Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 222299 (CVE-2008-1105) - net-fs/samba <3.0.28a-r1 "receive_smb_raw()" Buffer Overflow Vulnerability (CVE-2008-1105)
Summary: net-fs/samba <3.0.28a-r1 "receive_smb_raw()" Buffer Overflow Vulnerability (C...
Status: RESOLVED FIXED
Alias: CVE-2008-1105
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High major (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/30228/
Whiteboard: A2 [glsa]
Keywords:
: 224033 224135 224215 (view as bug list)
Depends on:
Blocks:
 
Reported: 2008-05-15 17:51 UTC by Matthias Geerdsen (RETIRED)
Modified: 2008-07-09 21:03 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
samba-3.0.28a-CVE-2008-1105.patch (samba-3.0.28a-CVE-2008-1105.patch,5.64 KB, patch)
2008-05-16 10:24 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
samba-3.0.28a-r1.ebuild (samba-3.0.28a-r1.ebuild,9.17 KB, text/plain)
2008-05-17 12:39 UTC, Tiziano Müller
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Geerdsen (RETIRED) gentoo-dev 2008-05-15 17:51:24 UTC
Secunia Research reports a vulnerability in Samba, upstream has been contacted and is working on a patch. Preliminary disclosure date is 2008-05-28 10am CET. This is CVE-2008-1105.

The following is an excerpt from the vulnerability report, more details are available:

Secunia Research has discovered a vulnerability in Samba, which can be
exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the
"receive_smb_raw()" function in lib/util_sock.c when parsing SMB
packets. This can be exploited to cause a heap-based buffer overflow via
an overly large SMB packet received in a client context.

Successful exploitation allows execution of arbitrary code by tricking a
user into connecting to a malicious server (e.g. by clicking an "smb://"
link) or by sending specially crafted packets to an "nmbd" server
configured as a local or domain master browser.

The vulnerability is confirmed in version 3.0.28a. Other versions may
also be affected.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-16 10:24:40 UTC
Created attachment 153305 [details, diff]
samba-3.0.28a-CVE-2008-1105.patch

Proposed patch against Samba 3.0.28a, needs to be confirmed.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-05-16 16:31:12 UTC
Secunia confirmed the patch is good. 

Stefan, please prepare an ebuild including the patch and attach it to this bug. Do not commit anything to CVS and keep any information confidential until the embargo date. We will perform stable testing on the bug.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-05-16 16:32:40 UTC
Sorry, I meant to say Tiziano. Damn copy and paste.
Comment 4 Tiziano Müller gentoo-dev 2008-05-17 05:01:22 UTC
Ok, will do so this evening.
Comment 5 Tiziano Müller gentoo-dev 2008-05-17 12:39:28 UTC
Created attachment 153419 [details]
samba-3.0.28a-r1.ebuild

here we go (a bit sooner than I expected :-)

Compiles fine here on ~amd64.
Please note that tests are _not_ available anymore (so the arch testers probably have to start the server and try to access it to test whether it works).

Please note that the patch has to be named like "3.0.28a-CVE-2008-1105.patch".
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-17 13:08:43 UTC
Arch Security Liaisons, please test the attached ebuild and report it stable on this bug.
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"

CC'ing current Liaisons:
   alpha : yoswink
   amd64 : welp
    hppa : jer
     ppc : dertobi123
   ppc64 : corsair
 release : pva
   sparc : fmccor
     x86 : opfer
Comment 7 Markus Rothe (RETIRED) gentoo-dev 2008-05-18 14:10:39 UTC
looks good on ppc64
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2008-05-18 15:58:39 UTC
HPPA is OK.
Comment 9 Jose Luis Rivero (yoswink) (RETIRED) gentoo-dev 2008-05-18 18:03:45 UTC
Early testing in alpha is ok.
 - Compiles with default profile use flags.
 - Daemon start without problems.
 - smbclient can connect and browse the shared resource perfeclty.
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2008-05-19 12:57:59 UTC
Patch file name doesn't match what's in the ebuild, and that's a bit annoying.  That said,
Looks good on sparc.
Comment 11 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-19 14:35:30 UTC
looks good for ppc
Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-20 18:11:49 UTC
Good to go on x86
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2008-05-23 10:24:18 UTC
looks okay on ia64
Comment 14 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-28 11:21:47 UTC
public as per $URL, removing archs liaisons and cc'ing remaining arches. Tiziano, you may commit with stable keywords gathered. Only amd64 is missing before we're good to go with a GLSA.
Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-28 11:22:51 UTC
and actually removing arch liaisons, sorry :/
Comment 16 Markus Meier gentoo-dev 2008-05-28 19:02:41 UTC
(In reply to comment #14)
> public as per $URL, removing archs liaisons and cc'ing remaining arches.
> Tiziano, you may commit with stable keywords gathered. Only amd64 is missing
> before we're good to go with a GLSA.

looks good on amd64. please stabilize it for amd64, too - thanks.
Comment 17 Robert Buchholz (RETIRED) gentoo-dev 2008-05-29 05:17:16 UTC
Sorry, I am too much in a hurry to do this myself, can someone commit this please?
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2008-05-29 05:18:50 UTC
*** Bug 224033 has been marked as a duplicate of this bug. ***
Comment 19 Tiziano Müller gentoo-dev 2008-05-29 06:37:55 UTC
Done. Sorry for the delay.
Comment 20 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-29 13:10:06 UTC
all security supported arches done, moving to the GLSA part.
Comment 21 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-29 19:17:53 UTC
GLSA 200805-23.
Leaving opened for the remaining arches.
Comment 22 Richard Freeman gentoo-dev 2008-05-29 19:55:08 UTC
*** Bug 224135 has been marked as a duplicate of this bug. ***
Comment 23 Robert Buchholz (RETIRED) gentoo-dev 2008-05-30 05:09:35 UTC
Arches, please test and mark stable:
=net-fs/samba-3.0.28a-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 release s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ppc ppc64 sparc x86"
Missing keywords: "arm ia64 release s390 sh"
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2008-05-30 05:11:32 UTC
(In reply to comment #21)
> Leaving opened for the remaining arches.

We don't usually do that. Unsupported arches can easily figure out which bugs they are still CC'ed to even if they are closed. Is there a reason to leave the bug open?
Comment 25 Arttu Valo 2008-05-30 10:10:43 UTC
*** Bug 224215 has been marked as a duplicate of this bug. ***
Comment 26 Raúl Porcel (RETIRED) gentoo-dev 2008-05-30 10:56:29 UTC
Hey :( i said ia64 was good...
Comment 27 Peter Volkov (RETIRED) gentoo-dev 2008-05-30 11:57:52 UTC
Fixed in release snapshot.
Comment 28 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-09 21:03:47 UTC
dunno why this was still open :/