diff --git a/SOURCES/samba-CVE-2014-0178.patch b/SOURCES/samba-CVE-2014-0178.patch
new file mode 100644
index 0000000..143c130
--- /dev/null
+++ b/SOURCES/samba-CVE-2014-0178.patch
@@ -0,0 +1,86 @@
+From ab51cd90a077c2938620afedc61e2da21cb509be Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <christof.schmitt@us.ibm.com>
+Date: Mon, 5 Aug 2013 11:16:22 -0700
+Subject: [PATCH 1/2] FSCTL_GET_SHADOW_COPY_DATA: Initialize output array to
+ zero
+
+Otherwise num_volumes and the end marker can return uninitialized data
+to the client.
+
+Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+(cherry picked from commit 30e724cbff1ecd90e5a676831902d1e41ec1b347)
+---
+ source3/modules/vfs_default.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
+index f6200ed..97cd292 100644
+--- a/source3/modules/vfs_default.c
++++ b/source3/modules/vfs_default.c
+@@ -1151,7 +1151,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+
+- cur_pdata = talloc_array(ctx, char, *out_len);
++ cur_pdata = talloc_zero_array(ctx, char, *out_len);
+ if (cur_pdata == NULL) {
+ TALLOC_FREE(shadow_data);
+ return NT_STATUS_NO_MEMORY;
+--
+1.9.3
+
+
+From dbe2ef7f66c4c5cde1e1300675fcb78f4de3af70 Mon Sep 17 00:00:00 2001
+From: Christof Schmitt <christof.schmitt@us.ibm.com>
+Date: Mon, 5 Aug 2013 11:21:59 -0700
+Subject: [PATCH 2/2] FSCTL_GET_SHADOW_COPY_DATA: Don't return 4 extra bytes at
+ end
+
+labels_data_count already accounts for the unicode null character at the
+end of the array. There is no need in adding space for it again.
+
+Signed-off-by: Christof Schmitt <christof.schmitt@us.ibm.com>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Tue Aug 6 04:03:17 CEST 2013 on sn-devel-104
+
+(cherry picked from commit eb50fb8f3bf670bd7d1cf8fd4368ef4a73083696)
+
+The last 2 patches address bug #10549 - CVE-2014-0178: Malformed
+FSCTL_SRV_ENUMERATE_SNAPSHOTS response.
+
+Autobuild-User(v4-1-test): Karolin Seeger <kseeger@samba.org>
+Autobuild-Date(v4-1-test): Mon May 19 14:52:47 CEST 2014 on sn-devel-104
+---
+ source3/modules/vfs_default.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/modules/vfs_default.c b/source3/modules/vfs_default.c
+index 97cd292..7fda4b8 100644
+--- a/source3/modules/vfs_default.c
++++ b/source3/modules/vfs_default.c
+@@ -1141,7 +1141,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
+ if (!labels) {
+ *out_len = 16;
+ } else {
+- *out_len = 12 + labels_data_count + 4;
++ *out_len = 12 + labels_data_count;
+ }
+
+ if (max_out_len < *out_len) {
+@@ -1168,7 +1168,7 @@ static NTSTATUS vfswrap_fsctl(struct vfs_handle_struct *handle,
+ }
+
+ /* needed_data_count 4 bytes */
+- SIVAL(cur_pdata, 8, labels_data_count + 4);
++ SIVAL(cur_pdata, 8, labels_data_count);
+
+ cur_pdata += 12;
+
+--
+1.9.3
+
diff --git a/SOURCES/samba-CVE-2014-0244.patch b/SOURCES/samba-CVE-2014-0244.patch
new file mode 100644
index 0000000..7c94c85
--- /dev/null
+++ b/SOURCES/samba-CVE-2014-0244.patch
@@ -0,0 +1,48 @@
+From 9bef27dec1a81b7ba46bc3126edd5ac1b225f6dc Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 28 May 2014 10:40:27 -0700
+Subject: [PATCH] s3: nmbd: Fix bug 10633 - nmbd denial of service
+
+The Linux kernel has a bug in that it can give spurious
+wakeups on a non-blocking UDP socket for a non-deliverable packet.
