Bugzilla – Bug 58061
VUL-0: CVE-2004-0686: buffer overrun in SWAT's base64 decoding affecting servers >= 3.0.2
Last modified: 2021-10-14 14:35:27 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject: Potential Buffer Overrun
Description: Invalid length in memcpy() caused by invalid base64 character string
Affected Versions: Samba 3.0.2 and later

The internal routine used by the Samba Web Administration Tool (SWAT) to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. This same code is used internally to decode the sambaMungedDial attribute value when using the ldapsam passdb backend and to decode input given to the ntlm_auth tool.

The current 3.0.5 release candidate will be renamed to 3.0.6rcX and a new 3.0.5 release will be made publicly available on Tuesday, July 20th, at 6am GMT-6. Samba 3.0.5 will be identical to v3.0.4 with the addition of this one change to correct the base64 decoding buffer overrun issue (patch and signature attached to this message).

Affected Samba installations include those running v3.0.2 or later and meeting one of the following three requirements:
(a) Servers using the ldapsam passdb backend
(b) Servers running winbindd and allowing 3rd party applications to issue authentication requests via the ntlm_auth tool included with Samba.
(c) Servers running SWAT.

While there are no known exploits for this security flaw, it is recommended that all affected Samba installations be upgraded to v3.0.5.

The Samba Team would like to heartily thank Evgeny Demidov for locating and reporting this bug.

Our code, Our bugs, Our responsibility.
-- The Samba Team

GPG Public Key http://www.samba.org/samba/ftp/samba-pubkey.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA9fQkIR7qMdg1EfYRApEdAKCPnP3sqyO3GOaDVkYS+4P7+A+uJwCbBTYP
AqUAi8DXsvoBz19AgkKSmj0=
=jMvA
-----END PGP SIGNATURE-----
This is a Samba >= 3.0.2 only bug. We have official Samba 3 packages only on 9.1 and SLES 9.
The patch is signed by the Samba Distribution Verification Key <samba-bugs@samba.org>. Patch applies fine to Samba 3.0.4 of SLES 9/9.1. mbuild succeeded for all SLES 9 architectures.
where's the SL9.1 patchinfo?
CRD: Tuesday, July 20th, at 6am GMT-6.
Patchinfo files are created.
SLES 9 /work/src/done/PATCHINFO/samba.patch.maintained
9.1 /work/src/done/PATCHINFO/samba,samba-client,samba-pdb,samba-python,samba-winbind.patch.box
Reassign bug to the security team as my part should be done.
thx!
CAN-2004-0600
Both changes to lib/util_str.c introduce a length check. They are trivial. Therefore I suggest doing no extra testing of this version.
patch-9179 tested from you.suse.de for SLES 9 and 9.1. All installed packages are updated well. Running services are restarted. Connection to file share tested successfully.
Cancel that:
From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: vendor-sec@lst.de, samba-pkg-sec@samba.org
Cc: security@samba.org
Date: Mon, 19 Jul 2004 15:06:46 -0500
Subject: [vendor-sec] samba 3.0.5 security release delayed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Attention Samba Vendors,

Sorry about this, but one of our developers, Jeremy Allison, has found an additional buffer overrun unrelated to CAN-2004-0600 (the base64 decoding bug). We are in the process of developing a patch and will post it here later today with more details. So Samba 3.0.5 will include fixes for 2 security issues.

cheers, jerry
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA/CnVIR7qMdg1EfYRApbeAJ9/4vrISFdVlyAolsspziEeC8PU6wCeLymL
XkMFa/GM1fGA8mfDIptd8iU=
=HFK1
-----END PGP SIGNATURE-----
Now: CAN-2004-0600 + CAN-2004-0686
Let's hope that we won't run out of md5 sums for the patchinfo files.
ok, I'll drop the packages and reassign to Lars.
Date: Mon, 19 Jul 2004 21:21:51 -0500
From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: vendor-sec@lst.de, samba-pkg-sec@samba.org, elrond@samba-tng.org
Cc: security@samba.org
Subject: [vendor-sec] Multiple Potential Buffer Overruns in Samba 3.0.x

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The following 2 security holes have been identified in Samba 3. The proposed patch to address both bugs is attached to the mail (including the gpg signature). The samba public gpg key can be downloaded from http://www.samba.org/samba/ftp/samba-pubkey.asc

Samba 3.0.5 will be publicly released and these bugs disclosed on Wednesday, July 21, at 6am GMT-6. With the exception of fixing these two bugs, Samba 3.0.5 will be identical to 3.0.4. The previous 3.0.5 release candidate will be renamed to 3.0.6rcX.

Our code, Our bugs, Our responsibility.
-- The Samba Team

CAN-2004-0600
-------------
Affected Versions: Samba 3.0.2 and later

The internal routine used by the Samba Web Administration Tool (SWAT v3.0.2 and later) to decode the base64 data during HTTP basic authentication is subject to a buffer overrun caused by an invalid base64 character. There are no known exploits for this security flaw. However, it is recommended that all Samba v3.0.2 or later installations running SWAT either (a) upgrade to v3.0.5, or (b) disable the swat administration service as a temporary workaround.

This same code is used internally to decode the sambaMungedDial attribute value when using the ldapsam passdb backend. While we do not believe that the base64 decoding routines used by the ldapsam passdb backend can be exploited, sites using an LDAP directory service with Samba are strongly encouraged to verify that the DIT only allows write access to sambaSamAccount attributes by a sufficiently authorized user.

The Samba Team would like to heartily thank Evgeny Demidov for analyzing and reporting this bug.

CAN-2004-0686
-------------
Affected Versions: Samba 3.0.0 and later

A buffer overrun has been located in the code used to support the 'mangling method = hash' smb.conf option. Please be aware that the default setting for this parameter is 'mangling method = hash2' and therefore not vulnerable. Affected Samba 3 installations can avoid this possible security bug by using the default hash2 mangling method. Server installations requiring the hash mangling method are encouraged to upgrade to Samba 3.0.5. There are no known exploits for the bug.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA/IG/IR7qMdg1EfYRAi/VAJwJa3QvWbJ5E+bYDEQJH2g/MxqA6ACg4pga
eJUOgGD88L6HK9aSNFm5C9k=
=xR0Q
-----END PGP SIGNATURE-----
[PATCHES ATTACHED]
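The CAN-2004-0600 description above is the classic shape of a base64 bug: an out-of-alphabet character is mapped to a bogus value and that value ends up in a length passed to memcpy(). Below is an added example, not Samba's code and not the attached patch, of a decoder that refuses such input up front and bounds every write against the destination size; all names (base64_decode_checked, probe_decode, decodes_to) are assumptions, and the sample credential string "admin:secret" is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Map one base64 alphabet character to its 6-bit value, or -1 if it is
 * outside the alphabet (the input the advisory says the old decoder mishandled). */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode src into dst (capacity dst_len). Returns the byte count written, or -1 on a
 * bad character, bad length/padding, or overflow; every error returns before any write. */
long base64_decode_checked(const char *src, unsigned char *dst, size_t dst_len) {
    size_t n = strlen(src), pad = 0, out = 0;
    uint32_t acc = 0;
    int bits = 0;
    while (n > 0 && pad < 2 && src[n - 1] == '=') { n--; pad++; }  /* trailing '=' only */
    if ((n + pad) % 4 != 0) return -1;          /* encoded length must be a multiple of 4 */
    for (size_t i = 0; i < n; i++) {
        int v = b64_value(src[i]);
        if (v < 0) return -1;                   /* reject instead of deriving a bogus length */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dst_len) return -1;      /* bounds check before every write */
            dst[out++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;            /* keep only the leftover bits */
        }
    }
    if (acc != 0) return -1;                    /* leftover bits must be zero in canonical input */
    return (long)out;
}

/* Helpers so a caller can probe the decoder without managing a buffer. */
long probe_decode(const char *src, size_t dst_len) {
    unsigned char buf[64];
    if (dst_len > sizeof buf) dst_len = sizeof buf;
    return base64_decode_checked(src, buf, dst_len);
}

int decodes_to(const char *src, const char *expected) {
    unsigned char buf[64];
    long n = base64_decode_checked(src, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}
```

The same check belongs wherever the page says the routine is reused: the HTTP Basic credential in SWAT, the sambaMungedDial attribute from LDAP, and input handed to ntlm_auth.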
Created attachment 22293: samba-3-0-5.patch
Lars, I'll attach new patchinfo files for you to submit in a few minutes. In what way can the second/new bug be exploited?
Package and patchinfo submitted. Attention: New CRD is Wednesday, July 21, at 6am GMT-6.
The second patch is also a simple one. check_cache() of smbd/mangle_hash.c, source/smbd/mangle_hash2.c, and mangle_check_cache() from source/smbd/mangle.c got a second argument, size_t maxlen, and now use safe_strcpy( dest, src, maxlen) instead of fstrcpy( dest, src) or pstrcat( dest, src).
CAN-2004-0686 is also valid for Samba 2.2. Therefore we got a new CRD: Thursday, July 22, at 6am GMT-6.
Samba 2.2.8a is now our only version for UL1, SLES8, 8.1, 8.2 and 9.0. Packages and patchinfo files are submitted:
8.1 /work/src/done/PATCHINFO/samba-2.2.8a-8.1
8.2 /work/src/done/PATCHINFO/samba,samba-client,samba-doc,libsmbclient,libsmbclient-devel,samba-vscan.patch.box
9.0 /work/src/done/PATCHINFO/samba-2.2.8a-9.0
UL1, SLES8, 8.1 /work/src/done/PATCHINFO/samba,samba-client.patch.maintained
packages approved
Reopened by lmuelle@suse.de at Thu Jul 22 21:58:58 2004
Regarding Samba 2.2: Do we need extra patchinfo files for SLOX, Standard Server 8, and SLD?
I dunno.
SLOX and Standard Server 8 are covered by the UL1/SLES8 patchinfo. For SLD aka SLEC I've submitted an additional patchinfo file. Anything to do with the Laufzettel (routing slip) stuff for this additional patchinfo?
no, I'll approve it as soon as it is tested.
CVE-2004-0686: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)