Security update for backports.org

git-svn-id: svn://svn.debian.org/svn/pkg-samba/branches/samba/backports.org/lenny@2899 fc4039ab-9d04-0410-8cac-899223bdd6b0

3 files changed, 190 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 040b878ee7..66852addd1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+samba (2:3.3.4-1~bpo50+3) lenny-backports; urgency=high
+
+  * Fix Formatstring vulnerability in smbclient. CVE ID
+    not assigned yet.
+
+ -- Christian Perrier <bubulle@debian.org>  Sun, 21 Jun 2009 11:47:35 +0200
+
 samba (2:3.3.4-1~bpo50+2) lenny-backports; urgency=low
 
   * Rebuild (really for lenny this time)
diff --git a/debian/patches/security-upstream_6478.patch b/debian/patches/security-upstream_6478.patch
new file mode 100644
index 0000000000..521049c11a
--- /dev/null
+++ b/debian/patches/security-upstream_6478.patch
@@ -0,0 +1,182 @@
+Goal: Fix Formatstring vulnerability in smbclient
+
+Fixes: Upstream security fix. CVE ID to be assigned.
+
+Status wrt upstream: Fixed in 3.2.13
+
+Author: Volker Lendecke <vl@samba.org>
+
+Note: The smbclient commands dealing with file
+      names treat user input as a format string
+      to asprintf.
+
+Index: lenny/source/client/client.c
+===================================================================
+--- lenny.orig/source/client/client.c	2009-06-19 20:03:39.198283928 +0200
++++ lenny/source/client/client.c	2009-06-19 20:03:52.398284448 +0200
+@@ -364,7 +364,7 @@
+ 
+ 	/* Ensure cur_dir ends in a DIRSEP */
+ 	if ((new_cd[0] != '\0') && (*(new_cd+strlen(new_cd)-1) != CLI_DIRSEP_CHAR)) {
+-		new_cd = talloc_asprintf_append(new_cd, CLI_DIRSEP_STR);
++		new_cd = talloc_asprintf_append(new_cd, "%s", CLI_DIRSEP_STR);
+ 		if (!new_cd) {
+ 			goto out;
+ 		}
+@@ -871,7 +871,7 @@
+ 		if (*buf == CLI_DIRSEP_CHAR) {
+ 			mask = talloc_strdup(ctx, buf);
+ 		} else {
+-			mask = talloc_asprintf_append(mask, buf);
++			mask = talloc_asprintf_append(mask, "%s", buf);
+ 		}
+ 	} else {
+ 		mask = talloc_asprintf_append(mask, "*");
+@@ -912,7 +912,7 @@
+ 		return 1;
+ 	}
+ 	if ((mask[0] != '\0') && (mask[strlen(mask)-1]!=CLI_DIRSEP_CHAR)) {
+-		mask = talloc_asprintf_append(mask, CLI_DIRSEP_STR);
++		mask = talloc_asprintf_append(mask, "%s", CLI_DIRSEP_STR);
+ 		if (!mask) {
+ 			return 1;
+ 		}
+@@ -923,7 +923,7 @@
+ 		if (*buf == CLI_DIRSEP_CHAR) {
+ 			mask = talloc_strdup(ctx, buf);
+ 		} else {
+-			mask = talloc_asprintf_append(mask, buf);
++			mask = talloc_asprintf_append(mask, "%s", buf);
+ 		}
+ 	} else {
+ 		mask = talloc_strdup(ctx, "*");
+@@ -1107,7 +1107,7 @@
+ 		d_printf("get <filename> [localname]\n");
+ 		return 1;
+ 	}
+-	rname = talloc_asprintf_append(rname, fname);
++	rname = talloc_asprintf_append(rname, "%s", fname);
+ 	if (!rname) {
+ 		return 1;
+ 	}
+@@ -1266,7 +1266,7 @@
+ 		unlink(lname);
+ 		return 1;
+ 	}
+-	rname = talloc_asprintf_append(rname, fname);
++	rname = talloc_asprintf_append(rname, "%s", fname);
+ 	if (!rname) {
+ 		return 1;
+ 	}
+@@ -1318,7 +1318,7 @@
+ 			mget_mask = talloc_strdup(ctx, buf);
+ 		} else {
