===========================================================
== Subject:     Denial of service - Server crash/memory corruption
==
== CVE ID#:     CVE-2014-3493
==
== Versions:    Samba 3.6.0 - 4.1.8 (inclusive)
==
== Summary:     Samba 3.6.x to 4.1.8 are affected by a
==              denial of service crash involving overwriting
==              memory on an authenticated connection to the
==              smbd file server.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a denial of
service on the smbd file server daemon. Valid unicode path names stored
on disk can cause smbd to crash if an authenticated client attempts to
read them using a non-unicode request.

The crash is caused by memory being overwritten by zeros at a 4GB
offset from the expected return buffer area, due to an invalid return
code from a bad unicode to Windows character set conversion.

Currently it is not believed to be exploitable by an attacker, as there
is no way to control the exact area of memory being overwritten.
However, in the interests of safety this is being treated as a security
issue.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.1.9, 4.0.19 and 3.6.24 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found and reported by Simon Arlott. The analysis and
fix were provided by Jeremy Allison of Google.
The following advisory was also posted at http://www.samba.org/samba/security/CVE-2014-0244 :

===========
Description
===========

All current released versions of Samba are vulnerable to a denial of
service on the nmbd NetBIOS name services daemon. A malformed packet
can cause the nmbd server to loop the CPU and prevent any further
NetBIOS name service.

This flaw is not exploitable beyond causing the code to loop expending
CPU resources.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.1.9, 4.0.19 and 3.6.24 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by a Red Hat user and analyzed by Stefan
Cornelius <scorneli@redhat.com>. Jeremy Allison of Google provided the
Samba code fix for nmbd.

@maintainers: Please advise once the updated packages are in the tree and available for stabilization.
CVE-2014-0244 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0244): The sys_recvfrom function in nmbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed UDP packet.
CVE-2014-3493 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3493): The push_ascii function in smbd in Samba 3.6.x before 3.6.24, 4.0.x before 4.0.19, and 4.1.x before 4.1.9 allows remote authenticated users to cause a denial of service (memory corruption and daemon crash) via an attempt to read a Unicode pathname without specifying use of Unicode, leading to a character-set conversion failure that triggers an invalid pointer dereference.
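The bug class the advisory and the CVE-2014-3493 text describe, as an added illustration in C (constructed here, not Samba's code): a converter that signals failure with (size_t)-1, an unchecked caller that stores that value in a 32-bit length before using it as the start of zero padding (an assumed mechanism that yields the ~4GB offset the advisory mentions), and the checked form that fails the request instead of touching memory.

```c
#include <stdint.h>
#include <string.h>
/* Constructed stand-in for a charset converter: copies ASCII bytes of src into
 * dst and returns the count, or (size_t)-1 (assumed failure sentinel) on a
 * UTF-8 multibyte byte or when dst would overflow. */
static size_t push_ascii_mock(char *dst, size_t dst_len, const char *src)
{
    size_t n = 0;
    for (; src[n] != '\0'; n++) {
        if ((unsigned char)src[n] >= 0x80 || n >= dst_len) return (size_t)-1;
        dst[n] = src[n];
    }
    return n;
}

/* Unchecked pattern: the result lands in a 32-bit length that becomes the
 * offset where zero padding starts. On failure the sentinel truncates to
 * 0xFFFFFFFF, i.e. ~4GB past the buffer. Computes the offset only; no write. */
static uint64_t buggy_pad_offset(const char *src)
{
    char buf[16];
    uint32_t len = (uint32_t)push_ascii_mock(buf, sizeof buf, src);
    return len;                     /* memset(buf + len, 0, ...) would follow */
}

/* Hardened pattern: reject the sentinel before the length touches memory.
 * Returns bytes written, or -1 so the caller can fail the request cleanly. */
static long build_reply(char *dst, size_t dst_len, const char *src)
{
    size_t len = push_ascii_mock(dst, dst_len, src);
    if (len == (size_t)-1) return -1;
    memset(dst + len, 0, dst_len - len);    /* zero-pad the remainder */
    return (long)len;
}

/* Test helper: build into a poisoned 16-byte buffer; returns the converted
 * length if every later byte is zero, -1 if rejected, -2 if padding failed. */
static long reply_padded_len(const char *src)
{
    char buf[16];
    memset(buf, 'X', sizeof buf);           /* poison so missing padding shows */
    long len = build_reply(buf, sizeof buf, src);
    if (len < 0) return -1;
    for (size_t i = (size_t)len; i < sizeof buf; i++)
        if (buf[i] != '\0')
            return -2;
    return len;
}
```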
*** Bug 531548 has been marked as a duplicate of this bug. ***
Maintainers, may we proceed with stabilization of =net-fs/samba-3.6.24 ?
Arches, please test and mark stable =net-fs/samba-3.6.24 with target KEYWORDS: alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Stable for HPPA.
amd64 stable
x86 stable
alpha stable
arm stable
ppc stable
ppc64 stable
ia64 stable
sparc stable. Maintainer(s), please clean up. Security, please add it to the existing request, or file a new one.
Added to existing GLSA request. Vulnerable versions are either dropped or masked.
This issue was resolved and addressed in GLSA 201502-15 at http://security.gentoo.org/glsa/glsa-201502-15.xml by GLSA coordinator Kristian Fiskerstrand (K_F).