From nobody@FreeBSD.org  Wed Sep 15 04:41:45 2010
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id A3D631065674
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 15 Sep 2010 04:41:45 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [IPv6:2001:4f8:fff6::21])
	by mx1.freebsd.org (Postfix) with ESMTP id 946378FC1B
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 15 Sep 2010 04:41:45 +0000 (UTC)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.14.3/8.14.3) with ESMTP id o8F4fjBW018772
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 15 Sep 2010 04:41:45 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.14.3/8.14.3/Submit) id o8F4fiAO018771;
	Wed, 15 Sep 2010 04:41:44 GMT
	(envelope-from nobody)
Message-Id: <201009150441.o8F4fiAO018771@www.freebsd.org>
Date: Wed, 15 Sep 2010 04:41:44 GMT
From: Dan van Pelt <dan@chem.wwu.edu>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [patch] net/samba34 CVE-2010-3069
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         150583
>Category:       ports
>Synopsis:       [patch] net/samba34 CVE-2010-3069
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    timur
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Sep 15 04:50:00 UTC 2010
>Closed-Date:    Thu Sep 30 10:41:04 UTC 2010
>Last-Modified:  Thu Sep 30 21:50:01 UTC 2010
>Originator:     Dan van Pelt
>Release:        8.1-RELEASE
>Organization:
>Environment:
FreeBSD xxx 8.1-RELEASE FreeBSD 8.1-RELEASE #0: Mon Jul 19 02:36:49 UTC 2010     root@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
Adaptation of samba 3.4.8 CVE-2010-3069 security patch for net/samba34.  Applies clean and builds.  Original is here:

http://www.samba.org/samba/ftp/patches/security/samba-3.4.8-CVE-2010-3069.patch


>How-To-Repeat:

>Fix:
Put the attached patch in /usr/ports/net/samba34/files and rebuild port.

Patch attached with submission follows:

diff --git ./libcli/security/dom_sid.c ./libcli/security/dom_sid.c
index 0c88900..350a14f 100644
--- ./libcli/security/dom_sid.c.orig
+++ ./libcli/security/dom_sid.c
@@ -117,6 +117,10 @@ bool dom_sid_parse(const char *sidstr, struct dom_sid *ret)
 		if (sidstr[i] == '-') num_sub_auths++;
 	}
 
+	if (num_sub_auths > MAXSUBAUTHS) {
+		return false;
+	}
+
 	ret->sid_rev_num = rev;
 	ret->id_auth[0] = 0;
 	ret->id_auth[1] = 0;
diff --git ./libcli/security/dom_sid.h ./libcli/security/dom_sid.h
index e892535..748e009 100644
--- ./libcli/security/dom_sid.h.orig
+++ ./libcli/security/dom_sid.h
@@ -40,5 +40,9 @@ bool dom_sid_in_domain(const struct dom_sid *domain_sid,
 		       const struct dom_sid *sid);
 char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid);
 
+#ifndef MAXSUBAUTHS
+#define MAXSUBAUTHS 15 /* max sub authorities in a SID */
+#endif
+
 #endif /*_DOM_SID_H_*/
 
diff --git ./source3/lib/util_sid.c ./source3/lib/util_sid.c
index 97284af..52e8448 100644
--- ./source3/lib/util_sid.c.orig
+++ ./source3/lib/util_sid.c
@@ -408,6 +408,9 @@ bool sid_parse(const char *inbuf, size_t len, DOM_SID *sid)
 
