CERT/CC Vulnerability Note VU#958321

Overview

A remotely exploitable stack buffer overflow exists in the Samba server daemon (smbd).

Description

Versions 2.2.2 through 2.2.6 of Samba contain a remotely exploitable stack buffer overflow. The Samba Team describes Samba as follows:

The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS), LanManager or NetBIOS protocol.
The Samba Team describes the vulnerability as follows:
There was a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. The attach would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.

Impact

A remote attacker can execute arbitrary code with superuser privileges or can cause smbd to crash.

Solution

Apply a patch from your vendor.

Vendor Information

958321

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Conectiva Affected

Debian Affected

Gentoo Linux Affected

Hewlett-Packard Company Affected

Updated: December 12, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Support Information Digests

=============================================================================== o Security Bulletin Digest Split ------------------------------
The security bulletins digest has been split into multiple digests based on the operating system (HP-UX, MPE/iX, and HP Secure OS Software for Linux). You will continue to receive all security bulletin digests unless you choose to update your subscriptions.
To update your subscriptions, use your browser to access the IT Resource Center on the World Wide Web at:
http://support.itrc.hp.com/
Under the Maintenance and Support Menu, click on the "more..." link. Then use the 'login' link at the left side of the screen to login using your IT Resource Center User ID and Password.
Under the notifications section (near the bottom of the page), select Support Information Digests.
To subscribe or unsubscribe to a specific security bulletin digest, select or unselect the checkbox beside it. Then click the "Update Subscriptions" button at the bottom of the page.
o IT Resource Center World Wide Web Service ---------------------------------------------------
If you subscribed through the IT Resource Center and would like to be REMOVED from this mailing list, access the IT Resource Center on the World Wide Web at:
http://support.itrc.hp.com/
Login using your IT Resource Center User ID and Password. Then select Support Information Digests (located under Maintenance and Support). You may then unsubscribe from the appropriate digest. ===============================================================================

Digest Name: daily HP-UX security bulletins digest Created: Wed Dec 11 6:00:03 EST 2002
Table of Contents:
Document ID Title --------------- ----------- HPSBUX0212-232 SSRT2370 Sec. Vulnerability with ntpd on HP-UX HPSBUX0212-230 SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2 2 HPSBUX0212-231 SSRT2434 Sec. vulnerability with HP-UX Visualize Conference
The documents are listed below. -------------------------------------------------------------------------------

Document ID: HPSBUX0212-232 Date Loaded: 20021210 Title: SSRT2370 Sec. Vulnerability with ntpd on HP-UX
TEXT

----------------------------------------------------------------- Source: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0212-233 Originally issued: 10 Dec 2002 SSRT2370 Sec. Vulnerability with ntpd on HP-UX -----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact.
The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.
------------------------------------------------------------------ PROBLEM: xntpd software may HANG or exhibit extremely poor performance.
IMPACT: Potential denial of service (DoS).
PLATFORM: HP 9000 Series 700 and 800 running HP-UX releases 10.20, 10.24, 11.00, 11.04 and 11.11 using the xntpd software.
SOLUTION: Retrieve and apply the following patches:
for HP-UX 10.20: PHNE_24510 for HP-UX 10.24(VVOS): PHNE_28002 for HP-UX 11.00: PHNE_27223 for HP-UX 11.04(VVOS): PHNE_27442 for HP-UX 11.11: PHNE_24512
MANUAL ACTIONS: No
AVAILABILITY: All patches are currently available from <itrc.hp.com>. ------------------------------------------------------------------ A. Background Some HP-UX systems running the latest xntpd software may HANG or exhibit extremely poor performance.
B. Recommended solution HP has made available a patch to upgrade NTP timeservices. Retrieve and apply the following patches to affected systems. for HP-UX 10.20: PHNE_24510 10.24(VVOS): PHNE_28002 11.00: PHNE_27223 11.04(VVOS): PHNE_27442 11.11: PHNE_24512
The patches do not require a reboot. The problem is fixed in HP-UX release 11.22.
C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:
Use your browser to get to the HP IT Resource Center page at:
http://itrc.hp.com
Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password.
In the left most frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of the page), select "Support Information Digests".
To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.
To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems.
For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA
The security patch matrix is also available via anonymous ftp:
ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive".
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.
------------------------------------------------------------------
(c) Copyright 2002 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners.
________________________________________________________________ -- -----End of Document ID: HPSBUX0212-232--------------------------------------

Document ID: HPSBUX0212-230 Date Loaded: 20021210 Title: SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2 2
TEXT

----------------------------------------------------------------- Source: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0212-0230 Originally issued: 10 Dec 2002 SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2.2 -----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact.
The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.
------------------------------------------------------------------ PROBLEM: CIFS/9000 Server 2.2 buffer overflow vulnerability.
IMPACT: Potential root access.
PLATFORM: HP 9000 servers running the following CIFS Server versions:
- A.01.08 - A.01.08.01 - A.01.09
SOLUTION: Update to CIFS Server 2.2 version A.01.09.01
MANUAL ACTIONS: Yes - Update to version A.01.09.01
AVAILABILITY: CIFS Server 2.2 version A.01.09.01 is currently available from: <http://www.software.hp.com/NSM_products_list.html>
------------------------------------------------------------------
A. Background A buffer overrun has been discovered in the HP CIFS Server version A.01.09 and earlier. There is no known exploit of this vulnerability, and the Samba Team has not been able to craft one themselves. Nevertheless, the Samba Team has judged the vulnerability significant and announced the defect and fix in their latest release. HP has integrated the fix into the latest release of CIFS Server 2.2 For additional details, see: http://www.samba.org/samba/whatsnew/samba-2.2.7.html
B. Recommended solution Upgrade to CIFS Server 2.2 version A.01.09.01 which is currently available from:
<http://www.software.hp.com/NSM_products_list.html>
It is the product B8725AA, CIFS/9000 Server 2.2.c.

