** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

Samba Security wrote:

the following security issue has been found in Samba. Security releases are planned for November 27, 2008. Please find further information in the advisory. Thank you!

===========================================================
== Subject:     Potential leak of arbitrary memory contents
==
== CVE ID#:     CVE-2008-4314
==
== Versions:    Samba 3.0.29 - 3.2.4 (inclusive)
==
== Summary:     Samba 3.0.29 to 3.2.4 can potentially leak
==              arbitrary memory contents to malicious
==              clients
==
===========================================================

===========
Description
===========

Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers and back using small SMB requests and contain two offsets: one offset (A) pointing into the PDU sent by the client and one (B) to direct the transferred contents into the buffer built on the server side. While the range checking for offset (B) is correct, a cut&paste error lets offset (A) pass completely unchecked against overflow.

The buffers passed into trans, trans2 and nttrans undergo higher-level processing like DCE/RPC requests or listing directories. The missing bounds check means that a malicious client can make the server do this higher-level processing on arbitrary memory contents of the smbd process handling the request. It is unknown if that can be abused to pass arbitrary memory contents back to the client, but an important barrier is missing from the affected Samba versions.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.2.5 and 3.0.33 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to 3.2.5 (or 3.0.33) or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This flaw was found during a code review internal to the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
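The two-offset check pattern the advisory describes, as an added example that is not Samba's code and not the actual patch: a simplified model of secondary-transaction reassembly where offset (A) selects the chunk inside the client's PDU and offset (B) selects where it lands in the server-side buffer. `offsets_ok_unchecked_src` models the bug class (only B is checked), `offsets_ok` checks both offsets with overflow-safe arithmetic, and `reassemble_secondary` only copies when the latter passes. All names, the `struct secondary` layout and the sample PDU are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of one SMB secondary transaction chunk (not Samba's
 * structures). A large transaction arrives as several small SMBs; each
 * secondary says where its bytes sit in the PDU the client just sent (A),
 * where they belong in the server-side reassembly buffer (B), and how many
 * bytes to copy. */
struct secondary {
    size_t off_in_pdu;  /* offset A: into the client's PDU */
    size_t off_in_buf;  /* offset B: into the server-side buffer */
    size_t len;         /* bytes to copy */
};

/* The bug class from the advisory: B is range-checked against the server
 * buffer, but A is never compared against the PDU length, so a chunk can be
 * sourced from anywhere after the PDU in the process's memory. */
static bool offsets_ok_unchecked_src(const struct secondary *s,
                                     size_t pdu_len, size_t buf_len)
{
    (void)pdu_len; /* never consulted: this is the missing check */
    if (s->off_in_buf > buf_len || s->len > buf_len - s->off_in_buf)
        return false;
    return true;
}

/* Corrected pattern: both offsets are checked, and the comparisons are
 * written as "off > total || len > total - off" so that off + len cannot
 * wrap around size_t and slip past the bound. */
static bool offsets_ok(const struct secondary *s,
                       size_t pdu_len, size_t buf_len)
{
    if (s->off_in_buf > buf_len || s->len > buf_len - s->off_in_buf)
        return false;
    if (s->off_in_pdu > pdu_len || s->len > pdu_len - s->off_in_pdu)
        return false;
    return true;
}

/* Copies one secondary chunk into the reassembly buffer. Returns false and
 * copies nothing if either offset/length pair is out of range. */
static bool reassemble_secondary(uint8_t *buf, size_t buf_len,
                                 const uint8_t *pdu, size_t pdu_len,
                                 const struct secondary *s)
{
    if (!offsets_ok(s, pdu_len, buf_len))
        return false;
    memcpy(buf + s->off_in_buf, pdu + s->off_in_pdu, s->len);
    return true;
}

/* Constructed 16-byte "PDU" standing in for a client request. */
static const uint8_t sample_pdu[17] = "0123456789abcdef";
static const size_t sample_pdu_len = 16;
```

With a 64-byte server buffer, a chunk claiming to start at PDU offset 1000 passes `offsets_ok_unchecked_src` (B and the length look fine) but is rejected by `offsets_ok`; the same holds for an offset near `SIZE_MAX`, which an `off + len > pdu_len` test would have let through after wrapping.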
Tiziano, we can do prestable testing on this bug. Do not commit to CVS, you know the drill...
Created attachment 172416: 3.0.32-CVE-2008-4314.patch
public via $URL
Ok, please bump to 3.0.33 since I won't be able to do that until tomorrow. Sorry :-(
Updated ebuild for 3.0.33 is in the tree.
Arches, please test and mark stable: =net-fs/samba-3.0.33 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Stable for HPPA.
amd64/x86 stable
ppc stable
alpha/arm/ia64/sparc stable
ppc64 done
Ready for vote, I vote YES.
s390/sh stable
Yes, too. Request filed.
GLSA 200903-07