Add patch to correct remote root vulnerability.

This vulnerability is being exploited in the wild.
svn path=/head/; revision=78518
2025-07-18 01:39:16 -04:00 · 2003-04-07 13:34:58 +00:00 · 2003-04-07 13:34:58 +00:00 · 25e295a55d · 2021-03-31 03:12:20 +00:00
commit 25e295a55d
parent 9c4d96f1f9
6 changed files with 77 additions and 1 deletions
--- a/net/samba/Makefile
+++ b/net/samba/Makefile
@ -7,7 +7,7 @@

 PORTNAME=	samba
 PORTVERSION=	2.2.8
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	net
 MASTER_SITES=	http://us3.samba.org/samba/ftp/%SUBDIR%/ \
 		http://us4.samba.org/samba/ftp/%SUBDIR%/ \
--- a/net/samba/files/patch-security-aa
+++ b/net/samba/files/patch-security-aa
@ -0,0 +1,22 @@
+diff -u -r --new-file --exclude=CVS source/smbd/trans2.c samba-2.2.8a/source/smbd/trans2.c
+--- source/smbd/trans2.c	2003-03-14 15:34:49.000000000 -0600
+++ source/smbd/trans2.c	2003-04-05 12:38:22.000000000 -0600
+@@ -217,7 +217,6 @@
+ 	int16 open_ofun;
+ 	int32 open_size;
+ 	char *pname;
+-	int16 namelen;
+ 
+ 	pstring fname;
+ 	mode_t unixmode;
+@@ -247,9 +246,8 @@
+ 	open_ofun = SVAL(params,12);
+ 	open_size = IVAL(params,14);
+ 	pname = &params[28];
+-	namelen = strlen(pname)+1;
+ 
+-	StrnCpy(fname,pname,namelen);
+	pstrcpy(fname, pname);
+ 
+ 	DEBUG(3,("trans2open %s mode=%d attr=%d ofun=%d size=%d\n",
+ 		fname,open_mode, open_attr, open_ofun, open_size));
--- a/net/samba/files/patch-security-ab
+++ b/net/samba/files/patch-security-ab
@ -0,0 +1,23 @@
+diff -u -r --new-file --exclude=CVS source/smbd/reply.c samba-2.2.8a/source/smbd/reply.c
+--- source/smbd/reply.c	2003-03-14 15:34:49.000000000 -0600
+++ source/smbd/reply.c	2003-04-05 14:16:35.000000000 -0600
+@@ -1500,6 +1500,9 @@
+ 
+         for (i=numentries;(i<maxentries) && !finished;i++)
+         {
+	  /* check to make sure we have room in the buffer */
+	  if ( ((PTR_DIFF(p, outbuf))+DIR_STRUCT_SIZE) > BUFFER_SIZE )
+	  	break;
+           finished = 
+             !get_dir_entry(conn,mask,dirtype,fname,&size,&mode,&date,check_descend);
+           if (!finished)
+@@ -3528,6 +3531,9 @@
+     
+ 
+ 		for (i=first;i<first+num_to_get;i++) {
+			/* check to make sure we have room in the buffer */
+			if ( (PTR_DIFF(p, outbuf)+28) > BUFFER_SIZE )
+				break;
+ 			put_dos_date2(p,0,queue[i].time);
+ 			SCVAL(p,4,(queue[i].status==LPQ_PRINTING?2:3));
+ 			SSVAL(p,5, queue[i].job);
--- a/net/samba/files/patch-security-ac
+++ b/net/samba/files/patch-security-ac
@ -0,0 +1,12 @@
+diff -u -r --new-file --exclude=CVS source/smbd/statcache.c samba-2.2.8a/source/smbd/statcache.c
+--- source/smbd/statcache.c	2001-10-11 04:34:37.000000000 -0500
+++ source/smbd/statcache.c	2003-04-04 16:02:33.000000000 -0600
+@@ -88,7 +88,7 @@
+    * StrnCpy always null terminates.
+    */
+ 
+-  StrnCpy(orig_name, full_orig_name, namelen);
+  StrnCpy(orig_name, full_orig_name, MIN(namelen, sizeof(orig_name)-1));
+   if(!case_sensitive)
+     strupper( orig_name );
+ 
--- a/net/samba/files/patch-security-ad
+++ b/net/samba/files/patch-security-ad
@ -0,0 +1,12 @@
+diff -u -r --new-file --exclude=CVS source/smbd/password.c samba-2.2.8a/source/smbd/password.c
+--- source/smbd/password.c	2003-03-14 15:34:49.000000000 -0600
+++ source/smbd/password.c	2003-04-04 16:02:33.000000000 -0600
+@@ -816,7 +816,7 @@
+ 		if (!ok && lp_username(snum)) {
+ 			char *auser;
+ 			pstring user_list;
+-			StrnCpy(user_list,lp_username(snum),sizeof(pstring));
+			StrnCpy(user_list,lp_username(snum),sizeof(pstring)-1);
+ 
+ 			pstring_sub(user_list,"%S",lp_servicename(snum));
+ 	  
--- a/net/samba/files/patch-security-ae
+++ b/net/samba/files/patch-security-ae
@ -0,0 +1,7 @@
+*** source/include/version.h.orig	Sat Apr  5 10:00:34 2003
+--- source/include/version.h	Sat Apr  5 10:00:39 2003
+***************
+*** 1 ****
+! #define VERSION "2.2.8"
+--- 1 ----
+! #define VERSION "2.2.8p1"