Bug 7669 - buffer overflow in sid_parse() in Samba3 and dom_sid_parse in Samba4; CVE-2010-3069
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.4
Classification: Unclassified
Component: File services
Version: 3.4.5
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2010-09-09 05:15 UTC by Lars Müller
Modified: 2012-03-16 23:56 UTC

Attachments
CVE-2010-3069 patch Samba 3.0 (2.60 KB, text/plain), 2010-09-09 05:17 UTC, Lars Müller
CVE-2010-3069 patch Samba 3.2 (2.62 KB, patch), 2010-09-09 05:18 UTC, Lars Müller
CVE-2010-3069 patch Samba 3.3 (2.62 KB, patch), 2010-09-09 05:18 UTC, Lars Müller
CVE-2010-3069 patch Samba 3.4 (3.50 KB, patch), 2010-09-09 05:18 UTC, Lars Müller
CVE-2010-3069 patch Samba 3.5 (3.50 KB, patch), 2010-09-09 05:19 UTC, Lars Müller

Description Lars Müller 2010-09-09 05:15:23 UTC
== Subject:     Buffer Overrun Vulnerability
== CVE ID#:     CVE-2010-3069
== Versions:    Samba 3.0.x - 3.5.x (inclusive)
== Summary:     Samba 3.0.x to 3.5.x are affected by a
==              buffer overrun vulnerability.

Description
===========

All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.

A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.x has been issued as a security release to correct the
defect.  Patches against older Samba versions are available at
http://samba.org/samba/patches/.  Samba administrators running affected
versions are advised to upgrade to 3.5.x or apply the patch as soon
as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Cisco. Thanks to Andrew for his careful code
review.
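As an added illustration (not Samba's code and not any of the attached patches), a bounds-checked parser for the binary SID form the advisory refers to. The wire layout and the 15 sub-authority limit are the public Windows SID format; sid_parse_checked, struct sid and the sample SID bytes are names and values chosen here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUB_AUTHS 15  /* Windows limit on sub-authorities per SID */

/* Fixed-size SID, the shape of the stack variable the advisory describes. */
struct sid {
    uint8_t  revision;
    uint8_t  num_auths;
    uint8_t  id_auth[6];
    uint32_t sub_auths[SID_MAX_SUB_AUTHS];
};

/* Parse the binary (wire) form of a SID: 1 byte revision, 1 byte
 * sub-authority count, 6 bytes identifier authority, then count x 4-byte
 * little-endian sub-authorities. Returns bytes consumed, or 0 on malformed
 * input. The num_auths check is the one that matters: a client-chosen
 * count above 15 would otherwise drive the copy loop past sub_auths[]. */
size_t sid_parse_checked(const uint8_t *buf, size_t len, struct sid *out)
{
    if (buf == NULL || out == NULL || len < 8)
        return 0;                          /* header needs 8 bytes */
    uint8_t num_auths = buf[1];
    if (num_auths > SID_MAX_SUB_AUTHS)
        return 0;                          /* would not fit the array */
    size_t need = 8 + (size_t)num_auths * 4;
    if (len < need)
        return 0;                          /* body is truncated */
    memset(out, 0, sizeof(*out));
    out->revision  = buf[0];
    out->num_auths = num_auths;
    memcpy(out->id_auth, buf + 2, 6);
    for (size_t i = 0; i < num_auths; i++) {
        const uint8_t *p = buf + 8 + i * 4;
        out->sub_auths[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                            ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    return need;
}

int main(void)
{
    /* Constructed input: S-1-5-32-544 (BUILTIN\Administrators) in wire form. */
    const uint8_t wire[] = {1, 2, 0, 0, 0, 0, 0, 5, 0x20, 0, 0, 0, 0x20, 0x02, 0, 0};
    struct sid s;
    size_t n = sid_parse_checked(wire, sizeof wire, &s);
    printf("consumed %zu bytes, %u sub-authorities, last=%u\n",
           n, s.num_auths, n ? s.sub_auths[s.num_auths - 1] : 0);
    return 0;
}
```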
Comment 1 Lars Müller 2010-09-09 05:17:47 UTC
Created attachment 5951
CVE-2010-3069 patch Samba 3.0
Comment 2 Lars Müller 2010-09-09 05:18:11 UTC
Created attachment 5952
CVE-2010-3069 patch Samba 3.2
Comment 3 Lars Müller 2010-09-09 05:18:33 UTC
Created attachment 5953
CVE-2010-3069 patch Samba 3.3
Comment 4 Lars Müller 2010-09-09 05:18:59 UTC
Created attachment 5954
CVE-2010-3069 patch Samba 3.4
Comment 5 Lars Müller 2010-09-09 05:19:18 UTC
Created attachment 5955
CVE-2010-3069 patch Samba 3.5
Comment 6 Lars Müller 2010-09-16 03:56:51 UTC
Fixed with the latest released versions.

Those needing the fixes find them as attachments to this report.