Bug 58061 (CVE-2004-0686)

Summary: VUL-0: CVE-2004-0686: buffer overrun in SWAT's base64 decoding affecting servers >= 3.0.2
Product: [Novell Products] SUSE Security Incidents
Reporter: Lars Müller <lmuelle>
Component: Incidents
Assignee: Thomas Biege <thomas>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Critical
Priority: P3 - Medium
CC: aj, patch-request, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0686: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: samba-3-0-5.patch

Description Lars Müller 2004-07-15 23:14:11 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject:           Potential Buffer Overrun
Description:       Invalid length in memcpy() caused by
                   invalid base64 character string
Affected Versions: Samba 3.0.2 and later

The internal routine used by the Samba Web Administration
Tool (SWAT) to decode the base64 data during HTTP basic
authentication is subject to a buffer overrun caused by
an invalid base64 character.  This same code is used
internally to decode the sambaMungedDial attribute value
when using the ldapsam passdb backend and to decode input
given to the ntlm_auth tool.

The current 3.0.5 release candidate will be renamed to
3.0.6rcX and a new 3.0.5 release will be made publicly
available on Tuesday, July 20th, at 6am GMT-6.  Samba 3.0.5
will be identical to v3.0.4 with the addition of this one
change to correct the base64 decoding buffer overrun issue
(patch and signature attached to this message).

Affected Samba installations include those running v3.0.2
or later and meeting one of the following three requirements:

(a) Servers using the ldapsam passdb backend
(b) Servers running winbindd and allowing 3rd
    party applications to issue authentication requests
    via the ntlm_auth tool included with Samba.
(c) Servers running SWAT.

While there are no known exploits for this security flaw,
it is recommended that all affected Samba installations
be upgraded to v3.0.5.

The Samba Team would like to heartily thank Evgeny Demidov
for locating and reporting this bug.

Our code, Our bugs, Our responsibility.

                        -- The Samba Team


GPG Public Key
http://www.samba.org/samba/ftp/samba-pubkey.asc
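The advisory above (and Comment 9 below, which notes that the fix in lib/util_str.c is a length check) describes a decoder whose computed length goes wrong on an invalid base64 character. As an added illustration that is not Samba's own code, here is a C base64 decoder that rejects invalid characters and bad padding and bounds its output, so the length handed to any later memcpy() is always the number of bytes actually written:

```c
/* Added example, not Samba's code: a base64 decoder that validates every
 * input character and bounds its output, so an invalid or truncated string
 * can never produce a bogus length for a later memcpy(). */
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode s into out (capacity outlen bytes). Returns the number of decoded
 * bytes, or -1 if s contains a character outside the alphabet, has bad
 * padding or a dangling partial byte, or would overflow out. */
ssize_t b64_decode(const char *s, unsigned char *out, size_t outlen)
{
    size_t n = 0, pad = 0, i, len = strlen(s);
    unsigned int acc = 0;   /* bit accumulator, at most 24 bits in use */
    int bits = 0;           /* number of valid bits in acc */

    /* Strip trailing '=' padding (at most two); padded input must be a
     * multiple of four characters. An input of just "=" is rejected here
     * instead of yielding a count of -1. */
    while (len > 0 && s[len - 1] == '=' && pad < 2) { len--; pad++; }
    if (pad != 0 && (len + pad) % 4 != 0) return -1;

    for (i = 0; i < len; i++) {
        const char *p = strchr(B64, s[i]);
        if (p == NULL) return -1;   /* invalid character: reject, never guess */
        acc = ((acc << 6) | (unsigned int)(p - B64)) & 0xFFFFFF;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= outlen) return -1;   /* bounded write, never past out */
            out[n++] = (unsigned char)((acc >> bits) & 0xFF);
        }
    }
    /* A single leftover character carries no whole byte: reject it. */
    if (bits >= 6) return -1;
    return (ssize_t)n;
}
```

The return value is what a caller should use as the copy length; a negative result means the credential or attribute value must be discarded, not decoded as far as it goes.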
Comment 1 Lars Müller 2004-07-15 23:16:04 UTC
This is a Samba >= 3.0.2 only bug.  We have official Samba 3 packages only on
9.1 and SLES 9.
Comment 2 Lars Müller 2004-07-15 23:53:29 UTC
The patch is signed by the Samba Distribution Verification Key
<samba-bugs@samba.org>.

Patch applies fine to Samba 3.0.4 of SLES 9/ 9.1.

mbuild succeeded for all SLES 9 architectures.
Comment 3 Michael Schröder 2004-07-16 01:06:34 UTC
where's the SL9.1 patchinfo?
Comment 4 Thomas Biege 2004-07-16 01:23:14 UTC
CRD: Tuesday, July 20th, at 6am GMT-6. 
Comment 5 Lars Müller 2004-07-16 01:27:44 UTC
Patchinfo files are created.

SLES 9
/work/src/done/PATCHINFO/samba.patch.maintained

9.1 
/work/src/done/PATCHINFO/samba,samba-client,samba-pdb,samba-python,samba-winbind.patch.box
Comment 6 Lars Müller 2004-07-16 01:29:04 UTC
Reassign bug to the security team as my part should be done.
Comment 7 Thomas Biege 2004-07-16 16:38:18 UTC
thx! 
Comment 8 Thomas Biege 2004-07-16 16:44:16 UTC
CAN-2004-0600 
Comment 9 Lars Müller 2004-07-16 17:31:32 UTC
Both changes to lib/util_str.c introduce a length check.  They are trivial.
Therefore I suggest doing no extra testing of this version.
Comment 10 Lars Müller 2004-07-19 19:41:34 UTC
patch-9179 tested from you.suse.de for SLES 9 and 9.1.  All installed packages
are updated well.  Running services are restarted.  Connection to file share
tested successfully.
Comment 11 Roman Drahtmueller 2004-07-20 08:05:39 UTC
Scratch that:

From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: vendor-sec@lst.de, samba-pkg-sec@samba.org
Cc: security@samba.org
Date: Mon, 19 Jul 2004 15:06:46 -0500
Subject: [vendor-sec] samba 3.0.5 security release delayed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Attention Samba Vendors,

Sorry about this, but one of our developers, Jeremy Allison,
has found an additional buffer overrun unrelated to CAN-2004-0600
(the base64 decoding bug).

We are in the process of developing a patch and will post it here
later today with more details.

So Samba 3.0.5 will include fixes for 2 security issues.

cheers, jerry
Comment 12 Roman Drahtmueller 2004-07-20 08:07:14 UTC
Now: 

CAN-2004-0600 + CAN-2004-0686

Let's hope that we won't run out of md5 sums for the patchinfo files.
Comment 13 Thomas Biege 2004-07-20 15:15:02 UTC
OK, I'll drop the packages and reassign to Lars.
Comment 14 Thomas Biege 2004-07-20 15:28:38 UTC
Date: Mon, 19 Jul 2004 21:21:51 -0500 
From: "Gerald (Jerry) Carter" <jerry@samba.org> 
To: vendor-sec@lst.de, samba-pkg-sec@samba.org, elrond@samba-tng.org 
Cc: security@samba.org 
Subject: [vendor-sec] Multiple Potential Buffer Overruns in Samba 3.0.x 
 
-----BEGIN PGP SIGNED MESSAGE----- 
Hash: SHA1 
 
The following 2 security holes have been identified in Samba 3.
The proposed patch to address both bugs is attached to the mail 
(including the gpg signature).  The samba public gpg key 
can be downloaded from 
 
       http://www.samba.org/samba/ftp/samba-pubkey.asc
 
Samba 3.0.5 will be publicly released and these bugs disclosed
on Wednesday, July 21, at 6am GMT-6.  With the exception of
fixing these two bugs, Samba 3.0.5 will be identical to 3.0.4. 
The previous 3.0.5 release candidate will be renamed to 3.0.6rcX. 
 
Our code, Our bugs, Our responsibility. 
 
       -- The Samba Team 
 
 
CAN-2004-0600 
-------------
 
Affected Versions:      Samba 3.0.2 and later 
 
The internal routine used by the Samba Web Administration 
Tool (SWAT v3.0.2 and later) to decode the base64 data 
during HTTP basic authentication is subject to a buffer 
overrun caused by an invalid base64 character.  There are 
no known exploits for this security flaw.  However, it is 
recommended that all Samba v3.0.2 or later installations 
running SWAT either (a) upgrade to v3.0.5, or (b) disable 
the swat administration service as a temporary workaround. 
 
This same code is used internally to decode the 
sambaMungedDial attribute value when using the ldapsam 
passdb backend. While we do not believe that the base64 
decoding routines used by the ldapsam passdb backend can 
be exploited, sites using an LDAP directory service with 
Samba are strongly encouraged to verify that the DIT only 
allows write access to sambaSamAccount attributes by a 
sufficiently authorized user. 
 
The Samba Team would like to heartily thank Evgeny Demidov 
for analyzing and reporting this bug. 
 
 
CAN-2004-0686 
-------------
 
Affected Versions:      Samba 3.0.0 and later 
 
A buffer overrun has been located in the code used to support 
the 'mangling method = hash' smb.conf option.  Please be aware 
that the default setting for this parameter is 'mangling method 
= hash2' and therefore not vulnerable. 
 
Affected Samba 3 installations can avoid this possible security 
bug by using the default hash2 mangling method.  Server 
installations requiring the hash mangling method are encouraged 
to upgrade to Samba 3.0.5.  There are no known exploits for the 
bug. 
 
 
 
 
[PATCHES ATTACHED] 
Comment 15 Thomas Biege 2004-07-20 15:30:27 UTC
Created attachment 22293 [details]
samba-3-0-5.patch
Comment 16 Thomas Biege 2004-07-20 15:34:23 UTC
Lars, I'll attach new patchinfo files for you to submit in a few minutes.
 
In what way can the second/new bug be exploited? 
Comment 17 Lars Müller 2004-07-20 22:17:43 UTC
Package and patchinfo submitted.

Attention: New CRD is Wednesday, July 21, at 6am GMT-6.
Comment 18 Thomas Biege 2004-07-20 23:10:13 UTC
thx! 
Comment 19 Lars Müller 2004-07-20 23:24:53 UTC
The second patch is also a simple one.  check_cache() of smbd/mangle_hash.c,
source/smbd/mangle_hash2.c, and mangle_check_cache() from source/smbd/mangle.c
got a second argument, size_t maxlen, and now use safe_strcpy( dest, src,
maxlen) instead of fstrcpy( dest, src) or pstrcat( dest, src).
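The comment above describes the shape of the CAN-2004-0686 fix: the cache lookup gains a maxlen argument and copies with a bounded routine instead of an unbounded one. As an added illustration that is not Samba's code, here is a C mangled-name cache lookup built the same way; the cache contents and the bounded-copy helper are constructed for the example:

```c
/* Added example, not Samba's code: a mangled-name cache lookup that carries
 * the destination size, in the spirit of the check_cache(name, maxlen)
 * change described above, so a cached long name can never overrun the
 * caller's fixed-size buffer. */
#include <stddef.h>
#include <string.h>

struct cache_entry { const char *mangled; const char *longname; };

/* Constructed sample cache; the second long name is deliberately longer than
 * the small buffer used in the checks so truncation can be observed. */
static const struct cache_entry sample_cache[] = {
    { "REPORT~1.DOC", "report for the board meeting.doc" },
    { "LONGNA~1.TXT", "this long name would not fit in a small fixed buffer.txt" },
};

/* Bounded copy (assumed helper modelled on the safe_strcpy idea, not the
 * Samba routine itself): writes at most maxlen bytes including the
 * terminator and always NUL-terminates. Returns 1 if src was truncated. */
static int bounded_strcpy(char *dest, const char *src, size_t maxlen)
{
    size_t n = strlen(src);
    if (maxlen == 0) return 1;
    if (n >= maxlen) {
        memcpy(dest, src, maxlen - 1);
        dest[maxlen - 1] = '\0';
        return 1;
    }
    memcpy(dest, src, n + 1);
    return 0;
}

/* Replace the mangled 8.3 name held in name (a buffer of maxlen bytes) with
 * its cached long name, in place. Returns 1 on a hit, 0 on a miss (name is
 * left untouched), and 2 on a hit whose long name had to be truncated. */
int check_cache(char *name, size_t maxlen)
{
    size_t i;
    for (i = 0; i < sizeof sample_cache / sizeof sample_cache[0]; i++) {
        if (strcmp(name, sample_cache[i].mangled) == 0)
            return bounded_strcpy(name, sample_cache[i].longname, maxlen) ? 2 : 1;
    }
    return 0;
}
```

The point of the extra argument is that the callee cannot know the caller's buffer size on its own; with an unbounded fstrcpy() or pstrcat() the copy length is decided by whatever is in the cache.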
Comment 20 Lars Müller 2004-07-21 16:48:03 UTC
CAN-2004-0686 is also valid for Samba 2.2.  Therefore we got a new CRD: Thursday,
July 22, at 6am GMT-6.
Comment 21 Lars Müller 2004-07-22 20:53:05 UTC
Samba 2.2.8a is now our only version for

UL1, SLES8, 8.1
8.2
9.0

Packages and patchinfo files are submitted

8.1 /work/src/done/PATCHINFO/samba-2.2.8a-8.1
8.2
/work/src/done/PATCHINFO/samba,samba-client,samba-doc,libsmbclient,libsmbclient-devel,samba-vscan.patch.box
9.0 /work/src/done/PATCHINFO/samba-2.2.8a-9.0
Comment 22 Lars Müller 2004-07-22 21:00:22 UTC
UL1, SLES8, 8.1 /work/src/done/PATCHINFO/samba,samba-client.patch.maintained
Comment 23 Thomas Biege 2004-07-23 00:33:53 UTC
packages approved 
Comment 24 Lars Müller 2004-07-23 03:58:58 UTC
Reopened by lmuelle@suse.de at Thu Jul 22 21:58:58 2004
Comment 25 Lars Müller 2004-07-23 03:58:58 UTC
Regarding Samba 2.2: Do we need extra patchinfo files for SLOX, Standard Server 8, and SLD?
Comment 26 Thomas Biege 2004-07-23 15:06:35 UTC
I dunno. 
Comment 27 Lars Müller 2004-07-23 22:39:12 UTC
SLOX and Standard Server 8 are covered by the UL1/ SLES8 patchinfo.

For SLD aka SLEC I've submitted an additional patchinfo file.

Anything to do with the Laufzettel (routing slip) stuff for this additional patchinfo?
Comment 28 Thomas Biege 2004-07-26 19:22:05 UTC
No, I'll approve it as soon as it is tested.
Comment 29 Thomas Biege 2004-07-26 23:29:50 UTC
packages approved 
Comment 30 Thomas Biege 2009-10-13 20:29:07 UTC
CVE-2004-0686: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)