 	sid->sid_rev_num = CVAL(inbuf, 0);
 	sid->num_auths = CVAL(inbuf, 1);
+	if (sid->num_auths > MAXSUBAUTHS) {
+		return false;
+	}
 	memcpy(sid->id_auth, inbuf+2, 6);
 	if (len < 8 + sid->num_auths*4)
 		return False;
diff --git ./source3/libads/ldap.c ./source3/libads/ldap.c
index 1fb541d..08b8311 100644
--- ./source3/libads/ldap.c.orig
+++ ./source3/libads/ldap.c
@@ -2128,7 +2128,9 @@ static void dump_sid(ADS_STRUCT *ads, const char *field, struct berval **values)
 	for (i=0; values[i]; i++) {
 		DOM_SID sid;
 		fstring tmp;
-		sid_parse(values[i]->bv_val, values[i]->bv_len, &sid);
+		if (!sid_parse(values[i]->bv_val, values[i]->bv_len, &sid)) {
+			continue;
+		}
 		printf("%s: %s\n", field, sid_to_fstring(tmp, &sid));
 	}
 }
diff --git ./source3/libsmb/cliquota.c ./source3/libsmb/cliquota.c
index e40dac3..2af5b22 100644
--- ./source3/libsmb/cliquota.c.orig
+++ ./source3/libsmb/cliquota.c
@@ -117,7 +117,9 @@ static bool parse_user_quota_record(const char *rdata, unsigned int rdata_count,
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(rdata+40,sid_len,&qt.sid);
+	if (!sid_parse(rdata+40,sid_len,&qt.sid)) {
+		return false;
+	}
 
 	qt.qtype = SMB_USER_QUOTA_TYPE;
 
diff --git ./source3/smbd/nttrans.c ./source3/smbd/nttrans.c
index 4bfbcd1..2834f08 100644
--- ./source3/smbd/nttrans.c.orig
+++ ./source3/smbd/nttrans.c
@@ -2080,7 +2080,11 @@ static void call_nt_transact_ioctl(connection_struct *conn,
 		/* unknown 4 bytes: this is not the length of the sid :-(  */
 		/*unknown = IVAL(pdata,0);*/
 
-		sid_parse(pdata+4,sid_len,&sid);
+		if (!sid_parse(pdata+4,sid_len,&sid)) {
+			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+			return;
+		}
+
 		DEBUGADD(10, ("for SID: %s\n", sid_string_dbg(&sid)));
 
 		if (!sid_to_uid(&sid, &uid)) {
@@ -2336,7 +2340,10 @@ static void call_nt_transact_get_user_quota(connection_struct *conn,
 				break;
 			}
 
-			sid_parse(pdata+8,sid_len,&sid);
+			if (!sid_parse(pdata+8,sid_len,&sid)) {
+				reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+				return;
+			}
 
 			if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
 				ZERO_STRUCT(qt);
@@ -2517,7 +2524,11 @@ static void call_nt_transact_set_user_quota(connection_struct *conn,
 	}
 #endif /* LARGE_SMB_OFF_T */
 
-	sid_parse(pdata+40,sid_len,&sid);
+	if (!sid_parse(pdata+40,sid_len,&sid)) {
+		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return;
+	}
+
 	DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
 
 	/* 44 unknown bytes left... */


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-ports-bugs->timur 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Wed Sep 15 04:50:13 UTC 2010 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=150583 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: ports/150583: commit references a PR
Date: Thu, 30 Sep 2010 10:39:59 +0000 (UTC)

 mm          2010-09-30 10:39:54 UTC
 
   FreeBSD ports repository
 
   Modified files:
     net/samba34          Makefile distinfo 
   Log:
   - Update to 3.4.9 (fixes CVE-2010-3069, the only change to 3.4.8)
   
   PR:             ports/150583
   Approved by:    maintainer (timeout)
   
   Revision  Changes    Path
   1.6       +2 -2      ports/net/samba34/Makefile
   1.3       +3 -3      ports/net/samba34/distinfo
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: mm 
State-Changed-When: Thu Sep 30 10:41:03 UTC 2010 
State-Changed-Why:  
Committed by updating to 3.4.9. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=150583 

From: Phillip Nordwall <Phillip.Nordwall@wwu.edu>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>
Cc:  
Subject: Re: ports/150583: [patch] net/samba34 CVE-2010-3069
Date: Thu, 30 Sep 2010 14:34:50 -0700

 Thank you for getting this updated I really appreciate it.  I have noticed =
 that this critical bug took 16 days to get fixed from when the patch reques=
 t was made to being fixed. Meanwhile Ubuntu had an update at the time that =
 the patch request was made. Is there anything different that someone submit=
 ting a patch request could do that would make this occur more quickly?
 
 Once again I want to thank everyone who volunteers their time to making Fre=
 eBSD so wonderful.
 
 Phillip Nordwall
 Systems Manager
 WWU Computer Science
 PH: (360) 650-4841
 FX: (360) 650-4980
 Phillip.Nordwall@wwu.edu
 
 
>Unformatted:
