git: dfe0f7673b60 - main - net/samba420: Fix recent CVEs

From: Mateusz Piotrowski <0mp_at_FreeBSD.org>
Date: Wed, 22 Oct 2025 14:45:15 UTC 
The branch main has been updated by 0mp:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dfe0f7673b604dd813da98c2219c8d0ef3e7b599

commit dfe0f7673b604dd813da98c2219c8d0ef3e7b599
Author:     Andrea Venturoli <freebsd@netfence.it>
AuthorDate: 2025-10-22 14:43:05 +0000
Commit:     Mateusz Piotrowski <0mp@FreeBSD.org>
CommitDate: 2025-10-22 14:43:05 +0000

    net/samba420: Fix recent CVEs
    
    PR:             290329
    Security:       https://www.samba.org/samba/security/CVE-2025-10230.html
    Security:       https://www.samba.org/samba/security/CVE-2025-9640.html
---
 net/samba420/Makefile              |  5 ++--
 net/samba420/files/Oct25CVEs.patch | 49 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/net/samba420/Makefile b/net/samba420/Makefile
index 3696bb72befa..487e6fb0e241 100644
--- a/net/samba420/Makefile
+++ b/net/samba420/Makefile
@@ -1,6 +1,6 @@
 PORTNAME=			${SAMBA4_BASENAME}420
 PORTVERSION=			${SAMBA4_VERSION}
-PORTREVISION=			10
+PORTREVISION=			11
 CATEGORIES?=			net
 MASTER_SITES=			SAMBA/samba/stable SAMBA/samba/rc
 DISTNAME=			${SAMBA4_DISTNAME}
@@ -47,7 +47,8 @@ EXTRA_PATCHES=			\
 				${PATCHDIR}/0028-Fix-rl_completion_func_t.patch:-p1 \
 				${PATCHDIR}/0028-s3-lib-system-add-FreeBSD-proc_fd_pattern.patch \
 				${PATCHDIR}/0100-Fix-pathref-handling-for-FreeBSD-13plus_samba42x.patch:-p1 \
-				${PATCHDIR}/0102-FreeBSD-vfs_freebsd-fix-sys_proc_fd_path-args.patch:-p1
+				${PATCHDIR}/0102-FreeBSD-vfs_freebsd-fix-sys_proc_fd_path-args.patch:-p1 \
+				${PATCHDIR}/Oct25CVEs.patch:-p1
 
 SAMBA4_BASENAME=		samba
 SAMBA4_PORTNAME=		${SAMBA4_BASENAME}4
diff --git a/net/samba420/files/Oct25CVEs.patch b/net/samba420/files/Oct25CVEs.patch
new file mode 100644
index 000000000000..3f84f60d699f
--- /dev/null
+++ b/net/samba420/files/Oct25CVEs.patch
@@ -0,0 +1,49 @@
+diff -Naurp a/source3/modules/vfs_streams_xattr.c b/source3/modules/vfs_streams_xattr.c
+index 03ff6147cb0..4fb4f42baa0 100644
+--- a/source3/modules/vfs_streams_xattr.c
++++ b/source3/modules/vfs_streams_xattr.c
+@@ -959,14 +959,17 @@ static ssize_t streams_xattr_pwrite(vfs_handle_struct *handle,
+ 
+         if ((offset + n) > ea.value.length - config->xattr_compat_bytes) {
+ 		uint8_t *tmp;
++		size_t new_sz = offset + n + config->xattr_compat_bytes;
+ 
+ 		tmp = talloc_realloc(talloc_tos(), ea.value.data, uint8_t,
+-					   offset + n + config->xattr_compat_bytes);
++					   new_sz);
+ 
+ 		if (tmp == NULL) {
+ 			TALLOC_FREE(ea.value.data);
+                         errno = ENOMEM;
+                         return -1;
+                 }
++
++		memset(tmp + ea.value.length, 0, new_sz - ea.value.length);
+ 		ea.value.data = tmp;
+- 		ea.value.length = offset + n + config->xattr_compat_bytes;
++ 		ea.value.length = new_sz;
+		if (config->xattr_compat_bytes) {
+
+diff -Naurp a/source4/nbt_server/wins/wins_hook.c b/source4/nbt_server/wins/wins_hook.c
+index 1af471b15bc..442141fecdd 100644
+--- a/source4/nbt_server/wins/wins_hook.c
++++ b/source4/nbt_server/wins/wins_hook.c
+@@ -43,9 +43,18 @@ void wins_hook(struct winsdb_handle *h, const struct winsdb_record *rec,
+ 	int child;
+ 	char *cmd = NULL;
+ 	TALLOC_CTX *tmp_mem = NULL;
++	const char *p = NULL;
+ 
+ 	if (!wins_hook_script || !wins_hook_script[0]) return;
+ 
++	for (p = rec->name->name; *p; p++) {
++		if (!(isalnum((int)*p) || strchr_m("._-", *p))) {
++			DBG_ERR("not calling wins hook for invalid name %s\n",
++				rec->name->name);
++			return;
++		}
++	}
++
+ 	tmp_mem = talloc_new(h);
+ 	if (!tmp_mem) goto failed;
+