Bug 678328 (CVE-2011-0719)

Summary: CVE-2011-0719 Samba unsafe fd_set usage
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: gdeschner, prc, security-response-team, sparks, vdanen
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-02 19:26:23 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 678329, 678330, 678331, 678332, 678333, 678334, 678335, 681852
Attachments (flags: none):
  v3-0-test.patch from upstream bug
  v3-3-test.patch from upstream bug
  v3-5-test.patch from upstream bug
  v3-0-test.patch from upstream bug (this time correct)
  v3-3-test.patch from upstream bug (this time correct)
  v3-5-test.patch from upstream bug (this time correct)

Description Josh Bressers 2011-02-17 15:46:45 UTC
A flaw was found in the way Samba handles the file descriptor sets (fd_set)
data structure.

The Samba codebase uses file descriptor sets in various places. The fd_set
structure is a fixed size defined by the FD_SETSIZE variable. If a file
descriptor with a value greater than or equal to FD_SETSIZE is added to a
set, it can set a single bit on the stack to a '1'.

In Red Hat Enterprise Linux, all samba processes except for smbd have a
limit set which prevents a process from allocating more than 1024 file
descriptors by default. 1024 is the value of FD_SETSIZE on Red Hat
Enterprise Linux.

smbd does not cap the maximum allowed file descriptors below 1024. This
means that if a remote attacker has the ability to open files on a Samba
server, they may be able to flip arbitrary stack bits to a '1'. It is not
currently believed that this flaw can be used for arbitrary code execution,
but the possibility should not be ruled out.

Acknowledgements:

Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Volker Lendecke of SerNet as the original reporter.
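The two defences the description implies, written out as an added example in C (this is not Samba's code and not the upstream patches attached above; the function names are assumed for illustration): a bounds-checked wrapper around FD_SET()/FD_ISSET() that refuses any descriptor at or above FD_SETSIZE, so the bit is never written outside the fd_set object, and a check of the RLIMIT_NOFILE soft limit against FD_SETSIZE, which is the property that kept the other Samba daemons out of reach of this flaw.

```c
/* Added example, not Samba's code: guard fd_set updates and check the
 * descriptor limit against FD_SETSIZE. All function names are illustrative. */
#include <stdio.h>
#include <sys/select.h>
#include <sys/resource.h>

/* Add fd to the set only if it fits inside the fixed-size bitmap.
 * FD_SET() itself performs no bounds check, so an fd >= FD_SETSIZE would
 * flip a bit outside the fd_set object (on the stack when the set is a
 * local variable). Returns 0 on success, -1 when fd is out of range. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Same guard on the read side: an out-of-range fd is reported as "not set"
 * instead of reading a bit outside the object. */
int safe_fd_isset(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* The report notes that every Samba process except smbd was protected only
 * because RLIMIT_NOFILE was capped at 1024 == FD_SETSIZE. Returns 1 when a
 * given soft limit cannot hand out a descriptor that overflows the set.
 * RLIM_INFINITY is larger than any FD_SETSIZE, so it is reported as unsafe. */
int nofile_limit_fits_fd_set(rlim_t soft_limit)
{
    return soft_limit <= (rlim_t)FD_SETSIZE ? 1 : 0;
}

/* Query the running process's own limit and report whether select()-based
 * code could rely on the limit alone. */
int current_nofile_limit_fits_fd_set(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;   /* unknown limit: treat as unsafe */
    return nofile_limit_fits_fd_set(rl.rlim_cur);
}

int main(void)
{
    fd_set readfds;
    FD_ZERO(&readfds);

    /* Constructed inputs: fd 0 always fits, FD_SETSIZE itself never does. */
    printf("safe_fd_set(0)   -> %d\n", safe_fd_set(0, &readfds));
    printf("safe_fd_set(%d) -> %d\n", FD_SETSIZE, safe_fd_set(FD_SETSIZE, &readfds));
    printf("RLIMIT_NOFILE fits FD_SETSIZE: %d\n", current_nofile_limit_fits_fd_set());
    return 0;
}
```

The wrapper is the durable fix: a process that can be made to open many files cannot be trusted to stay under FD_SETSIZE, so the check belongs at every FD_SET()/FD_ISSET() site. The limit check is only a backstop, because a raised limit (or RLIM_INFINITY) silently removes it.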

Comment 9 Vincent Danen 2011-02-28 23:46:12 UTC
This is public now, and fixed in 3.5.7:

http://samba.org/samba/history/samba-3.5.7.html
http://samba.org/samba/security/CVE-2011-0719.html

Comment 10 errata-xmlrpc 2011-03-01 21:41:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0305 https://rhn.redhat.com/errata/RHSA-2011-0305.html

Comment 11 errata-xmlrpc 2011-03-01 22:07:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0306 https://rhn.redhat.com/errata/RHSA-2011-0306.html

Comment 12 Josh Bressers 2011-03-03 12:37:12 UTC
Created samba tracking bugs for this issue

Affects: fedora-all [bug 681852]