[csw-users] Security Vulnerabilities in Samba.

Bogdan Iamandei bogdan at its.uq.edu.au
Fri Jul 20 12:20:50 CEST 2007


-----Original Message-----
From: users-bounces+bogdan=its.uq.edu.au at lists.blastwave.org on behalf of Jeremiah Johnson
Sent: Fri 7/20/2007 8:54 AM
To: users at lists.blastwave.org
Subject: [csw-users] Security Vulnerabilities in Samba.
Hello,

I contacted the maintainer of the Samba package well over a month ago
about some vulnerabilities in the Samba package.  I've never received
a response from him, and there is no other clear method of resolving
security issues in Blastwave packages.

Samba has the following problems:
o CVE-2007-2444
	Versions: Samba 3.0.23d - 3.0.25pre2
	Local SID/Name translation bug can result in
	user privilege elevation
o CVE-2007-2446
	Versions: Samba 3.0.0 - 3.0.24
	Multiple heap overflows allow remote code execution
o CVE-2007-2447
	Versions: Samba 3.0.0 - 3.0.24
	Unescaped user input parameters are passed as
	arguments to /bin/sh allowing for remote command
	execution

These problems were fixed in Samba 3.0.25 (released on May 14, 2007);
3.0.25b is current, and 3.0.23,REV=2006.08.09b is what Blastwave packages.
FWIW, the Blastwave package is also vulnerable to:

(Fixed in Samba 3.0.24 Feb 5, 2007)
- CVE-2007-0452 (Potential Denial of Service bug in smbd)
- CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
  NSS library on Solaris)
- CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)

Further, there should be some clearly defined Blastwave policy
regarding security issues.  If the maintainer cannot get to it,
somebody else from the Blastwave team should be able to handle it.
The maintainer, and a security user/list at Blastwave should probably
be subscribed to samba-announce, and similar lists for other packages
so security announcements are not missed.

Considering that one of your standards is "Efforts are focused on
providing a greater, more timely set of packages than SFW, while also
having consistency and dependencies that are not offered by
sunfreeware.com", it's fairly sad that SFW has actually updated the
package before Blastwave.

FWIW, Sun has actually updated the SFW packages that they distribute
to fix this problem.
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1

I really like the Blastwave distribution; after having SFW cause more
problems than it was worth, I was glad to have a friend tell me about
Blastwave.  If there is any way I can actually help rectify this
problem, please let me know.

-miah
_______________________________________________


Heys,

I was pretty much in the same boat as you are. Since I haven't got a
proper answer on this case, I have decided to ditch the CSW samba package
and build my own. It works great and I have no problems with it (now).

However - if you decide to do the same, I will give you a word of warning.
3.0.25b has a major flaw which, if you don't know about it, will send you and your
users absolutely bonkers. In short, your users will randomly be disconnected
(i.e. get error messages right in the middle of doing something with the mapped
share, stating that "the network path is no longer available") *and*, to top it off,
they will end up with corrupted or truncated files.

See: http://lists.samba.org/archive/samba/2007-July/133789.html for more details.
Also - to fix it - download the 3.0.25b sources and apply the patch located here:
https://bugzilla.samba.org/attachment.cgi?id=2827&action=view

Allegedly this patch will make it in 3.0.25c... whenever that happens.

At any rate - this crap took me 4 days to track down, and it was an absolute bastard of
a thing... it was mostly affecting just a very limited group of users, with a few spikes here
and there... nothing you could've put down to smbd being buggy. I even got to the point
where I suspected that the network driver dealing with NIC aggregation on Solaris was
brain-dead and reverted to a more "normal" configuration using IPMP.

Anyways, that's the warning. Choose your poison! :)

Ino!~
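As an added example (not code from either message or from the Samba or Blastwave projects), a small check that maps a Samba version string onto the affected ranges quoted above, so a packager can confirm which of the listed CVEs an installed build falls under. The suffix ordering it assumes (3.0.25pre1 < 3.0.25rc1 < 3.0.25 < 3.0.25a < 3.0.25b) and the sample inputs are constructed; a packaged build with backported fixes would need its changelog checked, since the version alone cannot show that.

```python
import re

# Ranges exactly as stated in the quoted message: inclusive "first"/"last"
# where a range is given, "fixed_in" where only the fixing release is named.
ADVISORIES = [
    {"cve": "CVE-2007-2444", "first": "3.0.23d", "last": "3.0.25pre2"},
    {"cve": "CVE-2007-2446", "first": "3.0.0", "last": "3.0.24"},
    {"cve": "CVE-2007-2447", "first": "3.0.0", "last": "3.0.24"},
    {"cve": "CVE-2007-0452", "fixed_in": "3.0.24"},
    {"cve": "CVE-2007-0453", "fixed_in": "3.0.24"},
    {"cve": "CVE-2007-0454", "fixed_in": "3.0.24"},
]

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:(pre|rc)(\d+)|([a-z]))?")


def version_key(text):
    """Turn a Samba 3.0.x version string into a sortable tuple.

    Assumed ordering: 3.0.25pre1 < 3.0.25rc1 < 3.0.25 < 3.0.25a < 3.0.25b.
    Accepts 'smbd -V' style output ('Version 3.0.23') and the Blastwave
    package string ('3.0.23,REV=2006.08.09b'); only the first x.y.z token
    and its immediate suffix are used.
    """
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no Samba version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage, num, letter = m.group(4), m.group(5), m.group(6)
    if stage == "pre":
        return (major, minor, patch, 0, int(num))
    if stage == "rc":
        return (major, minor, patch, 1, int(num))
    # Final release sorts after every pre/rc build; a letter suffix after it.
    return (major, minor, patch, 2, ord(letter) - ord("a") + 1 if letter else 0)


def affected_cves(version_text):
    """Return the CVEs from ADVISORIES whose stated range covers this version."""
    v = version_key(version_text)
    hits = []
    for adv in ADVISORIES:
        if "fixed_in" in adv:
            vulnerable = v < version_key(adv["fixed_in"])  # no lower bound stated
        else:
            vulnerable = version_key(adv["first"]) <= v <= version_key(adv["last"])
        if vulnerable:
            hits.append(adv["cve"])
    return hits


if __name__ == "__main__":
    # Constructed sample inputs: the Blastwave package and a current upstream.
    for sample in ("3.0.23,REV=2006.08.09b", "Version 3.0.25b"):
        print(sample, "->", affected_cves(sample) or "none of the listed CVEs")
```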