update Samba in f10 to current f9.

Guenther

samba-3.2.0rc1-server.diff

@@ -0,0 +1,42 @@
+commit 779a3af0cd3ecbf82e3de16a4e0aec046c19d869
+Author: Volker Lendecke <vl@samba.org>
+Date:   Fri May 30 11:46:34 2008 +0200
+
+    Fix security=server, bug 5502
+    
+    This has brown paper bag quality and is definitely needed for 3.2.0.
+    
+    Thanks to Orion Poplawski for reporting this!
+    
+    Volker
+
+diff --git a/source/auth/auth_server.c b/source/auth/auth_server.c
+index b07884c..31d1d37 100644
+--- a/source/auth/auth_server.c
++++ b/source/auth/auth_server.c
+@@ -270,13 +270,15 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
+ 					 const auth_usersupplied_info *user_info, 
+ 					 auth_serversupplied_info **server_info)
+ {
++	struct server_security_state *state = talloc_get_type_abort(
++		my_private_data, struct server_security_state);
+ 	struct cli_state *cli;
+ 	static bool tested_password_server = False;
+ 	static bool bad_password_server = False;
+ 	NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED;
+ 	bool locally_made_cli = False;
+ 
+-	cli = (struct cli_state *)my_private_data;
++	cli = state->cli;
+ 	
+ 	if (cli) {
+ 	} else {
+@@ -285,7 +287,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context
+ 	}
+ 
+ 	if (!cli || !cli->initialised) {
+-		DEBUG(1,("password server is not connected (cli not initilised)\n"));
++		DEBUG(1,("password server is not connected (cli not initialised)\n"));
+ 		return NT_STATUS_LOGON_FAILURE;
+ 	}  
+ 	

