[SCM] Samba Shared Repository - branch v3-3-stable updated
Karolin Seeger
kseeger at samba.org
Tue Sep 14 04:31:46 MDT 2010
The branch, v3-3-stable has been updated
via cdb6f49 WHATSNEW: Update release date.
via df1c76e Fix bug #7669.
via da9325d WHATSNEW: Prepare 3.3.14 release notes.
via 293a867 VERSION: Raise version number up to 3.3.14.
from d07d870 WHATSNEW: Prepare release notes for 3.3.13.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-3-stable
- Log -----------------------------------------------------------------
commit cdb6f49d577fa5b24d294a50780604c89912c012
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 9 16:23:49 2010 +0200
WHATSNEW: Update release date.
Karolin
commit df1c76e2275068d1006e82a4a21d42b58175268b
Author: Jeremy Allison <jra at samba.org>
Date: Thu Sep 9 15:43:07 2010 +0200
Fix bug #7669.
Fix bug #7669 (buffer overflow in sid_parse() in Samba3 and dom_sid_parse in
Samba4).
CVE-2010-3069:
===========
Description
===========
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
commit da9325d02038b5e65873593dece510fa09851772
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 9 15:41:40 2010 +0200
WHATSNEW: Prepare 3.3.14 release notes.
Karolin
commit 293a8676ee72a635096ff1a1b167ecf6fa525276
Author: Karolin Seeger <kseeger at samba.org>
Date: Thu Sep 9 15:31:18 2010 +0200
VERSION: Raise version number up to 3.3.14.
Karolin
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 59 ++++++++++++++++++++++++++++++++++++++++++++-
source/VERSION | 2 +-
source/lib/util_sid.c | 3 ++
source/libads/ldap.c | 4 ++-
source/libsmb/cliquota.c | 4 ++-
source/smbd/nttrans.c | 17 +++++++++++--
6 files changed, 81 insertions(+), 8 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c63fd1f..a5026cd 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,59 @@
==============================
+ Release Notes for Samba 3.3.14
+ September 14, 2010
+ ==============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o CVE-2010-3069:
+ All current released versions of Samba are vulnerable to
+ a buffer overrun vulnerability. The sid_parse() function
+ (and related dom_sid_parse() function in the source4 code)
+ do not correctly check their input lengths when reading a
+ binary representation of a Windows SID (Security ID). This
+ allows a malicious client to send a sid that can overflow
+ the stack variable that is being used to store the SID in the
+ Samba smbd server.
+
+
+Changes since 3.3.13
+--------------------
+
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 3.3.13
June 16, 2010
==============================
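Review bot: the CVE-2010-3069 entry in the 3.3.14 notes omits the precondition given in the commit message, namely that a connection to a file share is needed, either authenticated or unauthenticated (guest). Add that sentence to the release note so administrators can tell from WHATSNEW alone whether guest-accessible shares put them in scope. The entry also lists BUG 7669 under two authors with identical text; say what each contributed, or merge the two items.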
@@ -39,8 +94,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 3.3.12
diff --git a/source/VERSION b/source/VERSION
index a6430a6..83d25bc 100644
--- a/source/VERSION
+++ b/source/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=13
+SAMBA_VERSION_RELEASE=14
########################################################
# Bug fix releases use a letter for the patch revision #
diff --git a/source/lib/util_sid.c b/source/lib/util_sid.c
index f656bb1..aa49b86 100644
--- a/source/lib/util_sid.c
+++ b/source/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
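Review bot: on the new rejection path, sid->num_auths has already been assigned the untrusted byte from CVAL(inbuf, 1) before the `> MAXSUBAUTHS` test, so a caller that ignores the return value is left holding a DOM_SID whose count exceeds its sub-authority array. Read the count into a local, validate it, and only then store it, or zero the struct before returning failure. The 6-byte memcpy from inbuf+2 also runs before the visible `len < 8 + sid->num_auths*4` test, so confirm that a `len < 8` check precedes this context. Minor style point: the added line returns `false` while the line two below returns `False`.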
diff --git a/source/libads/ldap.c b/source/libads/ldap.c
index d9598e5..f426996 100644
--- a/source/libads/ldap.c
+++ b/source/libads/ldap.c
@@ -2139,7 +2139,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
for (i=0; values[i]; i++) {
DOM_SID sid;
fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
}
}
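Review bot: the `continue` in dump_sid() drops an unparseable value with no output, so a malformed SID attribute disappears from the dump without a trace. Print the field name with a marker such as "(invalid SID)" or emit a DEBUG line before continuing, so that whoever reads the dump can tell a bad value from an absent one.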
diff --git a/source/libsmb/cliquota.c b/source/libsmb/cliquota.c
index dcdfec2..47739f0 100644
--- a/source/libsmb/cliquota.c
+++ b/source/libsmb/cliquota.c
@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count,
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
qt.qtype = SMB_USER_QUOTA_TYPE;
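Review bot: sid_parse() only bounds its reads by the length it is handed, and the visible lines of parse_user_quota_record() do not show sid_len being checked against rdata_count before `rdata+40` is passed in. Confirm that a check of the form rdata_count >= 40 + sid_len sits above this context; if it does not, add one in this patch, since the record comes from the remote server.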
diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
index c392380..b610b1f 100644
--- a/source/smbd/nttrans.c
+++ b/source/smbd/nttrans.c
@@ -1950,7 +1950,11 @@ static void call_nt_transact_ioctl(connection_struct *conn,
/* unknown 4 bytes: this is not the length of the sid :-( */
/*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
if (!sid_to_uid(&sid, &uid)) {
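Review bot: the new failure branch in call_nt_transact_ioctl() replies NT_STATUS_INVALID_PARAMETER without logging anything, while the success path right after it has a DEBUGADD. Add a DEBUG line on rejection (low level, with sid_len) so that malformed SIDs sent by a client are visible in smbd logs; for a security fix that record is what lets an administrator see attempts against the patched server.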
@@ -2206,7 +2210,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn,
break;
}
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
ZERO_STRUCT(qt);
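Review bot: the error path added in call_nt_transact_get_user_quota() leaves with a bare `return`, while the context line just above it leaves the preceding block with `break`. Check that nothing set up earlier in the function (allocated buffers, the fsp handle state) relies on the code after this block for cleanup, and if it does, route the failure through the same exit as the other cases.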
@@ -2387,7 +2394,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn,
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
/* 44 unknown bytes left... */
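Review bot: this is the third copy in nttrans.c of the same check, reply_nterror(req, NT_STATUS_INVALID_PARAMETER) and return, differing only in the pdata offset (+4, +8, +40). A small static helper taking the offset would keep the three call sites identical and make it harder for a future sid_parse() caller in this file to forget the return-value check.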
--
Samba Shared Repository