[vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Thu Nov 27 12:00:02 PST 2008
>Submitter-Id: current-users
>Originator: Eygene Ryabinkin
>Organization: Code Labs
>Confidential: no
>Synopsis: [vuxml] [patch] net/samba3, net/samba32-devel: document and fix CVE-2008-4314
>Severity: serious
>Priority: high
>Category: ports
>Class: sw-bug
>Release: FreeBSD 7.1-PRERELEASE i386
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
The Samba team discovered a memory disclosure vulnerability:
http://www.samba.org/samba/security/CVE-2008-4314.html
>How-To-Repeat:
Read the document at the above link.
>Fix:
The following patch updates both net/samba3 and net/samba32-devel;
the patches are taken directly from the vendor. I have just tested the
compilability of those, but assuming that the vendor knows what he is doing
and taking into account the simplicity of the patches, I am mostly confident
that the updated versions will work fine.
--- vendor-fixes-for-CVE-2008-4314.diff begins here ---
>From a1baef8a3ae57552559bd2cc7bb575011c06f23b Mon Sep 17 00:00:00 2001
From: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
Date: Thu, 27 Nov 2008 22:50:14 +0300
http://www.samba.org/samba/security/CVE-2008-4314.html
http://www.samba.org/samba/ftp/patches/security/samba-3.0.32-CVE-2008-4314.patch
http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch
Signed-off-by: Eygene Ryabinkin <rea-fbsd at codelabs.ru>
---
net/samba3/Makefile | 2 +-
net/samba3/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++
net/samba32-devel/Makefile | 1 +
net/samba32-devel/files/patch-CVE-2008-4314 | 74 +++++++++++++++++++++++++++
4 files changed, 150 insertions(+), 1 deletions(-)
create mode 100644 net/samba3/files/patch-CVE-2008-4314
create mode 100644 net/samba32-devel/files/patch-CVE-2008-4314
diff --git a/net/samba3/Makefile b/net/samba3/Makefile
index 117c9fc..f37fe5d 100644
--- a/net/samba3/Makefile
+++ b/net/samba3/Makefile
@@ -7,7 +7,7 @@
PORTNAME= samba
PORTVERSION?= 3.0.32
-PORTREVISION= 1
+PORTREVISION= 2
PORTEPOCH?= 1
CATEGORIES?= net
MASTER_SITES= ${MASTER_SITE_SAMBA}
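Review bot: the PORTREVISION bump from 1 to 2 is the right thing for a change that only adds a files/ patch, and it lines up with the proposed VuXML range `<lt>3.0.32_2,1</lt>` (the trailing `,1` matching the `PORTEPOCH?= 1` kept in this hunk). Nothing else to change here; just make sure the VuXML range is not committed with a different revision than the one that actually lands.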
diff --git a/net/samba3/files/patch-CVE-2008-4314 b/net/samba3/files/patch-CVE-2008-4314
new file mode 100644
index 0000000..b19dc4c
--- /dev/null
+++ b/net/samba3/files/patch-CVE-2008-4314
@@ -0,0 +1,74 @@
+Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch
+
+From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl at samba.org>
+Date: Sat, 8 Nov 2008 17:14:06 +0100
+Subject: [PATCH] Fix the offset checks in the trans routines
+
+This fixes a potential crash bug, a client can make us read memory we
+should not read. Luckily I got the disp checks right...
+
+Volker
+---
+ source/smbd/ipc.c | 6 +++---
+ source/smbd/nttrans.c | 6 +++---
+ source/smbd/trans2.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
+index 6961a5c..a53bc5b 100644
+--- smbd/ipc.c
++++ smbd/ipc.c
+@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req)
+ goto bad_param;
+ }
+
+- if (ddisp > av_size ||
++ if (doff > av_size ||
+ dcnt > av_size ||
+- ddisp+dcnt > av_size ||
+- ddisp+dcnt < ddisp) {
++ doff+dcnt > av_size ||
++ doff+dcnt < doff) {
+ goto bad_param;
+ }
+
+diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
+index 13caf77..ef81404 100644
+--- smbd/nttrans.c
++++ smbd/nttrans.c
+@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req)
+ goto bad_param;
+ }
+
+- if (ddisp > av_size ||
++ if (doff > av_size ||
+ dcnt > av_size ||
+- ddisp+dcnt > av_size ||
+- ddisp+dcnt < ddisp) {
++ doff+dcnt > av_size ||
++ doff+dcnt < doff) {
+ goto bad_param;
+ }
+
+diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
+index acc424f..c7edec1 100644
+--- smbd/trans2.c
++++ smbd/trans2.c
+@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req)
+ goto bad_param;
+ }
+
+- if (ddisp > av_size ||
++ if (doff > av_size ||
+ dcnt > av_size ||
+- ddisp+dcnt > av_size ||
+- ddisp+dcnt < ddisp) {
++ doff+dcnt > av_size ||
++ doff+dcnt < doff) {
+ goto bad_param;
+ }
+
+--
+1.5.5
+
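Review bot: the `Obtained from:` line in this net/samba3 file points at samba-3.2.4-CVE-2008-4314.patch, but the port is 3.0.32 and the cover message also lists samba-3.0.32-CVE-2008-4314.patch; the blob id (b19dc4c) is the same as the samba32-devel copy, so the 3.2.4 patch is being reused for 3.0.32. Either confirm that `make patch` applies it cleanly at the `@@ -764`, `@@ -2853` and `@@ -7785` offsets of the 3.0.32 tree, or take the 3.0.32 vendor patch and fix the Obtained-from line to match. Also note the `---`/`+++` headers are `smbd/ipc.c` (no `source/` prefix, unlike the `diff --git` line), so this only applies if WRKSRC points at the `source/` subdirectory. On the substance: the old condition bounded `ddisp` (the displacement into the reassembled transaction buffer) against `av_size`, which is the size of what was actually received, instead of `doff` (the offset of the data within the incoming packet); a client-supplied `doff` past `av_size` therefore passed the check and the copy read beyond the packet. The replacement bounds `doff` and `doff+dcnt` against `av_size` and keeps the `doff+dcnt < doff` wrap guard, which is the correct shape for an offset/length check.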
diff --git a/net/samba32-devel/Makefile b/net/samba32-devel/Makefile
index bd3482e..c57a317 100644
--- a/net/samba32-devel/Makefile
+++ b/net/samba32-devel/Makefile
@@ -7,6 +7,7 @@
PORTNAME= samba
PORTVERSION?= 3.2.4
+PORTREVISION?= 1
CATEGORIES?= net
MASTER_SITES= ${MASTER_SITE_SAMBA}
MASTER_SITE_SUBDIR= . old-versions rc pre
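Review bot: this adds `PORTREVISION?= 1` with `?=`, whereas net/samba3 in the same patch uses `PORTREVISION= 2`. `?=` is consistent with the `PORTVERSION?=` and `CATEGORIES?=` style of this Makefile and lets a slave port override it, but the two master ports should use the same form so the two are not maintained differently. The value itself matches the proposed VuXML range `<lt>3.2.4_1</lt>`, and this port has no PORTEPOCH so the missing `,1` suffix there is correct.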
diff --git a/net/samba32-devel/files/patch-CVE-2008-4314 b/net/samba32-devel/files/patch-CVE-2008-4314
new file mode 100644
index 0000000..b19dc4c
--- /dev/null
+++ b/net/samba32-devel/files/patch-CVE-2008-4314
@@ -0,0 +1,74 @@
+Obtained from: http://www.samba.org/samba/ftp/patches/security/samba-3.2.4-CVE-2008-4314.patch
+
+From e334563f48f85b1580638d3dd444c2f9c97f05af Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl at samba.org>
+Date: Sat, 8 Nov 2008 17:14:06 +0100
+Subject: [PATCH] Fix the offset checks in the trans routines
+
+This fixes a potential crash bug, a client can make us read memory we
+should not read. Luckily I got the disp checks right...
+
+Volker
+---
+ source/smbd/ipc.c | 6 +++---
+ source/smbd/nttrans.c | 6 +++---
+ source/smbd/trans2.c | 6 +++---
+ 3 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/source/smbd/ipc.c b/source/smbd/ipc.c
+index 6961a5c..a53bc5b 100644
+--- smbd/ipc.c
++++ smbd/ipc.c
+@@ -764,10 +764,10 @@ void reply_transs(struct smb_request *req)
+ goto bad_param;
+ }
+
+- if (ddisp > av_size ||
++ if (doff > av_size ||
+ dcnt > av_size ||
+- ddisp+dcnt > av_size ||
+- ddisp+dcnt < ddisp) {
++ doff+dcnt > av_size ||
++ doff+dcnt < doff) {
+ goto bad_param;
+ }
+
+diff --git a/source/smbd/nttrans.c b/source/smbd/nttrans.c
+index 13caf77..ef81404 100644
+--- smbd/nttrans.c
++++ smbd/nttrans.c
+@@ -2853,10 +2853,10 @@ void reply_nttranss(struct smb_request *req)
+ goto bad_param;
+ }
+
+- if (ddisp > av_size ||
++ if (doff > av_size ||
+ dcnt > av_size ||
+- ddisp+dcnt > av_size ||
+- ddisp+dcnt < ddisp) {
++ doff+dcnt > av_size ||
++ doff+dcnt < doff) {
+ goto bad_param;
+ }
+
+diff --git a/source/smbd/trans2.c b/source/smbd/trans2.c
+index acc424f..c7edec1 100644
+--- smbd/trans2.c
++++ smbd/trans2.c
+@@ -7785,10 +7785,10 @@ void reply_transs2(struct smb_request *req)
+ goto bad_param;
+ }
+
+- if (ddisp > av_size ||
++ if (doff > av_size ||
+ dcnt > av_size ||
+- ddisp+dcnt > av_size ||
+- ddisp+dcnt < ddisp) {
++ doff+dcnt > av_size ||
++ doff+dcnt < doff) {
+ goto bad_param;
+ }
+
+--
+1.5.5
+
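Review bot: this file is byte-for-byte the same blob (b19dc4c) as the net/samba3 copy, and here the `Obtained from:` URL does match the port's 3.2.4 version, so the hunk offsets should apply without fuzz. Since no distfile changes, only `make patch` (and a build) needs re-checking for this port; no makesum update is required.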
--
1.6.0.4
--- vendor-fixes-for-CVE-2008-4314.diff ends here ---
The following VuXML entry should be evaluated and added:
--- vuln.xml begins here ---
<vuln vid="">
<topic>samba -- potential leakage of arbitrary memory contents</topic>
<affects>
<package>
<name>samba32-devel</name>
<range><lt>3.2.4_1</lt></range>
</package>
<package>
<name>samba3</name>
<range><ge>3.0.29,1</ge><lt>3.0.32_2,1</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Vendor reports:</p>
<blockquote cite="http://www.samba.org/samba/security/CVE-2008-4314.html">
<p>Samba 3.0.29 to 3.2.4 can potentially leak arbitrary
memory contents to malicious clients</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4314</cvename>
<url>http://www.samba.org/samba/security/CVE-2008-4314.html</url>
<url>http://www.ubuntu.com/usn/USN-680-1</url>
</references>
<dates>
<entry>TODAY</entry>
<discovery>2008-11-27</discovery>
</dates>
</vuln>
--- vuln.xml ends here ---