Commit 4546f9e3 authored by Leonardo Arena's avatar Leonardo Arena
Browse files

main/samba: security fixes (CVE-2018-10858, CVE-2018-10919

Fixes #9253
parent e72e7d9f
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
pkgver=4.5.16
pkgrel=0
pkgrel=1
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="http://www.samba.org"
arch="all"
......@@ -48,6 +48,8 @@ source="https://us1.samba.org/samba/ftp/stable/samba-$pkgver.tar.gz
domain.patch
getpwent_r.patch
netdb-defines.patch
CVE-2018-10858-4.6.patch
CVE-2018-10919.patch
samba.initd
samba.confd
......@@ -57,6 +59,9 @@ pkggroups="winbind"
_builddir="$srcdir"/samba-$pkgver
# secfixes:
# 4.5.16-r1:
# - CVE-2018-10858
# - CVE-2018-10919
# 4.5.16-r0:
# - CVE-2018-1050
# - CVE-2018-1057
......@@ -519,11 +524,33 @@ libs() {
|| return 1
}
md5sums="fc3f427b5a356e89787a9d0828f4df1c samba-4.5.16.tar.gz
f9ee1f13e59c60ee7e481f51329bf7d4 uclibc-xattr-create.patch
f0d10a87a2067d0d3accdcb6c9b64ea9 domain.patch
6a220b2471764e6e189829ac9cc81996 getpwent_r.patch
39b8cfa9abe6584d13a13ea63459a2e7 netdb-defines.patch
4e68d71721c0c9ac144064021207b7e3 CVE-2018-10858-4.6.patch
244a069b3c472aa1c7d95902768f3219 CVE-2018-10919.patch
c1702b2ad7b68f7d704f50a1bfef3ad3 samba.initd
c150433426e18261e6e3eed3930e1a76 samba.confd
b7cafabfb4fa5b3ab5f2e857d8d1c733 samba.logrotate"
sha256sums="3a3356faab1694680e2ccd7fdf051ab1bbd3b0d058fc1f671e135dd2d1eae1aa samba-4.5.16.tar.gz
dcf6a7118297d6567d8ff31c9eff1afffdf2f548db36fd17d00cdf0ffc555fe3 uclibc-xattr-create.patch
5554fff0df5d31e67a705c60d97e187b4109c79c8a4063c8ea7ebe1e0e4a7e7e domain.patch
7956274b412a268339abb63f8e1bd63b5049cd4ab7c6270235d9d0b9bcf6c81a getpwent_r.patch
d4a17891a14d9a4290750097cc28279059e6d971fadf132085e857ed4400d5ed netdb-defines.patch
da8ee9f4e8ebd84d8927e5cbb8c3a64ea94e0142452bf26bb32e4aab527ec1a6 CVE-2018-10858-4.6.patch
70533f0dd5fd993cd304ebcb4ca4aa64bef19721a431a845e5226f365a8b881c CVE-2018-10919.patch
3866a15ab73a9fd704ec8315cff48caf98937c490ba8dc40ce3701cef5ca22c9 samba.initd
1d12f98a7727967b04eb123109b34cfffef320822dc0e8059286b6e3394c3fc0 samba.confd
4c2b7d529126b2fc4f62fb09d99e49a87632d723a2d9d289a61e37dd84145be1 samba.logrotate"
sha512sums="de8a41013cfb5ef3adcb290efd97a78a5de876d90ad05764d631f14e663a1849bb53e4ac394b46c906f1109be5748fee9316407a659c57007d36851ae8adcd7f samba-4.5.16.tar.gz
b43809d7ecbf3968f5154c2ded6ed47dae36921f1895ea98bcce50557eb2ad39b736345ffb4214655ed3154c143c20431d248cde828285380bafbf4d2627df9b uclibc-xattr-create.patch
62d373dbaee75121a1d73f2c09cdca7239705808ff807b171d1d5a28fd4ffc66bdb52494b62786d7aaba8aeece5c08433b532ca96a28d712452fe9daac8d8d2e domain.patch
0d4fd9862191554dc9c724cec0b94fd19afbfd0c4ed619e4c620c075e849cb3f3d44db1e5f119d890da23a3dd0068d9873703f3d86c47b91310521f37356208b getpwent_r.patch
1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch
03c38186821954642c0342b3ef2bfbaee3cdb1e98ee57d73c26ac300d80cdb61ea51af5ed9618a91dcf8ea82286f2198f022276e4ba18fbf6383ddd1722ba001 CVE-2018-10858-4.6.patch
13d7ff1139c1d1343bfd89c8fe80ef843d99268a6aa0bfa27cf0dfb034520896eda65037d678eeed2e30ae3cd171e89785751d0b127b27e041388daf318178c4 CVE-2018-10919.patch
6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf samba.initd
4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6 samba.confd
f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053 samba.logrotate"
From c6a7d5a2afaddc82038bdda1cd2717237c1301c0 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:07:17 -0700
Subject: [PATCH 1/2] libsmb: Ensure smbc_urlencode() can't overwrite passed in
buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_path.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index 01b0a61e483..ed70ab37550 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,8 +173,13 @@ smbc_urlencode(char *dest,
}
}
- *dest++ = '\0';
- max_dest_len--;
+ if (max_dest_len == 0) {
+ /* Ensure we return -1 if no null termination. */
