[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

rpms/samba/FC-6 samba-3.0.24-CVE-2007-4572.patch, NONE, 1.1 samba-CVE-2007-5398.patch, NONE, 1.1 samba.spec, 1.79, 1.80

Author: ssorce

Update of /cvs/dist/rpms/samba/FC-6
In directory cvs.devel.redhat.com:/tmp/cvs-serv12666

Modified Files:
	samba.spec 
Added Files:
	samba-3.0.24-CVE-2007-4572.patch samba-CVE-2007-5398.patch 
Log Message:
* Thu Nov 15 2007 Simo Sorce <ssorce redhat com> 3.0.24-8.fc6
- Fix CVE-2007-4572
- Fix CVE-2007-5398


samba-3.0.24-CVE-2007-4572.patch:
 lib/charcnv.c            |    4 +-
 libsmb/ntlmssp_parse.c   |    3 +
 nmbd/nmbd_processlogon.c |   89 ++++++++++++++++++++++++++++++++++++++++-------
 smbd/lanman.c            |    2 -
 4 files changed, 81 insertions(+), 17 deletions(-)

--- NEW FILE samba-3.0.24-CVE-2007-4572.patch ---
--- samba-3.0.24/source/nmbd/nmbd_processlogon.c.orig	2005-02-25 12:59:38.000000000 -0500
+++ samba-3.0.24/source/nmbd/nmbd_processlogon.c	2007-11-15 11:15:30.000000000 -0500
@@ -135,7 +135,9 @@
 
 				fstrcpy(reply_name, "\\\\");
 				fstrcat(reply_name, my_name);
-				push_ascii_fstring(q, reply_name);
+ 				push_ascii(q,reply_name,
+ 						sizeof(outbuf)-PTR_DIFF(q, outbuf),
+ 						STR_TERMINATE);
 				q = skip_string(q, 1); /* PDC name */
 
 				SSVAL(q, 0, token);
@@ -231,7 +233,9 @@
 				q += 2;
 
 				fstrcpy(reply_name,my_name);
-				push_ascii_fstring(q, reply_name);
+ 				push_ascii(q, reply_name,
+ 						sizeof(outbuf)-PTR_DIFF(q, outbuf),
+ 						STR_TERMINATE);
 				q = skip_string(q, 1); /* PDC name */
 
 				/* PDC and domain name */
@@ -239,8 +243,15 @@
 					/* Make a full reply */
 					q = ALIGN2(q, outbuf);
 
-					q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */
-					q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True); /* Domain name*/
+					q += dos_PutUniCode(q, my_name,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True); /* PDC name */
+					q += dos_PutUniCode(q, lp_workgroup(),
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True); /* Domain name*/
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+						return;
+					}
 					SIVAL(q, 0, 1); /* our nt version */
 					SSVAL(q, 4, 0xffff); /* our lmnttoken */
 					SSVAL(q, 6, 0xffff); /* our lm20token */
@@ -376,9 +387,15 @@
 
 					q += 2;
 
-					q += dos_PutUniCode(q, reply_name,sizeof(pstring), True);
-					q += dos_PutUniCode(q, ascuser, sizeof(pstring), True);
-					q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True);
+					q += dos_PutUniCode(q, reply_name,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
+					q += dos_PutUniCode(q, ascuser,
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
+					q += dos_PutUniCode(q, lp_workgroup(),
+						sizeof(outbuf) - PTR_DIFF(q, outbuf),
+						True);
 				}
 #ifdef HAVE_ADS
 				else {
@@ -394,6 +411,9 @@
 					get_mydnsdomname(domain);
 					get_myname(hostname);
 	
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+						return;
+					}
 					if (SVAL(uniuser, 0) == 0) {
 						SIVAL(q, 0, SAMLOGON_AD_UNK_R);	/* user unknown */
 					} else {
@@ -406,6 +426,9 @@
 					q += 4;
 
 					/* Push Domain GUID */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < UUID_FLAT_SIZE) {
+						return;
+					}
 					if (False == secrets_fetch_domain_guid(domain, &domain_guid)) {
 						DEBUG(2, ("Could not fetch DomainGUID for %s\n", domain));
 						return;
@@ -421,12 +444,20 @@
 					q1 = q;
 					while ((component = strtok(dc, "."))) {
 						dc = NULL;
-						size = push_ascii(&q[1], component, -1, 0);
+						if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
+							return;
+						}
+						size = push_ascii(&q[1], component,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 						SCVAL(q, 0, size);
 						q += (size + 1);
 					}
 
 					/* Unk0 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
@@ -436,44 +467,72 @@
 					q += 2;
 
 					/* Hostname */
-					size = push_ascii(&q[1], hostname, -1, 0);
+					size = push_ascii(&q[1], hostname,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
+
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 3) {
+						return;
+					}
+
 					SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
 					SCVAL(q, 1, str_offset & 0xFF);
 					q += 2;
 
 					/* NETBIOS of domain */
-					size = push_ascii(&q[1], lp_workgroup(), -1, STR_UPPER);
+					size = push_ascii(&q[1], lp_workgroup(),
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							STR_UPPER);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
 					/* Unk1 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 2) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
 					/* NETBIOS of hostname */
-					size = push_ascii(&q[1], my_name, -1, 0);
+					size = push_ascii(&q[1], my_name,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
 					/* Unk2 */
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) {
+						return;
+					}
 					SCVAL(q, 0, 0);
 					q++;
 
