Bug 43990

Summary: VUL-0: CVE-2003-0686: overflow in pam_smb
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: Incidents Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: qa-bugs, ro, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2003-0686: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: patchinfo
putonftp

Description Sebastian Krahmer 2003-08-15 18:29:40 UTC
Date: Fri, 15 Aug 2003 04:57:20 +0100 (IST)
From: Dave Airlie <airlied@samba.org>
To: secalert@redhat.com, security@suse.de, security@debian.org
Cc: security@linux-mandrake.com
Cc: secure@conectiva.com.br
Cc: security-officer@freebsd.org
Subject: [security@suse.de] pam_smb remote buffer overflow..
Sender: security-bounces+okir=suse.de@suse.de


Dear Distribution Security people,

I am writing to give you an advance warning of a remote buffer overflow in
the password handling code in pam_smb 1.1.6 and pam_smb v2 version in
non-daemon mode...

I've attached a patch against my 1.1.6 release, and the latest v2.0.0-rc4
in cvs on sourceforge is not vulnerable (all earlier versions are..)

I wish to delay announcing this until all major distributions have
a chance to prepare an upgrade for their users, and I can post new
versions to samba.org,

Thanks,
Dave.

Fix looks simple (From Dave):

diff -ur ../../pam_smb/smbval/smblib.c pam_smb/smbval/smblib.c
--- ../../pam_smb/smbval/smblib.c       Thu Apr 22 21:24:31 1999
+++ pam_smb/smbval/smblib.c     Fri Aug 15 03:54:49 2003
@@ -25,6 +25,7 @@
 
 #include "../config.h"
 #include <malloc.h>
+#include <string.h>
 
 int SMBlib_errno;
 int SMBlib_SMB_Error;
@@ -33,6 +34,7 @@
 #include "smblib-priv.h"
 
 #include "rfcnb.h"
+#define safestrcpy(s1, s2, n) strncpy(s1, s2, n); ((char *)s1)[n-1] = 0
 
 #include <signal.h>
 
@@ -334,7 +336,7 @@
 
   }
 
-  strcpy(pword, PassWord);
+  safestrcpy(pword, PassWord, 128);
#ifdef PAM_SMB_ENC_PASS
   if (Con_Handle -> encrypt_passwords)
   {
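Review bot: the bound `128` in `safestrcpy(pword, PassWord, 128)` is a bare literal that has to match the declared size of `pword`, and that declaration is not part of this hunk; if `pword` is a local array, `sizeof(pword)` keeps the bound and the buffer in step when either is changed later. Note also that the copy now silently truncates any password longer than 127 bytes instead of reporting it, so if the caller is meant to fail rather than continue with a truncated password, a length check before the copy (or a return value from the copy) is still needed.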
Comment 1 Sebastian Krahmer 2003-08-15 18:29:40 UTC
With long passwords probably.
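An added example in C (not from the bug report or Dave's patch) modelling the patched call site: a bounded copy that always NUL-terminates and reports truncation, and a caller that rejects a password longer than the buffer instead of overflowing it or silently truncating it. `PWORD_LEN`, `safe_copy`, `stage_password` and `staged_length` are names and sizes assumed here; the page only shows the literal 128.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* 128 is the literal the patch passes to safestrcpy(); pword's real
   declaration is not on the page, so this size is an assumption. */
#define PWORD_LEN 128

/* Bounded copy that always NUL-terminates. A function rather than a
   two-statement macro, so it is safe as the body of an unbraced `if`, and
   it does not zero-pad the tail the way strncpy() does. Returns strlen(src)
   so the caller detects truncation with `ret >= n` (strlcpy(3) contract). */
size_t safe_copy(char *dst, const char *src, size_t n)
{
    size_t len = strlen(src);
    if (n == 0)
        return len;
    size_t ncopy = len < n ? len : n - 1;
    memcpy(dst, src, ncopy);
    dst[ncopy] = '\0';
    return len;
}

/* Model of the patched call site: copy PassWord into pword and fail closed
   when it does not fit, rather than overflowing (pre-patch strcpy) or
   silently continuing with a truncated password. */
bool stage_password(char *pword, const char *PassWord)
{
    if (safe_copy(pword, PassWord, PWORD_LEN) >= PWORD_LEN) {
        memset(pword, 0, PWORD_LEN);   /* discard the partial copy */
        return false;
    }
    return true;
}

/* Constructed driver: a password of `len` 'A' bytes. Returns the length
   that ended up in pword, or -1 if the password was rejected. */
long staged_length(size_t len)
{
    char pword[PWORD_LEN];
    char *pw = malloc(len + 1);
    if (pw == NULL)
        return -1;
    memset(pw, 'A', len);
    pw[len] = '\0';
    long result = stage_password(pword, pw) ? (long)strlen(pword) : -1;
    free(pw);
    return result;
}
```

With a 128-byte buffer, a 127-byte password is staged intact and anything from 128 bytes up is refused, which is the "long passwords" case from the comment above.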
Comment 2 Sebastian Krahmer 2003-08-15 18:37:52 UTC
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0686 to this issue.

Release date is Aug the 26th.
Comment 3 Thomas Biege 2003-08-19 15:05:43 UTC
Created attachment 13473 [details]
patchinfo
Comment 4 Thomas Biege 2003-08-19 15:06:17 UTC
Created attachment 13474 [details]
putonftp
Comment 5 Thomas Biege 2003-08-19 20:52:52 UTC
any news here? 
Comment 6 Ruediger Oertel 2003-08-20 22:51:10 UTC
ok, checking in. please submit the needed patchinfo file(s) 
Comment 7 Petr Ostadal 2003-08-20 23:01:06 UTC
patchinfo submitted
Comment 8 Petr Ostadal 2003-08-20 23:02:15 UTC
reassign to security team
Comment 9 Thomas Biege 2003-09-04 19:22:52 UTC
adv. released 
Comment 10 Thomas Biege 2009-10-13 19:38:18 UTC
CVE-2003-0686: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)