Alin Rad Pop of Secunia Research discovered a heap-based buffer overflow flaw in the Samba client library. A boundary error in the receive_smb_raw() function could allow an overly large SMB packet to execute arbitrary code as the user running the client.
Acknowledgements: Red Hat would like to thank Alin Rad Pop of Secunia Research for responsibly disclosing this issue.
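As an added illustration (not part of the bug report and not Samba's code): a simplified C model of a length-prefixed receive that checks the peer-declared packet length against the caller's actual buffer size before copying anything. The 24-bit length framing, `GLOBAL_MAX`, and all function names are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN 4            /* 1 type byte + 3 length bytes (assumed framing) */
#define GLOBAL_MAX 0x20000u  /* hypothetical protocol-wide ceiling */

enum rx_status { RX_OK = 0, RX_TRUNCATED = -1, RX_TOO_LARGE = -2 };

/* Payload length the peer declares in the frame header (big-endian). */
static size_t declared_len(const uint8_t *hdr)
{
    return ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | (size_t)hdr[3];
}

/* Weak check: compares only against a global constant, so it says nothing
 * about whether the frame fits the buffer this caller actually allocated. */
static int fits_global_max(size_t len)
{
    return len <= GLOBAL_MAX;
}

/* Hardened receive: the caller passes its real buffer size, and the declared
 * length is validated against it before any payload byte is copied.
 * wire/wire_len stand in for bytes read from the socket. */
static int recv_frame(const uint8_t *wire, size_t wire_len,
                      uint8_t *buf, size_t buflen, size_t *out_len)
{
    if (wire_len < HDR_LEN)
        return RX_TRUNCATED;         /* header not fully received */
    if (buflen < HDR_LEN)
        return RX_TOO_LARGE;         /* caller buffer cannot hold a header */
    size_t len = declared_len(wire);
    if (len > buflen - HDR_LEN)      /* subtraction form cannot wrap */
        return RX_TOO_LARGE;
    if (len > wire_len - HDR_LEN)
        return RX_TRUNCATED;         /* peer declared more than it sent */
    memcpy(buf, wire, HDR_LEN + len);
    *out_len = HDR_LEN + len;
    return RX_OK;
}
```

A frame declaring 256 payload bytes passes `fits_global_max()` yet is rejected by `recv_frame()` when the caller's buffer is only 128 bytes, which is the gap a constant-only bound leaves open.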
Created attachment 305534: Proposed upstream patch for Samba 3.0
Created attachment 305636: Updated upstream patch for Samba 3.0. Corrects the comment in lib/util_sock.c to remove the incorrect function contract description. No other functional change to the previous patch.
Public now, lifting embargo:
http://secunia.com/advisories/30228/
http://secunia.com/secunia_research/2008-20/advisory/
samba-3.2.0-1.rc1.14.fc9 has been submitted as an update for Fedora 9
Upstream released samba 3.0.30 to address this flaw: http://www.samba.org/samba/security/CVE-2008-1105.html
samba-3.0.30-0.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
samba-3.2.0-1.rc1.14.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
samba-3.0.28a-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2008-0288.html
http://rhn.redhat.com/errata/RHSA-2008-0289.html
http://rhn.redhat.com/errata/RHSA-2008-0290.html
Fedora:
https://admin.fedoraproject.org/updates/F7/FEDORA-2008-4797
https://admin.fedoraproject.org/updates/F8/FEDORA-2008-4679
https://admin.fedoraproject.org/updates/F9/FEDORA-2008-4724