Bug 678328 (CVE-2011-0719) - CVE-2011-0719 Samba unsafe fd_set usage
Summary: CVE-2011-0719 Samba unsafe fd_set usage
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-0719
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 678329 678330 678331 678332 678333 678334 678335 681852
Blocks:
Reported: 2011-02-17 15:46 UTC by Josh Bressers
Modified: 2023-05-11 16:58 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-02 19:26:23 UTC
Embargoed:


Attachments
v3-0-test.patch from upstream bug (2.47 KB, patch), 2011-02-18 15:06 UTC, Guenther Deschner
v3-3-test.patch from upstream bug (2.47 KB, patch), 2011-02-18 15:07 UTC, Guenther Deschner
v3-5-test.patch from upstream bug (2.47 KB, patch), 2011-02-18 15:07 UTC, Guenther Deschner
v3-0-test.patch from upstream bug (this time correct) (14.37 KB, patch), 2011-02-18 16:19 UTC, Guenther Deschner
v3-3-test.patch from upstream bug (this time correct) (15.91 KB, patch), 2011-02-18 16:19 UTC, Guenther Deschner
v3-5-test.patch from upstream bug (this time correct) (13.22 KB, patch), 2011-02-18 16:20 UTC, Guenther Deschner


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0305 0 normal SHIPPED_LIVE Important: samba security update 2011-03-01 21:41:48 UTC
Red Hat Product Errata RHSA-2011:0306 0 normal SHIPPED_LIVE Important: samba3x security update 2011-03-01 22:07:23 UTC
Samba Project 7949 0 None None None Never

Description Josh Bressers 2011-02-17 15:46:45 UTC
A flaw was found in the way Samba handles the file descriptor sets (fd_set)
data structure.

The Samba codebase uses file descriptor sets in various places. The fd_set
structure is a fixed size defined by the FD_SETSIZE variable. If a file
descriptor with a value greater than or equal to FD_SETSIZE is added to a
set, it can set a single bit on the stack to a '1'.

In Red Hat Enterprise Linux, all samba processes except for smbd have a
limit set which prevents a process from allocating more than 1024 file
descriptors by default. 1024 is the value of FD_SETSIZE on Red Hat
Enterprise Linux.

smbd does not cap the maximum allowed file descriptors below 1024. This
means that if a remote attacker has the ability to open files on a Samba
server, they may be able to flip arbitrary stack bits to a '1'. It is not
currently believed that this flaw can be used for arbitrary code execution,
but the possibility should not be ruled out.

Acknowledgements:

Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Volker Lendecke of SerNet as the original reporter.
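
The description above explains the root cause: FD_SET(fd, &set) on a descriptor whose number is at or above FD_SETSIZE sets a bit outside the fixed-size fd_set object, and when that object is a stack variable the write lands in adjacent stack memory. The following is an added example, not code from Samba or from the attached patches, showing the defensive shape of a fix for this class of bug: a wrapper that refuses out-of-range descriptors before touching the set, plus a check that the process's RLIMIT_NOFILE soft limit does not exceed FD_SETSIZE. The function names safe_fd_set, fd_in_set_range and fd_limit_within_setsize are this example's own, and the use of EBADF as the error code is an assumption, not something taken from the upstream fix.

```c
/* Added example (not Samba's code): bounds-checked fd_set handling.
 * FD_SET(fd, &set) with fd >= FD_SETSIZE writes one bit past the end of
 * the fd_set object. The wrapper below refuses such descriptors instead. */
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <unistd.h>

/* Returns 1 if fd can be stored in an fd_set without overrunning it. */
int fd_in_set_range(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Range-checked FD_SET: returns 0 on success; on an out-of-range
 * descriptor returns -1 with errno set to EBADF (error code chosen for
 * this example) and leaves the set untouched. */
int safe_fd_set(int fd, fd_set *set)
{
    if (!fd_in_set_range(fd)) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* A select()-based process should not be allowed to hold more
 * descriptors than FD_SETSIZE. Returns 1 if the soft RLIMIT_NOFILE
 * limit is within that bound, 0 otherwise or if it cannot be read. */
int fd_limit_within_setsize(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return rl.rlim_cur <= (rlim_t)FD_SETSIZE;
}

int main(void)
{
    fd_set readfds;
    FD_ZERO(&readfds);

    printf("FD_SETSIZE = %d\n", FD_SETSIZE);

    /* In-range descriptor: accepted and recorded in the set. */
    if (safe_fd_set(STDIN_FILENO, &readfds) == 0 &&
        FD_ISSET(STDIN_FILENO, &readfds))
        puts("fd 0 added to set");

    /* Descriptor equal to FD_SETSIZE: refused instead of writing
     * one bit past the end of readfds on the stack. */
    if (safe_fd_set(FD_SETSIZE, &readfds) == -1)
        puts("fd == FD_SETSIZE refused (EBADF)");

    printf("RLIMIT_NOFILE soft limit within FD_SETSIZE: %s\n",
           fd_limit_within_setsize() ? "yes" : "no");
    return 0;
}
```

The two checks correspond to the two mitigations the description mentions: the wrapper protects code paths that may receive a high-numbered descriptor, and the limit check mirrors the per-process cap that already protected the non-smbd daemons on Red Hat Enterprise Linux. Builds with glibc's _FORTIFY_SOURCE also abort on an out-of-range FD_SET, which turns the silent stack write into a crash but is not a substitute for the explicit check.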

Comment 9 Vincent Danen 2011-02-28 23:46:12 UTC
This is public now, and fixed in 3.5.7:

http://samba.org/samba/history/samba-3.5.7.html
http://samba.org/samba/security/CVE-2011-0719.html

Comment 10 errata-xmlrpc 2011-03-01 21:41:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0305 https://rhn.redhat.com/errata/RHSA-2011-0305.html

Comment 11 errata-xmlrpc 2011-03-01 22:07:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0306 https://rhn.redhat.com/errata/RHSA-2011-0306.html

Comment 12 Josh Bressers 2011-03-03 12:37:12 UTC
Created samba tracking bugs for this issue

Affects: fedora-all [bug 681852]
