| Field | Value |
|---|---|
| Summary | Kernel: DoS by smbfs remote overflows (CAN-2004-{0883,0949}) |
| Product | Gentoo Security |
| Reporter | solar (RETIRED) <solar> |
| Component | Kernel |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | gregkh, hardened-kernel+disabled, kang, voxus |
| Priority | High |
| Flags | plasmaroo: Assigned_To? (plasmaroo) |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=a1aa20982329c681ac8023a8e7e1eb9c17d9dc85 |
| Whiteboard | [linux <2.4.28] [linux >=2.6 <2.6.10] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description

solar (RETIRED)

From: Stefan Esser <s.esser@e-matters.de>
To: Josh Bressers <bressers@redhat.com>
Cc: vendor-sec@lst.de
Subject: Re: [vendor-sec] Samba 3.x Remote Heap Overflow and Linux smbfs remote overflows
Date: Thu, 30 Sep 2004 08:36:01 +0200

Morning vendor-sec,

> Anyhow, the issues you speak of were reported by Stefan Esser, which puts
> him in the driver's seat for this one.
>
> Stefan, any ideas on an embargo date?

Well, the thing is that security@samba.org said: Uhh, we believe this is hard to exploit and therefore let's call it a DOS (and btw... how can overwriting glibc malloc control structures result in code execution?)

Now I am in the situation that I have not completed a POC for this one because I wasted, on the one hand, a lot of time on trying to exploit the more interesting (linux kernel remote) one and, on the other hand, my time for doing this stuff is limited to parts of the weekend at the moment.

This means I will create the POC at the weekend, to convince samba security of the existence of malloc exploits, and after that I am ready to release. I seriously doubt that they will release anything until I have proved it to them.

If I recall correctly, linux kernel bugs are usually fixed in the distributions a long time before the next stable kernel reaches the street, and therefore just tell me how long you need to build your kernels and test them. In the meantime I will simply try to get an answer from Marcelo about his plans to handle this. (Maybe one day he will answer one of my emails.)

Stefan Esser

We already require >=samba-3.0.7 as per GLSA 200409-16, so CAN-2004-0882 is covered here. That leaves us with CAN-2004-0883, the kernel smbfs issue. These issues don't seem to have been touched upon upstream yet; adding gregkh to this bug in case he knows more. This may have been addressed in 2.6.9rc3. But we are not supposed to patch it yet or make a big deal. This is simply a tracker bug for internal awareness. This bug should never be opened to the public either. When it's time, file a new bug.

As a general usage note: you don't need to remove the "Gentoo Security" group to open the bug to non-Security members. Adding someone to Cc: will make them see the bug (unless you uncheck the "Users in the Cc List can always view this bug" checkbox).

Security test comment -- please ignore.

Moving to newly-created kernel-specific category.

Created attachment 44595 [details, diff]
< 2.4.25 Patch

Created attachment 44596 [details, diff]
2.4 (2.4.25+) Patch

Created attachment 44597 [details, diff]
<= 2.6.8.1 Patch

Created attachment 44598 [details, diff]
2.6.9 Patch

Changing status, this is now public.

All done, the following externally maintained sources need fixing:
gentoo-dev-sources - Adding dsd...
grsec-sources - Solar's already on...
hardened(-dev)-sources - Adding hardened herd...
hardened-sources - Adding hardened herd...
hppa(-dev)-sources - Adding GMSoft...
mips-sources - Adding Kumba...
pegasos-dev-sources - Adding dholm...
openmosix-sources - Adding cluster herd.
rsbac(-dev)-sources - Adding kang...
selinux-sources - These are masked, taking no action...
sparc-sources - Adding joker...

gentoo-dev-sources fixed, both 2.6.9 for normal users and 2.6.7 for sparcs.

hppa-(dev-)sources done.

oM-sources done.

sparc-sources-2.4.28 stable.

mips-sources patched.

pegasos-dev-sources fixed.

hardened-sources bumped to 2.4.28. Note: hardened-sources are only ~arch; the maintainer scox needs to declare them stable, or the hardened team can after it gets a little feedback from the users.

rsbac-dev-sources: done.

rsbac-sources bumped to 2.4.28 (~x86).

Hardened herd: Only hardened-dev-sources is left for this bug. Some swift action would be appreciated since this is blocking the GLSA. We may need to mask if this issue is not dealt with quickly. Thanks!

Fixed in stable hardened-dev-sources-r16.

Mitre has assigned the following CVE ids to this issue: CAN-2004-0949, CAN-2004-0882, CAN-2004-0883.

This can be closed?

Hi, it seems this patch causes some special behavior of mounted smb-shares. When I write to a mounted share ("echo abcdefg > test.txt") it blocks for about 30s, but then the file is written correctly. dmesg shows:

smb_trans2: invalid data, disp=0, cnt=0, tot=0, ofs=0
smb_add_request: request [0000010035e29e00, mid=15] timed out!

I use gentoo-dev-sources and since r6 I have this problem, and since then this patch is added to the ebuild. With every other kernel I don't have this problem. (Server is samba-3.0.9-r1.) There's a bug open for this (bug 72968) http://bugs.gentoo.org/show_bug.cgi?id=72968#c7 but it is assigned to the samba team, and I think it's a problem of this patch and not a problem on the server side (that's why I post here).

Frank Meier

All kernels fixed, closing bug; notifications are being migrated away from GLSAs for kernels, more news coming soon so stay tuned :-]