Bug 152780 - CAN-2004-0829 samba - DOS in smbd
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
unspecified
All Linux
medium Severity medium
Assigned To: Fedora Legacy Bugs
http://www.securityfocus.com/archive/...
LEGACY, QA, rh73, rh90
Reported: 2004-09-09 17:20 EDT by Marc Deslauriers
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 18:27:11 EST
The Samba 2.2.11 release addresses the following bug:

~  o Crashes in smbd triggered by a Windows XP SP2 client sending
~    a FindNextPrintChangeNotify() request without previously
~    issuing FindFirstPrintChangeNotify().

Upstream released 2.2.11 on 2004-08-12.

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131446
http://www.securityfocus.com/archive/1/373619



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-09 17:22:13 ----

See bug 1924



------- Additional Comments From v@iki.fi 2004-09-09 19:14:50 ----

The actual fix in the 2.2.10 -> 2.2.11 patch from 

http://fi.samba.org/samba/ftp/patches/patch-2.2.10-2.2.11.diffs.gz

appears trivial:

--- samba-2.2.10/source/rpc_server/srv_spoolss_nt.c     Wed Jul 21 10:04:45 2004
+++ samba-2.2.11/source/rpc_server/srv_spoolss_nt.c     Thu Aug 12 13:31:57 2004
@@ -2830,6 +2830,12 @@
        info->data=NULL;
        info->count=0;
 
+       /* a bug in xp sp2 rc2 causes it to send a fnpcn request without 
+          sending a ffpcn() request first */
+
+       if ( !option )
+               return WERR_BADFID;
+
        for (i=0; i<option->count; i++) {
                option_type=&(option->ctr.type[i]);
                
@@ -2891,6 +2897,12 @@
        info->data=NULL;
        info->count=0;
 
+       /* a bug in xp sp2 rc2 causes it to send a fnpcn request without 
+          sending a ffpcn() request first */
+
+       if ( !option )
+               return WERR_BADFID;
+
        get_printer_snum(p, hnd, &snum);
 
        for (i=0; i<option->count; i++) {
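Review bot: The guard `if ( !option ) return WERR_BADFID;` and its comment duplicate the previous hunk verbatim, so the same precondition is now enforced separately in two functions; if both are reached from one caller, checking `option` once there would keep a later addition from missing it. In this hunk the guard is followed by `get_printer_snum(p, hnd, &snum);` with the result discarded in the visible lines; if that lookup can fail, its result should be checked before `snum` is used. WERR_BADFID also reads as a bad-handle error while the condition tested is a missing option, so the comment should state why that code was chosen.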



------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-10 04:40:39 ----

This may not be an issue:

"We incorrectly thought that this bug could be exploited to deny service to all
Samba users. It is not the case, this bug has no security impact whatsoever.
Many thanks to Jerry Carter from the Samba team for correcting our mistake."

http://www.gentoo.org/security/en/glsa/glsa-200409-14.xml



------- Additional Comments From ckelley@ibnads.com 2004-09-10 04:55:14 ----

So what's the verdict?  Do we need new packages?  If not, then the published
ones need to be pushed out to testing.



------- Additional Comments From ckelley@ibnads.com 2004-09-14 12:05:12 ----

8e5b7339cc004863d5dffc9302e5b28259a777ef  samba-2.2.11-0.73.0.legacy.i386.rpm
5610a16753900c0c8ba6bce53ca86c448c66b1b7  samba-2.2.11-0.73.0.legacy.src.rpm
c041d1064d7d9a3ad91a83ab3cf16d818cd609e2  samba-client-2.2.11-0.73.0.legacy.i386.rpm
4e79e939f6ad45b0cbba36b123e4fac5af18ea72  samba-common-2.2.11-0.73.0.legacy.i386.rpm
a861d914a80864bd22528c835f9c0d5495a915fb  samba-swat-2.2.11-0.73.0.legacy.i386.rpm

http://www.ibnads.com/fedora_legacy/samba/

This is simply the 2.2.10 sources from bug #1924 with the samba project's
2.2.11 release;  Redhat 7.3 has gone through pretty much every minor version
of 2.2 (starting with 2.2.3a), so I don't see a problem with another one.  I
don't have a Redhat 9 box to build those on.




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-14 12:40:04 ----

I did QA on the packages for 7.3:

5610a16753900c0c8ba6bce53ca86c448c66b1b7  samba-2.2.11-0.73.0.legacy.src.rpm

- Source tarball matches upstream
- Other source files match previous release
- Spec file looks good
- Build, installs and seems to run fine.

I think going to 2.2.11 is a good idea.

+PUBLISH




------- Additional Comments From marcdeslauriers@videotron.ca 2004-09-14 13:46:58 ----

Here are packages for rh9:

Changelog:
* Tue Sep 14 2004 Marc Deslauriers <marcdeslauriers@videotron.ca>
2.2.11-0.90.0.legacy
- Updated to samba-2.2.11 to fix the PrintChangeNotify bug (samba bug #1520)

ebf61bf380c27d4e3d2557616417516008672acc  samba-2.2.11-0.90.0.legacy.i386.rpm
342afeda18953c0a30eac9b19ddbd11b15f55a8d  samba-2.2.11-0.90.0.legacy.src.rpm
b451285b0c540e163f2e5307b8d6622b248c587e  samba-client-2.2.11-0.90.0.legacy.i386.rpm
78c15f672d0ffae6a29e842fe1762277cd87dfa3  samba-common-2.2.11-0.90.0.legacy.i386.rpm
169acb2cc28c1324c45f0211eecc59fb721028ae  samba-swat-2.2.11-0.90.0.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/samba-2.2.11-0.90.0.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-2.2.11-0.90.0.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-client-2.2.11-0.90.0.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-common-2.2.11-0.90.0.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-swat-2.2.11-0.90.0.legacy.i386.rpm




------- Additional Comments From mule@umich.edu 2004-09-14 16:14:42 ----

ebf61bf380c27d4e3d2557616417516008672acc  samba-2.2.11-0.90.0.legacy.i386.rpm
342afeda18953c0a30eac9b19ddbd11b15f55a8d  samba-2.2.11-0.90.0.legacy.src.rpm
b451285b0c540e163f2e5307b8d6622b248c587e  samba-client-2.2.11-0.90.0.legacy.i386.rpm
78c15f672d0ffae6a29e842fe1762277cd87dfa3  samba-common-2.2.11-0.90.0.legacy.i386.rpm
169acb2cc28c1324c45f0211eecc59fb721028ae  samba-swat-2.2.11-0.90.0.legacy.i386.rpm

For Red Hat 9:
* Checked spec file - ok
* Build from source - ok
* Install - ok
* Runs - ok

PUBLISH

FYI from http://us4.samba.org/samba/history/samba-2.2.11.html:

"Please note that the Samba 2.2 code tree will reach its End-Of-Life
on October 1, 2004."



------- Additional Comments From sheltren@cs.ucsb.edu 2004-09-28 07:00:45 ----

ebf61bf380c27d4e3d2557616417516008672acc  samba-2.2.11-0.90.0.legacy.i386.rpm
342afeda18953c0a30eac9b19ddbd11b15f55a8d  samba-2.2.11-0.90.0.legacy.src.rpm
b451285b0c540e163f2e5307b8d6622b248c587e  samba-client-2.2.11-0.90.0.legacy.i386.rpm
78c15f672d0ffae6a29e842fe1762277cd87dfa3  samba-common-2.2.11-0.90.0.legacy.i386.rpm
169acb2cc28c1324c45f0211eecc59fb721028ae  samba-swat-2.2.11-0.90.0.legacy.i386.rpm

Spec file looks OK.
Source package builds OK.
Binary packages install OK.
Client works fine connecting to another samba server.
Server starts up and I was able to connect to it OK.

PUBLISH++



------- Additional Comments From ckelley@ibnads.com 2004-09-30 04:12:36 ----

Subject:        Potential Arbitrary File Access
                                                                                
Affected
Versions:       Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5
                                                                                
Summary:        A remote attacker may be able to gain access
                to files which exist outside of the share's
                defined path. Such files must still be readable
                by the account used for the connection.
                                                                                
                                                                                
Patch Availability
------------------
The patch for Samba 3.0.5 and earlier releases
(samba-3.0.5-reduce_name.patch) can be downloaded
from http://download.samba.org/samba/ftp/patches/security/
                                                                                
Samba 2.2.12 has been released to specifically address
this bug.




------- Additional Comments From ckelley@ibnads.com 2004-09-30 10:01:47 ----

Obsoleted by bug #2102



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2057 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2057
Originally filed under the Fedora Legacy product and Package request component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