C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:
Use your browser to get to the HP IT Resource Center page at:
http://itrc.hp.com
Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password.
In the left most frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of the page), select "Support Information Digests". To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.
To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems.
For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=3DB6834AA
The security patch matrix is also available via anonymous ftp:
ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive".
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.
------------------------------------------------------------------
(c) Copyright 2002 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners.
________________________________________________________________ -- -----End of Document ID: HPSBUX0212-230--------------------------------------

Document ID: HPSBUX0212-231 Date Loaded: 20021210 Title: SSRT2434 Sec. vulnerability with HP-UX Visualize Conference
TEXT

----------------------------------------------------------------- Source: HEWLETT-PACKARD COMPANY SECURITY BULLETIN: HPSBUX0212-231 Originally issued: 11 December 2002 SSRT2434 Security vulnerability with HP-UX Visualize Conference -----------------------------------------------------------------
NOTICE: There are no restrictions for distribution of this Bulletin provided that it remains complete and intact.
The information in the following Security Bulletin should be acted upon as soon as possible. Hewlett-Packard Company will not be liable for any consequences to any customer resulting from customer's failure to fully implement instructions in this Security Bulletin as soon as possible.
------------------------------------------------------------------ PROBLEM: The installation of HP-UX Visualize Conference leaves certain directories with insecure permissions.
IMPACT: Potential increase in privileges, unauthorized access.
PLATFORM: HP 9000 Series 700 and 800, HP-UX 11.00 and 11.11 systems which have ever installed HP-UX Visualize Conference version B.11.00.11.
SOLUTION: Change the insecure directory permissions.
MANUAL ACTIONS: Yes - NonUpdate Change ownership and permissions as follows: /etc/dt 755 bin/bin /etc/dt/appconfig 755 root/sys /etc/dt/appconfig/icons 755 root/sys /etc/dt/appconfig/icons/C 755 root/sys /etc/dt/appconfig/types 755 root/sys /etc/dt/appconfig/types/C 755 root/sys
AVAILABILITY: This bulletin will be revised when a product update is available. ------------------------------------------------------------------ A. Background If HP-UX Visualize Conference version B.11.00.11 has ever been installed on an 11.00 or 11.11 system the permissions of certain directories may be insecure.
The installation of HP-UX Visualize Conference may leave certain directories with insecure permissions. The vulnerability is not with the HP-UX Visualize Conference product itself, but rather with the state of the directory
permissions after HP-UX Visualize Conference has been installed. The vulnerability remains even after HP-UX Visualize Conference is removed.
The problem arises if the directories do not exist at the time HP-UX Visualize Conference version B.11.00.11 is installed. Therefore not all systems with HP-UX Visualize Conference version B.11.00.11 are vulnerable. Also once the directory permissions are corrected a subsequent reinstallation of HP-UX Visualize Conference version B.11.00.11 will not alter the permissions.
B. Recommended solution
Change the insecure directory permissions using the following procedure or the equivalent:
As root create a script "chown_chmod":
#!/sbin/sh # chown_chmod root:sys 755 file chown $1$ 3 chmod $2$ 3
Then:
chown_chmod bin:bin 755 /etc/dt chown_chmod root:sys 755 /etc/dt/appconfig chown_chmod root:sys 755 /etc/dt/appconfig/icons chown_chmod root:sys 755 /etc/dt/appconfig/icons/C chown_chmod root:sys 755 /etc/dt/appconfig/types chown_chmod root:sys 755 /etc/dt/appconfig/types/C

C. To subscribe to automatically receive future NEW HP Security Bulletins from the HP IT Resource Center via electronic mail, do the following:
Use your browser to get to the HP IT Resource Center page at:
http://itrc.hp.com
Use the 'Login' tab at the left side of the screen to login using your ID and password. Use your existing login or the "Register" button at the left to create a login, in order to gain access to many areas of the ITRC. Remember to save the User ID assigned to you, and your password.
In the left most frame select "Maintenance and Support".
Under the "Notifications" section (near the bottom of the page), select "Support Information Digests".
To -subscribe- to future HP Security Bulletins or other Technical Digests, click the check box (in the left column) for the appropriate digest and then click the "Update Subscriptions" button at the bottom of the page.
or
To -review- bulletins already released, select the link (in the middle column) for the appropriate digest.
To -gain access- to the Security Patch Matrix, select the link for "The Security Bulletins Archive". (near the bottom of the page) Once in the archive the third link is to the current Security Patch Matrix. Updated daily, this matrix categorizes security patches by platform/OS release, and by bulletin topic. Security Patch Check completely automates the process of reviewing the patch matrix for 11.XX systems.
For information on the Security Patch Check tool, see: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/ displayProductInfo.pl?productNumber=B6834AA
The security patch matrix is also available via anonymous ftp:
ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/
On the "Support Information Digest Main" page: click on the "HP Security Bulletin Archive".
D. To report new security vulnerabilities, send email to
security-alert@hp.com
Please encrypt any exploit information using the security-alert PGP key, available from your local key server, or by sending a message with a -subject- (not body) of 'get key' (no quotes) to security-alert@hp.com.
------------------------------------------------------------------
(c)Copyright 2002 Hewlett-Packard Company Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of HP products referenced herein are trademarks and/or service marks of Hewlett-Packard Company. Other product and company names mentioned herein may be trademarks and/or service marks of their respective owners.
________________________________________________________________ -----End of Document ID: HPSBUX0212-231--------------------------------------

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Updated: December 13, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