 					/* User name */
 					if (SVAL(uniuser, 0) != 0) {
-						size = push_ascii(&q[1], ascuser, -1, 0);
+						size = push_ascii(&q[1], ascuser,
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 						SCVAL(q, 0, size);
 						q += (size + 1);
 					}
 
 					q_orig = q;
 					/* Site name */
-					size = push_ascii(&q[1], "Default-First-Site-Name", -1, 0);
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) {
+						return;
+					}
+					size = push_ascii(&q[1], "Default-First-Site-Name",
+							sizeof(outbuf) - PTR_DIFF(q+1, outbuf),
+							0);
 					SCVAL(q, 0, size);
 					q += (size + 1);
 
+					if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 18) {
+						return;
+					}
+
 					/* Site name (2) */
 					str_offset = q - q_orig;
 					SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F));
@@ -494,6 +553,10 @@
 				}	
 #endif
 
+				if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) {
+					return;
+				}
+
 				/* tell the client what version we are */
 				SIVAL(q, 0, ((ntversion < 11) || (SEC_ADS != lp_security())) ? 1 : 13); 
 				/* our ntversion */
--- samba-3.0.24/source/lib/charcnv.c.orig	2007-11-15 11:11:52.000000000 -0500
+++ samba-3.0.24/source/lib/charcnv.c	2007-11-15 11:14:21.000000000 -0500
@@ -855,9 +855,9 @@
 	size_t src_len = strlen(src);
 	pstring tmpbuf;
 
-	/* treat a pstring as "unlimited" length */
+	/* No longer allow a length of -1 */
 	if (dest_len == (size_t)-1)
-		dest_len = sizeof(pstring);
+		smb_panic("push_ascii - dest_len == -1");
 
 	if (flags & STR_UPPER) {
 		pstrcpy(tmpbuf, src);
--- samba-3.0.24/source/smbd/lanman.c.orig	2007-02-04 13:59:13.000000000 -0500
+++ samba-3.0.24/source/smbd/lanman.c	2007-11-15 11:14:21.000000000 -0500
@@ -388,7 +388,7 @@
 	SIVAL(drivdata,0,sizeof drivdata); /* cb */
 	SIVAL(drivdata,4,1000);	/* lVersion */
 	memset(drivdata+8,0,32);	/* szDeviceName */
-	push_ascii(drivdata+8,"NULL",-1, STR_TERMINATE);
+	push_ascii(drivdata+8,"NULL",32, STR_TERMINATE);
 	PACKl(desc,"l",drivdata,sizeof drivdata); /* pDriverData */
 }
 
--- samba-3.0.24/source/libsmb/ntlmssp_parse.c.orig	2007-11-15 11:14:01.000000000 -0500
+++ samba-3.0.24/source/libsmb/ntlmssp_parse.c	2007-11-15 11:14:21.000000000 -0500
@@ -152,7 +152,8 @@
 			break;
 		case 'C':
 			s = va_arg(ap, char *);
-			head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, 
+			n = str_charnum(s) + 1;
+			head_ofs += push_string(NULL, blob->data+head_ofs, s, n,
 						STR_ASCII|STR_TERMINATE);
 			break;
 		}

samba-CVE-2007-5398.patch:
 nmbd_packets.c |    6 ++++++
 1 files changed, 6 insertions(+)

--- NEW FILE samba-CVE-2007-5398.patch ---
diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index d49c8ba..b78ab5b 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
 	nmb->answers->ttl      = ttl;
 
 	if (data && len) {
+		if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+			DEBUG(5,("reply_netbios_packet: "
+				"invalid packet len (%d)\n",
+				len ));
+			return;
+		}
 		nmb->answers->rdlength = len;
 		memcpy(nmb->answers->rdata, data, len);
 	}


Index: samba.spec
===================================================================
RCS file: /cvs/dist/rpms/samba/FC-6/samba.spec,v
retrieving revision 1.79
retrieving revision 1.80
diff -u -r1.79 -r1.80
--- samba.spec	5 Jun 2007 13:52:30 -0000	1.79
+++ samba.spec	15 Nov 2007 16:22:20 -0000	1.80
@@ -3,7 +3,7 @@
 Summary: The Samba SMB server.
 Name: samba
 Version: 3.0.24
-Release: 7%{?dist}
+Release: 8%{?dist}
 Epoch: 0
 License: GNU GPL Version 2
 Group: System Environment/Daemons
@@ -57,6 +57,8 @@
 Patch124: samba-3.0.24-smbrun.patch
 Patch125: samba-3.0.24-nmbd_segv.patch
 Patch126: samba-3.0.24-force_group_fix.patch
+Patch127: samba-3.0.24-CVE-2007-4572.patch
+Patch128: samba-CVE-2007-5398.patch
 
 Requires: pam >= 0:0.64 %{auth} samba-common = %{epoch}:%{version}-%{release}
 Requires: logrotate >= 0:3.4 initscripts >= 0:5.54-1 
@@ -152,6 +154,8 @@
 %patch124 -p0 -b .smbrun
 %patch125 -p2 -b .nmbd_segv
 %patch126 -p0 -b .force_group
+%patch127 -p1 -b .CVE-2007-4572
+%patch128 -p1 -b .2007-5398
 
 # crap
 rm -f examples/VFS/.cvsignore
@@ -472,7 +476,11 @@
 %{_mandir}/man7/libsmbclient.7*
 
 %changelog
-* Tue Jun 5 2007 Simo Sorce <ssorce redhat com> 3.0.24-7.fc5
+* Thu Nov 15 2007 Simo Sorce <ssorce redhat com> 3.0.24-8.fc6
+- Fix CVE-2007-4572
+- Fix CVE-2007-5398
+
+* Tue Jun 5 2007 Simo Sorce <ssorce redhat com> 3.0.24-7.fc6
 - CVE-2007-2447 patch v2
 - CVE-2007-2444 patch v2
   not security problems, just bugs in the patches
[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]