The branch, v3-0-test has been updated
       via  14ecfecbdf3e631f87d83337e06060724deb7756 (commit)
       via  63918ac0f0a3767237210182f0f35840db87242c (commit)
       via  96e61fb89caa9e9d500c3006b83299a7938d0af7 (commit)
       via  99eea67a5a1114e499ece00f8b68ccbf2ec4ae75 (commit)
       via  a7c6fe1e3cb4d66a48f43a49fe31778adace2332 (commit)
      from  1cdf89a02af6e7a2deed3f59519af97c10dbdaa3 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test

- Log -----------------------------------------------------------------
commit 14ecfecbdf3e631f87d83337e06060724deb7756
Author: Gerald (Jerry) Carter <[EMAIL PROTECTED]>
Date:   Thu Nov 15 10:51:37 2007 -0600

    Set release to 3.0.27a in development branch

commit 63918ac0f0a3767237210182f0f35840db87242c
Author: Gerald (Jerry) Carter <[EMAIL PROTECTED]>
Date:   Thu Nov 15 10:51:23 2007 -0600

    Pull in release notes from 3.0.27 to the v3-0 development branch

commit 96e61fb89caa9e9d500c3006b83299a7938d0af7
Author: Gerald (Jerry) Carter <[EMAIL PROTECTED]>
Date:   Thu Nov 15 10:48:13 2007 -0600

    Set version to 3.0.27a

commit 99eea67a5a1114e499ece00f8b68ccbf2ec4ae75
Author: Gerald (Jerry) Carter <[EMAIL PROTECTED]>
Date:   Wed Nov 14 20:54:44 2007 -0600

    Fix for CVE-2007-4572

    == Subject:     Stack buffer overflow in nmbd's logon
    ==              request processing.
    ==
    == CVE ID#:     CVE-2007-4572
    ==
    == Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
    ...
    Samba developers have discovered what is believed to be a
    non-exploitable buffer over in nmbd during the processing of
    GETDC logon server requests.  This code is only used when the
    Samba server is configured as a Primary or Backup Domain
    Controller.

commit a7c6fe1e3cb4d66a48f43a49fe31778adace2332
Author: Gerald (Jerry) Carter <[EMAIL PROTECTED]>
Date:   Wed Nov 14 20:51:14 2007 -0600

    Fix for CVE-2007-5398.

    == Subject:     Remote code execution in Samba's WINS
    ==              server daemon (nmbd) when processing name
    ==              registration followed name query requests.
    ==
    == CVE ID#:     CVE-2007-5398
    ==
    == Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
    ...
    Secunia Research reported a vulnerability that allows for the
    execution of arbitrary code in nmbd.  This defect may only be
    exploited when the "wins support" parameter has been enabled
    in smb.conf.

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                    |  265 +++++++++++++++++++++++++++++++++++++++
 source/VERSION                  |    4 +-
 source/lib/charcnv.c            |    4 +-
 source/libsmb/ntlmssp_parse.c   |    3 +-
 source/nmbd/nmbd_packets.c      |    6 +
 source/nmbd/nmbd_processlogon.c |   89 +++++++++++--
 source/smbd/lanman.c            |    2 +-
 7 files changed, 354 insertions(+), 19 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5868036..d208c07 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,268 @@ + ============================== + Release Notes for Samba 3.0.27 + Nov 15, 2007 + ============================== + +Samba 3.0.27 is a security release in order to address the following +defects: + + o CVS-2007-4572 + Stack buffer overflow in nmbd's logon request processing. + + o CVE-2007-5398 + Remote code execution in Samba's WINS server daemon (nmbd) + when processing name registration followed name query requests. + +The original security announcement for this and past advisories can +be found http://www.samba.org/samba/security/ + +###################################################################### +Changes +####### + +Changes since 3.0.26a +--------------------- + +o Jeremy Allison <[EMAIL PROTECTED]> + * Fix for CVS-2007-4572. + * Fix for CVE-2007-5398. + + +o Simo Sorce <[EMAIL PROTECTED]> + * Additional fixes for CVS-2007-4572. + + +Release notes for older releases follow: + + -------------------------------------------------- + =============================== + Release Notes for Samba 3.0.26a + Sep 11, 2007 + =============================== + +Major bug fixes included in Samba 3.0.26a are: + + o Memory leaks in Winbind's IDMap manager. + + +###################################################################### +Changes +####### + +Changes since 3.0.26 +-------------------- + +o Michael Adam <[EMAIL PROTECTED]> + * Fix read_sock() semantics in wb_common.c to address "invalid + request size" errors in winbindd logs. + * Fix use of pwrite() in tdb IO code paths. + + +o Jeremy Allison <[EMAIL PROTECTED]> + * Fix logic error in timeout of blocking lock processing. + + +o Guenther Deschner <[EMAIL PROTECTED]> + * Fix error code in the msrpc EnumerateDomainGroups() Winbind + method when a memory allocation fails. + * Fix Winbind initialization storms when contacting an older Samba DC. + + +o Volker Lendecke <[EMAIL PROTECTED]> + * Fix compile failure in NFSv4 VFS module. + * Fix compile failures on True64. 
+ * Fix compile failure in unmaintained python bindings. + * BUG 4917: Fix memory leaks in Winbind's idmap_ldap and + idmap_cache backends. + * Coverity fixes in the group mapping code. + + +o Derrell Lipman <[EMAIL PROTECTED]> + * Remove NetBIOS keepalives from libsmbclient and consolidate on + the use of getpeername() when checking connection health. + * Use formal syntax for invoking function pointers in + libsmbclient. + + +o Lars Mueller <[EMAIL PROTECTED]> + * Fixes for Winbind's AD site support when the host is not + configured in any site or nor DC's are present within the host's + configured site. + + +o Simo Sorce <[EMAIL PROTECTED]> + * Debian packaging updates for 3.0.25c. + * Add sanity checks for "smb ports" values. + * Fix compile issues related to the VFS "open" method and newer + glibc implementations. + * Fix a segv in smbldap_set_creds() when using an anonymous + connection. + * BUG 4772: Fix us of ldap_base_dn for the idmap_ldap plugin. + + +Release notes for older releases follow: + + -------------------------------------------------- + ============================== + Release Notes for Samba 3.0.26 + Sep 11, 2007 + ============================== + +This is a security release of Samba 3.0 to address + + o CVE-2007-4138 + Versions: All Samba 3.0.25 releases + Incorrect primary group assignment for + domain users using the rfc2307 or sfu + winbind nss info plugin. 
+ +The original security announcement for this and past advisories +can be found http://www.samba.org/samba/security/ + +###################################################################### +Changes +####### + +Changes since 3.0.25c +--------------------- + +o Gerald (Jerry) Carter <[EMAIL PROTECTED]> + * Fix CVE-2007-4138 in the "winbind nss info = {sfu | rfc2307}" + plugin (idmap_ad.c) + + + -------------------------------------------------- + =============================== + Release Notes for Samba 3.0.25c + Aug 20, 2007 + =============================== + +Major bug fixes included in Samba 3.0.25c are: + + o File sharing with Widows 9x clients. + o Winbind running out of file descriptors due to stalled + child processes. + o MS-DFS inter-operability issues. + + +###################################################################### +Changes +####### + +Changes since 3.0.25b +--------------------- + +o Michael Adam <[EMAIL PROTECTED]> + * Fix incorrect log messages in tdbbackup. + * Fix a bug in pwrite error detection in tdb_expand_file(). + + +o Jeremy Allison <[EMAIL PROTECTED]> + * BUG 4711: Make cli_connect() return NT_STATUS codes. + * Ensure we obey Unicode consortium restrictions. Based on + patch from MORIYAMA Masayuki. + * BUG 3204: Cope with stalled winbindd child processes and + prevent the parent winbindd process from running out of file + descriptors. + * Fix realloc leak on failure case from Jim Meyering. + * BUG 4759: Fix crash in ber_printf() caused invalid tag. + * BUG 4763: Limit notify responses to client max buf size. + * BUG 4777: Doing a DFS traverse through a deep link could fail + (not using explorer). + * BUG 4779: Setting the allocation size updates the modified + time as a write does. + * BUG 4308: Fix interaction with MS Excel and POSIX ACLs. + * Fix POSIX unlink bug found by the Linux CIFS fs client. + * Stop counting locks if we get a POSIX lock request. 
+ * Fix interaction between Linux CIFS fs client and Windows + clients when the former tries to remove a file opened by the + latter. + * Fix incorrect mapping of invalid resume names in FindNext + commands. + * Cope with dead entries in the locking database tied to + non-existent processes (merge from 3.2-ctdb). + * Fix MS-DFS related renaming bug in smbclient. + * Fix for write cache corruption bug. + * Fix invalid vuid from being returned by a failed call to + cli_session_setup_spnego.(). + * Fixes for error mappings from NT_STATUS to the appropriate DOS + error codes in reply_opeNXXX() calls. + + +o Ofir Azoulay <[EMAIL PROTECTED]> + * Only look at errno set by SMB_VFS_CLOSE() if the call actually + failed. + + +o Alexander Bokovoy <[EMAIL PROTECTED]> + * Fix vfs_readahead: transparent modules should always pass + through. + + +o David S. Collier-Brown <[EMAIL PROTECTED]> + * BUG 4897: Fix Solaris xattr misdeclarations. + + +o Guenther Deschner <[EMAIL PROTECTED]> + * Remove redundant pointer checks when freeing memory in winbindd. + * BUG 4408: Remove last traces of Heimdal KCM support. + * Fix bug in user Krb5 ticket refresh feature in winbindd. + * Fix Heimdal path in the krb5 renew routine. + * Unused code cleanup in winbindd. + + +o SATOH Fumiyasu <[EMAIL PROTECTED]> + * BUG 4750: smbc_telldir_ctx() was not returning a value useful + to smbc_lseekdir_ctx(). + + +o Bjoern Jacke <[EMAIL PROTECTED]> + * Add support for Extended Attributes on Solaris. + + +o Matthijs Kooijman <[EMAIL PROTECTED]> + * BUG 4836: Fix incorrect log message in the nss_info + plugin init call. + * BUG 4849: Fix "net ads dns register" usage text. + + +o Volker Lendecke <[EMAIL PROTECTED]> + * Port cli_connect() NT_STATUS fixes to smbmount. + * Add notes about smbfs/cifs to usage() in smb[u]mount. + * BUG 4792: Fix pidfile name bug. + * Fix missing END_PROFILE() call in the SMBunlink reply. + * Coverity fixes. 
+ * Correct logic error in change notify code that would result in + an endless loop. + * Fix uninitialized reads in the spoolss GetPrinterData() replies. + * Fix file overwrites from Windows 9x clients. + + +o Herb Lewis <[EMAIL PROTECTED]> + * Unused code cleanup. + * Avoid a crash in "net rpc info" when no username has + been specified. + * Remove biconv detection on *BSD. + + +o Derrell Lipman <[EMAIL PROTECTED]> + * Get/Set ACL fixes in libsmbclient. + + +o Jan Martin <[EMAIL PROTECTED]> + * BUG 4860: Patches for fixing MS-DFS links with trailing + back slashes. + + +o Jim McDonough <[EMAIL PROTECTED]> + * BUG 4719: "Must change password" is not set from usrmgr.exe. + + +o Atsushi Nakabayashi <[EMAIL PROTECTED]> + * Ensure proper exit when nmbd is unable to reopen the wins.tdb. + * Fix error path memleaks in the messaging subsystem. + + -------------------------------------------------- =============================== Release Notes for Samba 3.0.25b June 20, 2007 diff --git a/source/VERSION b/source/VERSION index dac2ecd..002f246 100644 --- a/source/VERSION +++ b/source/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=26 +SAMBA_VERSION_RELEASE=27 ######################################################## # Bug fix releases use a letter for the patch revision # @@ -36,7 +36,7 @@ SAMBA_VERSION_RELEASE=26 # e.g. SAMBA_VERSION_REVISION=a # # -> "2.2.8a" # ######################################################## -SAMBA_VERSION_REVISION=b +SAMBA_VERSION_REVISION= ######################################################## # For 'pre' releases the version will be # diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c index 8d5fbc8..2341429 100644 --- a/source/lib/charcnv.c +++ b/source/lib/charcnv.c 
@@ -872,9 +872,9 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags) size_t src_len = strlen(src); pstring tmpbuf; - /* treat a pstring as "unlimited" length */ + /* No longer allow a length of -1 */ if (dest_len == (size_t)-1) - dest_len = sizeof(pstring); + smb_panic("push_ascii - dest_len == -1"); if (flags & STR_UPPER) { pstrcpy(tmpbuf, src); diff --git a/source/libsmb/ntlmssp_parse.c b/source/libsmb/ntlmssp_parse.c index e715048..38a65d3 100644 --- a/source/libsmb/ntlmssp_parse.c +++ b/source/libsmb/ntlmssp_parse.c @@ -152,7 +152,8 @@ BOOL msrpc_gen(DATA_BLOB *blob, break; case 'C': s = va_arg(ap, char *); - head_ofs += push_string(NULL, blob->data+head_ofs, s, -1, + n = str_charnum(s) + 1; + head_ofs += push_string(NULL, blob->data+head_ofs, s, n, STR_ASCII|STR_TERMINATE); break; } diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c index 87a38b9..bbcc1ec 100644 --- a/source/nmbd/nmbd_packets.c +++ b/source/nmbd/nmbd_packets.c @@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name), nmb->answers->ttl = ttl; if (data && len) { + if (len < 0 || len > sizeof(nmb->answers->rdata)) { + DEBUG(5,("reply_netbios_packet: " + "invalid packet len (%d)\n", + len )); + return; + } nmb->answers->rdlength = len; memcpy(nmb->answers->rdata, data, len); } diff --git a/source/nmbd/nmbd_processlogon.c b/source/nmbd/nmbd_processlogon.c index 1672b03..05e82a4 100644 --- a/source/nmbd/nmbd_processlogon.c +++ b/source/nmbd/nmbd_processlogon.c @@ -135,7 +135,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) )); fstrcpy(reply_name, "\\\\"); fstrcat(reply_name, my_name); - push_ascii_fstring(q, reply_name); + push_ascii(q,reply_name, + sizeof(outbuf)-PTR_DIFF(q, outbuf), + STR_TERMINATE); q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */ SSVAL(q, 0, token); 
@@ -231,7 +233,9 @@ logons are not enabled.\n", inet_ntoa(p->ip) )); q += 2; fstrcpy(reply_name,my_name); - push_ascii_fstring(q, reply_name); + push_ascii(q, reply_name, + sizeof(outbuf)-PTR_DIFF(q, outbuf), + STR_TERMINATE); q = skip_string(outbuf,sizeof(outbuf),q); /* PDC name */ /* PDC and domain name */ @@ -239,8 +243,15 @@ logons are not enabled.\n", inet_ntoa(p->ip) )); /* Make a full reply */ q = ALIGN2(q, outbuf); - q += dos_PutUniCode(q, my_name, sizeof(pstring), True); /* PDC name */ - q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True); /* Domain name*/ + q += dos_PutUniCode(q, my_name, + sizeof(outbuf) - PTR_DIFF(q, outbuf), + True); /* PDC name */ + q += dos_PutUniCode(q, lp_workgroup(), + sizeof(outbuf) - PTR_DIFF(q, outbuf), + True); /* Domain name*/ + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) { + return; + } SIVAL(q, 0, 1); /* our nt version */ SSVAL(q, 4, 0xffff); /* our lmnttoken */ SSVAL(q, 6, 0xffff); /* our lm20token */ @@ -376,9 +387,15 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", q += 2; - q += dos_PutUniCode(q, reply_name,sizeof(pstring), True); - q += dos_PutUniCode(q, ascuser, sizeof(pstring), True); - q += dos_PutUniCode(q, lp_workgroup(),sizeof(pstring), True); + q += dos_PutUniCode(q, reply_name, + sizeof(outbuf) - PTR_DIFF(q, outbuf), + True); + q += dos_PutUniCode(q, ascuser, + sizeof(outbuf) - PTR_DIFF(q, outbuf), + True); + q += dos_PutUniCode(q, lp_workgroup(), + sizeof(outbuf) - PTR_DIFF(q, outbuf), + True); } #ifdef HAVE_ADS else { @@ -394,6 +411,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", get_mydnsdomname(domain); get_myname(hostname); + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8) { + return; + } if (SVAL(uniuser, 0) == 0) { SIVAL(q, 0, SAMLOGON_AD_UNK_R); /* user unknown */ } else { 
@@ -406,6 +426,9 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", q += 4; /* Push Domain GUID */ + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < UUID_FLAT_SIZE) { + return; + } if (False == secrets_fetch_domain_guid(domain, &domain_guid)) { DEBUG(2, ("Could not fetch DomainGUID for %s\n", domain)); return; @@ -421,12 +444,20 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", q1 = q; while ((component = strtok(dc, "."))) { dc = NULL; - size = push_ascii(&q[1], component, -1, 0); + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 1) { + return; + } + size = push_ascii(&q[1], component, + sizeof(outbuf) - PTR_DIFF(q+1, outbuf), + 0); SCVAL(q, 0, size); q += (size + 1); } /* Unk0 */ + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) { + return; + } SCVAL(q, 0, 0); q++; 
@@ -436,44 +467,72 @@ reporting %s domain %s 0x%x ntversion=%x lm_nt token=%x lm_20 token=%x\n", q += 2; /* Hostname */ - size = push_ascii(&q[1], hostname, -1, 0); + size = push_ascii(&q[1], hostname, + sizeof(outbuf) - PTR_DIFF(q+1, outbuf), + 0); SCVAL(q, 0, size); q += (size + 1); + + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 3) { + return; + } + SCVAL(q, 0, 0xc0 | ((str_offset >> 8) & 0x3F)); SCVAL(q, 1, str_offset & 0xFF); q += 2; /* NETBIOS of domain */ - size = push_ascii(&q[1], lp_workgroup(), -1, STR_UPPER); + size = push_ascii(&q[1], lp_workgroup(), + sizeof(outbuf) - PTR_DIFF(q+1, outbuf), + STR_UPPER); SCVAL(q, 0, size); q += (size + 1); /* Unk1 */ + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 2) { + return; + } SCVAL(q, 0, 0); q++; /* NETBIOS of hostname */ - size = push_ascii(&q[1], my_name, -1, 0); + size = push_ascii(&q[1], my_name, + sizeof(outbuf) - PTR_DIFF(q+1, outbuf), + 0); SCVAL(q, 0, size); q += (size + 1); /* Unk2 */ + if (sizeof(outbuf) - PTR_DIFF(q, outbuf) < 4) { + return; + } SCVAL(q, 0, 0); q++; /* User name */ if (SVAL(uniuser, 0) != 0) { - size = push_ascii(&q[1], ascuser, -1, 0); + size = push_ascii(&q[1], ascuser, -- Samba Shared Repository
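Review bot: the WHATSNEW.txt hunk (@@ -1,3 +1,268) misspells the first advisory as "CVS-2007-4572" in three places (the defect list and both entries under "Changes since 3.0.26a"); the commit message has the correct CVE-2007-4572, and anyone searching the release notes by CVE id will otherwise miss it. Smaller slips in the same hunk: "can be found http://www.samba.org/samba/security/" is missing "at", "name registration followed name query requests" is missing "by", and in the carried-over 3.0.26a and 3.0.25c notes "Widows 9x clients", "Fix us of ldap_base_dn" and "or nor DC's are present" should read "Windows", "use" and "no DC's".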
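Review bot: in source/lib/charcnv.c (@@ -872) replacing the sizeof(pstring) fallback with smb_panic("push_ascii - dest_len == -1") turns every remaining push_ascii(..., -1, ...) caller into a daemon abort, which is a remotely triggerable crash wherever that caller formats network-supplied data. This changeset only converts the callers visible in ntlmssp_parse.c and nmbd_processlogon.c, so the commit should either state that every -1 caller in the tree was audited or fail soft here (log at level 0 and return 0) rather than panic; the function's header comment should also say that -1 is no longer accepted.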
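Review bot: in source/libsmb/ntlmssp_parse.c (@@ -152) `n = str_charnum(s) + 1` bounds the push by the length of the source string, not by the room left in the destination, so it satisfies the new "no -1" rule in push_ascii without protecting blob->data at all; the bound wanted here is the remaining space, `blob->length - head_ofs`. str_charnum() also counts characters rather than bytes, so when the DOS charset conversion of s produces more bytes than characters the copy is truncated one byte short of the terminator.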
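Review bot: in source/nmbd/nmbd_packets.c (@@ -963) the new rdata length check logs at DEBUG level 5, which is invisible at the default log level; a reply rejected here means a caller tried to copy more than sizeof(nmb->answers->rdata), and given that this changeset fixes a remote code execution in nmbd, operators will want that event at level 0-2 together with the peer address so attempts can be detected. The `len > sizeof(nmb->answers->rdata)` comparison mixes int and size_t and is only safe because `len < 0` is evaluated first; an explicit `(size_t)len` would make that intent clear.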
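Review bot: in source/nmbd/nmbd_processlogon.c (@@ -135) the result of the new bounded push_ascii() is discarded and nothing checks that any room is left before the call, so with zero bytes remaining the reply name is silently dropped; more importantly, the following `q = skip_string(outbuf,sizeof(outbuf),q); SSVAL(q, 0, token);` uses q without testing it, and the bounded form of skip_string() exists precisely to report a string that runs past the buffer by returning NULL, so SSVAL would then write through a NULL pointer. Add `if (q == NULL) return;` (or a remaining-length >= 2 check as the later hunks do) before SSVAL. The hunk at @@ -231 has the identical pattern.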
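Review bot: in source/nmbd/nmbd_processlogon.c (@@ -239) the `sizeof(outbuf) - PTR_DIFF(q, outbuf) < 8` guard before the SIVAL/SSVAL/SSVAL writes (4+2+2 bytes) holds only while q never exceeds outbuf + sizeof(outbuf): the subtraction is size_t arithmetic, so if a preceding dos_PutUniCode() ever advanced q past the end the result wraps to a huge value and the check passes. The same expression is repeated in every later hunk of this file; a single helper such as `remaining = (q < outbuf + sizeof(outbuf)) ? sizeof(outbuf) - PTR_DIFF(q, outbuf) : 0;` would centralise the check and make the wrap impossible.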
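Review bot: in source/nmbd/nmbd_processlogon.c (@@ -421, the strtok loop) `SCVAL(q, 0, size)` stores the returned length in one byte without checking that push_ascii() copied the whole component: if the remaining room is smaller than the label, push_ascii truncates, the encoded DNS-style name goes out corrupted and the loop keeps writing, whereas every other guard in this hunk aborts the reply. Compare the returned size with the room passed in (and with 63, the DNS label maximum) and return on mismatch; and if push_ascii propagates convert_string's (size_t)-1 error return, `q += (size + 1)` leaves q where it was and 0xff is written as the label length, so that case needs a check too.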
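Review bot: the final hunk of source/nmbd/nmbd_processlogon.c (@@ -436) is cut off by the 500-line changeset truncation in the middle of the "User name" push_ascii, so whether that push and anything after it (and the source/smbd/lanman.c change listed in the summary) received the same bounding cannot be reviewed from this mail; please post the remainder or point to the full diff in gitweb.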