Quoting Adam D. Barratt (adam@adam-barratt.org.uk): > Assuming that the diff between the 3.4.8 packages currently in testing > and the tpu package would simply be upstream's patch from their security > page, please go ahead. The diff will be the exact diff between two upstream versions. So that means: bubulle@sesostris:~/src/debian/samba$ diffstat diff-3.4.8-3.4.9 WHATSNEW.txt | 59 ++++++++++++++++++++ libcli/security/dom_sid.c | 4 + libcli/security/dom_sid.h | 4 + packaging/RHEL-CTDB/samba.spec | 2 packaging/RHEL/makerpms.sh | 2 packaging/RHEL/samba.spec | 2 source3/VERSION | 2 source3/include/version.h | 4 - source3/lib/util_sid.c | 3 + source3/libads/ldap.c | 4 + source3/libsmb/cliquota.c | 4 + source3/smbd/nttrans.c | 17 ++++-- source4/ldap_server/devdocs/AD-Syntaxes.txt | 79 ++++++++++++++++++++++++++++ 13 files changed, 173 insertions(+), 13 deletions(-) whatsnew.TXT is upstream's "kinda changelog". It only lists the security fix. packaging/ is not used. Source3/VERSION is just changing the displayed version; ditto for source3/include/version.h. Source3/* is upstream's fix. source4/ldap_server/devdocs/AD-Syntaxes.txt...hmm, is noise, but doesn't harm and isn't used. Full diff attached.
diff -Nru samba-3.4.8/libcli/security/dom_sid.c samba-3.4.9/libcli/security/dom_sid.c
--- samba-3.4.8/libcli/security/dom_sid.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/libcli/security/dom_sid.c 2010-09-09 16:23:21.000000000 +0200
@@ -117,6 +117,10 @@
if (sidstr[i] == '-') num_sub_auths++;
}
+ if (num_sub_auths > MAXSUBAUTHS) {
+ return false;
+ }
+
ret->sid_rev_num = rev;
ret->id_auth[0] = 0;
ret->id_auth[1] = 0;
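Review bot: The new `num_sub_auths > MAXSUBAUTHS` check at the top of the hunk carries no comment saying which buffer it bounds, so a later reader may take it for an arbitrary limit and relax it. Suggest `/* sub_auths holds at most MAXSUBAUTHS entries; a longer SID string would overrun it (CVE-2010-3069) */` directly above the `if`. The count is taken from the `'-'` separators scanned in the loop just above, and the loop that fills the sub-authorities is presumably below the hunk; the enclosing function (likely the dom_sid_parse() named in WHATSNEW) begins and ends outside it.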
diff -Nru samba-3.4.8/libcli/security/dom_sid.h samba-3.4.9/libcli/security/dom_sid.h
--- samba-3.4.8/libcli/security/dom_sid.h 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/libcli/security/dom_sid.h 2010-09-09 16:23:21.000000000 +0200
@@ -40,5 +40,9 @@
const struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
#endif /*_DOM_SID_H_*/
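Review bot: `MAXSUBAUTHS` is introduced under `#ifndef`, so the bound that the new check in dom_sid.c relies on is whatever an earlier include happened to define; a translation unit that picks up a different, larger `MAXSUBAUTHS` from another header would compile silently with a weaker check. If the `sub_auths` member of `struct dom_sid` is sized by this constant (the struct is not in the hunk), a compile-time check next to the struct tying the two together would catch that. At minimum the comment could state the dependency: `#define MAXSUBAUTHS 15 /* max sub authorities in a SID; must match the sub_auths array size in struct dom_sid */`.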
diff -Nru samba-3.4.8/packaging/RHEL/makerpms.sh samba-3.4.9/packaging/RHEL/makerpms.sh
--- samba-3.4.8/packaging/RHEL/makerpms.sh 2010-05-10 15:01:43.000000000 +0200
+++ samba-3.4.9/packaging/RHEL/makerpms.sh 2010-09-09 19:20:16.000000000 +0200
@@ -20,7 +20,7 @@
USERID=`id -u`
GRPID=`id -g`
-VERSION='3.4.8'
+VERSION='3.4.9'
REVISION=''
SPECFILE="samba.spec"
RPMVER=`rpm --version | awk '{print $3}'`
diff -Nru samba-3.4.8/packaging/RHEL/samba.spec samba-3.4.9/packaging/RHEL/samba.spec
--- samba-3.4.8/packaging/RHEL/samba.spec 2010-05-10 15:01:43.000000000 +0200
+++ samba-3.4.9/packaging/RHEL/samba.spec 2010-09-09 19:20:16.000000000 +0200
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba@samba.org>
Name: samba
-Version: 3.4.8
+Version: 3.4.9
Release: 1
Epoch: 0
License: GNU GPL version 3
diff -Nru samba-3.4.8/packaging/RHEL-CTDB/samba.spec samba-3.4.9/packaging/RHEL-CTDB/samba.spec
--- samba-3.4.8/packaging/RHEL-CTDB/samba.spec 2010-05-10 15:01:43.000000000 +0200
+++ samba-3.4.9/packaging/RHEL-CTDB/samba.spec 2010-09-09 19:20:16.000000000 +0200
@@ -5,7 +5,7 @@
Vendor: Samba Team
Packager: Samba Team <samba@samba.org>
Name: samba
-Version: 3.4.8
+Version: 3.4.9
Release: ctdb.1
Epoch: 0
License: GNU GPL version 3
diff -Nru samba-3.4.8/source3/include/version.h samba-3.4.9/source3/include/version.h
--- samba-3.4.8/source3/include/version.h 2010-05-10 15:01:44.000000000 +0200
+++ samba-3.4.9/source3/include/version.h 2010-09-09 19:20:17.000000000 +0200
@@ -1,8 +1,8 @@
/* Autogenerated by script/mkversion.sh */
#define SAMBA_VERSION_MAJOR 3
#define SAMBA_VERSION_MINOR 4
-#define SAMBA_VERSION_RELEASE 8
-#define SAMBA_VERSION_OFFICIAL_STRING "3.4.8"
+#define SAMBA_VERSION_RELEASE 9
+#define SAMBA_VERSION_OFFICIAL_STRING "3.4.9"
#ifdef SAMBA_VERSION_VENDOR_FUNCTION
# define SAMBA_VERSION_STRING SAMBA_VERSION_VENDOR_FUNCTION
#else /* SAMBA_VERSION_VENDOR_FUNCTION */
diff -Nru samba-3.4.8/source3/lib/util_sid.c samba-3.4.9/source3/lib/util_sid.c
--- samba-3.4.8/source3/lib/util_sid.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/lib/util_sid.c 2010-09-09 16:23:21.000000000 +0200
@@ -408,6 +408,9 @@
sid->sid_rev_num = CVAL(inbuf, 0);
sid->num_auths = CVAL(inbuf, 1);
+ if (sid->num_auths > MAXSUBAUTHS) {
+ return false;
+ }
memcpy(sid->id_auth, inbuf+2, 6);
if (len < 8 + sid->num_auths*4)
return False;
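Review bot: The new `return false;` sits two lines above an existing `return False;` in the same function, so the hunk now mixes both spellings; use the one the surrounding code uses, `return False;`, or convert both at once. Separately, `CVAL(inbuf, 0)`, `CVAL(inbuf, 1)` and the 6-byte `memcpy` all read `inbuf` before the visible `len < 8 + sid->num_auths*4` test, which is only safe if the prologue above the hunk already rejects `len < 8`; I cannot see that from here. A one-line comment such as `/* bound num_auths before it sizes the sub_auths copy below (CVE-2010-3069) */` would record why the check must precede the length test. sid_parse's body starts and ends outside the hunk.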
diff -Nru samba-3.4.8/source3/libads/ldap.c samba-3.4.9/source3/libads/ldap.c
--- samba-3.4.8/source3/libads/ldap.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/libads/ldap.c 2010-09-09 16:23:21.000000000 +0200
@@ -2128,7 +2128,9 @@
for (i=0; values[i]; i++) {
DOM_SID sid;
fstring tmp;
- sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+ if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+ continue;
+ }
printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
}
}
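Review bot: A value that `sid_parse()` rejects is now skipped with `continue` and nothing is printed or logged, so whoever reads this loop's output cannot tell that an attribute value was dropped; the cliquota.c hunk has the same silent failure (`return false;` with no diagnostic). Since the loop otherwise prints one line per value, a placeholder keeps the output aligned with the input: `printf("%s: <malformed SID>\n", field);` before the `continue`, and a `DEBUG` line naming the failure before the `return false;` in cliquota.c. Both enclosing functions begin outside their hunks.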
diff -Nru samba-3.4.8/source3/libsmb/cliquota.c samba-3.4.9/source3/libsmb/cliquota.c
--- samba-3.4.8/source3/libsmb/cliquota.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/libsmb/cliquota.c 2010-09-09 16:23:21.000000000 +0200
@@ -117,7 +117,9 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(rdata+40,sid_len,&qt.sid);
+ if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+ return false;
+ }
qt.qtype = SMB_USER_QUOTA_TYPE;
diff -Nru samba-3.4.8/source3/smbd/nttrans.c samba-3.4.9/source3/smbd/nttrans.c
--- samba-3.4.8/source3/smbd/nttrans.c 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/smbd/nttrans.c 2010-09-09 16:23:21.000000000 +0200
@@ -2080,7 +2080,11 @@
/* unknown 4 bytes: this is not the length of the sid :-( */
/*unknown = IVAL(pdata,0);*/
- sid_parse(pdata+4,sid_len,&sid);
+ if (!sid_parse(pdata+4,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
if (!sid_to_uid(&sid, &uid)) {
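Review bot: Each of the three new rejection sites (this hunk and the ones at `@@ -2336` and `@@ -2517`) replies `NT_STATUS_INVALID_PARAMETER` but writes nothing to the server log, so an smbd administrator has no record that a client sent a SID that failed to parse, which is exactly the input CVE-2010-3069 concerns. Add a log line before each `reply_nterror`, e.g. `DEBUG(2, ("sid_parse failed on client-supplied SID (len %u)\n", (unsigned)sid_len));`, or fold the three copies into one static helper so the message is identical at every site. The `DEBUGADD(10, ...)` that follows only runs on the success path, so it does not cover this. All three enclosing functions begin outside their hunks.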
@@ -2336,7 +2340,10 @@
break;
}
- sid_parse(pdata+8,sid_len,&sid);
+ if (!sid_parse(pdata+8,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
ZERO_STRUCT(qt);
@@ -2517,7 +2524,11 @@
}
#endif /* LARGE_SMB_OFF_T */
- sid_parse(pdata+40,sid_len,&sid);
+ if (!sid_parse(pdata+40,sid_len,&sid)) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
/* 44 unknown bytes left... */
diff -Nru samba-3.4.8/source3/VERSION samba-3.4.9/source3/VERSION
--- samba-3.4.8/source3/VERSION 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/source3/VERSION 2010-09-09 16:23:21.000000000 +0200
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=3
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
########################################################
# Bug fix releases use a letter for the patch revision #
diff -Nru samba-3.4.8/source4/ldap_server/devdocs/AD-Syntaxes.txt samba-3.4.9/source4/ldap_server/devdocs/AD-Syntaxes.txt
--- samba-3.4.8/source4/ldap_server/devdocs/AD-Syntaxes.txt 1970-01-01 01:00:00.000000000 +0100
+++ samba-3.4.9/source4/ldap_server/devdocs/AD-Syntaxes.txt 2010-09-09 16:23:21.000000000 +0200
@@ -0,0 +1,79 @@
+Description LDAP OID oMSyntax oMObjectClass attributeSyntax MS-Name
+-------------------------------------------------------------------------------------------------------------------------------------------------------------
+Boolean 1.3.6.1.4.1.1466.115.121.1.7 1 2.5.5.8 Boolean
+Integer 1.3.6.1.4.1.1466.115.121.1.27 2 2.5.5.9 Integer
+Octet String 1.3.6.1.4.1.1466.115.121.1.40 4 2.5.5.10 String(Octet)
+Octet String 1.3.6.1.4.1.1466.115.121.1.40 4 2.5.5.17 String(Sid)
+OID 1.3.6.1.4.1.1466.115.121.1.38 6 2.5.5.2 String(Object-Identifier)
+Integer 1.3.6.1.4.1.1466.115.121.1.27 10 2.5.5.9 Enumeration
+Numeric String 1.3.6.1.4.1.1466.115.121.1.36 18 2.5.5.6 String(Numeric)
+Printable String 1.3.6.1.4.1.1466.115.121.1.44 19 2.5.5.5 String(Printable)
+CaseIgnoreString * 1.2.840.113556.1.4.905 20 2.5.5.4 String(Teletex)
+IA5 String 1.3.6.1.4.1.1466.115.121.1.26 22 2.5.5.5 String(IA5)
+UTC Time 1.3.6.1.4.1.1466.115.121.1.53 23 2.5.5.11 String(UTC-Time)
+Generalized Time 1.3.6.1.4.1.1466.115.121.1.24 24 2.5.5.11 String(Generalized-Time)
+ 1.2.840.113556.1.4.1362 27 2.5.5.3 String(Case Sensitive)
+Directory String 1.3.6.1.4.1.1466.115.121.1.15 64 2.5.5.12 String(Unicode)
+Large-Integer * 1.2.840.113556.1.4.906 65 2.5.5.16 Interval/LargeInteger
+Object-Security-Descriptor * 1.2.840.113556.1.4.907 66 2.5.5.15 String(NT-Sec-Desc)
+DN 1.3.6.1.4.1.1466.115.121.1.12 127 2b0c 0287 731c 0085 4a 2.5.5.1 Object(DS-DN)
+DNWithOctetString * 1.2.840.113556.1.4.903 127 2a86 4886 f714 0101 010b 2.5.5.7 Object(DN-Binary)
+OR-Name * 1.2.840.113556.1.4.1221 127 5606 0102 050b 1D 2.5.5.7 Object(OR-Name)
+Octet String 1.3.6.1.4.1.1466.115.121.1.40 127 2a86 4886 f714 0101 0106 2.5.5.10 Object(Replica-Link)
+Presentation Address 1.3.6.1.4.1.1466.115.121.1.43 127 2b0c 0287 731c 0085 5c 2.5.5.13 Object(Presentation-Address)
+Access Point 1.3.6.1.4.1.1466.115.121.1.2 127 2b0c 0287 731c 0085 3e 2.5.5.14 Object(Access-Point)
+DNWithString * 1.2.840.113556.1.4.904 127 2a86 4886 f714 0101 010c 2.5.5.14 Object(DN-String)
+
+
+Unrepresent Syntaxes:
+
+ACI Item 1.3.6.1.4.1.1466.115.121.1.1
+Access Point 1.3.6.1.4.1.1466.115.121.1.2
+Attribute Type Description 1.3.6.1.4.1.1466.115.121.1.3
+Audio 1.3.6.1.4.1.1466.115.121.1.4
+Binary 1.3.6.1.4.1.1466.115.121.1.5
+Bit String 1.3.6.1.4.1.1466.115.121.1.6
+Certificate 1.3.6.1.4.1.1466.115.121.1.8
+Certificate List 1.3.6.1.4.1.1466.115.121.1.9
+Certificate Pair 1.3.6.1.4.1.1466.115.121.1.10
+Country String 1.3.6.1.4.1.1466.115.121.1.11
+Data Quality Syntax 1.3.6.1.4.1.1466.115.121.1.13
+Delivery Method 1.3.6.1.4.1.1466.115.121.1.14
+DIT Content Rule Description 1.3.6.1.4.1.1466.115.121.1.16
+DIT Structure Rule Description 1.3.6.1.4.1.1466.115.121.1.17
+DL Submit Permission 1.3.6.1.4.1.1466.115.121.1.18
+DSA Quality Syntax 1.3.6.1.4.1.1466.115.121.1.19
+DSE Type 1.3.6.1.4.1.1466.115.121.1.20
+Enhanced Guide 1.3.6.1.4.1.1466.115.121.1.21
+Facsimile Telephone Number 1.3.6.1.4.1.1466.115.121.1.22
+Fax 1.3.6.1.4.1.1466.115.121.1.23
+Guide 1.3.6.1.4.1.1466.115.121.1.25
+JPEG 1.3.6.1.4.1.1466.115.121.1.28
+Master And Shadow Access Points 1.3.6.1.4.1.1466.115.121.1.29
+Matching Rule Description 1.3.6.1.4.1.1466.115.121.1.30
+Matching Rule Use Description 1.3.6.1.4.1.1466.115.121.1.31
+Mail Preference 1.3.6.1.4.1.1466.115.121.1.32
+MHS OR Address 1.3.6.1.4.1.1466.115.121.1.33
+Name And Optional UID 1.3.6.1.4.1.1466.115.121.1.34
+Name Form Description 1.3.6.1.4.1.1466.115.121.1.35
+Object Class Description 1.3.6.1.4.1.1466.115.121.1.37
+Other Mailbox 1.3.6.1.4.1.1466.115.121.1.39
+Postal Address 1.3.6.1.4.1.1466.115.121.1.41
+Protocol Information 1.3.6.1.4.1.1466.115.121.1.42
+Subtree Specification 1.3.6.1.4.1.1466.115.121.1.45
+Supplier Information 1.3.6.1.4.1.1466.115.121.1.46
+Supplier Or Consumer 1.3.6.1.4.1.1466.115.121.1.47
+Supplier And Consumer 1.3.6.1.4.1.1466.115.121.1.48
+Supported Algorithm 1.3.6.1.4.1.1466.115.121.1.49
+Telephone Number 1.3.6.1.4.1.1466.115.121.1.50
+Teletex Terminal Identifier 1.3.6.1.4.1.1466.115.121.1.51
+Telex Number 1.3.6.1.4.1.1466.115.121.1.52
+LDAP Syntax Description 1.3.6.1.4.1.1466.115.121.1.54
+Modify Rights 1.3.6.1.4.1.1466.115.121.1.55
+LDAP Schema Definition 1.3.6.1.4.1.1466.115.121.1.56
+LDAP Schema Description 1.3.6.1.4.1.1466.115.121.1.57
+Substring Assertion 1.3.6.1.4.1.1466.115.121.1.58
+
+
+* names come from: draft-armijo-ldap-syntax-00.txt
+
diff -Nru samba-3.4.8/WHATSNEW.txt samba-3.4.9/WHATSNEW.txt
--- samba-3.4.8/WHATSNEW.txt 2010-05-10 14:58:53.000000000 +0200
+++ samba-3.4.9/WHATSNEW.txt 2010-09-09 16:23:21.000000000 +0200
@@ -1,4 +1,59 @@
=============================
+ Release Notes for Samba 3.4.9
+ September 14, 2010
+ =============================
+
+
+This is a security release in order to address CVE-2010-3069.
+
+
+o CVE-2010-3069:
+ All current released versions of Samba are vulnerable to
+ a buffer overrun vulnerability. The sid_parse() function
+ (and related dom_sid_parse() function in the source4 code)
+ do not correctly check their input lengths when reading a
+ binary representation of a Windows SID (Security ID). This
+ allows a malicious client to send a sid that can overflow
+ the stack variable that is being used to store the SID in the
+ Samba smbd server.
+
+
+Changes since 3.4.8
+-------------------
+
+
+o Jeremy Allison <jra@samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 7669: Fix for CVE-2010-3069.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 3.4 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older versions follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 3.4.8
May 11, 2010
=============================
@@ -116,8 +171,8 @@
======================================================================
-Release notes for older versions follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 3.4.7