Debian Bug report logs - #451385
CVE-2007-5398 remote code execution via NetBIOS replies
Reported by: Nico Golde <nion@debian.org>
Date: Thu, 15 Nov 2007 15:51:02 UTC
Severity: grave
Tags: patch, security
Found in version samba/3.0.14a-1
Fixed in versions 3.0.14a-3sarge7, samba/3.0.27-1, 3.0.24-6etch5
Done: Steve Langasek <vorlon@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#451385; Package samba.
Acknowledgement sent to Nico Golde <nion@debian.org>: New Bug report received and forwarded. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: samba
Version: 3.0.24-6etch4
Severity: grave
Tags: security patch
Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for samba.
CVE-2007-5398:
| Secunia Research has discovered a vulnerability in Samba, which can be
| exploited by malicious people to compromise a vulnerable system.
|
| The vulnerability is caused due to a boundary error within the
| "reply_netbios_packet()" function in nmbd/nmbd_packets.c when sending
| NetBIOS replies. This can be exploited to cause a stack-based buffer
| overflow by sending multiple specially crafted WINS "Name Registration"
| requests followed by a WINS "Name Query" request.
|
| Successful exploitation allows execution of arbitrary code, but
| requires that Samba is configured to run as a WINS server (the "wins
| support" option is enabled).
This information is from:
http://secunia.com/secunia_research/2007-90/advisory/
Mitre has not yet published it, but it will be available later on [0].
Please also see: http://us1.samba.org/samba/security/CVE-2007-4572.html
and http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007-5398.patch
for the patch.
If you fix this vulnerability please also include the CVE id
in your changelog entry.
For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
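A host-side check for the condition the quoted advisory describes (package older than the fix and "wins support" enabled), added here as an example; it is not part of the original bug log or of Samba or Debian tooling. The fixed versions are the ones listed in this log; the function names, the sample smb.conf and the handling of lines before any section header as global are assumptions.

```python
import re

# Fixed package versions as listed in this bug log, keyed by upstream version.
FIXED_BY_UPSTREAM = {"3.0.14a": "3.0.14a-3sarge7", "3.0.24": "3.0.24-6etch5"}
FIXED_DEFAULT = "3.0.27-1"  # the fixed upload to unstable

def _order(ch):
    # Debian ordering inside non-digit runs: '~' < end of string < letters < others.
    return -1 if ch == "~" else ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare one upstream or revision string by alternating non-digit/digit runs.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            ca = _order(na[i]) if i < len(na) else 0
            cb = _order(nb[i]) if i < len(nb) else 0
            if ca != cb:
                return -1 if ca < cb else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0

def _split(version):
    epoch, rest = version.split(":", 1) if ":" in version else ("0", version)
    upstream, dash, revision = rest.rpartition("-")
    return (epoch, upstream, revision) if dash else (epoch, rest, "")

def deb_cmp(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    results = (_cmp_part(a, b) for a, b in zip(_split(v1), _split(v2)))
    return next((r for r in results if r), 0)

def wins_support_enabled(conf_text):
    """True if [global] sets 'wins support' to a true value; the last setting wins."""
    section, enabled = "global", False  # assumption: lines before any header are global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.*)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        # Parameter names are matched ignoring case and embedded whitespace.
        if sep and section == "global" and re.sub(r"\s+", "", key).lower() == "winssupport":
            enabled = value.strip().lower() in ("yes", "true", "1")
    return enabled

def needs_attention(installed_version, conf_text):
    """Package predates the fix from this log AND nmbd is configured as a WINS server."""
    fixed = FIXED_BY_UPSTREAM.get(_split(installed_version)[1], FIXED_DEFAULT)
    return deb_cmp(installed_version, fixed) < 0 and wins_support_enabled(conf_text)

SAMPLE_CONF = "[global]\n  workgroup = EXAMPLE\n  wins support = yes\n"  # constructed sample
```

Feed it the output of `dpkg-query -W -f='${Version}' samba` and the contents of /etc/samba/smb.conf; backslash line continuations in smb.conf are not handled.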
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#451385; Package samba.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>.
Message #10 received at 451385@bugs.debian.org:
notfound 451385 3.0.24-6etch4
found 451385 3.0.14a-1
close 451385 3.0.14a-3sarge7
thanks
On Thu, Nov 15, 2007 at 04:48:41PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for samba.
Yes, upstream keeps us informed of pending security issues and fixed
packages are already in process, thanks.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon@debian.org http://www.debian.org/
Bug no longer marked as found in version 3.0.24-6etch4. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 15 Nov 2007 17:36:04 GMT)
Bug marked as found in version 3.0.14a-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 15 Nov 2007 17:36:05 GMT)
Bug marked as fixed in version 3.0.14a-3sarge7, send any further explanations to Nico Golde <nion@debian.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Thu, 15 Nov 2007 17:36:06 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#451385; Package samba.
Acknowledgement sent to Christian Perrier <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>.
Message #21 received at 451385@bugs.debian.org:
Quoting Nico Golde (nion@debian.org):
> Package: samba
> Version: 3.0.24-6etch4
> Severity: grave
> Tags: security patch
>
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for samba.
Thanks for caring to report. We were indeed aware of the issue as
upstream kindly keeps us posted before they unveil embargoed security
issues.
As a consequence, we are all working on fixes for sarge, etch, and
lenny.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#451385; Package samba.
Acknowledgement sent to Nico Golde <nion@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>.
Message #26 received at 451385@bugs.debian.org:
Hi,
* Christian Perrier <bubulle@debian.org> [2007-11-15 19:31]:
> Quoting Nico Golde (nion@debian.org):
[...]
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for samba.
>
> Thanks for caring to report. We were indeed aware of the issue as
> upstream kindly keeps us posted before they unveil embargoed security
> issues.
>
> As a consequence, we are all working on fixes for sarge, etch, and
> lenny.
I also saw Steve's mail, great thanks!
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #31 received at 451385-close@bugs.debian.org:
Source: samba
Source-Version: 3.0.27-1
We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive:
libpam-smbpass_3.0.27-1_amd64.deb
to pool/main/s/samba/libpam-smbpass_3.0.27-1_amd64.deb
libsmbclient-dev_3.0.27-1_amd64.deb
to pool/main/s/samba/libsmbclient-dev_3.0.27-1_amd64.deb
libsmbclient_3.0.27-1_amd64.deb
to pool/main/s/samba/libsmbclient_3.0.27-1_amd64.deb
samba-common_3.0.27-1_amd64.deb
to pool/main/s/samba/samba-common_3.0.27-1_amd64.deb
samba-dbg_3.0.27-1_amd64.deb
to pool/main/s/samba/samba-dbg_3.0.27-1_amd64.deb
samba-doc-pdf_3.0.27-1_all.deb
to pool/main/s/samba/samba-doc-pdf_3.0.27-1_all.deb
samba-doc_3.0.27-1_all.deb
to pool/main/s/samba/samba-doc_3.0.27-1_all.deb
samba_3.0.27-1.diff.gz
to pool/main/s/samba/samba_3.0.27-1.diff.gz
samba_3.0.27-1.dsc
to pool/main/s/samba/samba_3.0.27-1.dsc
samba_3.0.27-1_amd64.deb
to pool/main/s/samba/samba_3.0.27-1_amd64.deb
samba_3.0.27.orig.tar.gz
to pool/main/s/samba/samba_3.0.27.orig.tar.gz
smbclient_3.0.27-1_amd64.deb
to pool/main/s/samba/smbclient_3.0.27-1_amd64.deb
smbfs_3.0.27-1_amd64.deb
to pool/main/s/samba/smbfs_3.0.27-1_amd64.deb
swat_3.0.27-1_amd64.deb
to pool/main/s/samba/swat_3.0.27-1_amd64.deb
winbind_3.0.27-1_amd64.deb
to pool/main/s/samba/winbind_3.0.27-1_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 451385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated samba package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 15 Nov 2007 11:46:17 -0800
Source: samba
Binary: samba-doc-pdf samba-doc libsmbclient libpam-smbpass swat winbind smbclient samba libsmbclient-dev samba-common samba-dbg smbfs
Architecture: source amd64 all
Version: 3.0.27-1
Distribution: unstable
Urgency: low
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description:
libpam-smbpass - pluggable authentication module for SMB/CIFS password database
libsmbclient - shared library that allows applications to talk to SMB/CIFS serve
libsmbclient-dev - libsmbclient static libraries and headers
samba - a LanManager-like file and printer server for Unix
samba-common - Samba common files used by both the server and the client
samba-dbg - Samba debugging symbols
samba-doc - Samba documentation
samba-doc-pdf - Samba documentation (PDF format)
smbclient - a LanManager-like simple client for Unix
smbfs - mount and umount commands for the smbfs (for kernels >= than 2.2.
swat - Samba Web Administration Tool
winbind - service to resolve user and group information from Windows NT ser
Closes: 346547 443230 444054 449422 450738 451270 451272 451385
Changes:
samba (3.0.27-1) unstable; urgency=low
.
* New upstream version
- fixes a remote code execution vulnerability when running nmbd as a
WINS server. (CVE-2007-5398; closes: #451385)
- fixes a buffer overflow in nmbd when running as a domain controller
during processing of GETDC logon server requests. (CVE-2007-4572)
.
[ Steve Langasek ]
* fhs.patch: net usershares should also be stored under /var/lib, not under
/var/run. No transition handling in maintainer scripts, since this
feature is not activated by default.
* get_global_sam_sid-non-root.patch: avoid calling get_global_sam_sid()
from smbpasswd -L or pam_smbpass when running as non-root, to avoid a
foreseeable panic. Closes: #346547, #450738.
* usershare.patch: enable "user shares" by default in the server with a
default limit of 100, to support user shares on both upgrades and new
installs with no need to munge config files. Thanks to Mathias Gug
<mathiaz@ubuntu.com> for the patch. Closes: #443230.
* On Ubuntu, support autopopulating the sambashare group using the existing
members of the admin group; no equivalent handling is done on Debian,
because there doesn't seem to be an appropriate template group we can use
that wouldn't be considered a privilege escalation for those users.
* Update Samba to explicitly use the C locale when doing password changes,
to account for Linux-PAM's recently adopted i18n support.
Closes: #451272.
* Enforce creation of the pid directory (/var/run/samba) in the samba
init script, for compatibility with systems that use a tmpfs for
/var/run. Closes: #451270.
* debian/patches/cups.patch, debian/NEWS: drop the patch to force bsd
as the default printing system, as CUPS is now the dominant/default
printing system for Linux.
.
[ Debconf translations ]
* Hebrew added. Closes: #444054
.
[ Christian Perrier ]
* Split fhs.patch into 3 separate patches to make upstream integration
easier:
- fhs-newpaths.patch: introduce new paths
- fhs-filespaths.patch: assign files to new paths
- fhs-assignpaths.patch: assign paths to FHS-compatible locations
* Compile with DNS update support. Thanks to Matthias Gug for
reporting and contributions from Launchpad's #156686
Closes: #449422
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#451385; Package samba.
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>.
Message #36 received at 451385@bugs.debian.org:
# Automatically generated email from bts, devscripts version 2.10.7
# also fixed in etch
close 451385 3.0.24-6etch5
Bug marked as fixed in version 3.0.24-6etch5, send any further explanations to Nico Golde <nion@debian.org>. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sun, 25 Nov 2007 01:51:04 GMT)
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility.
Notification sent to Nico Golde <nion@debian.org>: Bug acknowledged by developer.
Message #43 received at 451385-close@bugs.debian.org:
Source: samba
Source-Version: 3.0.24-6etch5
We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive:
libpam-smbpass_3.0.24-6etch5_i386.deb
to pool/main/s/samba/libpam-smbpass_3.0.24-6etch5_i386.deb
libsmbclient-dev_3.0.24-6etch5_i386.deb
to pool/main/s/samba/libsmbclient-dev_3.0.24-6etch5_i386.deb
libsmbclient_3.0.24-6etch5_i386.deb
to pool/main/s/samba/libsmbclient_3.0.24-6etch5_i386.deb
python-samba_3.0.24-6etch5_i386.deb
to pool/main/s/samba/python-samba_3.0.24-6etch5_i386.deb
samba-common_3.0.24-6etch5_i386.deb
to pool/main/s/samba/samba-common_3.0.24-6etch5_i386.deb
samba-dbg_3.0.24-6etch5_i386.deb
to pool/main/s/samba/samba-dbg_3.0.24-6etch5_i386.deb
samba-doc-pdf_3.0.24-6etch5_all.deb
to pool/main/s/samba/samba-doc-pdf_3.0.24-6etch5_all.deb
samba-doc_3.0.24-6etch5_all.deb
to pool/main/s/samba/samba-doc_3.0.24-6etch5_all.deb
samba_3.0.24-6etch5.diff.gz
to pool/main/s/samba/samba_3.0.24-6etch5.diff.gz
samba_3.0.24-6etch5.dsc
to pool/main/s/samba/samba_3.0.24-6etch5.dsc
samba_3.0.24-6etch5_i386.deb
to pool/main/s/samba/samba_3.0.24-6etch5_i386.deb
smbclient_3.0.24-6etch5_i386.deb
to pool/main/s/samba/smbclient_3.0.24-6etch5_i386.deb
smbfs_3.0.24-6etch5_i386.deb
to pool/main/s/samba/smbfs_3.0.24-6etch5_i386.deb
swat_3.0.24-6etch5_i386.deb
to pool/main/s/samba/swat_3.0.24-6etch5_i386.deb
winbind_3.0.24-6etch5_i386.deb
to pool/main/s/samba/winbind_3.0.24-6etch5_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 451385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated samba package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Tue, 13 Nov 2007 16:15:31 -0800
Source: samba
Binary: python-samba samba-doc-pdf samba-doc libsmbclient libpam-smbpass swat winbind smbclient samba libsmbclient-dev samba-common samba-dbg smbfs
Architecture: source i386 all
Version: 3.0.24-6etch5
Distribution: stable-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description:
libpam-smbpass - pluggable authentication module for SMB/CIFS password database
libsmbclient - shared library that allows applications to talk to SMB/CIFS serve
libsmbclient-dev - libsmbclient static libraries and headers
python-samba - Python bindings that allow access to various aspects of Samba
samba - a LanManager-like file and printer server for Unix
samba-common - Samba common files used by both the server and the client
samba-dbg - Samba debugging symbols
samba-doc - Samba documentation
samba-doc-pdf - Samba documentation (PDF format)
smbclient - a LanManager-like simple client for Unix
smbfs - mount and umount commands for the smbfs (for kernels >= than 2.2.
swat - Samba Web Administration Tool
winbind - service to resolve user and group information from Windows NT ser
Closes: 451385
Changes:
samba (3.0.24-6etch5) stable-security; urgency=high
.
* Fix a remote code execution vulnerability when running nmbd as a
WINS server. (CVE-2007-5398, closes: #451385)
* Fix a buffer overflow in nmbd when running as a domain controller
during processing of GETDC logon server requests. (CVE-2007-4572)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 18 Jan 2008 07:37:28 GMT)
Last modified: Wed Jun 19 15:50:15 2019