Applying both CVE-2010-2063 and CVE-2012-0870 security patches

Yael Goldberg yael.technical at gmail.com
Wed May 9 03:13:15 MDT 2012


Hello,

We are using SAMBA-3.0.37.

I was going to apply security patch CVE-2012-0870 (
http://www.samba.org/samba/security/CVE-2012-0870), and I noticed that it
is closely related to patch CVE-2010-2063 (
http://www.samba.org/samba/security/CVE-2010-2063.html), and applying both
patches using patch.exe causes a reject.

Should both patches be applied?
Should the final code in "chain_reply" function in process.c look like
the code below? (code that came from the security patches is marked by
appropriate comments)

Thank you
(also for releasing security patches for this version, even though it is
obsolete)
Yael.


int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
{
    static char *orig_inbuf;
    static char *orig_outbuf;
    static int orig_size; //CVE 2010-2063
    int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
    static unsigned smb_off2; // CVE 2012-0870
    ...
    if (chain_size == 0) {
        /* this is the first part of the chain */
        orig_inbuf = inbuf;
        orig_outbuf = outbuf;
        orig_size = size; // CVE 2010-2063
        smb_off2 = 0; //CVE 2012-0870
    }
    // CVE 2012-0870 Start
    if (SVAL(inbuf,smb_vwv1) <= smb_off2) {
        DEBUG(1, ("AndX offset not increasing\n"));
        SCVAL(outbuf, smb_vwv0, 0xFF);
        return outsize;
    }
    smb_off2 = SVAL(inbuf, smb_vwv1);
    // CVE 2012-0870 End
    // CVE 2010-2063 Start
    /* Validate smb_off2 */
    if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
        exit_server_cleanly("Bad chained packet");
        return -1;
    }
    // CVE 2010-2063 End
    /*
     * The original Win95 redirector dies on a reply to
     * a lockingX and read chain unless the chain reply is
     * 4 byte aligned. JRA.
     */
    ...
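
A stand-alone model of the two checks, in the order they appear in the listing above, added here as an illustration; it is not Samba code and not part of the original message. The struct and function names and the value 36 for smb_wct are assumptions, and the AndX offsets are constructed.

```c
#include <stdio.h>
#include <stddef.h>

#define SMB_WCT 36u /* assumed value of smb_wct (word count offset, incl. 4-byte header) */

enum verdict { CHAIN_OK, NOT_INCREASING, BAD_OFFSET };

struct chain_state {
    unsigned prev_off2; /* last accepted AndX offset */
    int orig_size;      /* size of the first request in the chain */
};

/* Apply both checks to one AndX offset, in the order used in the listing. */
static enum verdict check_andx(struct chain_state *st, unsigned off2)
{
    /* CVE-2012-0870 check: each offset must be strictly greater than the last. */
    if (off2 <= st->prev_off2)
        return NOT_INCREASING;
    st->prev_off2 = off2;

    /* CVE-2010-2063 check: the offset must fall inside the original request. */
    if (off2 < SMB_WCT - 4 || (unsigned)st->orig_size < off2 + 4 - SMB_WCT)
        return BAD_OFFSET;
    return CHAIN_OK;
}

/* Walk a list of AndX offsets; the first rejected index is stored in *bad. */
static enum verdict walk_chain(const unsigned *offs, size_t n, int orig_size, size_t *bad)
{
    struct chain_state st = { 0, orig_size }; /* reset, as when chain_size == 0 */
    for (size_t i = 0; i < n; i++) {
        enum verdict v = check_andx(&st, offs[i]);
        if (v != CHAIN_OK) { *bad = i; return v; }
    }
    return CHAIN_OK;
}

int main(void)
{
    /* Constructed offsets, not captured traffic; request size 300 bytes. */
    const unsigned good[] = { 100, 160, 220 }, loop[] = { 100, 160, 100 }, far[] = { 100, 400 };
    size_t bad = 0;
    enum verdict v;
    v = walk_chain(good, 3, 300, &bad); printf("good: verdict %d\n", (int)v);
    v = walk_chain(loop, 3, 300, &bad); printf("loop: verdict %d at index %zu\n", (int)v, bad);
    v = walk_chain(far, 2, 300, &bad);  printf("far:  verdict %d at index %zu\n", (int)v, bad);
    return 0;
}
```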

