Bug 8347 - CVE-2011-2522 regression for HP-UX, AIX and OSF
Summary: CVE-2011-2522 regression for HP-UX, AIX and OSF
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.6
Classification: Unclassified
Component: Build environment (show other bugs)
Version: 3.6.0rc3
Hardware: All HP-UX
: P5 critical
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-03 18:57 UTC by Torgeir Lerkerød
Modified: 2011-08-09 12:30 UTC (History)
4 users (show)

See Also:


Attachments
Patch to fix regresion (3.98 KB, text/plain)
2011-08-03 18:57 UTC, Torgeir Lerkerød
no flags Details
Patch for master (1.50 KB, patch)
2011-08-05 18:07 UTC, Stefan Metzmacher
kai: review+
Details
Patch for v3-6-test (1.68 KB, patch)
2011-08-09 06:37 UTC, Stefan Metzmacher
kai: review+
Details
Patch for v3-5-test (1.68 KB, patch)
2011-08-09 07:18 UTC, Stefan Metzmacher
kai: review+
Details
Patch for v3-4-test (1.68 KB, patch)
2011-08-09 07:18 UTC, Stefan Metzmacher
kai: review+
Details
Patch for v3-3-test (1.68 KB, patch)
2011-08-09 11:32 UTC, Stefan Metzmacher
kai: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Torgeir Lerkerød 2011-08-03 18:57:43 UTC
Created attachment 6751 [details]
Patch to fix regresion

CVE-2011-2522 introduced the dependency on atoll. Atoll
is not supported on AIX 5.1, HP-UX 11, OSF/1 5.1, 
Interix 3.5.

This patch adds a replace function for atoll based on 
http://pubs.opengroup.org/onlinepubs/9699919799/functions/atoll.html

Patch includes:
* Waf test
* Configure test
* actual code to libreplace for atoll
* added testcase to replacetest

The replacement was possible, because strtoll is allready
supported by libreplace.
Comment 1 Stefan Metzmacher 2011-08-05 18:07:00 UTC
Created attachment 6756 [details]
Patch for master

I think it's better to use strtoll() in the caller.

Kai, can you please test if this also works as desired?

metze
Comment 2 Kai Blin 2011-08-06 07:09:29 UTC
Comment on attachment 6756 [details]
Patch for master

Looks good.
Comment 3 Stefan Metzmacher 2011-08-09 06:37:46 UTC
Created attachment 6760 [details]
Patch for v3-6-test

I'm not sure if this is needed for 3.6.0, it should at least not delay it.
Comment 4 Kai Blin 2011-08-09 07:04:17 UTC
Comment on attachment 6760 [details]
Patch for v3-6-test

Direct cherry-pick of the code I reviewed for master, the related code in SWAT is unchanged between 3.6 and master.
Comment 5 Stefan Metzmacher 2011-08-09 07:14:24 UTC
Karolin, please pick for 3.6.0 or 3.6.1
Comment 6 Stefan Metzmacher 2011-08-09 07:18:25 UTC
Created attachment 6761 [details]
Patch for v3-5-test
Comment 7 Stefan Metzmacher 2011-08-09 07:18:56 UTC
Created attachment 6762 [details]
Patch for v3-4-test
Comment 8 Kai Blin 2011-08-09 07:19:42 UTC
Comment on attachment 6761 [details]
Patch for v3-5-test

Same as before.
Comment 9 Kai Blin 2011-08-09 07:20:12 UTC
Comment on attachment 6762 [details]
Patch for v3-4-test

Ditto.
Comment 10 Kai Blin 2011-08-09 07:21:27 UTC
Karolin, the patches look good for inclusion into the next 3.5 (and possibly 3.4) releases.
Comment 11 Karolin Seeger 2011-08-09 11:24:06 UTC
Pushed to v3-4-test, v3-5-test and v3-6-test.
Will be included in 3.6.0.
Closing out bug report.

Thanks!
Comment 12 Stefan Metzmacher 2011-08-09 11:32:46 UTC
Created attachment 6765 [details]
Patch for v3-3-test
Comment 13 Karolin Seeger 2011-08-09 11:44:21 UTC
(In reply to comment #12)
> Created attachment 6765 [details]
> Patch for v3-3-test

Pushed to v3-3-test.
Comment 14 Kai Blin 2011-08-09 12:30:35 UTC
Comment on attachment 6765 [details]
Patch for v3-3-test

Last but not least, fine as well.