________________________________________________________________________
Mandrake Linux Security Update Advisory ________________________________________________________________________
Package name: samba Advisory ID: MDKSA-2002:081 Date: November 25th, 2002
Affected versions: 8.1, 8.2, 9.0 ________________________________________________________________________
Problem Description:
A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered by the Debian samba maintainers. A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. This attack would have to crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.
This vulnerability has been fixed in samba version 2.2.7, and the updated packages have had a patch applied to fix the problem. ________________________________________________________________________
References:
http://www.samba.org/samba/whatsnew/samba-2.2.7.html________________________________________________________________________
Updated Packages:
Mandrake Linux 8.1: b10451e71a1ba27d45956f57fb203118 8.1/RPMS/samba-2.2.2-3.3mdk.i586.rpm 22a6f9977518bbe2923ec7d2f68a698e 8.1/RPMS/samba-client-2.2.2-3.3mdk.i586.rpm 74d59e5578aaa0a23e760c828a6d8688 8.1/RPMS/samba-common-2.2.2-3.3mdk.i586.rpm 6d6a2835fd6e21b4c93dbaa5fe6f2d13 8.1/RPMS/samba-doc-2.2.2-3.3mdk.i586.rpm 4c7511781a263f633cab5bf1831ad69b 8.1/SRPMS/samba-2.2.2-3.3mdk.src.rpm
Mandrake Linux 8.1/IA64: 2456e2af90d2e71e877a16f2ff034c73 ia64/8.1/RPMS/samba-2.2.2-3.3mdk.ia64.rpm 66043b111988d82d2800763950ea07e3 ia64/8.1/RPMS/samba-client-2.2.2-3.3mdk.ia64.rpm 6954d750eae921eece5e1e2ece9c42e5 ia64/8.1/RPMS/samba-common-2.2.2-3.3mdk.ia64.rpm cf5545988b8d07299b776a25d6dc2e56 ia64/8.1/RPMS/samba-doc-2.2.2-3.3mdk.ia64.rpm 4c7511781a263f633cab5bf1831ad69b ia64/8.1/SRPMS/samba-2.2.2-3.3mdk.src.rpm
Mandrake Linux 8.2: 5552fadd8509fc7222099f88dad0f5a9 8.2/RPMS/nss_wins-2.2.3a-10.1mdk.i586.rpm 58da182a9a84a02010ddaf939e97bc7c 8.2/RPMS/samba-2.2.3a-10.1mdk.i586.rpm 91dcff33758dca1ca9a4779186a6917d 8.2/RPMS/samba-client-2.2.3a-10.1mdk.i586.rpm ce98076728c73ca79b78fc9d69b94b47 8.2/RPMS/samba-common-2.2.3a-10.1mdk.i586.rpm 983c2de083b240971026bb054b449fde 8.2/RPMS/samba-doc-2.2.3a-10.1mdk.i586.rpm fe4c7a8ebedede8ac10ff98eac2b84a5 8.2/RPMS/samba-swat-2.2.3a-10.1mdk.i586.rpm ec00eed80e135dd79b56608bbd2c0574 8.2/RPMS/samba-winbind-2.2.3a-10.1mdk.i586.rpm 5677dee51659f50acee4e55346ca737d 8.2/SRPMS/samba-2.2.3a-10.1mdk.src.rpm
Mandrake Linux 8.2/PPC: 32e41a8c06f1b5b24b13de0f65dfa3cc ppc/8.2/RPMS/nss_wins-2.2.3a-10.1mdk.ppc.rpm 275bf7b8a2792e11bf94dc24557f8ebc ppc/8.2/RPMS/samba-2.2.3a-10.1mdk.ppc.rpm 66232f77afcacc83090e3cf848717962 ppc/8.2/RPMS/samba-client-2.2.3a-10.1mdk.ppc.rpm 912ccb4cc81f89de6de871aa1c4833c0 ppc/8.2/RPMS/samba-common-2.2.3a-10.1mdk.ppc.rpm af73612d4ea52c4a391ca75afd0dae8b ppc/8.2/RPMS/samba-doc-2.2.3a-10.1mdk.ppc.rpm 2117cd7af96f6467c867faef73a425b6 ppc/8.2/RPMS/samba-swat-2.2.3a-10.1mdk.ppc.rpm ab0402b7173a04be1cbc6c415807b98a ppc/8.2/RPMS/samba-winbind-2.2.3a-10.1mdk.ppc.rpm 5677dee51659f50acee4e55346ca737d ppc/8.2/SRPMS/samba-2.2.3a-10.1mdk.src.rpm
Mandrake Linux 9.0: 25b264e1b5ee43b26d861f5b5e07d7d2 9.0/RPMS/nss_wins-2.2.7-2.1mdk.i586.rpm 619a0506a84d25099ca0653be0f5fd3a 9.0/RPMS/samba-client-2.2.7-2.1mdk.i586.rpm d7ed710067f71285cc616fe07efd7753 9.0/RPMS/samba-common-2.2.7-2.1mdk.i586.rpm 2b5667097a398ef87e9e721c26bb613b 9.0/RPMS/samba-doc-2.2.7-2.1mdk.i586.rpm ff124b4103dd84e51f5be82dd9244b1f 9.0/RPMS/samba-server-2.2.7-2.1mdk.i586.rpm a7b976a81f59d7ce7111cb5f44d89bcd 9.0/RPMS/samba-swat-2.2.7-2.1mdk.i586.rpm 0859d8665e9d2ea2f1f96365a7456e3f 9.0/RPMS/samba-winbind-2.2.7-2.1mdk.i586.rpm b93cd8ca9319a628ee7015bbd5d2196e 9.0/SRPMS/samba-2.2.7-2.1mdk.src.rpm ________________________________________________________________________
Bug IDs fixed (see https://qa.mandrakesoft.com for more information): ________________________________________________________________________
To upgrade automatically, use MandrakeUpdate. The verification of md5 checksums and GPG signatures is performed automatically for you.
If you want to upgrade manually, download the updated package from one of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm". A list of FTP mirrors can be obtained from:
http://www.mandrakesecure.net/en/ftp.php
Please verify the update prior to upgrading to ensure the integrity of the downloaded package. You can do this with the command:
rpm --checksig <filename>
All packages are signed by MandrakeSoft for security. You can obtain the GPG public key of the Mandrake Linux Security Team from:
https://www.mandrakesecure.net/RPM-GPG-KEYS
Please be aware that sometimes it takes the mirrors a few hours to update.
You can view other update advisories for Mandrake Linux at:
http://www.mandrakesecure.net/en/advisories/
MandrakeSoft has several security-related mailing list services that anyone can subscribe to. Information on these lists can be obtained by visiting:
http://www.mandrakesecure.net/en/mlist.php
If you want to report vulnerabilities, please contact
security_linux-mandrake.com
Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>
- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.7 (GNU/Linux)
mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7 WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulqIRgQQEQIA BgUCOtNVGQAKCRBZ5w3um0pAJJWQAKDUoL5He+mKbfrMaTuyU5lmRyJ0fwCgoFAP WdvQlu/kFjphF740XeOwtOqIRgQQEQIABgUCOu8A6QAKCRBynDnb9lq3CnpjAJ4w Pk0SEE9U4r40IxWpwLU+wrWVugCdFfSPllPpZRCiaC7HwbFcfExRmPaIRgQQEQIA BgUCPI+UAwAKCRDniYrgcHcf8xK5AKCm/Mq8qP8GE0o1hEX22QsJMZwH5gCfZ72H 8TacOb3oAmBdprf+K6gkdOiIRgQQEQIABgUCOtOieAAKCRCv2bZyU0yB80MeAJ9K +jXt0cKuaUonRU+CRGetk6t9dgCfTRRL6/puOKdD6md70+K5EBBSvsG0OE1hbmRy YWtlIExpbnV4IFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QG1hbmRyYWtlc29mdC5j b20+iFcEExECABcFAjyPnuUFCwcKAwQDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmFi+ AJsHhohgnU3ik4+gy3EdFlB2i/MBoACg6lHn5cnVvTcmgNccWxeNxLLZI5e5AQ0E OWnn7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ 9F779FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzR xBXVJb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z 269s+A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN 6SCXVl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZ jTcl3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo 0NAiRYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJ EJGXlA== =yGlX - -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE94uCrmqjQ0CJFipgRAtH9AKDZ5fi6/mGdx4HldnVAgaWwTGSzDgCg53+K XVuJ3G64lSEO7Q2wvP4C2zo= =CVQZ -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat Inc. Affected