samba-CVE-2008-1105.diff

@@ -0,0 +1,315 @@
+diff --git a/source/client/client.c b/source/client/client.c
+index e08fa89..d684ba8 100644
+--- a/source/client/client.c
++++ b/source/client/client.c
+@@ -4382,7 +4382,7 @@ static void readline_callback(void)
+ 
+ 		set_smb_read_error(&cli->smb_rw_error, SMB_READ_OK);
+ 
+-		status = receive_smb_raw(cli->fd, cli->inbuf, 0, 0, &len);
++		status = receive_smb_raw(cli->fd, cli->inbuf, cli->bufsize, 0, 0, &len);
+ 
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			DEBUG(0, ("Read from server failed, maybe it closed "
+diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
+index f252377..df89dc8 100644
+--- a/source/lib/util_sock.c
++++ b/source/lib/util_sock.c
+@@ -1160,7 +1160,7 @@ NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout,
+  Doesn't check the MAC on signed packets.
+ ****************************************************************************/
+ 
+-NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
++NTSTATUS receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout,
+ 			 size_t maxlen, size_t *p_len)
+ {
+ 	size_t len;
+@@ -1173,17 +1173,10 @@ NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout,
+ 		return status;
+ 	}
+ 
+-	/*
+-	 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
+-	 * of header. Don't print the error if this fits.... JRA.
+-	 */
+-
+-	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
++	if (len > buflen) {
+ 		DEBUG(0,("Invalid packet length! (%lu bytes).\n",
+ 					(unsigned long)len));
+-		if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
+-			return NT_STATUS_INVALID_PARAMETER;
+-		}
++		return NT_STATUS_INVALID_PARAMETER;
+ 	}
+ 
+ 	if(len > 0) {
+diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c
+index 6419123..2af4383 100644
+--- a/source/libsmb/clientgen.c
++++ b/source/libsmb/clientgen.c
+@@ -57,8 +57,7 @@ int cli_set_port(struct cli_state *cli, int port)
+ }
+ 
+ /****************************************************************************
+- Read an smb from a fd ignoring all keepalive packets. Note that the buffer 
+- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
++ Read an smb from a fd ignoring all keepalive packets.
+  The timeout is in milliseconds
+ 
+  This is exactly the same as receive_smb except that it never returns
+@@ -76,8 +75,8 @@ static ssize_t client_receive_smb(struct cli_state *cli, size_t maxlen)
+ 
+ 		set_smb_read_error(&cli->smb_rw_error, SMB_READ_OK);
+ 
+-		status = receive_smb_raw(cli->fd, cli->inbuf, cli->timeout,
+-					 maxlen, &len);
++		status = receive_smb_raw(cli->fd, cli->inbuf, cli->bufsize,
++					cli->timeout, maxlen, &len);
+ 		if (!NT_STATUS_IS_OK(status)) {
+ 			DEBUG(10,("client_receive_smb failed\n"));
+ 			show_msg(cli->inbuf);
+@@ -225,93 +224,6 @@ ssize_t cli_receive_smb_data(struct cli_state *cli, char *buffer, size_t len)
+ 	return -1;
+ }
+ 
+-/****************************************************************************
+- Read a smb readX header.
+- We can only use this if encryption and signing are off.
+-****************************************************************************/
+-
+-bool cli_receive_smb_readX_header(struct cli_state *cli)
+-{
+-	ssize_t len, offset;
+-
+-	if (cli->fd == -1)
+-		return false; 
+-
+- again:
+-
+-	/* Read up to the size of a readX header reply. */
+-	len = client_receive_smb(cli, (smb_size - 4) + 24);
+-	
+-	if (len > 0) {
+-		/* it might be an oplock break request */
+-		if (!(CVAL(cli->inbuf, smb_flg) & FLAG_REPLY) &&
+-		    CVAL(cli->inbuf,smb_com) == SMBlockingX &&
+-		    SVAL(cli->inbuf,smb_vwv6) == 0 &&
+-		    SVAL(cli->inbuf,smb_vwv7) == 0) {
+-			ssize_t total_len = smb_len(cli->inbuf);
+-
+-			if (total_len > CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN) {
+-				goto read_err;
+-			}
+-
+-			/* Read the rest of the data. */
+-			if ((total_len - len > 0) &&
+-			    !cli_receive_smb_data(cli,cli->inbuf+len,total_len - len)) {
+-				goto read_err;
+-			}
+-
+-			if (cli->oplock_handler) {
+-				int fnum = SVAL(cli->inbuf,smb_vwv2);
+-				unsigned char level = CVAL(cli->inbuf,smb_vwv3+1);
+-				if (!cli->oplock_handler(cli, fnum, level)) return false;
+-			}
+-			/* try to prevent loops */
+-			SCVAL(cli->inbuf,smb_com,0xFF);
+-			goto again;
+-		}
+-	}
+-
+-	/* If it's not the above size it probably was an error packet. */
+-
+-	if ((len == (smb_size - 4) + 24) && !cli_is_error(cli)) {
+-		/* Check it's a non-chained readX reply. */
+-		if (!(CVAL(cli->inbuf, smb_flg) & FLAG_REPLY) ||
+-			(CVAL(cli->inbuf,smb_vwv0) != 0xFF) ||
+-			(CVAL(cli->inbuf,smb_com) != SMBreadX)) {
+-			/* 
+-			 * We're not coping here with asnyc replies to
+-			 * other calls. Punt here - we need async client
+-			 * libs for this.
+-			 */
+-			goto read_err;
+-		}
+-
+-		/* 
+-		 * We know it's a readX reply - ensure we've read the
+-		 * padding bytes also.
+-		 */
+-
+-		offset = SVAL(cli->inbuf,smb_vwv6);
+-		if (offset > len) {
+-			ssize_t ret;
+-			size_t padbytes = offset - len;
+-			ret = cli_receive_smb_data(cli,smb_buf(cli->inbuf),padbytes);
+-			if (ret != padbytes) {
+-				goto read_err;
+-			}
+-		}
+-	}
+-
+-	return true;
+-
+-  read_err:
+-
+-	cli->smb_rw_error = SMB_READ_ERROR;
+-	close(cli->fd);
+-	cli->fd = -1;
+-	return false;
+-}
+-
+ static ssize_t write_socket(int fd, const char *buf, size_t len)
+ {
+         ssize_t ret=0;
+diff --git a/source/libsmb/clireadwrite.c b/source/libsmb/clireadwrite.c
+index 12ba4b7..487f446 100644
+--- a/source/libsmb/clireadwrite.c
++++ b/source/libsmb/clireadwrite.c
+@@ -472,106 +472,6 @@ ssize_t cli_read(struct cli_state *cli, int fnum, char *buf,
+ 	return ret;
+ }
+ 
+-#if 0  /* relies on client_receive_smb(), now a static in libsmb/clientgen.c */
+-
+-/* This call is INCOMPATIBLE with SMB signing.  If you remove the #if 0
+-   you must fix ensure you don't attempt to sign the packets - data
+-   *will* be currupted */
+-
+-/****************************************************************************
+-Issue a single SMBreadraw and don't wait for a reply.
+-****************************************************************************/
+-
+-static bool cli_issue_readraw(struct cli_state *cli, int fnum, off_t offset, 
+-			   size_t size, int i)
+-{
+-
+-	if (!cli->sign_info.use_smb_signing) {
+-		DEBUG(0, ("Cannot use readraw and SMB Signing\n"));
+-		return False;
+-	}
+-	
+-	memset(cli->outbuf,'\0',smb_size);
+-	memset(cli->inbuf,'\0',smb_size);
+-
+-	cli_set_message(cli->outbuf,10,0,True);
+-		
+-	SCVAL(cli->outbuf,smb_com,SMBreadbraw);
+-	SSVAL(cli->outbuf,smb_tid,cli->cnum);
+-	cli_setup_packet(cli);
+-
+-	SSVAL(cli->outbuf,smb_vwv0,fnum);
+-	SIVAL(cli->outbuf,smb_vwv1,offset);
+-	SSVAL(cli->outbuf,smb_vwv2,size);
+-	SSVAL(cli->outbuf,smb_vwv3,size);
+-	SSVAL(cli->outbuf,smb_mid,cli->mid + i);
+-
+-	return cli_send_smb(cli);
+-}
+-
+-/****************************************************************************
+- Tester for the readraw call.
+-****************************************************************************/
+-
+-ssize_t cli_readraw(struct cli_state *cli, int fnum, char *buf, off_t offset, size_t size)
+-{
+-	char *p;
+-	int size2;
+-	size_t readsize;
+-	ssize_t total = 0;
+-
+-	if (size == 0) 
+-		return 0;
+-
+-	/*
+-	 * Set readsize to the maximum size we can handle in one readraw.
+-	 */
+-
+-	readsize = 0xFFFF;
+-
+-	while (total < size) {
+-		readsize = MIN(readsize, size-total);
+-
+-		/* Issue a read and receive a reply */
+-
+-		if (!cli_issue_readraw(cli, fnum, offset, readsize, 0))
+-			return -1;
+-
+-		if (!client_receive_smb(cli->fd, cli->inbuf, cli->timeout))
+-			return -1;
+-
+-		size2 = smb_len(cli->inbuf);
+-
+-		if (size2 > readsize) {
+-			DEBUG(5,("server returned more than we wanted!\n"));
+-			return -1;
+-		} else if (size2 < 0) {
+-			DEBUG(5,("read return < 0!\n"));
+-			return -1;
+-		}
+-
+-		/* Copy data into buffer */
+-
+-		if (size2) {
+-			p = cli->inbuf + 4;
+-			memcpy(buf + total, p, size2);
+-		}
+-
+-		total += size2;
+-		offset += size2;
+-
+-		/*
+-		 * If the server returned less than we asked for we're at EOF.
+-		 */
+-
+-		if (size2 < readsize)
+-			break;
+-	}
+-
+-	return total;
+-}
+-#endif
+-
+ /****************************************************************************
+  Issue a single SMBwrite and don't wait for a reply.
+ ****************************************************************************/
+diff --git a/source/smbd/process.c b/source/smbd/process.c
+index 5946989..ed34e9b 100644
+--- a/source/smbd/process.c
++++ b/source/smbd/process.c
+@@ -120,9 +120,7 @@ static bool valid_packet_size(size_t len)
+ 	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
+ 		DEBUG(0,("Invalid packet length! (%lu bytes).\n",
+ 					(unsigned long)len));
+-		if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
+-			return false;
+-		}
++		return false;
+ 	}
+ 	return true;
+ }
+diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
+index e128e1c..d274e09 100644
+--- a/source/utils/smbfilter.c
++++ b/source/utils/smbfilter.c
+@@ -171,7 +171,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
+ 		if (c != -1 && FD_ISSET(c, &fds)) {
+ 			size_t len;
+ 			if (!NT_STATUS_IS_OK(receive_smb_raw(
+-						     c, packet, 0, 0, &len))) {
++							c, packet, sizeof(packet),
++							0, 0, &len))) {
+ 				d_printf("client closed connection\n");
+ 				exit(0);
+ 			}
+@@ -184,7 +185,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss)
+ 		if (s != -1 && FD_ISSET(s, &fds)) {
+ 			size_t len;
+ 			if (!NT_STATUS_IS_OK(receive_smb_raw(
+-						     s, packet, 0, 0, &len))) {
++							s, packet, sizeof(packet),
++							0, 0, &len))) {
+ 				d_printf("server closed connection\n");
+ 				exit(0);
+ 			}

