The Samba-Bugzilla – Attachment 17911 Details for Bug 15341
[SECURITY] CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability
Advisory v1
CVE-bug15341-security_advisory.txt (text/plain), 2.08 KB, created by Ralph Böhme on 2023-06-07 17:20:16 UTC
>
>TODO: $VERSION, $CVE
>
>===========================================================
>== Subject:     Samba Spotlight mdssvc RPC Request Type
>==              Confusion Denial-of-Service Vulnerability
>==
>== CVE ID#:     $CVE
>==
>== Versions:    All versions of Samba prior to $VERSION
>==
>== Summary:     Missing type validation in Samba's mdssvc
>==              RPC service for Spotlight can be used by
>==              an unauthenticated attacker to trigger
>==              a process crash in a shared RPC mdssvc
>==              daemon process.
>===========================================================
>
>===========
>Description
>===========
>
>When parsing Spotlight mdssvc RPC packets, one encoded data
>structure is a key-value style dictionary where the keys
>are character strings and the values can be any of the
>supported types in the mdssvc protocol. Due to a lack of
>type checking in callers of the function
>dalloc_value_for_key(), which returns the object associated
>with a key, a caller may trigger a crash in
>talloc_get_size() when talloc detects that the passed in
>pointer is not a valid talloc pointer.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba $VERSIONS have been issued
>as security releases to correct the defect. Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3)
>
>==========
>Workaround
>==========
>
>As a possible workaround disable Spotlight by removing all
>configuration stanzas that enable Spotlight ("spotlight = yes|true").
>
>=======
>Credits
>=======
>
>Originally reported by Florent Saudel and Arnaud Gatignol of
>the Thalium team working with Trend Micro Zero Day
>Initiative.
>
>Patches provided by Ralph Boehme of SerNet and the Samba
>team.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
>
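One way to find where the workaround in the advisory still needs applying, as an added example that is not part of the advisory or of Samba's code: it lists the smb.conf sections in which Spotlight is effectively enabled. The parser is a simplified stand-in for Samba's own (no `include` handling), and the function name and sample configurations are constructed for illustration.

```python
import re

TRUTHY = {"yes", "true", "on", "1"}   # boolean spellings smb.conf accepts
FALSY = {"no", "false", "off", "0"}

def spotlight_sections(conf_text):
    """Return the sections in which Spotlight is effectively enabled."""
    explicit, order, section = {}, [], None
    # A line ending in a backslash continues on the next line.
    for raw in re.sub(r"\\\r?\n", "", conf_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            if section not in order:
                order.append(section)
            continue
        if section is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Parameter names ignore case and embedded whitespace.
        if re.sub(r"\s+", "", name).lower() != "spotlight":
            continue
        value = value.strip().lower()
        if value in TRUTHY or value in FALSY:
            explicit[section] = value in TRUTHY
    # [global] supplies the default; a share's own line overrides it.
    default = explicit.get("global", False)
    return [s for s in order if explicit.get(s, default)]

# Constructed sample configurations (not from the advisory).
PER_SHARE = """
[global]
[docs]
    Spot Light = True
[scratch]
    ; spotlight = yes
"""
GLOBAL_DEFAULT = """
[global]
    spotlight = yes
[media]
    path = /srv/media
[backup]
    spotlight = no
"""
print(spotlight_sections(PER_SHARE), spotlight_sections(GLOBAL_DEFAULT))
```

On a live system, `testparm -s` prints the configuration as Samba itself resolves it, which also covers included files.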
Flags: jra: review-