Updated: December 13, 2002

Status

Affected

Vendor Statement

--------------------------------------------------------------------- Red Hat, Inc. Red Hat Security Advisory

Synopsis: New samba packages available to fix potential security vulnerability Advisory ID: RHSA-2002:266-05 Issue date: 2002-11-22 Updated on: 2002-11-21 Product: Red Hat Linux Keywords: samba security encrypted password change Cross references: Obsoletes: ---------------------------------------------------------------------
1. Topic:
New samba packages are available that fix a security vulnerability present in samba versions 2.2.2 through 2.2.6. A potential attacker could gain root access on the target machine. It is strongly encouraged that all Samba users update to the fixed packages.
As of this time, there are no known exploits for this vulnerability.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386 Red Hat Linux 8.0 - i386
3. Problem description:
There was a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password, could be used as a buffer overrun attack on smbd's stack. The attack would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.
Thanks to the Debian Samba maintainers for discovering this issue, and to the Samba team for providing the fix (and the problem description text above.)
4. Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
To update all RPMs for your particular architecture, run:
rpm -Fvh [filenames]
where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs which are currently installed will be updated. Those RPMs which are not installed but included in the list will not be updated. Note that you can also use wildcards (*.rpm) if your current directory *only* contains the desired RPMs.
Please note that this update is also available via Red Hat Network. Many people find this an easier way to apply updates. To use Red Hat Network, launch the Red Hat Update Agent with the following command:
up2date
This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.
5. RPMs required:
Red Hat Linux 7.3:
SRPMS:ftp://updates.redhat.com/7.3/en/os/SRPMS/samba-2.2.7-1.7.3.src.rpm
i386:ftp://updates.redhat.com/7.3/en/os/i386/samba-2.2.7-1.7.3.i386.rpmftp://updates.redhat.com/7.3/en/os/i386/samba-common-2.2.7-1.7.3.i386.rpmftp://updates.redhat.com/7.3/en/os/i386/samba-client-2.2.7-1.7.3.i386.rpmftp://updates.redhat.com/7.3/en/os/i386/samba-swat-2.2.7-1.7.3.i386.rpm
Red Hat Linux 8.0:
SRPMS:ftp://updates.redhat.com/8.0/en/os/SRPMS/samba-2.2.7-2.src.rpm
i386:ftp://updates.redhat.com/8.0/en/os/i386/samba-2.2.7-2.i386.rpmftp://updates.redhat.com/8.0/en/os/i386/samba-common-2.2.7-2.i386.rpmftp://updates.redhat.com/8.0/en/os/i386/samba-client-2.2.7-2.i386.rpmftp://updates.redhat.com/8.0/en/os/i386/samba-swat-2.2.7-2.i386.rpm

6. Verification:
MD5 sum Package Name -------------------------------------------------------------------------- 5c8ba729bb3e6d2f0614fd543053e6e9 7.3/en/os/SRPMS/samba-2.2.7-1.7.3.src.rpm 92178f0aa6c7ec0cb2b55c0f32c59ca4 7.3/en/os/i386/samba-2.2.7-1.7.3.i386.rpm 6915d467d9572737dfbfcac916734084 7.3/en/os/i386/samba-client-2.2.7-1.7.3.i386.rpm 56ce43d49614bf5a79b90dfbd4a77235 7.3/en/os/i386/samba-common-2.2.7-1.7.3.i386.rpm 82cbcb8e2c3be661e0e6c1c7f9856ecd 7.3/en/os/i386/samba-swat-2.2.7-1.7.3.i386.rpm 9b5ded05dc9cc2c49c40b686ec78caf7 8.0/en/os/SRPMS/samba-2.2.7-2.src.rpm 4e2339d23bad01690938748d84dac186 8.0/en/os/i386/samba-2.2.7-2.i386.rpm a7a48f9d6d8e45966172ae1b941e0208 8.0/en/os/i386/samba-client-2.2.7-2.i386.rpm 3bd309562e0cdefc8d4cd5b02ee0b71c 8.0/en/os/i386/samba-common-2.2.7-2.i386.rpm 0efdfc0d8de8294c0dd4978a82d15991 8.0/en/os/i386/samba-swat-2.2.7-2.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is available athttp://www.redhat.com/about/contact/pgpkey.html
You can verify each package with the following command:
rpm --checksig -v <filename>
If you only wish to verify that each package has not been corrupted or tampered with, examine only the md5sum with the following command:
md5sum <filename>
7. Contact:
The Red Hat security contact is <security@redhat.com>. More contact details athttp://www.redhat.com/solutions/security/news/contact.html
Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO Affected

Updated: May 05, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SCO Security Advisory

Subject:OpenLinux: Various serious Samba vulnerabilities Advisory number: CSSA-2003-017.0 Issue date: 2003 May 02 Cross reference: ______________________________________________________________________________

1. Problem Description
This update addresses the following Samba issues:
A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack.

A vulnerability that could lead to an anonymous user gaining root access on a Samba serving system.

A chown race condition that could allow overwriting of critical system files if exploited.

A buffer overflow in the call_trans2open function in trans2.c allows remote attackers to execute arbitrary code.

Multiple buffer overflows that may allow remote attackers to execute arbitrary code or cause a denial of service.

