Quoting Adam D. Barratt ([email protected]): > Assuming that the diff between the 3.4.8 packages currently in testing > and the tpu package would simply be upstream's patch from their security > page, please go ahead.
Thge diff will be the exact diff between two upstream versions. So that means: bubu...@sesostris:~/src/debian/samba$ diffstat diff-3.4.8-3.4.9 WHATSNEW.txt | 59 ++++++++++++++++++++ libcli/security/dom_sid.c | 4 + libcli/security/dom_sid.h | 4 + packaging/RHEL-CTDB/samba.spec | 2 packaging/RHEL/makerpms.sh | 2 packaging/RHEL/samba.spec | 2 source3/VERSION | 2 source3/include/version.h | 4 - source3/lib/util_sid.c | 3 + source3/libads/ldap.c | 4 + source3/libsmb/cliquota.c | 4 + source3/smbd/nttrans.c | 17 ++++-- source4/ldap_server/devdocs/AD-Syntaxes.txt | 79 ++++++++++++++++++++++++++++ 13 files changed, 173 insertions(+), 13 deletions(-) whatsnew.TXT is upstream "kinda changelog". It only lists the security fix. packaging/ is not used Source3/VERSION is just changing the displayed version ditto for source3/include/version.h Source3/* is upstream's fix source4/ldap_server/devdocs/AD-Syntaxes.txt...hmm, is noise, but doesn't harm and isn't used Full diff attached.
diff -Nru samba-3.4.8/libcli/security/dom_sid.c
samba-3.4.9/libcli/security/dom_sid.c
--- samba-3.4.8/libcli/security/dom_sid.c 2010-05-10 14:58:53.000000000
+0200
+++ samba-3.4.9/libcli/security/dom_sid.c 2010-09-09 16:23:21.000000000
+0200
@@ -117,6 +117,10 @@
if (sidstr[i] == '-') num_sub_auths++;
}
+ if (num_sub_auths > MAXSUBAUTHS) {
+ return false;
+ }
+
ret->sid_rev_num = rev;
ret->id_auth[0] = 0;
ret->id_auth[1] = 0;
diff -Nru samba-3.4.8/libcli/security/dom_sid.h
samba-3.4.9/libcli/security/dom_sid.h
--- samba-3.4.8/libcli/security/dom_sid.h 2010-05-10 14:58:53.000000000
+0200
+++ samba-3.4.9/libcli/security/dom_sid.h 2010-09-09 16:23:21.000000000
+0200
@@ -40,5 +40,9 @@
const struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
#endif /*_DOM_SID_H_*/
diff -Nru samba-3.4.8/packaging/RHEL/makerpms.sh
samba-3.4.9/packaging/RHEL/makerpms.sh
--- samba-3.4.8/packaging/RHEL/makerpms.sh 2010-05-10 15:01:43.000000000
+0200
+++ samba-3.4.9/packaging/RHEL/makerpms.sh 2010-09-09 19:20:16.000000000
+0200
@@ -20,7 +20,7 @@
USERID=`id -u`
GRPID=`id -g`
-VERSION='3.4.8'
+VERSION='3.4.9'
REVISION=''
SPECFILE="samba.spec"
RPMVER=`rpm --version | awk '{print $3}'`
diff -Nru samba-3.4.8/packaging/RHEL/samba.spec
samba-3.4.9/packaging/RHEL/samba.spec
--- samba-3.4.8/packaging/RHEL/samba.spec 2010-05-10 15:01:43.000000000
+0200
+++ samba-3.4.9/packaging/RHEL/samba.spec 2010-09-09 19:20:16.000000000
+0200
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <[email protected]>
Name: samba
-Version: 3.4.8
+Version: 3.4.9
Release: 1
Epoch: 0
License: GNU GPL version 3
diff -Nru samba-3.4.8/packaging/RHEL-CTDB/samba.spec
samba-3.4.9/packaging/RHEL-CTDB/samba.spec
--- samba-3.4.8/packaging/RHEL-CTDB/samba.spec 2010-05-10 15:01:43.000000000
