Back to bug 2222794
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| TEJ RATHI | 2023-07-13 18:08:16 UTC | CC | security-response-team | |
| TEJ RATHI | 2023-07-13 18:11:40 UTC | CC | abokovoy, anoopcs, asn, dkarpele, nobody, pfilipen, sbose | |
| TEJ RATHI | 2023-07-13 18:13:19 UTC | Blocks | 2216374 | |
| TEJ RATHI | 2023-07-14 11:42:26 UTC | Depends On | 2222896, 2222894, 2222895 | |
| TEJ RATHI | 2023-07-17 14:35:18 UTC | Deadline | 2023-07-19 | |
| TEJ RATHI | 2023-07-19 14:52:34 UTC | Fixed In Version | samba 4.16.11, samba 4.17.10, samba 4.18.5 | |
| TEJ RATHI | 2023-07-20 05:18:20 UTC | Doc Text | A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. With a RPC worker processes shared among multiple client connections, a malicious client/attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients that are also served by this worker. | |
| TEJ RATHI | 2023-07-20 09:24:54 UTC | Summary | EMBARGOED CVE-2023-34967 samba: type confusion in mdssvc RPC service for spotlight | CVE-2023-34967 samba: type confusion in mdssvc RPC service for spotlight |
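| TEJ RATHI | 2023-07-20 09:24:54 UTC | CC | rhs-smb | |
| TEJ RATHI | 2023-07-20 09:24:54 UTC | Group | qe_staff, security | |
| TEJ RATHI | 2023-07-20 09:24:54 UTC | Deadline | 2023-07-19 | |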
| TEJ RATHI | 2023-07-20 09:33:07 UTC | Depends On | 2224252 | |
| RaTasha Tillery-Smith | 2023-07-20 13:41:44 UTC | Doc Text | A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. With a RPC worker processes shared among multiple client connections, a malicious client/attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients that are also served by this worker. | A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves. |