Launchpad has imported 17 comments from the remote bug at https://bugs.gentoo.org/show_bug.cgi?id=200773.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2007-11-29T20:18:32+00:00 rbu wrote:

Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string.

Successful exploitation allows execution of arbitrary code, but requires that the "domain logon" option is enabled.

The vulnerability is confirmed in version 3.0.27a. Other versions may also be affected.

Vulnerability Details:
----------------------
The buffer overflow is triggered by the call to "set_message()" in nmbd/nmbd_packets.c at line 1895. The "set_message()" function will call a "memset()" to zero on "dgram->data" + 35 with a length bigger than the available 576-35 bytes for an overly long total length for the SAMLOGON GETDC, username, workgroup, and local hostname.

The vulnerability would at first glance be only triggerable in certain unusual configurations with an overly long local workgroup or hostname due to the limitations in size of the NetBIOS Datagram packet (576 bytes). However, if an empty (two zero bytes) Unicode username is placed at an odd offset within the SAMLOGON request, the "pull_ucs2_pstring()" function called at line 365 in nmbd/nmbd_processlogon.c will convert the whole GETDC string following the username into ascuser, allowing the buffer overflow to take place in standard configurations.

Exploitation:
-------------
Secunia Research has created a PoC for the vulnerability, which is available upon request. The vulnerability can also be reproduced by sending a SAMLOGON request with an empty username placed at an odd offset and an overly long GETDC string (around 250 bytes).

Closing comments:
-----------------
We have assigned this vulnerability Secunia advisory SA27760 and CVE identifier CVE-2007-6015. A preliminary disclosure date of 2007-12-05 10am CET has been set, where the details will be publicly disclosed. However, we are naturally prepared to push the disclosure date if you need more time to address the vulnerability.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/0

------------------------------------------------------------------------
On 2007-11-29T20:19:35+00:00 rbu wrote:

Upstream is working on a patch.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/1

------------------------------------------------------------------------
On 2007-12-06T23:40:55+00:00 rbu wrote:

Created attachment 137917
CVE-2007-0615.patch

You know the drill, please do not commit, but add an updated ebuild to this bug, so it can get testing and be committed to straight stable at the release date.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/2

------------------------------------------------------------------------
On 2007-12-08T08:50:58+00:00 dev-zero wrote:

Created attachment 137995
samba-3.0.27a-r1.ebuild

Sorry for the delay, I was really busy yesterday...

The patch needs to be renamed to 3.0.27a-CVE-2007-0615.patch

Besides the requested patch, the ebuild fixes the bugs #200132 ("typo in elog") and #199934 ("oneliner to remove +x bit from headers").
Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/3

------------------------------------------------------------------------
On 2007-12-08T11:47:07+00:00 rbu wrote:

Please test the attached ebuild and report back at this bug.

Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"

Adding Arch Security Liaisons:
alpha : ferdy
amd64 : welp
hppa  : jer
ppc   : dertobi123
ppc64 : corsair
sparc : ferdy
x86   : tsunam

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/4

------------------------------------------------------------------------
On 2007-12-08T17:53:50+00:00 jer wrote:

make test does its job right up to the SMBTORTURE4 tests. This isn't a regression though, and all else looks OK for HPPA.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/5

------------------------------------------------------------------------
On 2007-12-08T22:08:15+00:00 welp wrote:

Ditto for amd64.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/6

------------------------------------------------------------------------
On 2007-12-09T07:58:24+00:00 corsair wrote:

Looking as good on ppc64, too.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/7

------------------------------------------------------------------------
On 2007-12-09T10:59:21+00:00 armin76 wrote:

Looks fine on alpha/ia64/sparc/x86

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/8

------------------------------------------------------------------------
On 2007-12-09T16:18:42+00:00 dertobi123 wrote:

Looks good for ppc

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/9

------------------------------------------------------------------------
On 2007-12-09T21:19:54+00:00 rbu wrote:

Please rename the patch to contain 6015 instead of 0615.

Prestabled for all security-supported arches.
Tiziano, please prepare for a commit on Tuesday. The time is not confirmed yet.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/10

------------------------------------------------------------------------
On 2007-12-10T02:07:07+00:00 rbu wrote:

Samba folks will release their advisory at about 15 UTC and Secunia did not reply to the schedule question.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/11

------------------------------------------------------------------------
On 2007-12-10T15:42:01+00:00 rbu wrote:

Public now.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/12

------------------------------------------------------------------------
On 2007-12-10T16:40:57+00:00 dev-zero wrote:

Committed as 3.0.28 (as released by upstream, contains only the security update).

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/13

------------------------------------------------------------------------
On 2007-12-10T16:49:09+00:00 rbu wrote:

Arches, please test and mark stable net-fs/samba-3.0.28.

Target keywords : "alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86"
Already stabled : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Missing keywords: "arm mips s390 sh"

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/14

------------------------------------------------------------------------
On 2007-12-10T21:09:35+00:00 py wrote:

GLSA 200712-10

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/15

------------------------------------------------------------------------
On 2008-03-06T09:53:00+00:00 pva wrote:

Does not affect current (2008.0) release. Removing release.

Reply at: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/175502/comments/18

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-0615

--
https://bugs.launchpad.net/bugs/175502
Title: [samba] [CVE-2007-6015] remote buffer overflow vulnerability
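The Secunia analysis in the first comment rests on two mechanisms working together: a UCS-2 string puller that, for a username at an odd offset, swallows the GETDC bytes that follow it, and a reply builder that hands set_message() a length it never checks against the 576-byte datagram (541 bytes of payload after the 35-byte header). The C below is an added worked model of those two mechanisms; it is not Samba source and not part of this bug thread. The even-byte alignment step, the request layout (filler, empty UCS-2 username, ASCII GETDC string, zero trailer), the reply-size formula with its 8-byte fixed overhead, and every function name are assumptions made for illustration. With a 250-byte GETDC string and a short workgroup and hostname, the even-offset request yields an empty username and a reply that fits; moving the same username one byte to an odd offset yields a 126-character username and a reply 6 bytes over budget, which the unchecked zero-fill would write past the buffer and the checked sender refuses.

```c
/* Added model of the two ingredients in the Secunia analysis above. Not
 * Samba source: it re-implements, in simplified form, the behaviour the
 * advisory attributes to pull_ucs2_pstring() (aligning to an even byte before
 * reading a UCS-2LE string) and the length budget it quotes (576-byte NetBIOS
 * datagram, payload at data+35). Layout, formula and names are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DGRAM_SIZE 576                 /* advisory: datagram limit */
#define DGRAM_HDR_LEN  35                  /* advisory: bytes before payload */
#define DATA_BUDGET    (MAX_DGRAM_SIZE - DGRAM_HDR_LEN)  /* 541 */
#define PSTRING_LEN    1024                /* Samba pstring size */
#define REPLY_FIXED    8                   /* assumed fixed reply overhead */

/* Model of pull_ucs2(): if `off` is odd, skip one byte to reach an even
 * boundary (assumption: the alignment step an odd offset abuses), then copy
 * UCS-2LE code units until 0x0000 or end of packet; non-ASCII units become
 * '?'. Returns bytes consumed from `off` (pad and terminator included), or -1
 * if no terminator. The destination is bounded, as a Samba pstring would be. */
static int model_pull_ucs2(const uint8_t *pkt, size_t pkt_len, size_t off,
                           char *dst, size_t dst_cap)
{
    size_t start = off, n = 0;
    if (off & 1) off++;
    while (off + 1 < pkt_len) {
        uint16_t cu = (uint16_t)(pkt[off] | (pkt[off + 1] << 8));
        off += 2;
        if (cu == 0) { dst[n] = '\0'; return (int)(off - start); }
        if (n + 1 < dst_cap) dst[n++] = cu < 0x80 ? (char)cu : '?';
    }
    dst[n] = '\0';
    return -1;
}

/* Constructed request body (not a capture): `pad` filler bytes so the empty
 * UCS-2 username (two zero bytes) starts at offset `pad`, then an ASCII GETDC
 * string of `getdc_len` 'A's plus NUL and a four-zero-byte stand-in trailer. */
static size_t build_request(uint8_t *pkt, size_t cap, size_t pad, size_t getdc_len)
{
    size_t total = pad + 2 + getdc_len + 1 + 4;
    if (total > cap) return 0;
    memset(pkt, 0x01, pad);
    pkt[pad] = pkt[pad + 1] = 0;
    memset(pkt + pad + 2, 'A', getdc_len);
    memset(pkt + pad + 2 + getdc_len, 0, 5);
    return total;
}

/* Assumed reply payload: fixed overhead, the ASCII GETDC string, and three
 * NUL-terminated UCS-2 strings (user, workgroup, hostname), the four fields
 * the advisory says set_message() is sized for. */
static size_t samlogon_reply_len(const char *getdc, const char *user,
                                 const char *workgroup, const char *host)
{
    return REPLY_FIXED + strlen(getdc) + 1 + 2 * (strlen(user) + 1)
         + 2 * (strlen(workgroup) + 1) + 2 * (strlen(host) + 1);
}

/* Vulnerable behaviour as described: set_message() zero-fills data+35 for
 * `len` bytes unchecked. Returns how many bytes would land past the buffer. */
static size_t mailslot_overflow_bytes(size_t len)
{
    return len > DATA_BUDGET ? len - DATA_BUDGET : 0;
}

/* Hardened variant: refuse a reply that cannot fit instead of writing past it. */
static int send_mailslot_checked(uint8_t dgram[MAX_DGRAM_SIZE], size_t len)
{
    if (len > DATA_BUDGET) return 0;        /* drop oversized reply */
    memset(dgram + DGRAM_HDR_LEN, 0, len);  /* now within bounds */
    return 1;
}

struct case_result {   /* username bytes consumed / checked sender verdict / sizes */
    int consumed, accepted;
    size_t user_len, reply_len, overflow;
};

/* One constructed request through the model with a short workgroup and
 * hostname, i.e. the advisory's "standard configuration". */
static struct case_result run_case(size_t pad, size_t getdc_len)
{
    uint8_t pkt[1024], dgram[MAX_DGRAM_SIZE];
    char user[PSTRING_LEN], getdc[PSTRING_LEN];
    struct case_result r = {0};
    size_t len = build_request(pkt, sizeof pkt, pad, getdc_len);
    if (len == 0 || getdc_len >= sizeof getdc) return r;
    memset(getdc, 'A', getdc_len); getdc[getdc_len] = '\0';
    r.consumed  = model_pull_ucs2(pkt, len, pad, user, sizeof user);
    r.user_len  = strlen(user);
    r.reply_len = samlogon_reply_len(getdc, user, "WORKGROUP", "SERVER");
    r.overflow  = mailslot_overflow_bytes(r.reply_len);
    r.accepted  = send_mailslot_checked(dgram, r.reply_len);
    return r;
}

int main(void)
{
    struct case_result odd = run_case(1, 250);   /* the advisory's trigger */
    printf("odd offset: user_len=%zu reply=%zu overflow=%zu accepted=%d\n",
           odd.user_len, odd.reply_len, odd.overflow, odd.accepted);
    return 0;
}
```

run_case(2, 250) is the even-offset control: the puller sees the two zero bytes as an empty string and the reply stays under 541 bytes. run_case(1, 250) is the odd-offset case from the advisory: the alignment skip eats the first zero byte, the remaining zero pairs with the first GETDC byte into a non-zero code unit, and conversion runs through the GETDC string until the trailer, so the echoed username alone adds about 250 bytes to the reply. The lesson for the fix is in send_mailslot_checked: the length passed to the zero-fill has to be checked against the datagram budget before the write, regardless of how the individual fields were parsed.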