CVE-2006-3403: Memory exhaustion DoS against smbd

Related Vulnerabilities: CVE-2006-3403  

Debian Bug report logs - #378070

Reported by: Geoff Crompton <geoff.crompton@strategicdata.com.au>

Date: Thu, 13 Jul 2006 02:03:09 UTC

Severity: grave

Found in version samba/3.0.14a-3sarge1

Fixed in versions 3.0.14a-3sarge2, samba/3.0.23a-1

Done: Peter Eisentraut <petere@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#378070; Package samba.


Acknowledgement sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
New Bug report received and forwarded. Copy sent to peloy@debian.org (Eloy A. Paris).


Message #5 received at submit@bugs.debian.org:

From: Geoff Crompton <geoff.crompton@strategicdata.com.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-3403: Memory exhaustion DoS against smbd
Date: Thu, 13 Jul 2006 11:31:21 +1000
Package: samba
Version: 3.0.14a-3sarge1
Severity: grave

Samba have announced http://www.samba.org/samba/security/CAN-2006-3403.html,
and have a patch available. It affects all samba configurations, hence I
consider this grave.
I wouldn't be surprised if the security team is already aware of this.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-3-686-smp
Locale: LANG=en_AU, LC_CTYPE=en_AU (charmap=ISO-8859-1)

Versions of packages samba depends on:
ii  debconf [debconf-2.0] 1.4.30.13          Debian configuration management sy
ii  libacl1               2.2.23-1           Access control list shared library
ii  libc6                 2.3.2.ds1-22sarge3 GNU C Library: Shared libraries an
ii  libcomerr2            1.37-2sarge1       common error description library
ii  libcupsys2-gnutls10   1.1.23-10sarge1    Common UNIX Printing System(tm) - 
ii  libkrb53              1.3.6-2sarge2      MIT Kerberos runtime libraries
ii  libldap2              2.1.30-8           OpenLDAP libraries
ii  libpam-modules        0.76-22            Pluggable Authentication Modules f
ii  libpam-runtime        0.76-22            Runtime support for the PAM librar
ii  libpam0g              0.76-22            Pluggable Authentication Modules l
ii  logrotate             3.7-5              Log rotation utility
ii  netbase               4.21               Basic TCP/IP networking system
ii  samba-common          3.0.14a-3sarge1    Samba common files used by both th

-- debconf information excluded



Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#378070; Package samba.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris).


Message #10 received at 378070@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: Geoff Crompton <geoff.crompton@strategicdata.com.au>, 378070@bugs.debian.org
Subject: Re: Bug#378070: CVE-2006-3403: Memory exhaustion DoS against smbd
Date: Thu, 13 Jul 2006 07:56:02 +0200
Quoting Geoff Crompton (geoff.crompton@strategicdata.com.au):
> Package: samba
> Version: 3.0.14a-3sarge1
> Severity: grave
> 
> Samba have announced http://www.samba.org/samba/security/CAN-2006-3403.html,
> and have a patch available. It affects all samba configurations, hence I
> consider this grave.
> I wouldn't be surprised if the security team is already aware of this.


It is.

I tested a compile of the current sarge package to which I added the
patch provided by upstream (attached) but it failed:

Compiling lib/util.c
lib/util.c:2447: error: redefinition of `data_path'
lib/util.c:2392: error: `data_path' previously defined here
lib/util.c:2457: error: redefinition of `state_path'
lib/util.c:2402: error: `state_path' previously defined here
lib/util.c:2477: error: redefinition of `cache_path'
lib/util.c:2422: error: `cache_path' previously defined here
make[1]: *** [lib/util.o] Erreur 1
make[1]: Leaving directory `/home/bubulle/src/debian/samba/samba-3.0.14a/source'
make: *** [build-stamp] Erreur 2

[samba-3.0-CAN-2006-3403.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#378070; Package samba.


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris).


Message #15 received at 378070@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Christian Perrier <bubulle@debian.org>, 378070@bugs.debian.org
Cc: Geoff Crompton <geoff.crompton@strategicdata.com.au>
Subject: Re: Bug#378070: CVE-2006-3403: Memory exhaustion DoS against smbd
Date: Thu, 13 Jul 2006 01:20:14 -0700

On Thu, Jul 13, 2006 at 07:56:02AM +0200, Christian Perrier wrote:
> Quoting Geoff Crompton (geoff.crompton@strategicdata.com.au):
> > Package: samba
> > Version: 3.0.14a-3sarge1
> > Severity: grave

> > Samba have announced http://www.samba.org/samba/security/CAN-2006-3403.html,
> > and have a patch available. It affects all samba configurations, hence I
> > consider this grave.
> > I wouldn't be surprised if the security team is already aware of this.

> It is.

> I tested a compile of the current sarge package to which I added the
> patch provided by upstream (attached) but it failed:

> Compiling lib/util.c
> lib/util.c:2447: error: redefinition of `data_path'
> lib/util.c:2392: error: `data_path' previously defined here
> lib/util.c:2457: error: redefinition of `state_path'
> lib/util.c:2402: error: `state_path' previously defined here
> lib/util.c:2477: error: redefinition of `cache_path'
> lib/util.c:2422: error: `cache_path' previously defined here
> make[1]: *** [lib/util.o] Erreur 1
> make[1]: Leaving directory `/home/bubulle/src/debian/samba/samba-3.0.14a/source'
> make: *** [build-stamp] Erreur 2

This looks like you've gotten yourself a double-patched file.  Perhaps you
should try cleaning your build tree and trying again?

Anyway, it built for me and I've committed the patch to /branches/sarge. 
I'd be happy if someone else could follow through with the security team,
though.

BTW, I've downgraded this bug from 'grave' to 'important' since, according
to upstream's security advisory, it's a DoS rather than an exploitable
privilege escalation.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/



Information forwarded to debian-bugs-dist@lists.debian.org, peloy@debian.org (Eloy A. Paris):
Bug#378070; Package samba.


Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to peloy@debian.org (Eloy A. Paris).


Message #20 received at 378070@bugs.debian.org:

From: Christian Perrier <bubulle@debian.org>
To: team@security.debian.org
Cc: 378070@bugs.debian.org
Subject: Re: (forw) [SECURITY] Samba 3.0.1 - 3.0.22: memory exhaustion DoS against smbd
Date: Fri, 14 Jul 2006 08:23:22 +0200
Quoting Moritz Muehlenhoff (jmm@inutil.org):
> Christian Perrier wrote:
> > I briefly pinged Joey on IRC but certainly better to send this by
> > email.
> 
> Thanks, I'll prepare a DSA.

Fixed packages for sarge are ready in
http://www.perrier.eu.org/debian/packages

They're ready for upload to stable-security. As the devref mentions
that uploading to the security upload queue must be coordinated with
you, security team, I did of course *not* upload them.

The packages were prepared before #378070 was reported and thus the
changelog does not close that bug.

We still need to figure out what we will do for unstable and testing.

samba 3.0.22, which is in testing, is vulnerable to this bug. As we
were preparing 3.0.23, we should probably hurry to polish it and
upload it.


-- 




Bug marked as fixed in version 3.0.14a-3sarge2, send any further explanations to Geoff Crompton <geoff.crompton@strategicdata.com.au>. Request was from Peter Eisentraut <petere@debian.org> to control@bugs.debian.org.


Tags added: pending. Request was from Peter Eisentraut <petere@debian.org> to control@bugs.debian.org.


Reply sent to Peter Eisentraut <petere@debian.org>:
You have taken responsibility.


Notification sent to Geoff Crompton <geoff.crompton@strategicdata.com.au>:
Bug acknowledged by developer.


Message #29 received at 378070-close@bugs.debian.org:

From: Peter Eisentraut <petere@debian.org>
To: 378070-close@bugs.debian.org
Subject: Bug#378070: fixed in samba 3.0.23a-1
Date: Wed, 09 Aug 2006 08:12:53 -0700
Source: samba
Source-Version: 3.0.23a-1

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive:

libpam-smbpass_3.0.23a-1_i386.deb
  to pool/main/s/samba/libpam-smbpass_3.0.23a-1_i386.deb
libsmbclient-dev_3.0.23a-1_i386.deb
  to pool/main/s/samba/libsmbclient-dev_3.0.23a-1_i386.deb
libsmbclient_3.0.23a-1_i386.deb
  to pool/main/s/samba/libsmbclient_3.0.23a-1_i386.deb
python-samba_3.0.23a-1_i386.deb
  to pool/main/s/samba/python-samba_3.0.23a-1_i386.deb
samba-common_3.0.23a-1_i386.deb
  to pool/main/s/samba/samba-common_3.0.23a-1_i386.deb
samba-dbg_3.0.23a-1_i386.deb
  to pool/main/s/samba/samba-dbg_3.0.23a-1_i386.deb
samba-doc-pdf_3.0.23a-1_all.deb
  to pool/main/s/samba/samba-doc-pdf_3.0.23a-1_all.deb
samba-doc_3.0.23a-1_all.deb
  to pool/main/s/samba/samba-doc_3.0.23a-1_all.deb
samba_3.0.23a-1.diff.gz
  to pool/main/s/samba/samba_3.0.23a-1.diff.gz
samba_3.0.23a-1.dsc
  to pool/main/s/samba/samba_3.0.23a-1.dsc
samba_3.0.23a-1_i386.deb
  to pool/main/s/samba/samba_3.0.23a-1_i386.deb
samba_3.0.23a.orig.tar.gz
  to pool/main/s/samba/samba_3.0.23a.orig.tar.gz
smbclient_3.0.23a-1_i386.deb
  to pool/main/s/samba/smbclient_3.0.23a-1_i386.deb
smbfs_3.0.23a-1_i386.deb
  to pool/main/s/samba/smbfs_3.0.23a-1_i386.deb
swat_3.0.23a-1_i386.deb
  to pool/main/s/samba/swat_3.0.23a-1_i386.deb
winbind_3.0.23a-1_i386.deb
  to pool/main/s/samba/winbind_3.0.23a-1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 378070@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <petere@debian.org> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon,  7 Aug 2006 23:00:49 +0200
Source: samba
Binary: python-samba samba-doc-pdf samba-doc libsmbclient libpam-smbpass swat winbind smbclient samba libsmbclient-dev samba-common samba-dbg smbfs
Architecture: source i386 all
Version: 3.0.23a-1
Distribution: unstable
Urgency: medium
Maintainer: Eloy A. Paris <peloy@debian.org>
Changed-By: Peter Eisentraut <petere@debian.org>
Description: 
 libpam-smbpass - pluggable authentication module for SMB/CIFS password database
 libsmbclient - shared library that allows applications to talk to SMB/CIFS serve
 libsmbclient-dev - libsmbclient static libraries and headers
 python-samba - Python bindings that allow access to various aspects of Samba
 samba      - a LanManager-like file and printer server for Unix
 samba-common - Samba common files used by both the server and the client
 samba-dbg  - Samba debugging symbols
 samba-doc  - Samba documentation
 samba-doc-pdf - Samba documentation (PDF format)
 smbclient  - a LanManager-like simple client for Unix
 smbfs      - mount and umount commands for the smbfs (for kernels >= than 2.2.
 swat       - Samba Web Administration Tool
 winbind    - service to resolve user and group information from Windows NT ser
Closes: 168732 206672 262313 275241 288995 307257 307626 337070 350050 361204 363523 365618 367472 367507 369375 369403 369408 369457 369587 369730 369782 372632 374411 375104 376515 376991 378070 379246 380939 381557 381833
Changes: 
 samba (3.0.23a-1) unstable; urgency=medium
 .
   * New upstream release
 .
   * Fixes the following Debian bugs:
     - winbind: panic()s when started outside of a domain context.
       Closes: #337070
     - Make smbclient -L use RPC to list shares, fall back to RAP.
       Closes: #168732
     - Potential hang in nmbd. Upstream bug #3779. Closes: #367472
     - Typos in "ldap group suffix" in smb.conf(5) (upstream #3780).
       Closes: #367507
     - Erroneous permissions checks after 3.0.10 -> 3.0.14a
       (upstream #2591). Closes: #307626
     - Anonymous memory exhaustion DoS (CVE-2006-3403). Closes: #378070
     - ImportError exception raised when trying to import samba.smb
       (upstream #3567). Closes: #350050
     - Changed references from pam_pwdb to pam_unix (upstream #3225).
       Closes: #206672
     - SWAT segfault (upstream #3702). Closes: #363523
 .
   [ Adam Conrad ]
   * Fix typo in smb.conf that causes all samba apps to whine.
     Closes: #369782
   * Add myself to Uploaders, on the off chance that I might upload.
 .
   [ Debconf translations ]
   * Add Galician translation of debconf templates. Closes: #361204, #369403
   * Add Basque translation of debconf templates. Closes: #375104
   * Add Romanian translation of debconf templates. Closes: #379246
   * Add Khmer translation of debconf templates. Closes: #381833
   * Add Dzongkha translation of debconf templates.
   * Updated Russian. Closes: #369375
   * Updated Czech. Closes: #369408
   * Updated Japanese. Closes: #369457
   * Updated Italian. Closes: #369587
   * Updated Swedish. Closes: #369730
   * Updated Dutch. Closes: #376515
   * Updated Vietnamese. Closes: #381557
   * Updated French.
   * Updated Brazilian.
   * Updated Portuguese. Closes: #372632
   * Updated Arabic.
 .
   [ Christian Perrier ]
   * Add dependency on procps for samba, as ps is used in init scripts.
     Thanks to Bastian Blank for reporting. Closes: #365618
   * Rewrite debconf templates to be compliant with 6.5.2 of the Developer's
     Reference
   * Add support for /etc/default/winbind. Closes: #262313, #374411
     Thanks to Guido Guenther for the old patch and to Jérôme Warnier
     for reminding us about it.
   * Compile with --with-cifsmount which is now needed to properly compile
     mount.cifs and umount.cifs. See samba bug #3799
 .
   [ Peter Eisentraut ]
   * Use debian/compat instead of DH_COMPAT
   * Updated Standards-Version to 3.7.2 (no changes needed)
   * Replaced libsmbclient shlibs file by dh_makeshlibs call, so the
     required ldconfig calls appear in the maintainer scripts
   * Adjusted debian/rules to get 3.0.23rc1 to build
   * Updated to debhelper level 5
   * Rearranged dh_strip calls so that build succeeds with
     DEB_BUILD_OPTIONS=nostrip. Closes: #288995
   * Create /var/spool/samba and use it as default printer spool.
     Closes: #275241
   * Made winbind init script more careful about returning proper exit code
   * Added winbindd_priv group as owner of winbindd_privileged directory.
     Closes: #307257
   * Python transition preparations: renamed package to python-samba,
     removed hardcoded references to Python version 2.3. Closes: #380939
   * Removed unwanted swat debconf warning
   * Put localized swat messages into /usr/share/samba, where swat looks for
     them. Closes: #376991

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFE17iJTTx8oVVPtMYRAkBAAJ9GnS9b4p5tbOnMeHg6C2e1MPDiIwCeP8WJ
ygJFsrZCtF9i1zfTyHi5OTw=
=vLSO
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 10:30:06 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:59:51 2019; Machine Name: buxtehude