samba.spec

@@ -1,4 +1,4 @@
-%define main_release 13
+%define main_release 15
 %define samba_version 3.2.0rc1
 %define tdb_version 1.1.1
 %define talloc_version 1.2.0
@@ -47,6 +47,8 @@ Patch110: samba-3.0.21pre1-smbspool.patch
 Patch111: samba-3.0.13-smbclient.patch
 Patch200: samba-3.0.25rc1-inotifiy.patch
 Patch220: samba-3.2.0rc1-capget.diff
+Patch221: samba-CVE-2008-1105.diff
+Patch222: samba-3.2.0rc1-server.diff
 
 Requires(pre): samba-common = %{epoch}:%{version}-%{release}
 Requires: pam >= 0:0.64
@@ -254,6 +256,8 @@ cp %{SOURCE11} packaging/Fedora/
 #%patch111 -p1 -b .smbclient # FIXME: does not apply
 #%patch200 -p0 -b .inotify # FIXME: does not compile
 %patch220 -p1 -b .capget
+%patch221 -p1 -b .CVE-2008-1105
+%patch222 -p1 -b .server
 
 mv source/VERSION source/VERSION.orig
 sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{release}\"/' < source/VERSION.orig > source/VERSION
@@ -848,11 +852,19 @@ exit 0
 %{_datadir}/pixmaps/samba/logo-small.png
 
 %changelog
-* Fri May 23 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre3.13
+* Fri May 30 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.rc1.15
+- Fix security=server
+- resolves: #449038, #449039
+
+* Wed May 28 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.rc1.14
+- Add fix for CVE-2008-1105
+- resolves: #446724
+
+* Fri May 23 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.rc1.13
 - Update to 3.2.0rc1
 
 * Wed May 21 2008 Simo Sorce <ssorce@redhat.com> - 3.2.0-1.pre3.12
-- impossit made iimpossible to print against Vista and XP SP3 as servers
+- make it possible to print against Vista and XP SP3 as servers
 - resolves: #439154
 
 * Thu May 15 2008 Guenther Deschner <gdeschner@redhat.com> - 3.2.0-1.pre3.11