Gentoo Archives: gentoo-announce

From: Pierre-Yves Rofes <py@g.o>
To: gentoo-announce@l.g.o
Cc: full-disclosure@××××××××××××××.uk, bugtraq@×××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200711-29 ] Samba: Execution of arbitrary code
Date: Tue, 20 Nov 2007 21:43:49
Message-Id: 474350B6.8060604@gentoo.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200711-29
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Samba: Execution of arbitrary code
Date: November 20, 2007
Bugs: #197519
ID: 200711-29

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Samba contains two buffer overflow vulnerabilities potentially
resulting in the execution of arbitrary code, one of which is currently
unfixed.

Background
==========

Samba is a suite of SMB and CIFS client/server programs for UNIX.

Affected packages
=================

-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 net-fs/samba < 3.0.26a-r2 >= 3.0.26a-r2

Description
===========

Two vulnerabilities have been reported in nmbd. Alin Rad Pop (Secunia
Research) discovered a boundary checking error in the
reply_netbios_packet() function which could lead to a stack-based
buffer overflow (CVE-2007-5398). The Samba developers discovered a
boundary error when processing GETDC logon requests also leading to a
buffer overflow (CVE-2007-4572).

Impact
======

To exploit the first vulnerability a remote unauthenticated attacker
could send specially crafted WINS "Name Registration" requests followed
by a WINS "Name Query" request. This might lead to execution of
arbitrary code with elevated privileges. Note that this vulnerability
is exploitable only when WINS server support is enabled in Samba. The
second vulnerability could be exploited by sending specially crafted
"GETDC" mailslot requests, but requires Samba to be configured as a
Primary or Backup Domain Controller. It is not believed to be
exploitable to execute arbitrary code.

Workaround
==========

To work around the first vulnerability, disable WINS support in Samba
by setting "wins support = no" in the "global" section of your smb.conf
and restart Samba.
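
The workaround is a single smb.conf parameter, so checking a fleet for it
can be scripted. The following POSIX shell function is an added example
(not part of this GLSA or of Samba) that reports whether an smb.conf still
has WINS server support enabled, honouring Samba's comment syntax, its
case- and whitespace-insensitive parameter names and its last-value-wins
rule; the two sample configurations are constructed for the demonstration.

```shell
# Added example, not part of the GLSA: report whether an smb.conf enables the
# WINS server, the condition under which CVE-2007-5398 is reachable. Assumes
# smb.conf(5) syntax: "[section]" headers, "key = value" lines, '#'/';' comments,
# parameter names compared ignoring case and whitespace, last value wins, and
# Samba's default of "wins support = no" when the parameter is absent.
wins_support_enabled() {                       # usage: wins_support_enabled FILE
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^[#;]/ { next }   # skip blanks and comments
        line ~ /^\[/ {                          # section header, e.g. [global]
            p = index(line, "]")
            sect = tolower(substr(line, 2, (p ? p : length(line) + 1) - 2))
            next
        }
        sect == "global" && index(line, "=") {
            key = substr(line, 1, index(line, "=") - 1)
            val = substr(line, index(line, "=") + 1)
            gsub(/[ \t]/, "", key)              # Samba ignores whitespace in names
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) == "winssupport") state = tolower(val)
        }
        END { exit !(state == "yes" || state == "true" || state == "1") }
    ' "$1"
}

# Constructed sample configurations for the demonstration.
VULNERABLE_CONF=$(mktemp)
cat > "$VULNERABLE_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; wins support = no
   WINS Support = Yes
[homes]
   wins support = no
EOF
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
[Global]
   workgroup = EXAMPLE
   wins support = yes
   wins support = no
EOF

for conf in "$VULNERABLE_CONF" "$HARDENED_CONF"; do
    if wins_support_enabled "$conf"; then
        echo "$conf: WINS server enabled; apply the workaround or upgrade"
    else
        echo "$conf: WINS server disabled"
    fi
done
```

The first sample is reported as enabled (the commented line and the value in
[homes] do not count), the second as disabled because the later "no" wins.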

Resolution
==========

The Samba 3.0.27 ebuild that resolves both vulnerabilities is currently
masked due to a regression in the patch for the second vulnerability.

Since no working patch exists yet, all Samba users should upgrade to
3.0.26a-r2, which contains a fix for the first vulnerability
(CVE-2007-5398):

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-fs/samba-3.0.26a-r2"

An update to this temporary GLSA will be sent when the second
vulnerability is fixed.

References
==========

[ 1 ] CVE-2007-4572
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4572
[ 2 ] CVE-2007-5398
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200711-29.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2007 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
--
gentoo-announce@g.o mailing list