Bug 1063008 - (CVE-2017-15275) VUL-0: CVE-2017-15275: samba: message_push_string() can leak uninitialized heap data to a client via SMB1.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: The 'Opening Windows to a Wider World' guys
Security Team bot
CVSSv2:SUSE:CVE-2017-15275:4.3:(AV:N/...
Reported: 2017-10-12 12:06 UTC by Marcus Meissner
Modified: 2018-12-14 07:58 UTC
Description Marcus Meissner 2017-10-12 12:06:57 UTC
embargoed

https://bugzilla.samba.org/show_bug.cgi?id=13077

Ensure we zero out unused grown area.
Comment 2 Marcus Meissner 2017-10-16 08:51:32 UTC
====================================================================
== Subject:     Server heap memory information leak.
==
== CVE ID#:     CVE-2017-15275
==
== Versions:    All versions of Samba from 3.6.0 onwards.
==
== Summary:     The server may return the contents of heap
==              allocated memory to the client.
==
====================================================================

===========
Description
===========

All versions of Samba from 3.6.0 onwards are vulnerable to a heap
memory information leak, where server allocated heap memory may be
returned to the client without being cleared.

There is no known vulnerability associated with this error, but
uncleared heap memory may contain previously used data that may help
an attacker compromise the server via other methods. Uncleared heap
memory may potentially contain password hashes or other high-value
data.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.7.1, 4.6.9 and 4.5.15 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by Volker Lendecke of SerNet and the Samba
Team. Jeremy Allison of Google and the Samba Team provided the fix.
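The defect the advisory and the commit message ("Ensure we zero out unused grown area") describe is a reply buffer that is grown by more bytes than the pushed string needs, with the unused tail sent to the client as-is. The following is an added illustration, not Samba's code: `arena_realloc` and the pre-filled arena are a constructed stand-in for a heap with stale contents, and the over-allocation formula in `push_string` is a simplification rather than Samba's exact arithmetic.

```c
#include <stdint.h>
#include <string.h>

/* Fake heap: a static arena pre-filled with 'A' stands in for stale data
 * left behind by earlier allocations (constructed for the demonstration). */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];
static size_t arena_used;

static void arena_reset(void) { memset(arena, 'A', ARENA_SIZE); arena_used = 0; }

/* Bump "realloc": copies the old bytes and leaves the rest untouched, which is
 * the behaviour a real realloc/talloc_realloc gives for the grown region. */
static uint8_t *arena_realloc(const uint8_t *old, size_t old_len, size_t new_len) {
    if (arena_used + new_len > ARENA_SIZE) return NULL;
    uint8_t *p = arena + arena_used;
    arena_used += new_len;
    if (old) memcpy(p, old, old_len);
    return p;
}

/* Grow the reply buffer generously, then push str into the grown area.
 * zero_grown == 0 reproduces the defect; zero_grown == 1 applies the fix
 * ("Ensure we zero out unused grown area"). The grow_size formula is a
 * simplification, not Samba's own. Returns the number of bytes added. */
static size_t push_string(uint8_t **buf, size_t *len, const char *str, int zero_grown) {
    size_t grow_size = (strlen(str) + 2) * 2;
    uint8_t *tmp = arena_realloc(*buf, *len, *len + grow_size);
    if (tmp == NULL) return 0;
    if (zero_grown) memset(tmp + *len, 0, grow_size);
    memcpy(tmp + *len, str, strlen(str) + 1);
    *buf = tmp;
    *len += grow_size;          /* the whole grown region is what goes on the wire */
    return grow_size;
}

/* Build a 4-byte header plus one pushed string and count how many bytes of the
 * grown tail, beyond the string itself, still carry stale heap content. */
static size_t leaked_bytes(const char *str, int zero_grown) {
    uint8_t hdr[4] = {0, 0, 0, 0};
    size_t len = sizeof hdr, leaked = 0;
    arena_reset();
    uint8_t *buf = arena_realloc(hdr, len, len);
    size_t start = len, grown = push_string(&buf, &len, str, zero_grown);
    for (size_t i = start + strlen(str) + 1; i < start + grown; i++)
        if (buf[i] != 0) leaked++;
    return leaked;
}
```

With the string "share", `leaked_bytes("share", 0)` reports 8 stale bytes in the reply and `leaked_bytes("share", 1)` reports none; the difference is exactly the memset the fix adds.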
Comment 6 Marcus Meissner 2017-11-23 07:14:24 UTC
nowpublic
Comment 7 Swamp Workflow Management 2017-11-24 20:18:59 UTC
SUSE-SU-2017:3086-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027593,1060427,1063008
CVE References: CVE-2017-14746,CVE-2017-15275
Sources used:
SUSE OpenStack Cloud 6 (src):    samba-4.2.4-28.24.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.2.4-28.24.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    samba-4.2.4-28.24.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.2.4-28.24.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.2.4-28.24.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    samba-4.2.4-28.24.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-28.24.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.2.4-28.24.1
Comment 8 Swamp Workflow Management 2017-11-27 21:17:45 UTC
SUSE-SU-2017:3104-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027593,1060427,1063008
CVE References: CVE-2017-14746,CVE-2017-15275
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.4.2-38.14.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.4.2-38.14.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.4.2-38.14.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-38.14.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.4.2-38.14.1
Comment 9 Swamp Workflow Management 2017-11-30 02:11:52 UTC
openSUSE-SU-2017:3141-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027593,1060427,1063008
CVE References: CVE-2017-14746,CVE-2017-15275
Sources used:
openSUSE Leap 42.2 (src):    samba-4.4.2-11.15.1
Comment 10 Swamp Workflow Management 2017-11-30 02:12:37 UTC
openSUSE-SU-2017:3143-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1058565,1058622,1058624,1060427,1063008,1065066
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163,CVE-2017-14746,CVE-2017-15275
Sources used:
openSUSE Leap 42.3 (src):    samba-4.6.9+git.59.c2cff9cea4c-9.1
Comment 12 Swamp Workflow Management 2017-11-30 11:20:12 UTC
SUSE-SU-2017:3155-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1058565,1058622,1058624,1060427,1063008,1065066
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163,CVE-2017-14746,CVE-2017-15275
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Enterprise Storage 5 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
Comment 21 Christian Siebigteroth 2017-12-14 08:13:07 UTC
Hi Marcus,

we also had a bit of confusion here.
The Service Request was linked to this bug; however, a new bug has been entered against this issue too. The bug number is 1072106, and for this bug there is already a PTF available.
The link is:
https://ptf.suse.com/36c33b828f0c33f8750f1cfe92c9416a/sles11-sp4/14317/x86_64/20171211

I assume that we then do not need an additional PTF.

Thanks
Christian
Comment 22 Swamp Workflow Management 2018-01-04 17:09:45 UTC
SUSE-SU-2018:0018-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1016531,1063008
CVE References: CVE-2017-15275
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-94.8.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-94.8.1, samba-doc-3.6.3-94.8.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-94.8.1, samba-doc-3.6.3-94.8.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    samba-3.6.3-94.8.1, samba-doc-3.6.3-94.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-94.8.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-94.8.1
Comment 23 James McDonough 2018-02-14 13:08:10 UTC
Looks like we're done
Comment 25 Swamp Workflow Management 2018-08-14 16:09:14 UTC
SUSE-SU-2018:2321-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027593,1060427,1063008,1081741,1103411
CVE References: CVE-2017-14746,CVE-2017-15275,CVE-2018-1050,CVE-2018-10858
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.49.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.49.1