Secunia Research reports a vulnerability in Samba, upstream has been contacted and is working on a patch. Preliminary disclosure date is 2008-05-28 10am CET. This is CVE-2008-1105. The following is an excerpt from the vulnerability report, more details are available: Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "receive_smb_raw()" function in lib/util_sock.c when parsing SMB packets. This can be exploited to cause a heap-based buffer overflow via an overly large SMB packet received in a client context. Successful exploitation allows execution of arbitrary code by tricking a user into connecting to a malicious server (e.g. by clicking an "smb://" link) or by sending specially crafted packets to an "nmbd" server configured as a local or domain master browser. The vulnerability is confirmed in version 3.0.28a. Other versions may also be affected.
Created attachment 153305 [details, diff] samba-3.0.28a-CVE-2008-1105.patch Proposed patch against Samba 3.0.28a, needs to be confirmed.
Secunia confirmed the patch is good. Stefan, please prepare an ebuild including the patch and attach it to this bug. Do not commit anything to CVS and keep any information confidential until the embargo date. We will perform stable testing on the bug.
Sorry, I meant to say Tiziano. Damn copy and paste.
Ok, will do so this evening.
Created attachment 153419 [details] samba-3.0.28a-r1.ebuild here we go (a bit sooner than I expected :-) Compiles fine here on ~amd64. Please note that tests are _not_ available anymore (so the arch testers probably have to start the server and try to access it to test whether it works). Please note that the patch has to be named like "3.0.28a-CVE-2008-1105.patch".
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug. Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86" CC'ing current Liaisons: alpha : yoswink amd64 : welp hppa : jer ppc : dertobi123 ppc64 : corsair release : pva sparc : fmccor x86 : opfer
looks good on ppc64
HPPA is OK.
Early testing in alpha is ok. - Compiles with default profile use flags. - Daemon start without problems. - smbclient can connect and browse the shared resource perfeclty.
Patch file name doesn't match what's in the ebuild, and that's a bit annoying. That said, Looks good on sparc.
looks good for ppc
Good to go on x86
looks okay on ia64
public as per $URL, removing archs liaisons and cc'ing remaining arches. Tiziano, you may commit with stable keywords gathered. Only amd64 is missing before we're good to go with a GLSA.
and actually removing arch liaisons, sorry :/
(In reply to comment #14) > public as per $URL, removing archs liaisons and cc'ing remaining arches. > Tiziano, you may commit with stable keywords gathered. Only amd64 is missing > before we're good to go with a GLSA. looks good on amd64. please stabilize it for amd64, too - thanks.
Sorry, I am too much in a hurry to do this myself, can someone commit this please?
*** Bug 224033 has been marked as a duplicate of this bug. ***
Done. Sorry for the delay.
all security supported arches done, moving to the GLSA part.
GLSA 200805-23. Leaving opened for the remaining arches.
*** Bug 224135 has been marked as a duplicate of this bug. ***
Arches, please test and mark stable: =net-fs/samba-3.0.28a-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86" Already stabled : "alpha amd64 hppa ppc ppc64 sparc x86" Missing keywords: "arm ia64 release s390 sh"
(In reply to comment #21) > Leaving opened for the remaining arches. We don't usually do that. Unsupported arches can easily figure out which bugs they are still CC'ed to even if they are closed. Is there a reason to leave the bug open?
*** Bug 224215 has been marked as a duplicate of this bug. ***
Hey :( i said ia64 was good...
Fixed in release snapshot.
dunno why this was still open :/
