When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This infinite loop bug in Samba's mdssvc RPC service for Spotlight can be triggered by an unauthenticated attacker by issuing a malformed RPC request.
This CVE is public now - https://www.samba.org/samba/security/CVE-2023-34966.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 2224253]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6667 https://access.redhat.com/errata/RHSA-2023:6667
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7139 https://access.redhat.com/errata/RHSA-2023:7139
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0423 https://access.redhat.com/errata/RHSA-2024:0423
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:0580 https://access.redhat.com/errata/RHSA-2024:0580