ports/50704: [SECURITY] japanese/samba update
NAKAJI Hiroyuki
nakaji at jp.freebsd.org
Tue Apr 8 04:40:15 UTC 2003
>Number: 50704
>Category: ports
>Synopsis: [SECURITY] japanese/samba update
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Mon Apr 07 21:40:13 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: NAKAJI Hiroyuki
>Release: FreeBSD 5.0-CURRENT i386
>Organization:
>Environment:
System: FreeBSD boggy.acest.tutrp.tut.ac.jp 5.0-CURRENT FreeBSD 5.0-CURRENT #75: Wed Mar 19 10:29:36 JST 2003 root at boggy.acest.tutrp.tut.ac.jp:/usr/obj/usr/src/sys/NAKAJI i386
>Description:
As reported in FreeBSD-SN-03:01, japanese/samba is also affected by the
flaw. A new file, files/patch-security, is added to fix the problem
quickly. I hope samba-2.2.8a-ja will soon be available.
P.S.
japanese/samba20 has to be forbidden until samba-2.0.10-ja
is updated.
>How-To-Repeat:
>Fix:
diff -urN --exclude CVS /usr/ports/japanese/samba/Makefile ./Makefile
--- /usr/ports/japanese/samba/Makefile Wed Mar 19 16:18:47 2003
+++ ./Makefile Tue Apr 8 13:20:41 2003
@@ -7,7 +7,7 @@
PORTNAME= samba
PORTVERSION= ${SAMBA_VERSION}.j${SAMBA_JA_VERSION}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= japanese net
MASTER_SITES= ftp://ftp.samba.gr.jp/pub/samba-jp/%SUBDIR%/ \
ftp://ftp.iij.ad.jp/pub/SAMBA/samba-jp/%SUBDIR%/ \
diff -urN --exclude CVS /usr/ports/japanese/samba/files/patch-security ./files/patch-security
--- /usr/ports/japanese/samba/files/patch-security Thu Jan 1 09:00:00 1970
+++ ./files/patch-security Tue Apr 8 13:17:57 2003
@@ -0,0 +1,103 @@
+--- smbd/ipc.c.orig Mon Mar 17 13:17:56 2003
++++ smbd/ipc.c Tue Apr 8 13:17:45 2003
+@@ -398,7 +398,7 @@
+
+ if (tdscnt) {
+ if((data = (char *)malloc(tdscnt)) == NULL) {
+- DEBUG(0,("reply_trans: data malloc fail for %d bytes !\n", tdscnt));
++ DEBUG(0,("reply_trans: data malloc fail for %u bytes !\n", tdscnt));
+ END_PROFILE(SMBtrans);
+ return(ERROR_DOS(ERRDOS,ERRnomem));
+ }
+@@ -412,7 +412,7 @@
+
+ if (tpscnt) {
+ if((params = (char *)malloc(tpscnt)) == NULL) {
+- DEBUG(0,("reply_trans: param malloc fail for %d bytes !\n", tpscnt));
++ DEBUG(0,("reply_trans: param malloc fail for %u bytes !\n", tpscnt));
+ SAFE_FREE(data);
+ END_PROFILE(SMBtrans);
+ return(ERROR_DOS(ERRDOS,ERRnomem));
+@@ -428,7 +428,7 @@
+ if (suwcnt) {
+ int i;
+ if((setup = (uint16 *)malloc(suwcnt*sizeof(uint16))) == NULL) {
+- DEBUG(0,("reply_trans: setup malloc fail for %d bytes !\n", (int)(suwcnt * sizeof(uint16))));
++ DEBUG(0,("reply_trans: setup malloc fail for %u bytes !\n", (unsigned int)(suwcnt * sizeof(uint16))));
+ SAFE_FREE(data);
+ SAFE_FREE(params);
+ END_PROFILE(SMBtrans);
+@@ -524,7 +524,7 @@
+ }
+
+
+- DEBUG(3,("trans <%s> data=%d params=%d setup=%d\n",
++ DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n",
+ name,tdscnt,tpscnt,suwcnt));
+
+ /*
+--- smbd/password.c.orig Thu Nov 21 22:05:51 2002
++++ smbd/password.c Tue Apr 8 13:17:45 2003
+@@ -816,7 +816,7 @@
+ if (!ok && lp_username(snum)) {
+ char *auser;
+ pstring user_list;
+- StrnCpy(user_list,lp_username(snum),sizeof(pstring));
++ StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
+
+ pstring_sub(user_list,"%S",lp_servicename(snum), True);
+
+--- smbd/reply.c.orig Wed Feb 5 15:15:15 2003
++++ smbd/reply.c Tue Apr 8 13:17:45 2003
+@@ -1490,6 +1490,9 @@
+
+ for (i=numentries;(i<maxentries) && !finished;i++)
+ {
++ /* check to make sure we have room in the buffer */
++ if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE )
++ break;
+ finished =
+ !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend);
+ if (!finished)
+@@ -3603,6 +3606,9 @@
+
+
+ for (i=first;i<first+num_to_get;i++) {
++ /* check to make sure we have room in the buffer */
++ if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE )
++ break;
+ put_dos_date2(p,0,queue[i].time);
+ SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3));
+ SSVAL(p,5, queue[i].job);
+--- smbd/statcache.c.orig Fri Nov 9 18:27:43 2001
++++ smbd/statcache.c Tue Apr 8 13:17:45 2003
+@@ -88,7 +88,7 @@
+ * StrnCpy always null terminates.
+ */
+
+- StrnCpy(orig_name, full_orig_name, namelen);
++ StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
+ if(!case_sensitive)
+ strupper( orig_name );
+
+--- smbd/trans2.c.orig Mon Mar 17 13:17:56 2003
++++ smbd/trans2.c Tue Apr 8 13:17:45 2003
+@@ -217,7 +217,6 @@
+ int16 open_ofun;
+ int32 open_size;
+ char *pname;
+- int16 namelen;
+
+ pstring fname;
+ mode_t unixmode;
+@@ -247,9 +246,8 @@
+ open_ofun = SVAL(params,12);
+ open_size = IVAL(params,14);
+ pname = ¶ms[28];
+- namelen = strlen(pname)+1;
+
+- StrnCpy(fname,pname,namelen);
++ pstrcpy(fname,pname);
+ if (strchr(fname,'?'))
+ return(ERROR_DOS(ERRDOS,ERRinvalidname));
+
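Review bot: In the smbd/trans2.c part of the new files/patch-security, `pstrcpy(fname,pname)` bounds the write into `fname` but still reads from `pname` (offset 28 of `params`) until it meets a NUL, and no visible line checks that the received parameter block is at least 29 bytes long or terminated. The enclosing function starts and ends outside the hunk, so such a check may already exist; if it does not, a short or unterminated request would be read past its end. A guard before `pname` is taken would close that, for example `if (PARAM_LEN < 29) return(ERROR_DOS(ERRDOS,ERRinvalidname));`, where PARAM_LEN is a placeholder for the function's received-parameter length. On style, the print-queue loop in smbd/reply.c bounds each entry with a bare `28` while the directory-search loop uses `DIR_STRUCT_SIZE`; a named constant with a comment such as `/* bytes written per queue entry below */` would keep that bound in step with the record layout.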
>Release-Note:
>Audit-Trail:
>Unformatted: