[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

Steve Langasek vorlon at debian.org
Fri May 30 01:50:37 GMT 2008

On Wed, May 28, 2008 at 11:45:07AM -0700, Jeremy Allison wrote:
> On Wed, May 28, 2008 at 06:07:32PM +0200, Christian Perrier wrote:
> > Quoting Gerald (Jerry) Carter (jerry at samba.org):

> > > The time line is as follows:

> > > * May 15, 2008: Initial report to security at samba.org.
> > > * May 15, 2008: First response from Samba developers confirming
> > >   the bug along with a proposed patch.
> > > * May 28, 2008: Public security advisory made available.

> > Please understand this as a constructive remark, but was there a reason
> > to unveil the issue to "vendors" (including /me and Debian coworkers)
> > as late as May 27th?

> > For the previous security issues, a few months ago, the time we had to
> > develop updates was slightly longer....which is pretty important for
> > volunteers..:-)

> > Of course, and again, no finger pointing here. I have a too deep
> > respect for the work of the Samba Team and the great communication we
> > have with you people...I know there is certainly a reason for the late
> > unveil and would just like to hear about it.

> This was discussed immediately it was reported on vendor-sec at lst.de.
> Are you on that list ?

No.  The policies of vendor-sec are such that only the Debian security team
are on that list; it doesn't allow for per-upstream distro packagers to
subscribe (and most of the traffic would be noise to the Debian Samba
maintainers anyway).

So while the Debian Security Team will eventually be able to provide a
security update based on this information, it generally makes a big
difference to the timeliness of our package updates for security issues if
the Debian Samba maintainers receive advanced notification (something that
has worked quite well via the samba-pkg-sec list, aside from the present

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org

More information about the samba-technical mailing list