Bug 526645 (CVE-2009-2906)

Summary: CVE-2009-2906 samba: infinite loop flaw in smbd on unexpected oplock break notification reply
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: gdeschner, kreilly, mjc, security-response-team, ssorce
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-11-19 15:00:38 UTC
Bug Depends On: 526657, 526658, 526659, 526660, 526661, 526663
Attachments (description, flags):
  Upstream patch - 3.0.x (flags: none)
  Upstream patch - 3.2.x (flags: none)
  Upstream patch - 3.3.x (flags: none)
  Upstream patch - 3.4.x (flags: none)

Description Tomas Hoger 2009-10-01 09:32:01 UTC
Quoting upcoming Samba security advisory:

  Subject: Remote DoS against smbd on authenticated connections
  Versions: All known versions of samba
  Summary: Specially crafted SMB requests on authenticated SMB
    connections can send smbd into a 100% CPU loop, causing a DoS
    on the Samba server

  Description:
  Smbd is susceptible to a remote DoS attack by an authenticated
  remote client.

  If the client sends a reply to an oplock break notification
  that Samba does not expect it can cause smbd to spin the CPU
  repeatedly trying to process the unexpected packet and being
  unable to finish the processing. This is unlikely to happen
  with normal client activity (although not impossible).

Comment 1 Tomas Hoger 2009-10-01 09:35:04 UTC
Created attachment 363297
Upstream patch - 3.0.x

Comment 2 Tomas Hoger 2009-10-01 09:35:31 UTC
Created attachment 363298
Upstream patch - 3.2.x

Comment 3 Tomas Hoger 2009-10-01 09:36:07 UTC
Created attachment 363299
Upstream patch - 3.3.x

Comment 4 Tomas Hoger 2009-10-01 09:37:02 UTC
Created attachment 363300
Upstream patch - 3.4.x

Comment 7 Tomas Hoger 2009-10-01 10:12:56 UTC
Upstream advisory:
  http://www.samba.org/samba/security/CVE-2009-2906.html

Fixed upstream in: 3.0.37, 3.2.15, 3.3.8 and 3.4.2

Comment 12 Fedora Update System 2009-10-03 18:57:39 UTC
samba-3.2.15-0.36.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2009-10-03 18:59:29 UTC
samba-3.4.2-0.42.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 errata-xmlrpc 2009-10-27 16:46:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 3

Via RHSA-2009:1528 https://rhn.redhat.com/errata/RHSA-2009-1528.html

Comment 15 errata-xmlrpc 2009-10-27 17:11:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1529 https://rhn.redhat.com/errata/RHSA-2009-1529.html

Comment 16 errata-xmlrpc 2009-11-16 15:39:56 UTC
This issue has been addressed in the following products:

  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1585 https://rhn.redhat.com/errata/RHSA-2009-1585.html