+ 			mget_mask = talloc_asprintf_append(mget_mask,
+-							buf);
++							"%s", buf);
+ 		}
+ 		if (!mget_mask) {
+ 			return 1;
+@@ -1414,7 +1414,7 @@
+ 		}
+ 		return 1;
+ 	}
+-	mask = talloc_asprintf_append(mask, buf);
++	mask = talloc_asprintf_append(mask, "%s", buf);
+ 	if (!mask) {
+ 		return 1;
+ 	}
+@@ -1443,14 +1443,14 @@
+ 		trim_char(ddir,'.','\0');
+ 		p = strtok_r(ddir, "/\\", &saveptr);
+ 		while (p) {
+-			ddir2 = talloc_asprintf_append(ddir2, p);
++			ddir2 = talloc_asprintf_append(ddir2, "%s", p);
+ 			if (!ddir2) {
+ 				return 1;
+ 			}
+ 			if (!cli_chkpath(targetcli, ddir2)) {
+ 				do_mkdir(ddir2);
+ 			}
+-			ddir2 = talloc_asprintf_append(ddir2, CLI_DIRSEP_STR);
++			ddir2 = talloc_asprintf_append(ddir2, "%s", CLI_DIRSEP_STR);
+ 			if (!ddir2) {
+ 				return 1;
+ 			}
+@@ -1482,7 +1482,7 @@
+ 		d_printf("altname <file>\n");
+ 		return 1;
+ 	}
+-	name = talloc_asprintf_append(name, buf);
++	name = talloc_asprintf_append(name, "%s", buf);
+ 	if (!name) {
+ 		return 1;
+ 	}
+@@ -1566,7 +1566,7 @@
+ 		d_printf("allinfo <file>\n");
+ 		return 1;
+ 	}
+-	name = talloc_asprintf_append(name, buf);
++	name = talloc_asprintf_append(name, "%s", buf);
+ 	if (!name) {
+ 		return 1;
+ 	}
+@@ -1733,9 +1733,9 @@
+ 	}
+ 
+ 	if (next_token_talloc(ctx, &cmd_ptr,&buf,NULL)) {
+-		rname = talloc_asprintf_append(rname, buf);
++		rname = talloc_asprintf_append(rname, "%s", buf);
+ 	} else {
+-		rname = talloc_asprintf_append(rname, lname);
++		rname = talloc_asprintf_append(rname, "%s", lname);
+ 	}
+ 	if (!rname) {
+ 		return 1;
+@@ -2132,7 +2132,7 @@
+ 		d_printf("del <filename>\n");
+ 		return 1;
+ 	}
+-	mask = talloc_asprintf_append(mask, buf);
++	mask = talloc_asprintf_append(mask, "%s", buf);
+ 	if (!mask) {
+ 		return 1;
+ 	}
+@@ -3524,7 +3524,7 @@
+ 		d_printf("reget <filename>\n");
+ 		return 1;
+ 	}
+-	remote_name = talloc_asprintf_append(remote_name, fname);
++	remote_name = talloc_asprintf_append(remote_name, "%s", fname);
+ 	if (!remote_name) {
+ 		return 1;
+ 	}
+@@ -3571,10 +3571,10 @@
+ 
+ 	if (next_token_talloc(ctx, &cmd_ptr, &buf, NULL)) {
+ 		remote_name = talloc_asprintf_append(remote_name,
+-						buf);
++						"%s", buf);
+ 	} else {
+ 		remote_name = talloc_asprintf_append(remote_name,
+-						local_name);
++						"%s", local_name);
+ 	}
+ 	if (!remote_name) {
+ 		return 1;
+@@ -4107,13 +4107,13 @@
+ 				TALLOC_FREE(ctx);
+ 				return;
+ 			}
+-			tmp = talloc_asprintf_append(tmp, f->name);
++			tmp = talloc_asprintf_append(tmp, "%s", f->name);
+ 			if (!tmp) {
+ 				TALLOC_FREE(ctx);
+ 				return;
+ 			}
+ 			if (f->mode & aDIR) {
+-				tmp = talloc_asprintf_append(tmp, CLI_DIRSEP_STR);
++				tmp = talloc_asprintf_append(tmp, "%s", CLI_DIRSEP_STR);
+ 			}
+ 			if (!tmp) {
+ 				TALLOC_FREE(ctx);
diff --git a/debian/patches/series b/debian/patches/series
index 41c27543f7..e3396c03fa 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,3 +19,4 @@ smbtar-bashism.patch
 no-unnecessary-cups.patch
 shrink-dead-code.patch
 fix-manpages-warnings.patch
+security-upstream_6478.patch