Bug 678328 - (CVE-2011-0719) CVE-2011-0719 Samba unsafe fd_set usage
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20110228,repo...
Depends On: 678329 678330 678331 678332 678333 678334 678335 681852
Reported: 2011-02-17 10:46 EST by Josh Bressers
Modified: 2016-02-15 05:12 EST
Last Closed: 2014-06-02 15:26:23 EDT
Doc Type: Bug Fix

Attachments
v3-0-test.patch from upstream bug (2.47 KB, patch), 2011-02-18 10:06 EST, Guenther Deschner
v3-3-test.patch from upstream bug (2.47 KB, patch), 2011-02-18 10:07 EST, Guenther Deschner
v3-5-test.patch from upstream bug (2.47 KB, patch), 2011-02-18 10:07 EST, Guenther Deschner
v3-0-test.patch from upstream bug (this time correct) (14.37 KB, patch), 2011-02-18 11:19 EST, Guenther Deschner
v3-3-test.patch from upstream bug (this time correct) (15.91 KB, patch), 2011-02-18 11:19 EST, Guenther Deschner
v3-5-test.patch from upstream bug (this time correct) (13.22 KB, patch), 2011-02-18 11:20 EST, Guenther Deschner


External Trackers: Samba Project 7949

Description Josh Bressers 2011-02-17 10:46:45 EST
A flaw was found in the way Samba handles the file descriptor sets (fd_set)
data structure.

The Samba codebase uses file descriptor sets in various places. The fd_set
structure is a fixed size defined by the FD_SETSIZE variable. If a file
descriptor with a value greater than or equal to FD_SETSIZE is added to a
set, it can set a single bit on the stack to a '1'.

In Red Hat Enterprise Linux, all samba processes except for smbd have a
limit set which prevents a process from allocating more than 1024 file
descriptors by default. 1024 is the value of FD_SETSIZE on Red Hat
Enterprise Linux.

smbd does not cap the maximum allowed file descriptors below 1024. This
means that if a remote attacker has the ability to open files on a Samba
server, they may be able to flip arbitrary stack bits to a '1'. It is not
currently believed that this flaw can be used for arbitrary code execution,
but the possibility should not be ruled out.

Acknowledgements:

Red Hat would like to thank the Samba team for reporting this issue. Upstream acknowledges Volker Lendecke of SerNet as the original reporter.
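As an added C example (not Samba's code and not the attached patches), the two defensive measures the description points to: a bounds-checked FD_SET wrapper that refuses descriptors the fixed-size set cannot hold, and capping the process's RLIMIT_NOFILE at FD_SETSIZE as Red Hat does for its non-smbd processes. All function names are my own.

```c
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>

/* Each fd is one bit of the fixed-size fd_set, so FD_SET with
 * fd >= 8 * sizeof(fd_set) (== FD_SETSIZE == 1024 on glibc) writes
 * outside the object. This checks that without performing the write. */
static int fd_set_write_out_of_bounds(int fd) {
    return fd < 0 || (size_t)fd >= 8 * sizeof(fd_set);
}

/* Hardened replacement for a bare FD_SET: refuse descriptors the set
 * cannot represent instead of flipping a bit beyond the structure. */
static int safe_fd_set(int fd, fd_set *set) {
    if (fd < 0 || fd >= FD_SETSIZE) {
        fprintf(stderr, "refusing fd %d: fd_set holds only 0..%d\n", fd, FD_SETSIZE - 1);
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Add fd to a fresh set via the wrapper: 1 if now a member, 0 if refused. */
static int try_add_fd(int fd) {
    fd_set set;
    FD_ZERO(&set);
    if (safe_fd_set(fd, &set) != 0)
        return 0;
    return FD_ISSET(fd, &set) ? 1 : 0;
}

/* Process-level mitigation like the RLIMIT_NOFILE cap Red Hat describes for
 * its non-smbd daemons: lower the soft limit to FD_SETSIZE so the kernel can
 * never hand out an fd >= FD_SETSIZE. Needs no privilege; 0 on success. */
static int cap_nofile_to_fd_setsize(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_cur > (rlim_t)FD_SETSIZE)
        rl.rlim_cur = (rlim_t)FD_SETSIZE;
    return setrlimit(RLIMIT_NOFILE, &rl);
}

/* 1 if this process can no longer obtain a descriptor >= FD_SETSIZE. */
static int nofile_is_capped(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return 0;
    return rl.rlim_cur <= (rlim_t)FD_SETSIZE;
}
```

With the cap in place the descriptor numbers a select()-based loop can ever see stay inside the set, which is the same guarantee the RHEL limit gives the non-smbd daemons.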
Comment 9 Vincent Danen 2011-02-28 18:46:12 EST
This is public now, and fixed in 3.5.7:

http://samba.org/samba/history/samba-3.5.7.html
http://samba.org/samba/security/CVE-2011-0719.html
Comment 10 errata-xmlrpc 2011-03-01 16:41:57 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0305 https://rhn.redhat.com/errata/RHSA-2011-0305.html
Comment 11 errata-xmlrpc 2011-03-01 17:07:29 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0306 https://rhn.redhat.com/errata/RHSA-2011-0306.html
Comment 12 Josh Bressers 2011-03-03 07:37:12 EST
Created samba tracking bugs for this issue

Affects: fedora-all [bug 681852]
