-3.0.24/source/libsmb/ntlmssp_parse.c.orig 2007-11-15
11:14:01.000000000 -0500
+++ samba-3.0.24/source/libsmb/ntlmssp_parse.c 2007-11-15 11:14:21.000000000
-0500
@@ -152,7 +152,8 @@
break;
case 'C':
s = va_arg(ap, char *);
- head_ofs += push_string(NULL, blob->data+head_ofs, s,
-1,
+ n = str_charnum(s) + 1;
+ head_ofs += push_string(NULL, blob->data+head_ofs, s, n,
STR_ASCII|STR_TERMINATE);
break;
}
samba-CVE-2007-5398.patch:
nmbd_packets.c | 6 ++++++
1 files changed, 6 insertions(+)
--- NEW FILE samba-CVE-2007-5398.patch ---
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index d49c8ba..b78ab5b 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -970,6 +970,12 @@ for id %hu\n", packet_type,
nmb_namestr(&orig_nmb->question.question_name),
nmb->answers->ttl = ttl;
if (data && len) {
+ if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+ DEBUG(5,("reply_netbios_packet: "
+ "invalid packet len (%d)\n",
+ len ));
+ return;
+ }
nmb->answers->rdlength = len;
memcpy(nmb->answers->rdata, data, len);
}
Index: samba.spec
===================================================================
RCS file: /cvs/dist/rpms/samba/FC-6/samba.spec,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- samba.spec 5 Jun 2007 13:52:30 -0000 1.79
+++ samba.spec 15 Nov 2007 16:22:20 -0000 1.80
@@ -3,7 +3,7 @@
Summary: The Samba SMB server.
Name: samba
Version: 3.0.24
-Release: 7%{?dist}
+Release: 8%{?dist}
Epoch: 0
License: GNU GPL Version 2
Group: System Environment/Daemons
@@ -57,6 +57,8 @@
Patch124: samba-3.0.24-smbrun.patch
Patch125: samba-3.0.24-nmbd_segv.patch
Patch126: samba-3.0.24-force_group_fix.patch
+Patch127: samba-3.0.24-CVE-2007-4572.patch
+Patch128: samba-CVE-2007-5398.patch
Requires: pam >= 0:0.64 %{auth} samba-common = %{epoch}:%{version}-%{release}
Requires: logrotate >= 0:3.4 initscripts >= 0:5.54-1
@@ -152,6 +154,8 @@
%patch124 -p0 -b .smbrun
%patch125 -p2 -b .nmbd_segv
%patch126 -p0 -b .force_group
+%patch127 -p1 -b .CVE-2007-4572
+%patch128 -p1 -b .2007-5398
# crap
rm -f examples/VFS/.cvsignore
@@ -472,7 +476,11 @@
%{_mandir}/man7/libsmbclient.7*
%changelog
-* Tue Jun 5 2007 Simo Sorce <ssorce@xxxxxxxxxx> 3.0.24-7.fc5
+* Thu Nov 15 2007 Simo Sorce <ssorce@xxxxxxxxxx> 3.0.24-8.fc6
+- Fix CVE-2007-4572
+- Fix CVE-2007-5398
+
+* Tue Jun 5 2007 Simo Sorce <ssorce@xxxxxxxxxx> 3.0.24-7.fc6
- CVE-2007-2447 patch v2
- CVE-2007-2444 patch v2
not security problems, just bugs in the patches
--
fedora-cvs-commits mailing list
fedora-cvs-commits@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-cvs-commits
|
|