Add patch to correct remote root vulnerability.

This vulnerability is being exploited in the wild.
Jacques Vidrine 2003-04-07 13:34:58 +00:00
parent 9c4d96f1f9
commit 25e295a55d
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=78518
6 changed files with 77 additions and 1 deletions


@ -7,7 +7,7 @@
PORTNAME= samba PORTNAME= samba
PORTVERSION= 2.2.8 PORTVERSION= 2.2.8
PORTREVISION= 1 PORTREVISION= 2
CATEGORIES= net CATEGORIES= net
MASTER_SITES= http://us3.samba.org/samba/ftp/%SUBDIR%/ \ MASTER_SITES= http://us3.samba.org/samba/ftp/%SUBDIR%/ \
http://us4.samba.org/samba/ftp/%SUBDIR%/ \ http://us4.samba.org/samba/ftp/%SUBDIR%/ \


@ -0,0 +1,22 @@
diff -u -r --new-file --exclude=CVS source/smbd/trans2.c samba-2.2.8a/source/smbd/trans2.c
--- source/smbd/trans2.c 2003-03-14 15:34:49.000000000 -0600
+++ source/smbd/trans2.c 2003-04-05 12:38:22.000000000 -0600
@@ -217,7 +217,6 @@
int16 open_ofun;
int32 open_size;
char *pname;
- int16 namelen;
pstring fname;
mode_t unixmode;
@@ -247,9 +246,8 @@
open_ofun = SVAL(params,12);
open_size = IVAL(params,14);
pname = &params[28];
- namelen = strlen(pname)+1;
- StrnCpy(fname,pname,namelen);
+ pstrcpy(fname, pname);
DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n",
fname,open_mode, open_attr, open_ofun, open_size));
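Review bot: `pname = &params[28]` is still taken with no visible check that the client's parameter block is at least 29 bytes long or that the name is NUL-terminated inside it, so `pstrcpy(fname, pname)` bounds the write into `fname` but the read can still run past what was received. If no such check exists earlier in the function (its start is outside the hunk), a length test on the parameter block before this line would cover the read side as well. As far as I know `pstrcpy` truncates to `sizeof(pstring)-1`, so a comment such as `/* pstrcpy truncates; over-long names are opened truncated */` would make that behaviour explicit to the next reader.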


@ -0,0 +1,23 @@
diff -u -r --new-file --exclude=CVS source/smbd/reply.c samba-2.2.8a/source/smbd/reply.c
--- source/smbd/reply.c 2003-03-14 15:34:49.000000000 -0600
+++ source/smbd/reply.c 2003-04-05 14:16:35.000000000 -0600
@@ -1500,6 +1500,9 @@
for (i=numentries;(i<maxentries) && !finished;i++)
{
+ /* check to make sure we have room in the buffer */
+ if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE )
+ break;
finished =
!get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend);
if (!finished)
@@ -3528,6 +3531,9 @@
for (i=first;i<first+num_to_get;i++) {
+ /* check to make sure we have room in the buffer */
+ if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE )
+ break;
put_dos_date2(p,0,queue[i].time);
SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3));
SSVAL(p,5, queue[i].job);
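Review bot: The second added check hard-codes the entry size as `28` where the first uses the named `DIR_STRUCT_SIZE`; a named constant for the print-queue entry size would keep the bound and the pointer advance from drifting apart. Both checks compare against the compile-time `BUFFER_SIZE` rather than the size of the buffer actually passed in, which is only correct if `outbuf` is always at least that large, so a comment stating that assumption would help. The code after each loop is outside the hunk: if the reply's entry count or byte length is derived from `num_to_get` rather than from the number of entries actually written, the early `break` leaves them overstated and they should be recomputed.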


@ -0,0 +1,12 @@
diff -u -r --new-file --exclude=CVS source/smbd/statcache.c samba-2.2.8a/source/smbd/statcache.c
--- source/smbd/statcache.c 2001-10-11 04:34:37.000000000 -0500
+++ source/smbd/statcache.c 2003-04-04 16:02:33.000000000 -0600
@@ -88,7 +88,7 @@
* StrnCpy always null terminates.
*/
- StrnCpy(orig_name, full_orig_name, namelen);
+ StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
if(!case_sensitive)
strupper( orig_name );
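Review bot: Clamping with `MIN(namelen, sizeof(orig_name)-1)` stops the overflow but stores a silently truncated name, so if `orig_name` is used as the cache key, two long paths sharing that prefix could map to the same entry. Presumably a name that does not fit should not be cached at all; a guard before the copy, e.g. `if (namelen > sizeof(orig_name)-1) return;` (assuming the function returns void, since its start is outside the hunk), would avoid that. The type of `namelen` is not visible here and `MIN` mixes it with a `size_t`, so a short comment on its expected range would also be useful.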


@ -0,0 +1,12 @@
diff -u -r --new-file --exclude=CVS source/smbd/password.c samba-2.2.8a/source/smbd/password.c
--- source/smbd/password.c 2003-03-14 15:34:49.000000000 -0600
+++ source/smbd/password.c 2003-04-04 16:02:33.000000000 -0600
@@ -816,7 +816,7 @@
if (!ok && lp_username(snum)) {
char *auser;
pstring user_list;
- StrnCpy(user_list,lp_username(snum),sizeof(pstring));
+ StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
pstring_sub(user_list,"%S",lp_servicename(snum));
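Review bot: The hand-written bound `sizeof(pstring)-1` on the `StrnCpy` line is the same kind of size arithmetic that went wrong before; `pstrcpy(user_list, lp_username(snum));`, which the trans2.c fix in this commit already uses for a `pstring` destination, would state the intent without it. This is a style point: the new bound itself looks right given that StrnCpy writes a terminator after the copied bytes, as the comment in the statcache.c hunk says. The enclosing block continues outside the hunk.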


@ -0,0 +1,7 @@
*** source/include/version.h.orig Sat Apr 5 10:00:34 2003
--- source/include/version.h Sat Apr 5 10:00:39 2003
***************
*** 1 ****
! #define VERSION "2.2.8"
--- 1 ----
! #define VERSION "2.2.8p1"