Date:      Tue, 8 Apr 2003 13:33:03 +0900 (JST)
From:      NAKAJI Hiroyuki <nakaji@jp.freebsd.org>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/50704: [SECURITY] japanese/samba update
Message-ID:  <200304080433.h384X3tC026029@boggy.acest.tutrp.tut.ac.jp>
Resent-Message-ID: <200304080440.h384eEbW021652@freefall.freebsd.org>


>Number:         50704
>Category:       ports
>Synopsis:       [SECURITY] japanese/samba update
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Apr 07 21:40:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     NAKAJI Hiroyuki
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD boggy.acest.tutrp.tut.ac.jp 5.0-CURRENT FreeBSD 5.0-CURRENT #75: Wed Mar 19 10:29:36 JST 2003 root@boggy.acest.tutrp.tut.ac.jp:/usr/obj/usr/src/sys/NAKAJI i386


	
>Description:
	As reported in FreeBSD-SN-03:01, japanese/samba is also affected by
the flaw. A new file, files/patch-security, is added to fix the problem
quickly. I hope samba-2.2.8a-ja will soon be available.

P.S.
	japanese/samba20 has to be forbidden before samba-2.0.10-ja
updated.

>How-To-Repeat:

>Fix:

diff -urN --exclude CVS /usr/ports/japanese/samba/Makefile ./Makefile
--- /usr/ports/japanese/samba/Makefile	Wed Mar 19 16:18:47 2003
+++ ./Makefile	Tue Apr  8 13:20:41 2003
@@ -7,7 +7,7 @@
 
 PORTNAME=	samba
 PORTVERSION=	${SAMBA_VERSION}.j${SAMBA_JA_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	japanese net
 MASTER_SITES=	ftp://ftp.samba.gr.jp/pub/samba-jp/%SUBDIR%/ \
 		ftp://ftp.iij.ad.jp/pub/SAMBA/samba-jp/%SUBDIR%/ \
diff -urN --exclude CVS /usr/ports/japanese/samba/files/patch-security ./files/patch-security
--- /usr/ports/japanese/samba/files/patch-security	Thu Jan  1 09:00:00 1970
+++ ./files/patch-security	Tue Apr  8 13:17:57 2003
@@ -0,0 +1,103 @@
+--- smbd/ipc.c.orig	Mon Mar 17 13:17:56 2003
++++ smbd/ipc.c	Tue Apr  8 13:17:45 2003
+@@ -398,7 +398,7 @@
+   
+ 	if (tdscnt)  {
+ 		if((data = (char *)malloc(tdscnt)) == NULL) {
+-			DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
++			DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt));
+ 			END_PROFILE(SMBtrans);
+ 			return(ERROR_DOS(ERRDOS,ERRnomem));
+ 		} 
+@@ -412,7 +412,7 @@
+ 
+ 	if (tpscnt) {
+ 		if((params = (char *)malloc(tpscnt)) == NULL) {
+-			DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
++			DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt));
+ 			SAFE_FREE(data);
+ 			END_PROFILE(SMBtrans);
+ 			return(ERROR_DOS(ERRDOS,ERRnomem));
+@@ -428,7 +428,7 @@
+ 	if (suwcnt) {
+ 		int i;
+ 		if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
+-			DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16))));
++			DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));
+ 			SAFE_FREE(data);
+ 			SAFE_FREE(params);
+ 			END_PROFILE(SMBtrans);
+@@ -524,7 +524,7 @@
+ 	}
+ 	
+ 	
+-	DEBUG(3,("trans <%s> data=%d params=%d setup=%d\n",
++	DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n",
+ 		 name,tdscnt,tpscnt,suwcnt));
+ 	
+ 	/*
+--- smbd/password.c.orig	Thu Nov 21 22:05:51 2002
++++ smbd/password.c	Tue Apr  8 13:17:45 2003
+@@ -816,7 +816,7 @@
+ 		if (!ok && lp_username(snum)) {
+ 			char *auser;
+ 			pstring user_list;
+-			StrnCpy(user_list,lp_username(snum),sizeof(pstring));
++			StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
+ 
+ 			pstring_sub(user_list,"%S",lp_servicename(snum), True);
+ 	  
+--- smbd/reply.c.orig	Wed Feb  5 15:15:15 2003
++++ smbd/reply.c	Tue Apr  8 13:17:45 2003
+@@ -1490,6 +1490,9 @@
+ 
+         for (i=numentries;(i<maxentries) && !finished;i++)
+         {
++          /* check to make sure we have room in the buffer */
++	  if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE )
++	      break;
+           finished = 
+             !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend);
+           if (!finished)
+@@ -3603,6 +3606,9 @@
+     
+ 
+ 		for (i=first;i<first+num_to_get;i++) {
++			/* check to make sure we have room in the buffer */
++			if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE )
++				break;
+ 			put_dos_date2(p,0,queue[i].time);
+ 			SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3));
+ 			SSVAL(p,5, queue[i].job);
+--- smbd/statcache.c.orig	Fri Nov  9 18:27:43 2001
++++ smbd/statcache.c	Tue Apr  8 13:17:45 2003
+@@ -88,7 +88,7 @@
+    * StrnCpy always null terminates.
+    */
+ 
+-  StrnCpy(orig_name, full_orig_name, namelen);
++  StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
+   if(!case_sensitive)
+     strupper( orig_name );
+ 
+--- smbd/trans2.c.orig	Mon Mar 17 13:17:56 2003
++++ smbd/trans2.c	Tue Apr  8 13:17:45 2003
+@@ -217,7 +217,6 @@
+ 	int16 open_ofun;
+ 	int32 open_size;
+ 	char *pname;
+-	int16 namelen;
+ 
+ 	pstring fname;
+ 	mode_t unixmode;
+@@ -247,9 +246,8 @@
+ 	open_ofun = SVAL(params,12);
+ 	open_size = IVAL(params,14);
+ 	pname = &params[28];
+-	namelen = strlen(pname)+1;
+ 
+-	StrnCpy(fname,pname,namelen);
++	pstrcpy(fname,pname);
+ 	if (strchr(fname,'?'))
+ 		return(ERROR_DOS(ERRDOS,ERRinvalidname));
+ 
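Review bot: In the smbd/trans2.c part of files/patch-security, `pstrcpy(fname,pname)` now bounds the write into `fname`, but the read from `pname = &params[28]` still runs to the first NUL, and nothing visible here confirms that the parameter block holds at least 29 bytes or that the name is terminated inside it. The function body starts and ends outside the embedded hunk, so such a check may already exist; if it does not, a length test before the copy is worth adding, and at minimum a comment such as `/* pstrcpy bounds fname; pname must be NUL-terminated within params */` would record the assumption. In the smbd/reply.c print-queue loop the new guard uses a bare `28`; a comment like `/* 28 = bytes written per queue entry below */` or a named constant would keep the bound tied to the writes that follow. The smbd/statcache.c change truncates silently through `MIN(namelen, sizeof(orig_name)-1)`, so if `orig_name` is later used as a lookup key it is worth stating whether a truncated name is acceptable there.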
>Release-Note:
>Audit-Trail:
>Unformatted:


