Bug 70429

Summary: net-fs/samba: Potential Remote Denial of Service (CAN-2004-0930)
Product: Gentoo Security
Reporter: Thierry Carrez (RETIRED) <koon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: samba
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://us4.samba.org/samba/security/CAN-2004-0930.html
Whiteboard: A3 [glsa] vorlon
Package list:
Runtime testing required: ---

Description Thierry Carrez (RETIRED) gentoo-dev 2004-11-08 00:45:57 UTC
Still confidential, from samba-pkg-sec :

Versions:    Samba 3.0.x <= 3.0.7

A remote attacker could cause an smbd process to consume abnormal amounts of system resources due to an input validation error when matching filenames containing wildcard characters.

A bug in the input validation routines used to match filename strings containing wildcard characters may allow a user to consume more than normal amounts of CPU cycles thus impacting the performance and response of the server. In some circumstances the server can become entirely unresponsive.

3.0.8 will be released around 09:00 CST (GMT-6) Monday, Nov 8.
Given the short timeframe, it's probably better to bump to 3.0.8 when it's ready rather than to patch it. However, we have patches if they are preferred.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-11-08 14:16:15 UTC
Issue is now public, fixed version has been released. Please bump to 3.0.8...
Comment 2 Christian Andreetta (RETIRED) gentoo-dev 2004-11-09 01:30:09 UTC
In cvs: samba-3.0.8.ebuild is marked unstable for all archs for now.
Comment 3 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-09 01:35:25 UTC
thanks Christian

arches please test samba-3.0.8 and mark stable if possible

current KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86"
target KEYWORDS="arm alpha amd64 hppa ia64 mips ppc ppc64 s390 sparc x86"
Comment 5 Jochen Maes (RETIRED) gentoo-dev 2004-11-09 04:13:21 UTC
stable on ppc
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2004-11-09 08:33:29 UTC
stable on ppc64
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2004-11-09 12:43:10 UTC
sparc stable.
Comment 8 Simon Stelling (RETIRED) gentoo-dev 2004-11-09 12:44:36 UTC
amd64 stable
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-11-09 12:53:10 UTC
Adding x86 to the needed stable arches
Comment 10 SpanKY gentoo-dev 2004-11-09 22:01:05 UTC
arm/hppa/ia64/s390 stable uNF
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2004-11-10 01:33:40 UTC
Stable on alpha.
Comment 12 Joshua Kinard gentoo-dev 2004-11-10 03:00:13 UTC
mips stable.
Comment 13 Olivier Crete (RETIRED) gentoo-dev 2004-11-10 11:40:18 UTC
x86 there.. sorry for the delay.. 
Btw, why are winbind, quotas and libclamav USE flags not in use.local.desc?
Comment 14 Matthias Geerdsen (RETIRED) gentoo-dev 2004-11-11 13:08:34 UTC
GLSA 200411-21