+
+When nmbd was changed to use non-blocking sockets it
+became vulnerable to a spurious wakeup from poll/epoll.
+
+Fix sys_recvfile() to return on EWOULDBLOCK/EAGAIN.
+
+CVE-2014-0244
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/lib/system.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/source3/lib/system.c b/source3/lib/system.c
+index af72b2a..698de12 100644
+--- a/source3/lib/system.c
++++ b/source3/lib/system.c
+@@ -169,6 +169,7 @@ ssize_t sys_send(int s, const void *msg, size_t len, int flags)
+
+ /*******************************************************************
+ A recvfrom wrapper that will deal with EINTR.
++NB. As used with non-blocking sockets, return on EAGAIN/EWOULDBLOCK
+ ********************************************************************/
+
+ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *from, socklen_t *fromlen)
+@@ -177,11 +178,7 @@ ssize_t sys_recvfrom(int s, void *buf, size_t len, int flags, struct sockaddr *f
+
+ do {
+ ret = recvfrom(s, buf, len, flags, from, fromlen);
+-#if defined(EWOULDBLOCK)
+- } while (ret == -1 && (errno == EINTR || errno == EAGAIN || errno == EWOULDBLOCK));
+-#else
+- } while (ret == -1 && (errno == EINTR || errno == EAGAIN));
+-#endif
++ } while (ret == -1 && (errno == EINTR));
+ return ret;
+ }
+
+--
+1.9.1.423.g4596e3a
+
diff --git a/SOURCES/samba-CVE-2014-3493.patch b/SOURCES/samba-CVE-2014-3493.patch
new file mode 100644
index 0000000..a1bfb94
--- /dev/null
+++ b/SOURCES/samba-CVE-2014-3493.patch
@@ -0,0 +1,120 @@
+From d31b7e056d790115bb3a3a838a8435dad3be8118 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Sat, 7 Jun 2014 21:51:44 -0700
+Subject: [PATCH] s3: smbd - fix processing of packets with invalid DOS charset
+ conversions.
+
+Bug 10654 - Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FILE_UNIX handler
+
+https://bugzilla.samba.org/show_bug.cgi?id=10654
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/lib/charcnv.c | 26 +++++++++++++++++---------
+ source3/libsmb/clirap.c | 4 ++--
+ source3/smbd/lanman.c | 4 ++--
+ 3 files changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c
+index 71d2c3a..2189812 100644
+--- a/source3/lib/charcnv.c
++++ b/source3/lib/charcnv.c
+@@ -46,9 +46,9 @@ void gfree_charcnv(void)
+ **/
+ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ {
+- size_t src_len = strlen(src);
++ size_t src_len = 0;
+ char *tmpbuf = NULL;
+- size_t size;
++ size_t size = 0;
+ bool ret;
+
+ /* No longer allow a length of -1. */
+@@ -62,24 +62,32 @@ size_t push_ascii(void *dest, const char *src, size_t dest_len, int flags)
+ smb_panic("malloc fail");
+ }
+ if (!strupper_m(tmpbuf)) {
++ if ((flags & (STR_TERMINATE|STR_TERMINATE_ASCII)) &&
++ dest &&
++ dest_len > 0) {
++ *(char *)dest = 0;
++ }
+ SAFE_FREE(tmpbuf);
+- return (size_t)-1;
++ return 0;
+ }
+ src = tmpbuf;
+ }
+
++ src_len = strlen(src);
+ if (flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) {
+ src_len++;
+ }
+
+ ret = convert_string(CH_UNIX, CH_DOS, src, src_len, dest, dest_len, &size);
+- if (ret == false &&
+- (flags & (STR_TERMINATE | STR_TERMINATE_ASCII))
+- && dest_len > 0) {
+- ((char *)dest)[0] = '\0';
+- }
+ SAFE_FREE(tmpbuf);
