[SCM] Samba Shared Repository - branch v4-7-test updated
Karolin Seeger
kseeger at samba.org
Wed Nov 22 08:08:40 UTC 2017
The branch, v4-7-test has been updated
via cb6ec4d VERSION: Bump version up to 4.7.4...
via 641af30 Merge tag 'samba-4.7.3' into v4-7-test
via d0b59a5 VERSION: Disable GIT_SNAPSHOT for the 4.7.3 release.
via 6dc9b5f WHATSNEW: Add release notes for Samba 4.7.3.
via 8c08a4e s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
via 7e17418 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
from 7b28a97 s3: libsmb: smbc_statvfs is missing the supporting SMB2 calls.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-7-test
- Log -----------------------------------------------------------------
commit cb6ec4d50ebc5eb89ef6cff3c4d8f887d329da1b
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Nov 22 09:08:06 2017 +0100
VERSION: Bump version up to 4.7.4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 641af304b9d1d55951376a57b41d8396658714e4
Merge: 7b28a97 d0b59a5
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Nov 22 09:07:45 2017 +0100
Merge tag 'samba-4.7.3' into v4-7-test
samba: tag release samba-4.7.3
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 75 ++++++++++++++++++++++++++++++++++++++++++++++++--
source3/smbd/process.c | 7 +++--
source3/smbd/reply.c | 5 ++++
source3/smbd/srvstr.c | 14 ++++++++++
5 files changed, 97 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 0ba31a3..6be993b 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=7
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8074a83..4e403ae 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,75 @@
=============================
+ Release Notes for Samba 4.7.3
+ November 21, 2017
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2017-14746 (Use-after-free vulnerability.)
+o CVE-2017-15275 (Server heap memory information leak.)
+
+
+=======
+Details
+=======
+
+o CVE-2017-14746:
+ All versions of Samba from 4.0.0 onwards are vulnerable to a use after
+ free vulnerability, where a malicious SMB1 request can be used to
+ control the contents of heap memory via a deallocated heap pointer. It
+ is possible this may be used to compromise the SMB server.
+
+o CVE-2017-15275:
+ All versions of Samba from 3.6.0 onwards are vulnerable to a heap
+ memory information leak, where server allocated heap memory may be
+ returned to the client without being cleared.
+
+ There is no known vulnerability associated with this error, but
+ uncleared heap memory may contain previously used data that may help
+ an attacker compromise the server via other methods. Uncleared heap
+ memory may potentially contain password hashes or other high-value
+ data.
+
+For more details and workarounds, please see the security advisories:
+
+ o https://www.samba.org/samba/security/CVE-2017-14746.html
+ o https://www.samba.org/samba/security/CVE-2017-15275.html
+
+
+Changes since 4.7.2:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
+ * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized
+ memory when talloc buffer is grown.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.7.2
November 15, 2017
=============================
@@ -51,8 +122,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.7.1
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 3765739..3544266 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1855,12 +1855,13 @@ void smb_request_done(struct smb_request *req)
next->vuid = SVAL(req->outbuf, smb_uid);
next->tid = SVAL(req->outbuf, smb_tid);
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
now, &tcon);
+
if (NT_STATUS_IS_OK(status)) {
- req->conn = tcon->compat;
+ next->conn = tcon->compat;
} else {
- req->conn = NULL;
+ next->conn = NULL;
}
next->chain_fsp = req->chain_fsp;
next->inbuf = req->inbuf;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 7b07078..81acedf 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -923,6 +923,11 @@ void reply_tcon_and_X(struct smb_request *req)
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba..c2d70b3 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
--
Samba Shared Repository
More information about the samba-cvs
mailing list