+0200
+++ samba-3.4.9/packaging/RHEL-CTDB/samba.spec 2010-09-09 19:20:16.000000000
+0200
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <[email protected]>
Name: samba
-Version: 3.4.8
+Version: 3.4.9
Release: ctdb.1
Epoch: 0
License: GNU GPL version 3
diff -Nru samba-3.4.8/source3/include/version.h
samba-3.4.9/source3/include/version.h
--- samba-3.4.8/source3/include/version.h 2010-05-10 15:01:44.000000000
+0200
+++ samba-3.4.9/source3/include/version.h 2010-09-09 19:20:17.000000000
+0200
@@ -1,8 +1,8 @@
/* Autogenerated by script/mkversion.sh */
#define SAMBA_VERSION_MAJOR 3
#define SAMBA_VERSION_MINOR 4
-#define SAMBA_VERSION_RELEASE 8
-#define SAMBA_VERSION_OFFICIAL_STRING "3.4.8"
+#define SAMBA_VERSION_RELEASE 9
+#define SAMBA_VERSION_OFFICIAL_STRING "3.4.9"
#ifdef SAMBA_VERSION_VENDOR_FUNCTION
# define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
#else /* SAMBA_VERSION_VENDOR_FUNCTION */
diff -Nru samba-3.4.8/source3/lib/util_sid.c samba-3.4.9/source3/lib/util_sid.c
--- samba-3.4.8/source3/lib/util_sid.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/lib/util_sid.c 2010-09-09 16:23:21.000000000 +0200
@@ -408,6 +408,9 @@
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
diff -Nru samba-3.4.8/source3/libads/ldap.c samba-3.4.9/source3/libads/ldap.c
--- samba-3.4.8/source3/libads/ldap.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/libads/ldap.c 2010-09-09 16:23:21.000000000 +0200
@@ -2128,7 +2128,9 @@
for (i=0; values[i]; i++) {
DOM_SID sid;
fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
}
}
diff -Nru samba-3.4.8/source3/libsmb/cliquota.c
samba-3.4.9/source3/libsmb/cliquota.c
--- samba-3.4.8/source3/libsmb/cliquota.c 2010-05-10 14:58:53.000000000
+0200
+++ samba-3.4.9/source3/libsmb/cliquota.c 2010-09-09 16:23:21.000000000
+0200
@@ -117,7 +117,9 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
qt.qtype = SMB_USER_QUOTA_TYPE;
diff -Nru samba-3.4.8/source3/smbd/nttrans.c samba-3.4.9/source3/smbd/nttrans.c
--- samba-3.4.8/source3/smbd/nttrans.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/smbd/nttrans.c 2010-09-09 16:23:21.000000000 +0200
@@ -2080,7 +2080,11 @@
/* unknown 4 bytes: this is not the length of the sid :-( */
/*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
if (!sid_to_uid(&sid, &uid)) {
@@ -2336,7 +2340,10 @@
break;
}
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid,
&qt)!=0) {
ZERO_STRUCT(qt);
@@ -2517,7 +2524,11 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
/* 44 unknown bytes left... */
diff -Nru samba-3.4.8/source3/VERSION samba-3.4.9/source3/VERSION
--- samba-3.4.8/source3/VERSION 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/VERSION 2010-09-09 16:23:21.000000000 +0200
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
########################################################
# Bug fix releases use a letter for the patch revision #
diff -Nru samba-3.4.8/source4/ldap_server/devdocs/AD-Syntaxes.txt
