packages (AC-branch): samba/samba.spec, samba/samba-3.0.37-CVE-2010-2063.pa...

glen glen at pld-linux.org
Fri Jun 18 12:16:33 CEST 2010


Author: glen                         Date: Fri Jun 18 10:16:33 2010 GMT
Module: packages                      Tag: AC-branch
---- Log message:
- fix for CVE-2010-2063; rel 3

---- Files affected:
packages/samba:
   samba.spec (1.348.2.7.2.17 -> 1.348.2.7.2.18) , samba-3.0.37-CVE-2010-2063.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: packages/samba/samba.spec
diff -u packages/samba/samba.spec:1.348.2.7.2.17 packages/samba/samba.spec:1.348.2.7.2.18
--- packages/samba/samba.spec:1.348.2.7.2.17	Fri Jan 22 18:18:18 2010
+++ packages/samba/samba.spec	Fri Jun 18 12:16:27 2010
@@ -42,7 +42,7 @@
 Summary(zh_CN.UTF-8):	Samba 客户端和服务器
 Name:		samba
 Version:	3.0.37
-Release:	2
+Release:	3
 Epoch:		1
 License:	GPL v2
 Group:		Networking/Daemons
@@ -67,6 +67,7 @@
 Patch6:		%{name}-libs-needed.patch
 Patch7:		%{name}-lprng-no-dot-printers.patch
 Patch8:		%{name}-printerlocation.patch
+Patch9:		http://www.samba.org/samba/ftp/patches/security/samba-3.0.37-CVE-2010-2063.patch
 URL:		http://www.samba.org/
 BuildRequires:	acl-devel
 BuildRequires:	autoconf
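Review bot: The new `Patch9:` line names the security patch by a plain `http://` URL, and nothing in this hunk records a digest or signature check for it. The same commit also checks the patch into the package directory, so the build presumably uses that copy, but a reviewer cannot tell from the spec that the checked-in file matches what upstream published. A comment beside `Patch9:` giving the digest of the verified patch, or a note that it was compared with the upstream advisory, would make the provenance auditable.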
@@ -955,6 +956,7 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 %{__sed} -i 's#%SAMBAVERSION%#%{version}#' docs/htmldocs/index.html
 
 cd examples/VFS
@@ -1505,6 +1507,9 @@
 All persons listed below can be reached at <cvs_login>@pld-linux.org
 
 $Log$
+Revision 1.348.2.7.2.18  2010/06/18 10:16:27  glen
+- fix for CVE-2010-2063; rel 3
+
 Revision 1.348.2.7.2.17  2010/01/22 17:18:18  glen
 - release 2
 

================================================================
Index: packages/samba/samba-3.0.37-CVE-2010-2063.patch
diff -u /dev/null packages/samba/samba-3.0.37-CVE-2010-2063.patch:1.1
--- /dev/null	Fri Jun 18 12:16:33 2010
+++ packages/samba/samba-3.0.37-CVE-2010-2063.patch	Fri Jun 18 12:16:27 2010
@@ -0,0 +1,38 @@
+diff --git a/source/smbd/process.c b/source/smbd/process.c
+index e861e16..6499bc7 100644
+--- a/source/smbd/process.c
++++ b/source/smbd/process.c
+@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
+ {
+ 	static char *orig_inbuf;
+ 	static char *orig_outbuf;
++	static int orig_size;
+ 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
+ 	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
+ 	char *inbuf2, *outbuf2;
+@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
+ 		/* this is the first part of the chain */
+ 		orig_inbuf = inbuf;
+ 		orig_outbuf = outbuf;
++		orig_size = size;
++	}
++
++	/* Validate smb_off2 */
++	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
++		exit_server_cleanly("Bad chained packet");
++		return -1;
+ 	}
+ 
+ 	/*
+@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf,int size,int bufsize)
+ 	SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
+ 	SCVAL(outbuf,smb_vwv0,smb_com2);
+ 
++	if (outsize <= smb_wct) {
++		exit_server_cleanly("Bad chained packet");
++		return -1;
++	}
++
+ 	/* remember how much the caller added to the chain, only counting stuff
+ 		after the parameter words */
+ 	chain_size += outsize - smb_wct;
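Review bot: In the added smb_off2 validation, `orig_size` is a signed `int` compared with the unsigned expression `smb_off2 + 4 - smb_wct`, so it is converted to unsigned and a negative value would pass the bound as a very large number. Whether `size` can be negative on entry is not visible here (chain_reply's body starts and ends outside these hunks), so a guard that does not depend on the callers would be safer, for example `if (orig_size < 0 || smb_off2 < smb_wct - 4 || (unsigned)orig_size < smb_off2 + 4 - smb_wct)`, assuming smb_wct is a plain integer constant. Both new rejection paths log the same `"Bad chained packet"` string; distinct messages such as `"Bad chained packet: smb_off2 out of range"` and `"Bad chained packet: short reply"` would let an operator tell from the log which check fired. The `return -1;` after `exit_server_cleanly()` looks unreachable if that function does not return, which deserves a one-line comment such as `/* not reached; keeps the compiler quiet */`.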
================================================================

---- CVS-web:
    http://cvs.pld-linux.org/cgi-bin/cvsweb.cgi/packages/samba/samba.spec?r1=1.348.2.7.2.17&r2=1.348.2.7.2.18&f=u


