[SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses - Samba


  1. [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    ==========================================================
    ==
    == Subject: Boundary failure when parsing SMB responses
    == can result in a buffer overrun
    ==
    == CVE ID#: CVE-2008-1105
    ==
    == Versions: Samba 3.0.0 - 3.0.29 (inclusive)
    ==
    == Summary: Specifically crafted SMB responses can result
    == in a heap overflow in the Samba client code.
    == Because the server process, smbd, can itself
    == act as a client during operations such as
    == printer notification and domain authentication,
    == this issue affects both Samba client and server
    == installations.
    ==
    ==========================================================

    ===========
    Description
    ===========

    Secunia Research reported a vulnerability that allows for
    the execution of arbitrary code in smbd. This defect is
    a result of an incorrect buffer size when parsing SMB
    replies in the routine receive_smb_raw().


    ==================
    Patch Availability
    ==================

    A patch addressing this defect has been posted to

    http://www.samba.org/samba/security/

    Additionally, Samba 3.0.30 has been issued as a security
    release to correct the defect. Samba administrators are
    advised to upgrade to 3.0.30 or apply the patch as soon
    as possible.


    =======
    Credits
    =======

    This vulnerability was reported to Samba developers by
    Alin Rad Pop, Secunia Research.

    The time line is as follows:

    * May 15, 2008: Initial report to security@samba.org.
    * May 15, 2008: First response from Samba developers confirming
    the bug along with a proposed patch.
    * May 28, 2008: Public security advisory made available.


    ==========================================================
    == Our Code, Our Bugs, Our Responsibility.
    == The Samba Team
    ================================================== ========

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFIPXKTIR7qMdg1EfYRAtAPAJ0QVs2+Lvym7/mNYYynRi4jyBVlMgCgpzxM
    mMOit+kEDcx13IlvNT9jNRk=
    =c37d
    -----END PGP SIGNATURE-----
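
Added example, not part of the advisory and not Samba's code: the advisory attributes the overrun to an incorrect buffer size when parsing SMB replies in receive_smb_raw(). The C code below shows the general safeguard for that class of defect, checking the peer-declared frame length against the size of the buffer the caller actually supplied. The names recv_frame, demo_receive and struct stream, the 4-byte header layout and the sample frame are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory byte stream standing in for the socket (assumption). */
struct stream { const uint8_t *data; size_t len, pos; };

static int read_exact(struct stream *s, uint8_t *dst, size_t n)
{
    if (s->len - s->pos < n) return -1;            /* peer sent less than promised */
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

/* Receive one frame: 4-byte header (type byte + 24-bit big-endian length),
 * then the payload. The peer-declared length is checked against buflen, the
 * size of the caller's real buffer, before any payload byte is copied. */
long recv_frame(struct stream *s, uint8_t *buf, size_t buflen)
{
    uint8_t hdr[4];
    if (buflen < sizeof hdr || read_exact(s, hdr, sizeof hdr) != 0) return -1;
    size_t declared = ((size_t)hdr[1] << 16) | ((size_t)hdr[2] << 8) | hdr[3];
    if (declared > buflen - sizeof hdr) return -1; /* would overrun buf: reject */
    memcpy(buf, hdr, sizeof hdr);
    if (read_exact(s, buf + sizeof hdr, declared) != 0) return -1;
    return (long)declared;
}

/* Feed a constructed frame declaring 600 payload bytes into a heap buffer. */
long demo_receive(size_t buflen)
{
    static uint8_t wire[4 + 600];
    wire[0] = 0x00; wire[1] = 0x00; wire[2] = 0x02; wire[3] = 0x58; /* 600 */
    memset(wire + 4, 'A', 600);
    struct stream s = { wire, sizeof wire, 0 };
    uint8_t *buf = malloc(buflen ? buflen : 1);
    if (buf == NULL) return -1;
    long n = recv_frame(&s, buf, buflen);
    free(buf);
    return n;
}

int main(void)
{
    printf("1024: %ld, 256: %ld\n", demo_receive(1024), demo_receive(256));
    return 0;
}
```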


  2. Re: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    Quoting Gerald (Jerry) Carter (jerry@samba.org):

    > The time line is as follows:
    >
    > * May 15, 2008: Initial report to security@samba.org.
    > * May 15, 2008: First response from Samba developers confirming
    > the bug along with a proposed patch.
    > * May 28, 2008: Public security advisory made available.


    Please understand this as a constructive remark, but was there a reason
    to unveil the issue to "vendors" (including /me and Debian coworkers)
    as late as May 27th?

    For the previous security issues, a few months ago, the time we had to
    develop updates was slightly longer....which is pretty important for
    volunteers..:-)

    Of course, and again, no finger pointing here. I have a too deep
    respect for the work of the Samba Team and the great communication we
    have with you people...I know there is certainly a reason for the late
    unveil and would just like to hear about it.


  3. Re: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    On Wed, May 28, 2008 at 06:07:32PM +0200, Christian Perrier wrote:
    > Quoting Gerald (Jerry) Carter (jerry@samba.org):
    >
    > > The time line is as follows:
    > >
    > > * May 15, 2008: Initial report to security@samba.org.
    > > * May 15, 2008: First response from Samba developers confirming
    > > the bug along with a proposed patch.
    > > * May 28, 2008: Public security advisory made available.
    >
    > Please understand this as a constructive remark, but was there a reason
    > to unveil the issue to "vendors" (including /me and Debian coworkers)
    > as late as May 27th?
    >
    > For the previous security issues, a few months ago, the time we had to
    > develop updates was slightly longer....which is pretty important for
    > volunteers..:-)
    >
    > Of course, and again, no finger pointing here. I have a too deep
    > respect for the work of the Samba Team and the great communication we
    > have with you people...I know there is certainly a reason for the late
    > unveil and would just like to hear about it.


    This was discussed immediately it was reported on vendor-sec@lst.de.
    Are you on that list ?

    Jeremy.


  4. Re: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Christian Perrier wrote:
    > Quoting Gerald (Jerry) Carter (jerry@samba.org):
    >
    >> The time line is as follows:
    >>
    >> * May 15, 2008: Initial report to security@samba.org.
    >> * May 15, 2008: First response from Samba developers confirming
    >> the bug along with a proposed patch.
    >> * May 28, 2008: Public security advisory made available.
    >
    > Please understand this as a constructive remark, but was there a reason
    > to unveil the issue to "vendors" (including /me and Debian coworkers)
    > as late as May 27th?
    >
    > For the previous security issues, a few months ago, the time we had to
    > develop updates was slightly longer....which is pretty important for
    > volunteers..:-)
    >
    > Of course, and again, no finger pointing here. I have a too deep
    > respect for the work of the Samba Team and the great communication we
    > have with you people...I know there is certainly a reason for the late
    > unveil and would just like to hear about it.


    My fault for not sending it to the samba-pkg-sec security list before
    then but like Jeremy said, the discussion on the vendor security list
    included a public release date and patch.

    So I'll take the blame for not contacting you personally. But this
    is a good reason to have a fall back. Certainly the debian security
    team knew about this.




    cheers, jerry
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFIPaozIR7qMdg1EfYRAiCSAJ9Z0S0WOcG0BRs34a4Er2 ZnYJ0fbQCfc3xd
    bL72n8pKQ3cUWIg1HAlb5kA=
    =nNnQ
    -----END PGP SIGNATURE-----


  5. Re: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    Quoting Gerald (Jerry) Carter (jerry@samba.org):

    > My fault for not sending it to the samba-pkg-sec security list before
    > then but like Jeremy said, the discussion on the vendor security list
    > included a public release date and patch.


    Thanks for your precisions, Jerry/Jeremy.

    Actually, my misunderstanding comes from the confusion between
    samba-pkg-sec and vendor-sec. I simply ignored there were two lists.

    I was also confused by the fact that, for CVE-2007-6015, CVE-2007-5398,
    CVE-2007-4572, you contacted us in advance, IIRC.

    >
    > So I'll take the blame for not contacting you personally. But this


    Well, don't. I certainly don't expect you to maintain a special list
    of ppl which you'd need to contact in addition of existing lists..:-)

    As said, I really didn't want to put the blame anywhere but better
    understand why we had this notification pretty late.


    > is a good reason to have a fall back. Certainly the debian security
    > team knew about this.



    Correct. So, actually, that seems to be a communication problem
    between the Debian sec. team and us. No blame on them, here: they're
    volunteers, just like we are, and just like in many areas in Debian
    these days, the "human resources" are scarce.

    Anyway, no big harm done. I have packages ready for etch now and the
    packages for lenny are ready as well (3.0.30 packages in that
    case). Our security team confirmed that sarge is no longer supported.


  6. Re: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Christian Perrier wrote:

    > Well, don't. I certainly don't expect you to maintain a special list
    > of ppl which you'd need to contact in addition of existing lists..:-)


    Nah...I'll own this one. I'll be more diligent in future
    circumstances. But it's always good to have a backup check
    on me should I screw up again in a similar fashion.





    cheers, jerry
    - --
    =====================================================================
    Samba ------- http://www.samba.org
    Likewise Software --------- http://www.likewisesoftware.com
    "What man is a man who does not make the world better?" --Balian
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.6 (GNU/Linux)
    Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

    iD8DBQFIPrDCIR7qMdg1EfYRAqV0AKDO+9E62N3VPsSRkfcajv TccHk20ACeJXW0
    5tz9PmYZ52Z2Dew7RSyrL34=
    =NMp9
    -----END PGP SIGNATURE-----


  7. Re: [SAMBA] CVE-2008-1105 - Boundary failure when parsing SMB responses

    On Wed, May 28, 2008 at 11:45:07AM -0700, Jeremy Allison wrote:
    > On Wed, May 28, 2008 at 06:07:32PM +0200, Christian Perrier wrote:
    > > Quoting Gerald (Jerry) Carter (jerry@samba.org):
    > >
    > > > The time line is as follows:
    > > >
    > > > * May 15, 2008: Initial report to security@samba.org.
    > > > * May 15, 2008: First response from Samba developers confirming
    > > > the bug along with a proposed patch.
    > > > * May 28, 2008: Public security advisory made available.
    > >
    > > Please understand this as a constructive remark, but was there a reason
    > > to unveil the issue to "vendors" (including /me and Debian coworkers)
    > > as late as May 27th?
    > >
    > > For the previous security issues, a few months ago, the time we had to
    > > develop updates was slightly longer....which is pretty important for
    > > volunteers..:-)
    > >
    > > Of course, and again, no finger pointing here. I have a too deep
    > > respect for the work of the Samba Team and the great communication we
    > > have with you people...I know there is certainly a reason for the late
    > > unveil and would just like to hear about it.
    >
    > This was discussed immediately it was reported on vendor-sec@lst.de.
    > Are you on that list ?


    No. The policies of vendor-sec are such that only the Debian security team
    are on that list; it doesn't allow for per-upstream distro packagers to
    subscribe (and most of the traffic would be noise to the Debian Samba
    maintainers anyway).

    So while the Debian Security Team will eventually be able to provide a
    security update based on this information, it generally makes a big
    difference to the timeliness of our package updates for security issues if
    the Debian Samba maintainers receive advanced notification (something that
    has worked quite well via the samba-pkg-sec list, aside from the present
    case).

    --
    Steve Langasek Give me a lever long enough and a Free OS
    Debian Developer to set it on, and I can move the world.
    Ubuntu Developer http://www.debian.org/
    slangasek@ubuntu.com vorlon@debian.org