samba-3.4.9/source4/ldap_server/devdocs/AD-Syntaxes.txt
--- samba-3.4.8/source4/ldap_server/devdocs/AD-Syntaxes.txt 1970-01-01
01:00:00.000000000 +0100
+++ samba-3.4.9/source4/ldap_server/devdocs/AD-Syntaxes.txt 2010-09-09
16:23:21.000000000 +0200
@@ -0,0 +1,79 @@
+Description LDAP OID oMSyntax
oMObjectClass attributeSyntax MS-Name
+-------------------------------------------------------------------------------------------------------------------------------------------------------------
+Boolean 1.3.6.1.4.1.1466.115.121.1.7 1
2.5.5.8 Boolean
+Integer 1.3.6.1.4.1.1466.115.121.1.27 2
2.5.5.9 Integer
+Octet String 1.3.6.1.4.1.1466.115.121.1.40 4
2.5.5.10 String(Octet)
+Octet String 1.3.6.1.4.1.1466.115.121.1.40 4
2.5.5.17 String(Sid)
+OID 1.3.6.1.4.1.1466.115.121.1.38 6
2.5.5.2 String(Object-Identifier)
+Integer 1.3.6.1.4.1.1466.115.121.1.27 10
2.5.5.9 Enumeration
+Numeric String 1.3.6.1.4.1.1466.115.121.1.36 18
2.5.5.6 String(Numeric)
+Printable String 1.3.6.1.4.1.1466.115.121.1.44 19
2.5.5.5 String(Printable)
+CaseIgnoreString * 1.2.840.113556.1.4.905 20
2.5.5.4 String(Teletex)
+IA5 String 1.3.6.1.4.1.1466.115.121.1.26 22
2.5.5.5 String(IA5)
+UTC Time 1.3.6.1.4.1.1466.115.121.1.53 23
2.5.5.11 String(UTC-Time)
+Generalized Time 1.3.6.1.4.1.1466.115.121.1.24 24
2.5.5.11 String(Generalized-Time)
+ 1.2.840.113556.1.4.1362 27
2.5.5.3 String(Case Sensitive)
+Directory String 1.3.6.1.4.1.1466.115.121.1.15 64
2.5.5.12 String(Unicode)
+Large-Integer * 1.2.840.113556.1.4.906 65
2.5.5.16 Interval/LargeInteger
+Object-Security-Descriptor * 1.2.840.113556.1.4.907 66
2.5.5.15 String(NT-Sec-Desc)
+DN 1.3.6.1.4.1.1466.115.121.1.12 127 2b0c
0287 731c 0085 4a 2.5.5.1 Object(DS-DN)
+DNWithOctetString * 1.2.840.113556.1.4.903 127 2a86
4886 f714 0101 010b 2.5.5.7 Object(DN-Binary)
+OR-Name * 1.2.840.113556.1.4.1221 127
5606 0102 050b 1D 2.5.5.7 Object(OR-Name)
+Octet String 1.3.6.1.4.1.1466.115.121.1.40 127 2a86
4886 f714 0101 0106 2.5.5.10 Object(Replica-Link)
+Presentation Address 1.3.6.1.4.1.1466.115.121.1.43 127 2b0c
0287 731c 0085 5c 2.5.5.13 Object(Presentation-Address)
+Access Point 1.3.6.1.4.1.1466.115.121.1.2 127 2b0c
0287 731c 0085 3e 2.5.5.14 Object(Access-Point)
+DNWithString * 1.2.840.113556.1.4.904 127 2a86
4886 f714 0101 010c 2.5.5.14 Object(DN-String)
+
+
+Unrepresent Syntaxes:
+
+ACI Item 1.3.6.1.4.1.1466.115.121.1.1
+Access Point 1.3.6.1.4.1.1466.115.121.1.2
+Attribute Type Description 1.3.6.1.4.1.1466.115.121.1.3
+Audio 1.3.6.1.4.1.1466.115.121.1.4
+Binary 1.3.6.1.4.1.1466.115.121.1.5
+Bit String 1.3.6.1.4.1.1466.115.121.1.6
+Certificate 1.3.6.1.4.1.1466.115.121.1.8
+Certificate List 1.3.6.1.4.1.1466.115.121.1.9
+Certificate Pair 1.3.6.1.4.1.1466.115.121.1.10
+Country String 1.3.6.1.4.1.1466.115.121.1.11
+Data Quality Syntax 1.3.6.1.4.1.1466.115.121.1.13
+Delivery Method 1.3.6.1.4.1.1466.115.121.1.14
+DIT Content Rule Description 1.3.6.1.4.1.1466.115.121.1.16
+DIT Structure Rule Description 1.3.6.1.4.1.1466.115.121.1.17