+- return ret ? size : (size_t)-1;
++ if (ret == false) {
++ if ((flags & (STR_TERMINATE | STR_TERMINATE_ASCII)) &&
++ dest_len > 0) {
++ ((char *)dest)[0] = '\0';
++ }
++ return 0;
++ }
++ return size;
+ }
+
+ /********************************************************************
+diff --git a/source3/libsmb/clirap.c b/source3/libsmb/clirap.c
+index 036919f..64e3767 100644
+--- a/source3/libsmb/clirap.c
++++ b/source3/libsmb/clirap.c
+@@ -327,7 +327,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
+ sizeof(param) - PTR_DIFF(p,param) - 1,
+ STR_TERMINATE|STR_UPPER);
+
+- if (len == (size_t)-1) {
++ if (len == 0) {
+ SAFE_FREE(last_entry);
+ return false;
+ }
+@@ -339,7 +339,7 @@ bool cli_NetServerEnum(struct cli_state *cli, char *workgroup, uint32 stype,
+ sizeof(param) - PTR_DIFF(p,param) - 1,
+ STR_TERMINATE);
+
+- if (len == (size_t)-1) {
++ if (len == 0) {
+ SAFE_FREE(last_entry);
+ return false;
+ }
+diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
+index 63c2ad7..66ab8a2 100644
+--- a/source3/smbd/lanman.c
++++ b/source3/smbd/lanman.c
+@@ -128,7 +128,7 @@ static int CopyExpanded(connection_struct *conn,
+ return 0;
+ }
+ l = push_ascii(*dst,buf,*p_space_remaining, STR_TERMINATE);
+- if (l == -1) {
++ if (l == 0) {
+ return 0;
+ }
+ (*dst) += l;
+@@ -143,7 +143,7 @@ static int CopyAndAdvance(char **dst, char *src, int *n)
+ return 0;
+ }
+ l = push_ascii(*dst,src,*n, STR_TERMINATE);
+- if (l == -1) {
++ if (l == 0) {
+ return 0;
+ }
+ (*dst) += l;
+--
+2.0.0.526.g5318336
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index ba15772..fcf3257 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -1,7 +1,7 @@
# Set --with testsuite or %bcond_without to run the Samba torture testsuite.
%bcond_with testsuite
-%define main_release 33
+%define main_release 35
%define samba_version 4.1.1
%define talloc_version 2.0.8
@@ -115,6 +115,9 @@ Patch26: samba-4.1.6-fix_fragmented_rpc_handling.patch
Patch27: samba-4.1.7-make_pidl_lsa_struct_public.patch
Patch28: samba-4.1.7-Make_daemons_systemd_aware.patch
Patch29: samba-4.1.6-ipv6_workaround.patch
+Patch30: samba-CVE-2014-0244.patch
+Patch31: samba-CVE-2014-3493.patch
+Patch32: samba-CVE-2014-0178.patch
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
@@ -550,6 +553,9 @@ module necessary to communicate to the Winbind Daemon
%patch27 -p1 -b .samba-4.1.7-make_pidl_lsa_struct_public.patch
%patch28 -p1 -b .samba-4.1.7-Make_daemons_systemd_aware.patch
%patch29 -p1 -b .samba-4.1.6-ipv6_workaround.patch
+%patch30 -p1 -b .samba-CVE-2014-0244.patch
+%patch31 -p1 -b .samba-CVE-2014-3493.patch
+%patch32 -p1 -b .samba-CVE-2014-0178.patch
%build
%global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1616,6 +1622,11 @@ rm -rf %{buildroot}
%{_mandir}/man8/pam_winbind.8*
%changelog
+* Wed Jun 11 2014 - Guenther Deschner <gdeschner@redhat.com> - 4.1.1-35
+- resolves: #1105504 - CVE-2014-0244: DoS in nmbd.
+- resolves: #1108844 - CVE-2014-3493: DoS in smbd with unicode path names.
+- resolves: #1105573 - CVE-2014-0178: Uninitialized memory exposure.
+
* Mon May 05 2014 - Andreas Schneider <asn@redhat.com> - 4.1.1-33
- related: #717484 - Add missing configure line to enable profiling data support.