The branch, v3-0-stable has been updated via 5cc2baea238b49b99d69099a12c3c02ac4860a52 (commit) via 82bd5484ad502f2afdb771a27a12a39459cb2ec0 (commit) via e1abd8c2265dd63d5de388e7d8047c80204bb36e (commit) via 1f7b4c72d953d2fc9d18eb96a4c7739ae36b5a3d (commit) via 62197dd367e7c04759560f395f554b2bfda90d78 (commit) via 64547bd884668d801c3ac48ff3374bf02a2d0959 (commit) via b14aa30006033d9dbaa8120bc419406535d620b8 (commit) via 6a9610ba27f802136f1ca8a94816d552df17a166 (commit) from 2b4189175a4e54c922136dbfb35c276730a4039a (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-stable - Log ----------------------------------------------------------------- ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 39 +++++++++++++++++++++++++++++++++++---- source/VERSION | 10 +++++----- source/auth/auth_util.c | 2 ++ source/lib/version.c | 6 +++--- source/libsmb/clidgram.c | 6 ++++++ source/nmbd/nmbd_packets.c | 6 ++++++ 6 files changed, 57 insertions(+), 12 deletions(-) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 9b5494c..bd4fe02 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -1,3 +1,38 @@ + ============================== + Release Notes for Samba 3.0.28 + Dec 10, 2007 + ============================== + +Samba 3.0.28 is a security release in order to address the following +defect: + + o CVS-2007-6015 + Boundary failure in GETDC mailslot processing can result in + a buffer overrun + +The original security announcement for this and past advisories can +be found http://www.samba.org/samba/security/ + +###################################################################### +Changes +####### + +Changes since 3.0.27a +--------------------- + +o Jeremy Allison <[EMAIL PROTECTED]> + * Fix for CVS-2007-0615. + +o Volker Lendecke <[EMAIL PROTECTED]> + * Fix for CVS-2007-0615. + * Add missing unbecome_root() calls in error path processing + when failing to add local groups in create_local_nt_token(). + + +Release notes for older releases follow: + + -------------------------------------------------- + =============================== Release Notes for Samba 3.0.27a Nov 20, 2007 @@ -86,8 +121,6 @@ o Martin Zielinski <[EMAIL PROTECTED]> -Release notes for older releases follow: - -------------------------------------------------- ============================== 
@@ -124,8 +157,6 @@ o Simo Sorce <[EMAIL PROTECTED]> * Additional fixes for CVS-2007-4572. -Release notes for older releases follow: - -------------------------------------------------- =============================== Release Notes for Samba 3.0.26a diff --git a/source/VERSION b/source/VERSION index 4a0e3bd..d80ff13 100644 --- a/source/VERSION +++ b/source/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=27 +SAMBA_VERSION_RELEASE=28 ######################################################## # Bug fix releases use a letter for the patch revision # @@ -36,7 +36,7 @@ SAMBA_VERSION_RELEASE=27 # e.g. SAMBA_VERSION_REVISION=a # # -> "2.2.8a" # ######################################################## -SAMBA_VERSION_REVISION=a +SAMBA_VERSION_REVISION= ######################################################## # For 'pre' releases the version will be # @@ -68,7 +68,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # ######################################################## -SAMBA_VERSION_IS_GIT_SNAPSHOT=yes +SAMBA_VERSION_IS_GIT_SNAPSHOT= ######################################################## # This can be set by vendors if they want... # @@ -95,5 +95,5 @@ SAMBA_VERSION_IS_GIT_SNAPSHOT=yes # e.g. SAMBA_VERSION_VENDOR_SUFFIX=vendor_version() # # -> "CVS 3.0.0rc2-VendorVersion" # ######################################################## -SAMBA_VERSION_VENDOR_SUFFIX="stable" -SAMBA_VENDOR_PATCH= +SAMBA_VERSION_VENDOR_SUFFIX= +SAMBA_VERSION_VENDOR_PATCH= diff --git a/source/auth/auth_util.c b/source/auth/auth_util.c index 6fbec48..32224fa 100644 --- a/source/auth/auth_util.c +++ b/source/auth/auth_util.c @@ -956,6 +956,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, status = add_aliases(get_global_sam_sid(), result); if (!NT_STATUS_IS_OK(status)) { + unbecome_root(); TALLOC_FREE(result); return NULL; } 
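Review bot: The added `unbecome_root();` repeats the same three-statement cleanup in both `add_aliases()` failure branches of create_local_nt_token() (this hunk and the next one at -965), so any early return added later between the privilege raise and its release would again leave the process running as root. Consider routing both branches through one exit label, `goto fail;` with `fail: unbecome_root(); TALLOC_FREE(result); return NULL;`, or at least add a comment such as `/* still root here: every return below must call unbecome_root() first */`. The matching become_root() call and the rest of the function lie outside the hunk, so other return paths in that region could not be checked from here.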
@@ -965,6 +966,7 @@ static struct nt_user_token *create_local_nt_token(TALLOC_CTX *mem_ctx, status = add_aliases(&global_sid_Builtin, result); if (!NT_STATUS_IS_OK(status)) { + unbecome_root(); TALLOC_FREE(result); return NULL; } diff --git a/source/lib/version.c b/source/lib/version.c index ee8c3eb..93fd108 100644 --- a/source/lib/version.c +++ b/source/lib/version.c @@ -28,7 +28,7 @@ const char *samba_version_string(void) #else static fstring samba_version; static BOOL init_samba_version; -#ifdef SAMBA_VENDOR_PATCH +#ifdef SAMBA_VERSION_VENDOR_PATCH fstring tmp_version; size_t remaining; #endif @@ -40,9 +40,9 @@ const char *samba_version_string(void) SAMBA_VERSION_OFFICIAL_STRING, SAMBA_VERSION_VENDOR_SUFFIX); -#ifdef SAMBA_VENDOR_PATCH +#ifdef SAMBA_VERSION_VENDOR_PATCH remaining = sizeof(samba_version)-strlen(samba_version); - snprintf( tmp_version, sizeof(tmp_version), "-%d", SAMBA_VENDOR_PATCH ); + snprintf( tmp_version, sizeof(tmp_version), "-%d", SAMBA_VERSION_VENDOR_PATCH); strlcat( samba_version, tmp_version, remaining-1 ); #endif diff --git a/source/libsmb/clidgram.c b/source/libsmb/clidgram.c index 83ea81d..548ace6 100644 --- a/source/libsmb/clidgram.c +++ b/source/libsmb/clidgram.c @@ -72,6 +72,12 @@ BOOL cli_send_mailslot(BOOL unique, const char *mailslot, /* Setup the smb part. */ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ memcpy(tmp,ptr,4); + + if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { + DEBUG(0, ("cli_send_mailslot: Cannot write beyond end of packet\n")); + return False; + } + set_message(ptr,17,strlen(mailslot) + 1 + len,True); memcpy(ptr,tmp,4); diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c index bbcc1ec..1460f7d 100644 --- a/source/nmbd/nmbd_packets.c +++ b/source/nmbd/nmbd_packets.c 
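Review bot: In the `#ifdef SAMBA_VERSION_VENDOR_PATCH` block of samba_version_string(), the unchanged `strlcat( samba_version, tmp_version, remaining-1 );` passes the space left rather than the size of the destination. Under the usual strlcat contract the third argument is the total size of `samba_version`, so the vendor suffix is truncated or dropped earlier than necessary as the version string grows. This cannot overrun the buffer, but since the neighbouring line is being edited anyway it is worth correcting to `strlcat(samba_version, tmp_version, sizeof(samba_version));`, which also makes `remaining` unnecessary. The function begins and ends outside the hunk.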
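Review bot: The new guard `smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE` adds the caller-supplied lengths before comparing, so if `len` is an unsigned size (as it is in the nmbd variant) a very large value could wrap the sum and pass the check. The same expression is added to send_mailslot() in source/nmbd/nmbd_packets.c. Comparing by subtraction avoids this: `size_t fixed = smb_size + 17*2 + strlen(mailslot) + 1;` followed by `if (fixed > MAX_DGRAM_SIZE || len > MAX_DGRAM_SIZE - fixed) {`. The word count 17 now appears in both the guard and the `set_message(ptr,17,...)` call, so a named constant would keep the two from drifting apart. cli_send_mailslot() starts and ends outside the hunk, so the declared type of `len` and the later copy into the packet were not visible.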
@@ -1892,6 +1892,12 @@ BOOL send_mailslot(BOOL unique, const char *mailslot,char *buf, size_t len, /* Setup the smb part. */ ptr -= 4; /* XXX Ugliness because of handling of tcp SMB length. */ memcpy(tmp,ptr,4); + + if (smb_size + 17*2 + strlen(mailslot) + 1 + len > MAX_DGRAM_SIZE) { + DEBUG(0, ("send_mailslot: Cannot write beyond end of packet\n")); + return False; + } + set_message(ptr,17,strlen(mailslot) + 1 + len,True); memcpy(ptr,tmp,4); -- Samba Shared Repository
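Review bot: The level-0 message `send_mailslot: Cannot write beyond end of packet` records none of the lengths that failed the check, so an operator who sees it cannot tell a misbehaving internal caller from an oversized request. Consider logging the sizes, e.g. `DEBUG(0, ("send_mailslot: mailslot len %u + data len %u exceeds MAX_DGRAM_SIZE\n", (unsigned int)strlen(mailslot), (unsigned int)len));`. If this path can be driven by remote input, as the release notes in this changeset suggest, a level-0 line for every rejected packet may also be worth lowering or rate-limiting. The function continues outside the hunk, so how callers treat the new `return False` could not be checked.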