+DL Submit Permission 1.3.6.1.4.1.1466.115.121.1.18
+DSA Quality Syntax 1.3.6.1.4.1.1466.115.121.1.19
+DSE Type 1.3.6.1.4.1.1466.115.121.1.20
+Enhanced Guide 1.3.6.1.4.1.1466.115.121.1.21
+Facsimile Telephone Number 1.3.6.1.4.1.1466.115.121.1.22
+Fax 1.3.6.1.4.1.1466.115.121.1.23
+Guide 1.3.6.1.4.1.1466.115.121.1.25
+JPEG 1.3.6.1.4.1.1466.115.121.1.28
+Master And Shadow Access Points 1.3.6.1.4.1.1466.115.121.1.29
+Matching Rule Description 1.3.6.1.4.1.1466.115.121.1.30
+Matching Rule Use Description 1.3.6.1.4.1.1466.115.121.1.31
+Mail Preference 1.3.6.1.4.1.1466.115.121.1.32
+MHS OR Address 1.3.6.1.4.1.1466.115.121.1.33
+Name And Optional UID 1.3.6.1.4.1.1466.115.121.1.34
+Name Form Description 1.3.6.1.4.1.1466.115.121.1.35
+Object Class Description 1.3.6.1.4.1.1466.115.121.1.37
+Other Mailbox 1.3.6.1.4.1.1466.115.121.1.39
+Postal Address 1.3.6.1.4.1.1466.115.121.1.41
+Protocol Information 1.3.6.1.4.1.1466.115.121.1.42
+Subtree Specification 1.3.6.1.4.1.1466.115.121.1.45
+Supplier Information 1.3.6.1.4.1.1466.115.121.1.46
+Supplier Or Consumer 1.3.6.1.4.1.1466.115.121.1.47
+Supplier And Consumer 1.3.6.1.4.1.1466.115.121.1.48
+Supported Algorithm 1.3.6.1.4.1.1466.115.121.1.49
+Telephone Number 1.3.6.1.4.1.1466.115.121.1.50
+Teletex Terminal Identifier 1.3.6.1.4.1.1466.115.121.1.51
+Telex Number 1.3.6.1.4.1.1466.115.121.1.52
+LDAP Syntax Description 1.3.6.1.4.1.1466.115.121.1.54
+Modify Rights 1.3.6.1.4.1.1466.115.121.1.55
+LDAP Schema Definition 1.3.6.1.4.1.1466.115.121.1.56
+LDAP Schema Description 1.3.6.1.4.1.1466.115.121.1.57
+Substring Assertion 1.3.6.1.4.1.1466.115.121.1.58
+
+
+* names come from: draft-armijo-ldap-syntax-00.txt
+
diff -Nru samba-3.4.8/WHATSNEW.txt samba-3.4.9/WHATSNEW.txt
--- samba-3.4.8/WHATSNEW.txt 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/WHATSNEW.txt 2010-09-09 16:23:21.000000000 +0200
@@ -1,4 +1,59 @@
=============================
+ Release Notes for Samba 3.4.9
+ September 14, 2010
+ =============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o CVE-2010-3069:
+ All current released versions of Samba are vulnerable to
+ a buffer overrun vulnerability. The sid_parse() function
+ (and related dom_sid_parse() function in the source4 code)
+ do not correctly check their input lengths when reading a
+ binary representation of a Windows SID (Security ID). This
+ allows a malicious client to send a sid that can overflow
+ the stack variable that is being used to store the SID in the
+ Samba smbd server.
+
+
+Changes since 3.4.8
+-------------------
+
+
+o Jeremy Allison <[email protected]>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+o Andrew Bartlett <[email protected]>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 3.4.8
May 11, 2010
=============================
@@ -116,8 +171,8 @@
======================================================================
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 3.4.7
signature.asc
Description: Digital signature
