Bug 43990 - VUL-0: CVE-2003-0686: overflow in pam_smb
Summary: VUL-0: CVE-2003-0686: overflow in pam_smb
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: All Linux
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2003-0686: CVSS v2 Base Score: 7....
Keywords:
Depends on:
Blocks:
 
Reported: 2003-08-15 18:29 UTC by Sebastian Krahmer
Modified: 2021-09-27 13:09 UTC (History)
CC: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patchinfo (567 bytes, text/plain), 2003-08-19 15:05 UTC, Thomas Biege
putonftp (190 bytes, text/plain), 2003-08-19 15:06 UTC, Thomas Biege

Description Sebastian Krahmer 2003-08-15 18:29:40 UTC
Date: Fri, 15 Aug 2003 04:57:20 +0100 (IST)
From: Dave Airlie <airlied@samba.org>
To: secalert@redhat.com, security@suse.de, security@debian.org
Cc: security@linux-mandrake.com
Cc: secure@conectiva.com.br
Cc: security-officer@freebsd.org
Subject: [security@suse.de] pam_smb remote buffer overflow..
Sender: security-bounces+okir=suse.de@suse.de


Dear Distribution Security people,

I am writing to give you an advance warning of a remote buffer overflow in
the password handling code in pam_smb 1.1.6 and pam_smb v2 version in
non-daemon mode...

I've attached a patch against my 1.1.6 release, and the latest v2.0.0-rc4
in cvs on sourceforge is not vulnerable (all earlier versions are..)

I wish to delay announcing this until all major distributions have
a chance to prepare an upgrade for their users, and I can post new
versions to samba.org,

Thanks,
Dave.

Fix looks simple (From Dave):

diff -ur ../../pam_smb/smbval/smblib.c pam_smb/smbval/smblib.c
--- ../../pam_smb/smbval/smblib.c       Thu Apr 22 21:24:31 1999
+++ pam_smb/smbval/smblib.c     Fri Aug 15 03:54:49 2003
@@ -25,6 +25,7 @@
 
 #include "../config.h"
 #include <malloc.h>
+#include <string.h>
 
 int SMBlib_errno;
 int SMBlib_SMB_Error;
@@ -33,6 +34,7 @@
 #include "smblib-priv.h"
 
 #include "rfcnb.h"
+#define safestrcpy(s1, s2, n) strncpy(s1, s2, n); ((char *)s1)[n-1] = 0
 
 #include <signal.h>
 
@@ -334,7 +336,7 @@
 
   }
 
-  strcpy(pword, PassWord);
+  safestrcpy(pword, PassWord, 128);
#ifdef PAM_SMB_ENC_PASS
   if (Con_Handle -> encrypt_passwords)
   {
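Review bot: the bound at `+  safestrcpy(pword, PassWord, 128);` is a bare literal that has to agree with the declaration of `pword`, which this hunk does not show; if `pword` is an array, `sizeof(pword)` keeps the two in step, and if its size is a named constant that constant belongs here. Behaviourally the change turns the overflow into silent truncation: a password longer than 127 bytes is cut and still sent on, so for an authentication path consider rejecting over-long input with an error instead of truncating it. Also, the context line `#ifdef PAM_SMB_ENC_PASS` has lost its leading space in this pasted copy, so the hunk as shown will not apply cleanly.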
Comment 1 Sebastian Krahmer 2003-08-15 18:29:40 UTC
With long passwords probably.
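The pre-patch and post-patch copy shapes side by side, as an added C example that is not part of this bug report or of pam_smb itself. It assumes pword is a 128-byte array (the hunk only shows the literal 128), reproduces the two-statement macro from the posted patch to show what an unbraced `if` does to it, and adds a stricter variant that rejects an over-long password rather than truncating it. The 200-byte password is constructed sample input; no real overflow is performed, the vulnerable shape is measured instead.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: pword in smblib.c is a 128-byte array; the hunk only shows the literal 128. */
#define PWORD_LEN 128

/* The macro exactly as the posted patch defines it: two statements, no braces. */
#define safestrcpy_as_patched(s1, s2, n) strncpy(s1, s2, n); ((char *)s1)[n-1] = 0

/* The same operation as one statement, safe after an unbraced if/else. */
#define safestrcpy(s1, s2, n) \
    do { strncpy((s1), (s2), (n)); ((char *)(s1))[(n) - 1] = '\0'; } while (0)

/* Pre-patch shape: strcpy(pword, PassWord) writes strlen(PassWord)+1 bytes no
 * matter how big pword is. This reports how many bytes would land past the end
 * of a dst_size-byte buffer (0 = fits) instead of doing the out-of-bounds write. */
size_t strcpy_overflow_bytes(size_t dst_size, const char *src)
{
    size_t needed = strlen(src) + 1;           /* strcpy also copies the NUL */
    return needed > dst_size ? needed - dst_size : 0;
}

/* Post-patch behaviour: bounded copy plus forced terminator. Over-long input is
 * silently cut to dst_size-1 bytes. Returns 1 if truncation happened, else 0. */
int copy_password_truncating(char *dst, size_t dst_size, const char *src)
{
    safestrcpy(dst, src, dst_size);
    return strlen(src) >= dst_size;
}

/* Stricter variant for an authentication path: refuse an over-long password
 * instead of truncating it, so a 200-byte string is never quietly checked as
 * its first 127 bytes. Returns 0 on success, -1 if rejected (dst left empty).
 * memchr bounds the scan, so src is never read past dst_size bytes. */
int copy_password_strict(char *dst, size_t dst_size, const char *src)
{
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL) {                         /* no terminator within the limit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Hazard in the macro as posted: after `if (cond) safestrcpy_as_patched(...);`
 * only the strncpy is guarded; the terminator store always runs. Returns
 * buf[n-1] after the guarded call: with cond false it is 0, although nothing
 * should have been written. */
char unbraced_macro_side_effect(int cond)
{
    char buf[PWORD_LEN];
    memset(buf, 'X', sizeof buf);
    if (cond)
        safestrcpy_as_patched(buf, "pw", sizeof buf);
    return buf[sizeof buf - 1];
}

/* Same probe with the single-statement macro: with cond false buf is untouched ('X'). */
char braced_macro_no_side_effect(int cond)
{
    char buf[PWORD_LEN];
    memset(buf, 'X', sizeof buf);
    if (cond)
        safestrcpy(buf, "pw", sizeof buf);
    return buf[sizeof buf - 1];
}

/* Constructed sample input: fills out with 'A' up to out_size-1 and terminates it. */
size_t make_long_password(char *out, size_t out_size)
{
    size_t n = out_size - 1;
    memset(out, 'A', n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    char longpw[201], pword[PWORD_LEN];
    make_long_password(longpw, sizeof longpw);

    printf("strcpy of a %zu-byte password into a %d-byte pword overflows by %zu bytes\n",
           strlen(longpw), PWORD_LEN, strcpy_overflow_bytes(PWORD_LEN, longpw));
    printf("truncating copy: truncated=%d, kept %zu bytes\n",
           copy_password_truncating(pword, sizeof pword, longpw), strlen(pword));
    printf("strict copy: rc=%d\n", copy_password_strict(pword, sizeof pword, longpw));
    printf("macro as posted, cond=0: buf[127]=%d; single-statement macro: buf[127]='%c'\n",
           unbraced_macro_side_effect(0), braced_macro_no_side_effect(0));
    return 0;
}
```

The truncating copy matches what the patch does and is enough to stop the memory corruption; whether a PAM module should also refuse over-long passwords outright is a policy choice for the authentication path, which is why the strict variant is shown separately.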
Comment 2 Sebastian Krahmer 2003-08-15 18:37:52 UTC
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0686 to this issue.

Release date is Aug the 26th.
Comment 3 Thomas Biege 2003-08-19 15:05:43 UTC
Created attachment 13473 [details]
patchinfo
Comment 4 Thomas Biege 2003-08-19 15:06:17 UTC
Created attachment 13474 [details]
putonftp
Comment 5 Thomas Biege 2003-08-19 20:52:52 UTC
any news here? 
Comment 6 Ruediger Oertel 2003-08-20 22:51:10 UTC
ok, checking in. please submit the needed patchinfo file(s) 
Comment 7 Petr Ostadal 2003-08-20 23:01:06 UTC
patchinfo submitted
Comment 8 Petr Ostadal 2003-08-20 23:02:15 UTC
reassign to security team
Comment 9 Thomas Biege 2003-09-04 19:22:52 UTC
adv. released 
Comment 10 Thomas Biege 2009-10-13 19:38:18 UTC
CVE-2003-0686: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)