Bug 247620 (CVE-2008-4314) - net-fs/samba <3.0.33 Potential leak of arbitrary memory contents (CVE-2008-4314)
Summary: net-fs/samba <3.0.33 Potential leak of arbitrary memory contents (CVE-2008-4314)
Status: RESOLVED FIXED
Alias: CVE-2008-4314
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://us1.samba.org/samba/security/C...
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-11-19 20:45 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-07 16:26 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
3.0.32-CVE-2008-4314.patch (1.80 KB, patch)
2008-11-19 20:48 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2008-11-19 20:45:49 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

Samba Security wrote:
the following security issue has been found in Samba.
Security releases are planned for November, 27 2008.
Please find further information in the advisory.

Thank you!

===========================================================
== Subject:     Potential leak of arbitrary memory contents
==
== CVE ID#:     CVE-2008-4314
==
== Versions:    Samba 3.0.29 - 3.2.4 (inclusive)
==
== Summary:     Samba 3.0.29 to 3.2.4 can potentially leak
==              arbitrary memory contents to malicious
==              clients
==
===========================================================

===========
Description
===========

Samba 3.0.29 and beyond contain a change to deal with gcc 4
optimizations. Part of the change modified range checking for client-generated
offsets of secondary trans, trans2 and nttrans requests. These requests are
used to transfer arbitrary amounts of memory from clients to servers and back
using small SMB requests and contain two offsets: One offset (A) pointing into
the PDU sent by the client and one (B) to direct the transferred contents into
the buffer built on the server side. While the range checking for offset (B) is
correct, a cut&paste error lets offset (A) pass completely unchecked against
overflow.

The buffers passed into trans, trans2 and nttrans undergo higher-level
processing like DCE/RPC requests or listing directories. The missing bounds
check means that a malicious client can make the server do this higher-level
processing on arbitrary memory contents of the smbd process handling the
request. It is unknown if that can be abused to pass arbitrary memory contents
back to the client, but an important barrier is missing from the affected Samba
versions.


==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.2.5 and 3.0.33 have been issued as security
releases to correct the defect.  Samba administrators are
advised to upgrade to 3.2.5 (or 3.0.33) or apply the patch as soon
as possible.


==========
Workaround
==========

None.

=======
Credits
=======

This flaw was found during a code review internal to the Samba Team.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
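The advisory above describes a bounds check that covers only one of the two client-supplied offsets in a secondary trans/trans2/nttrans request. The following C model, added here as an illustration and not taken from Samba's sources or from the attached patch, shows the incomplete pattern next to a complete one: offset (B) governs where bytes land in the server-side reassembly buffer, offset (A) governs where they are read from inside the received PDU, and each comparison is written so that offset plus count cannot wrap. The struct, field names and function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the data portion of a secondary trans request
 * (not Samba's structures). The client controls all three fields:
 *   data_off   - offset (A): where the payload starts inside the PDU it sent
 *   data_count - number of bytes to transfer
 *   data_disp  - offset (B): where the bytes land in the server-side buffer
 */
struct secondary_req {
    uint32_t data_off;
    uint32_t data_count;
    uint32_t data_disp;
};

/* The incomplete pattern the advisory describes: only the destination
 * offset (B) is checked against the reassembly buffer; the source offset (A)
 * is never compared with the length of the PDU actually received, so a later
 * copy would read from wherever the client pointed inside the process. */
bool check_incomplete(const struct secondary_req *r, size_t pdu_len, size_t total_len)
{
    (void)pdu_len;                                   /* never consulted */
    if (r->data_count > total_len) return false;
    if (r->data_disp > total_len - r->data_count) return false;
    return true;
}

/* Complete check: both ranges are validated. Each test is of the form
 * "offset > limit - count" after first ensuring count <= limit, which avoids
 * computing offset + count and therefore cannot wrap on 32-bit values. */
bool check_complete(const struct secondary_req *r, size_t pdu_len, size_t total_len)
{
    /* offset (B): destination range must lie inside the reassembly buffer */
    if (r->data_count > total_len) return false;
    if (r->data_disp > total_len - r->data_count) return false;
    /* offset (A): source range must lie inside the PDU that was received */
    if (r->data_count > pdu_len) return false;
    if (r->data_off > pdu_len - r->data_count) return false;
    return true;
}

/* Copies the secondary's payload into the reassembly buffer only when the
 * complete check passes. Returns 1 on success, 0 if the request was rejected. */
int append_secondary(const struct secondary_req *r,
                     const uint8_t *pdu, size_t pdu_len,
                     uint8_t *buf, size_t total_len)
{
    if (!check_complete(r, pdu_len, total_len)) return 0;
    memcpy(buf + r->data_disp, pdu + r->data_off, r->data_count);
    return 1;
}

/* Constructed scenario: a 64-byte PDU, a 256-byte reassembly buffer, one
 * request whose source offset points far beyond the PDU and one that is
 * well-formed. Returns 1 when the checks behave as described. */
int demo(void)
{
    uint8_t pdu[64];
    uint8_t buf[256];
    memset(pdu, 'A', sizeof pdu);
    memset(buf, 0, sizeof buf);

    struct secondary_req bad  = { .data_off = 4000, .data_count = 32, .data_disp = 0 };
    struct secondary_req good = { .data_off = 8,    .data_count = 32, .data_disp = 64 };

    int incomplete_accepts_bad = check_incomplete(&bad, sizeof pdu, sizeof buf);
    int complete_rejects_bad   = !check_complete(&bad, sizeof pdu, sizeof buf);
    int good_accepted          = append_secondary(&good, pdu, sizeof pdu, buf, sizeof buf);

    printf("incomplete check accepts out-of-PDU offset: %d\n", incomplete_accepts_bad);
    printf("complete check rejects it:                  %d\n", complete_rejects_bad);
    printf("well-formed request copied:                 %d\n", good_accepted);
    return incomplete_accepts_bad && complete_rejects_bad && good_accepted;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The `check_incomplete` function accepts a request whose source offset lies thousands of bytes past the end of a 64-byte PDU, which is exactly the condition the advisory says lets higher-level processing run over arbitrary process memory; `check_complete` rejects it, and also rejects an offset near `UINT32_MAX` that would pass a naive `off + count <= len` test after wrapping.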
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-11-19 20:47:24 UTC
Tiziano, we can do prestable testing on this bug. Do not commit to CVS, you know the drill...
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-11-19 20:48:20 UTC
Created attachment 172416 [details, diff]
3.0.32-CVE-2008-4314.patch
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-11-27 17:23:46 UTC
public via $URL
Comment 4 Tiziano Müller (RETIRED) gentoo-dev 2008-11-27 18:26:18 UTC
Ok, please bump to 3.0.33 since I won't be able to do that until tomorrow. Sorry :-(
Comment 5 Tiziano Müller (RETIRED) gentoo-dev 2008-11-28 07:16:02 UTC
Updated ebuild for 3.0.33 is in the tree.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-11-28 15:50:32 UTC
Arches, please test and mark stable:
=net-fs/samba-3.0.33
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2008-11-28 17:16:05 UTC
Stable for HPPA.
Comment 8 Markus Meier gentoo-dev 2008-11-28 20:34:26 UTC
amd64/x86 stable
Comment 9 Tobias Scherbaum (RETIRED) gentoo-dev 2008-11-28 21:45:06 UTC
ppc stable
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2008-11-29 16:59:27 UTC
alpha/arm/ia64/sparc stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2008-12-01 15:48:45 UTC
ppc64 done
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2008-12-07 20:22:11 UTC
Ready for vote, I vote YES.
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2009-01-04 17:50:23 UTC
s390/sh stable
Comment 14 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-11 18:43:53 UTC
Yes, too. Request filed.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-03-07 16:26:31 UTC
GLSA 200903-07