samba - Dec 2007 - [SECURITY] Buffer overrun in send_mailslot()

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================================ Subject:    
Boundary failure in GETDC mailslot
==              processing can result in a buffer overrun
=== CVE ID#:     CVE-2007-6015
=== Versions:    Samba 3.0.0 - 3.0.27a (inclusive)
=== Summary:     Specifically crafted GETDC mailslot requests
==              can trigger a boundary error in the domain
==              controller GETDC mail slot support which
==              can be remotely exploited to execute arbitrary
==              code.
==========================================================
==========Description
==========
Secunia Research reported a vulnerability that allows for
the execution of arbitrary code in nmbd.  This defect is
only be exploited when the "domain logons" parameter has
been enabled in smb.conf.


=================Patch Availability
=================
A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.0.28 has been issued as a security
release to correct the defect.


=========Workaround
=========
Samba administrators may avoid this security issue by disabling
both the "domain logons" options in the server's smb.conf file.
Note that this will disable all domain controller features as
well.


======Credits
======
This vulnerability was reported to Samba developers by
Alin Rad Pop, Secunia Research.

The time line is as follows:

* Nov 22, 2007: Initial report to security@samba.org.
* Nov 22, 2007: First response from Samba developers confirming
  the bug along with a proposed patch.
* Dec 10, 2007: Public security advisory made available.


=========================================================== Our Code, Our Bugs,
Our Responsibility.
== The Samba Team
=========================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHXUPeIR7qMdg1EfYRArBPAKDeDyXyeauJuVk0FcHYWbBci0Dw6gCgoYYF
UmvJh11x9pp5Nbbg/VYpSJ0=d7SS
-----END PGP SIGNATURE-----

Fedora 7 and 8 packages are being released but as you may know FC6 has
reached EOL just recently.

As I think this is an important security problem I decided to release
new packages for FC6 so that people that have not yet finished their
migration to newer supported Fedora releases can buy some more time.

This is a one off service I felt compelled to release to help people, I
am not going to do regular releases for FC6.

Packages here:
http://simo.fedoraproject.org/samba

Simo.


On Mon, 2007-12-10 at 07:49 -0600, Gerald (Jerry) Carter
wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> =========================================================> => ==
Subject:     Boundary failure in GETDC mailslot
> ==              processing can result in a buffer overrun
> => == CVE ID#:     CVE-2007-6015
> => == Versions:    Samba 3.0.0 - 3.0.27a (inclusive)
> => == Summary:     Specifically crafted GETDC mailslot requests
> ==              can trigger a boundary error in the domain
> ==              controller GETDC mail slot support which
> ==              can be remotely exploited to execute arbitrary
> ==              code.
> => =========================================================> 
> ==========> Description
> ==========> 
> Secunia Research reported a vulnerability that allows for
> the execution of arbitrary code in nmbd.  This defect is
> only be exploited when the "domain logons" parameter has
> been enabled in smb.conf.
> 
> 
> =================> Patch Availability
> =================> 
> A patch addressing this defect has been posted to
> 
>   http://www.samba.org/samba/security/
> 
> Additionally, Samba 3.0.28 has been issued as a security
> release to correct the defect.
> 
> 
> =========> Workaround
> =========> 
> Samba administrators may avoid this security issue by disabling
> both the "domain logons" options in the server's smb.conf
file.
> Note that this will disable all domain controller features as
> well.
> 
> 
> ======> Credits
> ======> 
> This vulnerability was reported to Samba developers by
> Alin Rad Pop, Secunia Research.
> 
> The time line is as follows:
> 
> * Nov 22, 2007: Initial report to security@samba.org.
> * Nov 22, 2007: First response from Samba developers confirming
>   the bug along with a proposed patch.
> * Dec 10, 2007: Public security advisory made available.
> 
> 
> =========================================================> == Our Code,
Our Bugs, Our Responsibility.
> == The Samba Team
> =========================================================> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFHXUPeIR7qMdg1EfYRArBPAKDeDyXyeauJuVk0FcHYWbBci0Dw6gCgoYYF
> UmvJh11x9pp5Nbbg/VYpSJ0> =d7SS
> -----END PGP SIGNATURE-----
> 
-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>