From b2e504b25fff91c4c1a023a299492875149611f6 Mon Sep 17 00:00:00 2001
From: Gerald Carter
Date: Mon, 7 Apr 2003 15:15:54 +0000
Subject: [PATCH] syncing with release branch (includes trans2 fixes)
---
WHATSNEW.txt | 51 +++++++++++++++++++++++++++++++++++++++++++------
source/smbd/password.c | 2 +-
source/smbd/reply.c | 6 ++++++
source/smbd/statcache.c | 2 +-
source/smbd/trans2.c | 4 +---
5 files changed, 54 insertions(+), 11 deletions(-)
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index fbcd54f6863..1d542ee28d2 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,4 @@
- What's new in Samba 2.2.8 - 14th March 2003
+ What's new in Samba 2.2.8a - 7th April 2003
 ===========================================
 This is the latest stable release of Samba. This is the version that
@@ -12,6 +12,50 @@ bug-fixes. Summary ------- +Digital Defense, Inc. has alerted the Samba Team to a serious +vulnerability in all stable versions of Samba currently shipping. +The Common Vulnerabilities and Exposures (CVE) project has assigned +the ID CAN-2003-0201 to this defect. + +This vulnerability, if exploited correctly, leads to an anonymous +user gaining root access on a Samba serving system. All versions +of Samba up to and including Samba 2.2.8 are vulnerable. An active +exploit of the bug has been reported in the wild. Alpha versions of +Samba 3.0 and above are *NOT* vulnerable. + + +Credit +------ + +The Samba Team would like to thank Erik Parker and the team at +Digital Defense, Inc. for their efforts spent in the responsible +and timely reporting of this bug. + + +Patch Availability +------------------ + +The Samba 2.2.8a release contains only updates to address this +security issue. A roll-up patch for release 2.2.7a and 2.0.10 +addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained +from http://www.samba.org/samba/ftp/patches/security/. + + + ======================================== + + +Older releases notes for 2.2.x distributions follow + +----------------------------------------------------------------- +The release notes for 2.2.8 follow: + + **************************************** + * IMPORTANT: Security bugfix for Samba * + **************************************** + +Summary +------- + The SuSE security audit team, in particular Sebastian Krahmer , has found an flaw in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain @@ -204,7 +248,6 @@ Protecting an unpatched Samba server **************************************** **************************************** ------------------------------------------------------------------ Changes since 2.2.7a --------------------- 
@@ -333,11 +376,7 @@ See the cvs log for SAMBA_2_2 for more details 6) Correctly handle querygroup rpcclient command 7) fix broken incremental tar in smbtar command - ========================================= -Older releases notes for 2.2.x distributions follow - ------------------------------------------------------------------ The release notes for 2.2.7 follow : IMPORTANT: Security bugfix for Samba
diff --git a/source/smbd/password.c b/source/smbd/password.c
index 94c487db57a..c82f58377c6 100644
--- a/source/smbd/password.c
+++ b/source/smbd/password.c
@@ -816,7 +816,7 @@ and given password ok\n", user));
 if (!ok && lp_username(snum)) {
 char *auser;
 pstring user_list;
- StrnCpy(user_list,lp_username(snum),sizeof(pstring));
+ StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
 pstring_sub(user_list,"%S",lp_servicename(snum));
diff --git a/source/smbd/reply.c b/source/smbd/reply.c
index 06c81ec826d..12995722c78 100644
--- a/source/smbd/reply.c
+++ b/source/smbd/reply.c
@@ -1502,6 +1502,9 @@ int reply_search(connection_struct *conn, char *inbuf,char *outbuf, int dum_size for (i=numentries;(i BUFFER_SIZE ) + break; finished = !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend); if (!finished)
@@ -3530,6 +3533,9 @@ int reply_printqueue(connection_struct *conn, for (i=first;i BUFFER_SIZE ) + break; put_dos_date2(p,0,queue[i].time); SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3)); SSVAL(p,5, queue[i].job);
diff --git a/source/smbd/statcache.c b/source/smbd/statcache.c
index 03d22a08d03..fbb7dfb6873 100644
--- a/source/smbd/statcache.c
+++ b/source/smbd/statcache.c
@@ -88,7 +88,7 @@ void stat_cache_add( char *full_orig_name, char *orig_translated_path)
 * StrnCpy always null terminates.
 */
- StrnCpy(orig_name, full_orig_name, namelen);
+ StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
 if(!case_sensitive)
 strupper( orig_name );
diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
index 88ce327b714..36e371dc2c8 100644
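Review bot: The `sizeof(pstring)-1` on the new StrnCpy line in password.c hand-encodes the fact that StrnCpy writes its terminating NUL at dest[n] (the statcache.c hunk's own comment says it always NUL-terminates), which is exactly the one-byte overrun the old line had; the same patch fixes the identical pattern in trans2.c with `pstrcpy(fname, pname)`, so `pstrcpy(user_list, lp_username(snum));` would be the consistent form here and keeps the bound tied to the buffer type instead of a repeated constant. The copy still truncates an over-long "username" list silently, which only changes which candidate users are tried for a configured value, so that seems acceptable. The enclosing function starts and ends outside the hunk.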
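Review bot: The guard added to reply_search compares something against `BUFFER_SIZE` before each directory entry is appended, but its left-hand operand and the surrounding loop condition did not survive extraction (the text reads `(i BUFFER_SIZE ) + break;`), so I cannot confirm that it accounts for the size of the record about to be written rather than only the offset of `p` already consumed. If it tests only the consumed offset, one more fixed-size record can still be written past the end of outbuf; the check should have the shape `(p - outbuf) + <record size> > BUFFER_SIZE`, computed as an offset rather than by forming a `p + size` pointer beyond the buffer. Please also confirm that breaking out early leaves the entry count later placed in the reply consistent with what was actually emitted; that code, and the rest of reply_search, is outside the hunk.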
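Review bot: The check added to reply_printqueue is only partly legible here (`(i BUFFER_SIZE ) + break;`), but the lines after it write at `p`, `p+4` and `p+5` for every queue entry, with the remainder of the record written outside the hunk; if the comparison tests only how much of outbuf is used so far rather than `(p - outbuf)` plus the full per-entry record length, the last record can still overrun by up to that length. The check would benefit from a comment stating the record size it assumes, e.g. `/* each queue entry is N bytes; stop before the next one would overrun outbuf */` with N matching the writes below, so the guard and the writes cannot drift apart. The loop header and the rest of reply_printqueue are outside the hunk.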
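Review bot: Clamping the copy in stat_cache_add with `MIN(namelen, sizeof(orig_name)-1)` stops the overflow but truncates silently: a full_orig_name longer than the buffer is stored under a shortened key (then upper-cased when !case_sensitive), so a later lookup of that shorter name may be answered with the translation of a different, longer path — how orig_name is consumed afterwards is outside the hunk, so I cannot confirm the impact, but a cache should not store a key it cannot represent. Since the hunk header shows stat_cache_add returns void, refusing to cache is cheaper and safer: `if (namelen >= sizeof(orig_name)) return;` before the copy, with a comment such as `/* name would not fit in the cache key; do not cache a truncated one */`. Both forms rely on orig_name being a local array (sizeof would be wrong on a pointer); its declaration is outside the hunk.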
--- a/source/smbd/trans2.c
+++ b/source/smbd/trans2.c
@@ -217,7 +217,6 @@ static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf, i
 int16 open_ofun;
 int32 open_size;
 char *pname;
- int16 namelen;
 pstring fname;
 mode_t unixmode;
@@ -247,9 +246,8 @@ static int call_trans2open(connection_struct *conn, char *inbuf, char *outbuf, i
 open_ofun = SVAL(params,12);
 open_size = IVAL(params,14);
 pname = ¶ms[28];
- namelen = strlen(pname)+1;
- StrnCpy(fname,pname,namelen);
+ pstrcpy(fname, pname);
 DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n", fname,open_mode, open_attr, open_ofun, open_size));
--
2.11.4.GIT
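Review bot: `pstrcpy(fname, pname)` bounds the write into the pstring fname, but the read is still unbounded: pname points 28 bytes into the client-supplied parameter block (the line reads `¶ms[28]`, an extraction garble of `&params[28]`), and pstrcpy, like the removed `strlen(pname)+1`, scans for a NUL the client need not have sent, so unless a check earlier in call_trans2open guarantees a terminator within the received parameter length the copy reads past the block. A `memchr(pname, '\0', <parameter length> - 28) == NULL` test before the copy, rejecting the request instead of copying, would close that; the length variable and any existing minimum-size check are outside the hunk (the signature is cut off in the hunk header). Note also that pstrcpy truncates a name longer than a pstring silently, so an over-long path is opened as a different, shorter path rather than refused, and rejecting is the safer choice for a string that names a file to open. The rest of call_trans2open is outside the hunk.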