From owner-freebsd-ports-bugs@FreeBSD.ORG Thu Nov 27 20:10:02 2008
Message-Id: <20081127195959.7BA2AF181F@phoenix.codelabs.ru>
Date: Thu, 27 Nov 2008 22:59:59 +0300 (MSK)
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
X-GNATS-Notify: timur@freebsd.org
Cc: freebsd-vuxml@freebsd.org
Subject: ports/129239: [vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Eygene Ryabinkin
List-Id: Ports bug reports
X-List-Received-Date: Thu, 27 Nov 2008 20:10:02 -0000

>Number:         129239
>Category:       ports
>Synopsis:       [vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Nov 27 20:10:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
The Samba team discovered a memory disclosure vulnerability:

http://www.samba.org/samba/security/CVE-2008-4314.html
>How-To-Repeat:
Read the document at the above link.
>Fix:
The following patch updates both net/samba3 and net/samba32-devel; the patches are taken directly from the vendor. I have just tested the compilability of those, but assuming that the vendor knows what he is doing and taking into account the simplicity of the patches, I am mostly confident that the updated versions will work fine.

--- vendor-fixes-for-CVE-2008-4314.diff begins here ---
>From a1baef8a3ae57552559bd2cc7bb575011c06f23b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin
Date: Thu, 27 Nov 2008 22:50:14 +0300

http://www.samba.org/samba/security/CVE-2008-4314.html
http://www.samba.org/samba/ftp/patches/security/samba-3.0.32-CVE-2008-4314.patch
http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch
Signed-off-by: Eygene Ryabinkin --- net/samba3/Makefile | 2 +- net/samba3/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++ net/samba32-devel/Makefile | 1 + net/samba32-devel/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++ 4 files changed, 150 insertions(+), 1 deletions(-) create mode 100644 net/samba3/files/patch-CVE-2008-4314 create mode 100644 net/samba32-devel/files/patch-CVE-2008-4314 diff --git a/net/samba3/Makefile b/net/samba3/Makefile index 117c9fc..f37fe5d 100644 --- a/net/samba3/Makefile +++ b/net/samba3/Makefile @@ -7,7 +7,7 @@ PORTNAME= samba PORTVERSION?= 3.0.32 -PORTREVISION= 1 +PORTREVISION= 2 PORTEPOCH?= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} diff --git a/net/samba3/files/patch-CVE-2008-4314 b/net/samba3/files/patch-CVE-2008-4314 new file mode 100644 index 0000000..b19dc4c --- /dev/null +++ b/net/samba3/files/patch-CVE-2008-4314 
@@ -0,0 +1,74 @@ +Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch + +From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Sat, 8 Nov 2008 17:14:06 +0100 +Subject: [PATCH] Fix the offset checks in the trans routines + +This fixes a potential crash bug, a client can make us read memory we +should not read. Luckily I got the disp checks right... + +Volker +--- + source/smbd/ipc.c | 6 +++--- + source/smbd/nttrans.c | 6 +++--- + source/smbd/trans2.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c +index 6961a5c..a53bc5b 100644 +--- smbd/ipc.c ++++ smbd/ipc.c +@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c +index 13caf77..ef81404 100644 +--- smbd/nttrans.c ++++ smbd/nttrans.c +@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c +index acc424f..c7edec1 100644 +--- smbd/trans2.c ++++ smbd/trans2.c +@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +-- +1.5.5 + diff --git a/net/samba32-devel/Makefile b/net/samba32-devel/Makefile index bd3482e..c57a317 100644 --- a/net/samba32-devel/Makefile 
+++ b/net/samba32-devel/Makefile @@ -7,6 +7,7 @@ PORTNAME= samba PORTVERSION?= 3.2.4 +PORTREVISION?= 1 CATEGORIES?= net MASTER_SITES= ${MASTER_SITE_SAMBA} MASTER_SITE_SUBDIR= . old-versions rc pre diff --git a/net/samba32-devel/files/patch-CVE-2008-4314 b/net/samba32-devel/files/patch-CVE-2008-4314 new file mode 100644 index 0000000..b19dc4c --- /dev/null +++ b/net/samba32-devel/files/patch-CVE-2008-4314 
@@ -0,0 +1,74 @@ +Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch + +From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Sat, 8 Nov 2008 17:14:06 +0100 +Subject: [PATCH] Fix the offset checks in the trans routines + +This fixes a potential crash bug, a client can make us read memory we +should not read. Luckily I got the disp checks right... + +Volker +--- + source/smbd/ipc.c | 6 +++--- + source/smbd/nttrans.c | 6 +++--- + source/smbd/trans2.c | 6 +++--- + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c +index 6961a5c..a53bc5b 100644 +--- smbd/ipc.c ++++ smbd/ipc.c +@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c +index 13caf77..ef81404 100644 +--- smbd/nttrans.c ++++ smbd/nttrans.c +@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c +index acc424f..c7edec1 100644 +--- smbd/trans2.c ++++ smbd/trans2.c +@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req) + goto bad_param; + } + +- if (ddisp > av_size || ++ if (doff > av_size || + dcnt > av_size || +- ddisp+dcnt > av_size || +- ddisp+dcnt < ddisp) { ++ doff+dcnt > av_size || ++ doff+dcnt < doff) { + goto bad_param; + } + +-- +1.5.5 + -- 1.6.0.4 --- vendor-fixes-for-CVE-2008-4314.diff ends here --- The following VuXML entry should be evaluated and added: --- vuln.xml 
begins here ---
topic: samba -- potential leakage of arbitrary memory contents
affects:
  samba32-devel: < 3.2.4_1
  samba3: >= 3.0.29,1 and < 3.0.32_2,1
description:
  Vendor reports:

    Samba 3.0.29 to 3.2.4 can potentially leak arbitrary memory contents to malicious clients

references:
  CVE-2008-4314
  http://www.samba.org/samba/security/CVE-2008-4314.html
  http://www.ubuntu.com/usn/USN-680-1
dates: TODAY 2008-11-27
--- vuln.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
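Review bot: in the net/samba3/files/patch-CVE-2008-4314 hunk the new file is byte-identical to the samba32-devel copy (both carry blob id b19dc4c) and its first line reads `Obtained from: .../samba-3.2.4-CVE-2008-4314.patch`, although net/samba3 is at 3.0.32 and the commit message lists a separate samba-3.0.32-CVE-2008-4314.patch. The embedded `@@ -764`, `@@ -2853` and `@@ -7785` line numbers are those of the 3.2.4 tree, so please either use the 3.0.32 vendor patch for net/samba3 or confirm that these hunks apply to 3.0.32 without fuzz, and in either case fix the Obtained from: line so that the provenance matches the port version.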
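Review bot: the three vendor hunks (smbd/ipc.c, smbd/nttrans.c, smbd/trans2.c) make the same correction and look right: the old check bounded ddisp by av_size, and ddisp is the displacement of this chunk within the reassembled data (the "disp checks" the commit message says are handled elsewhere), so nothing constrained doff, the offset of the chunk inside the bytes actually received, and a client could make the copy read past av_size. The new clauses bound [doff, doff+dcnt) instead. One thing to confirm in context the hunk does not show: doff and dcnt must be unsigned for `doff+dcnt < doff` to detect wrap-around (with signed types the overflow is undefined behaviour and the compiler may drop the test).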
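Review bot: the net/samba32-devel/Makefile hunk introduces `PORTREVISION?= 1` with `?=`, matching the file's `PORTVERSION?=` style, whereas the net/samba3 hunk bumps a plain `PORTREVISION= 2`. With `?=` a slave port that sets PORTREVISION before including this Makefile keeps its own value and silently skips the security bump; check that this is intended for any slave ports of samba32-devel, otherwise use `PORTREVISION= 1`.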
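The check the vendor hunks correct, as an added C example that is neither Samba's code nor part of this PR: it places the pre-patch test (on ddisp) beside the post-patch test (on doff) and runs both on a constructed secondary-request size where only the old test lets a copy run past the bytes received. The meanings given to av_size, doff, dcnt and ddisp are my reading of the patch and are an assumption.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Samba code. Models the check the CVE-2008-4314 patch
 * corrects in reply_transs()/reply_nttranss()/reply_transs2(). Names follow
 * the patch; their meaning (an assumption) is: av_size = bytes actually
 * received in this secondary request, doff = client-supplied offset of the
 * data chunk inside that request, dcnt = its length, ddisp = client-supplied
 * displacement of the chunk within the server's reassembly buffer. */

/* Pre-patch check: bounds ddisp, the destination displacement, by av_size,
 * which says nothing about where the source bytes are read from. */
static bool chunk_ok_before(unsigned doff, unsigned dcnt,
                            unsigned ddisp, unsigned av_size)
{
    (void)doff;                      /* never examined: that is the bug */
    return !(ddisp > av_size || dcnt > av_size ||
             ddisp + dcnt > av_size || ddisp + dcnt < ddisp);
}

/* Post-patch check: bounds the source range [doff, doff+dcnt) by av_size.
 * The last clause guards against unsigned wrap-around of the sum. */
static bool chunk_ok_after(unsigned doff, unsigned dcnt, unsigned av_size)
{
    return !(doff > av_size || dcnt > av_size ||
             doff + dcnt > av_size || doff + dcnt < doff);
}

/* True when copying dcnt bytes from doff reads past the received data;
 * computed in 64 bits so this reference answer itself cannot wrap. */
static bool source_read_overruns(unsigned doff, unsigned dcnt, unsigned av_size)
{
    return (uint64_t)doff + dcnt > av_size;
}

int main(void)
{
    /* Constructed request: 64 bytes received, chunk claims to start at
     * byte 60 with length 32, and asks to be placed at displacement 0. */
    unsigned av_size = 64, doff = 60, dcnt = 32, ddisp = 0;
    printf("old check: %s, overruns received data: %s\n",
           chunk_ok_before(doff, dcnt, ddisp, av_size) ? "accepts" : "rejects",
           source_read_overruns(doff, dcnt, av_size) ? "yes" : "no");
    printf("new check: %s\n",
           chunk_ok_after(doff, dcnt, av_size) ? "accepts" : "rejects");
    return 0;
}
```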