diff --git a/SOURCES/samba-CVE-2014-0178.patch b/SOURCES/samba-CVE-2014-0178.patch
new file mode 100644
index 0000000..143c130
--- /dev/null
+++ b/SOURCES/samba-CVE-2014-0178.patch
@@ -0,0 +1,86 @@
+From ab51cd90a077c2938620afedc61e2da21cb509be Mon Sep 17 00:00:00 2001
+From: Christof Schmitt
+Date: Mon, 5 Aug 2013 11:16:22 -0700
+Subject: [PATCH 1/2] FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to
+ zero
+
+Otherwise num_volumes and the end marker can return uninitialized data
+to the client.
+
+Signed-off-by: Christof Schmitt
+Reviewed-by: Jeremy Allison
+Reviewed-by: Simo Sorce
+(cherry picked from commit 30e724cbff1ecd90e5a676831902d1e41ec1b347)
+---
+ source3/modules/vfs_default.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
+index f6200ed..97cd292 100644
+--- a/source3/modules/vfs_default.c
++++ b/source3/modules/vfs_default.c
+@@ -1151,7 +1151,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+- cur_pdata = talloc_array(ctx, char, *out_len);
++ cur_pdata = talloc_zero_array(ctx, char, *out_len);
+ if (cur_pdata == NULL) {
+ TALLOC_FREE(shadow_data);
+ return NT_STATUS_NO_MEMORY;
+--
+1.9.3
+
+
+From dbe2ef7f66c4c5cde1e1300675fcb78f4de3af70 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt
+Date: Mon, 5 Aug 2013 11:21:59 -0700
+Subject: [PATCH 2/2] FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at
+ end
+
+labels_data_count already accounts for the unicode null character at the
+end of the array. There is no need in adding space for it again.
+
+Signed-off-by: Christof Schmitt
+Reviewed-by: Jeremy Allison
+Reviewed-by: Simo Sorce
+
+Autobuild-User(master): Jeremy Allison
+Autobuild-Date(master): Tue Aug 6 04:03:17 CEST 2013 on sn-devel-104
+
+(cherry picked from commit eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696)
+
+The last 2 patches address bug #10549 - CVE-2014-0178: Malformed
+FSCTL_SRV_ENUMERATE_SNAPSHOTS response.
+
+Autobuild-User(v4-1-test): Karolin Seeger
+Autobuild-Date(v4-1-test): Mon May 19 14:52:47 CEST 2014 on sn-devel-104
+---
+ source3/modules/vfs_default.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
+index 97cd292..7fda4b8 100644
+--- a/source3/modules/vfs_default.c
++++ b/source3/modules/vfs_default.c
+@@ -1141,7 +1141,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
+ if (!labels) {
+ *out_len = 16;
+ } else {
+- *out_len = 12 + labels_data_count + 4;
++ *out_len = 12 + labels_data_count;
+ }
+
+ if (max_out_len < *out_len) {
+@@ -1168,7 +1168,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
+ }
+
+ /* needed_data_count 4 bytes */
+- SIVAL(cur_pdata, 8, labels_data_count + 4);
++ SIVAL(cur_pdata, 8, labels_data_count);
+
+ cur_pdata += 12;
+
+--
+1.9.3
+
diff --git a/SOURCES/samba-CVE-2014-0244.patch b/SOURCES/samba-CVE-2014-0244.patch
new file mode 100644
index 0000000..7c94c85
--- /dev/null
+++ b/SOURCES/samba-CVE-2014-0244.patch
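Review bot: The response-header arithmetic in the second patch still rests on unexplained constants — `*out_len = 16` in the `!labels` branch, `12 + labels_data_count` in the other, and `cur_pdata += 12` further down — and nothing in the hunk says what those 12 bytes are, which is exactly how the extra `+ 4` crept in. I would pin the layout with a comment above `if (!labels) {`: `/* 12-byte header (three 4-byte fields, needed_data_count at offset 8) precedes the label array; labels_data_count already includes the terminating unicode NUL, so do not add 4 again. */`. The `talloc_zero_array` change in the first patch is what keeps uninitialized heap bytes out of the reply, so any later edit to the `*out_len` formula has to keep the allocation size and the SIVAL writes in step. vfswrap_fsctl starts and ends outside both hunks.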
@@ -0,0 +1,48 @@
+From 9bef27dec1a81b7ba46bc3126edd5ac1b225f6dc Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Wed, 28 May 2014 10:40:27 -0700
+Subject: [PATCH] s3: nmbd: Fix bug 10633 - nmbd denial of service
+
+The Linux kernel has a bug in that it can give spurious
+wakeups on a non-blocking UDP socket for a non-deliverable packet.
+
+When nmbd was changed to use non-blocking sockets it
+became vulnerable to a spurious wakeup from poll/epoll.
+
+Fix sys_recvfile() to return on EWOULDBLOCK/EAGAIN.
+
+CVE-2014-0244
+
+Signed-off-by: Jeremy Allison
+---
+ source3/lib/system.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/source3/lib/system.c b/source3/lib/system.c
+index af72b2a..698de12 100644
+--- a/source3/lib/system.c
++++ b/source3/lib/system.c
+@@ -169,6 +169,7 @@ ssize_t sys_send(int s, const void *msg, size_t len, int flags)
+
+ /*******************************************************************
+ A recvfrom wrapper that will deal with EINTR.
++NB. As used with non-blocking sockets, return on EAGAIN/EWOULDBLOCK
+ ********************************************************************/
+
+ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen)
+@@ -177,11 +178,7 @@ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *f
+
+ do {
+ ret = recvfrom(s, buf, len, flags, from, fromlen);
+-#if defined(EWOULDBLOCK)
+- } while (ret == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK));
+-#else
+- } while (ret == -1 && (errno == EINTR || errno == EAGAIN));
+-#endif
++ } while (ret == -1 && (errno == EINTR));
+ return ret;
+ }
+
+--
+1.9.1.423.g4596e3a
+
diff --git a/SOURCES/samba-CVE-2014-3493.patch b/SOURCES/samba-CVE-2014-3493.patch
new file mode 100644
index 0000000..a1bfb94
--- /dev/null
+++ b/SOURCES/samba-CVE-2014-3493.patch
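Review bot: Dropping EAGAIN/EWOULDBLOCK from the retry loop in `sys_recvfrom` shifts the burden onto every caller, which must now treat `ret == -1` with `errno == EAGAIN` or `EWOULDBLOCK` (the removed `#if defined(EWOULDBLOCK)` shows the two were not assumed identical on every platform) as "no datagram yet" rather than as a socket error, and none of those callers appear in this patch. The added comment only says the wrapper is used with non-blocking sockets, not what the caller must do, so I would state the contract: `NB. On a non-blocking socket this returns -1 with errno EAGAIN/EWOULDBLOCK; callers must not treat that as fatal.`. Any remaining caller on a blocking socket with a receive timeout would likewise now see -1/EAGAIN where it previously retried, which is worth confirming against nmbd's receive paths. The commit message names `sys_recvfile()` while the function actually changed is `sys_recvfrom()`.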
@@ -0,0 +1,120 @@
+From d31b7e056d790115bb3a3a838a8435dad3be8118 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Sat, 7 Jun 2014 21:51:44 -0700
+Subject: [PATCH] s3: smbd - fix processing of packets with invalid DOS charset
+ conversions.
+
+Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler
+
+https://bugzilla.samba.org/show_bug.cgi?id=10654
+
+Signed-off-by: Jeremy Allison
+---
+ source3/lib/charcnv.c | 26 +++++++++++++++++---------
+ source3/libsmb/clirap.c | 4 ++--
+ source3/smbd/lanman.c | 4 ++--
+ 3 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
+index 71d2c3a..2189812 100644
+--- a/source3/lib/charcnv.c
++++ b/source3/lib/charcnv.c
+@@ -46,9 +46,9 @@ void gfree_charcnv(void)
+ **/
+ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ {
+- size_t src_len = strlen(src);
++ size_t src_len = 0;
+ char *tmpbuf = NULL;
+- size_t size;
++ size_t size = 0;
+ bool ret;
+
+ /* No longer allow a length of -1. */
+@@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ smb_panic("malloc fail");
+ }
+ if (!strupper_m(tmpbuf)) {
++ if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
++ dest &&
++ dest_len > 0) {
++ *(char *)dest = 0;
++ }
+ SAFE_FREE(tmpbuf);
+- return (size_t)-1;
++ return 0;
+ }
+ src = tmpbuf;
+ }
+
++ src_len = strlen(src);
+ if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
+ src_len++;
+ }
+
+ ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
+- if (ret == false &&
+- (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+- && dest_len > 0) {
+- ((char *)dest)[0] = '\0';
+- }
+ SAFE_FREE(tmpbuf);
+- return ret ? size : (size_t)-1;
++ if (ret == false) {
++ if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
++ dest_len > 0) {
++ ((char *)dest)[0] = '\0';
++ }
++ return 0;
++ }
++ return size;
+ }
+
+ /********************************************************************
+diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
+index 036919f..64e3767 100644
+--- a/source3/libsmb/clirap.c
++++ b/source3/libsmb/clirap.c
+@@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
+ sizeof(param) - PTR_DIFF(p,param) - 1,
+ STR_TERMINATE|STR_UPPER);
+
+- if (len == (size_t)-1) {
++ if (len == 0) {
+ SAFE_FREE(last_entry);
+ return false;
+ }
+@@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
+ sizeof(param) - PTR_DIFF(p,param) - 1,
+ STR_TERMINATE);
+
+- if (len == (size_t)-1) {
++ if (len == 0) {
+ SAFE_FREE(last_entry);
+ return false;
+ }
+diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
+index 63c2ad7..66ab8a2 100644
+--- a/source3/smbd/lanman.c
++++ b/source3/smbd/lanman.c
+@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
+ return 0;
+ }
+ l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
+- if (l == -1) {
++ if (l == 0) {
+ return 0;
+ }
+ (*dst) += l;
+@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
+ return 0;
+ }
+ l = push_ascii(*dst,src,*n, STR_TERMINATE);
+- if (l == -1) {
++ if (l == 0) {
+ return 0;
+ }
+ (*dst) += l;
+--
+2.0.0.526.g5318336
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index ba15772..fcf3257 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -1,7 +1,7 @@
# Set --with testsuite or %bcond_without to run the Samba torture testsuite.
%bcond_with testsuite
-%define main_release 33
+%define main_release 35
%define samba_version 4.1.1
%define talloc_version 2.0.8
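Review bot: Changing push_ascii's failure sentinel from `(size_t)-1` to `0` makes a failure indistinguishable from a successful conversion that wrote nothing, which is possible for an empty `src` when neither STR_TERMINATE nor STR_TERMINATE_ASCII is passed; the three call sites updated here all pass STR_TERMINATE, so 0 is unambiguous for them, but any caller elsewhere still testing `len == (size_t)-1` will now proceed silently on failure. The function carries no comment stating the new contract, so I would add above `size_t push_ascii(`: `/* Returns the number of bytes written to dest, or 0 on conversion failure (dest[0] is zeroed on failure when a STR_TERMINATE flag is set). Callers must treat 0 as an error. */`. The two failure paths also guard differently: the strupper_m path checks `dest &&` before writing, while the convert_string path writes `((char *)dest)[0]` on `dest_len > 0` alone, so if a NULL dest with a non-zero dest_len is ever legal the second path dereferences NULL and the guards should match. The middle of push_ascii, between the two hunks, is not shown.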
@@ -115,6 +115,9 @@ Patch26: samba-4.1.6-fix_fragmented_rpc_handling.patch
Patch27: samba-4.1.7-make_pidl_lsa_struct_public.patch
Patch28: samba-4.1.7-Make_daemons_systemd_aware.patch
Patch29: samba-4.1.6-ipv6_workaround.patch
+Patch30: samba-CVE-2014-0244.patch
+Patch31: samba-CVE-2014-3493.patch
+Patch32: samba-CVE-2014-0178.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -550,6 +553,9 @@ module necessary to communicate to the Winbind Daemon
%patch27 -p1 -b .samba-4.1.7-make_pidl_lsa_struct_public.patch
%patch28 -p1 -b .samba-4.1.7-Make_daemons_systemd_aware.patch
%patch29 -p1 -b .samba-4.1.6-ipv6_workaround.patch
+%patch30 -p1 -b .samba-CVE-2014-0244.patch
+%patch31 -p1 -b .samba-CVE-2014-3493.patch
+%patch32 -p1 -b .samba-CVE-2014-0178.patch
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1616,6 +1622,11 @@
%{_mandir}/man8/pam_winbind.8*
%changelog
+* Wed Jun 11 2014 - Guenther Deschner - 4.1.1-35
+- resolves: #1105504 - CVE-2014-0244: DoS in nmbd.
+- resolves: #1108844 - CVE-2014-3493: DoS in smbd with unicode path names.
+- resolves: #1105573 - CVE-2014-0178: Uninitialized memory exposure.
+
* Mon May 05 2014 - Andreas Schneider - 4.1.1-33 - related: #717484 - Add missing configure line to enable profiling data support.