Bug 197519 - net-fs/samba < 3.0.27 "reply_netbios_packet()" Buffer Overflow Vulnerability (CVE-2007-5398)
Summary: net-fs/samba < 3.0.27 "reply_netbios_packet()" Buffer Overflow Vulnerability ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
URL: http://secunia.com/advisories/27450/
Whiteboard: B0 [glsa]
Keywords:
Depends on: 199450
Blocks:
Reported: 2007-10-30 14:29 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2020-04-03 07:01 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
samba-3.0.26a-r2.ebuild (samba-3.0.26a-r2.ebuild,8.63 KB, text/plain)
2007-11-02 22:27 UTC, Tiziano Müller (RETIRED)
files/3.0.26a-CVE-2007-5398.patch (3.0.26a-CVE-2007-5398.patch,454 bytes, patch)
2007-11-02 22:28 UTC, Tiziano Müller (RETIRED)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-30 14:29:13 UTC
Slightly edited report below
---
Secunia Research has discovered a vulnerability in Samba, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"reply_netbios_packet()" function in nmbd/nmbd_packets.c when sending
NetBios replies. This can be exploited to cause a stack-based buffer
overflow by sending multiple specially crafted WINS "Name Registration"
requests followed by a WINS "Name Query" request.

Successful exploitation allows execution of arbitrary code, but requires
that Samba is configured to run as a WINS server (the "wins support"
option is enabled).

The vulnerability is confirmed in version 3.0.26a. Prior versions may
also be affected.

Vulnerability Details:
----------------------

The vulnerability is caused by incorrectly calling "memcpy()" at line
967 in nmbd/nmbd_packets.c without ensuring that the
"nmb->answers->rdata" array (576 bytes) has enough allocated space.

Exploitation:
-------------

Secunia Research has created a PoC for the vulnerability, which is
available upon request.

The vulnerability can also be reproduced by sending 250 "Name
Registration" requests for different names having the "0x1b" type and
sending a "Name Query" request for the "*....\x1b" name.

Closing comments:
-----------------

We have assigned this vulnerability Secunia advisory SA27450 and CVE
identifier CVE-2007-5398.

Credits should go to:
Alin Rad Pop, Secunia Research.
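The boundary error described in the report, shown as an added C example (this is not Samba code and not part of the bug report): the pre-fix copy trusts the caller-supplied length, while the hardened form validates it against the declared size of the destination array before calling memcpy. The 576-byte array size comes from the report above; the struct name `answer_rec`, the macro `RDATA_SIZE`, the function names and the payloads are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-size answer record; the report above
   gives the rdata array as 576 bytes. RDATA_SIZE is an assumed name. */
#define RDATA_SIZE 576

struct answer_rec {
    int rdlength;
    unsigned char rdata[RDATA_SIZE];
};

/* Pre-fix pattern (the bug): len is trusted, so memcpy writes past rdata
   whenever len > sizeof(rec->rdata). Kept only for side-by-side comparison
   and called below with an in-bounds payload only. */
static void fill_rdata_unchecked(struct answer_rec *rec,
                                 const unsigned char *data, int len)
{
    rec->rdlength = len;
    memcpy(rec->rdata, data, (size_t)len);   /* overflow when len > 576 */
}

/* Post-fix pattern: reject negative or over-long lengths before copying.
   Returns 0 on success, -1 when the length is rejected (reply dropped).
   The explicit len < 0 test matters: without it a negative int would be
   converted to a huge size_t inside memcpy. */
static int fill_rdata_checked(struct answer_rec *rec,
                              const unsigned char *data, int len)
{
    if (len < 0 || (size_t)len > sizeof(rec->rdata)) {
        fprintf(stderr, "invalid rdata len (%d), dropping reply\n", len);
        return -1;
    }
    rec->rdlength = len;
    memcpy(rec->rdata, data, (size_t)len);
    return 0;
}

/* Helper for demo and tests: attempt a checked fill of the given length
   from a constructed payload that is larger than rdata, and return the
   result of the check. */
static int try_checked_fill(int len)
{
    struct answer_rec rec;
    static unsigned char payload[RDATA_SIZE * 2];   /* constructed data */
    memset(payload, 0xBB, sizeof(payload));
    memset(&rec, 0, sizeof(rec));
    return fill_rdata_checked(&rec, payload, len);
}

int main(void)
{
    struct answer_rec rec;
    unsigned char small[64];                        /* constructed data */
    memset(small, 0xAA, sizeof(small));
    memset(&rec, 0, sizeof(rec));

    /* Both variants behave identically while the length is in bounds. */
    fill_rdata_unchecked(&rec, small, (int)sizeof(small));
    printf("unchecked, 64 bytes: rdlength=%d\n", rec.rdlength);
    printf("checked, 64 bytes: %d\n", fill_rdata_checked(&rec, small, (int)sizeof(small)));

    /* Only the checked variant survives an over-long or negative length. */
    printf("checked, %d bytes: %d\n", RDATA_SIZE, try_checked_fill(RDATA_SIZE));
    printf("checked, %d bytes: %d\n", RDATA_SIZE + 1, try_checked_fill(RDATA_SIZE + 1));
    printf("checked, -1 bytes: %d\n", try_checked_fill(-1));
    return 0;
}
```

The check compares against `sizeof(rec->rdata)` rather than a separately maintained constant so that it cannot drift from the buffer declaration, which is the same approach the upstream patch in comment 1 takes.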
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-10-31 15:03:42 UTC
Proposed upstream patch.

diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
index d49c8ba..b78ab5b 100644
--- a/source/nmbd/nmbd_packets.c
+++ b/source/nmbd/nmbd_packets.c
@@ -970,6 +970,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
        nmb->answers->ttl      = ttl;
 
        if (data && len) {
+               if (len < 0 || len > sizeof(nmb->answers->rdata)) {
+                       DEBUG(5,("reply_netbios_packet: "
+                               "invalid packet len (%d)\n",
+                               len ));
+                       return;
+               }
                nmb->answers->rdlength = len;
                memcpy(nmb->answers->rdata, data, len);
        }
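Review bot: the rejected case logs only at DEBUG level 5 and then returns without sending anything, so an over-long answer (the condition the advisory says can be reached through WINS name registrations) is dropped silently at default log levels; consider a lower debug level for this message, since reaching it means nmbd computed a reply larger than rdata can hold and an administrator would want to see that. The condition itself is sound: `len < 0` guards the signed-to-unsigned conversion that `len > sizeof(nmb->answers->rdata)` performs, and the `memcpy(nmb->answers->rdata, data, len)` on the following context line now only runs with 0 <= len <= sizeof(rdata).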
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-11-01 17:38:30 UTC
Hi Tiziano, if you want stable testing before the disclosure date please attach
updated ebuilds to this bug. Do not commit anything yet.
Comment 3 Tiziano Müller (RETIRED) gentoo-dev 2007-11-02 22:27:58 UTC
Created attachment 135044 [details]
samba-3.0.26a-r2.ebuild
Comment 4 Tiziano Müller (RETIRED) gentoo-dev 2007-11-02 22:28:32 UTC
Created attachment 135045 [details, diff]
files/3.0.26a-CVE-2007-5398.patch
Comment 5 Tiziano Müller (RETIRED) gentoo-dev 2007-11-02 22:34:18 UTC
@rbu: I don't think this is a question of whether I want it or not.

Attached is a revision bump of 3.0.26a-r1 which includes the proposed fix.
3.0.26a-r1 is a small improvement over the former 3.0.26a ebuild and adds a small fix (which fixes a bug in the client library only). Both 3.0.26a and 3.0.26a-r1 were/are not yet stable, but ready (3.0.26a has been committed October 15th).

I'd really appreciate it, if we could test and mark stable 3.0.26a (which is the recommended version according to upstream anyway).
Comment 6 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-02 22:56:31 UTC
Arches liaisons, please test attached ebuild and report back here. Do not commit anything for the moment.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-03 17:32:49 UTC
Works for HPPA.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-11-03 23:56:14 UTC
GLSA filed.
Comment 9 Markus Rothe (RETIRED) gentoo-dev 2007-11-04 08:32:21 UTC
looks good on ppc64, too.
Comment 10 Fernando J. Pereda (RETIRED) gentoo-dev 2007-11-05 21:17:49 UTC
Adding armin for alpha
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-11-06 16:25:24 UTC
Works fine on alpha/ia64/sparc/x86
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-06 19:14:12 UTC
looks good for ppc
Comment 13 Robert Buchholz (RETIRED) gentoo-dev 2007-11-12 02:31:23 UTC
Adding Chris for releng.

Steve, do you have time to test on amd64?
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-13 22:27:37 UTC
Official disclosure is in about 48 hours. For once, the GLSA draft is almost ready and we have an opportunity to publish it in time! so Chris, Steve, please test on amd64, or cc another amd64 guy if you don't have time. thanks :)
 
Comment 15 Steve Dibb (RETIRED) gentoo-dev 2007-11-14 00:39:54 UTC
(In reply to comment #13)
> Adding Chris for releng.
> 
> Steve, do you have time to test on amd64?
> 

is good to go on amd64
Comment 16 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 00:56:19 UTC
Tiziano, the vulnerability should be disclosed tomorrow at 10:00 CET. As soon as you have time after that, please check this URL:
  http://secunia.com/secunia_research/2007-90/

If the advisory is public, please do the straight stable bump for all the arches that gave an OK on this bug. If you cannot do the commit for some reason, please let us or someone else know.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 00:57:46 UTC
(In reply to comment #16)
> If you cannot do the commit for some
> reason, please let us or someone else know.

Of course, let us know. And let us or someone else do the commit, is what I meant.
Comment 18 Ferris McCormick (RETIRED) gentoo-dev 2007-11-15 01:33:53 UTC
Also reporting sparc good (all tests pass).
Comment 19 Tiziano Müller (RETIRED) gentoo-dev 2007-11-15 14:59:42 UTC
Ok, I committed 3.0.26a-r2 as stable on the mentioned archs.
In addition to that, I also committed 3.0.27 which upstream released as a pure security release for CVE-2007-5398 AND for CVE-2007-4572, for which we don't have a security bug open yet (at least, I don't know of any).

So, I'd like to ask all arch teams to test and mark stable 3.0.27 to get CVE-2007-4572 fixed as well. But the final decision for this is up to the security team.
Comment 20 Robert Buchholz (RETIRED) gentoo-dev 2007-11-15 15:53:13 UTC
Opening as this is public by $URL.

(In reply to comment #19)
> So, I'd like to ask all arch teams to test and mark stable 3.0.27 to get
> CVE-2007-4572 fixed as well. But the final decision for this is up to the
> security team.

Thanks for noticing. Well, then we have to start the stabling dance again.

Arches, please test and mark stable net-fs/samba-3.0.27.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
Comment 21 Ferris McCormick (RETIRED) gentoo-dev 2007-11-15 16:44:55 UTC
Sparc stable, all tests run as expected.
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-15 19:05:11 UTC
Is this harmful?

TEST FAILED: /dev/shm/portage/net-fs/samba-3.0.27/work/samba-3.0.27/source/bin/replacetort (status 255)
Comment 23 Markus Meier gentoo-dev 2007-11-15 19:23:51 UTC
x86 stable
Comment 24 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-15 23:28:37 UTC
(In reply to comment #22)
> Is this harmful?

Stable for HPPA despite the unanswered question...
Comment 25 Steve Dibb (RETIRED) gentoo-dev 2007-11-15 23:50:33 UTC
amd64 stable
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2007-11-16 14:57:14 UTC
alpha/ia64 stable
Comment 27 Tobias Scherbaum (RETIRED) gentoo-dev 2007-11-18 09:02:33 UTC
ppc stable, what about #199450 though?
Comment 28 Markus Rothe (RETIRED) gentoo-dev 2007-11-18 13:44:06 UTC
ppc64 stable
Comment 29 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 14:18:06 UTC
glsa was filed.

dev-zero, please let us know how to proceed about the regression.
Comment 30 Tiziano Müller (RETIRED) gentoo-dev 2007-11-18 20:37:10 UTC
Ok, full stop for stabilization of samba-3.0.27 (well, a bit late, sorry). I p.masked net-fs/samba-3.0.27 due to bug #199450 (thanks to Tobias).

Users should upgrade to 3.0.26-r2 as soon as possible. Users who have 3.0.27 already installed should downgrade.
Comment 31 Robert Buchholz (RETIRED) gentoo-dev 2007-11-18 21:21:46 UTC
Will you apply the fix for CVE-2007-4572 to .26a?

http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007-4572.patch
Comment 32 Tiziano Müller (RETIRED) gentoo-dev 2007-11-18 22:19:29 UTC
no, since 3.0.27 doesn't seem to contain anything else than the two patches and that one seems to be the cause of the regression (as far as I know up to now).
Comment 33 Tiziano Müller (RETIRED) gentoo-dev 2007-11-18 23:00:37 UTC
@jer: I guess you ran the tests on an ext3 volume with acl's active?
Comment 34 Joshua Kinard gentoo-dev 2007-11-20 03:06:28 UTC
mips stable.
Comment 35 Robert Buchholz (RETIRED) gentoo-dev 2007-11-20 17:39:48 UTC
Upgrading status to B0 and setting [tempglsa]
Comment 36 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-11-20 21:28:56 UTC
temporary GLSA 200711-29 sent, waiting for upstream to correct the regression...
Comment 37 Tiziano Müller (RETIRED) gentoo-dev 2007-11-21 17:09:59 UTC
Fixed version 3.0.27a is now in CVS with keywords reset.
Security-Team: your turn again (hopefully last one for this version).
Comment 38 Robert Buchholz (RETIRED) gentoo-dev 2007-11-21 20:18:44 UTC
Thanks.

Arches, please test and mark stable net-fs/samba-3.0.27a.
Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
Comment 39 Christian Faulhammer (RETIRED) gentoo-dev 2007-11-22 08:07:32 UTC
x86 stable
Comment 40 Raúl Porcel (RETIRED) gentoo-dev 2007-11-22 12:35:58 UTC
alpha/ia64/sparc stable
Comment 41 Jeroen Roovers (RETIRED) gentoo-dev 2007-11-22 15:24:08 UTC
Stable for HPPA.
Comment 42 Markus Rothe (RETIRED) gentoo-dev 2007-11-23 16:20:38 UTC
ppc64 stable
Comment 43 Brent Baude (RETIRED) gentoo-dev 2007-11-24 04:34:19 UTC
ppc stable
Comment 44 Chris Gianelloni (RETIRED) gentoo-dev 2007-11-24 05:56:12 UTC
amd64 done...
Comment 45 Robert Buchholz (RETIRED) gentoo-dev 2007-11-26 01:37:29 UTC
All done, thanks.
Comment 46 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-05 23:24:44 UTC
GLSA 200711-29 finally updated, closing.