
Samba for Fedora Core 6

From:  simo <idra-AT-samba.org>
To:  "Samba User's List" <samba-AT-samba.org>
Subject:  [Fc6] was: Re: [Samba] [SECURITY] Buffer overrun in send_mailslot()
Date:  Mon, 10 Dec 2007 14:00:38 -0500
Message-ID:  <1197313238.31351.129.camel@localhost.localdomain>
Cc:  lista samba <samba-it-AT-xsec.it>, fedora-announce-list-AT-redhat.com, samba-technical <samba-technical-AT-lists.samba.org>

Fedora 7 and 8 packages are being released but as you may know FC6 has
reached EOL just recently.

As I think this is an important security problem I decided to release
new packages for FC6 so that people that have not yet finished their
migration to newer supported Fedora releases can buy some more time.

This is a one-off service I felt compelled to release to help people, I
am not going to do regular releases for FC6.

Packages here:
http://simo.fedorapeople.org/samba/

Simo.


On Mon, 2007-12-10 at 07:49 -0600, Gerald (Jerry) Carter wrote:
> ==========================================================
> ==
> == Subject:     Boundary failure in GETDC mailslot
> ==              processing can result in a buffer overrun
> ==
> == CVE ID#:     CVE-2007-6015
> ==
> == Versions:    Samba 3.0.0 - 3.0.27a (inclusive)
> ==
> == Summary:     Specifically crafted GETDC mailslot requests
> ==              can trigger a boundary error in the domain
> ==              controller GETDC mail slot support which
> ==              can be remotely exploited to execute arbitrary
> ==              code.
> ==
> ==========================================================
> 
> ===========
> Description
> ===========
> 
> Secunia Research reported a vulnerability that allows for
> the execution of arbitrary code in nmbd.  This defect can
> only be exploited when the "domain logons" parameter has
> been enabled in smb.conf.
> 
> 
> ==================
> Patch Availability
> ==================
> 
> A patch addressing this defect has been posted to
> 
>   http://www.samba.org/samba/security/
> 
> Additionally, Samba 3.0.28 has been issued as a security
> release to correct the defect.
> 
> 
> ==========
> Workaround
> ==========
> 
> Samba administrators may avoid this security issue by disabling
> both the "domain logons" options in the server's smb.conf file.
> Note that this will disable all domain controller features as
> well.
> 
> 
> =======
> Credits
> =======
> 
> This vulnerability was reported to Samba developers by
> Alin Rad Pop, Secunia Research.
> 
> The time line is as follows:
> 
> * Nov 22, 2007: Initial report to security@samba.org.
> * Nov 22, 2007: First response from Samba developers confirming
>   the bug along with a proposed patch.
> * Dec 10, 2007: Public security advisory made available.
> 
> 
> ==========================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ==========================================================
> 
> 
-- 
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Senior Software Engineer at Red Hat Inc. <ssorce@redhat.com>

-- 
fedora-announce-list mailing list
fedora-announce-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-announce-list



Really exploitable?

Posted Dec 11, 2007 22:30 UTC (Tue) by arjan (subscriber, #36785) [Link]

While I appreciate the service to the users... one has to wonder if this bug was actually
exploitable in practice with the various anti-buffer-overflow things in Fedora 6....

Really exploitable?

Posted Dec 12, 2007 18:12 UTC (Wed) by tialaramex (subscriber, #21167) [Link]

The answer is "probably if you tried hard enough" as usual. Most of the improvements in modern
operating systems (rather than improvements in the development process of the application
software) concentrate on script kiddies, making it difficult to create a "one size fits all"
exploit that will reliably break into huge numbers of servers. For the remaining bad guys,
people with a financial interest in unauthorised access or the occasional teenager with real
skill and an anti-social personality, such bolt-on security is rarely more than a minor
obstacle.

For example, ASLR means absolute address based attacks will usually do nothing or crash
instead of working. But what happens when your server crashes? Most likely it is automatically
restarted. This is no fun for a script kiddie. He pushes the button and nothing happens (or so
it seems). But a patient and determined attacker can fiddle with the parameters again and
again until they get it to work.

Or consider a Mandatory Access Control system like SELinux. A script kiddie might give up on
your servers when his exploit is refused permission to start a remote shell due to MAC. But a
sophisticated attacker could investigate the OS provided MAC settings, discover an oversight,
and use that to gain access to the machines by modifying the script kiddie's exploit to use
this flaw (e.g. writing into a user's home directory to make them execute a remote shell for
you during their next login).

Actually I don't much like the look of the "fix" either. Complicated comparisons like this
with the bad guy choosing the input values tend to be fragile. Without reading the surrounding
code I can't be sure, of course, it could be fine (maybe his input limit is UDP packet size,
which is much smaller than INT_MAX), but right now I'm kind of worried that he can force a
sign-wrap and bypass the checks or something.
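An added illustration of the sign-wrap concern raised in the comment above (a constructed example by the editor, not Samba's code and not the actual CVE-2007-6015 fix): two fragile length-check patterns beside a robust one, with a constructed sample datagram so the checks can be exercised.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example, not Samba's code: a fixed destination buffer like one
 * that would hold a field copied out of a received mailslot datagram. */
#define DEST_SIZE 64
static unsigned char dest[DEST_SIZE];

/* Constructed sample datagram: 2-byte header, then an 8-byte payload. */
static const unsigned char sample_pkt[] = {
    0x01, 0x00, 'S', 'A', 'M', 'B', 'A', 0x00, 0xAA, 0xBB
};

/* Fragile pattern 1: the length is read into a signed int and only checked
 * against the upper bound. A negative value passes and then becomes a huge
 * size_t at the memcpy. Returns 1 when the copy would be accepted. */
int fragile_len_check(int len)
{
    return len <= DEST_SIZE;
}

/* Fragile pattern 2: offset + len is computed before being compared, so a
 * large len wraps the sum around to a small value and the check passes. */
int fragile_sum_check(size_t offset, size_t len, size_t total)
{
    return offset + len <= total;
}

/* Robust check: unsigned sizes, subtraction instead of addition so nothing
 * can wrap, and the destination size enforced as well as the source size. */
int robust_check(size_t offset, size_t len, size_t total)
{
    if (offset > total)        return 0;  /* offset itself outside the packet */
    if (len > total - offset)  return 0;  /* total - offset cannot underflow here */
    if (len > DEST_SIZE)       return 0;  /* bound by the destination, not just the source */
    return 1;
}

/* Copy len bytes at offset from pkt into dest only when robust_check passes.
 * Returns the number of bytes copied, 0 when the request was rejected. */
size_t copy_field(const unsigned char *pkt, size_t pkt_len, size_t offset, size_t len)
{
    if (!robust_check(offset, len, pkt_len))
        return 0;
    memcpy(dest, pkt + offset, len);
    return len;
}
```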

Samba for Fedora Core 6

Posted Dec 12, 2007 1:24 UTC (Wed) by proski (subscriber, #104) [Link]

Rest in peace, Zod, the last and the best Fedora Core, we'll miss you dearly.

Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds