CVE-2007-5398 remote code execution via NetBIOS replies

Debian Bug report logs - #451385
CVE-2007-5398 remote code execution via NetBIOS replies

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: submit@bugs.debian.org

Subject: CVE-2007-5398 remote code execution via NetBIOS replies

Date: Thu, 15 Nov 2007 16:48:41 +0100

[Message part 1 (text/plain, inline)]

Package: samba
Version: 3.0.24-6etch4
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for samba.

CVE-2007-5398:
| Secunia Research has discovered a vulnerability in Samba, which can be
| exploited by malicious people to compromise a vulnerable system.
| 
| The vulnerability is caused due to a boundary error within the 
| "reply_netbios_packet()" function in nmbd/nmbd_packets.c when sending
| NetBIOS replies. This can be exploited to cause a stack-based buffer
| overflow by sending multiple specially crafted WINS "Name Registration"
| requests followed by a WINS "Name Query" request.
| 
| Successful exploitation allows execution of arbitrary code, but
| requires that Samba is configured to run as a WINS server (the "wins
| support" option is enabled).

This information is from:
http://secunia.com/secunia_research/2007-90/advisory/

Mitre did not yet published it but it will be available later on [0].
Please also see: http://us1.samba.org/samba/security/CVE-2007-4572.html
and http://us1.samba.org/samba/ftp/patches/security/samba-3.0.26a-CVE-2007-5398.patch
for the patch.

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5398

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #10 received at 451385@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: Nico Golde <nion@debian.org>, 451385@bugs.debian.org

Subject: Re: Bug#451385: CVE-2007-5398 remote code execution via NetBIOS replies

Date: Thu, 15 Nov 2007 09:30:59 -0800

notfound 451385 3.0.24-6etch4
found 451385 3.0.14a-1
close 451385 3.0.14a-3sarge7
thanks

On Thu, Nov 15, 2007 at 04:48:41PM +0100, Nico Golde wrote:
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for samba.

Yes, upstream keeps us informed of pending security issues and fixed
packages are already in process, thanks.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Message #21 received at 451385@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: Nico Golde <nion@debian.org>, 451385@bugs.debian.org

Subject: Re: [Pkg-samba-maint] Bug#451385: CVE-2007-5398 remote code execution via NetBIOS replies

Date: Thu, 15 Nov 2007 17:41:43 +0000

[Message part 1 (text/plain, inline)]

Quoting Nico Golde (nion@debian.org):
> Package: samba
> Version: 3.0.24-6etch4
> Severity: grave
> Tags: security patch
> 
> Hi,
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for samba.


Thanks for caring to report. We were indeed aware of the issue as
upstream kindly keeps up posted before the unveil embargoed security
issues.

As a consequence, we are all working on fixes for sarge, etch, and
lenny.

[signature.asc (application/pgp-signature, inline)]

Message #26 received at 451385@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 451385@bugs.debian.org

Subject: Re: [Pkg-samba-maint] Bug#451385: CVE-2007-5398 remote code execution via NetBIOS replies

Date: Thu, 15 Nov 2007 19:42:53 +0100

[Message part 1 (text/plain, inline)]

Hi,
* Christian Perrier <bubulle@debian.org> [2007-11-15 19:31]:
> Quoting Nico Golde (nion@debian.org):
[...] 
> > the following CVE (Common Vulnerabilities & Exposures) id was
> > published for samba.
> 
> Thanks for caring to report. We were indeed aware of the issue as
> upstream kindly keeps up posted before the unveil embargoed security
> issues.
> 
> As a consequence, we are all working on fixes for sarge, etch, and
> lenny.

I also saw Steves mail, great thanks!
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

[Message part 2 (application/pgp-signature, inline)]

Message #31 received at 451385-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: 451385-close@bugs.debian.org

Subject: Bug#451385: fixed in samba 3.0.27-1

Date: Thu, 15 Nov 2007 21:02:12 +0000

Source: samba
Source-Version: 3.0.27-1

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive:

libpam-smbpass_3.0.27-1_amd64.deb
  to pool/main/s/samba/libpam-smbpass_3.0.27-1_amd64.deb
libsmbclient-dev_3.0.27-1_amd64.deb
  to pool/main/s/samba/libsmbclient-dev_3.0.27-1_amd64.deb
libsmbclient_3.0.27-1_amd64.deb
  to pool/main/s/samba/libsmbclient_3.0.27-1_amd64.deb
samba-common_3.0.27-1_amd64.deb
  to pool/main/s/samba/samba-common_3.0.27-1_amd64.deb
samba-dbg_3.0.27-1_amd64.deb
  to pool/main/s/samba/samba-dbg_3.0.27-1_amd64.deb
samba-doc-pdf_3.0.27-1_all.deb
  to pool/main/s/samba/samba-doc-pdf_3.0.27-1_all.deb
samba-doc_3.0.27-1_all.deb
  to pool/main/s/samba/samba-doc_3.0.27-1_all.deb
samba_3.0.27-1.diff.gz
  to pool/main/s/samba/samba_3.0.27-1.diff.gz
samba_3.0.27-1.dsc
  to pool/main/s/samba/samba_3.0.27-1.dsc
samba_3.0.27-1_amd64.deb
  to pool/main/s/samba/samba_3.0.27-1_amd64.deb
samba_3.0.27.orig.tar.gz
  to pool/main/s/samba/samba_3.0.27.orig.tar.gz
smbclient_3.0.27-1_amd64.deb
  to pool/main/s/samba/smbclient_3.0.27-1_amd64.deb
smbfs_3.0.27-1_amd64.deb
  to pool/main/s/samba/smbfs_3.0.27-1_amd64.deb
swat_3.0.27-1_amd64.deb
  to pool/main/s/samba/swat_3.0.27-1_amd64.deb
winbind_3.0.27-1_amd64.deb
  to pool/main/s/samba/winbind_3.0.27-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 451385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 15 Nov 2007 11:46:17 -0800
Source: samba
Binary: samba-doc-pdf samba-doc libsmbclient libpam-smbpass swat winbind smbclient samba libsmbclient-dev samba-common samba-dbg smbfs
Architecture: source amd64 all
Version: 3.0.27-1
Distribution: unstable
Urgency: low
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-smbpass - pluggable authentication module for SMB/CIFS password database
 libsmbclient - shared library that allows applications to talk to SMB/CIFS serve
 libsmbclient-dev - libsmbclient static libraries and headers
 samba      - a LanManager-like file and printer server for Unix
 samba-common - Samba common files used by both the server and the client
 samba-dbg  - Samba debugging symbols
 samba-doc  - Samba documentation
 samba-doc-pdf - Samba documentation (PDF format)
 smbclient  - a LanManager-like simple client for Unix
 smbfs      - mount and umount commands for the smbfs (for kernels >= than 2.2.
 swat       - Samba Web Administration Tool
 winbind    - service to resolve user and group information from Windows NT ser
Closes: 346547 443230 444054 449422 450738 451270 451272 451385
Changes: 
 samba (3.0.27-1) unstable; urgency=low
 .
   * New upstream version
     - fixes a remote code execution vulnerability when running nmbd as a
       WINS server. (CVE-2007-5398; closes: #451385)
     - fixes a buffer overflow in nmbd when running as a domain controller
       during processing of GETDC logon server requests. (CVE-2007-4572)
 .
   [ Steve Langasek ]
   * fhs.patch: net usershares should also be stored under /var/lib, not under
     /var/run.  No transition handling in maintainer scripts, since this
     feature is not activated by default.
   * get_global_sam_sid-non-root.patch: avoid calling get_global_sam_sid()
     from smbpasswd -L or pam_smbpass when running as non-root, to avoid a
     foreseeable panic.  Closes: #346547, #450738.
   * usershare.patch: enable "user shares" by default in the server with a
     default limit of 100, to support user shares on both upgrades and new
     installs with no need to munge config files.  Thanks to Mathias Gug
     <mathiaz@ubuntu.com> for the patch.  Closes: #443230.
   * On Ubuntu, support autopopulating the sambashare group using the existing
     members of the admin group; no equivalent handling is done on Debian,
     because there doesn't seem to be an appropriate template group we can use
     that wouldn't be considered a privilege escalation for those users.
   * Update Samba to explicitly use the C locale when doing password changes,
     to account for Linux-PAM's recently adopted i18n support.
     Closes: #451272.
   * Enforce creation of the pid directory (/var/run/samba) in the samba
     init script, for compatibility with systems that use a tmpfs for
     /var/run.  Closes: #451270.
   * debian/patches/cups.patch, debian/NEWS: drop the patch to force bsd
     as the default printing system, as CUPS is now the dominant/default
     printing system for Linux.
 .
   [ Debconf translations ]
   * Hebrew added. Closes: #444054
 .
   [ Christian Perrier ]
   * Split fhs.patch into 3 separate patches to make upstream integration
     easier:
     - fhs-newpaths.patch: introduce new paths
     - fhs-filespaths.patch: assign files to new paths
     - fhs-assignpaths.patch: assign paths to FHS-compatible locations
   * Compile with DNS update support. Thanks to Matthias Gug for
     reporting and contributions from Launchpad's #156686
     Closes: #449422
Files: 
 f8637bb099323cfd69652674eafcb074 1361 net optional samba_3.0.27-1.dsc
 cff7854ea5947882954f30d2657e1a9d 18135175 net optional samba_3.0.27.orig.tar.gz
 35c31d506c8b0c4df3cc232e904672c4 199536 net optional samba_3.0.27-1.diff.gz
 a55152f55df4fa53b4730077d032452d 6974292 doc optional samba-doc_3.0.27-1_all.deb
 bede3c131468f090cb22988374ab975e 6610432 doc optional samba-doc-pdf_3.0.27-1_all.deb
 3a49a6d563b20ff117a563df7b58949e 4126010 net optional samba_3.0.27-1_amd64.deb
 7169a924a3cf245da659222ed7b016a9 3010890 net optional samba-common_3.0.27-1_amd64.deb
 338ac4174cce4537cec3b63788347b30 5224200 net optional smbclient_3.0.27-1_amd64.deb
 44bb61b40392d08297c980c2aae7cc2e 1028504 net optional swat_3.0.27-1_amd64.deb
 6afadf65e03d8ab5235e801d27297635 515994 otherosfs optional smbfs_3.0.27-1_amd64.deb
 815c75fe82388243b3e6213317f61497 503284 admin extra libpam-smbpass_3.0.27-1_amd64.deb
 05ac36813e02d2c63feacd657bf4e48b 947886 libs optional libsmbclient_3.0.27-1_amd64.deb
 e8d90628bce4686a2051e7b771cefb5d 1267422 libdevel extra libsmbclient-dev_3.0.27-1_amd64.deb
 df77c1930ff707c1028a242ea1cc8e08 2427574 net optional winbind_3.0.27-1_amd64.deb
 b7694c856d87a761bcbc39b1ad28871f 20828640 devel extra samba-dbg_3.0.27-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHPKo5KN6ufymYLloRAoRnAKC6nRrANKr5ryBxw9b4o4UMrQY8HACgjfTq
U0KPpKaEcRBS5jUKFWZVCHE=
=0P5x
-----END PGP SIGNATURE-----

Message #36 received at 451385@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: control@bugs.debian.org

Cc: 451385@bugs.debian.org

Subject: closing 451385

Date: Sat, 24 Nov 2007 17:49:54 -0800

# Automatically generated email from bts, devscripts version 2.10.7
# also fixed in etch
close 451385 3.0.24-6etch5

Message #43 received at 451385-close@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: 451385-close@bugs.debian.org

Subject: Bug#451385: fixed in samba 3.0.24-6etch5

Date: Thu, 20 Dec 2007 19:54:12 +0000

Source: samba
Source-Version: 3.0.24-6etch5

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive:

libpam-smbpass_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/libpam-smbpass_3.0.24-6etch5_i386.deb
libsmbclient-dev_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/libsmbclient-dev_3.0.24-6etch5_i386.deb
libsmbclient_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/libsmbclient_3.0.24-6etch5_i386.deb
python-samba_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/python-samba_3.0.24-6etch5_i386.deb
samba-common_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/samba-common_3.0.24-6etch5_i386.deb
samba-dbg_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/samba-dbg_3.0.24-6etch5_i386.deb
samba-doc-pdf_3.0.24-6etch5_all.deb
  to pool/main/s/samba/samba-doc-pdf_3.0.24-6etch5_all.deb
samba-doc_3.0.24-6etch5_all.deb
  to pool/main/s/samba/samba-doc_3.0.24-6etch5_all.deb
samba_3.0.24-6etch5.diff.gz
  to pool/main/s/samba/samba_3.0.24-6etch5.diff.gz
samba_3.0.24-6etch5.dsc
  to pool/main/s/samba/samba_3.0.24-6etch5.dsc
samba_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/samba_3.0.24-6etch5_i386.deb
smbclient_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/smbclient_3.0.24-6etch5_i386.deb
smbfs_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/smbfs_3.0.24-6etch5_i386.deb
swat_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/swat_3.0.24-6etch5_i386.deb
winbind_3.0.24-6etch5_i386.deb
  to pool/main/s/samba/winbind_3.0.24-6etch5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 451385@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steve Langasek <vorlon@debian.org> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 13 Nov 2007 16:15:31 -0800
Source: samba
Binary: python-samba samba-doc-pdf samba-doc libsmbclient libpam-smbpass swat winbind smbclient samba libsmbclient-dev samba-common samba-dbg smbfs
Architecture: source i386 all
Version: 3.0.24-6etch5
Distribution: stable-security
Urgency: high
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Steve Langasek <vorlon@debian.org>
Description: 
 libpam-smbpass - pluggable authentication module for SMB/CIFS password database
 libsmbclient - shared library that allows applications to talk to SMB/CIFS serve
 libsmbclient-dev - libsmbclient static libraries and headers
 python-samba - Python bindings that allow access to various aspects of Samba
 samba      - a LanManager-like file and printer server for Unix
 samba-common - Samba common files used by both the server and the client
 samba-dbg  - Samba debugging symbols
 samba-doc  - Samba documentation
 samba-doc-pdf - Samba documentation (PDF format)
 smbclient  - a LanManager-like simple client for Unix
 smbfs      - mount and umount commands for the smbfs (for kernels >= than 2.2.
 swat       - Samba Web Administration Tool
 winbind    - service to resolve user and group information from Windows NT ser
Closes: 451385
Changes: 
 samba (3.0.24-6etch5) stable-security; urgency=high
 .
   * Fix a remote code execution vulnerability when running nmbd as a
     WINS server. (CVE-2007-5398, closes: #451385)
   * Fix a buffer overflow in nmbd when running as a domain controller
     during processing of GETDC logon server requests. (CVE-2007-4572)
Files: 
 c828613c5ad857f8abfe70c442237bc4 1425 net optional samba_3.0.24-6etch5.dsc
 3bcd30cc8acbfb025d02933089f49ddd 217271 net optional samba_3.0.24-6etch5.diff.gz
 6d5592789c1da6de9d51fc9ec74ae68e 6913352 doc optional samba-doc_3.0.24-6etch5_all.deb
 3148c88a9882d413a9a047e428c31a04 6599004 doc optional samba-doc-pdf_3.0.24-6etch5_all.deb
 a824bc521eb49df058677378d3748fcd 3261844 net optional samba_3.0.24-6etch5_i386.deb
 0a6eacc53831356d8cc8421efcbf4c8a 2381196 net optional samba-common_3.0.24-6etch5_i386.deb
 1e70a317af80cd7660d75dcb8ca1003d 3880562 net optional smbclient_3.0.24-6etch5_i386.deb
 989021d9ba9a9849fcc1fb63d282f304 793372 net optional swat_3.0.24-6etch5_i386.deb
 025f6ad977aa1f514f250a22c7074d80 412836 otherosfs optional smbfs_3.0.24-6etch5_i386.deb
 0db54383aaad978d587e85740ab8d72d 418896 admin extra libpam-smbpass_3.0.24-6etch5_i386.deb
 a17275e0ca39c3eadc849262ca5230dd 757994 libs optional libsmbclient_3.0.24-6etch5_i386.deb
 07e7b19040dac6833cd42a6f27241542 112394 libdevel extra libsmbclient-dev_3.0.24-6etch5_i386.deb
 4db7e2c0b8c79e47e96c6e3e475ce47a 1865830 net optional winbind_3.0.24-6etch5_i386.deb
 8d1dfa7ef86b265682b92fa46896107f 5661690 python optional python-samba_3.0.24-6etch5_i386.deb
 0d2c9ba880a4a72edcbe06c4e841c1fb 11886540 devel extra samba-dbg_3.0.24-6etch5_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHPMOQKN6ufymYLloRAqB/AJ4vItqsS5vml4ikdQtA7ZCx/Xy+cgCfXcN7
lP+Regxxm0s+vOdtiSkUG6U=
=g4gw
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.