Add patch to correct remote root vulnerability.

This vulnerability is being exploited in the wild.
author: Jacques Vidrine <nectar@FreeBSD.org> 2003-04-07 13:34:58 +0000
committer: Jacques Vidrine <nectar@FreeBSD.org> 2003-04-07 13:34:58 +0000
commit: 25e295a55daefb0f7cd8aead9082ae583b2a2bcb (patch)
tree: 03a033dedb66ab6d600fb432d8ad932e20223339 /net/samba
parent: Allow the user to specify environment variables on the command line. (diff)
6 files changed, 77 insertions, 1 deletions
diff --git a/net/samba/Makefile b/net/samba/Makefile
index 98f8dbc43b71..3b0f7ba491c2 100644
--- a/net/samba/Makefile
+++ b/net/samba/Makefile
@@ -7,7 +7,7 @@
 
 PORTNAME=	samba
 PORTVERSION=	2.2.8
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net
 MASTER_SITES=	http://us3.samba.org/samba/ftp/%SUBDIR%/ \
 		http://us4.samba.org/samba/ftp/%SUBDIR%/ \
diff --git a/net/samba/files/patch-security-aa b/net/samba/files/patch-security-aa
new file mode 100644
index 000000000000..e88e02744d9c
--- /dev/null
+++ b/net/samba/files/patch-security-aa
@@ -0,0 +1,22 @@
+diff -u -r --new-file --exclude=CVS source/smbd/trans2.c samba-2.2.8a/source/smbd/trans2.c
+--- source/smbd/trans2.c	2003-03-14 15:34:49.000000000 -0600
++++ source/smbd/trans2.c	2003-04-05 12:38:22.000000000 -0600
+@@ -217,7 +217,6 @@
+ 	int16 open_ofun;
+ 	int32 open_size;
+ 	char *pname;
+-	int16 namelen;
+ 
+ 	pstring fname;
+ 	mode_t unixmode;
+@@ -247,9 +246,8 @@
+ 	open_ofun = SVAL(params,12);
+ 	open_size = IVAL(params,14);
+ 	pname = &params[28];
+-	namelen = strlen(pname)+1;
+ 
+-	StrnCpy(fname,pname,namelen);
++	pstrcpy(fname, pname);
+ 
+ 	DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n",
+ 		fname,open_mode, open_attr, open_ofun, open_size));
diff --git a/net/samba/files/patch-security-ab b/net/samba/files/patch-security-ab
new file mode 100644
index 000000000000..76b09577b9b1
--- /dev/null
+++ b/net/samba/files/patch-security-ab
@@ -0,0 +1,23 @@
+diff -u -r --new-file --exclude=CVS source/smbd/reply.c samba-2.2.8a/source/smbd/reply.c
+--- source/smbd/reply.c	2003-03-14 15:34:49.000000000 -0600
++++ source/smbd/reply.c	2003-04-05 14:16:35.000000000 -0600
+@@ -1500,6 +1500,9 @@
+ 
+         for (i=numentries;(i<maxentries) && !finished;i++)
+         {
++	  /* check to make sure we have room in the buffer */
++	  if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE )
++	  	break;
+           finished = 
+             !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend);
+           if (!finished)
+@@ -3528,6 +3531,9 @@
+     
+ 
+ 		for (i=first;i<first+num_to_get;i++) {
++			/* check to make sure we have room in the buffer */
++			if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE )
++				break;
+ 			put_dos_date2(p,0,queue[i].time);
+ 			SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3));
+ 			SSVAL(p,5, queue[i].job);
diff --git a/net/samba/files/patch-security-ac b/net/samba/files/patch-security-ac
new file mode 100644
index 000000000000..10887607716b
--- /dev/null
+++ b/net/samba/files/patch-security-ac
@@ -0,0 +1,12 @@
+diff -u -r --new-file --exclude=CVS source/smbd/statcache.c samba-2.2.8a/source/smbd/statcache.c
+--- source/smbd/statcache.c	2001-10-11 04:34:37.000000000 -0500
++++ source/smbd/statcache.c	2003-04-04 16:02:33.000000000 -0600
+@@ -88,7 +88,7 @@
+    * StrnCpy always null terminates.
+    */
+ 
+-  StrnCpy(orig_name, full_orig_name, namelen);
++  StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
+   if(!case_sensitive)
+     strupper( orig_name );
+ 
diff --git a/net/samba/files/patch-security-ad b/net/samba/files/patch-security-ad
new file mode 100644
index 000000000000..7c05bc1f1730
--- /dev/null
+++ b/net/samba/files/patch-security-ad
@@ -0,0 +1,12 @@
+diff -u -r --new-file --exclude=CVS source/smbd/password.c samba-2.2.8a/source/smbd/password.c
+--- source/smbd/password.c	2003-03-14 15:34:49.000000000 -0600
++++ source/smbd/password.c	2003-04-04 16:02:33.000000000 -0600
+@@ -816,7 +816,7 @@
+ 		if (!ok && lp_username(snum)) {
+ 			char *auser;
+ 			pstring user_list;
+-			StrnCpy(user_list,lp_username(snum),sizeof(pstring));
++			StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
+ 
+ 			pstring_sub(user_list,"%S",lp_servicename(snum));
+ 	  
diff --git a/net/samba/files/patch-security-ae b/net/samba/files/patch-security-ae
new file mode 100644
index 000000000000..e47c4fdadd93
--- /dev/null
+++ b/net/samba/files/patch-security-ae
@@ -0,0 +1,7 @@
+*** source/include/version.h.orig	Sat Apr  5 10:00:34 2003
+--- source/include/version.h	Sat Apr  5 10:00:39 2003
+***************
+*** 1 ****
+! #define VERSION "2.2.8"
+--- 1 ----
+! #define VERSION "2.2.8p1"
author	Jacques Vidrine <nectar@FreeBSD.org>	2003-04-07 13:34:58 +0000
committer	Jacques Vidrine <nectar@FreeBSD.org>	2003-04-07 13:34:58 +0000
commit	25e295a55daefb0f7cd8aead9082ae583b2a2bcb (patch)
tree	03a033dedb66ab6d600fb432d8ad932e20223339 /net/samba
parent	Allow the user to specify environment variables on the command line. (diff)