[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses - Samba


Thread: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

  1. [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ==========================================================
    ==
    == Subject: Boundary failure when parsing SMB responses
    == can result in a buffer overrun
    ==
    == CVE ID#: CVE-2008-1105
    ==
    == Versions: Samba 3.0.0 - 3.0.29 (inclusive)
    ==
    == Summary: Specifically crafted SMB responses can result
    == in a heap overflow in the Samba client code.
    == Because the server process, smbd, can itself
    == act as a client during operations such as
    == printer notification and domain authentication,
    == this issue affects both Samba client and server
    == installations.
    ==
    ==========================================================

    ===========
    Description
    ===========

    Secunia Research reported a vulnerability that allows for
    the execution of arbitrary code in smbd. This defect is
    a result of an incorrect buffer size when parsing SMB
    replies in the routine receive_smb_raw().


    ==================
    Patch Availability
    ==================

    A patch addressing this defect has been posted to

    http://www.samba.org/samba/security/

    Additionally, Samba 3.0.30 has been issued as a security
    release to correct the defect. Samba administrators are
    advised to upgrade to 3.0.30 or apply the patch as soon
    as possible.


    =======
    Credits
    =======

    This vulnerability was reported to Samba developers by
    Alin Rad Pop, Secunia Research.

    The time line is as follows:

    * May 15, 2008: Initial report to security@samba.org.
    * May 15, 2008: First response from Samba developers confirming
    the bug along with a proposed patch.
    * May 28, 2008: Public security advisory made available.


    ==========================================================
    == Our Code, Our Bugs, Our Responsibility.
    == The Samba Team
    ==========================================================

    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba
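The defect class the advisory describes, as an added example that is not Samba's code: a client-side reader computes the length the peer announces in the 4-byte NetBIOS session header and refuses the response when that length exceeds the buffer it actually allocated. The receiver capacity, the frame bytes and the function names are constructed for the demo.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Samba's code. NetBIOS session framing (RFC 1002):
 * byte 0 = message type, byte 1 bit 0 = length bit 16, bytes 2-3 = low
 * 16 bits of the length. A peer can therefore announce up to 0x1FFFF
 * bytes no matter how much the receiver allocated, so the announced
 * length must be checked against the real buffer size before copying. */

#define NBT_HDR_LEN  4
#define RECV_BUF_LEN 1024   /* constructed receiver capacity for the demo */

/* SMB payload length announced by the session header. */
static size_t nbt_payload_len(const unsigned char *hdr) {
    return ((size_t)(hdr[1] & 1) << 16) | ((size_t)hdr[2] << 8) | hdr[3];
}

/* Copy one framed response from `wire` (wire_len bytes) into `out`
 * (out_len bytes). Returns the payload length, or -1 if the header is
 * missing, the announced length does not fit in `out`, or the frame is
 * shorter than announced. The out_len comparison is the check that an
 * incorrectly sized buffer defeats. */
int recv_smb_bounded(const unsigned char *wire, size_t wire_len,
                     unsigned char *out, size_t out_len) {
    if (wire_len < NBT_HDR_LEN) return -1;
    size_t len = nbt_payload_len(wire);
    if (len > out_len) return -1;                 /* oversized response */
    if (wire_len - NBT_HDR_LEN < len) return -1;  /* short read */
    memcpy(out, wire + NBT_HDR_LEN, len);
    return (int)len;
}

/* Constructed frame: header announces 5 bytes, 5 bytes follow. */
int demo_ok(void) {
    unsigned char frame[] = {0x00, 0x00, 0x00, 0x05, 0xFF, 'S', 'M', 'B', 0x72};
    unsigned char buf[RECV_BUF_LEN];
    return recv_smb_bounded(frame, sizeof frame, buf, sizeof buf);
}

/* Constructed frame: header announces 0x10000 bytes, far more than
 * RECV_BUF_LEN, so the reader must reject it before copying anything. */
int demo_oversized(void) {
    unsigned char frame[] = {0x00, 0x01, 0x00, 0x00, 0xFF, 'S', 'M', 'B', 0x72};
    unsigned char buf[RECV_BUF_LEN];
    return recv_smb_bounded(frame, sizeof frame, buf, sizeof buf);
}
```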

  2. [Samba] Debian packages for CVE-2008-1105

    Quoting Gerald (Jerry) Carter (jerry@samba.org):
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > ==========================================================
    > ==
    > == Subject: Boundary failure when parsing SMB responses
    > == can result in a buffer overrun
    > ==
    > == CVE ID#: CVE-2008-1105


    I think that Debian users might benefit from the following:

    The maintainers of samba packages in Debian are working on updates wrt
    this issue.

    A bug has already been reported to track it in Debian BTS and, as all
    security issues in Debian, is tracked by the Debian security team.

    I've already prepared packages for 3.0.30, which will be uploaded to
    Debian unstable ASAP. These packages have a high priority so they
    should be built for all architectures in priority by Debian
    autobuilders, then enter Debian testing 2 days after the upload (in
    theory: some autobuilders are slow).

    Packages for Debian etch (which includes 3.0.24) have been built
    without problems. We'll do some regression testing (but, as everybody
    knows, that's pretty complicated for samba given the number of
    possible use cases) and they'll be uploaded to be reviewed by Debian
    security team.

    Of course, the usual Debian security announcements will be sent when
    things are ready.

    *There will not be any official Debian packages for sarge* (which has
    3.0.14a). The sarge release is no longer supported by Debian and
    Debian security team and users should upgrade to etch. For samba, this
    is the first time we won't issue sarge packages (last CVE issues
    happened when sarge was still supported).


  3. Re: [Samba] Debian packages for CVE-2008-1105

    On Thu, May 29, 2008 at 6:34 AM, Christian Perrier wrote:
    > Quoting Gerald (Jerry) Carter (jerry@samba.org):
    >> ==========================================================
    >> ==
    >> == Subject: Boundary failure when parsing SMB responses
    >> == can result in a buffer overrun
    >> ==
    >> == CVE ID#: CVE-2008-1105

    [...]
    > I've already prepared packages for 3.0.30, which will be uploaded to
    > Debian unstable ASAP.

    [...]
    > Packages for Debian etch (which includes 3.0.24) have been built
    > without problems.


    [applause] my sincere thanks to the Debian packagers for this effort
    in such a short time window [/applause]

    Just wondering - given all the improvements (particularly Vista
    compatibility) made since 3.0.24 - does anyone know of a backport of
    anything later than 3.0.24 for Etch on i386 ?

    Cheers
    Nick Boyce
    --
    Leave the Olympics in Greece where they belong

  4. Re: [Samba] Debian packages for CVE-2008-1105

    Quoting Nick Boyce (nick.boyce@gmail.com):

    (please keep applause for the moment we will upload the fixed packages
    for etch. I haven't done this yet...3.0.30 is in unstable now, though)

    > Just wondering - given all the improvements (particularly Vista
    > compatibility) made since 3.0.24 - does anyone know of a backport of
    > anything later than 3.0.24 for Etch on i386 ?


    Maybe check on backports.org but, IIRC, there is no one maintaining
    such backports for samba there.

    I think that simply rebuilding the current lenny packages would work:

    In /etc/apt/sources.list on an etch machine:

    deb-src http://ftp.fr.debian.org/debian sid main contrib non-free

    Then:
    apt-get update
    apt-get source samba
    cd samba-3.0.30
    dpkg-checkbuilddeps

    ..../... install all packages needed to build as reported

    debuild

    If you want to build in a clean environment (recommended if you make
    such packages available to other users), you should use "pbuilder" to
    build in a dedicated and clean chroot.



  5. [Samba] (update) Debian packages for CVE-2008-1105

    > I've already prepared packages for 3.0.30, which will be uploaded to
    > Debian unstable ASAP. These packages have a high priority so they


    An i386 1:3.0.30-1 package was uploaded yesterday to Debian unstable.
    Autobuilders (i.e. those magic scripts that build packages for all
    supported architectures) started building it for non-i386 arches.


    > Packages for Debian etch (which includes 3.0.24) have been built
    > without problems. We'll do some regression testing (but, as everybody


    3.0.24-6etch10 packages are in the hands of the Debian Security Team
    for review (this is our usual process). Here as well, autobuilders
    have to build. Then a security announcement will be sent and
    the packages will be available through security.debian.org APT
    repository.

    That step might take some time as building samba on some architectures
    (arm, m68k...) takes significant time.



  6. [Samba] (update 2) Debian packages for CVE-2008-1105

    > 3.0.24-6etch10 packages are in the hands of the Debian Security Team
    > for review (this is our usual process). Here as well, autobuilders
    > have to build. Then a security announcement will be sent and
    > the packages will be available through security.debian.org APT
    > repository.


    Updated packages for Debian etch are now available on
    security.debian.org. So, once you have this in /etc/apt/sources.list:

    deb http://security.debian.org/ etch/updates main

    (and every Debian user should)

    ...then you'll get them at your next "apt-get dist-upgrade"


  7. Re: [Samba] Debian packages for CVE-2008-1105

    Hello, Nick,

    You (nick.boyce) wrote on 29.05.08:

    >> I've already prepared packages for 3.0.30, which will be uploaded to
    >> Debian unstable ASAP.

    > [...]
    >> Packages for Debian etch (which includes 3.0.24) have been built
    >> without problems.


    > [applause] my sincere thanks to the Debian packagers for this effort
    > in such a short time window [/applause]


    Hmmm - the Samba-3.0.30 slackware packages for slackware 11.0 and
    slackware-current are always available ... applause too?

    And I prefer the actual version, no backport.

    Kind regards!
    Helmut

  8. [Samba] (update 3) Debian packages for CVE-2008-1105

    Updated packages (3.0.30-2) are now available to users of Debian
    "testing" (Debian "testing" is the future release of the Debian
    distribution).

    So, as of now, all development branches of Debian have fixed packages,
    with the exception of Debian experimental, as samba is 3.2.0-rc1
    there... and that version is still vulnerable to CVE-2008-1105, as far
    as I know (Karolin mentioned that rc2 will fix that).
