Security patches for Samba 3.3.x (CVE-2010-{1635,1642})
Eren Türkay
eren at pardus.org.tr
Wed May 26 10:28:50 MDT 2010
Hello,
A NULL pointer dereference (#7229, CVE-2010-1635) and a crash with CUPS
printers (#7298, CVE-2010-1642) have been fixed with the release of
3.4.8. According to bugzilla, the fixes were also committed to
3.5-test.
It seems that 3.3.x is also vulnerable, as the same code seems to exist in this
release as well. However, I couldn't see any reference for 3.3.x being
vulnerable. I would really appreciate a statement from the Samba team as to
the status of 3.3.x.
Attached is the patch that I made according to the changes committed to
the GIT repository, and hopefully it fixes the issues.
Regards,
Eren
-------------- next part --------------
Index: samba-3.3.12/source/smbd/service.c
===================================================================
--- samba-3.3.12.orig/source/smbd/service.c
+++ samba-3.3.12/source/smbd/service.c
@@ -409,7 +409,7 @@ int find_service(fstring service)
if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {
iPrinterService = load_registry_service(PRINTERS_NAME);
}
- if (iPrinterService) {
+ if (iPrinterService >= 0) {
DEBUG(3,("checking whether %s is a valid printer name...\n", service));
if (pcap_printername_ok(service)) {
DEBUG(3,("%s is a valid printer name\n", service));
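Review bot: the new `if (iPrinterService >= 0)` test is the right one, because the lookup just above uses `< 0` as its failure condition, so a negative value from lp_servicenumber() or load_registry_service() is "not found", and the old `if (iPrinterService)` let that negative value through to pcap_printername_ok() while wrongly skipping the case where the printers service sits at index 0. A short comment on the new line stating that a negative index means the service does not exist would stop a future reader from "simplifying" it back to a truthiness check.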
Index: samba-3.3.12/source/smbd/sesssetup.c
===================================================================
--- samba-3.3.12.orig/source/smbd/sesssetup.c
+++ samba-3.3.12/source/smbd/sesssetup.c
@@ -1199,7 +1199,7 @@ static void reply_sesssetup_and_X_spnego
file_save("negotiate.dat", blob1.data, blob1.length);
#endif
- p2 = (char *)req->inbuf + smb_vwv13 + data_blob_len;
+ p2 = (char *)req->inbuf + smb_vwv13 + blob1.length;
p2 += srvstr_pull_buf(req->inbuf, smb_flag2, native_os, p2,
sizeof(native_os), STR_TERMINATE);
p2 += srvstr_pull_buf(req->inbuf, smb_flag2, native_lanman, p2,
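Review bot: replacing `data_blob_len` with `blob1.length` when computing `p2` is correct, since blob1 is the security blob actually pulled from the request (the same length used in the file_save() call just above), whereas the previous value came from the client's own length field, so the pointer handed to the two srvstr_pull_buf() calls could be advanced past the data that was really received. Please confirm in the backport that blob1.length is bounded against the received buffer at the point where blob1 is pulled (that code is outside this hunk), and consider adding a one-line comment that p2 must be derived from the pulled blob rather than the advertised length.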