+ return -1;
+ }
+
+ *dest++ = '\0';
+ max_dest_len--;
return max_dest_len;
}
--
2.11.0
From c712faa47b0bf693a8dda408a7fd8a2938ce0024 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 15 Jun 2018 15:08:17 -0700
Subject: [PATCH 2/2] libsmb: Harden smbc_readdir_internal() against returns
from malicious servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/libsmb/libsmb_dir.c | 57 ++++++++++++++++++++++++++++++++++++++------
source3/libsmb/libsmb_path.c | 2 +-
2 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/source3/libsmb/libsmb_dir.c b/source3/libsmb/libsmb_dir.c
index 631459156d5..96eb1631542 100644
--- a/source3/libsmb/libsmb_dir.c
+++ b/source3/libsmb/libsmb_dir.c
@@ -930,27 +930,47 @@ SMBC_closedir_ctx(SMBCCTX *context,
}
-static void
+static int
smbc_readdir_internal(SMBCCTX * context,
struct smbc_dirent *dest,
struct smbc_dirent *src,
int max_namebuf_len)
{
if (smbc_getOptionUrlEncodeReaddirEntries(context)) {
+ int remaining_len;
/* url-encode the name. get back remaining buffer space */
- max_namebuf_len =
+ remaining_len =
smbc_urlencode(dest->name, src->name, max_namebuf_len);
+ /* -1 means no null termination. */
+ if (remaining_len < 0) {
+ return -1;
+ }
+
/* We now know the name length */
dest->namelen = strlen(dest->name);
+ if (dest->namelen + 1 < 1) {
+ /* Integer wrap. */
+ return -1;
+ }
+
+ if (dest->namelen + 1 >= max_namebuf_len) {
+ /* Out of space for comment. */
+ return -1;
+ }
+
/* Save the pointer to the beginning of the comment */
dest->comment = dest->name + dest->namelen + 1;
+ if (remaining_len < 1) {
+ /* No room for comment null termination. */
+ return -1;
+ }
+
/* Copy the comment */
- strncpy(dest->comment, src->comment, max_namebuf_len - 1);
- dest->comment[max_namebuf_len - 1] = '\0';
+ strlcpy(dest->comment, src->comment, remaining_len);
/* Save other fields */
dest->smbc_type = src->smbc_type;
@@ -960,10 +980,21 @@ smbc_readdir_internal(SMBCCTX * context,
} else {
/* No encoding. Just copy the entry as is. */
+ if (src->dirlen > max_namebuf_len) {
+ return -1;
+ }
memcpy(dest, src, src->dirlen);
+ if (src->namelen + 1 < 1) {
+ /* Integer wrap */
+ return -1;
+ }
+ if (src->namelen + 1 >= max_namebuf_len) {
+ /* Comment off the end. */
+ return -1;
+ }
dest->comment = (char *)(&dest->name + src->namelen + 1);
}
-
+ return 0;
}
/*
@@ -975,6 +1006,7 @@ SMBC_readdir_ctx(SMBCCTX *context,
SMBCFILE *dir)
{
int maxlen;
+ int ret;
struct smbc_dirent *dirp, *dirent;
TALLOC_CTX *frame = talloc_stackframe();
@@ -1024,7 +1056,12 @@ SMBC_readdir_ctx(SMBCCTX *context,
dirp = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirp, dirent, maxlen);
+ ret = smbc_readdir_internal(context, dirp, dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return NULL;
+ }
dir->dir_next = dir->dir_next->next;
@@ -1082,6 +1119,7 @@ SMBC_getdents_ctx(SMBCCTX *context,
*/
while ((dirlist = dir->dir_next)) {
+ int ret;
struct smbc_dirent *dirent;
struct smbc_dirent *currentEntry = (struct smbc_dirent *)ndir;
@@ -1096,8 +1134,13 @@ SMBC_getdents_ctx(SMBCCTX *context,
/* Do urlencoding of next entry, if so selected */
dirent = &context->internal->dirent;
maxlen = sizeof(context->internal->_dirent_name);
- smbc_readdir_internal(context, dirent,
+ ret = smbc_readdir_internal(context, dirent,
dirlist->dirent, maxlen);
+ if (ret == -1) {
+ errno = EINVAL;
+ TALLOC_FREE(frame);
+ return -1;
+ }
reqd = dirent->dirlen;
diff --git a/source3/libsmb/libsmb_path.c b/source3/libsmb/libsmb_path.c
index ed70ab37550..5b53b386a67 100644
--- a/source3/libsmb/libsmb_path.c
+++ b/source3/libsmb/libsmb_path.c
@@ -173,7 +173,7 @@ smbc_urlencode(char *dest,
}
}
- if (max_dest_len == 0) {
+ if (max_dest_len <= 0) {
/* Ensure we return -1 if no null termination. */
return -1;
}
--
2.11.0
This diff is collapsed.
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment