From owner-freebsd-vuxml@FreeBSD.ORG Tue Nov 25 21:16:01 2008
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
Cc: freebsd-vuxml@freebsd.org
Date: Wed, 26 Nov 2008 00:01:53 +0300 (MSK)
Message-Id: <20081125210153.2B4B2F181D@phoenix.codelabs.ru>
Subject: [vuxml] editors/openoffice.org-2: document CVE-2008-2237 and CVE-2008-2238
X-GNATS-Notify: maho@freebsd.org, openoffice@freebsd.org

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] editors/openoffice.org-2: document CVE-2008-2237 and CVE-2008-2238
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
WMF/EMF processing flaws were found in openoffice.org 2.x:
http://www.securityfocus.com/bid/31962
>How-To-Repeat:
Look at
http://www.securityfocus.com/bid/31962
http://www.openoffice.org/security/cves/CVE-2008-2237.html
http://www.openoffice.org/security/cves/CVE-2008-2238.html
>Fix:
Since 2.4.2 is in the tree, there is no point in upgrading any ports. I believe that openoffice-2-RC and openoffice-2-devel are vulnerable too, because the vendor says about affected releases "All versions prior to OpenOffice.org 2.4.2".

The following VuXML entry should be evaluated and added:

--- vuln.xml begins here ---
openoffice -- arbitrary code execution by processing crafted EMF/WMF files
openoffice.org 2.42.4.2 2.4.20040402

Vendor notifies:

A security vulnerability with the way OpenOffice 2.x processes WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now.

A security vulnerability with the way OpenOffice 2.x processes EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now.

http://www.openoffice.org/security/cves/CVE-2008-2237.html
http://www.openoffice.org/security/cves/CVE-2008-2238.html
CVE-2008-2237
CVE-2008-2238
31962
2008-10-29
today
--- vuln.xml ends here ---

I hope that the version specification catches all openoffice 2.x with x < 4.2 as well as the -RC and -devel versions.

From owner-freebsd-vuxml@FreeBSD.ORG Tue Nov 25 21:21:36 2008
To: FreeBSD-gnats-submit@freebsd.org
From: Eygene Ryabinkin
Cc: freebsd-vuxml@freebsd.org
Date: Wed, 26 Nov 2008 00:21:34 +0300 (MSK)
Message-Id: <20081125212134.7A533F181D@phoenix.codelabs.ru>
Subject: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
X-GNATS-Notify: dinoex@freebsd.org

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] [patch] print/cups-base: fix buffer overflow in the PNG reader
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
The release notes for CUPS 1.3.10 say that there was a potential buffer overflow in the PNG reader code:
http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
The corresponding entry in the CUPS bug tracker is at
http://www.cups.org/str.php?L2974
>How-To-Repeat:
Look at the above URLs.
>Fix:
The following patch updates the port itself. I used a PORTREVISION of 2, but the patch was made against the clean 1.3.9 tree. If it is applied simultaneously with the patch in ports/129001, then the PORTVERSION can be set to 1. In this case the VuXML entry below should be changed to reflect this.

--- 1.3.9-fix-potential-PNG-buffer-overflow.diff begins here ---
>From 95c304d2b3ce819ea68f493f6dcc2fed76ac2029 Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Wed, 26 Nov 2008 00:11:53 +0300
See: http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
See: http://www.openwall.com/lists/oss-security/2008/11/25/2
Signed-off-by: Eygene Ryabinkin --- print/cups-base/Makefile | 1 + print/cups-base/files/patch-str2974 | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 0 deletions(-) create mode 100644 print/cups-base/files/patch-str2974 diff --git a/print/cups-base/Makefile b/print/cups-base/Makefile index 87e5ee3..aad7c52 100644 --- a/print/cups-base/Makefile +++ b/print/cups-base/Makefile @@ -7,6 +7,7 @@ PORTNAME= cups PORTVERSION= 1.3.9 +PORTREVISION= 2 DISTVERSIONSUFFIX= -source CATEGORIES= print MASTER_SITES= EASYSW/${PORTNAME}/${DISTVERSION} diff --git a/print/cups-base/files/patch-str2974 b/print/cups-base/files/patch-str2974 new file mode 100644 index 0000000..f407d55 --- /dev/null +++ b/print/cups-base/files/patch-str2974 @@ -0,0 +1,27 @@ +Fix for the buffer overflow in the PNG reading code + +See: http://www.cups.org/str.php?L2974 +Obtained from: http://www.cups.org/strfiles/2974/str2974.patch + +Index: filter/image-png.c +=================================================================== +--- filter/image-png.c (revision 8062) ++++ filter/image-png.c (working copy) +@@ -178,7 +178,7 @@ + { + bufsize = img->xsize * img->ysize; + +- if ((bufsize / img->ysize) != img->xsize) ++ if ((bufsize / img->xsize) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); +@@ -190,7 +190,7 @@ + { + bufsize = img->xsize * img->ysize * 3; + +- if ((bufsize / (img->ysize * 3)) != img->xsize) ++ if ((bufsize / (img->xsize * 3)) != img->ysize) + { + fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n", + (unsigned)width, (unsigned)height); -- 1.6.0.4 --- 1.3.9-fix-potential-PNG-buffer-overflow.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml begins here --- cups -- potential buffer overflow in PNG reading code cups-base 1.3.9_2
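Review bot: in the image-png.c hunk at @@ -178 (the 1-byte branch, bufsize = xsize * ysize), swapping the divisor from ysize to xsize does not change what the test catches: under 32-bit unsigned wraparound a wrapped product divided by either unwrapped factor can never reproduce the other factor, so both forms detect the overflow, and both still divide by zero when the chosen dimension is 0 (ysize before, xsize after). Keep the change for symmetry with the RGB branch, but confirm that a zero width or height is rejected before this point, or add an explicit `if (img->xsize == 0 || img->ysize == 0)` rejection ahead of the division.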
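Review bot: in the image-png.c hunk at @@ -190 (the RGB branch) the new divisor `img->xsize * 3` is itself a 32-bit product that can wrap, exactly as `img->ysize * 3` could before, so the patched test is the mirror image of the old one: it now rejects a wrapping height but accepts a wrapping width (xsize = 0x55555556 gives xsize * 3 == 2, bufsize == 2 * ysize, and bufsize / 2 == ysize passes for every valid PNG height). Unless the width is bounded elsewhere, check the factors before multiplying instead of dividing a possibly wrapped product by a possibly wrapped divisor, e.g. reject zero dimensions and then `if (img->ysize > SIZE_MAX / 3 / img->xsize)`.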

ChangeLog for CUPS 1.3.10 says:

SECURITY: The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow (STR #2974)

http://svn.easysw.com/public/cups/trunk/CHANGES-1.3.txt
http://www.openwall.com/lists/oss-security/2008/11/25/2
2008-11-25
today
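Added example, not part of the mail above and not CUPS code: the three functions below model the RGB branch of the PNG size check that the patch touches, in 32-bit unsigned arithmetic, so that the 1.3.9 test and the STR #2974 test can be compared on the same inputs and contrasted with a check that bounds the factors before multiplying. Assumptions: the image dimensions behave as 32-bit unsigned values (as the `(unsigned)width` casts in the hunk suggest), and the divide-by-zero guards are added for the demo only; CUPS has no such guards at that point.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the RGB branch of the PNG reader's size check:
 *   bufsize = xsize * ysize * 3
 * computed in uint32_t so that wraparound is identical on 32- and
 * 64-bit hosts (assumption: the dimensions are 32-bit unsigned, as the
 * "(unsigned)width" casts in the hunk suggest). Each function returns
 * the buffer size it would allocate, or 0 if it rejects the image.
 */

/* The CUPS 1.3.9 test: divide the product by ysize * 3. */
uint32_t rgb_bufsize_orig(uint32_t xsize, uint32_t ysize)
{
    uint32_t bufsize = xsize * ysize * 3;
    uint32_t divisor = ysize * 3;      /* wraps too: 0x55555556 * 3 == 2 */

    if (divisor == 0)                  /* demo-only guard; the real code */
        return 0;                      /* would divide by zero here      */
    if ((bufsize / divisor) != xsize)
        return 0;
    return bufsize;
}

/* The STR #2974 test: divide the product by xsize * 3 instead. */
uint32_t rgb_bufsize_patched(uint32_t xsize, uint32_t ysize)
{
    uint32_t bufsize = xsize * ysize * 3;
    uint32_t divisor = xsize * 3;      /* same weakness, other dimension */

    if (divisor == 0)                  /* demo-only guard, as above */
        return 0;
    if ((bufsize / divisor) != ysize)
        return 0;
    return bufsize;
}

/* Bound the factors before multiplying, so nothing can wrap at all. */
uint32_t rgb_bufsize_safe(uint32_t xsize, uint32_t ysize)
{
    if (xsize == 0 || ysize == 0)
        return 0;
    if (xsize > UINT32_MAX / 3)
        return 0;
    if (ysize > UINT32_MAX / (xsize * 3))
        return 0;
    return xsize * ysize * 3;
}

int main(void)
{
    /* Constructed inputs: a sane image, then one whose height * 3 and
     * one whose width * 3 wrap to 2 in 32-bit arithmetic. */
    struct { uint32_t x, y; } dims[] = {
        { 640, 480 }, { 1, 0x55555556u }, { 0x55555556u, 1 }
    };

    for (size_t i = 0; i < sizeof dims / sizeof dims[0]; i++)
        printf("%10u x %-10u  orig=%-8u patched=%-8u safe=%u\n",
               (unsigned)dims[i].x, (unsigned)dims[i].y,
               (unsigned)rgb_bufsize_orig(dims[i].x, dims[i].y),
               (unsigned)rgb_bufsize_patched(dims[i].x, dims[i].y),
               (unsigned)rgb_bufsize_safe(dims[i].x, dims[i].y));
    return 0;
}
```

For 1 x 0x55555556 the 1.3.9 test accepts a 2-byte buffer for an image of over 4 GB of pixel data, while the patched test rejects it; for 0x55555556 x 1 the roles are reversed. Only the pre-multiplication check rejects both. The 1-byte branch (bufsize = xsize * ysize) has a single-factor divisor that cannot wrap, so there the two forms are equivalent.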
--- vuln.xml ends here ---

From owner-freebsd-vuxml@FreeBSD.ORG Thu Nov 27 20:00:02 2008
To: FreeBSD-gnats-submit@freebsd.org
From: Eygene Ryabinkin
Cc: freebsd-vuxml@freebsd.org
Date: Thu, 27 Nov 2008 22:59:59 +0300 (MSK)
Message-Id: <20081127195959.7BA2AF181F@phoenix.codelabs.ru>
Subject: [vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
X-GNATS-Notify: timur@freebsd.org

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
The Samba team discovered a memory disclosure vulnerability:
http://www.samba.org/samba/security/CVE-2008-4314.html
>How-To-Repeat:
Read the document at the above link.
>Fix:
The following patch updates both net/samba3 and net/samba32-devel; the patches are taken directly from the vendor. I have only tested that they compile, but assuming that the vendor knows what he is doing and taking into account the simplicity of the patches, I am mostly confident that the updated versions will work fine.

--- vendor-fixes-for-CVE-2008-4314.diff begins here ---
>From a1baef8a3ae57552559bd2cc7bb575011c06f23b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Thu, 27 Nov 2008 22:50:14 +0300
http://www.samba.org/samba/security/CVE-2008-4314.html
http://www.samba.org/samba/ftp/patches/security/samba-3.0.32-CVE-2008-4314.patch
http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch
Signed-off-by: Eygene Ryabinkin --- net/samba3/Makefile | 2 +- net/samba3/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++ net/samba32-devel/Makefile | 1 + net/samba32-devel/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++ 4 files changed, 150 insertions(+), 1 deletions(-) create mode 100644 net/samba3/files/patch-CVE-2008-4314 create mode 100644 net/samba32-devel/files/patch-CVE-2008-4314 diff --git a/net/samba3/Makefile b/net/samba3/Makefile index 117c9fc..f37fe5d 100644 --- a/net/samba3/Makefile +++ b/net/samba3/Makefile @@ -7,7 +7,7 @@ PORTNAME= samba PORTVERSION?= 3.0.32 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH?= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} diff --git a/net/samba3/files/patch-CVE-2008-4314 b/net/samba3/files/patch-CVE-2008-4314 new file mode 100644 index 0000000..b19dc4c --- /dev/null +++ b/net/samba3/files/patch-CVE-2008-4314 
@@ -0,0 +1,74 @@ +Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch + +From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Sat, 8 Nov 2008 17:14:06 +0100 +Subject: [PATCH] Fix the offset checks in the trans routines + +This fixes a potential crash bug, a client can make us read memory we +should not read. Luckily I got the disp checks right... + +Volker +--- + source/smbd/ipc.c | 6 +++--- + source/smbd/nttrans.c | 6 +++--- + source/smbd/trans2.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c +index 6961a5c..a53bc5b 100644 +--- smbd/ipc.c ++++ smbd/ipc.c +@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c +index 13caf77..ef81404 100644 +--- smbd/nttrans.c ++++ smbd/nttrans.c +@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c +index acc424f..c7edec1 100644 +--- smbd/trans2.c ++++ smbd/trans2.c +@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +-- +1.5.5 + diff --git a/net/samba32-devel/Makefile b/net/samba32-devel/Makefile index bd3482e..c57a317 100644 --- a/net/samba32-devel/Makefile 
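Review bot: the three identical hunks (ipc.c @@ -764, nttrans.c @@ -2853, trans2.c @@ -7785) now test the right variable: `av_size` is the number of bytes available in the received SMB and `doff` is where this secondary request's data bytes sit inside that SMB, whereas `ddisp` is where those bytes land in the reassembly buffer, so the old predicate bounded the write displacement against the packet length and never constrained the read at `doff`; a client could send a small `ddisp` with `doff + dcnt` far past `av_size` and have smbd copy memory beyond the packet into the transaction buffer, which is the read "we should not read" of the commit message. With `doff + dcnt > av_size` and the wrap test `doff + dcnt < doff` in place, the separate `dcnt > av_size` clause is implied and could go, but it is harmless. The hunks do not show the displacement checks against the total size announced by the primary request; the commit message says those were already right, so confirm they are still present in the `goto bad_param` block that ends just above each hunk.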
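Review bot: the `Obtained from:` line at the top of net/samba3/files/patch-CVE-2008-4314 cites the samba-3.2.4 vendor patch, but net/samba3 is at 3.0.32 and the commit message lists a separate samba-3.0.32-CVE-2008-4314.patch from the vendor; both port copies are the same blob (index b19dc4c) and the hunk line numbers (@@ -764, @@ -2853, @@ -7785) come from the 3.2.4 tree. Either take the 3.0.32 patch for net/samba3, or, if the 3.2.4 hunks were verified to apply to 3.0.32 (the mail says only that the result compiles), state that and correct the `Obtained from:` URL.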
+++ b/net/samba32-devel/Makefile @@ -7,6 +7,7 @@ PORTNAME= samba PORTVERSION?= 3.2.4 +PORTREVISION?= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} MASTER_SITE_SUBDIR= . old-versions rc pre diff --git a/net/samba32-devel/files/patch-CVE-2008-4314 b/net/samba32-devel/files/patch-CVE-2008-4314 new file mode 100644 index 0000000..b19dc4c --- /dev/null +++ b/net/samba32-devel/files/patch-CVE-2008-4314 
@@ -0,0 +1,74 @@ +Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch + +From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Sat, 8 Nov 2008 17:14:06 +0100 +Subject: [PATCH] Fix the offset checks in the trans routines + +This fixes a potential crash bug, a client can make us read memory we +should not read. Luckily I got the disp checks right... + +Volker +--- + source/smbd/ipc.c | 6 +++--- + source/smbd/nttrans.c | 6 +++--- + source/smbd/trans2.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c +index 6961a5c..a53bc5b 100644 +--- smbd/ipc.c ++++ smbd/ipc.c +@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c +index 13caf77..ef81404 100644 +--- smbd/nttrans.c ++++ smbd/nttrans.c +@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c +index acc424f..c7edec1 100644 +--- smbd/trans2.c ++++ smbd/trans2.c +@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +-- +1.5.5 + -- 1.6.0.4 --- vendor-fixes-for-CVE-2008-4314.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml 
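Review bot: the file headers inside both patch-CVE-2008-4314 files were rewritten from the vendor's `a/source/smbd/ipc.c` form to `--- smbd/ipc.c` / `+++ smbd/ipc.c` (the `diff --git a/source/smbd/ipc.c` line kept above each hunk is the only trace of the original prefix), so they apply only if the port's WRKSRC is the `source/` subdirectory and patch runs there with the framework's default -p0. That is fine for this port, but a one-line note in the file header would help whoever next re-syncs the patch with upstream, because the surviving `diff --git` lines point at a different path.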
begins here ---
samba -- potential leakage of arbitrary memory contents
samba32-devel 3.2.4_1
samba3 3.0.29,1 3.0.32_2,1

Vendor reports:

Samba 3.0.29 to 3.2.4 can potentially leak arbitrary memory contents to malicious clients

CVE-2008-4314
http://www.samba.org/samba/security/CVE-2008-4314.html
http://www.ubuntu.com/usn/USN-680-1
TODAY
2008-11-27
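Added example, not part of the mail above and not Samba code: a model of the secondary-transaction check that the hunks change, with the old `ddisp`-based predicate and the new `doff`-based one side by side and a constructed 64-byte packet, so the over-read the old predicate permits can be measured without performing it. Variable names follow the hunk; `total_data` (the size announced by the primary request), `check_disp`, `overread_bytes` and `copy_secondary` are assumptions and helpers for the demo, as the hunk does not show that code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the secondary-transaction check patched in reply_transs,
 * reply_transs2 and reply_nttranss. Names follow the hunk:
 *   av_size  bytes of the received SMB that data may be read from
 *   doff     offset of this request's data bytes inside that SMB
 *   dcnt     number of data bytes carried by this request
 *   ddisp    displacement of those bytes in the reassembly buffer
 * total_data (the size announced by the primary request) and
 * check_disp are assumptions: the hunk does not show that code.
 */
#define PARAM_OK   0
#define BAD_PARAM (-1)

/* Pre-fix predicate: compares ddisp, an index into the reassembly
 * buffer, with av_size, the length of the packet; doff is never checked. */
int check_data_old(uint32_t av_size, uint32_t doff, uint32_t dcnt, uint32_t ddisp)
{
    (void)doff;
    if (ddisp > av_size || dcnt > av_size ||
        ddisp + dcnt > av_size || ddisp + dcnt < ddisp)
        return BAD_PARAM;
    return PARAM_OK;
}

/* CVE-2008-4314 predicate: the read window [doff, doff + dcnt) must lie
 * inside the received packet and doff + dcnt must not wrap. */
int check_data_new(uint32_t av_size, uint32_t doff, uint32_t dcnt, uint32_t ddisp)
{
    (void)ddisp;
    if (doff > av_size || dcnt > av_size ||
        doff + dcnt > av_size || doff + dcnt < doff)
        return BAD_PARAM;
    return PARAM_OK;
}

/* Write side: [ddisp, ddisp + dcnt) must fit the reassembly buffer. */
int check_disp(uint32_t total_data, uint32_t dcnt, uint32_t ddisp)
{
    if (ddisp > total_data || dcnt > total_data ||
        ddisp + dcnt > total_data || ddisp + dcnt < ddisp)
        return BAD_PARAM;
    return PARAM_OK;
}

typedef int (*data_check_fn)(uint32_t, uint32_t, uint32_t, uint32_t);

/* How many bytes memcpy(data + ddisp, smb + doff, dcnt) would read past
 * the end of the packet if `check` accepts the request; 0 if rejected
 * or in bounds. Computed in 64 bits so a wrapped doff + dcnt counts. */
uint64_t overread_bytes(data_check_fn check, uint32_t av_size,
                        uint32_t doff, uint32_t dcnt, uint32_t ddisp)
{
    uint64_t end = (uint64_t)doff + dcnt;

    if (check(av_size, doff, dcnt, ddisp) != PARAM_OK)
        return 0;
    return end > av_size ? end - av_size : 0;
}

/* Reassembly step guarded by both predicates; bytes copied or -1. */
int copy_secondary(const uint8_t *smb, uint32_t av_size,
                   uint32_t doff, uint32_t dcnt, uint32_t ddisp,
                   uint8_t *data, uint32_t total_data)
{
    if (check_disp(total_data, dcnt, ddisp) != PARAM_OK ||
        check_data_new(av_size, doff, dcnt, ddisp) != PARAM_OK)
        return -1;
    memcpy(data + ddisp, smb + doff, dcnt);
    return (int)dcnt;
}

/* Honest request against constructed buffers: a 64-byte packet whose
 * byte i has value i, and a 32-byte reassembly buffer. Returns the
 * first reassembled byte (smb[4] == 4) or -1 if the copy was refused. */
int demo_honest_copy(void)
{
    uint8_t smb[64], data[32] = { 0 };

    for (size_t i = 0; i < sizeof smb; i++)
        smb[i] = (uint8_t)i;
    if (copy_secondary(smb, 64, 4, 32, 0, data, 32) != 32)
        return -1;
    return data[0];
}

int main(void)
{
    /* Malicious secondary: ddisp = 0 satisfies the old predicate while
     * doff = 60, dcnt = 32 reaches 28 bytes beyond the 64-byte packet. */
    printf("old check lets the copy over-read %llu bytes, new check %llu\n",
           (unsigned long long)overread_bytes(check_data_old, 64, 60, 32, 0),
           (unsigned long long)overread_bytes(check_data_new, 64, 60, 32, 0));
    printf("honest request: first reassembled byte = %d\n", demo_honest_copy());
    return 0;
}
```

The malicious request keeps `ddisp` and `dcnt` small, so every clause of the old predicate holds, yet the copy source `smb + doff` runs 28 bytes past the packet; whatever follows the packet in memory would be appended to the transaction data and, for a call that echoes that data back, returned to the client. The new predicate rejects it on `doff + dcnt > av_size`, and `check_disp` keeps the write side honest independently.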
--- vuln.xml ends here ---

From owner-freebsd-vuxml@FreeBSD.ORG Thu Nov 27 20:23:48 2008
To: FreeBSD-gnats-submit@freebsd.org
From: Eygene Ryabinkin
Cc: freebsd-vuxml@freebsd.org
Date: Thu, 27 Nov 2008 23:23:46 +0300 (MSK)
Message-Id: <20081127202346.3BCEEF181F@phoenix.codelabs.ru>
Subject: [vuxml] eliminate false-positive for samba due to the entry in old portaudit.xml
X-GNATS-Notify: timur@freebsd.org, eik@freebsd.org

>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] eliminate false-positive for samba due to the entry in old portaudit.xml
>Severity: serious
>Priority: medium
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
The Samba version specification that is found in the old portaudit.xml file inside ports-mgmt/portaudit-db/databases has an improper entry that catches the modern Samba port:
-----
$ pkg_version -T samba-3.2.4 'samba>=3.*<3.0.5,1' && echo Found!
Found!
-----
>How-To-Repeat:
Run the above command or do 'cd /usr/ports/net/samba32-devel; make check-vulnerable'; it should produce something like this:
-----
===> samba-3.2.4 has known vulnerabilities:
=> Multiple Potential Buffer Overruns in Samba.
Reference:
=> Please update your ports tree and try again.
*** Error code 1
-----
>Fix:
The following patch fixes things, at least for me:

--- portaudit.xml-fix-old-VuXML-entries-for-samba.diff begins here ---
>From 601cd8355609580f914c27e15c25bbee25219f6d Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Thu, 27 Nov 2008 23:04:40 +0300

The very old portaudit.xml in ports-mgmt/portaudit-db/database has a 4-year-old entry for samba that renders the current port, net/samba32-devel, marked as vulnerable. This happens due to the bad version specification that spans over port epochs, thus catching samba32-devel, which has no portepoch:
-----
$ pkg_version -T samba-3.2.4 'samba>=3.*<3.0.5,1' && echo Found!
Found!
-----
The applied modification fixes things,
-----
$ pkg_version -T samba-3.2.4 'samba>=3.*<3.0a20' && echo Found!
$ pkg_version -T samba-3.2.4 'samba>=3.0.0.b1,1<3.0.5,1' && echo Found!
-----
and seems to catch the originally intended versions properly:
-----
$ pkg_version -T samba-3.0a19 'samba>=3.*<3.0a20' && echo Found!
Found!
$ pkg_version -T samba-3.0a19 'samba>=3.0.0.b1,1<3.0.5,1' && echo Found!
$ pkg_version -T samba-3.0.1,1 'samba>=3.0.0.b1,1<3.0.5,1' && echo Found!
Found!
$ pkg_version -T samba-3.0.1,1 'samba>=3.*<3.0a20' && echo Found!
-----
The Samba revision history was traced using the CVS logs,
http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/samba3/Makefile
Particularly, the portepoch was bumped at the Makefile's version 1.92:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/net/samba3/Makefile.diff?r1=1.91;r2=1.92

Note well: the added port specification will catch version 3.0.20, for example,
-----
$ pkg_version -T samba-3.0.20 'samba>=3.*<3.0a20' && echo Found!
Found!
-----
but FreeBSD's 3.0.20 is named '3.0.20,1', so we seem to be safe here, since this particular specification will catch only 3.0.x:
-----
$ pkg_version -T samba-3.1.32 'samba>=3.*<3.0a20' && echo Found!
-----

Signed-off-by: Eygene Ryabinkin
---
 ports-mgmt/portaudit-db/database/portaudit.xml | 3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/ports-mgmt/portaudit-db/database/portaudit.xml b/ports-mgmt/portaudit-db/database/portaudit.xml
index 168072a..bcae088 100644
--- a/ports-mgmt/portaudit-db/database/portaudit.xml
+++ b/ports-mgmt/portaudit-db/database/portaudit.xml @@ -287,7 +287,8 @@ EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. samba - 3.*3.0.5,1 + 3.0.0.b1,13.0.5,1 + 3.*3.0a20 2.2.10 -- 1.6.0.4 --- portaudit.xml-fix-old-VuXML-entries-for-samba.diff ends here ---
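Review bot: in the @@ -287,7 +287,8 @@ hunk the VuXML tags have been lost in this rendering (`samba - 3.*3.0.5,1 + 3.0.0.b1,13.0.5,1 + 3.*3.0a20 2.2.10`), so the point to verify in the real file is structure: the single removed range must become two sibling `<range>` elements under the same `<name>samba</name>`, one with the epoch (`3.0.0.b1,1` to `3.0.5,1`) and one without (`3.*` to `3.0a20`), with the `2.2.10` range left as its own element. The commit message's pkg_version runs already show that the split stops matching samba-3.2.4 while still matching 3.0a19 and 3.0.1,1; the remaining caveat it names, that the epoch-less range also matches an unepoched 3.0.20, is acceptable only as long as no port in the tree ships a 3.0.x samba package without the `,1` epoch, which net/samba3 and its slaves get from the `PORTEPOCH?= 1` visible in the earlier patch.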