Quoting Christian PERRIER (bubu...@debian.org):
> Package: samba
> Severity: critical
> Tags: security
>
> This vulnerability has been unveiled publicly without prior warning,
> so probably exploits can be in the wild already.
>
> 3.2 from lenny is affected, too. Backporting the fix seems trivial and
> I think we'll be working on it ASAP.
Proposed patch. I have a build targeted to stable-security that's currently running. To the security team: please give me a GO to upload... unless of course you prefer reviewing this more carefully.

This patch is a port to 3.2 of changes made upstream between 3.5.4 and 3.5.5 (changes to version numbers in version.h as well as .spec files left aside). The only change has been moving a #define to source/include/includes.h, as the include file it appears in for 3.5 does not exist in 3.2. Being quite a moron with all this, this is the only thing I'm not very confident about. I guess that if I screwed up, the build will fail anyway...

Testing is vulnerable too. samba in testing is 3.4.8. In unstable, we have 3.5.4 (vulnerable too) after a discussion with the release team. The agreement with the RT is to let a few weeks pass before allowing samba 3.5 in testing. So, in case 3.5 wouldn't finally be allowed (chances are low, but still), maybe we should also upload a fixed 3.4.8 to t-p-u (or testing-security?).
Goal: Fix buffer overrun in sid_parse Fixes: Upstream security fix. CVE-2010-3069 Status wrt upstream: Fixed in 3.3.14, 3.4.9 and 3.5.5 Author: Samba Team <secur...@samba.org> Index: lenny/source/lib/util_sid.c =================================================================== --- lenny.orig/source/lib/util_sid.c +++ lenny/source/lib/util_sid.c @@ -408,6 +408,9 @@ sid->sid_rev_num = CVAL(inbuf, 0); sid->num_auths = CVAL(inbuf, 1); + if (sid->num_auths > MAXSUBAUTHS) { + return false; + } memcpy(sid->id_auth, inbuf+2, 6); if (len < 8 + sid->num_auths*4) return False; Index: lenny/source/libads/ldap.c =================================================================== --- lenny.orig/source/libads/ldap.c +++ lenny/source/libads/ldap.c @@ -1899,7 +1899,9 @@ for (i=0; values[i]; i++) { DOM_SID sid; fstring tmp; - sid_parse(values[i]->bv_val, values[i]->bv_len, &sid); + if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) { + continue; + } printf("%s: %s\n", field, sid_to_fstring(tmp, &sid)); } } Index: lenny/source/libsmb/cliquota.c =================================================================== --- lenny.orig/source/libsmb/cliquota.c +++ lenny/source/libsmb/cliquota.c @@ -117,7 +117,9 @@ } #endif /* LARGE_SMB_OFF_T */ - sid_parse(rdata+40,sid_len,&qt.sid); + if (!sid_parse(rdata+40,sid_len,&qt.sid)) { + return false; + } qt.qtype = SMB_USER_QUOTA_TYPE; Index: lenny/source/smbd/nttrans.c =================================================================== --- lenny.orig/source/smbd/nttrans.c +++ lenny/source/smbd/nttrans.c @@ -1980,7 +1980,11 @@ /* unknown 4 bytes: this is not the length of the sid :-( */ /*unknown = IVAL(pdata,0);*/ - sid_parse(pdata+4,sid_len,&sid); + if (!sid_parse(pdata+4,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid))); if (!sid_to_uid(&sid, &uid)) { 
@@ -2235,7 +2239,10 @@ break; } - sid_parse(pdata+8,sid_len,&sid); + if (!sid_parse(pdata+8,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) { ZERO_STRUCT(qt); @@ -2415,7 +2422,11 @@ } #endif /* LARGE_SMB_OFF_T */ - sid_parse(pdata+40,sid_len,&sid); + if (!sid_parse(pdata+40,sid_len,&sid)) { + reply_nterror(req, NT_STATUS_INVALID_PARAMETER); + return; + } + DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid))); /* 44 unknown bytes left... */ Index: lenny/source/include/includes.h =================================================================== --- lenny.orig/source/include/includes.h +++ lenny/source/include/includes.h @@ -1294,4 +1294,8 @@ struct in6_addr ip); #endif +#ifndef MAXSUBAUTHS +#define MAXSUBAUTHS 15 /* max sub authorities in a SID */ +#endif + #endif /* _INCLUDES_H */
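Review bot: in the util_sid.c hunk (@@ -408) the new guard returns `false` while the existing length check two lines below returns `False`; both spellings are available in this tree, but one function should use one of them. The bound itself is the important part and looks right: `num_auths` comes straight from the untrusted byte at `inbuf+1`, and rejecting any value above MAXSUBAUTHS before the sub-authority copy is what keeps the fixed-size `sub_auths` array from being overrun; `>` rather than `>=` is correct because exactly MAXSUBAUTHS entries fit. Since the protection now lives in the return value, every caller of sid_parse has to check it; the other hunks cover the callers touched upstream, but it is worth grepping the 3.2 tree once more for any call site whose result is still discarded.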
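Review bot: in the ldap.c hunk (@@ -1899) a value that fails sid_parse is dropped with a bare `continue`, so a directory entry carrying a malformed SID silently vanishes from the listing. Adding a `DEBUG(...)` line that names `field` before the `continue` would let an operator see that a value was rejected, while still avoiding the overrun.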
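Review bot: the nttrans.c hunks (@@ -1980, and likewise @@ -2235 and @@ -2415) answer a client-supplied SID that fails to parse with NT_STATUS_INVALID_PARAMETER and return, which is the right outcome, but none of the three paths logs anything, so the server will record no trace of a malformed quota request. A `DEBUG` line at a low level (1 or 2) before each `reply_nterror(req, NT_STATUS_INVALID_PARAMETER);` would give an administrator something to correlate with the error the client sees.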
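Review bot: in the includes.h hunk (@@ -1294) the `#ifndef MAXSUBAUTHS` guard means that if any other header in the 3.2 tree already defines MAXSUBAUTHS with a different value, this definition is skipped without a warning and the new bound in sid_parse no longer corresponds to the array it is meant to protect. The whole fix rests on MAXSUBAUTHS equalling the dimension of `sub_auths` in DOM_SID, so it would be safer to define the constant once next to that struct declaration, or to drop the guard so that a conflicting definition fails the build instead of being silently ignored; at minimum, confirm with a grep that no second definition exists.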