Quoting Adam D. Barratt (adam@adam-barratt.org.uk):

> Assuming that the diff between the 3.4.8 packages currently in testing
> and the tpu package would simply be upstream's patch from their security
> page, please go ahead.

The diff will be the exact diff between the two upstream versions (3.4.8 and 3.4.9). So that means:

bubulle@sesostris:~/src/debian/samba$ diffstat diff-3.4.8-3.4.9
 WHATSNEW.txt                                |   59 ++++++++++++++++++++
 libcli/security/dom_sid.c                   |    4 +
 libcli/security/dom_sid.h                   |    4 +
 packaging/RHEL-CTDB/samba.spec              |    2
 packaging/RHEL/makerpms.sh                  |    2
 packaging/RHEL/samba.spec                   |    2
 source3/VERSION                             |    2
 source3/include/version.h                   |    4 -
 source3/lib/util_sid.c                      |    3 +
 source3/libads/ldap.c                       |    4 +
 source3/libsmb/cliquota.c                   |    4 +
 source3/smbd/nttrans.c                      |   17 ++++-
 source4/ldap_server/devdocs/AD-Syntaxes.txt |   79 ++++++++++++++++++++++++++++
 13 files changed, 173 insertions(+), 13 deletions(-)

WHATSNEW.txt is upstream's "kinda changelog"; here it only lists the security fix (CVE-2010-3069).
packaging/ is not used.
source3/VERSION only changes the displayed version; ditto for source3/include/version.h.
source3/* is upstream's fix.
source4/ldap_server/devdocs/AD-Syntaxes.txt is noise (a new documentation file), but it is harmless and isn't used.

Full diff attached.
diff -Nru samba-3.4.8/libcli/security/dom_sid.c samba-3.4.9/libcli/security/dom_sid.c
--- samba-3.4.8/libcli/security/dom_sid.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/libcli/security/dom_sid.c 2010-09-09 16:23:21.000000000 +0200
@@ -117,6 +117,10 @@
 if (sidstr[i] == '-') num_sub_auths++;
 }
+ if (num_sub_auths > MAXSUBAUTHS) {
+ return false;
+ }
+
 ret->sid_rev_num = rev;
 ret->id_auth[0] = 0;
 ret->id_auth[1] = 0;
diff -Nru samba-3.4.8/libcli/security/dom_sid.h samba-3.4.9/libcli/security/dom_sid.h
--- samba-3.4.8/libcli/security/dom_sid.h 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/libcli/security/dom_sid.h 2010-09-09 16:23:21.000000000 +0200
@@ -40,5 +40,9 @@
 const struct dom_sid *sid);
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
 #endif /*_DOM_SID_H_*/
diff -Nru samba-3.4.8/packaging/RHEL/makerpms.sh samba-3.4.9/packaging/RHEL/makerpms.sh
--- samba-3.4.8/packaging/RHEL/makerpms.sh 2010-05-10 15:01:43.000000000 +0200
+++ samba-3.4.9/packaging/RHEL/makerpms.sh 2010-09-09 19:20:16.000000000 +0200
@@ -20,7 +20,7 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.4.8'
+VERSION='3.4.9'
 REVISION=''
 SPECFILE="samba.spec"
 RPMVER=`rpm --version | awk '{print $3}'`
diff -Nru samba-3.4.8/packaging/RHEL/samba.spec samba-3.4.9/packaging/RHEL/samba.spec
--- samba-3.4.8/packaging/RHEL/samba.spec 2010-05-10 15:01:43.000000000 +0200
+++ samba-3.4.9/packaging/RHEL/samba.spec 2010-09-09 19:20:16.000000000 +0200
@@ -5,7 +5,7 @@
 Vendor: Samba Team
 Packager: Samba Team <samba@samba.org>
 Name: samba
-Version: 3.4.8
+Version: 3.4.9
 Release: 1
 Epoch: 0
 License: GNU GPL version 3
diff -Nru samba-3.4.8/packaging/RHEL-CTDB/samba.spec samba-3.4.9/packaging/RHEL-CTDB/samba.spec
--- samba-3.4.8/packaging/RHEL-CTDB/samba.spec 2010-05-10 15:01:43.000000000 +0200
+++ samba-3.4.9/packaging/RHEL-CTDB/samba.spec 2010-09-09 19:20:16.000000000 +0200
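Review bot: The new bound on num_sub_auths carries no comment saying what it protects, and the link to the destination array is visible only through the MAXSUBAUTHS name; a line such as `/* ret->sub_auths[] holds MAXSUBAUTHS entries: refuse before the parse loop below writes past it */` above the `if` would tell the next reader why this is the CVE-2010-3069 fix rather than a cosmetic limit. The count being checked is the number of '-' characters seen in the string, so the guard is only as good as the agreement between that count and the number of sub-authorities the later loop actually stores; that loop is outside the hunk and worth confirming. The enclosing function starts before and ends after this hunk.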
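Review bot: Wrapping the definition in `#ifndef MAXSUBAUTHS` means that when another header seen first defines the macro with a different value, this definition is silently skipped and the bound enforced in dom_sid.c no longer matches the 15 assumed here. The source3 util_sid.c hunk uses the same macro name, and where its definition comes from is not visible in the diff; if the constant lives elsewhere in the tree as well, either include that definition here or add `#elif MAXSUBAUTHS != 15` / `#error MAXSUBAUTHS mismatch` between the `#define` and the `#endif` so a disagreement fails at compile time instead of at runtime. The comment could also say what the number bounds, e.g. `/* max sub authorities in a SID; should match the size of the sub_auths[] array in struct dom_sid */`, since the struct itself is not in this diff.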
@@ -5,7 +5,7 @@
 Vendor: Samba Team
 Packager: Samba Team <samba@samba.org>
 Name: samba
-Version: 3.4.8
+Version: 3.4.9
 Release: ctdb.1
 Epoch: 0
 License: GNU GPL version 3
diff -Nru samba-3.4.8/source3/include/version.h samba-3.4.9/source3/include/version.h
--- samba-3.4.8/source3/include/version.h 2010-05-10 15:01:44.000000000 +0200
+++ samba-3.4.9/source3/include/version.h 2010-09-09 19:20:17.000000000 +0200
@@ -1,8 +1,8 @@
 /* Autogenerated by script/mkversion.sh */
 #define SAMBA_VERSION_MAJOR 3
 #define SAMBA_VERSION_MINOR 4
-#define SAMBA_VERSION_RELEASE 8
-#define SAMBA_VERSION_OFFICIAL_STRING "3.4.8"
+#define SAMBA_VERSION_RELEASE 9
+#define SAMBA_VERSION_OFFICIAL_STRING "3.4.9"
 #ifdef SAMBA_VERSION_VENDOR_FUNCTION
 # define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
 #else /* SAMBA_VERSION_VENDOR_FUNCTION */
diff -Nru samba-3.4.8/source3/lib/util_sid.c samba-3.4.9/source3/lib/util_sid.c
--- samba-3.4.8/source3/lib/util_sid.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/lib/util_sid.c 2010-09-09 16:23:21.000000000 +0200
@@ -408,6 +408,9 @@
 sid->sid_rev_num = CVAL(inbuf, 0);
 sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
 memcpy(sid->id_auth, inbuf+2, 6);
 if (len < 8 + sid->num_auths*4) return False;
diff -Nru samba-3.4.8/source3/libads/ldap.c samba-3.4.9/source3/libads/ldap.c
--- samba-3.4.8/source3/libads/ldap.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/libads/ldap.c 2010-09-09 16:23:21.000000000 +0200
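Review bot: The early `return false` fires after `sid->sid_rev_num` and `sid->num_auths` have already been stored, so a caller that ignores the result (the nttrans.c, cliquota.c and ldap.c sites in this patch check it, but other callers are not visible here) is left holding a DOM_SID whose num_auths exceeds MAXSUBAUTHS while sub_auths[] was never filled; setting `sid->num_auths = 0;` before the return, or testing the byte before storing it, makes the failure path harmless by construction. The added line also returns `false` while the pre-existing length check just below returns `False`; one spelling should be used within the function. sid_parse itself begins before and ends after this hunk.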
@@ -2128,7 +2128,9 @@
 for (i=0; values[i]; i++) {
 DOM_SID sid;
 fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
 printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
 }
 }
diff -Nru samba-3.4.8/source3/libsmb/cliquota.c samba-3.4.9/source3/libsmb/cliquota.c
--- samba-3.4.8/source3/libsmb/cliquota.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/libsmb/cliquota.c 2010-09-09 16:23:21.000000000 +0200
@@ -117,7 +117,9 @@
 }
 #endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
 qt.qtype = SMB_USER_QUOTA_TYPE;
diff -Nru samba-3.4.8/source3/smbd/nttrans.c samba-3.4.9/source3/smbd/nttrans.c
--- samba-3.4.8/source3/smbd/nttrans.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/smbd/nttrans.c 2010-09-09 16:23:21.000000000 +0200
@@ -2080,7 +2080,11 @@
 /* unknown 4 bytes: this is not the length of the sid :-( */
 /*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
 DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 if (!sid_to_uid(&sid, &uid)) {
@@ -2336,7 +2340,10 @@
 break;
 }
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
 ZERO_STRUCT(qt);
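Review bot: Skipping a value that fails to parse with a bare `continue` makes a malformed or over-long SID attribute vanish from the dump without a trace, which is the opposite of what a diagnostic printer should do when it meets exactly the kind of input CVE-2010-3069 is about. Printing a marker instead, e.g. `printf("%s: <invalid SID>\n", field);` before the `continue;`, keeps the output aligned with the number of values received and shows the bad entry to whoever is inspecting the directory. The loop sits inside a function that begins before this hunk.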
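Review bot: The `return false` drops the record with no indication why, so an operator whose quota listing fails against a server returning an over-long SID has nothing in the log to go on; a `DEBUG(1, ("sid_parse failed on user quota record\n"));` ahead of the return would make the rejection visible. sid_parse only checks num_auths and the 8 + 4*num_auths length against sid_len, so whether `rdata+40` plus sid_len stays inside the received reply depends on a bounds check earlier in this function, which is outside the hunk and worth confirming. The function starts before this hunk and its return type is not visible here, so `false` is assumed to match it.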
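Review bot: Answering with NT_STATUS_INVALID_PARAMETER is the right outcome, but nothing is logged, so a client that sends an over-long SID — the very input CVE-2010-3069 describes — leaves no trace for detection or troubleshooting. A `DEBUG(2, ("rejecting malformed SID in quota request\n"));` inside the new block, before `reply_nterror`, gives operators something to alert on without changing the wire behaviour. The handler this sits in begins before the hunk, so the exact function name to put in the message is not visible here.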
@@ -2517,7 +2524,11 @@
 }
 #endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
 DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 /* 44 unknown bytes left... */
diff -Nru samba-3.4.8/source3/VERSION samba-3.4.9/source3/VERSION
--- samba-3.4.8/source3/VERSION 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/VERSION 2010-09-09 16:23:21.000000000 +0200
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 ########################################################
 # Bug fix releases use a letter for the patch revision #
diff -Nru samba-3.4.8/source4/ldap_server/devdocs/AD-Syntaxes.txt samba-3.4.9/source4/ldap_server/devdocs/AD-Syntaxes.txt
--- samba-3.4.8/source4/ldap_server/devdocs/AD-Syntaxes.txt 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.4.9/source4/ldap_server/devdocs/AD-Syntaxes.txt 2010-09-09 16:23:21.000000000 +0200
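Review bot: This is the third identical copy of the parse-and-reject block added to nttrans.c in this patch (the others are in the -2080 and -2336 hunks), which invites the three sites to drift if the status code or a log line is later changed in only one of them. A small static helper that parses the client SID and answers the request on failure would reduce each site to a two-line guard; sketch below, assuming `req` is the same request object the three handlers already pass to reply_nterror. The enclosing function begins before this hunk.
```c
/* Parse a client-supplied binary SID of sid_len bytes into *sid.
 * On failure the request is answered with NT_STATUS_INVALID_PARAMETER
 * and false is returned so the caller can simply bail out. */
static bool parse_client_sid(struct smb_request *req, const char *p,
			     size_t sid_len, DOM_SID *sid)
{
	if (!sid_parse(p, sid_len, sid)) {
		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
		return false;
	}
	return true;
}

/* … unchanged: quota record decoding up to the SID … */
	if (!parse_client_sid(req, pdata+40, sid_len, &sid)) {
		return;
	}
/* … unchanged: DEBUGADD and the 44 unknown bytes … */
```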
@@ -0,0 +1,79 @@ +Description LDAP OID oMSyntax oMObjectClass attributeSyntax MS-Name +------------------------------------------------------------------------------------------------------------------------------------------------------------- +Boolean 1.3.6.1.4.1.1466.115.121.1.7 1 2.5.5.8 Boolean +Integer 1.3.6.1.4.1.1466.115.121.1.27 2 2.5.5.9 Integer +Octet String 1.3.6.1.4.1.1466.115.121.1.40 4 2.5.5.10 String(Octet) +Octet String 1.3.6.1.4.1.1466.115.121.1.40 4 2.5.5.17 String(Sid) +OID 1.3.6.1.4.1.1466.115.121.1.38 6 2.5.5.2 String(Object-Identifier) +Integer 1.3.6.1.4.1.1466.115.121.1.27 10 2.5.5.9 Enumeration +Numeric String 1.3.6.1.4.1.1466.115.121.1.36 18 2.5.5.6 String(Numeric) +Printable String 1.3.6.1.4.1.1466.115.121.1.44 19 2.5.5.5 String(Printable) +CaseIgnoreString * 1.2.840.113556.1.4.905 20 2.5.5.4 String(Teletex) +IA5 String 1.3.6.1.4.1.1466.115.121.1.26 22 2.5.5.5 String(IA5) +UTC Time 1.3.6.1.4.1.1466.115.121.1.53 23 2.5.5.11 String(UTC-Time) +Generalized Time 1.3.6.1.4.1.1466.115.121.1.24 24 2.5.5.11 String(Generalized-Time) + 1.2.840.113556.1.4.1362 27 2.5.5.3 String(Case Sensitive) +Directory String 1.3.6.1.4.1.1466.115.121.1.15 64 2.5.5.12 String(Unicode) +Large-Integer * 1.2.840.113556.1.4.906 65 2.5.5.16 Interval/LargeInteger +Object-Security-Descriptor * 1.2.840.113556.1.4.907 66 2.5.5.15 String(NT-Sec-Desc) +DN 1.3.6.1.4.1.1466.115.121.1.12 127 2b0c 0287 731c 0085 4a 2.5.5.1 Object(DS-DN) +DNWithOctetString * 1.2.840.113556.1.4.903 127 2a86 4886 f714 0101 010b 2.5.5.7 Object(DN-Binary) +OR-Name * 1.2.840.113556.1.4.1221 127 5606 0102 050b 1D 2.5.5.7 Object(OR-Name) +Octet String 1.3.6.1.4.1.1466.115.121.1.40 127 2a86 4886 f714 0101 0106 2.5.5.10 Object(Replica-Link) +Presentation Address 1.3.6.1.4.1.1466.115.121.1.43 127 2b0c 0287 731c 0085 5c 2.5.5.13 Object(Presentation-Address) +Access Point 1.3.6.1.4.1.1466.115.121.1.2 127 2b0c 0287 731c 0085 3e 2.5.5.14 Object(Access-Point) +DNWithString * 1.2.840.113556.1.4.904 127 2a86 4886 
f714 0101 010c 2.5.5.14 Object(DN-String) + + +Unrepresent Syntaxes: + +ACI Item 1.3.6.1.4.1.1466.115.121.1.1 +Access Point 1.3.6.1.4.1.1466.115.121.1.2 +Attribute Type Description 1.3.6.1.4.1.1466.115.121.1.3 +Audio 1.3.6.1.4.1.1466.115.121.1.4 +Binary 1.3.6.1.4.1.1466.115.121.1.5 +Bit String 1.3.6.1.4.1.1466.115.121.1.6 +Certificate 1.3.6.1.4.1.1466.115.121.1.8 +Certificate List 1.3.6.1.4.1.1466.115.121.1.9 +Certificate Pair 1.3.6.1.4.1.1466.115.121.1.10 +Country String 1.3.6.1.4.1.1466.115.121.1.11 +Data Quality Syntax 1.3.6.1.4.1.1466.115.121.1.13 +Delivery Method 1.3.6.1.4.1.1466.115.121.1.14 +DIT Content Rule Description 1.3.6.1.4.1.1466.115.121.1.16 +DIT Structure Rule Description 1.3.6.1.4.1.1466.115.121.1.17 +DL Submit Permission 1.3.6.1.4.1.1466.115.121.1.18 +DSA Quality Syntax 1.3.6.1.4.1.1466.115.121.1.19 +DSE Type 1.3.6.1.4.1.1466.115.121.1.20 +Enhanced Guide 1.3.6.1.4.1.1466.115.121.1.21 +Facsimile Telephone Number 1.3.6.1.4.1.1466.115.121.1.22 +Fax 1.3.6.1.4.1.1466.115.121.1.23 +Guide 1.3.6.1.4.1.1466.115.121.1.25 +JPEG 1.3.6.1.4.1.1466.115.121.1.28 +Master And Shadow Access Points 1.3.6.1.4.1.1466.115.121.1.29 +Matching Rule Description 1.3.6.1.4.1.1466.115.121.1.30 +Matching Rule Use Description 1.3.6.1.4.1.1466.115.121.1.31 +Mail Preference 1.3.6.1.4.1.1466.115.121.1.32 +MHS OR Address 1.3.6.1.4.1.1466.115.121.1.33 +Name And Optional UID 1.3.6.1.4.1.1466.115.121.1.34 +Name Form Description 1.3.6.1.4.1.1466.115.121.1.35 +Object Class Description 1.3.6.1.4.1.1466.115.121.1.37 +Other Mailbox 1.3.6.1.4.1.1466.115.121.1.39 +Postal Address 1.3.6.1.4.1.1466.115.121.1.41 +Protocol Information 1.3.6.1.4.1.1466.115.121.1.42 +Subtree Specification 1.3.6.1.4.1.1466.115.121.1.45 +Supplier Information 1.3.6.1.4.1.1466.115.121.1.46 +Supplier Or Consumer 1.3.6.1.4.1.1466.115.121.1.47 +Supplier And Consumer 1.3.6.1.4.1.1466.115.121.1.48 +Supported Algorithm 1.3.6.1.4.1.1466.115.121.1.49 +Telephone Number 1.3.6.1.4.1.1466.115.121.1.50 +Teletex Terminal Identifier 
1.3.6.1.4.1.1466.115.121.1.51 +Telex Number 1.3.6.1.4.1.1466.115.121.1.52 +LDAP Syntax Description 1.3.6.1.4.1.1466.115.121.1.54 +Modify Rights 1.3.6.1.4.1.1466.115.121.1.55 +LDAP Schema Definition 1.3.6.1.4.1.1466.115.121.1.56 +LDAP Schema Description 1.3.6.1.4.1.1466.115.121.1.57 +Substring Assertion 1.3.6.1.4.1.1466.115.121.1.58 + + +* names come from: draft-armijo-ldap-syntax-00.txt + diff -Nru samba-3.4.8/WHATSNEW.txt samba-3.4.9/WHATSNEW.txt --- samba-3.4.8/WHATSNEW.txt 2010-05-10 14:58:53.000000000 +0200 +++ samba-3.4.9/WHATSNEW.txt 2010-09-09 16:23:21.000000000 +0200 
@@ -1,4 +1,59 @@ ============================= + Release Notes for Samba 3.4.9 + September 14, 2010 + ============================= + + +This is a security release in order to address CVE-2010-3069. + + +o CVE-2010-3069: + All current released versions of Samba are vulnerable to + a buffer overrun vulnerability. The sid_parse() function + (and related dom_sid_parse() function in the source4 code) + do not correctly check their input lengths when reading a + binary representation of a Windows SID (Security ID). This + allows a malicious client to send a sid that can overflow + the stack variable that is being used to store the SID in the + Samba smbd server. + + +Changes since 3.4.8 +------------------- + + +o Jeremy Allison <jra@samba.org> + * BUG 7669: Fix for CVE-2010-3069. + + +o Andrew Bartlett <abartlet@samba.org> + * BUG 7669: Fix for CVE-2010-3069. + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.4 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older versions follow: +---------------------------------------- + + ============================= Release Notes for Samba 3.4.8 May 11, 2010 ============================= 
@@ -116,8 +171,8 @@ ====================================================================== -Release notes for older versions follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 3.4.7