http://us1.samba.org/samba/security/CAN-2004-0930.html

A remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters.

The vulnerability affects version 3.0.7 and prior. Probably, Samba 2.x is also affected, but 2.x support was already stopped by the community.

CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0930

A patch for Samba 3.0.7: http://us1.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0930.patch

------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-11-16 02:09:29 ----
Additionally, a new vulnerability has been reported.

http://security.e-matters.de/advisories/132004.html

During an audit of the Samba 3.x codebase a unicode filename buffer overflow within the handling of TRANSACT2_QFILEPATHINFO replies was discovered that allows remote execution of arbitrary code. Exploiting this vulnerability is possible through every Samba user if a special crafted pathname exists. If such a path does not exist the attacker needs write access to one of the network shares.

CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
Red Hat Bugzilla: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134640
Patch: http://us1.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0882.patch

------- Additional Comments From nehresma@css.tayloru.edu 2004-11-16 06:21:15 ----
Created an attachment (id=927)
Backport of the 3.0.7 patch for CAN-2004-0882 to samba 2.2.12

This patch is untested.

------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-16 11:37:16 ----
Here are updated samba packages to QA for rh73, rh90, and fc1:

- CAN-2004-0882, CAN-2004-0930 should be fixed.

i didn't find any in bugzilla, but are there any other vulnerabilities in samba that need to be fixed?

re comment #2: i just used redhat's backported patch for CAN-2004-0882.

changelogs:

rh73:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.2.12-0.73.4.legacy
- apply patches for CAN-2004-0882, CAN-2004-0930 (FL #2264)

rh9:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.2.12-0.90.3.legacy
- apply patches for CAN-2004-0882, CAN-2004-0930 (FL #2264)

fc1:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 3.0.7-2.FC1.1.legacy
- apply patches for CAN-2004-0882, CAN-2004-0930 (FL #2264)
- add BuildRequires: openldap-devel, openssl-devel, and cups-devel

files:

rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.73.4.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.73.4.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-client-2.2.12-0.73.4.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-common-2.2.12-0.73.4.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-swat-2.2.12-0.73.4.legacy.i386.rpm

rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.90.3.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-client-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-common-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-debuginfo-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-swat-2.2.12-0.90.3.legacy.i386.rpm

fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-3.0.7-2.FC1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-client-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-common-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-debuginfo-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-swat-3.0.7-2.FC1.1.legacy.i386.rpm

------- Additional Comments From dom@earth.li 2004-11-16 13:51:48 ----
Red Hat advisory: https://rhn.redhat.com/errata/RHSA-2004-632.html

------- Additional Comments From nehresma@css.tayloru.edu 2004-11-17 06:48:27 ----
In response to rob's
comment #3: Much, much easier. :) I was just now in the process of backporting 0930 from 3.0.8 to 2.2.12. Interestingly enough, Red Hat's patch was very similar to mine. Interestingly, theirs is a bit less intrusive -- they added a few functions that should have gone into util/ into ms_fnmatch.c itself meaning less adjustment to headers, etc.

Good sleuthing on your part!

------- Additional Comments From bugzilla.fedora.us@beej.org 2004-12-16 06:20:10 ----
another exploitable bug (CAN-2004-1154)

http://www.idefense.com/application/poi/display?id=165

the official advisory at http://us1.samba.org/samba/security/CAN-2004-1154.html says:

===
Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges.

Successful remote exploitation allows an attacker to gain root privileges on a vulnerable system. In order to exploit this vulnerability an attacker must possess credentials that allow access to a share on the Samba server.
===

can somebody update the summary with the new CVE number?

------- Additional Comments From bugzilla.fedora.us@beej.org 2004-12-23 11:56:28 ----
heh.. looks like i can be that "somebody" :)

------- Additional Comments From pekkas@netcore.fi 2004-12-23 21:25:51 ----
Patches to 1154 from RHEL appear to be rather straightforward and apply well, see #2349. These can be put together.

QA for all samba packages w/ rpm-build-compare:
- original sources are OK
- patches are verified to come from various RHEL RPMs
- spec file changes are good

One weird thing in RHL9 is that while it's essentially the same version as RHL73, some patches have been disabled and there have been other changes -- but there was already divergence in samba-2.2.7a-8.9.0.src.rpm -> samba-2.2.12-0.90.2.legacy.src.rpm so this isn't changing the situation.

I could give all of them a +PUBLISH, but I think #2349 needs to be addressed at the same time. However, when doing QA for #2349, I suggest folks compare to these RPMs as they seem to be good.

b53b512f11037dc3be9f5e28efc76d824528e508 samba-2.2.12-0.73.4.legacy.src.rpm
8c1ec11e6647968ee0630caa3c2909d46c954b66 samba-2.2.12-0.90.3.legacy.src.rpm
b511d87af1cda57748ab1d6202dbcec12fe38705 samba-3.0.7-2.FC1.1.legacy.src.rpm

------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-13 15:18:32 ----
This bug has been superseded by bug 2349

------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------
This bug previously known as bug 2264 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2264
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Backport of the 3.0.7 patch for CAN-2004-0882 to samba 2.2.12
https://bugzilla.fedora.us/attachment.cgi?action=view&id=927

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl@redhat.com. Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product.
This bug either had no qa contact or an invalid one.
*** This bug has been marked as a duplicate of 152874 ***
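
Added example, not part of the bug report and not Samba's ms_fnmatch.c: the report does not describe the defect behind CAN-2004-0930, so this only illustrates how a backtracking wildcard matcher's work can explode on a filename while a matcher that keeps a single retry point stays bounded. Plain `*`/`?` glob semantics, the function names and the constructed sample input are all assumptions.

```c
#include <stdio.h>

/* Naive matcher (hypothetical): each '*' retries the rest of the pattern at
 * every remaining offset, so k stars over n characters cost about C(n,k) calls. */
static int naive_match(const char *p, const char *s, unsigned long *steps)
{
    ++*steps;
    if (*p == '\0')
        return *s == '\0';
    if (*p == '*') {
        for (const char *t = s; ; ++t) {
            if (naive_match(p + 1, t, steps))
                return 1;
            if (*t == '\0')
                return 0;
        }
    }
    if (*s != '\0' && (*p == '?' || *p == *s))
        return naive_match(p + 1, s + 1, steps);
    return 0;
}

/* Bounded matcher (hypothetical): remembers only the most recent '*' and the
 * offset it was last tried at, so work grows with len(pattern) * len(name). */
static int bounded_match(const char *p, const char *s, unsigned long *steps)
{
    const char *star = NULL, *resume = NULL;
    while (*s != '\0') {
        ++*steps;
        if (*p == '*') { star = ++p; resume = s; }
        else if (*p == '?' || *p == *s) { ++p; ++s; }
        else if (star != NULL) { p = star; s = ++resume; }
        else return 0;
    }
    while (*p == '*')
        ++p;
    return *p == '\0';
}

/* Constructed input: 24 'a' characters and a pattern that can never match. */
static const char NAME[] = "aaaaaaaaaaaaaaaaaaaaaaaa";
static const char PATTERN[] = "*a*a*a*a*a*a*a*a*b";

int main(void)
{
    unsigned long a = 0, b = 0;
    int ra = naive_match(PATTERN, NAME, &a);
    int rb = bounded_match(PATTERN, NAME, &b);
    printf("naive:   match=%d steps=%lu\n", ra, a);
    printf("bounded: match=%d steps=%lu\n", rb, b);
    return 0;
}
```

Both matchers return the same answer on every input here; only the step counts differ, which is the property to test for when reviewing a backported matcher.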