Summary: <net-fs/samba-3.0.35 Uninitialized read of a data value (CVE-2009-1888)
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) 2009-06-24 00:10:28 UTC
===========================================================
== Subject:     Uninitialized read of a data value
==
== CVE ID#:     CVE-2009-1888
==
== Versions:    Samba 3.0.31 - 3.3.5
==
== Summary:     In Samba 3.0.31 to 3.3.5 (inclusive), an
==              uninitialized read of a data value can potentially
==              affect access control when "dos filemode"
==              is set to "yes".
==
===========================================================

===========
Description
===========

The smbd daemon in Samba 3.0.31 - 3.3.5 contains an uninitialized
read of a data value that can potentially affect access control.

If a user is trying to modify an access control list (ACL) and is
denied permission, this deny may be overridden if the parameter
"dos filemode" is set to "yes" in the smb.conf and the user already
has write access to the file. The error occurs in checking that the
user has write access. Uninitialized memory is read instead of the
values in the 'stat' struct of the file.

An attack would be difficult to script by an attacker, as the
attacker would need to find a reproducible case to ensure previously
used stack memory had the correct values to trigger the bug. In
addition, the server would have to have been configured with
"dos filemode = yes" in the smb.conf.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.2.13 and 3.0.35 and 3.3.6 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==========
Workaround
==========

Set the parameter:

  dos filemode = no

in the [global] section of your smb.conf. This is already the
default setting.

=======
Credits
=======

This issue was found by Jeremy Allison as part of normal code
auditing activities in Samba.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
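As an added check for the workaround above (written for this page; it is not Samba's own tooling and does not reproduce Samba's parser), the following Python script reads an smb.conf and reports which shares have "dos filemode = yes" in effect. The configuration text it runs over is a constructed sample. The point it adds to the advisory text is that "dos filemode" is a share-level parameter, so "dos filemode = no" in [global] only sets the default and can still be overridden inside an individual share definition; the script resolves the effective value per share, treating an unset parameter as Samba's default of "no" and accepting the yes/true/1/on spellings Samba allows.

```python
"""Audit an smb.conf for the CVE-2009-1888 workaround.

Added example, not Samba code: a minimal smb.conf reader that resolves the
effective "dos filemode" value for every share, honouring share-level
overrides of the [global] default.
"""
import re
from typing import Dict, Optional

# Boolean spellings Samba accepts for parameters; anything else falls back
# to the caller's default rather than being guessed.
_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}

# Canonical parameter name: Samba ignores case and whitespace in names.
DOS_FILEMODE = "dosfilemode"


def _canon(name: str) -> str:
    return re.sub(r"\s+", "", name).lower()


def _to_bool(value: Optional[str], default: bool) -> bool:
    if value is None:
        return default
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return default


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {canonical_param: raw_value}}.

    Handles '#' and ';' comment lines, '[section]' headers and trailing
    backslash line continuations. Unknown lines outside a section are skipped.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    pending = ""
    for raw in text.splitlines():
        stripped = raw.rstrip()
        if stripped.endswith("\\"):          # continuation: join with next line
            pending += stripped[:-1]
            continue
        line = (pending + raw).strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_canon(key)] = value.strip()
    return sections


def dos_filemode_status(text: str) -> Dict[str, bool]:
    """Effective 'dos filemode' per share (True means the risky setting is on).

    A share-level value overrides [global]; an unset parameter inherits the
    [global] value, and [global] itself defaults to 'no' when unset.
    """
    conf = parse_smb_conf(text)
    global_on = _to_bool(conf.get("global", {}).get(DOS_FILEMODE), default=False)
    status: Dict[str, bool] = {}
    for name, params in conf.items():
        if name == "global":
            continue
        status[name] = _to_bool(params.get(DOS_FILEMODE), default=global_on)
    return status


def shares_at_risk(text: str) -> list:
    """Sorted names of shares where 'dos filemode = yes' is in effect."""
    return sorted(n for n, on in dos_filemode_status(text).items() if on)


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """
# global default is the safe value
[global]
   workgroup = EXAMPLE
   dos filemode = no

[public]
   path = /srv/public
   read only = no

[projects]
   path = /srv/projects
   dos filemode = yes

[legacy]
   path = /srv/legacy
   Dos FileMode = True

[homes]
   dos filemode = no
"""

if __name__ == "__main__":
    for share, on in sorted(dos_filemode_status(SAMPLE_CONF).items()):
        print(f"{share:10s} dos filemode = {'yes' if on else 'no'}")
    print("shares needing attention:", shares_at_risk(SAMPLE_CONF))
```

Run against a real smb.conf by passing its contents to shares_at_risk(); an empty list means the workaround is in effect for every share, while any name listed is a share where the [global] "no" has been overridden and the affected builds should be upgraded.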
Comment 1 Stefan Behte (RETIRED) 2009-06-25 13:50:19 UTC
CVE-2009-1888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1888): The acl_group_override function in smbd/posix_acls.c in smbd in Samba 3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before 3.3.6, when dos filemode is enabled, allows remote attackers to modify access control lists for files via vectors related to read access to uninitialized memory.
Comment 2 Patrick Lauer 2009-06-25 18:26:05 UTC
+  25 Jun 2009; Patrick Lauer <email@example.com> +samba-3.0.35.ebuild:
+  Bump to 3.0.35. Fixes #275236.
Comment 3 Víctor Ostorga (RETIRED) 2009-09-21 20:25:52 UTC
ping to @security to stabilize > net-fs/samba-3.0.35
Comment 4 Alex Legler (RETIRED) 2009-09-22 09:47:55 UTC
Arches, please test and mark stable:
=net-fs/samba-3.0.36
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers (RETIRED) 2009-09-22 15:35:26 UTC
Stable for HPPA.
Comment 6 Christian Faulhammer (RETIRED) 2009-09-23 14:32:15 UTC
Comment 7 Raúl Porcel (RETIRED) 2009-09-23 17:57:50 UTC
Comment 8 Markus Meier 2009-09-25 10:41:37 UTC
Comment 9 Brent Baude (RETIRED) 2009-09-25 18:17:20 UTC
Comment 10 nixnut (RETIRED) 2009-09-27 14:13:53 UTC
Comment 11 Stefan Behte (RETIRED) 2009-10-04 23:38:49 UTC
Adjusting to C4, as "dos filemode = no" is the default & closing NOGLSA.
Comment 12 Stefan Behte (RETIRED) 2009-10-04 23:39:32 UTC
...and closing NOGLSA. ;)