[SECURITY] Samba 2.2.8 available for download

Green, Paul Paul.Green at stratus.com
Fri Mar 21 05:38:21 GMT 2003


The 2.2.8 release notes say:

> A buffer overrun condition exists in the SMB/CIFS packet fragment
> re-assembly code in smbd which would allow an attacker to cause smbd
> to overwrite arbitrary areas of memory in its own process address
> space. This could allow a skilled attacker to inject binary specific
> exploit code into smbd.

Comment: It seems to me that the ability of a "skilled attacker to inject
binary specific exploit code into smbd" is dependent upon the processor
architecture.  On a chip that fails to distinguish between code and data, I
can readily see how a skilled attacker could inject binary specific code
using a buffer overrun.  However, on a chip that does distinguish areas of
virtual memory that are code, and areas that are data, and further disallows
execution of data (absent a specific operating system call to change the
access mode of that region of virtual memory), it seems to me that it would
be almost impossible for even a highly skilled attacker to inject binary
specific code.  I consider myself highly skilled on the Stratus VOS
operating system and I can't for the life of me see how I could get the HP
PA-RISC microprocessor to execute code that came down the wire as data.

Question: Would someone please confirm or refute my hypothesis?  Some of my
customers are asking me about this vulnerability, and as all of the Stratus
VOS customers are using Samba on a microprocessor that draws a strong
distinction between virtual memory used for data (e.g., stack, heap, static
data) versus virtual memory used by executable code, it is my current strong
belief that we are not susceptible to this vulnerability as described in the
release notes.  [I can see how an attacker could mount a DoS attack, of
course].

[[Meta comment: vulnerabilities that require combinations of code holes and
microprocessor design flaws and/or operating system holes should be so
labeled, IMHO. Blanket statements needlessly scare people, and needlessly
let certain vendors of chips with weak hardware security controls, or OS
vendors with same, off the hook.]]

> Patch Availability
> - -----------------
> 
> As this is a security issue, patches for this flaw specific to earlier
> versions of Samba will be posted on the samba-technical at samba.org
> mailing list as requested.

Well, if my hypothesis is incorrect, I'd like to request a patch against
2.0.7.  Either that, or I'm going to send you a lot of patches to get 2.2.8
to build on VOS...

Thanks
PG
--
Paul Green, Senior Technical Consultant, Stratus Technologies.
Voice: +1 (978) 461-7557; FAX: +1 (978) 461-3610
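The release notes quoted above describe a buffer overrun in fragment re-assembly, where attacker-supplied offset and length fields drive a copy into a fixed buffer. The following is an added example, not Samba's code and not Paul Green's: a constructed, minimal reassembly routine in C showing the two checks a defender wants before the copy, that the declared length does not exceed the bytes actually present, and that offset plus length (computed in a wider unsigned type so it cannot wrap) stays inside the reassembly buffer. The header layout, buffer size and names are assumptions for illustration.

```c
/* Added example (not Samba's code): bounds-checked fragment reassembly.
 * The fragment header layout and REASSEMBLY_MAX are constructed for
 * illustration and do not reflect the actual SMB/CIFS wire format. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define REASSEMBLY_MAX 4096  /* constructed reassembly buffer size */

struct reassembly {
    uint8_t buf[REASSEMBLY_MAX];
    size_t  received;        /* highest byte offset filled so far */
};

/* Hypothetical fragment: offset and len come from the wire and are
 * therefore attacker-controlled; avail is what the transport delivered. */
struct fragment {
    uint32_t       offset;   /* where this fragment claims to belong */
    uint32_t       len;      /* declared payload length */
    const uint8_t *payload;  /* payload bytes actually present */
    size_t         avail;    /* number of payload bytes actually present */
};

/* Copy one fragment into the reassembly buffer.
 * Returns 0 on success, -1 if the fragment is rejected. */
int reassemble_fragment(struct reassembly *r, const struct fragment *f)
{
    /* A declared length larger than the bytes received would make memcpy
     * read past the end of the packet. */
    if (f->len > f->avail)
        return -1;

    /* Compute the end in 64 bits: offset + len in uint32_t could wrap to a
     * small value and slip past a naive "offset + len <= MAX" check. */
    uint64_t end = (uint64_t)f->offset + (uint64_t)f->len;
    if (end > REASSEMBLY_MAX)
        return -1;

    memcpy(r->buf + f->offset, f->payload, f->len);
    if (end > r->received)
        r->received = (size_t)end;
    return 0;
}

/* Feed three constructed fragments and return how many were rejected. */
int demo_rejected_count(void)
{
    struct reassembly r;
    uint8_t payload[32] = {0};
    memset(&r, 0, sizeof r);

    /* In-bounds fragment: accepted. */
    struct fragment good = { 0, 32, payload, 32 };
    /* Offset near the end of the buffer: would overrun by 24 bytes. */
    struct fragment past = { REASSEMBLY_MAX - 8, 32, payload, 32 };
    /* Huge offset chosen so that offset + len wraps in 32-bit arithmetic. */
    struct fragment wrap = { 0xFFFFFFF0u, 32, payload, 32 };

    int rejected = 0;
    rejected += reassemble_fragment(&r, &good) != 0;
    rejected += reassemble_fragment(&r, &past) != 0;
    rejected += reassemble_fragment(&r, &wrap) != 0;
    return rejected;
}

int main(void)
{
    printf("rejected fragments: %d\n", demo_rejected_count());  /* prints 2 */
    return 0;
}
```

Rejecting a malformed fragment and dropping the connection is the defensive behaviour that removes both the overwrite and the crash (DoS) the message above mentions; whether the overwritten bytes could ever be executed depends on the platform's memory protection, but the bounds check makes that question moot.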

