diff --git a/samba-3.0.27-CVE-2007-4572-regression.patch b/samba-3.0.27-CVE-2007-4572-regression.patch new file mode 100644 index 0000000..9ccc687 --- /dev/null +++ b/samba-3.0.27-CVE-2007-4572-regression.patch @@ -0,0 +1,261 @@ +diff -ur samba-3.0.27.orig/source/smbd/negprot.c samba-3.0.27/source/smbd/negprot.c +--- samba-3.0.27.orig/source/smbd/negprot.c 2007-11-14 22:15:04.000000000 -0500 ++++ samba-3.0.27/source/smbd/negprot.c 2007-11-19 15:43:27.000000000 -0500 +@@ -346,7 +346,7 @@ + SCVAL(outbuf,smb_vwv16+1,8); + p += 8; + } +- p += srvstr_push(outbuf, p, lp_workgroup(), -1, ++ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p-outbuf), + STR_UNICODE|STR_TERMINATE|STR_NOALIGN); + DEBUG(3,("not using SPNEGO\n")); + } else { +diff -ur samba-3.0.27.orig/source/smbd/reply.c samba-3.0.27/source/smbd/reply.c +--- samba-3.0.27.orig/source/smbd/reply.c 2007-11-14 22:15:04.000000000 -0500 ++++ samba-3.0.27/source/smbd/reply.c 2007-11-19 15:43:27.000000000 -0500 +@@ -524,7 +524,7 @@ + if (Protocol < PROTOCOL_NT1) { + set_message(outbuf,2,0,True); + p = smb_buf(outbuf); +- p += srvstr_push(outbuf, p, server_devicetype, -1, ++ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf), + STR_TERMINATE|STR_ASCII); + set_message_end(outbuf,p); + } else { +@@ -554,9 +554,9 @@ + } + + p = smb_buf(outbuf); +- p += srvstr_push(outbuf, p, server_devicetype, -1, ++ p += srvstr_push(outbuf, p, server_devicetype, BUFFER_SIZE - (p - outbuf), + STR_TERMINATE|STR_ASCII); +- p += srvstr_push(outbuf, p, fstype, -1, ++ p += srvstr_push(outbuf, p, fstype, BUFFER_SIZE - (p - outbuf), + STR_TERMINATE); + + set_message_end(outbuf,p); +@@ -1766,7 +1766,7 @@ + thing in the byte section. JRA */ + SSVALS(p, 0, -1); /* what is this? not in spec */ + #endif +- namelen = srvstr_push(outbuf, p, s, -1, STR_ASCII|STR_TERMINATE); ++ namelen = srvstr_push(outbuf, p, s, BUFFER_SIZE - (p - outbuf), STR_ASCII|STR_TERMINATE); + p += namelen; + outsize = set_message_end(outbuf, p); + +diff -ur samba-3.0.27.orig/source/smbd/sesssetup.c samba-3.0.27/source/smbd/sesssetup.c +--- samba-3.0.27.orig/source/smbd/sesssetup.c 2007-11-14 22:15:04.000000000 -0500 ++++ samba-3.0.27/source/smbd/sesssetup.c 2007-11-19 15:45:34.000000000 -0500 +@@ -68,9 +68,9 @@ + + fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING); + +- p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE); +- p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE); +- p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE); ++ p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE); ++ p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE); ++ p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE); + + return PTR_DIFF(p, start); + } +diff -ur samba-3.0.27.orig/source/smbd/srvstr.c samba-3.0.27/source/smbd/srvstr.c +--- samba-3.0.27.orig/source/smbd/srvstr.c 2007-11-14 22:15:04.000000000 -0500 ++++ samba-3.0.27/source/smbd/srvstr.c 2007-11-19 15:43:27.000000000 -0500 +@@ -28,17 +28,10 @@ + const char *base_ptr, void *dest, + const char *src, int dest_len, int flags) + { +- size_t buf_used = PTR_DIFF(dest, base_ptr); +- if (dest_len == -1) { +- if (((ptrdiff_t)dest < (ptrdiff_t)base_ptr) || (buf_used > (size_t)max_send)) { +-#if 0 +- DEBUG(0, ("Pushing string of 'unlimited' length into non-SMB buffer!