Changeset 581

Timestamp:

Jun 28, 2011, 9:27:20 AM (14 years ago)

Author:

Herwig Bauernfeind

Message:

Samba 3.5: Update vendor to version 3.5.5

Location:

vendor/current

Files:

• WHATSNEW.txt (modified) (2 diffs)
• docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml (modified) (1 diff)
• libcli/security/dom_sid.c (modified) (1 diff)
• libcli/security/dom_sid.h (modified) (1 diff)
• packaging/RHEL-CTDB/samba.spec (modified) (1 diff)
• packaging/RHEL/makerpms.sh (modified) (1 diff)
• packaging/RHEL/samba.spec (modified) (1 diff)
• source3/VERSION (modified) (1 diff)
• source3/include/version.h (modified) (1 diff)
• source3/lib/util_sid.c (modified) (1 diff)
• source3/libads/ldap.c (modified) (1 diff)
• source3/libsmb/cliquota.c (modified) (1 diff)
• source3/smbd/nttrans.c (modified) (3 diffs)

vendor/current/WHATSNEW.txt ¶

@@ +1 @@
+                   =============================
+                   Release Notes for Samba 3.5.5
+                         September 14, 2010
+                   =============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o  CVE-2010-3069:
+   All current released versions of Samba are vulnerable to
+   a buffer overrun vulnerability. The sid_parse() function
+   (and related dom_sid_parse() function in the source4 code)
+   do not correctly check their input lengths when reading a
+   binary representation of a Windows SID (Security ID). This
+   allows a malicious client to send a sid that can overflow
+   the stack variable that is being used to store the SID in the
+   Samba smbd server.
+
+
+Changes since 3.5.4
+--------------------
+
+
+o   Jeremy Allison <jra@samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
+
+
+o   Andrew Bartlett <abartlet@samba.org>
+    * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.5 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 3.5.4
@@ -89 +144 @@
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================

vendor/current/docs-xml/smbdotconf/protocol/aclmapfullcontrol.xml ¶

@@ -7 +7 @@
     <para>
         This boolean parameter controls whether <citerefentry><refentrytitle>smbd</refentrytitle>
-        <manvolnum>8</manvolnum></citerefentry>maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum
+        <manvolnum>8</manvolnum></citerefentry> maps a POSIX ACE entry of "rwx" (read/write/execute), the maximum
         allowed POSIX permission set, into a Windows ACL of "FULL CONTROL". If this parameter is set to true any POSIX
         ACE entry of "rwx" will be returned in a Windows ACL as "FULL CONTROL", is this parameter is set to false any

vendor/current/libcli/security/dom_sid.c ¶

@@ -116 +116 @@
         for (i=0;sidstr[i];i++) {
                 if (sidstr[i] == '-') num_sub_auths++;
+        }
+
+        if (num_sub_auths > MAXSUBAUTHS) {
+                return false;
         }
 

vendor/current/libcli/security/dom_sid.h ¶

@@ -41 +41 @@
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
 
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
 #endif /*_DOM_SID_H_*/
 

vendor/current/packaging/RHEL-CTDB/samba.spec ¶

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.4
+Version:      3.5.5
 Release:      1GITHASH
 Epoch:        0

vendor/current/packaging/RHEL/makerpms.sh ¶

@@ -21 +21 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.5.4'
+VERSION='3.5.5'
 REVISION=''
 SPECFILE="samba.spec"

vendor/current/packaging/RHEL/samba.spec ¶

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.5.4
+Version:      3.5.5
 Release:      1
 Epoch:        0

vendor/current/source3/VERSION ¶

@@ -26 +26 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 ########################################################

vendor/current/source3/include/version.h ¶

@@ -2 +2 @@
 #define SAMBA_VERSION_MAJOR 3
 #define SAMBA_VERSION_MINOR 5
-#define SAMBA_VERSION_RELEASE 4
-#define SAMBA_VERSION_OFFICIAL_STRING "3.5.4"
+#define SAMBA_VERSION_RELEASE 5
+#define SAMBA_VERSION_OFFICIAL_STRING "3.5.5"
 #ifdef SAMBA_VERSION_VENDOR_FUNCTION
 #  define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION

vendor/current/source3/lib/util_sid.c ¶

@@ -409 +409 @@
         sid->sid_rev_num = CVAL(inbuf, 0);
         sid->num_auths = CVAL(inbuf, 1);
+        if (sid->num_auths > MAXSUBAUTHS) {
+                return false;
+        }
         memcpy(sid->id_auth, inbuf+2, 6);
         if (len < 8 + sid->num_auths*4)

vendor/current/source3/libads/ldap.c ¶

@@ -2142 +2142 @@
                 DOM_SID sid;
                 fstring tmp;
-                sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+                if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+                        continue;
+                }
                 printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
         }

vendor/current/source3/libsmb/cliquota.c ¶

@@ -112 +112 @@
 #endif /* LARGE_SMB_OFF_T */
 
-        sid_parse(rdata+40,sid_len,&qt.sid);
+        if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+                return false;
+        }
 
         qt.qtype = SMB_USER_QUOTA_TYPE;

vendor/current/source3/smbd/nttrans.c ¶

@@ -2162 +2162 @@
                 /*unknown = IVAL(pdata,0);*/
 
-                sid_parse(pdata+4,sid_len,&sid);
+                if (!sid_parse(pdata+4,sid_len,&sid)) {
+                        reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                        return;
+                }
+
                 DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 
@@ -2418 +2422 @@
                         }
 
-                        sid_parse(pdata+8,sid_len,&sid);
+                        if (!sid_parse(pdata+8,sid_len,&sid)) {
+                                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                                return;
+                        }
 
                         if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
@@ -2599 +2606 @@
 #endif /* LARGE_SMB_OFF_T */
 
-        sid_parse(pdata+40,sid_len,&sid);
+        if (!sid_parse(pdata+40,sid_len,&sid)) {
+                reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+                return;
+        }
+
         DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));