The branch, v4-0-test has been updated
       via  f5bd128 VERSION: Bump version number up to 4.0.9.
       via  3b7e719 Merge tag 'samba-4.0.8' into v4-0-test
       via  dbf87d3 WHATSNEW: Add release notes for Samba 4.0.8.
       via  03656a7 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
       via  b4bfcdf Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
       via  4df0ef0 VERSION: Bump version number up to 4.0.8.
      from  221cffa s4-lib/socket: Allocate a the larger sockaddr_un and not just a sockaddr_in in unixdom_get_my_addr()

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v4-0-test - Log ----------------------------------------------------------------- commit f5bd1286f124dd03161dcd876681c3df1d4793f3 Author: Karolin Seeger <ksee...@samba.org> Date: Mon Aug 5 12:41:23 2013 +0200 VERSION: Bump version number up to 4.0.9. Signed-off-by: Karolin Seeger <ksee...@samba.org> commit 3b7e7196c6854cd549a0d2fab39165e0c13fa88f Merge: 221cffa25510b6115490b5c48d60ec231357a068 dbf87d3867c1771a09029b733c8de1e134e270e4 Author: Karolin Seeger <ksee...@samba.org> Date: Mon Aug 5 12:40:37 2013 +0200 Merge tag 'samba-4.0.8' into v4-0-test samba: tag release samba-4.0.8 ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 60 +++++++++++++++++++++++++++++++++++++++++- source3/smbd/nttrans.c | 12 ++++++++ source4/libcli/raw/raweas.c | 7 +++- 4 files changed, 76 insertions(+), 5 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index be94a07..6cb5cba 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6ab15c8..503aff0 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,60 @@ ============================= + Release Notes for Samba 4.0.8 + August 05, 2013 + ============================= + + +This is a security release in order to address +CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause +server to loop with DOS). + +o CVE-2013-4124: + All current released versions of Samba are vulnerable to a denial of + service on an authenticated or guest connection. A malformed packet + can cause the smbd server to loop the CPU performing memory + allocations and preventing any further service. + + A connection to a file share, or a local account is needed to exploit + this problem, either authenticated or unauthenticated if guest + connections are allowed. + + This flaw is not exploitable beyond causing the code to loop + allocating memory, which may cause the machine to exceed memory + limits. + + +Changes since 4.0.7: +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list + reading can cause server to loop with DOS. + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.0 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================= Release Notes for Samba 4.0.7 July 2, 2013 ============================= @@ -103,8 +159,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.0.6 diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index 54e475d..f70fb36 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -993,7 +993,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t if (next_offset == 0) { break; } + + /* Integer wrap protection for the increment. */ + if (offset + next_offset < offset) { + break; + } + offset += next_offset; + + /* Integer wrap protection for while loop. */ + if (offset + 4 < offset) { + break; + } + } return ea_list_head; diff --git a/source4/libcli/raw/raweas.c b/source4/libcli/raw/raweas.c index 5f06e70..b626b31 100644 --- a/source4/libcli/raw/raweas.c +++ b/source4/libcli/raw/raweas.c @@ -243,9 +243,12 @@ NTSTATUS ea_pull_list_chained(const DATA_BLOB *blob, return NT_STATUS_INVALID_PARAMETER; } - ofs += next_ofs; + if (ofs + next_ofs < ofs) { + return NT_STATUS_INVALID_PARAMETER; + } - if (ofs+4 > blob->length) { + ofs += next_ofs; + if (ofs+4 > blob->length || ofs+4 < ofs) { return NT_STATUS_INVALID_PARAMETER; } n++; -- Samba Shared Repository
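
Review bot: in the source3/smbd/nttrans.c hunk, both new wrap checks in read_nttrans_ea_list() leave the loop with `break`, so a list whose next_offset wraps falls through to `return ea_list_head;` and the caller gets a partially parsed list with no sign that the input was malformed. The source4/libcli/raw/raweas.c hunk in the same patch rejects the identical condition with NT_STATUS_INVALID_PARAMETER; consider failing here as well (returning NULL after freeing what was built), or document at the function why a truncated list is acceptable. The tests `offset + next_offset < offset` and `offset + 4 < offset` are only valid wrap detectors if both operands are unsigned and of the same width; the declarations are outside the hunk, so a short comment naming the types would help the next reader. Minor style point: the second check adds a blank `+` line directly before the loop's closing brace.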
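
Review bot: in the source4/libcli/raw/raweas.c hunk, `if (ofs+4 > blob->length || ofs+4 < ofs)` still performs the addition that can wrap and only detects it afterwards, which makes the bound hard to audit. Comparing against the remaining length avoids the wrap altogether: `next_ofs > blob->length - ofs` before the increment and `blob->length - ofs < 4` after it, assuming ofs never exceeds blob->length at that point (the earlier part of the loop is not visible in the hunk). That form also rejects a next_ofs pointing past the end of the blob at the moment it is read instead of one step later. The diffstat lists only VERSION, WHATSNEW.txt and the two C files, so no regression test covering a wrapping next_ofs is included; one for ea_pull_list_chained() would keep this from reappearing.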