diff -u -r --new-file --exclude=CVS samba-2.2.8/WHATSNEW.txt samba-2.2.8a/WHATSNEW.txt --- samba-2.2.8/WHATSNEW.txt Fri Mar 14 22:44:40 2003 +++ samba-2.2.8a/WHATSNEW.txt Sun Apr 6 21:17:54 2003 @@ -1,4 +1,4 @@ - What's new in Samba 2.2.8 - 14th March 2003 + What's new in Samba 2.2.8a - 7th April 2003 =========================================== This is the latest stable release of Samba. This is the version that 
@@ -12,6 +12,50 @@ Summary ------- +Digital Defense, Inc. has alerted the Samba Team to a serious +vulnerability in all stable versions of Samba currently shipping. +The Common Vulnerabilities and Exposures (CVE) project has assigned +the ID CAN-2003-0201 to this defect. + +This vulnerability, if exploited correctly, leads to an anonymous +user gaining root access on a Samba serving system. All versions +of Samba up to and including Samba 2.2.8 are vulnerable. An active +exploit of the bug has been reported in the wild. Alpha versions of +Samba 3.0 and above are *NOT* vulnerable. + + +Credit +------ + +The Samba Team would like to thank Erik Parker and the team at +Digital Defense, Inc. for their efforts spent in the responsible +and timely reporting of this bug. + + +Patch Availability +------------------ + +The Samba 2.2.8a release contains only updates to address this +security issue. A roll-up patch for release 2.2.7a and 2.0.10 +addressing both CAN-2003-0201 and CAN-2003-0085 can be obtained +from http://www.samba.org/samba/ftp/patches/security/. + + + ======================================== + + +Older releases notes for 2.2.x distributions follow + +----------------------------------------------------------------- +The release notes for 2.2.8 follow: + + **************************************** + * IMPORTANT: Security bugfix for Samba * + **************************************** + +Summary +------- + The SuSE security audit team, in particular Sebastian Krahmer , has found an flaw in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain @@ -204,7 +248,6 @@ **************************************** **************************************** ------------------------------------------------------------------ Changes since 2.2.7a --------------------- 
@@ -333,11 +376,7 @@ 6) Correctly handle querygroup rpcclient command 7) fix broken incremental tar in smbtar command - ========================================= -Older releases notes for 2.2.x distributions follow - ------------------------------------------------------------------ The release notes for 2.2.7 follow : IMPORTANT: Security bugfix for Samba diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/Caldera/OpenLinux/makerpms.sh samba-2.2.8a/packaging/Caldera/OpenLinux/makerpms.sh --- samba-2.2.8/packaging/Caldera/OpenLinux/makerpms.sh Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/Caldera/OpenLinux/makerpms.sh Sun Apr 6 21:22:14 2003 @@ -24,11 +24,11 @@ # Start preparing the packages... if [ $devel -ne 0 ]; then - ( cd ../../../.. ; chown -R ${USERID}.${GRPID} samba; mv samba samba-2.2.8 ) - ( cd ../../../.. ; tar czvf ${SRCDIR}/samba-2.2.8.tar.gz samba-2.2.8; mv samba-2.2.8 samba ) + ( cd ../../../.. ; chown -R ${USERID}.${GRPID} samba; mv samba samba-2.2.8a ) + ( cd ../../../.. ; tar czvf ${SRCDIR}/samba-2.2.8a.tar.gz samba-2.2.8a; mv samba-2.2.8a samba ) else - ( cd ../../../.. ; chown -R ${USERID}.${GRPID} samba-2.2.8 ) - ( cd ../../../.. ; tar czvf ${SRCDIR}/samba-2.2.8.tar.gz samba-2.2.8 ) + ( cd ../../../.. ; chown -R ${USERID}.${GRPID} samba-2.2.8a ) + ( cd ../../../.. ; tar czvf ${SRCDIR}/samba-2.2.8a.tar.gz samba-2.2.8a ) fi cp -af *.spec *.spec-lsb $SPECDIR diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec --- samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec Sun Apr 6 21:22:14 2003 
@@ -1,4 +1,4 @@
-%define Version 2.2.8
+%define Version 2.2.8a
 %define date 1
 %define Vendor Caldera
 %define Dist OpenLinux
diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec-lsb samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec-lsb
--- samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec-lsb Fri Mar 14 22:47:05 2003
+++ samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec-lsb Sun Apr 6 21:22:14 2003
@@ -1,4 +1,4 @@
-%define Version 2.2.8
+%define Version 2.2.8a
 %define date 1
 %define Vendor Caldera
 %define Dist OpenLinux
diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec-sam samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec-sam
--- samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec-sam Fri Mar 14 22:47:05 2003
+++ samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec-sam Sun Apr 6 21:22:14 2003
@@ -1,4 +1,4 @@
-%define Version 2.2.8sam
+%define Version 2.2.8asam
 %define date 1
 %define Vendor Caldera
 %define Dist OpenLinux
diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec-team samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec-team
--- samba-2.2.8/packaging/Caldera/OpenLinux/samba2.spec-team Fri Mar 14 22:47:05 2003
+++ samba-2.2.8a/packaging/Caldera/OpenLinux/samba2.spec-team Sun Apr 6 21:22:14 2003
@@ -1,4 +1,4 @@
-%define Version 2.2.8
+%define Version 2.2.8a
 %define date 1
 %define Vendor Caldera
 %define Dist OpenLinux
diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/Mandrake/makerpms.sh samba-2.2.8a/packaging/Mandrake/makerpms.sh
--- samba-2.2.8/packaging/Mandrake/makerpms.sh Fri Mar 14 22:47:05 2003
+++ samba-2.2.8a/packaging/Mandrake/makerpms.sh Sun Apr 6 21:22:14 2003
@@ -20,7 +20,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='2.2.8' +VERSION='2.2.8a' RPMVER=`rpm --version | awk '{print $3}'` echo The RPM Version on this machine is: $RPMVER diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/Mandrake/samba2.spec samba-2.2.8a/packaging/Mandrake/samba2.spec --- samba-2.2.8/packaging/Mandrake/samba2.spec Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/Mandrake/samba2.spec Sun Apr 6 21:22:14 2003 @@ -3,7 +3,7 @@ %define vscanver 0.3.1 # 2.2.4 and 1 replace by samba-team at release -%define pversion 2.2.8 +%define pversion 2.2.8a %define prelease 1 # For testing this setup: #%define pversion1 2.2.5 diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/PHT/TurboLinux/makerpms.sh samba-2.2.8a/packaging/PHT/TurboLinux/makerpms.sh --- samba-2.2.8/packaging/PHT/TurboLinux/makerpms.sh Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/PHT/TurboLinux/makerpms.sh Sun Apr 6 21:22:14 2003 @@ -6,8 +6,8 @@ USERID=`id -u` GRPID=`id -g` -( cd ../../../.. ; chown -R ${USERID}.${GRPID} ${SRCDIR}/samba-2.2.8 ) -( cd ../../../.. ; tar czvf ${SRCDIR}/samba-2.2.8.tar.gz samba-2.2.8 ) +( cd ../../../.. ; chown -R ${USERID}.${GRPID} ${SRCDIR}/samba-2.2.8a ) +( cd ../../../.. ; tar czvf ${SRCDIR}/samba-2.2.8a.tar.gz samba-2.2.8a ) cp -a *.spec $SPECDIR cp -a *.patch smb.* samba.log $SRCDIR cd $SPECDIR diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/PHT/TurboLinux/samba2.spec samba-2.2.8a/packaging/PHT/TurboLinux/samba2.spec --- samba-2.2.8/packaging/PHT/TurboLinux/samba2.spec Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/PHT/TurboLinux/samba2.spec Sun Apr 6 21:22:14 2003 
@@ -1,10 +1,10 @@ Summary: Samba SMB client and server Name: samba -Version: 2.2.8 +Version: 2.2.8a Release: 1 Copyright: GNU GPL version 2 Group: Networking -Source: ftp://samba.org/pub/samba/samba-2.2.8.tar.gz +Source: ftp://samba.org/pub/samba/samba-2.2.8a.tar.gz Patch: smbw.patch Requires: pam >= 0.64 kernel >= 2.2.1 glibc >= 2.1.2 Prereq: chkconfig fileutils @@ -12,7 +12,7 @@ Prefix: /usr %package -n smbfs -Version: 2.2.8 +Version: 2.2.8a Release: 1 Group: Utilities/File Summary: Programs to mount SMB shares. diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/RedHat/makerpms.sh samba-2.2.8a/packaging/RedHat/makerpms.sh --- samba-2.2.8/packaging/RedHat/makerpms.sh Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/RedHat/makerpms.sh Sun Apr 6 21:22:14 2003 @@ -27,7 +27,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='2.2.8' +VERSION='2.2.8a' RPMVER=`rpm --version | awk '{print $3}'` RPM="rpm" diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/RedHat/samba2-devel.spec samba-2.2.8a/packaging/RedHat/samba2-devel.spec --- samba-2.2.8/packaging/RedHat/samba2-devel.spec Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/RedHat/samba2-devel.spec Sun Apr 6 21:22:14 2003 @@ -1,6 +1,6 @@ Summary: Samba SMB client and server Name: samba -Version: 2.2.8 +Version: 2.2.8a Release: 1 Copyright: GNU GPL version 2 Group: Networking diff -u -r --new-file --exclude=CVS samba-2.2.8/packaging/RedHat/samba2.spec samba-2.2.8a/packaging/RedHat/samba2.spec --- samba-2.2.8/packaging/RedHat/samba2.spec Fri Mar 14 22:47:05 2003 +++ samba-2.2.8a/packaging/RedHat/samba2.spec Sun Apr 6 21:22:14 2003 
@@ -1,6 +1,6 @@ Summary: Samba SMB client and server Name: samba -Version: 2.2.8 +Version: 2.2.8a Release: 1 Copyright: GNU GPL version 2 Group: Networking diff -u -r --new-file --exclude=CVS samba-2.2.8/source/include/version.h samba-2.2.8a/source/include/version.h --- samba-2.2.8/source/include/version.h Fri Mar 14 22:47:00 2003 +++ samba-2.2.8a/source/include/version.h Sun Apr 6 21:22:04 2003 @@ -1 +1 @@ -#define VERSION "2.2.8" +#define VERSION "2.2.8a" diff -u -r --new-file --exclude=CVS samba-2.2.8/source/smbd/password.c samba-2.2.8a/source/smbd/password.c --- samba-2.2.8/source/smbd/password.c Fri Mar 14 15:34:49 2003 +++ samba-2.2.8a/source/smbd/password.c Sun Apr 6 20:54:00 2003 @@ -816,7 +816,7 @@ if (!ok && lp_username(snum)) { char *auser; pstring user_list; - StrnCpy(user_list,lp_username(snum),sizeof(pstring)); + StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1); pstring_sub(user_list,"%S",lp_servicename(snum)); diff -u -r --new-file --exclude=CVS samba-2.2.8/source/smbd/reply.c samba-2.2.8a/source/smbd/reply.c --- samba-2.2.8/source/smbd/reply.c Fri Mar 14 15:34:49 2003 +++ samba-2.2.8a/source/smbd/reply.c Sun Apr 6 20:54:00 2003 @@ -1500,6 +1500,9 @@ for (i=numentries;(i BUFFER_SIZE ) + break; finished = !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend); if (!finished) @@ -3528,6 +3531,9 @@ for (i=first;i BUFFER_SIZE ) + break; put_dos_date2(p,0,queue[i].time); SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3)); SSVAL(p,5, queue[i].job); diff -u -r --new-file --exclude=CVS samba-2.2.8/source/smbd/statcache.c samba-2.2.8a/source/smbd/statcache.c --- samba-2.2.8/source/smbd/statcache.c Thu Oct 11 04:34:37 2001 +++ samba-2.2.8a/source/smbd/statcache.c Sun Apr 6 20:54:00 2003 
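Review bot: In source/smbd/password.c the corrected bound is still written against the type, `sizeof(pstring)-1`, rather than against the destination, so the off-by-one this line fixes could return if `user_list` ever changes type. Since the destination is a pstring, `pstrcpy(user_list, lp_username(snum));` would match what the trans2.c hunk of this same patch does and removes the hand-written size; failing that, `sizeof(user_list)-1` ties the limit to the buffer. A short comment such as `/* StrnCpy always terminates, so the count must leave room for the NUL */` would record why the -1 matters, which the -1 only implies here. The enclosing function starts and ends outside the hunk.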
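Review bot: The added `break` in the directory-entry loop at @@ -1500 of source/smbd/reply.c leaves the loop silently when the reply would pass BUFFER_SIZE, so nothing records that a listing was cut short or that a client asked for more than fits. The condition is only partly legible on this page, so the exact bound cannot be checked here. A log line before the break, for example `DEBUG(1,("reply truncated at entry %d: buffer full\n", i));`, would make the event visible to whoever reads the smbd log; the same applies to the matching guard added at @@ -3528. Both loops begin and end outside their hunks.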
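Review bot: After the early `break` in the print-queue loop at @@ -3528, fewer records than planned may have been written at `p`, yet the hunk does not show the reply's count and length fields being recomputed. If those are derived from the requested count rather than from `i` at the point of exit, the reply would advertise records that were never filled in, and the client would read whatever the buffer held there before. That code is outside the hunk, so this is a point to confirm: the count sent back should be `i - first` as it stands after the loop.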
@@ -88,7 +88,7 @@ * StrnCpy always null terminates. */ - StrnCpy(orig_name, full_orig_name, namelen); + StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1)); if(!case_sensitive) strupper( orig_name ); diff -u -r --new-file --exclude=CVS samba-2.2.8/source/smbd/trans2.c samba-2.2.8a/source/smbd/trans2.c --- samba-2.2.8/source/smbd/trans2.c Fri Mar 14 15:34:49 2003 +++ samba-2.2.8a/source/smbd/trans2.c Sun Apr 6 20:54:00 2003 @@ -217,7 +217,6 @@ int16 open_ofun; int32 open_size; char *pname; - int16 namelen; pstring fname; mode_t unixmode; @@ -247,9 +246,8 @@ open_ofun = SVAL(params,12); open_size = IVAL(params,14); pname = ¶ms[28]; - namelen = strlen(pname)+1; - StrnCpy(fname,pname,namelen); + pstrcpy(fname, pname); DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n", fname,open_mode, open_attr, open_ofun, open_size));
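Review bot: Clamping only the argument in `StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));` leaves `namelen` itself at its original value, so any later use of it in this function (not visible in the hunk) would still describe more bytes than `orig_name` holds. Clamping the variable first, `namelen = MIN(namelen, sizeof(orig_name)-1);`, and then passing `namelen` to StrnCpy keeps the two in step. Separately, a name truncated here is stored or looked up under a shortened key; if this is the cache-insert path, it may be safer to skip over-long names than to cache a truncated one. The function body starts and ends outside the hunk.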
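Review bot: `pstrcpy(fname, pname);` at @@ -247 of source/smbd/trans2.c bounds the write into `fname`, but the read side is still unbounded: `pname` points 28 bytes into the client-supplied parameter block and the copy runs until it meets a NUL. Nothing in the hunk checks that the block is longer than 28 bytes or that the name is terminated inside it; unless that is validated earlier in the function, outside the hunk, a short or unterminated request would make the copy read past the received data. A length check against the received parameter count before `pname` is taken, returning an error when it fails, would close that. A comment such as `/* pname is client-controlled; pstrcpy limits the copy to sizeof(pstring) */` would also help the next reader.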