Date: Thu, 27 Nov 2008 22:59:59 +0300 (MSK)
From: Eygene Ryabinkin <rea-fbsd@codelabs.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-vuxml@freebsd.org
Subject: [vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
Message-ID: <20081127195959.7BA2AF181F@phoenix.codelabs.ru>
>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
The Samba team discovered a memory disclosure vulnerability:
http://www.samba.org/samba/security/CVE-2008-4314.html
>How-To-Repeat:
Read the document at the above link.
>Fix:
The following patch updates both net/samba3 and net/samba32-devel; the patches are taken directly from the vendor. I have just tested the compilability of those, but assuming that the vendor knows what he is doing and taking into account the simplicity of the patches, I am mostly confident that the updated versions will work fine.

--- vendor-fixes-for-CVE-2008-4314.diff begins here ---
>From a1baef8a3ae57552559bd2cc7bb575011c06f23b Mon Sep 17 00:00:00 2001 From: Eygene Ryabinkin <rea-fbsd@codelabs.ru> Date: Thu, 27 Nov 2008 22:50:14 +0300 http://www.samba.org/samba/security/CVE-2008-4314.html http://www.samba.org/samba/ftp/patches/security/samba-3.0.32-CVE-2008-4314.patch http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch Signed-off-by: Eygene Ryabinkin <rea-fbsd@codelabs.ru> --- net/samba3/Makefile | 2 +- net/samba3/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++ net/samba32-devel/Makefile | 1 + net/samba32-devel/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++ 4 files changed, 150 insertions(+), 1 deletions(-) create mode 100644 net/samba3/files/patch-CVE-2008-4314 create mode 100644 net/samba32-devel/files/patch-CVE-2008-4314 diff --git a/net/samba3/Makefile b/net/samba3/Makefile index 117c9fc..f37fe5d 100644 --- a/net/samba3/Makefile +++ b/net/samba3/Makefile @@ -7,7 +7,7 @@ PORTNAME= samba PORTVERSION?= 3.0.32 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH?= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} 
diff --git a/net/samba3/files/patch-CVE-2008-4314 b/net/samba3/files/patch-CVE-2008-4314 new file mode 100644 index 0000000..b19dc4c --- /dev/null +++ b/net/samba3/files/patch-CVE-2008-4314 
@@ -0,0 +1,74 @@ +Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch + +From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001 +From: Volker Lendecke <vl@samba.org> +Date: Sat, 8 Nov 2008 17:14:06 +0100 +Subject: [PATCH] Fix the offset checks in the trans routines + +This fixes a potential crash bug, a client can make us read memory we +should not read. Luckily I got the disp checks right... + +Volker +--- + source/smbd/ipc.c | 6 +++--- + source/smbd/nttrans.c | 6 +++--- + source/smbd/trans2.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c +index 6961a5c..a53bc5b 100644 +--- smbd/ipc.c ++++ smbd/ipc.c +@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c +index 13caf77..ef81404 100644 +--- smbd/nttrans.c ++++ smbd/nttrans.c +@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c +index acc424f..c7edec1 100644 +--- smbd/trans2.c ++++ smbd/trans2.c +@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +-- +1.5.5 + diff --git a/net/samba32-devel/Makefile b/net/samba32-devel/Makefile index bd3482e..c57a317 100644 
--- a/net/samba32-devel/Makefile +++ b/net/samba32-devel/Makefile @@ -7,6 +7,7 @@ PORTNAME= samba PORTVERSION?= 3.2.4 +PORTREVISION?= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} MASTER_SITE_SUBDIR= . old-versions rc pre diff --git a/net/samba32-devel/files/patch-CVE-2008-4314 b/net/samba32-devel/files/patch-CVE-2008-4314 new file mode 100644 index 0000000..b19dc4c --- /dev/null +++ b/net/samba32-devel/files/patch-CVE-2008-4314 
@@ -0,0 +1,74 @@ +Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch + +From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001 +From: Volker Lendecke <vl@samba.org> +Date: Sat, 8 Nov 2008 17:14:06 +0100 +Subject: [PATCH] Fix the offset checks in the trans routines + +This fixes a potential crash bug, a client can make us read memory we +should not read. Luckily I got the disp checks right... + +Volker +--- + source/smbd/ipc.c | 6 +++--- + source/smbd/nttrans.c | 6 +++--- + source/smbd/trans2.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c +index 6961a5c..a53bc5b 100644 +--- smbd/ipc.c ++++ smbd/ipc.c +@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c +index 13caf77..ef81404 100644 +--- smbd/nttrans.c ++++ smbd/nttrans.c +@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c +index acc424f..c7edec1 100644 +--- smbd/trans2.c ++++ smbd/trans2.c +@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +-- +1.5.5 + -- 1.6.0.4 --- vendor-fixes-for-CVE-2008-4314.diff ends here --- The following VuXML entry should be evaluated and added: --- 
vuln.xml begins here ---
  <vuln vid="">
    <topic>samba -- potential leakage of arbitrary memory contents</topic>
    <affects>
      <package>
        <name>samba32-devel</name>
        <range><lt>3.2.4_1</lt></range>
      </package>
      <package>
        <name>samba3</name>
        <range><ge>3.0.29,1</ge><lt>3.0.32_2,1</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Vendor reports:</p>
        <blockquote cite="http://www.samba.org/samba/security/CVE-2008-4314.html">
          <p>Samba 3.0.29 to 3.2.4 can potentially leak arbitrary memory contents to malicious clients</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-4314</cvename>
      <url>http://www.samba.org/samba/security/CVE-2008-4314.html</url>
      <url>http://www.ubuntu.com/usn/USN-680-1</url>
    </references>
    <dates>
      <entry>TODAY</entry>
      <discovery>2008-11-27</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---
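Review bot: the PORTREVISION bump from 1 to 2 in the net/samba3/Makefile hunk is the right trigger for a rebuild, since the distfile is unchanged and only a patch file is added. Because this port also carries PORTEPOCH?= 1, the resulting package version is 3.0.32_2,1, which is exactly what the VuXML entry's <lt>3.0.32_2,1</lt> range encodes; the two agree, but a committer who picks a different revision must change both places.

Review bot: the "Obtained from:" header in net/samba3/files/patch-CVE-2008-4314 cites the samba-3.2.4 vendor patch, while the commit message lists a separate samba-3.0.32-CVE-2008-4314.patch for the 3.0.32 branch, and the file is byte-identical to the samba32-devel copy (both new files show blob b19dc4c). Either the two vendor patches are identical and the header should cite the 3.0.32 URL for this port, or the 3.0.32 patch differs and should be the one embedded here; please check against the vendor URL before committing. The change itself only swaps ddisp for doff in the av_size bound in all three trans handlers and keeps the unsigned wrap guard (doff+dcnt < doff), consistent with the commit message's note that the disp checks were already right.

Review bot: the net/samba32-devel/Makefile hunk adds PORTREVISION?= 1 with the conditional assignment, matching the port's existing PORTVERSION?= style so a slave port can override it. Since the port had no PORTREVISION before, the new package version is 3.2.4_1, which matches the <lt>3.2.4_1</lt> range in the VuXML entry; no PORTEPOCH is set on this port, so no ",1" suffix applies here, unlike samba3.

Review bot: the vendor patch embedded in net/samba32-devel/files/patch-CVE-2008-4314 uses "--- smbd/ipc.c" / "+++ smbd/ipc.c" file headers without the source/ prefix that its own "diff --git a/source/smbd/ipc.c" lines carry, so it applies only if the port's WRKSRC points at the source/ subdirectory of the unpacked tarball. The reported successful build indicates it does, and the same assumption holds for the samba3 copy, but a committer should confirm that "make patch" applies cleanly on both ports rather than relying on the nested diff --git paths. The "Obtained from:" URL is the correct one for this port's 3.2.4 version.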