2 files changed, 25 insertions, 0 deletions

diff --git a/debian/changelog b/debian/changelog
index 222c60a1e2..a530289920 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (3.0.24-6etch7) stable-security; urgency=low
+
+  * Fix for one final regression related to the fix for CVE-2007-4572,
+    pulled from upstream.  Thanks to Santiago Garcia Mantinan
+    <manty@debian.org> for catching this.
+
+ -- Steve Langasek <vorlon@debian.org>  Sat, 24 Nov 2007 02:17:06 -0800
+
 samba (3.0.24-6etch6) stable-security; urgency=high
 
   * debian/patches/security-CVE-2007-4572_part2.patch: fix a regression
diff --git a/debian/patches/security-CVE-2007-4572_part2.patch b/debian/patches/security-CVE-2007-4572_part2.patch
index 62ff142fc9..67c5385b66 100644
--- a/debian/patches/security-CVE-2007-4572_part2.patch
+++ b/debian/patches/security-CVE-2007-4572_part2.patch
@@ -238,3 +238,20 @@ Index: samba-3.0.24/source/smbd/trans2.c
  				pdata += len;
  				data_size = PTR_DIFF(pdata,(*ppdata));
  
+diff --git a/source/smbd/sesssetup.c b/source/smbd/sesssetup.c
+index 05a5962..058faed 100644
+--- a/source/smbd/sesssetup.c
++++ b/source/smbd/sesssetup.c
+@@ -68,9 +68,9 @@ static int add_signature(char *outbuf, char *p)
+ 
+ 	fstr_sprintf( lanman, "Samba %s", SAMBA_VERSION_STRING);
+ 
+-	p += srvstr_push(outbuf, p, "Unix", -1, STR_TERMINATE);
+-	p += srvstr_push(outbuf, p, lanman, -1, STR_TERMINATE);
+-	p += srvstr_push(outbuf, p, lp_workgroup(), -1, STR_TERMINATE);
++	p += srvstr_push(outbuf, p, "Unix", BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++	p += srvstr_push(outbuf, p, lanman, BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
++	p += srvstr_push(outbuf, p, lp_workgroup(), BUFFER_SIZE - (p - outbuf), STR_TERMINATE);
+ 
+ 	return PTR_DIFF(p, start);
+ }