Changeset 467 for branches

Timestamp:

Jun 17, 2010, 10:59:42 AM (15 years ago)

Author:

Herwig Bauernfeind

Message:

Update Samba 3.3 to 3.3.13 (security update)

Location:

branches/samba-3.3.x

Files:

• WHATSNEW.txt (modified) (3 diffs)
• packaging/RHEL-CTDB/samba.spec (modified) (1 diff)
• packaging/RHEL/makerpms.sh (modified) (1 diff)
• packaging/RHEL/samba.spec (modified) (1 diff)
• source/VERSION (modified) (1 diff)
• source/smbd/process.c (modified) (2 diffs)

branches/samba-3.3.x/WHATSNEW.txt

@@ +1 @@
+                   ==============================
+                   Release Notes for Samba 3.3.13
+                            June 16, 2010
+                   ==============================
+
+
+This is a security release in order to address CVE-2010-2063.
+
+
+o  CVE-2010-2063:
+   In Samba 3.3.x and below, a buffer overrun is possible in chain_reply code.
+
+
+Changes since 3.3.12
+--------------------
+
+
+o   Jeremy Allison <jra@samba.org>
+    * BUG 7494: Fix for CVE-2010-2063.
+
+
+######################################################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 3.3 product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 3.3.12
@@ -18 +62 @@
 
 
-Changes since 3.5.0
--------------------
+Changes since 3.3.11
+--------------------
 
 
@@ -46 +90 @@
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================

branches/samba-3.3.x/packaging/RHEL-CTDB/samba.spec

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.3.12
+Version:      3.3.13
 Release:      ctdb.1
 Epoch:        0

branches/samba-3.3.x/packaging/RHEL/makerpms.sh

@@ -21 +21 @@
 USERID=`id -u`
 GRPID=`id -g`
-VERSION='3.3.12'
+VERSION='3.3.13'
 REVISION=''
 SPECFILE="samba.spec"

branches/samba-3.3.x/packaging/RHEL/samba.spec

@@ -6 +6 @@
 Packager: Samba Team <samba@samba.org>
 Name:         samba
-Version:      3.3.12
+Version:      3.3.13
 Release:      1
 Epoch:        0

branches/samba-3.3.x/source/VERSION

@@ -26 +26 @@
 SAMBA_VERSION_MAJOR=3
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
 
 ########################################################

branches/samba-3.3.x/source/smbd/process.c

@@ -1646 +1646 @@
 {
         static char *orig_inbuf;
+        static int orig_size;
 
         /*
@@ -1680 +1681 @@
                 /* this is the first part of the chain */
                 orig_inbuf = inbuf;
-        }
-
+                orig_size = size;
+        }
+
+        /* Validate smb_off2 */
+        if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+                exit_server_cleanly("Bad chained packet");
+                return;
+        }
         /*
          * We need to save the output the caller added to the chain so that we
          * can splice it into the final output buffer later.
          */
+
+        if (outsize <= smb_wct) {
+                exit_server_cleanly("Bad chained packet");
+                return;
+        }
 
         caller_outputlen = outsize - smb_wct;