Bug#488688: samba: regression with CVE-2008-1105: serving large files may break

Mon, 30 Jun 2008 09:52:52 -0700 

Package: samba
Version: 2:3.0.30-2
Severity: normal
Tags: patch
User: [EMAIL PROTECTED]
Usertags: origin-ubuntu intrepid ubuntu-patch


In Ubuntu, we've applied the attached patch to our development and stable
releases to achieve the following:

  * debian/patches/upstream_bug5517.patch: adjust cli_negprot() to properly
    calculate buffer sizes. This bug was introduced in the fix for
    CVE-2008-1105
  * References
    https://bugs.launchpad.net/ubuntu/+source/samba/+bug/241448
    https://bugzilla.samba.org/show_bug.cgi?id=5517

Jamie

diff -u samba-3.0.30/debian/changelog samba-3.0.30/debian/changelog
diff -u samba-3.0.30/debian/patches/series samba-3.0.30/debian/patches/series
--- samba-3.0.30/debian/patches/series
+++ samba-3.0.30/debian/patches/series
@@ -17,0 +18 @@
+upstream_bug5517.patch
only in patch2:
unchanged:
--- samba-3.0.30.orig/debian/patches/upstream_bug5517.patch
+++ samba-3.0.30/debian/patches/upstream_bug5517.patch
@@ -0,0 +1,16 @@
+diff -Nur samba-3.0.30/source/libsmb/cliconnect.c 
samba-3.0.30.new/source/libsmb/cliconnect.c
+--- samba-3.0.30/source/libsmb/cliconnect.c    2008-05-28 08:41:11.000000000 
-0400
++++ samba-3.0.30.new/source/libsmb/cliconnect.c        2008-06-30 
09:17:06.000000000 -0400
+@@ -1328,9 +1328,9 @@
+               if (cli->capabilities & (CAP_LARGE_READX|CAP_LARGE_WRITEX)) {
+                       SAFE_FREE(cli->outbuf);
+                       SAFE_FREE(cli->inbuf);
+-                      cli->outbuf = (char 
*)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN);
+-                      cli->inbuf = (char 
*)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN);
+-                      cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE;
++                      cli->outbuf = (char 
*)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN);
++                      cli->inbuf = (char 
*)SMB_MALLOC(CLI_SAMBA_MAX_LARGE_READX_SIZE+LARGE_WRITEX_HDR_SIZE+SAFETY_MARGIN);
++                      cli->bufsize = CLI_SAMBA_MAX_LARGE_READX_SIZE + 
LARGE_WRITEX_HDR_SIZE;
+               }
+ 
+       } else if (cli->protocol >= PROTOCOL_LANMAN1) {

Reply via email to