All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a SID that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.
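The length checks the description above refers to, shown as an added example that is not part of the original report and is not Samba's code. The struct, function and sample names are hypothetical; the layout (revision byte, sub-authority count byte, 6-byte authority, little-endian 32-bit sub-authorities, at most 15 of them) is the Windows binary SID format.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_HEADER_LEN   8   /* revision + count + 6-byte authority */
#define SID_MAX_SUBAUTHS 15  /* upper bound in the Windows SID format */

struct sid {                 /* hypothetical in-memory form, not Samba's struct */
    uint8_t  revision;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[SID_MAX_SUBAUTHS];
};

/* Parse a wire-format SID; refuse input rather than read or write out of bounds. */
bool sid_parse_checked(const uint8_t *in, size_t len, struct sid *out)
{
    if (in == NULL || out == NULL || len < SID_HEADER_LEN)
        return false;                        /* header truncated */
    uint8_t count = in[1];                   /* attacker-controlled on the wire */
    if (count > SID_MAX_SUBAUTHS)
        return false;                        /* would overrun sub_auths[] */
    if (len < SID_HEADER_LEN + 4u * (size_t)count)
        return false;                        /* would read past the input */

    out->revision = in[0];
    out->num_auths = count;
    memcpy(out->id_auth, in + 2, 6);
    for (size_t i = 0; i < count; i++) {     /* little-endian sub-authorities */
        const uint8_t *p = in + SID_HEADER_LEN + 4 * i;
        out->sub_auths[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                            (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return true;
}

/* Constructed sample: S-1-5-32-544, two sub-authorities. */
static const uint8_t sample_ok[] = { 0x01, 0x02, 0, 0, 0, 0, 0, 0x05,
    0x20, 0x00, 0x00, 0x00, 0x20, 0x02, 0x00, 0x00 };
/* Constructed sample: count byte says 16 and the buffer really holds 16 entries. */
static const uint8_t sample_oversized[SID_HEADER_LEN + 4 * 16] = { 0x01, 0x10 };

int main(void)
{
    struct sid s;
    printf("valid: %d\n", sid_parse_checked(sample_ok, sizeof sample_ok, &s));
    printf("oversized: %d\n",
           sid_parse_checked(sample_oversized, sizeof sample_oversized, &s));
    return 0;
}
```

The oversized sample is long enough to pass a pure input-length check, so only the comparison against the fixed array size rejects it.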
3.5.5 is in tree
(In reply to comment #1)
> 3.5.5 is in tree
Thanks, Patrick. Are there any issues with stabilizing 3.5.5 with only 3.4.8 stable now?
3.4.9 was released as an update for the 3.4 slot as well:
It should be the preferred stabilization target.
(In reply to comment #3)
> 3.4.9 was released as an update for the 3.4 slot as well:
> It should be the preferred stabilization target.
I'd prefer 3.5, but I just added 3.4.9 so you can have fun with it.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
Stable for PPC.
GLSA request filed.
Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse
functions in Samba before 3.5.5 allows remote attackers to cause a denial of
service (crash) and possibly execute arbitrary code via a crafted Windows
Security ID (SID) on a file share.
This issue was resolved and addressed in
GLSA 201206-22 at http://security.gentoo.org/glsa/glsa-201206-22.xml
by GLSA coordinator Sean Amoss (ackle).