svn commit: samba r21147 - in branches/SAMBA_3_0_RELEASE: .
source/modules source/nsswitch source/printing source/smbd
jerry at samba.org
jerry at samba.org
Mon Feb 5 14:58:37 GMT 2007
Author: jerry
Date: 2007-02-05 14:58:36 +0000 (Mon, 05 Feb 2007)
New Revision: 21147
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=21147
Log:
committing changes for 3.0.24
Modified:
branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
branches/SAMBA_3_0_RELEASE/source/modules/vfs_afsacl.c
branches/SAMBA_3_0_RELEASE/source/nsswitch/winbind_nss_solaris.c
branches/SAMBA_3_0_RELEASE/source/printing/nt_printing.c
branches/SAMBA_3_0_RELEASE/source/smbd/nttrans.c
branches/SAMBA_3_0_RELEASE/source/smbd/reply.c
branches/SAMBA_3_0_RELEASE/source/smbd/trans2.c
Changeset:
Modified: branches/SAMBA_3_0_RELEASE/WHATSNEW.txt
===================================================================
--- branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2007-02-05 14:57:31 UTC (rev 21146)
+++ branches/SAMBA_3_0_RELEASE/WHATSNEW.txt 2007-02-05 14:58:36 UTC (rev 21147)
@@ -1,3 +1,49 @@
+ ==============================
+ Release Notes for Samba 3.0.24
+ Feb 5, 2007
+ ==============================
+
+This is the latest stable release of Samba. This is the version
+that production Samba servers should be running for all current
+bug-fixes. Please read the changes in this section and for the
+original 3.0.23 release regarding new features and difference
+in behavior from previous releases.
+
+Important issues addressed in 3.0.24 include:
+
+ o Fixes for the following security advisories:
+ - CVE-2007-0452 (Potential Denial of Service bug in smbd)
+ - CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
+ NSS library on Solaris)
+ - CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.23d
+---------------------
+
+commits
+-------
+
+o Jeremy Allison <jra at samba.org>
+ * Fix for CVE-2007-0452 & CVE-2007-0454
+
+
+o Olivier Gay <ouah at ouah.org>
+ * Fix for CVE-2007-0453
+
+
+o Volker Lendecke <vl at samba.org>
+ * Fix for CVE-2007-0452
+
+
+
+Release Notes for older release follow:
+
+ --------------------------------------------------
===============================
Release Notes for Samba 3.0.23d
Nov 14, 2006
Modified: branches/SAMBA_3_0_RELEASE/source/modules/vfs_afsacl.c
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/modules/vfs_afsacl.c 2007-02-05 14:57:31 UTC (rev 21146)
+++ branches/SAMBA_3_0_RELEASE/source/modules/vfs_afsacl.c 2007-02-05 14:58:36 UTC (rev 21147)
@@ -901,7 +901,7 @@
ZERO_STRUCT(dir_acl);
ZERO_STRUCT(file_acl);
- pstr_sprintf(name, fsp->fsp_name);
+ pstrcpy(name, fsp->fsp_name);
if (!fsp->is_directory) {
/* We need to get the name of the directory containing the
Modified: branches/SAMBA_3_0_RELEASE/source/nsswitch/winbind_nss_solaris.c
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/nsswitch/winbind_nss_solaris.c 2007-02-05 14:57:31 UTC (rev 21146)
+++ branches/SAMBA_3_0_RELEASE/source/nsswitch/winbind_nss_solaris.c 2007-02-05 14:58:36 UTC (rev 21147)
@@ -493,7 +493,8 @@
af = AF_INET6;
#endif
- strncpy(request.data.winsreq, argp->key.name, strlen(argp->key.name)) ;
+ strncpy(request.data.winsreq, argp->key.name, sizeof(request.data.winsreq) - 1);
+ request.data.winsreq[sizeof(request.data.winsreq) - 1] = '\0';
if( (ret = winbindd_request_response(WINBINDD_WINS_BYNAME, &request, &response))
== NSS_STATUS_SUCCESS ) {
@@ -515,7 +516,8 @@
ZERO_STRUCT(response);
ZERO_STRUCT(request);
- strncpy(request.data.winsreq, argp->key.name, strlen(argp->key.name));
+ strncpy(request.data.winsreq, argp->key.name, sizeof(request.data.winsreq) - 1);
+ request.data.winsreq[sizeof(request.data.winsreq) - 1] = '\0';
if( (ret = winbindd_request_response(WINBINDD_WINS_BYNAME, &request, &response))
== NSS_STATUS_SUCCESS ) {
Modified: branches/SAMBA_3_0_RELEASE/source/printing/nt_printing.c
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/printing/nt_printing.c 2007-02-05 14:57:31 UTC (rev 21146)
+++ branches/SAMBA_3_0_RELEASE/source/printing/nt_printing.c 2007-02-05 14:58:36 UTC (rev 21147)
@@ -4839,7 +4839,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting driverfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4848,7 +4848,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting configfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4857,7 +4857,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting datafile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4866,7 +4866,7 @@
pstrcpy( file, s );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting helpfile [%s]\n", s));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
