Gerald (Jerry) Carter
2007-Feb-05 14:55 UTC
[Samba] [SAMBA-SECURITY] CVE-2007-0454: Format string bug in afsacl.so VFS plugin
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================ Subject: Format string bug in afsacl.so VFS plugin. == CVE ID#: CVE-2007-0454 === Versions: The AFS ACL mapping VFS plugin distributed == in Samba 3.0.6 - 3.0.23d (inclusive) === Summary: The name of a file on the server's share == is used as the format string when setting == an NT security descriptor through the == afsacl.so VFS plugin. ========================================================== ==========Description ========== NOTE: This security advisory only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module. The source defect results in the name of a file stored on disk being used as the format string in a call to snprintf(). This bug becomes exploitable only when a user is able to write to a share which utilizes Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system. =================Patch Availability ================= A patch against Samba 3.0.23d has been attached to this email. This fix has be incorporated into the Samba 3.0.24 release. Patches are also available from at the Samba Security page (http://www.samba.org/samba/security). =========Workaround ========= An unpatched server may be protected by removing all references to the afsacl.so VFS module from shares in smb.conf. ======Credits ====== This vulnerability was reported (including a proposed patch) to Samba developers by <zybadawg333@hushmail.com>. Much thanks to zybadawg333 for the cooperation and patience in the announcement of this defect. The time line is as follows: * Jan 8, 2007: Defect first reported to the security@samba.org email alias. * Jan 8, 2007: Initial developer response by Jeremy Allison confirming the issue. * Jan 29, 2007: Announcement to vendor-sec mailing list * Feb 5, 2007: Public issue of security advisory. =========================================================== Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================= -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFFxzArIR7qMdg1EfYRAmV6AKCfuADBCdmKqOxp5yVbKkjHHx6VZgCgsjzp 4VVFaQsDiVSS2014Q3Tk9c8=H5bC -----END PGP SIGNATURE----- -------------- next part -------------- diff -urN samba-3.0.23d/source/modules/vfs_afsacl.c samba/source/modules/vfs_afsacl.c --- samba-3.0.23d/source/modules/vfs_afsacl.c 2006-06-23 08:16:50.000000000 -0500 +++ samba/source/modules/vfs_afsacl.c 2007-01-29 20:11:07.000000000 -0600 @@ -901,7 +901,7 @@ ZERO_STRUCT(dir_acl); ZERO_STRUCT(file_acl); - pstr_sprintf(name, fsp->fsp_name); + pstrcpy(name, fsp->fsp_name); if (!fsp->is_directory) { /* We need to get the name of the directory containing the -------------- next part -------------- -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQBFvrtvIR7qMdg1EfYRAqGvAJ4onsF4xrEJRULF8wELiui9gWtHJQCcD9Od GLlJYcMRe3wLaXf5ddU7FPc=tb2W -----END PGP SIGNATURE-----