Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 511764 (CVE-2014-0178) - <net-fs/samba-3.6.24: Uninitialized memory exposure (CVE-2014-{0178,0239})
Summary: <net-fs/samba-3.6.24: Uninitialized memory exposure (CVE-2014-{0178,0239})
Status: RESOLVED FIXED
Alias: CVE-2014-0178
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Keywords:
Depends on: CVE-2014-0244
Blocks:
  Show dependency tree
 
Reported: 2014-05-29 07:59 UTC by Agostino Sarubbo
Modified: 2015-02-26 08:59 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2014-05-29 07:59:19 UTC
From ${URL} :

It was reported that Samba 3.6.6 to 4.1.7 are affected by a vulnerability
that allows an authenticated client to retrieve eight bytes of uninitialized
server memory when a shadow-copy VFS module is enabled.

In preparing a response to an authenticated FSCTL_GET_SHADOW_COPY_DATA
or FSCTL_SRV_ENUMERATE_SNAPSHOTS client request, affected versions of
Samba do not initialize 8 bytes of the 16 byte SRV_SNAPSHOT_ARRAY
response field. The uninitialized buffer is sent back to the client.

A non-default VFS module providing the get_shadow_copy_data_fn() hook
must be explicitly enabled for Samba to process the aforementioned
client requests. Therefore, only configurations with "shadow_copy" or
"shadow_copy2" specified for the "vfs objects" parameter are vulnerable.

To avoid the vulnerability, affected versions can be configured without
"shadow_copy" or "shadow_copy2" specified for the "vfs objects"
parameter. This is the default configuration.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 01:52:44 UTC
Samba Reference:

http://www.samba.org/samba/security/CVE-2014-0178

Samba 4.1.8 Available for Download

                   =============================
                   Release Notes for Samba 4.1.8
                           June 3, 2014
                   =============================


This is the latest stable release of Samba 4.1.

Please note that this bug fix release also addresses two minor security issues
without being a dedicated security release:

  o CVE-2014-0239: dns: Don't reply to replies (bug #10609).
  o CVE-2014-0178: Malformed FSCTL_SRV_ENUMERATE_SNAPSHOTS response
    (bug #10549).


Please let us know when you are ready for stabilization.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-31 15:01:12 UTC
CVE-2014-0178 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0178):
  Samba 3.6.6 through 3.6.23, 4.0.x before 4.0.18, and 4.1.x before 4.1.8,
  when a certain vfs shadow copy configuration is enabled, does not properly
  initialize the SRV_SNAPSHOT_ARRAY response field, which allows remote
  authenticated users to obtain potentially sensitive information from process
  memory via a (1) FSCTL_GET_SHADOW_COPY_DATA or (2)
  FSCTL_SRV_ENUMERATE_SNAPSHOTS request.
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-31 18:52:38 UTC
I don't see a fix for this upstream for the 3.6 series, specifically it is not mentioned in either http://www.samba.org/samba/history/samba-3.6.24.html nor http://www.samba.org/samba/history/samba-3.6.23.html
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2014-09-03 21:09:04 UTC
CVE-2014-0239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-0239):
  The internal DNS server in Samba 4.x before 4.0.18 does not check the QR
  field in the header section of an incoming DNS message before sending a
  response, which allows remote attackers to cause a denial of service (CPU
  and bandwidth consumption) via a forged response packet that triggers a
  communication loop, a related issue to CVE-1999-0103.
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-02-23 21:46:07 UTC
*** Bug 541182 has been marked as a duplicate of this bug. ***
Comment 6 Lars Wendler (Polynomial-C) gentoo-dev 2015-02-23 22:43:48 UTC
+*samba-4.1.17 (23 Feb 2015)
+*samba-4.0.25 (23 Feb 2015)
+*samba-3.6.25 (23 Feb 2015)
+
+  23 Feb 2015; Lars Wendler <polynomial-c@gentoo.org> +samba-3.6.25.ebuild,
+  -samba-4.0.23.ebuild, -samba-4.0.24.ebuild, +samba-4.0.25.ebuild,
+  -samba-4.1.15.ebuild, -samba-4.1.16.ebuild, +samba-4.1.17.ebuild:
+  Security bump (bug #511764). Removed old.
+
Comment 7 Sergey Popov gentoo-dev 2015-02-24 08:16:52 UTC
Added to existing GLSA request
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-02-26 08:59:22 UTC
This issue was resolved and addressed in
 GLSA 201502-15 at http://security.gentoo.org/glsa/glsa-201502-15.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).