diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/REVISION samba-3.0.5/REVISION
--- samba-3.0.4/REVISION Fri May 7 19:32:51 2004
+++ samba-3.0.5/REVISION Wed Dec 31 18:00:00 1969
@@ -1,11 +0,0 @@
-Path: .
-URL: svn+ssh://svn.samba.org/home/svn/samba/branches/SAMBA_3_0_RELEASE
-Repository UUID: 0c0555d6-39d7-0310-84fc-f1cc0bd64818
-Revision: 580
-Node Kind: directory
-Schedule: normal
-Last Changed Author: samba-bugs
-Last Changed Rev: 580
-Last Changed Date: 2004-05-07 19:18:31 -0500 (Fri, 07 May 2004)
-Properties Last Updated: 2004-04-05 07:42:09 -0500 (Mon, 05 Apr 2004)
-
diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/WHATSNEW.txt samba-3.0.5/WHATSNEW.txt
--- samba-3.0.4/WHATSNEW.txt Fri May 7 19:16:20 2004
+++ samba-3.0.5/WHATSNEW.txt Tue Jul 20 11:30:47 2004
@@ -1,13 +1,79 @@ ============================= + Release Notes for Samba 3.0.5 + July 20, 2004 + ============================= + +######################## SECURITY RELEASE ######################## + +Summary: Multiple Potential Buffer Overruns in Samba 3.0.x +CVE ID: CAN-2004-0600, CAN-2004-0686 + (http://cve.mitre.org/) + + +This is the latest stable release of Samba. This is the version +that production Samba servers should be running for all current +bug-fixes. + +It has been confirmed that versions of Samba 3 prior to v3.0.4 +are vulnerable to two potential buffer overruns. The individual +details are given below. + + +------------- +CAN-2004-0600 +------------- + +Affected Versions: Samba 3.0.2 and later + +The internal routine used by the Samba Web Administration +Tool (SWAT v3.0.2 and later) to decode the base64 data +during HTTP basic authentication is subject to a buffer +overrun caused by an invalid base64 character. It is +recommended that all Samba v3.0.2 or later installations +running SWAT either (a) upgrade to v3.0.5, or (b) disable +the swat administration service as a temporary workaround. + +This same code is used internally to decode the +sambaMungedDial attribute value when using the ldapsam +passdb backend. While we do not believe that the base64 +decoding routines used by the ldapsam passdb backend can +be exploited, sites using an LDAP directory service with +Samba are strongly encouraged to verify that the DIT only +allows write access to sambaSamAccount attributes by a +sufficiently authorized user. + +The Samba Team would like to heartily thank Evgeny Demidov +for analyzing and reporting this bug. + + +------------- +CAN-2004-0686 +------------- + +Affected Versions: Samba 3.0.0 and later + +A buffer overrun has been located in the code used to support +the 'mangling method = hash' smb.conf option. Please be aware +that the default setting for this parameter is 'mangling method += hash2' and therefore not vulnerable. 
+ +Affected Samba 3 installations can avoid this possible security +bug by using the default hash2 mangling method. Server +installations requiring the hash mangling method are encouraged +to upgrade to Samba 3.0.5. + + +################################################################## + + +Changes for older versions follow below: + + -------------------------------------------------- + ============================= Release Notes for Samba 3.0.4 May 8, 2004 ============================= -This is the latest stable release of Samba. This is the version -that production Samba servers should be running for all -current bug-fixes. There have been several issues fixes since -the 3.0.3 release and new features have been added as well. -See the "Changes" section for details on exact updates. Common bugs fixed in Samba 3.0.4 include: @@ -18,11 +84,6 @@ o Several memory leaks in winbindd and smbd. o Compile issues on AIX and *BSD. - -###################################################################### -Changes -####### - Changes since 3.0.3 -------------------- @@ -107,8 +168,6 @@ * Add additional NT_STATUS errorm mappings. -Changes for older versions follow below: - -------------------------------------------------- ============================= diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/packaging/Fedora/makerpms.sh samba-3.0.5/packaging/Fedora/makerpms.sh --- samba-3.0.4/packaging/Fedora/makerpms.sh Fri May 7 19:32:50 2004 +++ samba-3.0.5/packaging/Fedora/makerpms.sh Tue Jul 20 11:32:38 2004 @@ -18,7 +18,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='3.0.4' +VERSION='3.0.5' SPECFILE="samba.spec" RPMVER=`rpm --version | awk '{print $3}'` RPM="rpmbuild" diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/packaging/Fedora/samba.spec samba-3.0.5/packaging/Fedora/samba.spec --- samba-3.0.4/packaging/Fedora/samba.spec Fri May 7 19:32:50 2004 +++ samba-3.0.5/packaging/Fedora/samba.spec Tue Jul 20 11:32:38 2004 
@@ -3,7 +3,7 @@ Summary: The Samba SMB server. Name: samba -Version: 3.0.4 +Version: 3.0.5 Release: 1 License: GNU GPL Version 2 Group: System Environment/Daemons diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/packaging/Mandrake/makerpms.sh samba-3.0.5/packaging/Mandrake/makerpms.sh --- samba-3.0.4/packaging/Mandrake/makerpms.sh Fri May 7 19:32:50 2004 +++ samba-3.0.5/packaging/Mandrake/makerpms.sh Tue Jul 20 11:32:38 2004 @@ -20,7 +20,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='3.0.4' +VERSION='3.0.5' RPMVER=`rpm --version | awk '{print $3}'` echo The RPM Version on this machine is: $RPMVER diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/packaging/Mandrake/samba2.spec samba-3.0.5/packaging/Mandrake/samba2.spec --- samba-3.0.4/packaging/Mandrake/samba2.spec Fri May 7 19:32:50 2004 +++ samba-3.0.5/packaging/Mandrake/samba2.spec Tue Jul 20 11:32:38 2004 @@ -24,7 +24,7 @@ %define libname %mklibname smbclient %libsmbmajor # Version and release replaced by samba-team at release from samba cvs -%define pversion 3.0.4 +%define pversion 3.0.5 %define prelease 1 #Check to see if p(version|release) has been replaced (1 if replaced) diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/packaging/RedHat/makerpms.sh samba-3.0.5/packaging/RedHat/makerpms.sh --- samba-3.0.4/packaging/RedHat/makerpms.sh Fri May 7 19:32:50 2004 +++ samba-3.0.5/packaging/RedHat/makerpms.sh Tue Jul 20 11:32:38 2004 @@ -20,7 +20,7 @@ USERID=`id -u` GRPID=`id -g` -VERSION='3.0.4' +VERSION='3.0.5' SPECFILE="samba3.spec" RPMVER=`rpm --version | awk '{print $3}'` RPM="rpm" diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/packaging/RedHat/samba.spec samba-3.0.5/packaging/RedHat/samba.spec --- samba-3.0.4/packaging/RedHat/samba.spec Fri May 7 19:32:50 2004 +++ samba-3.0.5/packaging/RedHat/samba.spec Tue Jul 20 11:32:38 2004 
@@ -4,7 +4,7 @@ Summary: Samba SMB client and server Vendor: Samba Team Name: samba -Version: 3.0.4 +Version: 3.0.5 Release: 1 License: GNU GPL version 2 Group: Networking diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/packaging/Solaris/makepkg.sh samba-3.0.5/packaging/Solaris/makepkg.sh --- samba-3.0.4/packaging/Solaris/makepkg.sh Fri May 7 19:32:50 2004 +++ samba-3.0.5/packaging/Solaris/makepkg.sh Tue Jul 20 11:32:38 2004 @@ -156,7 +156,7 @@ fi # Setup version from version.h -VERSION=3.0.4 +VERSION=3.0.5 sed -e "s|__VERSION__|$VERSION|" -e "s|__ARCH__|`uname -p`|" -e "s|__BASEDIR__|$INSTALL_BASE|g" pkginfo.master >pkginfo sed -e "s|__BASEDIR__|$INSTALL_BASE|g" inetd.conf.master >inetd.conf diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/VERSION samba-3.0.5/source/VERSION --- samba-3.0.4/source/VERSION Fri May 7 14:27:32 2004 +++ samba-3.0.5/source/VERSION Tue Jul 20 11:30:47 2004 @@ -19,7 +19,7 @@ ######################################################## SAMBA_VERSION_MAJOR=3 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=4 +SAMBA_VERSION_RELEASE=5 ######################################################## # If a official release has a serious bug # diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/include/mangle.h samba-3.0.5/source/include/mangle.h --- samba-3.0.4/source/include/mangle.h Sun Apr 4 01:37:24 2004 +++ samba-3.0.5/source/include/mangle.h Tue Jul 20 11:30:47 2004 
@@ -8,7 +8,7 @@ BOOL (*is_mangled)(const char *s); BOOL (*is_8_3)(const char *fname, BOOL check_case, BOOL allow_wildcards); void (*reset)(void); - BOOL (*check_cache)(char *s); + BOOL (*check_cache)(char *s, size_t maxlen); void (*name_map)(char *OutName, BOOL need83, BOOL cache83); }; #endif /* _MANGLE_H_ */ diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/include/version.h samba-3.0.5/source/include/version.h --- samba-3.0.4/source/include/version.h Fri May 7 19:33:22 2004 +++ samba-3.0.5/source/include/version.h Tue Jul 20 11:32:57 2004 @@ -1,6 +1,6 @@ /* Autogenerated by script/mkversion.sh */ #define SAMBA_VERSION_MAJOR 3 #define SAMBA_VERSION_MINOR 0 -#define SAMBA_VERSION_RELEASE 4 -#define SAMBA_VERSION_OFFICIAL_STRING "3.0.4" +#define SAMBA_VERSION_RELEASE 5 +#define SAMBA_VERSION_OFFICIAL_STRING "3.0.5" #define SAMBA_VERSION_STRING samba_version_string() diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/lib/util_str.c samba-3.0.5/source/lib/util_str.c --- samba-3.0.4/source/lib/util_str.c Tue Apr 20 15:42:55 2004 +++ samba-3.0.5/source/lib/util_str.c Tue Jul 20 11:30:47 2004 @@ -1951,7 +1951,9 @@ s++; i++; } - if (*s == '=') n -= 1; + if ((n > 0) && (*s == '=')) { + n -= 1; + } /* fix up length */ decoded.length = n; @@ -1964,9 +1966,15 @@ void base64_decode_inplace(char *s) { DATA_BLOB decoded = base64_decode_data_blob(s); - memcpy(s, decoded.data, decoded.length); - /* null terminate */ - s[decoded.length] = '\0'; + + if ( decoded.length != 0 ) { + memcpy(s, decoded.data, decoded.length); + + /* null terminate */ + s[decoded.length] = '\0'; + } else { + *s = '\0'; + } data_blob_free(&decoded); } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/smbd/filename.c samba-3.0.5/source/smbd/filename.c --- samba-3.0.4/source/smbd/filename.c Sun Apr 4 01:37:31 2004 +++ samba-3.0.5/source/smbd/filename.c Tue Jul 20 11:30:47 2004 
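Review bot: The new `maxlen` parameter on the `check_cache` member has no stated unit in this header, yet its callers pass both `sizeof(pstring)-1` and a pass-through `maxlength`, so whether it counts characters excluding the terminating NUL or the whole buffer is left for each backend to guess, and the two backends use different string helpers. I would document it on the member: `/* maxlen: room in s for characters, not counting the terminating NUL; s must be at least maxlen+1 bytes */`, assuming the `sizeof(pstring)-1` call sites reflect the intended contract — confirm against safe_strcpy's and slprintf's conventions. The struct this member belongs to starts outside the hunk.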
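Review bot: The added `n > 0` test in the `'='` branch carries no comment, and the reason matters: an input that begins with `=` reaches this line with `n` still 0, and the old unconditional decrement drove it negative, which `decoded.length = n` two lines later turned into an enormous length for the caller's memcpy (if `n` is a signed int, as the comparison suggests; its declaration is outside the hunk). I would write `/* leading '=': n is still 0 and must not go negative, or decoded.length becomes huge */` above the test. Separately, the loop above still stops silently at the first character that is not base64, so a malformed string yields a truncated decode rather than a rejection; if the loop condition (outside the hunk) is of the form `*s && strchr(...)`, then `if (*s && *s != '=') n = 0;` after it would make malformed input decode to nothing instead of a prefix. base64_decode_data_blob begins outside the hunk.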
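Review bot: The new `else` branch turns any input the decoder rejects into an empty string with no way for the caller to tell it apart from a genuinely empty value, which for the SWAT `Authorization: Basic` header means a malformed credential now reads as an empty one rather than as an error. The function is `void`, so the least intrusive fix is to state the contract where callers will see it: `/* On input the decoder cannot handle, s becomes the empty string; callers must treat an empty result as a failed decode, not as empty credentials. */`. The branch also relies on the decoded length never exceeding strlen(s), which is what makes `s[decoded.length] = '\0'` an in-bounds write into the caller's buffer; that holds for base64 (at most three output bytes per four input characters) but deserves a one-line comment since nothing in this function checks it.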
@@ -306,7 +306,7 @@ */ if (mangle_is_mangled(start)) { - mangle_check_cache( start ); + mangle_check_cache( start, sizeof(pstring) - 1 - (start - name) ); } DEBUG(5,("New file %s\n",start)); @@ -455,7 +455,7 @@ * (JRA). */ if (mangled) - mangled = !mangle_check_cache( name ); + mangled = !mangle_check_cache( name, maxlength ); /* open the directory */ if (!(cur_dir = OpenDir(conn, path, True))) { diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/smbd/mangle.c samba-3.0.5/source/smbd/mangle.c --- samba-3.0.4/source/smbd/mangle.c Sun Apr 4 01:37:30 2004 +++ samba-3.0.5/source/smbd/mangle.c Tue Jul 20 11:30:47 2004 @@ -98,9 +98,9 @@ looking for a matching name if it doesn't. It should succeed most of the time or there will be a huge performance penalty */ -BOOL mangle_check_cache(char *s) +BOOL mangle_check_cache(char *s, size_t maxlen) { - return mangle_fns->check_cache(s); + return mangle_fns->check_cache(s, maxlen); } /* diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/smbd/mangle_hash.c samba-3.0.5/source/smbd/mangle_hash.c --- samba-3.0.4/source/smbd/mangle_hash.c Sun Apr 4 01:37:29 2004 +++ samba-3.0.5/source/smbd/mangle_hash.c Tue Jul 20 11:30:47 2004 @@ -569,7 +569,7 @@ * Check for a name on the mangled name stack * * Input: s - Input *and* output string buffer. - * + * maxlen - space in i/o string buffer. * Output: True if the name was found in the cache, else False. * * Notes: If a reverse map is found, the function will overwrite the string @@ -580,7 +580,7 @@ * ************************************************************************** ** */ -static BOOL check_cache( char *s ) +static BOOL check_cache( char *s, size_t maxlen ) { ubi_cacheEntryPtr FoundPtr; char *ext_start = NULL; @@ -614,7 +614,7 @@ if( !FoundPtr ) { if(saved_ext) { /* Replace the saved_ext as it was truncated. */ - (void)pstrcat( s, saved_ext ); + (void)safe_strcat( s, saved_ext, maxlen ); SAFE_FREE(saved_ext); } return( False ); 
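Review bot: The bound `sizeof(pstring) - 1 - (start - name)` passed to `mangle_check_cache` silently assumes both that `name` is a full `pstring` and that `start` points inside it; neither fact is visible in the hunk (unix_convert begins outside it), and a `start` past the end of the buffer would wrap the size_t subtraction to a huge value. Recording the assumption next to the call, `/* name is a pstring and start points into it: pass the room left after start, not counting the NUL */`, would at least make the dependency visible, since the compiler cannot check it through a `char *`.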
@@ -624,10 +624,10 @@ found_name = (char *)(FoundPtr + 1); found_name += (strlen( found_name ) + 1); - (void)pstrcpy( s, found_name ); + (void)safe_strcpy( s, found_name, maxlen ); if( saved_ext ) { /* Replace the saved_ext as it was truncated. */ - (void)pstrcat( s, saved_ext ); + (void)safe_strcat( s, saved_ext, maxlen ); SAFE_FREE(saved_ext); } diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/smbd/mangle_hash2.c samba-3.0.5/source/smbd/mangle_hash2.c --- samba-3.0.4/source/smbd/mangle_hash2.c Sun Apr 4 01:37:30 2004 +++ samba-3.0.5/source/smbd/mangle_hash2.c Tue Jul 20 11:30:47 2004 @@ -362,10 +362,8 @@ /* try to find a 8.3 name in the cache, and if found then replace the string with the original long name. - - The filename must be able to hold at least sizeof(fstring) */ -static BOOL check_cache(char *name) +static BOOL check_cache(char *name, size_t maxlen) { u32 hash, multiplier; unsigned int i; @@ -403,10 +401,10 @@ if (extension[0]) { M_DEBUG(10,("check_cache: %s -> %s.%s\n", name, prefix, extension)); - slprintf(name, sizeof(fstring), "%s.%s", prefix, extension); + slprintf(name, maxlen, "%s.%s", prefix, extension); } else { M_DEBUG(10,("check_cache: %s -> %s\n", name, prefix)); - fstrcpy(name, prefix); + safe_strcpy(name, prefix, maxlen); } return True; diff -u -r --new-file --exclude .svn --exclude CVS samba-3.0.4/source/smbd/reply.c samba-3.0.5/source/smbd/reply.c --- samba-3.0.4/source/smbd/reply.c Sun Apr 4 01:37:30 2004 +++ samba-3.0.5/source/smbd/reply.c Tue Jul 20 11:30:47 2004 @@ -1524,7 +1524,7 @@ */ if (!rc && mangle_is_mangled(mask)) - mangle_check_cache( mask ); + mangle_check_cache( mask, sizeof(pstring)-1 ); if (!has_wild) { pstrcat(directory,"/"); @@ -3664,7 +3664,7 @@ */ if (!rc && mangle_is_mangled(mask)) - mangle_check_cache( mask ); + mangle_check_cache( mask, sizeof(pstring)-1 ); has_wild = ms_has_wild(mask); 
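Review bot: When the un-mangled `found_name` plus the restored extension is longer than `maxlen`, the new `safe_strcpy`/`safe_strcat` pair truncates silently and the function goes on to report a cache hit, so an 8.3 name that used to overflow the buffer now resolves to a different, shortened long name instead; silent truncation of a filename is a correctness problem even once the overrun is gone. I would check the total length before overwriting `s` and treat a non-fitting entry like a miss, restoring the extension exactly as the not-found path in the previous hunk does. This assumes `maxlen` counts characters excluding the NUL, as the `sizeof(pstring)-1` call sites suggest — confirm against safe_strcpy. The `return` that follows the visible lines is outside the hunk.
```c
	found_name = (char *)(FoundPtr + 1);
	found_name += (strlen( found_name ) + 1);

	/* Never hand back a truncated long name: a reverse mapping that
	 * does not fit in the caller's buffer is treated as a cache miss. */
	if (strlen(found_name) + (saved_ext ? strlen(saved_ext) : 0) > maxlen) {
		if (saved_ext) {
			/* Replace the saved_ext as it was truncated. */
			(void)safe_strcat( s, saved_ext, maxlen );
			SAFE_FREE(saved_ext);
		}
		return( False );
	}

	(void)safe_strcpy( s, found_name, maxlen );
	/* … unchanged: restore saved_ext after the copy … */
```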
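Review bot: The `slprintf(name, maxlen, "%s.%s", prefix, extension)` call truncates when the rebuilt long name does not fit and the function still returns True, so an oversized cache entry now yields a wrong, shortened filename rather than a miss; its return value is discarded, and the `safe_strcpy` in the other branch must agree with `slprintf` on whether `maxlen` includes the NUL, which the hunk does not document now that the old "must hold at least sizeof(fstring)" comment is gone. I would refuse the entry up front, `if (strlen(prefix) + (extension[0] ? strlen(extension) + 1 : 0) > maxlen) return False;` placed before `if (extension[0])`, with a comment that the caller then falls back to the mangled name. check_cache's body begins outside the hunk, and whether `maxlen` counts the terminator rests on the `sizeof(pstring)-1` convention of the callers — confirm against slprintf's definition.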
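Review bot: The bound `sizeof(pstring)-1` hard-codes the assumption that `mask` is a `pstring`; if `mask` is a local `pstring` here (its declaration is outside the hunk), `sizeof(mask)-1` expresses the same value while tying it to the actual declaration, so a later change of the buffer type is caught by the compiler rather than becoming a fresh overrun. If `mask` is instead a `char *` parameter, `sizeof(mask)` would be the pointer size and the current form is the right one, which is worth saying in a comment: `/* mask is a pstring: room for the name, not counting the NUL */`. The same constant is repeated at the two later `mangle_check_cache` calls in this file, so whichever form is chosen should be applied to all of them.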
@@ -4136,7 +4136,7 @@ */ if (!rc && mangle_is_mangled(mask)) - mangle_check_cache( mask ); + mangle_check_cache( mask, sizeof(pstring)-1 ); has_wild = ms_has_wild(mask);