\n")); +-#endif +- return push_string_fn(function, line, base_ptr, dest, src, -1, flags); +- } +- return push_string_fn(function, line, base_ptr, dest, src, max_send - buf_used, flags); ++ if (dest_len < 0) { ++ return 0; + } +- ++ + /* 'normal' push into size-specified buffer */ + return push_string_fn(function, line, base_ptr, dest, src, dest_len, flags); + } +diff -ur samba-3.0.27.orig/source/smbd/trans2.c samba-3.0.27/source/smbd/trans2.c +--- samba-3.0.27.orig/source/smbd/trans2.c 2007-11-14 22:15:04.000000000 -0500 ++++ samba-3.0.27/source/smbd/trans2.c 2007-11-19 15:43:27.000000000 -0500 +@@ -1283,7 +1283,7 @@ + p += 23; + nameptr = p; + p += align_string(outbuf, p, 0); +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE); + if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { + if (len > 2) { + SCVAL(nameptr, -1, len - 2); +@@ -1318,7 +1318,7 @@ + } + p += 27; + nameptr = p - 1; +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE | STR_NOALIGN); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN); + if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { + if (len > 2) { + len -= 2; +@@ -1372,9 +1372,9 @@ + } + + /* Push the ea_data followed by the name. */ +- p += fill_ea_buffer(ea_ctx, p, space_remaining, conn, name_list); ++ p += fill_ea_buffer(ea_ctx, p, space_remaining - (p - pdata), conn, name_list); + nameptr = p; +- len = srvstr_push(outbuf, p + 1, fname, -1, STR_TERMINATE | STR_NOALIGN); ++ len = srvstr_push(outbuf, p + 1, fname, space_remaining - (p - pdata), STR_TERMINATE | STR_NOALIGN); + if (SVAL(outbuf, smb_flg2) & FLAGS2_UNICODE_STRINGS) { + if (len > 2) { + len -= 2; +@@ -1431,7 +1431,7 @@ + memset(p,'\0',26); + } + p += 2 + 24; +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); + SIVAL(q,0,len); + p += len; + SIVAL(p,0,0); /* Ensure any padding is null. */ +@@ -1452,7 +1452,7 @@ + SOFF_T(p,0,file_size); p += 8; + SOFF_T(p,0,allocation_size); p += 8; + SIVAL(p,0,nt_extmode); p += 4; +- len = srvstr_push(outbuf, p + 4, fname, -1, STR_TERMINATE_ASCII); ++ len = srvstr_push(outbuf, p + 4, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); + SIVAL(p,0,len); + p += 4 + len; + SIVAL(p,0,0); /* Ensure any padding is null. */ +@@ -1479,7 +1479,7 @@ + SIVAL(p,0,ea_size); /* Extended attributes */ + p +=4; + } +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); + SIVAL(q, 0, len); + p += len; + +@@ -1497,7 +1497,7 @@ + p += 4; + /* this must *not* be null terminated or w2k gets in a loop trying to set an + acl on a dir (tridge) */ +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); + SIVAL(p, -4, len); + p += len; + SIVAL(p,0,0); /* Ensure any padding is null. */ +@@ -1527,7 +1527,7 @@ + SIVAL(p,0,0); p += 4; /* Unknown - reserved ? */ + SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */ + SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */ +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); + SIVAL(q, 0, len); + p += len; + SIVAL(p,0,0); /* Ensure any padding is null. */ +@@ -1578,7 +1578,7 @@ + SSVAL(p,0,0); p += 2; /* Reserved ? */ + SIVAL(p,0,sbuf.st_ino); p += 4; /* FileIndexLow */ + SIVAL(p,0,sbuf.st_dev); p += 4; /* FileIndexHigh */ +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE_ASCII); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE_ASCII); + SIVAL(q,0,len); + p += len; + SIVAL(p,0,0); /* Ensure any padding is null. */ +@@ -1601,14 +1601,14 @@ + DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX\n")); + p = store_file_unix_basic(conn, p, + NULL, &sbuf); +- len = srvstr_push(outbuf, p, fname, -1, STR_TERMINATE); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), STR_TERMINATE); + } else { + DEBUG(10,("get_lanman2_dir_entry: SMB_FIND_FILE_UNIX_INFO2\n")); + p = store_file_unix_basic_info2(conn, p, + NULL, &sbuf); + nameptr = p; + p += 4; +- len = srvstr_push(outbuf, p, fname, -1, 0); ++ len = srvstr_push(outbuf, p, fname, space_remaining - (p - pdata), 0); + SIVAL(nameptr, 0, len); + } + +@@ -2309,7 +2309,7 @@ + * this call so try fixing this by adding a terminating null to + * the pushed string. The change here was adding the STR_TERMINATE. JRA. + */ +- len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, -1, STR_NOALIGN|STR_TERMINATE); ++ len = srvstr_push(outbuf, pdata+l2_vol_szVolLabel, vname, max_data_bytes - l2_vol_szVolLabel, STR_NOALIGN|STR_TERMINATE); + SCVAL(pdata,l2_vol_cch,len); + data_len = l2_vol_szVolLabel + len; + DEBUG(5,("call_trans2qfsinfo : time = %x, namelen = %d, name = %s\n", +@@ -2331,14 +2331,14 @@ + SIVAL(pdata,4,255); /* Max filename component length */ + /* NOTE! the fstype must *not* be null terminated or win98 won't recognise it + and will think we can't do long filenames */ +- len = srvstr_push(outbuf, pdata+12, fstype, -1, STR_UNICODE); ++ len = srvstr_push(outbuf, pdata+12, fstype, max_data_bytes - 12, STR_UNICODE); + SIVAL(pdata,8,len); + data_len = 12 + len; + break; + + case SMB_QUERY_FS_LABEL_INFO: + case SMB_FS_LABEL_INFORMATION: +- len = srvstr_push(outbuf, pdata+4, vname, -1, 0); ++ len = srvstr_push(outbuf, pdata+4, vname, max_data_bytes - 4, 0); + data_len = 4 + len; + SIVAL(pdata,0,len); + break; +@@ -2354,7 +2354,7 @@ + (str_checksum(get_local_machine_name())<<16)); + + /* Max label len is 32 characters. */ +- len = srvstr_push(outbuf, pdata+18, vname, -1, STR_UNICODE); ++ len = srvstr_push(outbuf, pdata+18, vname, max_data_bytes - 18, STR_UNICODE); + SIVAL(pdata,12,len); + data_len = 18+len; + +@@ -3589,7 +3589,7 @@ + if(!mangle_is_8_3(short_name, True, conn->params)) { + mangle_map(short_name,True,True,conn->params); + } +- len = srvstr_push(outbuf, pdata+4, short_name, -1, STR_UNICODE); ++ len = srvstr_push(outbuf, pdata+4, short_name, max_data_bytes - 4, STR_UNICODE); + data_size = 4 + len; + SIVAL(pdata,0,len); + break; +@@ -3599,7 +3599,7 @@ + /* + this must be *exactly* right for ACLs on mapped drives to work + */ +- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE); ++ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - 4, STR_UNICODE); + DEBUG(10,("call_trans2qfilepathinfo: SMB_QUERY_FILE_NAME_INFO\n")); + data_size = 4 + len; + SIVAL(pdata,0,len); +@@ -3640,7 +3640,7 @@ + pdata += 24; + SIVAL(pdata,0,ea_size); + pdata += 4; /* EA info */ +- len = srvstr_push(outbuf, pdata+4, dos_fname, -1, STR_UNICODE); ++ len = srvstr_push(outbuf, pdata+4, dos_fname, max_data_bytes - (pdata+4 - *ppdata), STR_UNICODE); + SIVAL(pdata,0,len); + pdata += 4 + len; + data_size = PTR_DIFF(pdata,(*ppdata)); +@@ -3802,7 +3802,7 @@ + if (len == -1) + return(UNIXERROR(ERRDOS,ERRnoaccess)); + buffer[len] = 0; +- len = srvstr_push(outbuf, pdata, buffer, -1, STR_TERMINATE); ++ len = srvstr_push(outbuf, pdata, buffer, max_data_bytes, STR_TERMINATE); + pdata += len; + data_size = PTR_DIFF(pdata,(*ppdata)); + +Only in samba-3.0.27/source/smbd: trans2.c.rej diff --git a/samba.spec b/samba.spec index bd97ed8..97fe483 100644 --- a/samba.spec +++ b/samba.spec @@ -2,7 +2,7 @@ Summary: The Samba Suite of programs Name: samba Epoch: 0 Version: 3.0.27 -Release: 0%{?dist} +Release: 1%{?dist} License: GPLv2+ and LGPLv2+ Group: System Environment/Daemons URL: http://www.samba.org/ @@ -43,6 +43,7 @@ Patch111: samba-3.0.13-smbclient.patch Patch200: samba-3.0.25rc1-inotifiy.patch Patch201: samba3_idmap_default_domain.patch Patch202: samba-3.0.26a-winbindd-padding.patch +Patch203: samba-3.0.27-CVE-2007-4572-regression.patch Requires(pre): samba-common = %{epoch}:%{version}-%{release} Requires: pam >= 0:0.64 @@ -161,6 +162,7 @@ cp %{SOURCE11} packaging/Fedora/ %patch200 -p0 -b .inotify %patch201 -p0 -b .idmap_def_dom %patch202 -p1 -b .winbindd_padding +%patch203 -p1 -b .CVE-2007-4572-regression mv source/VERSION source/VERSION.orig sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{release}\"/' < source/VERSION.orig > source/VERSION @@ -646,6 +648,9 @@ exit 0 #%{_includedir}/libmsrpc.h %changelog +* Mon Nov 19 2007 Simo Sorce 3.0.27-1.fc7 +- Fix regression in CVE-2007-4572 + * Thu Nov 15 2007 Simo Sorce 3.0.27-0.fc7 - Fix CVE-2007-4572 - Fix CVE-2007-5398