Sat Jun 19 14:08:56 2010 UTC ()

Add a patch to fix CVE-2010-2063.

Bump PKGREVISION.


(taca)

diff -r1.200 -r1.201 pkgsrc/net/samba/Makefile
diff -r1.6 -r1.7 pkgsrc/net/samba/Makefile.mirrors
diff -r1.73 -r1.74 pkgsrc/net/samba/distinfo
diff -r0 -r1.3 pkgsrc/net/samba/patches/patch-ee

--- pkgsrc/net/samba/Makefile 2010/04/15 09:38:09 1.200
+++ pkgsrc/net/samba/Makefile 2010/06/19 14:08:56 1.201

 @@ -1,19 +1,19 @@
-# $NetBSD: Makefile,v 1.200 2010/04/15 09:38:09 sborrill Exp $
+# $NetBSD: Makefile,v 1.201 2010/06/19 14:08:56 taca Exp $
 .include "Makefile.mirrors"
 DISTNAME=		samba-${VERSION}
-PKGREVISION=		3
+PKGREVISION=		4
 CATEGORIES=		net
 MASTER_SITES=		${SAMBA_MIRRORS:=old-versions/}
 .include "Makefile.patches"
 MAINTAINER=		pkgsrc-users@NetBSD.org
 HOMEPAGE=		http://www.samba.org/
 COMMENT=		SMB/CIFS protocol server suite
 LICENSE=		gnu-gpl-v2
 VERSION=		3.0.37
 CONFLICTS+=		ja-samba-[0-9]* pam-smbpass-[0-9]* tdb-[0-9]*	\
 			winbind-[0-9]*

--- pkgsrc/net/samba/Makefile.mirrors 2009/10/11 09:18:04 1.6
+++ pkgsrc/net/samba/Makefile.mirrors 2010/06/19 14:08:56 1.7

 @@ -1,26 +1,28 @@
-# $NetBSD: Makefile.mirrors,v 1.6 2009/10/11 09:18:04 wiz Exp $
+# $NetBSD: Makefile.mirrors,v 1.7 2010/06/19 14:08:56 taca Exp $
+#
 # This Makefile fragment contains the mirror sites for fetching Samba.
 ###
 ### This list was last updated on 20080403 from:
 ###	http://www.samba.org/samba/download/ftp_mirrors.html
 ###
 SAMBA_MIRRORS=	\
 	ftp://ftp.easynet.be/samba/ \
 	http://mirrors.uol.com.br/pub/samba/ \
 	ftp://ca.samba.org/ \
 	ftp://mirrors.dotsrc.org/samba/ \
 	ftp://de3.samba.org/pub/samba/ \
 	ftp://ftp.ntua.gr/pub/net/samba/ \
 	ftp://ftp.hkmirror.org/pub/samba/sambaftp/ \
 	ftp://ftp.heanet.ie/pub/samba/ \
 	ftp://ftp.ring.gr.jp/pub/net/samba/ \
 	ftp://ftp.samba.gr.jp/pub/samba/ \
 	http://samba.osmirror.nl/samba/ftp/ \
 	ftp://ftp.bit.nl/mirror/samba/ \
 	ftp://www.bibsyst.no/pub/samba/ \
 	ftp://pl.samba.org/pub/unix/net/samba/ \
 	ftp://ftp.chg.ru/packages/samba/ \
 	ftp://ftp.oss.eznetsols.org/samba/ \
-	ftp://us5.samba.org/pub/samba-ftp/
+	ftp://us5.samba.org/pub/samba-ftp/ \
 	ftp://download.samba.org/pub/samba/ \
 	http://download.samba.org/samba/ftp/

--- pkgsrc/net/samba/distinfo 2010/02/09 16:08:36 1.73
+++ pkgsrc/net/samba/distinfo 2010/06/19 14:08:56 1.74

 @@ -1,14 +1,14 @@
-$NetBSD: distinfo,v 1.73 2010/02/09 16:08:36 drochner Exp $
+$NetBSD: distinfo,v 1.74 2010/06/19 14:08:56 taca Exp $
 SHA1 (samba-3.0.37.tar.gz) = 5ec6bc6558b3c799f747eb49fbba019d5edf0cbd
 RMD160 (samba-3.0.37.tar.gz) = 06b76ae22729e10c83d6af42d03b03ad69e49103
 Size (samba-3.0.37.tar.gz) = 23416703 bytes
 SHA1 (patch-aa) = c3a1fd7cf6f8db8ea4001c697b19df555b496b29
 SHA1 (patch-ac) = 47529dfe904768e6a3076131978c89fe2d1e3619
 SHA1 (patch-ae) = 28fc3d1ad158f8025f1f9ba8e170d93c31fa45ba
 SHA1 (patch-af) = 9f14842b7d0b5e66bf1d52bcacefe5e1aa392b7c
 SHA1 (patch-ag) = c73e717e053b6618b2a334602fefabe5a5f98a98
 SHA1 (patch-ak) = 0c69720954282022c7982d36eaee94a03db7b689
 SHA1 (patch-at) = de18d1fa7f1d4a2e9e3c0b28173584c7d42ed710
 SHA1 (patch-au) = e8a86ff28c2e22e1a9c3b80b90bcaea573b856ca
 SHA1 (patch-av) = c29ba19e96c24ef95a9a043f8678d77c00d73506
 @@ -29,13 +29,14 @@ SHA1 (patch-bp) = ab55020e477ff36403b1e5
 SHA1 (patch-bq) = dc25eb43336d4ad7ecef1b4ea8c5dcd72cc91a7b
 SHA1 (patch-br) = fc0d4c1f638a534f86e59ed8ebaddbf1978fa64f
 SHA1 (patch-bs) = da62a8e59fbab1b9ef9fbcd623f5d63816667447
 SHA1 (patch-bu) = 317d0a197e4564c6ab734890302c1f73cc54e1df
 SHA1 (patch-bv) = 2d80f4e24edab32bf4f620f651e70b9e63d28cc5
 SHA1 (patch-bw) = 83a57fd2c21e1abd1bfab046e867096d46931958
 SHA1 (patch-ca) = 0c2c4c1bdb3348de3e8719cc468a6e0c28a36b73
 SHA1 (patch-ce) = 81c6c2d9c6c0df7180d41a0382f2b4600f545620
 SHA1 (patch-cf) = 8b50f657f8f4fa71936ec4766c2517ca5d128ff7
 SHA1 (patch-cg) = 2755a019759826a39c3e201f6a0d1646e6dd2fba
 SHA1 (patch-ch) = 3c4c404519154e294cee134ddb4d2b9c7d8e02a2
 SHA1 (patch-ci) = d78298d0997cf7877cfe2411355fb6c61dec17f6
 SHA1 (patch-da) = 2dddd250b2207d658b02ff43b46199ce4305b7f8
 SHA1 (patch-ee) = d52511dc7d065db7ba1464138c4bc85cfe2f0d59

$NetBSD: patch-ee,v 1.3 2010/06/19 14:08:56 taca Exp $

Patch to fix CVE-2010-2063.

--- smbd/process.c.orig	2009-09-30 12:21:56.000000000 +0000
+++ smbd/process.c
@@ -1159,6 +1159,7 @@ int chain_reply(char *inbuf,char *outbuf
 {
 	static char *orig_inbuf;
 	static char *orig_outbuf;
+	static int orig_size;
 	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
 	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
 	char *inbuf2, *outbuf2;
@@ -1178,6 +1179,13 @@ int chain_reply(char *inbuf,char *outbuf
 		/* this is the first part of the chain */
 		orig_inbuf = inbuf;
 		orig_outbuf = outbuf;
+		orig_size = size;
+	}
+
+	/* Validate smb_off2 */
+	if ((smb_off2 < smb_wct - 4) || orig_size < (smb_off2 + 4 - smb_wct)) {
+		exit_server_cleanly("Bad chained packet");
+		return -1;
 	}
 
 	/*
@@ -1192,6 +1200,11 @@ int chain_reply(char *inbuf,char *outbuf
 	SSVAL(outbuf,smb_vwv1,smb_offset(outbuf+outsize,outbuf));
 	SCVAL(outbuf,smb_vwv0,smb_com2);
 
+	if (outsize <= smb_wct) {
+		exit_server_cleanly("Bad chained packet");
+		return -1;
+	}
+
 	/* remember how much the caller added to the chain, only counting stuff
 		after the parameter words */
 	chain_size += outsize - smb_wct;