diff options
author | bubulle <bubulle@alioth.debian.org> | 2009-06-21 09:49:40 +0000 |
---|---|---|
committer | bubulle <bubulle@alioth.debian.org> | 2009-06-21 09:49:40 +0000 |
commit | 21cc4c69af8a2efe03341c2b8030137d825ea320 (patch) | |
tree | 973ca74e686ebcac9221a3c84e8b4787766d26eb | |
parent | e5137130912599187412fecd9459c7c129087bcb (diff) | |
download | samba-21cc4c69af8a2efe03341c2b8030137d825ea320.tar.gz |
Security update for backports.org
git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/samba/backports.org/lenny@2899 fc4039ab-9d04-0410-8cac-899223bdd6b0
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/patches/security-upstream_6478.patch | 182 | ||||
-rw-r--r-- | debian/patches/series | 1 |
3 files changed, 190 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog index 040b878ee7..66852addd1 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +samba (2:3.3.4-1~bpo50+3) lenny-backports; urgency=high + + * Fix Formatstring vulnerability in smbclient. CVE ID + not assigned yet. + + -- Christian Perrier <bubulle@debian.org> Sun, 21 Jun 2009 11:47:35 +0200 + samba (2:3.3.4-1~bpo50+2) lenny-backports; urgency=low * Rebuild (really for lenny this time) diff --git a/debian/patches/security-upstream_6478.patch b/debian/patches/security-upstream_6478.patch new file mode 100644 index 0000000000..521049c11a --- /dev/null +++ b/debian/patches/security-upstream_6478.patch @@ -0,0 +1,182 @@ +Goal: Fix Formatstring vulnerability in smbclient + +Fixes: Upstream security fix. CVE ID to be assigned. + +Status wrt upstream: Fixed in 3.2.13 + +Author: Volker Lendecke <vl@samba.org> + +Note: The smbclient commands dealing with file + names treat user input as a format string + to asprintf. + +Index: lenny/source/client/client.c +=================================================================== +--- lenny.orig/source/client/client.c 2009-06-19 20:03:39.198283928 +0200 ++++ lenny/source/client/client.c 2009-06-19 20:03:52.398284448 +0200 +@@ -364,7 +364,7 @@ + + /* Ensure cur_dir ends in a DIRSEP */ + if ((new_cd[0] != '\0') && (*(new_cd+strlen(new_cd)-1) != CLI_DIRSEP_CHAR)) { +- new_cd = talloc_asprintf_append(new_cd, CLI_DIRSEP_STR); ++ new_cd = talloc_asprintf_append(new_cd, "%s", CLI_DIRSEP_STR); + if (!new_cd) { + goto out; + } +@@ -871,7 +871,7 @@ + if (*buf == CLI_DIRSEP_CHAR) { + mask = talloc_strdup(ctx, buf); + } else { +- mask = talloc_asprintf_append(mask, buf); ++ mask = talloc_asprintf_append(mask, "%s", buf); + } + } else { + mask = talloc_asprintf_append(mask, "*"); +@@ -912,7 +912,7 @@ + return 1; + } + if ((mask[0] != '\0') && (mask[strlen(mask)-1]!=CLI_DIRSEP_CHAR)) { +- mask = talloc_asprintf_append(mask, CLI_DIRSEP_STR); ++ mask = talloc_asprintf_append(mask, "%s", CLI_DIRSEP_STR); + if (!mask) { + return 1; + } +@@ -923,7 +923,7 @@ + if (*buf == CLI_DIRSEP_CHAR) { + mask = talloc_strdup(ctx, buf); + } else { +- mask = talloc_asprintf_append(mask, buf); ++ mask = talloc_asprintf_append(mask, "%s", buf); + } + } else { + mask = talloc_strdup(ctx, "*"); +@@ -1107,7 +1107,7 @@ + d_printf("get <filename> [localname]\n"); + return 1; + } +- rname = talloc_asprintf_append(rname, fname); ++ rname = talloc_asprintf_append(rname, "%s", fname); + if (!rname) { + return 1; + } +@@ -1266,7 +1266,7 @@ + unlink(lname); + return 1; + } +- rname = talloc_asprintf_append(rname, fname); ++ rname = talloc_asprintf_append(rname, "%s", fname); + if (!rname) { + return 1; + } +@@ -1318,7 +1318,7 @@ + mget_mask = talloc_strdup(ctx, buf); + } else { + mget_mask = talloc_asprintf_append(mget_mask, +- buf); ++ "%s", buf); + } + if (!mget_mask) { + return 1; +@@ -1414,7 +1414,7 @@ + } + return 1; + } +- mask = talloc_asprintf_append(mask, buf); ++ mask = talloc_asprintf_append(mask, "%s", buf); + if (!mask) { + return 1; + } +@@ -1443,14 +1443,14 @@ + trim_char(ddir,'.','\0'); + p = strtok_r(ddir, "/\\", &saveptr); + while (p) { +- ddir2 = talloc_asprintf_append(ddir2, p); ++ ddir2 = talloc_asprintf_append(ddir2, "%s", p); + if (!ddir2) { + return 1; + } + if (!cli_chkpath(targetcli, ddir2)) { + do_mkdir(ddir2); + } +- ddir2 = talloc_asprintf_append(ddir2, CLI_DIRSEP_STR); ++ ddir2 = talloc_asprintf_append(ddir2, "%s", CLI_DIRSEP_STR); + if (!ddir2) { + return 1; + } +@@ -1482,7 +1482,7 @@ + d_printf("altname <file>\n"); + return 1; + } +- name = talloc_asprintf_append(name, buf); ++ name = talloc_asprintf_append(name, "%s", buf); + if (!name) { + return 1; + } +@@ -1566,7 +1566,7 @@ + d_printf("allinfo <file>\n"); + return 1; + } +- name = talloc_asprintf_append(name, buf); ++ name = talloc_asprintf_append(name, "%s", buf); + if (!name) { + return 1; + } +@@ -1733,9 +1733,9 @@ + } + + if (next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) { +- rname = talloc_asprintf_append(rname, buf); ++ rname = talloc_asprintf_append(rname, "%s", buf); + } else { +- rname = talloc_asprintf_append(rname, lname); ++ rname = talloc_asprintf_append(rname, "%s", lname); + } + if (!rname) { + return 1; +@@ -2132,7 +2132,7 @@ + d_printf("del <filename>\n"); + return 1; + } +- mask = talloc_asprintf_append(mask, buf); ++ mask = talloc_asprintf_append(mask, "%s", buf); + if (!mask) { + return 1; + } +@@ -3524,7 +3524,7 @@ + d_printf("reget <filename>\n"); + return 1; + } +- remote_name = talloc_asprintf_append(remote_name, fname); ++ remote_name = talloc_asprintf_append(remote_name, "%s", fname); + if (!remote_name) { + return 1; + } +@@ -3571,10 +3571,10 @@ + + if (next_token_talloc(ctx, &cmd_ptr, &buf, NULL)) { + remote_name = talloc_asprintf_append(remote_name, +- buf); ++ "%s", buf); + } else { + remote_name = talloc_asprintf_append(remote_name, +- local_name); ++ "%s", local_name); + } + if (!remote_name) { + return 1; +@@ -4107,13 +4107,13 @@ + TALLOC_FREE(ctx); + return; + } +- tmp = talloc_asprintf_append(tmp, f->name); ++ tmp = talloc_asprintf_append(tmp, "%s", f->name); + if (!tmp) { + TALLOC_FREE(ctx); + return; + } + if (f->mode & aDIR) { +- tmp = talloc_asprintf_append(tmp, CLI_DIRSEP_STR); ++ tmp = talloc_asprintf_append(tmp, "%s", CLI_DIRSEP_STR); + } + if (!tmp) { + TALLOC_FREE(ctx); diff --git a/debian/patches/series b/debian/patches/series index 41c27543f7..e3396c03fa 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -19,3 +19,4 @@ smbtar-bashism.patch no-unnecessary-cups.patch shrink-dead-code.patch fix-manpages-warnings.patch +security-upstream_6478.patch |