Bug 152847 - CAN-2004-0882,0930,1154 Samba Vulnerabilities
Status: CLOSED DUPLICATE of bug 152874
Product: Fedora Legacy
Classification: Retired
Component: samba
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
http://us1.samba.org/samba/security/C...
Keywords: 1, LEGACY, QA, rh73, rh90
: Security
Reported: 2004-11-09 16:36 EST by David Lawrence
Modified: 2007-04-18 13:22 EDT (History)

Last Closed: 2005-05-16 06:37:22 EDT
Description David Lawrence 2005-03-30 18:29:32 EST
http://us1.samba.org/samba/security/CAN-2004-0930.html

A remote attacker could cause an smbd process
to consume abnormal amounts of system resources
due to an input validation error when matching
filenames containing wildcard characters.

The vulnerability affects version 3.0.7 and prior.
Probably, Samba 2.x is also affected, but 2.x support was already stopped by the
community.

CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0930

A patch for Samba 3.0.7: 
http://us1.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0930.patch



------- Additional Comments From fedora-legacy-bugzilla-2004@fumika.jp 2004-11-16 02:09:29 ----

Additionally, a new vulnerability has been reported.

http://security.e-matters.de/advisories/132004.html

During an audit of the Samba 3.x codebase a unicode filename buffer overflow
within the handling of TRANSACT2_QFILEPATHINFO replies was discovered that
allows remote execution of arbitrary code.

Exploiting this vulnerability is possible through every Samba user if a specially
crafted pathname exists. If such a path does not exist the attacker needs write
access to one of the network shares.

CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882

Red Hat Bugzilla:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134640

Patch:
http://us1.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0882.patch



------- Additional Comments From nehresma@css.tayloru.edu 2004-11-16 06:21:15 ----

Created an attachment (id=927)
Backport of the 3.0.7 patch for CAN-2004-0882 to samba 2.2.12

This patch is untested.



------- Additional Comments From rob.myers@gtri.gatech.edu 2004-11-16 11:37:16 ----

 
Here are updated samba packages to QA for rh73, rh90, and fc1:
  
- CAN-2004-0882, CAN-2004-0930 should be fixed.
 
I didn't find any in bugzilla, but are there any other
vulnerabilities in samba that need to be fixed?
 
re comment #2: I just used redhat's backported patch for CAN-2004-0882.
 
 
changelogs:
 
rh73:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.2.12-0.73.4.legacy
- apply patches for CAN-2004-0882, CAN-2004-0930 (FL #2264)
 
rh9:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 2.2.12-0.90.3.legacy
- apply patches for CAN-2004-0882, CAN-2004-0930 (FL #2264)
 
 
fc1:
* Tue Nov 16 2004 Rob Myers <rob.myers@gtri.gatech.edu> 3.0.7-2.FC1.1.legacy
- apply patches for CAN-2004-0882, CAN-2004-0930 (FL #2264)
- add BuildRequires: openldap-devel, openssl-devel, and cups-devel
 
sha1sums:
 
files:
 
rh73:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.73.4.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.73.4.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-client-2.2.12-0.73.4.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-common-2.2.12-0.73.4.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-swat-2.2.12-0.73.4.legacy.i386.rpm
 
rh9:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.90.3.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-client-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-common-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-debuginfo-2.2.12-0.90.3.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-swat-2.2.12-0.90.3.legacy.i386.rpm
 
fc1:
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-3.0.7-2.FC1.1.legacy.src.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-client-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-common-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-debuginfo-3.0.7-2.FC1.1.legacy.i386.rpm
http://www.stl.gtri.gatech.edu/rmyers/fedoralegacy/samba-swat-3.0.7-2.FC1.1.legacy.i386.rpm
 




------- Additional Comments From dom@earth.li 2004-11-16 13:51:48 ----

Red Hat advisory: https://rhn.redhat.com/errata/RHSA-2004-632.html



------- Additional Comments From nehresma@css.tayloru.edu 2004-11-17 06:48:27 ----

In response to rob's comment #3:

Much, much easier.  :)  I was just now in the process of backporting 0930 from
3.0.8 to 2.2.12.  Interestingly enough, Red Hat's patch was very similar to
mine.  Interestingly, theirs is a bit less intrusive -- they added a few
functions that should have gone into util/ into ms_fnmatch.c itself meaning less
adjustment to headers, etc.

Good sleuthing on your part!



------- Additional Comments From bugzilla.fedora.us@beej.org 2004-12-16 06:20:10 ----

another exploitable bug (CAN-2004-1154)
http://www.idefense.com/application/poi/display?id=165
the official advisory at http://us1.samba.org/samba/security/CAN-2004-1154.html
says:
===
Remote exploitation of an integer overflow vulnerability
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
and Samba 3.0.x prior to and including 3.0.9 could
allow an attacker to cause controllable heap corruption,
leading to execution of arbitrary commands with root
privileges.

Successful remote exploitation allows an attacker to
gain root privileges on a vulnerable system. In order
to exploit this vulnerability an attacker must possess
credentials that allow access to a share on the Samba server.
===

can somebody update the summary with the new CVE number?



------- Additional Comments From bugzilla.fedora.us@beej.org 2004-12-23 11:56:28 ----

heh.. looks like i can be that "somebody" :)



------- Additional Comments From pekkas@netcore.fi 2004-12-23 21:25:51 ----

Patches to 1154 from RHEL appear to be rather straightforward and apply well,
see #2349.  These can be put together.


QA for all samba packages w/ rpm-build-compare:
 - original sources are OK
 - patches are verified to come from various RHEL RPMs
 - spec file changes are good

One weird thing in RHL9 is that while it's essentially the same version as
RHL73, some patches have been disabled and there have been other changes --
but there was already divergence in samba-2.2.7a-8.9.0.src.rpm ->
samba-2.2.12-0.90.2.legacy.src.rpm so this isn't changing the situation.

I could give all of them a +PUBLISH, but I think #2349 needs to be addressed
at the same time.  However, when doing QA for #2349, I suggest folks compare
to these RPMs as they seem to be good.

b53b512f11037dc3be9f5e28efc76d824528e508  samba-2.2.12-0.73.4.legacy.src.rpm
8c1ec11e6647968ee0630caa3c2909d46c954b66  samba-2.2.12-0.90.3.legacy.src.rpm
b511d87af1cda57748ab1d6202dbcec12fe38705  samba-3.0.7-2.FC1.1.legacy.src.rpm
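As an added check (not code from this bug, Fedora Legacy, or Red Hat), the following Python encodes the affected ranges quoted in the advisories on this bug together with the fixes the posted legacy builds record in their changelogs, so a package name can be mapped to the CVEs still open for it; it shows why an upstream version check alone is misleading for backported builds. The rpm version comparison is a simplified reimplementation (no tilde/caret rules), and the CAN-2004-0882 range is an assumption, since the page only names 3.0.7 as the patched version.

```python
import re

# Upstream affected ranges (inclusive) as quoted in the advisories on this bug.
# CAN-2004-0882 is described only as "Samba 3.x" with a patch for 3.0.7, and the
# thread backports it to 2.2.12, so "everything up to 3.0.7" is an assumption.
UPSTREAM_AFFECTED = {
    "CAN-2004-0930": ("0", "3.0.7"),    # "version 3.0.7 and prior"
    "CAN-2004-0882": ("0", "3.0.7"),    # assumption, see above
    "CAN-2004-1154": ("2.0", "3.0.9"),  # 2.0.x, 2.2.x, 3.0.x up to and including 3.0.9
}

# Fixes carried by the Fedora Legacy builds posted on this bug, per their changelogs.
# CAN-2004-1154 is absent: it was still being handled separately (bug 2349).
LEGACY_BUILDS = {
    "samba-2.2.12-0.73.4.legacy": {"CAN-2004-0882", "CAN-2004-0930"},
    "samba-2.2.12-0.90.3.legacy": {"CAN-2004-0882", "CAN-2004-0930"},
    "samba-3.0.7-2.FC1.1.legacy": {"CAN-2004-0882", "CAN-2004-0930"},
}

def rpmvercmp(a, b):
    """Simplified rpm-style compare of two version strings: -1, 0 or 1.
    Numeric segments compare as integers, alphabetic ones lexically, numeric
    beats alphabetic. Assumption: no tilde/caret rules (not needed here)."""
    ta = re.findall(r"\d+|[A-Za-z]+", a)
    tb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def unresolved_cves(nvr):
    """CVEs from this bug that a samba package (name-version-release) still lacks.
    A backported fix does not bump the upstream version, so the range check is
    corrected with the fixes the known legacy builds are recorded to carry."""
    _name, version, _release = nvr.rsplit("-", 2)
    affected = {
        cve for cve, (low, high) in UPSTREAM_AFFECTED.items()
        if rpmvercmp(version, low) >= 0 and rpmvercmp(version, high) <= 0
    }
    return affected - LEGACY_BUILDS.get(nvr, set())

if __name__ == "__main__":
    for pkg in ("samba-3.0.7-2", "samba-3.0.7-2.FC1.1.legacy", "samba-3.0.10-1"):
        print(pkg, sorted(unresolved_cves(pkg)))
```

Any build not listed in LEGACY_BUILDS is judged on its upstream version only, which is the right default for a vendor build whose changelog you have not read.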




------- Additional Comments From marcdeslauriers@videotron.ca 2005-02-13 15:18:32 ----

This bug has been superseded by bug 2349



------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:29 -------

This bug previously known as bug 2264 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2264
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Backport of the 3.0.7 patch for CAN-2004-0882 to samba 2.2.12
https://bugzilla.fedora.us/attachment.cgi?action=view&id=927

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here, dkl@redhat.com. Previous reporter was fedora-legacy-bugzilla-2004@fumika.jp.
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-05-16 06:37:22 EDT

*** This bug has been marked as a duplicate of 152874 ***
