Hi, See the attached patch for CVE-2018-1050 on samba 3.6. CVE-2018-10507 is on the AD DC code which is not part of samba 3.6.
I won't handle the update in wheezy-lts (it's already done in sid and stretch, and I will handle those in jessie tomorrow). Regards -- Mathieu Parent
From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001 From: Jeremy Allison <j...@samba.org> Date: Tue, 2 Jan 2018 15:56:03 -0800 Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343 Signed-off-by: Jeremy Allison <j...@samba.org> --- source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c index a010d0cbcec..27de94a9522 100644 --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c @@ -176,6 +176,11 @@ static void prune_printername_cache(void); static const char *canon_servername(const char *servername) { const char *pservername = servername; + + if (servername == NULL) { + return ""; + } + while (*pservername == '\\') { pservername++; } @@ -2090,6 +2095,10 @@ WERROR _spoolss_DeletePrinterDriver(struct pipes_struct *p, return WERR_ACCESS_DENIED; } + if (r->in.architecture == NULL || r->in.driver == NULL) { + return WERR_INVALID_ENVIRONMENT; + } + /* check that we have a valid driver name first */ if ((version = get_version_id(r->in.architecture)) == -1) @@ -2235,6 +2244,10 @@ WERROR _spoolss_DeletePrinterDriverEx(struct pipes_struct *p, return WERR_ACCESS_DENIED; } + if (r->in.architecture == NULL || r->in.driver == NULL) { + return WERR_INVALID_ENVIRONMENT; + } + /* check that we have a valid driver name first */ if (get_version_id(r->in.architecture) == -1) { /* this is what NT returns */ -- 2.16.2
