Bug 275236 (CVE-2009-1888) - <net-fs/samba-3.0.35 Uninitialized read of a data value (CVE-2009-1888)
Summary: <net-fs/samba-3.0.35 Uninitialized read of a data value (CVE-2009-1888)
Status: RESOLVED FIXED
Alias: CVE-2009-1888
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://www.samba.org/samba/security/C...
Whiteboard: C4 [noglsa]
Keywords: STABLEREQ
Depends on:
Blocks:
 
Reported: 2009-06-24 00:10 UTC by Robert Buchholz (RETIRED)
Modified: 2009-10-04 23:53 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2009-06-24 00:10:28 UTC
===========================================================
== Subject:     Uninitialized read of a data value
==
== CVE ID#:     CVE-2009-1888
==
== Versions:    Samba 3.0.31 - 3.3.5
==
== Summary:     In Samba 3.0.31 to 3.3.5 (inclusive), an
==		uninitialized read of a data value can potentially
==		affect access control when "dos filemode"
==		is set to "yes".
==
===========================================================


===========
Description
===========

The smbd daemon in Samba 3.0.31 - 3.3.5 contains an
uninitialized read of a data value that can potentially
affect access control. If a user is trying to modify
an access control list (ACL) and is denied permission,
this deny may be overridden if the parameter "dos filemode"
is set to "yes" in the smb.conf and the user already has write
access to the file. The error occurs in checking that the
user has write access. Uninitialized memory is read instead
of the values in the 'stat' struct of the file.

An attack would be difficult to script by an attacker,
as the attacker would need to find a reproducible case
to ensure previously used stack memory had the correct
values to trigger the bug. In addition, the server would
have to have been configured with "dos filemode = yes"
in the smb.conf.


==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.2.13 and 3.0.35 and 3.3.6 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.


==========
Workaround
==========

Set the parameter:

dos filemode = no

in the [global] section of your smb.conf. This is
already the default setting.


=======
Credits
=======

This issue was found by Jeremy Allison as part of
normal code auditing activities in Samba.


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
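The workaround above puts "dos filemode = no" in [global], but "dos filemode" is a per-share parameter: a value in [global] only sets the default, and any share section may override it back to "yes". The following audit script is an added example (not part of the Samba advisory or of this Gentoo bug) that walks an smb.conf and lists every share whose effective "dos filemode" value is yes, saying whether the value comes from the share itself or is inherited from [global]. The sample smb.conf, its share names and paths are constructed for the demonstration; the script assumes [global] appears before the share sections, as it conventionally does.

```shell
#!/bin/sh
# Audit an smb.conf for shares where "dos filemode" is effectively "yes".
# Added example, not code from Samba or from this bug report.

# Constructed sample config (not a real deployment).
make_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = WORKGROUP
   dos filemode = yes        ; global default: every share inherits it

[homes]
   browseable = no
   writable = yes

[public]
   path = /srv/samba/public
   dos filemode = no         ; share-level override: safe

[engineering]
   path = /srv/samba/eng
   DOS FileMode = Yes        ; parameter names are case-insensitive
EOF
}

# Print "<share> <source>" for each share with dos filemode enabled,
# where <source> is "share" (set in that section) or "global" (inherited).
dos_filemode_shares() {
    awk '
    # lower-case, strip ";"/"#" comments and surrounding blanks
    function norm(s) {
        sub(/[;#].*$/, "", s)
        gsub(/^[ \t]+|[ \t]+$/, "", s)
        return tolower(s)
    }
    # report the section just finished, if it is a share and enabled
    function flush() {
        if (sec == "" || sec == "global") return
        if (sval != "") {
            if (sval == "yes" || sval == "true" || sval == "1") print sec, "share"
        } else if (gdef == "yes" || gdef == "true" || gdef == "1") {
            print sec, "global"
        }
    }
    /^[ \t]*\[/ {                          # section header
        flush()
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
        sec = norm(sec); sval = ""
        next
    }
    /=/ {                                  # "key = value" line
        key = $0; sub(/=.*$/, "", key); key = norm(key)
        gsub(/[ \t]+/, " ", key)
        val = $0; sub(/^[^=]*=/, "", val); val = norm(val)
        if (key == "dos filemode") {
            if (sec == "global") gdef = val
            else sval = val
        }
    }
    END { flush() }
    ' "$1"
}

# Stand-alone run: build the sample and report on it.
conf="${TMPDIR:-/tmp}/smb.conf.example.$$"
make_sample_conf "$conf"
dos_filemode_shares "$conf"
rm -f "$conf"
```

On the constructed sample this reports "homes global" and "engineering share": [public] is safe because its own "dos filemode = no" overrides the global default. On a real host, `testparm -s -v` prints every parameter, defaults included, for each section using Samba's own parser, so `testparm -s -v | grep -i 'dos filemode'` is the authoritative check; the script above is useful for auditing config files offline or in bulk.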
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2009-06-25 13:50:19 UTC
CVE-2009-1888 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1888):
  The acl_group_override function in smbd/posix_acls.c in smbd in Samba
  3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before
  3.3.6, when dos filemode is enabled, allows remote attackers to
  modify access control lists for files via vectors related to read
  access to uninitialized memory.
Comment 2 Patrick Lauer gentoo-dev 2009-06-25 18:26:05 UTC
+  25 Jun 2009; Patrick Lauer <patrick@gentoo.org> +samba-3.0.35.ebuild:
+  Bump to 3.0.35. Fixes #275236.
Comment 3 Víctor Ostorga (RETIRED) gentoo-dev 2009-09-21 20:25:52 UTC
ping to @security to stabilize > net-fs/samba-3.0.35
Comment 4 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-09-22 09:47:55 UTC
Arches, please test and mark stable:
=net-fs/samba-3.0.36
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86"
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-09-22 15:35:26 UTC
Stable for HPPA.
Comment 6 Christian Faulhammer (RETIRED) gentoo-dev 2009-09-23 14:32:15 UTC
x86 stable
Comment 7 Raúl Porcel (RETIRED) gentoo-dev 2009-09-23 17:57:50 UTC
alpha/arm/ia64/s390/sh/sparc stable
Comment 8 Markus Meier gentoo-dev 2009-09-25 10:41:37 UTC
amd64 stable
Comment 9 Brent Baude (RETIRED) gentoo-dev 2009-09-25 18:17:20 UTC
ppc64 done
Comment 10 nixnut (RETIRED) gentoo-dev 2009-09-27 14:13:53 UTC
ppc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-04 23:38:49 UTC
Adjusting to C4, as "dos filemode = no" is the default & closing NOGLSA.
Comment 12 Stefan Behte (RETIRED) gentoo-dev Security 2009-10-04 23:39:32 UTC
...and closing NOGLSA. ;)