Bug 678328 (CVE-2011-0719) - CVE-2011-0719 Samba unsafe fd_set usage
Summary: CVE-2011-0719 Samba unsafe fd_set usage
Status: CLOSED ERRATA
Alias: CVE-2011-0719
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20110228,repo...
Keywords: Security
Depends On: 678329 678330 678331 678332 678333 678334 678335 681852
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-02-17 15:46 UTC by Josh Bressers
Modified: 2016-02-15 10:12 UTC (History)
5 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2014-06-02 19:26:23 UTC


Attachments (Terms of Use)
v3-0-test.patch from upstream bug (2.47 KB, patch)
2011-02-18 15:06 UTC, Guenther Deschner
no flags Details | Diff
v3-3-test.patch from upstream bug (2.47 KB, patch)
2011-02-18 15:07 UTC, Guenther Deschner
no flags Details | Diff
v3-5-test.patch from upstream bug (2.47 KB, patch)
2011-02-18 15:07 UTC, Guenther Deschner
no flags Details | Diff
v3-0-test.patch from upstream bug (this time correct) (14.37 KB, patch)
2011-02-18 16:19 UTC, Guenther Deschner
no flags Details | Diff
v3-3-test.patch from upstream bug (this time correct) (15.91 KB, patch)
2011-02-18 16:19 UTC, Guenther Deschner
no flags Details | Diff
v3-5-test.patch from upstream bug (this time correct) (13.22 KB, patch)
2011-02-18 16:20 UTC, Guenther Deschner
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0305 normal SHIPPED_LIVE Important: samba security update 2011-03-01 21:41:48 UTC
Samba Project 7949 None None None Never
Red Hat Product Errata RHSA-2011:0306 normal SHIPPED_LIVE Important: samba3x security update 2011-03-01 22:07:23 UTC

Description Josh Bressers 2011-02-17 15:46:45 UTC
A flaw was found in the way Samba handles the file descriptor sets (fd_set)
datastructure.

The Samba codebase uses file descriptor sets in various places. The fd_set
structure is a fixed size defined by the FD_SETSIZE variable. If a file
descriptor with a value greater than or equal to FD_SETSIZE is added to a
set, it can set a single bit on the stack to a '1'.

In Red Hat Enterprise Linux, all samba processes except for smbd have a
limit set which prevents a process from allocating more than 1024 file
descriptors by default. 1024 is the value of FD_SETSIZE on Red Hat
Enterprise Linux.

smbd does not cap the maximum allowed file descriptors below 1024. This
means that if a remote attacker has the ability to open files on a Samba
server, they may be able to flip arbitrary stack bits to a '1'. It is not
currently believed that this flaw can be used for arbitrary code execution,
but the possibility should not be ruled out.

Acknowledgements:

Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Volker Lendecke of SerNet as the original reporter.

Comment 9 Vincent Danen 2011-02-28 23:46:12 UTC
This is public now, and fixed in 3.5.7:

http://samba.org/samba/history/samba-3.5.7.html
http://samba.org/samba/security/CVE-2011-0719.html

Comment 10 errata-xmlrpc 2011-03-01 21:41:57 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0305 https://rhn.redhat.com/errata/RHSA-2011-0305.html

Comment 11 errata-xmlrpc 2011-03-01 22:07:29 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0306 https://rhn.redhat.com/errata/RHSA-2011-0306.html

Comment 12 Josh Bressers 2011-03-03 12:37:12 UTC
Created samba tracking bugs for this issue

Affects: fedora-all [bug 681852]


Note You need to log in before you can comment on or make changes to this bug.