}
@@ -4882,7 +4882,7 @@
pstrcpy( file, p );
driver_unix_convert(file, conn, NULL, &bad_path, &st);
DEBUG(10,("deleting dependent file [%s]\n", file));
- unlink_internals(conn, 0, file, False);
+ unlink_internals(conn, 0, file, False, False);
}
i++;
Modified: branches/SAMBA_3_0_RELEASE/source/smbd/nttrans.c
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/smbd/nttrans.c 2007-02-05 14:57:31 UTC (rev 21146)
+++ branches/SAMBA_3_0_RELEASE/source/smbd/nttrans.c 2007-02-05 14:58:36 UTC (rev 21147)
@@ -664,7 +664,7 @@
if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE)
&& (access_mask & DELETE_ACCESS)) {
#endif
- status = can_delete(conn, fname, file_attributes, bad_path, True);
+ status = can_delete(conn, fname, file_attributes, bad_path, True, False);
/* We're only going to fail here if it's access denied, as that's the
only error we care about for "can we delete this ?" questions. */
if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) ||
@@ -1281,7 +1281,7 @@
/* Setting FILE_SHARE_DELETE is the hint. */
if (lp_acl_check_permissions(SNUM(conn)) && (share_access & FILE_SHARE_DELETE) && (access_mask & DELETE_ACCESS)) {
#endif
- status = can_delete(conn, fname, file_attributes, bad_path, True);
+ status = can_delete(conn, fname, file_attributes, bad_path, True, False);
/* We're only going to fail here if it's access denied, as that's the
only error we care about for "can we delete this ?" questions. */
if (!NT_STATUS_IS_OK(status) && (NT_STATUS_EQUAL(status,NT_STATUS_ACCESS_DENIED) ||
@@ -1888,8 +1888,14 @@
status = rename_internals(conn, fsp->fsp_name,
new_name, 0, replace_if_exists, path_contains_wcard);
- if (!NT_STATUS_IS_OK(status))
+
+ if (!NT_STATUS_IS_OK(status)) {
+ if (open_was_deferred(SVAL(inbuf,smb_mid))) {
+ /* We have re-scheduled this call. */
+ return -1;
+ }
return ERROR_NT(status);
+ }
/*
* Rename was successful.
Modified: branches/SAMBA_3_0_RELEASE/source/smbd/reply.c
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/smbd/reply.c 2007-02-05 14:57:31 UTC (rev 21146)
+++ branches/SAMBA_3_0_RELEASE/source/smbd/reply.c 2007-02-05 14:58:36 UTC (rev 21147)
@@ -1865,7 +1865,7 @@
Check if a user is allowed to delete a file.
********************************************************************/
-NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open)
+NTSTATUS can_delete(connection_struct *conn, char *fname, uint32 dirtype, BOOL bad_path, BOOL check_is_at_open, BOOL can_defer)
{
SMB_STRUCT_STAT sbuf;
uint32 fattr;
@@ -1938,7 +1938,7 @@
FILE_OPEN,
0,
FILE_ATTRIBUTE_NORMAL,
- 0,
+ can_defer ? 0 : INTERNAL_OPEN_ONLY,
NULL);
if (!fsp) {
@@ -1960,7 +1960,7 @@
code.
****************************************************************************/
-NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild)
+NTSTATUS unlink_internals(connection_struct *conn, uint32 dirtype, char *name, BOOL has_wild, BOOL can_defer)
{
pstring directory;
pstring mask;
@@ -2000,7 +2000,7 @@
if (!has_wild) {
pstrcat(directory,"/");
pstrcat(directory,mask);
- error = can_delete(conn,directory,dirtype,bad_path,False);
+ error = can_delete(conn,directory,dirtype,bad_path,False,can_defer);
if (!NT_STATUS_IS_OK(error))
return error;
@@ -2058,7 +2058,7 @@
}
slprintf(fname,sizeof(fname)-1, "%s/%s",directory,dname);
- error = can_delete(conn,fname,dirtype,bad_path,False);
+ error = can_delete(conn,fname,dirtype,bad_path,False,False);
if (!NT_STATUS_IS_OK(error)) {
continue;
}
@@ -2104,7 +2104,7 @@
DEBUG(3,("reply_unlink : %s\n",name));
- status = unlink_internals(conn, dirtype, name, path_contains_wcard);
+ status = unlink_internals(conn, dirtype, name, path_contains_wcard, True);
if (!NT_STATUS_IS_OK(status)) {
if (open_was_deferred(SVAL(inbuf,smb_mid))) {
/* We have re-scheduled this call. */
Modified: branches/SAMBA_3_0_RELEASE/source/smbd/trans2.c
===================================================================
--- branches/SAMBA_3_0_RELEASE/source/smbd/trans2.c 2007-02-05 14:57:31 UTC (rev 21146)
+++ branches/SAMBA_3_0_RELEASE/source/smbd/trans2.c 2007-02-05 14:58:36 UTC (rev 21147)
@@ -4446,9 +4446,15 @@
fname, newname ));
status = rename_internals(conn, fname, base_name, 0, overwrite, False);
}
+
if (!NT_STATUS_IS_OK(status)) {
+ if (open_was_deferred(SVAL(inbuf,smb_mid))) {
+ /* We have re-scheduled this call. */
+ return -1;
+ }
return ERROR_NT(status);
}
+
process_pending_change_notify_queue((time_t)0);
SSVAL(params,0,0);
send_trans2_replies(outbuf, bufsize, params, 2, *ppdata, 0);
More information about the samba-cvs
mailing list