Bug 1108748 (CVE-2014-3493) - CVE-2014-3493 samba: smbd unicode path names denial of service
Summary: CVE-2014-3493 samba: smbd unicode path names denial of service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-3493
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1108840 1108841 1108842 1108843 1108844 1108845 1112150 1112151 1112251
Blocks: 1098221
TreeView+ depends on / blocked
 
Reported: 2014-06-12 13:59 UTC by Stefan Cornelius
Modified: 2023-05-12 04:00 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was discovered that smbd, the Samba file server daemon, did not properly handle certain files that were stored on the disk and used a valid Unicode character in the file name. An attacker able to send an authenticated non-Unicode request that attempted to read such a file could cause smbd to crash.
Clone Of:
Environment:
Last Closed: 2014-08-12 16:49:18 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0866 0 normal SHIPPED_LIVE Moderate: samba and samba3x security update 2014-07-09 20:27:55 UTC
Red Hat Product Errata RHSA-2014:0867 0 normal SHIPPED_LIVE Moderate: samba security update 2014-07-09 20:17:12 UTC

Description Stefan Cornelius 2014-06-12 13:59:28 UTC
It was discovered that smbd, the Samba file server deamon, did not properly handle certain valid on-disk unicode path names if an authenticated client tries to read them via a non-unicode request.

In case the push_ascii() function encounters an error, e.g. a conversion failure, its error return value may incorrectly be used as a pointer in subsequent memory writes, leading to a crash or possible memory corruption. 

Acknowledgments:

Red Hat would like to thank the Samba project for reporting this issue. The Samba project acknowledges Simon Arlott as the original reporter.

Comment 7 Stefan Cornelius 2014-06-23 12:21:38 UTC
Public now.

External Reference:

http://www.samba.org/samba/security/CVE-2014-3493

Comment 8 Stefan Cornelius 2014-06-23 12:26:25 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1112251]

Comment 9 Stefan Cornelius 2014-07-02 09:19:27 UTC
Statement:

This issue affects the versions of samba3x as shipped with Red Hat Enterprise Linux 5. This issue affects the versions of samba and samba4 as shipped with Red Hat Enterprise Linux 6. This issue affects the versions of samba as shipped with Red Hat Enterprise Linux 7. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 5.

Comment 10 Martin Prpič 2014-07-08 12:53:06 UTC
IssueDescription:

It was discovered that smbd, the Samba file server daemon, did not properly handle certain files that were stored on the disk and used a valid Unicode character in the file name. An attacker able to send an authenticated non-Unicode request that attempted to read such a file could cause smbd to crash.

Comment 11 errata-xmlrpc 2014-07-09 16:18:47 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:0867 https://rhn.redhat.com/errata/RHSA-2014-0867.html

Comment 12 errata-xmlrpc 2014-07-09 16:29:38 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:0866 https://rhn.redhat.com/errata/RHSA-2014-0866.html

Comment 14 Stefan Cornelius 2014-08-12 16:49:18 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2014:1009 https://rhn.redhat.com/errata/RHSA-2014-1009.html


Note You need to log in before you can comment on or make changes to this bug.