Bug 499765 (CVE-2008-6800)

Summary: CVE-2008-6800 samba: race condition in winbindd may lead to DoS
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: samba-bugs-list, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6800
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-05-12 21:44:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vincent Danen 2009-05-08 03:36:37 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6800 to
the following vulnerability:

Name: CVE-2008-6800
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6800
Assigned: 20090507
Reference: BUGTRAQ:20081030 rPSA-2008-0308-1 samba samba-client samba-server samba-swat
Reference: URL: http://www.securityfocus.com/archive/1/archive/1/497941/100/0/threaded
Reference: MISC: https://issues.rpath.com/browse/RPL-2766
Reference: CONFIRM: http://wiki.rpath.com/Advisories:rPSA-2008-0308
Reference: CONFIRM: http://www.samba.org/samba/history/samba-3.0.32.html

Race condition in the winbind daemon (aka winbindd) in Samba before
3.0.32 allows attackers to cause a denial of service (crash) via
unspecified vectors related to an "unresponsive" child process.
Comment 2 Vincent Danen 2009-05-08 14:36:55 UTC 
Upstream commit to fix this issue is here:

http://gitweb.samba.org/?p=samba.git;a=commitdiff;h=c93d42969451949566327e7fdbf29bfcee2c8319
Comment 4 Simo Sorce 2009-05-08 14:47:08 UTC 
Sorry, I have to ask, what is the point of this bugzilla ?
Comment 7 Vincent Danen 2009-05-12 21:44:37 UTC 
The Red Hat Security Team does not view this as a vulnerability.

The winbindd children process run as root, and in order to exploit this race condition, not only does a local user require sufficiently elevated privileges (such as root), but must also be able to time the kill of the child process accurately, which we do not believe would be at all easy.  If the user did have root privileges, it would be much easier to kill the winbindd parent process, or even take down the entire system, to accomplish a denial of service attack, than to attempt to exploit this race condition.