test
This is a blocker bug for 3.5.7. Will not provide more info until we are sure we can restrict access when we change back the product to "Samba 3.5".
Restriction also set for Product Samba 3.5 and 3.6.
Created attachment 6248 [details] Patch for 3.5.x.
Created attachment 6249 [details] Patch for 3.4.x.
Created attachment 6252 [details] Slightly better 3.5.x patch that doesn't do the check on every select call.
Created attachment 6253 [details] Correct patch for 3.4.x (removed extraneous changes).
Created attachment 6254 [details] Missed one extraneous change in the 3.4.x patch...
Created attachment 6255 [details] Patch for 3.3.x.
Created attachment 6256 [details] Patch for 3.2.x.
Created attachment 6257 [details] Patch for 3.0.x.
Created attachment 6262 [details] Modified version/ subset of the 3.0 patch for 3.0.20b
Created attachment 6264 [details] Modified version/ subset of the 3.0 patch for 3.0.20b; use False and return NULL in smb_readline_replacement()
After a short discussion with Günther <gd> I've checked the code further to see if the missing "return NULL;" in the patch for 3.0 is even able to cause any trouble. From source/client/client.c process_stdin() calls smb_readline(the_prompt, ...) while the_prompt is not initialized. Adding --- source/lib/readline.c.orig +++ source/lib/readline.c @@ -79,6 +84,7 @@ static char *smb_readline_replacement(co if (callback) callback(); } + return NULL; } · /**************************************************************************** and we're on the safe side. That's how we handle this situation in post-3.0 versions.
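Review bot: the added `return NULL;` closes the path where `smb_readline_replacement()` (declared `static char *`) previously fell off the end of a non-void function after the `if (callback) callback();` block, which is undefined behaviour and leaves the caller with an indeterminate pointer; since `process_stdin()` in `source/client/client.c` consumes that result, confirm the caller treats a NULL return as end of input rather than dereferencing it. Also note the header `@@ -79,6 +84,7 @@`: the new-file offset is already shifted by five lines relative to the old file, so this fragment is meant to be applied on top of the initial 3.0 patch, not to pristine 3.0 sources.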
Hello. We use samba-3.0.37 in Mandriva Corporate Server 4 and I used the 3.0 patch posted on vendor-sec. Are those the final patches?
Created attachment 6265 [details] Modified version of Jeremy's initial to return NULL from smb_readline_replacement()
Created attachment 6266 [details] Modified version of Jeremy's initial to return NULL from smb_readline_replacement()
(In reply to comment #14)
> We use samba-3.0.37 in Mandriva Corporate Server 4 and I used the 3.0 patch
> posted on vendor-sec. Are those the final patches?

For the final 3.0 patch version see attachment #6266 [details]. That's a slightly modified version of the initial one. It includes the modification as described in comment #13. The patches against 3.2 and newer are correct. These code bases already include the return call we had to add in 3.0.
Thanks guys!
===========================================================
== Subject:     Denial of service - memory corruption
==
== CVE ID#:     CVE-2011-0719
==
== Versions:    Samba 3.0.x - 3.5.6 (inclusive)
==
== Summary:     Samba 3.0.x to 3.5.6 are affected by a
==              denial of service caused by memory corruption.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a
denial of service caused by memory corruption. Range checks on
file descriptors being used in the FD_SET macro were not
present allowing stack corruption. This can cause the Samba
code to crash or to loop attempting to select on a bad file
descriptor set.

A connection to a file share, or a local account is needed to
exploit this problem, either authenticated or unauthenticated
(guest connection).

Currently we do not believe this flaw is exploitable beyond a
crash or causing the code to loop, but on the advice of our
security reviewers we are releasing fixes in case an exploit
is discovered at a later date.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.5.7 has been issued as a security release
to correct the defect. Patches against older Samba versions
are available at http://samba.org/samba/patches/.

Samba administrators running affected versions are advised to
upgrade to 3.5.7 or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code
by Volker Lendecke of SerNet. Thanks to Volker for his careful
code review.
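The advisory above describes the defect as a missing range check on descriptors handed to the FD_SET macro. The following is an added illustration written for this page; it is not Samba code and not one of the attached patches. It shows what such a check looks like when a select() read set is built: any descriptor outside [0, FD_SETSIZE) is rejected with EBADF instead of being used to index past the fixed-size fd_set bit array. The wrapper names (fd_set_checked, build_read_set, probe_fd), the constructed descriptor list and the choice to check once while the set is built are all assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/* Added illustration, not Samba code. FD_SET/FD_ISSET index a fixed-size
 * bit array with no bounds check, so a descriptor outside [0, FD_SETSIZE)
 * reads or writes whatever sits next to the fd_set, often stack memory.
 * These wrappers refuse such descriptors before the macro is reached. */

static int fd_in_set_range(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Like FD_SET, but returns -1 with errno = EBADF instead of writing out of range. */
int fd_set_checked(fd_set *set, int fd)
{
    if (!fd_in_set_range(fd)) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Like FD_ISSET: 1 if set, 0 if not, -1 (errno = EBADF) if fd is out of range. */
int fd_isset_checked(fd_set *set, int fd)
{
    if (!fd_in_set_range(fd)) {
        errno = EBADF;
        return -1;
    }
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Builds a read set from a list of descriptors. Out-of-range descriptors are
 * skipped and counted rather than passed to FD_SET; *maxfd receives the
 * highest accepted descriptor (select()'s nfds argument is maxfd + 1).
 * Returns the number of rejected descriptors. */
int build_read_set(const int *fds, size_t n, fd_set *set, int *maxfd)
{
    int rejected = 0;
    FD_ZERO(set);
    *maxfd = -1;
    for (size_t i = 0; i < n; i++) {
        if (fd_set_checked(set, fds[i]) != 0) {
            rejected++;                 /* unchecked, this would corrupt memory */
            continue;
        }
        if (fds[i] > *maxfd)
            *maxfd = fds[i];
    }
    return rejected;
}

/* Constructed descriptor list (hypothetical, no real sockets are opened):
 * three in range, one negative, two at or beyond FD_SETSIZE. */
static const int sample_fds[] = { 0, 3, -1, 5, FD_SETSIZE, FD_SETSIZE + 7 };
#define SAMPLE_COUNT (sizeof sample_fds / sizeof sample_fds[0])

/* Number of descriptors from the sample list that the check rejects. */
int sample_rejected(void)
{
    fd_set set;
    int maxfd;
    return build_read_set(sample_fds, SAMPLE_COUNT, &set, &maxfd);
}

/* Highest descriptor accepted from the sample list. */
int sample_maxfd(void)
{
    fd_set set;
    int maxfd;
    build_read_set(sample_fds, SAMPLE_COUNT, &set, &maxfd);
    return maxfd;
}

/* Returns 1 if fd was accepted and is now set in a fresh fd_set, -1 if rejected. */
int probe_fd(int fd)
{
    fd_set set;
    FD_ZERO(&set);
    if (fd_set_checked(&set, fd) != 0)
        return -1;
    return fd_isset_checked(&set, fd);
}

int main(void)
{
    fd_set set;
    int maxfd;
    int rejected = build_read_set(sample_fds, SAMPLE_COUNT, &set, &maxfd);
    printf("accepted descriptors up to fd %d, rejected %d out-of-range descriptor(s)\n",
           maxfd, rejected);
    return 0;
}
```

Doing the check once while the set is assembled, rather than at each select() call, mirrors the approach the attachment comments describe for the 3.5.x patch; a rejected descriptor is then a logged error at the point the code acquires it, not a later crash or a select() loop on a corrupted set.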
Fixed with Samba 3.5.7, 3.4.12 and 3.3.15. Closing out bug report. Thanks!
Make the bug public as the embargo time expired.