svn commit: samba-web r1075 - in trunk: history security

jerry at samba.org
Mon Feb 5 14:36:21 GMT 2007


Author: jerry
Date: 2007-02-05 14:36:20 +0000 (Mon, 05 Feb 2007)
New Revision: 1075

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba-web&rev=1075

Log:
pushing announcements to the web site
Added:
   trunk/security/CVE-2007-0452.html
   trunk/security/CVE-2007-0453.html
   trunk/security/CVE-2007-0454.html
Modified:
   trunk/history/security.html


Changeset:
Modified: trunk/history/security.html
===================================================================
--- trunk/history/security.html	2007-02-05 13:12:05 UTC (rev 1074)
+++ trunk/history/security.html	2007-02-05 14:36:20 UTC (rev 1075)
@@ -22,6 +22,33 @@
       </tr>
       
     <tr>
+        <td>5 Feb 2007</td>
+        <td><a href="/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0452.patch">patch for Samba 3.0.23d</a></td>
+        <td>Potential Denial of Service bug in smbd</td>
+        <td>Samba 3.0.6 - 3.0.23d</td>
+        <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0452">CVE-2007-0452</a></td>
+        <td><a href="/samba/security/CVE-2007-0452.html">Announcement</a></td>
+    </tr>
+
+    <tr>
+        <td>5 Feb 2007</td>
+        <td><a href="/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0453.patch">patch for Samba 3.0.23d</a></td>
+        <td>Buffer overrun in NSS host lookup Winbind library on Solaris</td>
+        <td>Samba 3.0.21 - 3.0.23d</td>
+        <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0453">CVE-2007-0453</a></td>
+        <td><a href="/samba/security/CVE-2007-0453.html">Announcement</a></td>
+    </tr>
+
+    <tr>
+        <td>5 Feb 2007</td>
+        <td><a href="/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0454.patch">patch for Samba 3.0.23d</a></td>
+        <td>Format string bug in afsacl.so VFS plugin</td>
+        <td>Samba 3.0.6 - 3.0.23d</td>
+        <td><a href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0454">CVE-2007-0454</a></td>
+        <td><a href="/samba/security/CVE-2007-0454.html">Announcement</a></td>
+    </tr>
+
+    <tr>
         <td>10 July 2006</td>
         <td><a href="/samba/ftp/patches/security/samba-3.0-CVE-2006-3403.patch">patch for Samba 3.0.1 - 3.0.22</a></td>
         <td>Memory exhaustion DoS against smbd</td>
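Review bot: the three new rows give the affected range (`Samba 3.0.6 - 3.0.23d`, `Samba 3.0.21 - 3.0.23d`) but not the release that fixes it, while each announcement page added in this same commit says the fix is incorporated into Samba 3.0.24; consider carrying that into the patch cell, e.g. `patch for Samba 3.0.23d (fixed in 3.0.24)`, so the history table answers the upgrade question on its own. The rows also link to three files under `/samba/ftp/patches/security/` that this commit does not add, so confirm those patch files are published before the page goes live.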

Added: trunk/security/CVE-2007-0452.html
===================================================================
--- trunk/security/CVE-2007-0452.html	2007-02-05 13:12:05 UTC (rev 1074)
+++ trunk/security/CVE-2007-0452.html	2007-02-05 14:36:20 UTC (rev 1075)
@@ -0,0 +1,79 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2007-0452: Potential Denial of Service bug in smbd</H2>
+
+<p>
+<pre>
+==========================================================
+==
+== Subject:     Potential Denial of Service bug in smbd
+== CVE ID#:     CVE-2007-0452
+==
+== Versions:    Samba 3.0.6 - 3.0.23d (inclusive)
+==
+== Summary:     A logic error in the deferred open code
+== 		can lead to an infinite loop in smbd
+==
+==========================================================
+
+===========
+Description
+===========
+
+Internally Samba's file server daemon, smbd, implements
+support for deferred file open calls in an attempt to serve
+client requests that would otherwise fail due to a share mode
+violation.  When renaming a file under certain circumstances
+it is possible that the request is never removed from the deferred
+open queue.  smbd will then become stuck is a loop trying to
+service the open request.
+
+This bug may allow an authenticated user to exhaust resources
+such as memory and CPU on the server by opening multiple CIFS
+sessions, each of which will normally spawn a new smbd process,
+and sending each connection into an infinite loop.
+
+
+==================
+Patch Availability
+==================
+
+A patch against Samba 3.0.23d has been attached to this
+email.  This fix has be incorporated into the Samba 3.0.24
+release.  Patches are also available from at the Samba Security
+page (http://www.samba.org/samba/security).
+
+
+==========
+Workaround
+==========
+
+The bug is believed to be exploitable only by an authenticated
+user.  The server's exposure can be alleviated by disabling
+any suspect or hostile user accounts.
+
+
+=======
+Credits
+=======
+
+This vulnerability was found during internal regression
+testing by Samba developers.
+
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+
+</body>
+</html>
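Review bot: the markup of this new page is not well-formed under the XHTML 1.0 Transitional doctype it declares: `<H2>` must be lowercase `<h2>`, and the `<p>` that precedes `<pre>` is never closed and cannot legally contain a block element, so either drop it or close it before the `<pre>`. In the Patch Availability section, `A patch against Samba 3.0.23d has been attached to this email` was carried over from the mailing-list announcement and makes no sense on a web page; point it at the patch the history table links, `/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0452.patch`, and fix `has be incorporated` (has been) and `available from at the` (available from). The Description has `stuck is a loop`, which should read `stuck in a loop`.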

Added: trunk/security/CVE-2007-0453.html
===================================================================
--- trunk/security/CVE-2007-0453.html	2007-02-05 13:12:05 UTC (rev 1074)
+++ trunk/security/CVE-2007-0453.html	2007-02-05 14:36:20 UTC (rev 1075)
@@ -0,0 +1,92 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2007-0453: Buffer overrun in NSS host lookup Winbind library on Solaris</H2>
+
+<p>
+<pre>
+==========================================================
+==
+== Subject:     Buffer overrun in NSS host lookup Winbind
+==		library on Solaris
+== CVE ID#:     CVE-2007-0453
+==
+== Versions:    Samba 3.0.21 - 3.0.23d (inclusive) running on
+==		Sun Solaris
+==
+== Summary:     A potential overrun in the gethostbyname()
+==		and getipnodebyname() in the nss_winbind.so.1
+==		library on Solaris can potentially allow
+==		for code execution.
+==
+==========================================================
+
+===========
+Description
+===========
+
+NOTE: This security advisory only affects Sun Solaris
+systems running Samba's winbindd daemon and configured to
+make use of the nss_winbind.so.1 library for gethostbyname()
+and getipnodebyname() name resolution queries.  For example,
+
+	## /etc/nsswitch.conf
+	...
+	ipnodes: files winbind
+	hosts: files winbind
+
+The buffer overrun is caused by copying a string passed
+into the NSS interface into a static buffer prior to sending
+the request to the winbindd daemon.
+
+
+==================
+Patch Availability
+==================
+
+A patch against Samba 3.0.23d has been attached to this
+email.  This fix has be incorporated into the Samba 3.0.24
+release.  Patches are also available from at the Samba Security
+page (http://www.samba.org/samba/security).
+
+==========
+Workaround
+==========
+
+An unpatched Solaris server may be protected by removing
+the 'winbind' entry from the hosts and ipnodes services in
+/etc/nsswitch.conf.
+
+
+=======
+Credits
+=======
+
+This vulnerability was reported (including a proposed patch)
+to Samba developers by Olivier Gay <ouah at ouah.org>.   Much thanks
+to Olivier for his cooperation and patience in the announcement
+of this defect.  The time line is as follows:
+
+* Dec 15, 2006: Defect first reported to the security at samba.org
+  email alias.
+* Dec 21, 2006: Initial developer response by Andrew Tridgell
+  confirming the issue.
+* Jan 29, 2007: Announcement to vendor-sec mailing list
+* Feb 5, 2007: Public issue of security advisory.
+
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+
+</body>
+</html>
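Review bot: the reporter credit `Olivier Gay <ouah at ouah.org>` sits inside a `<pre>` block with unescaped angle brackets, so an XHTML parser treats `<ouah at ouah.org>` as an element and the address is lost from the rendered page; write it as `&lt;ouah at ouah.org&gt;`. The page shares the defects of the other new announcements: uppercase `<H2>`, an unclosed `<p>` wrapping a `<pre>`, `attached to this email` on a web page (the patch is `/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0453.patch`), `has be incorporated`, and `available from at the`.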

Added: trunk/security/CVE-2007-0454.html
===================================================================
--- trunk/security/CVE-2007-0454.html	2007-02-05 13:12:05 UTC (rev 1074)
+++ trunk/security/CVE-2007-0454.html	2007-02-05 14:36:20 UTC (rev 1075)
@@ -0,0 +1,90 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2007-0454: Format string bug in afsacl.so VFS plugin</H2>
+
+<p>
+<pre>
+==========================================================
+==
+== Subject:     Format string bug in afsacl.so VFS plugin.
+== CVE ID#:     CVE-2007-0454
+==
+== Versions:    The AFS ACL mapping VFS plugin distributed
+==		in Samba 3.0.6 - 3.0.23d (inclusive)
+==
+== Summary:     The name of a file on the server's share
+==		is used as the format string when setting
+==		an NT security descriptor through the
+==		afsacl.so VFS plugin.
+==
+==========================================================
+
+===========
+Description
+===========
+
+NOTE: This security advisory only impacts Samba servers
+that share AFS file systems to CIFS clients and which have
+been explicitly instructed in smb.conf to load the afsacl.so
+VFS module.
+
+The source defect results in the name of a file stored on
+disk being used as the format string in a call to snprintf().
+This bug becomes exploitable only when a user is able
+to write to a share which utilizes Samba's afsacl.so library
+for setting Windows NT access control lists on files residing
+on an AFS file system.
+
+
+==================
+Patch Availability
+==================
+
+A patch against Samba 3.0.23d has been attached to this
+email.  This fix has be incorporated into the Samba 3.0.24
+release.  Patches are also available from at the Samba Security
+page (http://www.samba.org/samba/security).
+
+
+==========
+Workaround
+==========
+
+An unpatched server may be protected by removing all
+references to the afsacl.so VFS module from shares in
+smb.conf.
+
+
+=======
+Credits
+=======
+
+This vulnerability was reported (including a proposed patch)
+to Samba developers by <zybadawg333 at hushmail.com>.  Much thanks
+to zybadawg333 for the cooperation and patience in the
+announcement of this defect.  The time line is as follows:
+
+* Jan 8, 2007: Defect first reported to the security at samba.org
+  email alias.
+* Jan 8, 2007: Initial developer response by Jeremy Allison
+  confirming the issue.
+* Jan 29, 2007: Announcement to vendor-sec mailing list
+* Feb 5, 2007: Public issue of security advisory.
+
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+
+</body>
+</html>
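Review bot: the reporter address `<zybadawg333 at hushmail.com>` in the Credits section is unescaped inside the `<pre>`, so it will be consumed as a tag rather than rendered; use `&lt;zybadawg333 at hushmail.com&gt;`. The `Subject:` line ends with a period (`VFS plugin.`) while the heading and the history-table row do not, so drop it for consistency. The same boilerplate problems as the other two pages apply here: uppercase `<H2>`, `<p>` left open around a `<pre>`, `attached to this email` (the patch is `/samba/ftp/patches/security/samba-3.0.23d-CVE-2007-0454.patch`), `has be incorporated`, and `available from at the`.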


