[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-29-11-g749178f

Gerald Carter jerry at samba.org
Wed May 28 15:26:43 GMT 2008


The branch, v3-0-test has been updated
       via  749178f44ea9a065120478ff1df44a932e45ec37 (commit)
       via  fa07a60da640795513c40e6c23589847a01e9372 (commit)
       via  159946915fe35cab1d0fe2deef8547b720ccc011 (commit)
      from  d48bdc8f5de03b88d79685d2e89f0ed2f8207ef5 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit 749178f44ea9a065120478ff1df44a932e45ec37
Author: Gerald W. Carter <jerry at samba.org>
Date:   Wed May 28 07:40:51 2008 -0500

    Updating release notes for 3.0.30 security release.

commit fa07a60da640795513c40e6c23589847a01e9372
Author: Gerald W. Carter <jerry at samba.org>
Date:   Wed May 28 07:30:19 2008 -0500

    Security: Patch for CVE-2008-1105.
    
        -- Summary --
        Specifically crafted SMB responses can result
        in a heap overflow in the Samba client code.
        Because the server process, smbd, can itself
        act as a client during operations such as
        printer notification and domain authentication,
        this issue affects both Samba client and server
        installations.
    
    Ensure that we specify the buffer size used to store incoming SMB
    packets.  This bug was originally introduced in Samba 2.2.4.  Patch from
    Jeremy Allison.

commit 159946915fe35cab1d0fe2deef8547b720ccc011
Author: Gerald W. Carter <jerry at samba.org>
Date:   Tue May 27 16:30:54 2008 -0500

    Release scripts: Copy the support release scripts from the v3-3-tree
    (cherry picked from commit 8555ceeca7ac50f18589c07d2deb45c1d6fe8010)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                   |   43 +++++++-
 release-scripts/build-docs     |   25 +++++
 release-scripts/create-tarball |  222 ++++++++++++++++++++++++++++++++++++++++
 source/client/client.c         |    2 +-
 source/client/smbctool.c       |    2 +-
 source/lib/util_sock.c         |   34 +++----
 source/libsmb/clientgen.c      |    9 +-
 source/smbd/process.c          |    3 +-
 source/utils/smbfilter.c       |    4 +-
 9 files changed, 308 insertions(+), 36 deletions(-)
 create mode 100755 release-scripts/build-docs
 create mode 100755 release-scripts/create-tarball


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index cdb3703..0af6a15 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,11 +1,46 @@
                    ===============================
+                   Release Notes for Samba 3.0.30
+                            May 28, 2008
+                   ===============================
+
+This is a security release in order to address CVE-2008-1105 ("Boundary 
+failure when parsing SMB responses can result in a buffer overrun").
+
+  o CVE-2008-1105
+    Specifically crafted SMB responses can result in a heap overflow 
+    in the Samba client code.  Because the server process, smbd, can 
+    itself act as a client during operations such as printer notification
+    and domain authentication,  this issue affects both Samba client 
+    and server installations.
+    
+The original security announcement for this and past advisories can 
+be found http://www.samba.org/samba/security/
+
+
+######################################################################
+Changes
+#######
+
+Changes since 3.0.29
+--------------------
+
+o   Jeremy Allison <jra at samba.org>
+    * Fix for CVE-2008-1105.
+
+
+o   Karolin Seeger <kseeger at samba.org>
+    * Remove man pages for ldb tools not included in Samba 3.0.
+
+
+Release notes for older releases follow:
+
+      --------------------------------------------------
+
+                   ===============================
                    Release Notes for Samba 3.0.29
                             May 20, 2008
                    ===============================
 
-This is a bug fix release of the Samba 3.0 production series and is the
-version that servers should be run for for all current Samba 3.0 bug fixes.  
-
 Major bug fixes included in Samba 3.0.29 are:
 
   o Problems following domain trusts on a Samba DC.
@@ -128,8 +163,6 @@ o   Martin Zielinski <mz at seh.de>
 
 
 
-Release notes for older releases follow:
-
       --------------------------------------------------
 
                    ===============================
diff --git a/release-scripts/build-docs b/release-scripts/build-docs
new file mode 100755
index 0000000..529a1c0
--- /dev/null
+++ b/release-scripts/build-docs
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+DOCSRCDIR=`dirname $0`/../docs-xml
+
+cd $DOCSRCDIR || exit 1
+
+git-clean -d -x -f
+autoconf && ./configure --with-papersize=letter && make release
+
+if [ $? != 0 ]; then
+        echo "Docs build failed!"
+        exit 1
+fi
+
+mkdir ../docs
+rsync -Ca --delete --exclude=.git output/ ../docs/
+rsync -Ca --exclude=.svn registry ../docs/
+rsync -Ca --exclude=.svn archives/ ../docs/
+
+cd ../docs || exit 1
+/bin/rm -rf test.pdf Samba4*pdf htmldocs/Samba4* htmldocs/test
+mv manpages-3 manpages
+mv htmldocs/manpages-3 htmldocs/manpages
+
+exit
\ No newline at end of file
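Review bot: `git-clean -d -x -f` deletes every untracked and ignored file in the current directory, and the `cd` that selects that directory uses an unquoted `$DOCSRCDIR` built from an unquoted `$0`. With a checkout path that contains whitespace the argument is word-split, and depending on the shell `cd` may fail or land somewhere other than docs-xml. Quoting both closes that gap: ``DOCSRCDIR="`dirname "$0"`/../docs-xml"`` and `cd "$DOCSRCDIR" || exit 1`. The later `mkdir ../docs` is also unchecked and fails when the directory survives from an earlier run; `mkdir -p ../docs || exit 1` would make the outcome explicit before the `rsync --delete` calls.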
diff --git a/release-scripts/create-tarball b/release-scripts/create-tarball
new file mode 100755
index 0000000..3463f01
--- /dev/null
+++ b/release-scripts/create-tarball
@@ -0,0 +1,222 @@
+#!/bin/bash
+
+## option defaults
+OPT_BRANCH=""
+OPT_DOCSDIR=""
+OPT_TAG=""
+OPT_KEYID=""
+
+TOPDIR="`dirname $0`/.."
+VER_H="${TOPDIR}/source/include/version.h"
+
+function exitOnError
+{
+    local _error="$1"
+    local _msg="$2"
+
+    if [ ${_error} -eq 0 ]; then
+	return 0
+    fi
+
+    echo "FAILURE: ${_msg}"
+    exit ${_error}
+}
+
+##
+## Print help usage
+##
+
+function printUsage
+{
+    echo "Usage $0 [options]"
+    echo "    --help             Print command usage"
+    echo "    --branch <name>    Specify the branch to to create the archive file from"
+    echo "    --copy-docs <dir>  Copy documentation from <dir> rather than building"
+    echo "    --tag <name>       Tag name for release"
+    echo "    --keyid <email>    The GnuPG key ID used to sign the release tag"
+    echo ""
+}
+
+##
+## Parse the command line options 
+##
+
+function parseOptions
+{
+    while [ -n "$1" ]; do
+	case "$1" in
+	    --help)
+		printUsage
+		exit 0
+		;;
+	    --branch)
+		shift
+		if [ -z "$1" ]; then
+		    printUsage
+		    return 1
+		fi
+		OPT_BRANCH="$1"
+		shift
+		;;
+	    --copy-docs)
+		shift
+		if [ -z "$1" ]; then
+		    printUsage
+		    return 1
+		fi
+		OPT_DOCSDIR="$1"
+		shift
+		;;
+	    --tag)
+		shift
+		if [ -z "$1" ]; then
+		    printUsage
+		    return 1
+		fi
+		OPT_TAG="$1"
+		shift
+		;;
+	    --keyid)
+		shift
+		if [ -z "$1" ]; then
+		    printUsage
+		    return 1
+		fi
+		OPT_KEYID="$1"
+		shift
+		;;
+	    *)
+		printUsage
+		return 1
+		;;
+	esac
+    done
+
+    if [ -z "${OPT_BRANCH}" ]; then
+	echo "You must specify a branch name!"
+	printUsage
+	return 1
+    fi
+}
+
+##
+## Build the dopcumentation (may be a no-op)
+##
+
+function buildDocs
+{
+    if [ -n "${OPT_DOCSDIR}" ]; then
+	if [ ! -d "${OPT_DOCSDIR}" ]; then
+	    exitOnError 1 "${OPT_DOCSDIR} does not exist.  Please specify the absolute path."
+	fi
+
+	mkdir docs
+	exitOnError $? "Failed to create docs directory"
+
+	rsync -av "${OPT_DOCSDIR}"/ docs/
+	exitOnError $? "Failed top copy docs from ${OPT_DOCSDIR}"
+	
+	return 0
+    fi
+
+    echo "Building documentation.  This may take a while.  Log file in /tmp/docs-build.log.$$"
+
+    ${TOPDIR}/release-scripts/build-docs 2> /tmp/docs-build.log.$$
+    return $?
+
+}
+
+
+##
+## Create a release tag
+##
+function createReleaseTag
+{
+    if [ -z "${OPT_TAG}" ]; then
+	echo "Tagging disabled"
+	return 0
+    fi
+
+    if [ "x`git-tag -l ${OPT_TAG}`" != "x" ]; then
+	echo -n "Tag exists.  Do you wish to overwrite? (y/N): "
+	read answer
+
+	if [ "x$answer" != "xy" ]; then
+      	    echo "Tag creation aborted."
+	    exit 1
+	fi
+    fi
+
+    if [ -z "${OPT_KEYID}" ]; then
+	echo -n "Enter the keyid:"
+	read OPT_KEYID
+	if [ -z "${OPT_KEYID}" ]; then
+	    exitOnError 1 "No keyid specified"
+	fi
+    fi
+
+    git-tag -u ${OPT_KEYID} ${OPT_TAG}
+    exitOnError $? "Failed to create tag"
+
+    return 0
+}
+##
+## Main driver
+##
+function main 
+{
+    parseOptions "$@"
+    exitOnError $? "Failed to parse options"
+    
+    cd $TOPDIR
+
+    git-checkout ${OPT_BRANCH}
+    exitOnError $? "Invalid branch name \"${OPT_BRANCH}\""
+
+    (cd source && ./script/mkversion.sh)
+    if [ ! -f $VER_H ]; then
+	exitOnError 1 "Failed to find ${VER_H}!"
+    fi
+
+    version=`grep SAMBA_VERSION_OFFICIAL_STRING $VER_H | awk '{print $3}'`
+    vendor_version=`grep SAMBA_VERSION_VENDOR_SUFFIX $VER_H | awk '{print $3}'`
+    if [ -n "$vendor_version" ]; then
+	version="$version-$vendor_version"
+    fi
+    version=`echo $version | sed 's/\"//g'`
+
+    echo "Creating release tarball for Samba $version"
+
+    /bin/rm -rf ../samba-${version}
+    git-archive --format=tar --prefix=samba-${version}/ HEAD | (cd .. && tar xf -)
+    exitOnError $? "Failed to create release directory tree"
+
+    pushd ../samba-${version}
+
+    packaging/bin/update-pkginfo ${version} 1 ""
+
+    buildDocs
+    exitOnError $? "Failed to build documentation"
+
+    ( cd source && ./autogen.sh )
+
+    cd ..
+    tar cf samba-${version}.tar --exclude=.git* --exclude=CVS --exclude=.svn samba-${version}
+    exitOnError $? "Failed to create tarball from git tree"
+
+    gpg --detach-sign --armor samba-${version}.tar
+    ## exitOnError $? "Failed to sign tarball"
+
+    gzip -9 samba-${version}.tar
+    exitOnError $? "Failed to compress archive"
+
+    popd
+
+    createReleaseTag
+    exitOnError $? "Failed to create release tag"
+
+    return 0
+}
+
+main "$@"
+exit $?
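Review bot: buildDocs writes the build log to `/tmp/docs-build.log.$$`, a name any local user can predict, and the `2>` redirection follows a symlink already present at that path, so on a shared build host the release manager's account can be made to overwrite one of its own files. Creating the file with mktemp avoids the predictable name: `log=$(mktemp /tmp/docs-build.log.XXXXXX) || exit 1`, then `"${TOPDIR}/release-scripts/build-docs" 2> "$log"`, with the echo updated to print `$log`. Separately, in main the check after `gpg --detach-sign --armor` is commented out, so a failed signature does not stop the tarball from being compressed or the tag from being created; restoring `exitOnError $? "Failed to sign tarball"` would surface that failure.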
diff --git a/source/client/client.c b/source/client/client.c
index 3f96f63..e87623a 100644
--- a/source/client/client.c
+++ b/source/client/client.c
@@ -3626,7 +3626,7 @@ static void readline_callback(void)
 	   session keepalives and then drop them here.
 	*/
 	if (FD_ISSET(cli->fd,&fds)) {
-		if (!receive_smb(cli->fd,cli->inbuf,0)) {
+		if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
 			DEBUG(0, ("Read from server failed, maybe it closed the "
 				"connection\n"));
 			return;
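Review bot: The bound passed here is only as good as the relationship between `cli->bufsize` and the allocation behind `cli->inbuf`, which this diff does not show. receive_smb_raw now rejects a length greater than `buflen`, so the allocation has to cover `cli->bufsize` plus any header bytes the receive path stores ahead of the payload. A comment at the point where `cli->inbuf` is allocated, stating that invariant, would keep the two from drifting apart. The same applies to the `cli->bufsize` arguments added in source/client/smbctool.c and in cli_receive_smb in source/libsmb/clientgen.c. readline_callback starts and ends outside the hunk.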
diff --git a/source/client/smbctool.c b/source/client/smbctool.c
index 2063418..a18505b 100644
--- a/source/client/smbctool.c
+++ b/source/client/smbctool.c
@@ -3304,7 +3304,7 @@ static void readline_callback(void)
 	   session keepalives and then drop them here.
 	*/
 	if (FD_ISSET(cli->fd,&fds)) {
-		receive_smb(cli->fd,cli->inbuf,0);
+		receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
 		goto again;
 	}
 	  
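Review bot: The result of `receive_smb` is discarded before `goto again`, unlike the matching call in source/client/client.c, which logs and returns when the read fails. With the length check added by this commit, a rejected oversized packet is signalled through that return value (and `smb_read_error`), so ignoring it sends the callback straight back to wait on the same socket. Checking it as client.c does, `if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) return;`, would let the callback stop on a closed or misbehaving connection. The rest of readline_callback is outside the hunk, so whether the `again` loop has another exit cannot be seen from here.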
diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
index 94c5e82..4715ca7 100644
--- a/source/lib/util_sock.c
+++ b/source/lib/util_sock.c
@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout)
 }
 
 /****************************************************************************
- Read an smb from a fd. Note that the buffer *MUST* be of size
- BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd. 
  The timeout is in milliseconds. 
  This function will return on receipt of a session keepalive packet.
  Doesn't check the MAC on signed packets.
 ****************************************************************************/
 
-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
+BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
 {
 	ssize_t len,ret;
 
@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
 		return False;
 	}
 
-	/*
-	 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
-	 * of header. Don't print the error if this fits.... JRA.
-	 */
-
-	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+	if (len > buflen) {
 		DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
-		if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
 
-			/*
-			 * Correct fix. smb_read_error may have already been
-			 * set. Only set it here if not already set. Global
-			 * variables still suck :-). JRA.
-			 */
+		/*
+		 * smb_read_error may have already been
+		 * set. Only set it here if not already set. Global
+		 * variables still suck :-). JRA.
+		 */
 
-			if (smb_read_error == 0)
-				smb_read_error = READ_ERROR;
-			return False;
-		}
+		if (smb_read_error == 0)
+			smb_read_error = READ_ERROR;
+		return False;
 	}
 
 	if(len > 0) {
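Review bot: `if (len > buflen)` compares the `ssize_t` `len` with the `size_t` `buflen`, so the test relies on an implicit signed-to-unsigned conversion. On the usual platforms a negative `len` becomes a very large value and is rejected, which is safe but accidental; `if (len < 0 || (size_t)len > buflen)` states the intent and avoids sign-compare warnings. The function's header comment (previous hunk) also lost its BUFFER_SIZE+SAFETY_MARGIN requirement without a replacement. A sentence such as `buflen is the largest SMB length accepted; the caller's buffer must hold that many bytes in addition to the length header` would document the new contract, assuming the payload is stored after the header in the part of the function outside this hunk.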
@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
  Checks the MAC on signed packets.
 ****************************************************************************/
 
-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
+BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
 {
-	if (!receive_smb_raw(fd, buffer, timeout)) {
+	if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
 		return False;
 	}
 
diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c
index c6cef08..7d7ab9e 100644
--- a/source/libsmb/clientgen.c
+++ b/source/libsmb/clientgen.c
@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port)
 }
 
 /****************************************************************************
- Read an smb from a fd ignoring all keepalive packets. Note that the buffer 
- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
+ Read an smb from a fd ignoring all keepalive packets.
  The timeout is in milliseconds
 
  This is exactly the same as receive_smb except that it never returns
@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port)
  should never go into a blocking read.
 ****************************************************************************/
 
-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
+static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
 {
 	BOOL ret;
 
 	for(;;) {
-		ret = receive_smb_raw(fd, buffer, timeout);
+		ret = receive_smb_raw(fd, buffer, bufsize, timeout);
 
 		if (!ret) {
 			DEBUG(10,("client_receive_smb failed\n"));
@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
 		return False; 
 
  again:
-	ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
+	ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
 	
 	if (ret) {
 		/* it might be an oplock break request */
diff --git a/source/smbd/process.c b/source/smbd/process.c
index 8dec719..3d31c29 100644
--- a/source/smbd/process.c
+++ b/source/smbd/process.c
@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
 		goto again;
 	}
 
-	return receive_smb(smbd_server_fd(), buffer, 0);
+	return receive_smb(smbd_server_fd(), buffer,
+			BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
 }
 
 /*
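Review bot: The limit handed to `receive_smb` is the constant `BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE`, while `receive_message_or_smb` already receives a `buffer_len` argument that this call does not use. If `buffer_len` is the real size of `buffer`, the bound should be derived from it or at least checked against it; as written, the safety of the read depends on every caller allocating at least the constant. If the constant has to stay, a comment on the function stating the minimum allocation the caller must provide would record that requirement. Most of the function body lies above the hunk.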
diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
index 97d2223..2152e53 100644
--- a/source/utils/smbfilter.c
+++ b/source/utils/smbfilter.c
@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip)
 		if (num <= 0) continue;
 		
 		if (c != -1 && FD_ISSET(c, &fds)) {
-			if (!receive_smb(c, packet, 0)) {
+			if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
 				d_printf("client closed connection\n");
 				exit(0);
 			}
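Review bot: Both `receive_smb` calls in filter_child (this hunk and the next) pass `BUFFER_SIZE` as the limit, but the declaration of `packet` is outside the hunks, so it cannot be confirmed here that the buffer is at least that large plus the length header. If `packet` is an array, deriving the bound from `sizeof(packet)` would tie the limit to the allocation. smbd passes `BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE` for the same parameter in source/smbd/process.c, so a packet smbd accepts can now be rejected here. That rejection would be reported as `client closed connection` or `server closed connection`, so a distinct message for an over-length packet would make it easier to diagnose.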
@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip)
 			}			
 		}
 		if (s != -1 && FD_ISSET(s, &fds)) {
-			if (!receive_smb(s, packet, 0)) {
+			if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
 				d_printf("server closed connection\n");
 				exit(0);
 			}


-- 
Samba Shared Repository

