The branch, v3-6-test has been updated
       via  cb48b06 WHATSNEW: Start release notes for Samba 3.6.18.
       via  dda0d8d VERSION: Bump version number up to 3.6.18.
       via  d69a4f7 WHATSNEW: Add release notes for Samba 3.6.17.
       via  6173b83 Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.
      from  dbb52ee build:autoconf: fix output of syslog-facility check

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test


- Log -----------------------------------------------------------------
commit cb48b067251c3a523b1bdc10bf4b3ff4fc8b104f
Author: Karolin Seeger <ksee...@samba.org>
Date:   Mon Aug 5 12:46:58 2013 +0200

    WHATSNEW: Start release notes for Samba 3.6.18.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit dda0d8da02a41be149af5b66e6b77dae2fd6f227
Author: Karolin Seeger <ksee...@samba.org>
Date:   Mon Aug 5 12:44:46 2013 +0200

    VERSION: Bump version number up to 3.6.18.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit d69a4f78b7faf020d3736e4d73848ef8b00ea832
Author: Karolin Seeger <ksee...@samba.org>
Date:   Mon Jul 29 20:55:18 2013 +0200

    WHATSNEW: Add release notes for Samba 3.6.17.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>
    (cherry picked from commit e03ad1401fd1cca54f9f5c4c1e98ec9ad87b5565)

commit 6173b83e7df39f222771bd71de7a92086387c293
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Jul 10 17:10:17 2013 -0700

    Fix bug #10010 - Missing integer wrap protection in EA list reading can cause server to loop with DOS.

    Ensure we never wrap whilst adding client provided input.
    CVE-2013-4124

    Signed-off-by: Jeremy Allison <j...@samba.org>
    (cherry picked from commit efdbcabbe97a594572d71d714d258a5854c5d8ce)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt           |   65 +++++++++++++++++++++++++++++++++++++++++++++---
 source3/VERSION        |    2 +-
 source3/smbd/nttrans.c |   12 +++++++++
 3 files changed, 74 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt index a921e4a..125d793 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,16 +1,17 @@ ============================== - Release Notes for Samba 3.6.17 + Release Notes for Samba 3.6.18 August 14, 2013 ============================== This is is the latest stable release of Samba 3.6. -Major enhancements in Samba 3.6.17 include: +Major enhancements in Samba 3.6.18 include: -o +o -Changes since 3.6.16: + +Changes since 3.6.17: --------------------- o Jeremy Allison <j...@samba.org> 
@@ -39,6 +40,62 @@ Release notes for older releases follow: ---------------------------------------- ============================== + Release Notes for Samba 3.6.17 + August 05, 2013 + ============================== + + +This is a security release in order to address +CVE-2013-4124 (Missing integer wrap protection in EA list reading can cause +server to loop with DOS). + +o CVE-2013-4124: + All current released versions of Samba are vulnerable to a denial of + service on an authenticated or guest connection. A malformed packet + can cause the smbd server to loop the CPU performing memory + allocations and preventing any further service. + + A connection to a file share, or a local account is needed to exploit + this problem, either authenticated or unauthenticated if guest + connections are allowed. + + This flaw is not exploitable beyond causing the code to loop + allocating memory, which may cause the machine to exceed memory + limits. + + +Changes since 3.6.16: +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 10010: CVE-2013-4124: Missing integer wrap protection in EA list + reading can cause server to loop with DOS. + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 3.6 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +---------------------------------------------------------------------- + + + ============================== Release Notes for Samba 3.6.16 June 19, 2013 ============================== diff --git a/source3/VERSION b/source3/VERSION index 6effe73..fb852a7 100644 --- a/source3/VERSION +++ b/source3/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=6 -SAMBA_VERSION_RELEASE=17 +SAMBA_VERSION_RELEASE=18 ######################################################## # Bug fix releases use a letter for the patch revision # diff --git a/source3/smbd/nttrans.c b/source3/smbd/nttrans.c index ea9d417..5fc3a09 100644 --- a/source3/smbd/nttrans.c +++ b/source3/smbd/nttrans.c @@ -989,7 +989,19 @@ struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t if (next_offset == 0) { break; } + + /* Integer wrap protection for the increment. */ + if (offset + next_offset < offset) { + break; + } + offset += next_offset; + + /* Integer wrap protection for while loop. */ + if (offset + 4 < offset) { + break; + } + } return ea_list_head; -- Samba Shared Repository
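
Review bot: in the first WHATSNEW.txt hunk (@@ -1,16 +1,17 @@) the unchanged context lines carry two leftovers into the 3.6.18 notes: the date line still reads "August 14, 2013" under the new 3.6.18 header, and "This is is the latest stable release" has a doubled word. The 3.6.17 section added further down in the same file is dated "August 05, 2013", so the date under the new header looks like a carried-over placeholder. Update it together with the header, or mark it as tentative, and drop the extra "is" while the block is being touched.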
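
Review bot: the CVE-2013-4124 text in the second WHATSNEW.txt hunk (@@ -39,6 +40,62 @@) says "All current released versions of Samba are vulnerable" but gives an administrator nothing to act on short of upgrading, since it names neither the fixed versions nor an interim mitigation. The same paragraph already states that unauthenticated exposure exists only "if guest connections are allowed", so a sentence noting that disabling guest access narrows the exposure to authenticated users would follow directly from what is written. Listing the releases that contain the fix next to "All current released versions" would also let readers check their own version.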
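
Review bot: both new guards in the source3/smbd/nttrans.c hunk, "if (offset + next_offset < offset)" and "if (offset + 4 < offset)", leave the loop with "break", so a request whose offsets would wrap falls through to "return ea_list_head;" and the caller receives the partially built list as if parsing had succeeded. Consider treating a wrap as malformed client input and returning an error, with a debug message, instead of a truncated list. The comparisons also detect a wrap only when offset and next_offset are unsigned, and their declarations are outside this hunk. Either confirm that, or compare next_offset against the remaining buffer length so the check does not depend on wraparound behaviour at all. The added blank "+" line just before the closing brace of the loop can be dropped.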