Message-Id: <200304080433.h384X3tC026029@boggy.acest.tutrp.tut.ac.jp>
Date: Tue, 8 Apr 2003 13:33:03 +0900 (JST)
From: NAKAJI Hiroyuki
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Subject: ports/50704: [SECURITY] japanese/samba update
Reply-To: NAKAJI Hiroyuki
List-Id: Ports bug reports
X-List-Received-Date: Tue, 08 Apr 2003 04:40:15 -0000

>Number: 50704
>Category: ports
>Synopsis: [SECURITY] japanese/samba update
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 07 21:40:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: NAKAJI Hiroyuki
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD boggy.acest.tutrp.tut.ac.jp 5.0-CURRENT FreeBSD 5.0-CURRENT #75: Wed Mar 19 10:29:36 JST 2003 root@boggy.acest.tutrp.tut.ac.jp:/usr/obj/usr/src/sys/NAKAJI i386
>Description:
As reported in FreeBSD-SN-03:01, japanese/samba also has the flaw.
A new file, files/patch-security, is added to fix the problem quickly.
I hope samba-2.2.8a-ja will soon be available.

P.S. japanese/samba20 has to be forbidden before samba-2.0.10-ja is updated.
>How-To-Repeat:
>Fix:
diff -urN --exclude CVS /usr/ports/japanese/samba/Makefile ./Makefile --- /usr/ports/japanese/samba/Makefile Wed Mar 19 16:18:47 2003 +++ ./Makefile Tue Apr 8 13:20:41 2003 @@ -7,7 +7,7 @@ PORTNAME= samba PORTVERSION= ${SAMBA_VERSION}.j${SAMBA_JA_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= japanese net MASTER_SITES= ftp://ftp.samba.gr.jp/pub/samba-jp/%SUBDIR%/ \ ftp://ftp.iij.ad.jp/pub/SAMBA/samba-jp/%SUBDIR%/ \ diff -urN --exclude CVS /usr/ports/japanese/samba/files/patch-security ./files/patch-security --- /usr/ports/japanese/samba/files/patch-security Thu Jan 1 09:00:00 1970 +++ ./files/patch-security Tue Apr 8 13:17:57 2003 
@@ -0,0 +1,103 @@ +--- smbd/ipc.c.orig Mon Mar 17 13:17:56 2003 ++++ smbd/ipc.c Tue Apr 8 13:17:45 2003 +@@ -398,7 +398,7 @@ + + if (tdscnt) { + if((data = (char *)malloc(tdscnt)) == NULL) { +- DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt)); ++ DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt)); + END_PROFILE(SMBtrans); + return(ERROR_DOS(ERRDOS,ERRnomem)); + } +@@ -412,7 +412,7 @@ + + if (tpscnt) { + if((params = (char *)malloc(tpscnt)) == NULL) { +- DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt)); ++ DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt)); + SAFE_FREE(data); + END_PROFILE(SMBtrans); + return(ERROR_DOS(ERRDOS,ERRnomem)); +@@ -428,7 +428,7 @@ + if (suwcnt) { + int i; + if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) { +- DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16)))); ++ DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16)))); + SAFE_FREE(data); + SAFE_FREE(params); + END_PROFILE(SMBtrans); +@@ -524,7 +524,7 @@ + } + + +- DEBUG(3,("trans <%s> data=%d params=%d setup=%d\n", ++ DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n", + name,tdscnt,tpscnt,suwcnt)); + + /* +--- smbd/password.c.orig Thu Nov 21 22:05:51 2002 ++++ smbd/password.c Tue Apr 8 13:17:45 2003 +@@ -816,7 +816,7 @@ + if (!ok && lp_username(snum)) { + char *auser; + pstring user_list; +- StrnCpy(user_list,lp_username(snum),sizeof(pstring)); ++ StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1); + + pstring_sub(user_list,"%S",lp_servicename(snum), True); + +--- smbd/reply.c.orig Wed Feb 5 15:15:15 2003 ++++ smbd/reply.c Tue Apr 8 13:17:45 2003 +@@ -1490,6 +1490,9 @@ + + for (i=numentries;(i BUFFER_SIZE ) ++ break; + finished = + !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend); + if (!finished) +@@ -3603,6 +3606,9 @@ + + + for (i=first;i BUFFER_SIZE ) ++ break; + 
put_dos_date2(p,0,queue[i].time); + SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3)); + SSVAL(p,5, queue[i].job); +--- smbd/statcache.c.orig Fri Nov 9 18:27:43 2001 ++++ smbd/statcache.c Tue Apr 8 13:17:45 2003 +@@ -88,7 +88,7 @@ + * StrnCpy always null terminates. + */ + +- StrnCpy(orig_name, full_orig_name, namelen); ++ StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1)); + if(!case_sensitive) + strupper( orig_name ); + +--- smbd/trans2.c.orig Mon Mar 17 13:17:56 2003 ++++ smbd/trans2.c Tue Apr 8 13:17:45 2003 +@@ -217,7 +217,6 @@ + int16 open_ofun; + int32 open_size; + char *pname; +- int16 namelen; + + pstring fname; + mode_t unixmode; +@@ -247,9 +246,8 @@ + open_ofun = SVAL(params,12); + open_size = IVAL(params,14); + pname = ¶ms[28]; +- namelen = strlen(pname)+1; + +- StrnCpy(fname,pname,namelen); ++ pstrcpy(fname,pname); + if (strchr(fname,'?')) + return(ERROR_DOS(ERRDOS,ERRinvalidname)); + >Release-Note: >Audit-Trail: >Unformatted:
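Review bot: in smbd/ipc.c (hunks at 398, 412, 428 and 524) only the DEBUG format specifiers move from %d to %u, and none of the visible lines touch the declarations of tdscnt, tpscnt or suwcnt. If those counters are still signed in this tree, %u is a format mismatch and the sign handling the change implies is not actually addressed. Please confirm the declarations are unsigned here, or carry that change in files/patch-security as well.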
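Review bot: in smbd/password.c at 816 the destination is declared as pstring user_list, so pstrcpy(user_list, lp_username(snum)) would state the bound without the hand-written sizeof(pstring)-1, and it is what the smbd/trans2.c hunk of this same patch does for fname. Keeping one idiom for pstring destinations makes a future off-by-one easier to catch in review.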
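Review bot: in both smbd/reply.c hunks (1490 and 3603) the added BUFFER_SIZE test leaves the loop with a bare break, so the reply is cut short with nothing written to the log. Suggest a DEBUG line before each break saying the listing was truncated, so an operator can tell a clipped result from an empty one. The comparison itself is cut off in this copy of the patch ("for (i=numentries;(i BUFFER_SIZE )"), so it cannot be reviewed from the archive and should be checked against the file as committed.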
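Review bot: in smbd/statcache.c at 88, clamping with MIN(namelen, sizeof(orig_name)-1) stops the overrun but the function then goes on with a silently truncated orig_name, which is no longer the name that was looked up. Suggest returning without adding a cache entry when namelen exceeds sizeof(orig_name)-1. The declaration of orig_name is outside the hunk, so please also confirm it is an array and not a pointer, since sizeof would otherwise give the pointer size.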
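Review bot: in smbd/trans2.c at 247, pstrcpy(fname,pname) bounds the write into fname, but pname still points at offset 28 of params and nothing in the visible lines checks that the parameter block is that long or that it contains a terminating NUL. The read side is therefore as unbounded as the removed strlen(pname) was. Suggest validating the received parameter length before taking the pointer and returning an error when it is too short.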