2. Vulnerable Supported Versions
SystemPackage ----------------------------------------------------------------------

OpenLinux 3.1.1 Serverprior to libsmbclient-2.2.2-7.i386.rpm prior to samba-2.2.2-7.i386.rpm prior to samba-doc-2.2.2-7.i386.rpm prior to smbfs-2.2.2-7.i386.rpm prior to swat-2.2.2-7.i386.rpm

OpenLinux 3.1.1 Workstationprior to libsmbclient-2.2.2-7.i386.rpm prior to samba-2.2.2-7.i386.rpm prior to samba-doc-2.2.2-7.i386.rpm prior to smbfs-2.2.2-7.i386.rpm prior to swat-2.2.2-7.i386.rpm

3. Solution
The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand.

4. OpenLinux 3.1.1 Server
4.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/RPMS
4.2 Packages
a4f667678f6a3c283491ae04480625d6libsmbclient-2.2.2-7.i386.rpm 8c95e0b81771bb703e08937125e8c9bfsamba-2.2.2-7.i386.rpm 2a590b5458186279fd3bb17bb87c5af3samba-doc-2.2.2-7.i386.rpm fcabaf8b0567ed5faad0e2fe8e206f92smbfs-2.2.2-7.i386.rpm bd13c1771c2267549916f3afb60ad019swat-2.2.2-7.i386.rpm

4.3 Installation
rpm -Fvh libsmbclient-2.2.2-7.i386.rpm rpm -Fvh samba-2.2.2-7.i386.rpm rpm -Fvh samba-doc-2.2.2-7.i386.rpm rpm -Fvh smbfs-2.2.2-7.i386.rpm rpm -Fvh swat-2.2.2-7.i386.rpm

4.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/SRPMS
4.5 Source Packages
403ddcea6384a309768066e06941a68fsamba-2.2.2-7.src.rpm

5. OpenLinux 3.1.1 Workstation
5.1 Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/RPMS
5.2 Packages
c04cb8377d18180c6b914ed9d0d1d4e3libsmbclient-2.2.2-7.i386.rpm aad7fa4db863931a9c57b8720e17cbb6samba-2.2.2-7.i386.rpm be052cbf6e77f05ad1cbc7fba57be7bdsamba-doc-2.2.2-7.i386.rpm 4bf70f287baf74e47ef5cff351a7a740smbfs-2.2.2-7.i386.rpm 906d1705b64767cd774e29287b5ab437swat-2.2.2-7.i386.rpm

5.3 Installation
rpm -Fvh libsmbclient-2.2.2-7.i386.rpm rpm -Fvh samba-2.2.2-7.i386.rpm rpm -Fvh samba-doc-2.2.2-7.i386.rpm rpm -Fvh smbfs-2.2.2-7.i386.rpm rpm -Fvh swat-2.2.2-7.i386.rpm

5.4 Source Package Location
ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/SRPMS
5.5 Source Packages
21c0df3f652692c3db10dd5783e78e93samba-2.2.2-7.src.rpm

6. References
Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201

SCO security resources:
http://www.sco.com/support/security/index.html
This security fix closes SCO incidents sr876764, sr875830, sr872195, fz527679, fz527532, fz526744, erg712283, erg712263, erg712169.

7. Disclaimer
SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products.

8. Acknowledgements
Steve Langasek (Debian), Sebastian Krahmer (SuSE), and Digital Defense Inc. discovered and researched these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI Affected

Updated: December 13, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________ SGI Security Advisory
Title : Samba Security Vulnerability Number : 20021204-01-I Date : December 5, 2002 Reference: CVE CAN-2002-1318 Reference: SGI BUG 874162 Fixed in : Samba v2.2.7 ______________________________________________________________________________
- ----------------------- - --- Issue Specifics --- - -----------------------
It's been reported that versions of Samba prior to 2.2.7 have a security vulnerability that could potentially allow an attacker to gain root access on the target machine. The word "potentially" is used because there is no known exploit of this bug. SGI has not found one, nor has the Samba group found one. Nevertheless, the vulnerability is considered serious.
See http://www.samba.org/samba/whatsnew/samba-2.2.7.html for additional details.
This vulnerability was assigned the following CVE candidate:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318
SGI has investigated the issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL vulnerable SGI systems.
These issues have been corrected in Samba version 2.2.7.

- -------------- - --- Impact --- - --------------
Samba is an optional product, and is not installed by default on IRIX 6.5 systems.
To determine the version of IRIX you are running, execute the following command:
# /bin/uname -R
That will return a result similar to the following:
# 6.5 6.5.16f
The first number ("6.5") is the release name, the second ("6.5.16f" in this case) is the extended release name. The extended release name is the "version" we refer to throughout this document.
To see if samba is installed, execute the following command:
% versions samba_irix I = Installed, R = Removed
Name Date Description
I samba_irix 07/02/2002 Samba 2.2.4 for IRIX I samba_irix.man 07/02/2002 Samba Online Documentation I samba_irix.man.doc 07/02/2002 Samba 2.2.4 Documentation I samba_irix.man.manpages 07/02/2002 Samba 2.2.4 Man Page I samba_irix.man.relnotes 07/02/2002 Samba 2.2.4 Release Notes I samba_irix.src 07/02/2002 Samba Source Code I samba_irix.src.samba 07/02/2002 Samba 2.2.4 Source Code I samba_irix.sw 07/02/2002 Samba Execution Environment I samba_irix.sw.base 07/02/2002 Samba 2.2.4 Execution Environment
If the result is similar to the above and the version shown is less than 2.2.7, then the system is vulnerable.
- ---------------------------- - --- Temporary Workaround --- - ----------------------------
There is no effective workaround available for these problems if Samba is required. SGI recommends upgrading to Samba version 2.2.7.

- ---------------- - --- Solution --- - ----------------
SGI has provided an instable version of Samba for this vulnerability. Our recommendation is to upgrade to Samba version 2.2.7.
Samba 2.2.7 can be downloaded from http://www.samba.org/ orhttp://freeware.sgi.com/
For customers who have purchased the SGI supported version of Samba, please contact your SGI Support Representative and request part number 812-0893-008 -- Samba 2.2.7 for IRIX on CD.

OS Version Vulnerable? Patch # Other Actions ---------- ----------- ------- ------------- IRIX 3.x unknown Note 1 IRIX 4.x unknown Note 1 IRIX 5.x unknown Note 1 IRIX 6.0.x unknown Note 1 IRIX 6.1 unknown Note 1 IRIX 6.2 unknown Note 1 IRIX 6.3 unknown Note 1 IRIX 6.4 unknown Note 1 IRIX 6.5 yes Notes 2 & 3 IRIX 6.5.1 yes Notes 2 & 3 IRIX 6.5.2 yes Notes 2 & 3 IRIX 6.5.3 yes Notes 2 & 3 IRIX 6.5.4 yes Notes 2 & 3 IRIX 6.5.5 yes Notes 2 & 3 IRIX 6.5.6 yes Notes 2 & 3 IRIX 6.5.7 yes Notes 2 & 3 IRIX 6.5.8 yes Notes 2 & 3 IRIX 6.5.9 yes Notes 2 & 3 IRIX 6.5.10 yes Notes 2 & 3 IRIX 6.5.11 yes Notes 2 & 3 IRIX 6.5.12 yes Notes 2 & 3 IRIX 6.5.13 yes Notes 2 & 3 IRIX 6.5.14 yes Notes 2 & 3 IRIX 6.5.15 yes Notes 2 & 3 IRIX 6.5.16 yes Notes 2 & 3 IRIX 6.5.17 yes Notes 2 & 3 IRIX 6.5.18 yes Notes 2 & 3
NOTES
1) This version of the IRIX operating has been retired. Upgrade to an actively supported IRIX operating system. See http://support.sgi.com/irix/news/index.html#policy for more information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI Support Provider or URL:http://support.sgi.com/irix/swupdates/
3) This version of IRIX is vulnerable if a version of Samba prior to 2.2.7 is installed. Please install Samba 2.2.7.

- ------------------------ - --- Acknowledgments ---- - ------------------------
SGI wishes to thank Steve Langasek, Eloy Paris, the Samba Group and the users of the Internet Community at large for their assistance in this matter.

- ------------- - --- Links --- - -------------
SGI Security Advisories can be found at:http://www.sgi.com/support/security/ andftp://patches.sgi.com/support/free/security/advisories/
SGI Security Patches can be found at:http://www.sgi.com/support/security/ andftp://patches.sgi.com/support/free/security/patches/
SGI patches for IRIX can be found at the following patch servers:http://support.sgi.com/irix/ and ftp://patches.sgi.com/
SGI freeware updates for IRIX can be found at:http://freeware.sgi.com/
SGI fixes for SGI open sourced code can be found on:http://oss.sgi.com/projects/
SGI patches and RPMs for Linux can be found at:http://support.sgi.com/linux/ orhttp://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/
SGI patches for Windows NT or 2000 can be found at:http://support.sgi.com/nt/
IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/
IRIX 6.5 Maintenance Release Streams can be found at:http://support.sgi.com/colls/patches/tools/relstream/index.html
IRIX 6.5 Software Update CDs can be obtained from:http://support.sgi.com/irix/swupdates/
The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URLftp://patches.sgi.com/support/free/security/
For security and patch management reasons, ftp.sgi.com (mirrors patches.sgi.com security FTP repository) lags behind and does not do a real-time update.

- ----------------------------------------- - --- SGI Security Information/Contacts --- - -----------------------------------------
If there are questions about this document, email can be sent to security-info@sgi.com.
------oOo------
SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security advisories and patches is patches.sgi.com (216.32.174.211). Security advisories and patches are located under the URLftp://patches.sgi.com/support/free/security/
The SGI Security Headquarters Web page is accessible at the URL:http://www.sgi.com/support/security/
For issues with the patches on the FTP sites, email can be sent to security-info@sgi.com.
For assistance obtaining or working with security patches, please contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/support/security/wiretap.html) or by sending email to SGI as outlined below.
% mail wiretap-request@sgi.com subscribe wiretap <YourEmailAddress such as zedwatch@sgi.com > end ^d
In the example above, <YourEmailAddress> is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message.

------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is located athttp://www.sgi.com/support/security/ .
------oOo------
If there are general security questions on SGI systems, email can be sent to security-info@sgi.com.
For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report.
______________________________________________________________________________ This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature.
-----BEGIN PGP SIGNATURE----- Version: 2.6.2
iQCVAwUBPe+J4LQ4cFApAP75AQEZfAP+Pnm7uYFMAQHtMCa8Bzk+uNMWmt8qxvwb OguoHlb8Sh81NiY6Y/SsvBB+aBADw7PwiVfd9eHU/KZL38I8a0nnB2kMrqady8fR ERieXRJKPqs2BnOtUgbdBqgBnRu9Vf39K9IDWKV+iiL3j6LpmOmnBnfa40jIwwSP Pl9jBQcLlxE= =keNO -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Affected

Updated: December 13, 2002

Status

Affected

Vendor Statement

New Samba packages are available for Slackware 8.1 and -current to fix a security problem and provide other bugfixes and improvements.

Here are the details from the Slackware 8.1 ChangeLog:
---------------------------- Wed Nov 20 16:51:23 PST 2002 patches/packages/samba-2.2.7-i386-1.tgz: Upgraded to samba-2.2.7. Some details (based on the WHATSNEW.txt file included in samba-2.2.7): This fixes a security hole discovered in versions 2.2.2 through 2.2.6 of Samba that could potentially allow an attacker to gain root access on the target machine. The word "potentially" is used because there is no known exploit of this bug, and the Samba Team has not been able to craft one ourselves. However, the seriousness of the problem warrants this immediate 2.2.7 release. There was a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. The attack would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code. Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris <peloy@debian.org> for bringing this vulnerability to our notice. (* Security fix *) ----------------------------

WHERE TO FIND THE NEW PACKAGES: ------------------------------- Updated Samba package for Slackware 8.1:ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/samba-2.2.7-i386-1.tgz
Updated Samba package for Slackware-current:ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-2.2.7-i386-1.tgz

MD5 SIGNATURES: ---------------
Here are the md5sums for the packages:
Slackware 8.1: 835f2069561251cf9649b1f60ebc21f0 samba-2.2.7-i386-1.tgz
Slackware-current: 18eff1898b289735c51895e628797733 samba-2.2.7-i386-1.tgz

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc. Affected

Updated: December 13, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
SuSE Security Announcement
Package: samba Announcement-ID: SuSE-SA:2002:045 Date: Wednesday, November 20th 2002 16:00 MET Affected products: 7.2, 7.3, 8.0, 8.1 SuSE Linux Database Server, SuSE eMail Server III, 3.1 SuSE Linux Enterprise Server 7+8, SuSE Linux Firewall on CD/Admin host SuSE Linux Connectivity Server SuSE Linux Office Server Vulnerability Type: possible remote code execution Severity (1-10): 7 SuSE default package: no Cross References: http://www.samba.org/
Content of this advisory: 1) security vulnerability resolved: samba problem description, discussion, solution and upgrade information 2) pending vulnerabilities, solutions, workarounds 3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
Samba developer Steve Langasek found a security problem in samba, the widely known free implementation of the SMB protocol.
The error consists of a buffer overflow in a commonly used routine that accepts user input and may write up to 127 bytes past the end of the buffer allocated with static length, leaving enough room for an exploit. The resulting vulnerability can be exploited locally in applications using the pam_smbpass Pluggable Authentication Module (PAM). It may be possible to exploit this vulnerability remotely, causing the running smbd to crash or even to execute arbitrary code.
The samba package is installed by default only on the SuSE Linux Enterprise Server. SuSE Linux products do not have the samba and samba-client packages installed by default. The samba packages in SuSE Linux version 7.1 and before are not affected by this vulnerability. For the bug to be exploited, your system has to be running the smbd samba server, or an administrator must have (manually) changed the configuration of the PAM authentification subsystem to enable the use of the pam_smbpass module. The samba server process(es) are not activated automatically after installation (of the package).
The samba subsystem on SuSE products is split into two different subpackages: samba and smbclnt up to and including SuSE Linux 7.2, on SuSE Linux 7.3 and newer the package names are samba and samba-client. To completely remove the vulnerability, you should update all of the installed packages.
We wish to express our gratitude to the samba development team and in particular to Steve Langasek and Volker Lendecke who provided the patches and communicated them to the vendors. Please know that the samba team will release the new version 2.2.7 of the samba software to address the security fix at the same time as this announcement gets published. More information about samba (and the security fix) is available athttp://www.samba.org.
Please download the update package for your distribution and verify its integrity by the methods listed in section 3) of this announcement. Then, install the package using the command "rpm -Fhv file.rpm" to apply the update. Our maintenance customers are being notified individually. The packages are being offered to install from the maintenance web.
SPECIAL INSTALL INSTRUCTIONS: ============================== After successfully installing the update packages, you should restart the samba server process(es) to make the changes in the system effective. If you do not have a samba server running on your system, no further action is required. If you have a samba server running, please run the following command as root: rcsmb restart # SuSE Linux, all versions rcnmb restart # only on SuSE Linux 8.1

Intel i386 Platform:
SuSE-8.1: ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.rpm f0a94ef6cc49165d4dace59caaf359d7 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.rpm f694fb4aaabffa98b6a76941cb2c0eaf patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.patch.rpm af43bc1d5dc1b097389933f34ca5a625 ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.patch.rpm bff278f9366df7efe72fa880c4f7618f source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/samba-2.2.5-124.src.rpm 674adb466663259c2117852b9525a29a
SuSE-8.0: ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-165.i386.rpm 8c7edd09c5acfc269467ecbcdcdfc21c ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-165.i386.rpm bfc08a1d64f0d85670041c7046d1e775 patch rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-165.i386.patch.rpm 7d08c2c07137d9da0b3d1a301295a084 ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-165.i386.patch.rpm 887230d4ed61bec496dff73c50fa3de0 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/samba-2.2.3a-165.src.rpm b208c4d5bcceb7f9cc18df75b7831d2d
SuSE-7.3: ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/samba-2.2.1a-206.i386.rpm dc4232333a0babbb257cff346609625f ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/samba-client-2.2.1a-206.i386.rpm 163a565a5a0b0320eae6ba1d0ebdfb27 source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/samba-2.2.1a-206.src.rpm 6086e3bb296a320c28fced9068c931fc
SuSE-7.2: ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/samba-2.2.0a-45.i386.rpm 184b17987ca99325782f4c7f9e04b6a6 ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/smbclnt-2.2.0a-45.i386.rpm b9926ade015ccaf271088da246814abb source rpm(s): ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/samba-2.2.0a-45.src.rpm 384ec49b0b8a81d8ecf7c84ef0fa2689

Sparc Platform:
SuSE-7.3: ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/samba-2.2.1a-69.sparc.rpm 61b72787bc8e0b333662962a60bce0c2 ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/samba-client-2.2.1a-69.sparc.rpm 6acd0ffd218d721d7c10b17e1194738d source rpm(s): ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/samba-2.2.1a-69.src.rpm 77f57a3277bb1a270ae79bc94ee28345

PPC Power PC Platform:
SuSE-7.3: ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/samba-2.2.1a-141.ppc.rpm d127afabc7d5b764289f9b65ad4c4cd1 ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/samba-client-2.2.1a-141.ppc.rpm 894132f3b5041a54ec871d67eef072e5 source rpm(s): ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/samba-2.2.1a-141.src.rpm ccff812fdddd3af9d62a399f63e0405e

______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- 7.0 update trees We will move the SuSE Linux 7.0 update tree structure to the /pub/suse/discontinued/ tree shortly, following the announcement about discontinued products on Tue, 29 Oct 2002.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over the world. While this service is being considered valuable and important to the free and open source software community, many users wish to be sure about the origin of the package and its content before installing the package. There are two verification methods that can be used independently from each other to prove the authenticity of a downloaded file or rpm package: 1) md5sums as provided in the (cryptographically signed) announcement. 2) using the internal gpg signatures of the rpm package.
1) execute the command md5sum <name-of-the-file.rpm> after you downloaded the file from a SuSE ftp server or its mirrors. Then, compare the resulting md5sum with the one that is listed in the announcement. Since the announcement containing the checksums is cryptographically signed (usually using the key security@suse.de), the checksums show proof of the authenticity of the package. We disrecommend to subscribe to security lists which cause the email message containing the announcement to be modified so that the signature does not match after transport through the mailing list software. Downsides: You must be able to verify the authenticity of the announcement in the first place. If RPM packages are being rebuilt and a new version of a package is published on the ftp server, all md5 sums for the files are useless.
2) rpm package signatures provide an easy way to verify the authenticity of an rpm package. Use the command rpm -v --checksig <file.rpm> to verify the signature of the package, where <file.rpm> is the filename of the rpm package that you have downloaded. Of course, package authenticity verification can only target an un-installed rpm package file. Prerequisites: a) gpg is installed b) The package is signed using a certain key. The public part of this key must be installed by the gpg program in the directory ~/.gnupg/ under the user's home directory who performs the signature verification (usually root). You can import the key that is used by SuSE in rpm packages for SuSE Linux by saving this announcement to a file ("announcement.txt") and running the command (do "su -" to be root): gpg --batch; gpg < announcement.txt | gpg --import SuSE Linux distributions version 7.1 and thereafter install the key "build@suse.de" upon installation or upgrade, provided that the package gpg is installed. The file containing the public key is placed at the top-level directory of the first CD (pubring.gpg) and atftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .

- SuSE runs two security mailing lists to which any interested party may subscribe:
suse-security@suse.com - general/linux/SuSE security discussion. All SuSE security announcements are sent to this list. To subscribe, send an email to <suse-security-subscribe@suse.com>.
suse-security-announce@suse.com - SuSE's announce-only mailing list. Only SuSE's security announcements are sent to this list. To subscribe, send an email to <suse-security-announce-subscribe@suse.com>.
For general information or the frequently asked questions (faq) send mail to: <suse-security-info@suse.com> or <suse-security-faq@suse.com> respectively.
===================================================================== SuSE's security contact is <security@suse.com> or <security@suse.de>. The <security@suse.de> public key is listed below. ===================================================================== ______________________________________________________________________________
The information in this advisory may be distributed or reproduced, provided that the advisory is not modified in any way. In particular, it is desired that the clear-text signature shows proof of the authenticity of the text. SuSE Linux AG makes no warranties of any kind whatsoever with respect to the information contained in this security advisory.
Type Bits/KeyID Date User ID pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de> pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
- -----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info seehttp://www.gnupg.org
mQGiBDnu9IERBACT8Y35+2vv4MGVKiLEMOl9GdST6MCkYS3yEKeueNWc+z/0Kvff 4JctBsgs47tjmiI9sl0eHjm3gTR8rItXMN6sJEUHWzDP+Y0PFPboMvKx0FXl/A0d M+HFrruCgBlWt6FA+okRySQiliuI5phwqkXefl9AhkwR8xocQSVCFxcwvwCglVcO QliHu8jwRQHxlRE0tkwQQI0D+wfQwKdvhDplxHJ5nf7U8c/yE/vdvpN6lF0tmFrK XBUX+K7u4ifrZlQvj/81M4INjtXreqDiJtr99Rs6xa0ScZqITuZC4CWxJa9GynBE D3+D2t1V/f8l0smsuYoFOF7Ib49IkTdbtwAThlZp8bEhELBeGaPdNCcmfZ66rKUd G5sRA/9ovnc1krSQF2+sqB9/o7w5/q2qiyzwOSTnkjtBUVKn4zLUOf6aeBAoV6NM CC3Kj9aZHfA+ND0ehPaVGJgjaVNFhPi4x0e7BULdvgOoAqajLfvkURHAeSsxXIoE myW/xC1sBbDkDUIBSx5oej73XCZgnj/inphRqGpsb+1nKFvF+rQoU3VTRSBQYWNr YWdlIFNpZ25pbmcgS2V5IDxidWlsZEBzdXNlLmRlPohcBBMRAgAcBQI57vSBBQkD wmcABAsKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyl8sAJ98BgD40zw0GHJHIf6d NfnwI2PAsgCgjH1+PnYEl7TFjtZsqhezX7vZvYCIRgQQEQIABgUCOnBeUgAKCRCe QOMQAAqrpNzOAKCL512FZvv4VZx94TpbA9lxyoAejACeOO1HIbActAevk5MUBhNe LZa/qM2JARUDBRA6cGBvd7LmAD0l09kBATWnB/9An5vfiUUE1VQnt+T/EYklES3t XXaJJp9pHMa4fzFa8jPVtv5UBHGee3XoUNDVwM2OgSEISZxbzdXGnqIlcT08TzBU D9i579uifklLsnr35SJDZ6ram51/CWOnnaVhUzneOA9gTPSr+/fT3WeVnwJiQCQ3 0kNLWVXWATMnsnT486eAOlT6UNBPYQLpUprF5Yryk23pQUPAgJENDEqeU6iIO9Ot 1ZPtB0lniw+/xCi13D360o1tZDYOp0hHHJN3D3EN8C1yPqZd5CvvznYvB6bWBIpW cRgdn2DUVMmpU661jwqGlRz1F84JG/xe4jGuzgpJt9IXSzyohEJB6XG5+D0BiF0E ExECAB0FAjxqqTQFCQoAgrMFCwcKAwQDFQMCAxYCAQIXgAAKCRCoTtronIAKyp1f AJ9dR7saz2KPNwD3U+fy/0BDKXrYGACfbJ8fQcJqCBQxeHvt9yMPDVq0B0W5Ag0E Oe70khAIAISR0E3ozF/la+oNaRwxHLrCet30NgnxRROYhPaJB/Tu1FQokn2/Qld/ HZnh3TwhBIw1FqrhWBJ7491iAjLR9uPbdWJrn+A7t8kSkPaF3Z/6kyc5a8fas44h t5h+6HMBzoFCMAq2aBHQRFRNp9Mz1ZvoXXcI1lk1l8OqcUM/ovXbDfPcXsUVeTPT tGzcAi2jVl9hl3iwJKkyv/RLmcusdsi8YunbvWGFAF5GaagYQo7YlF6UaBQnYJTM 523AMgpPQtsKm9o/w9WdgXkgWhgkhZEeqUS3m5xNey1nLu9iMvq9M/iXnGz4sg6Q 2Y+GqZ+yAvNWjRRou3zSE7Bzg28MI4sAAwYH/2D71Xc5HPDgu87WnBFgmp8MpSr8 QnSs0wwPg3xEullGEocolSb2c0ctuSyeVnCttJMzkukL9TqyF4s/6XRstWirSWaw JxRLKH6Zjo/FaKsshYKf8gBkAaddvpl3pO0gmUYbqmpQ3xDEYlhCeieXS5MkockQ 1sj2xYdB1xO0ExzfiCiscUKjUFy+mdzUsUutafuZ+gbHog1CN/ccZCkxcBa5IFCH ORrNjq9pYWlrxsEn6ApsG7JJbM2besW1PkdEoxak74z1senh36m5jQvVjA3U4xq1 wwylxadmmJaJHzeiLfb7G1ZRjZTsB7fyYxqDzMVul6o9BSwO/1XsIAnV1uuITAQY EQIADAUCOe70kgUJA8JnAAAKCRCoTtronIAKyksiAJsFB3/77SkH3JlYOGrEe1Ol 0JdGwACeKTttgeVPFB+iGJdiwQlxasOfuXyITAQYEQIADAUCPGqpWQUJCgCCxwAK CRCoTtronIAKyofBAKCSZM2UFyta/fe9WgITK9I5hbxxtQCfX+0ar2CZmSknn3co SPihn1+OBNyZAQ0DNuEtBAAAAQgAoCRcd7SVZEFcumffyEwfLTcXQjhKzOahzxpo omuF+HIyU4AGq+SU8sTZ/1SsjhdzzrSAfv1lETACA+3SmLr5KV40Us1w0UC64cwt A46xowVq1vMlH2Lib+V/qr3b1hE67nMHjysECVx9Ob4gFuKNoR2eqnAaJvjnAT8J
/LoUC20EdCHUqn6v+M9t/WZgC+WNR8cq69uDy3YQhDP/nIan6fm2uf2kSV9A7ZxE GrwsWl/WX5Q/sQqMWaU6r4az98X3z90/cN+eJJ3vwtA+rm+nxEvyev+jaLuOQBDf ebh/XA4FZ35xmi+spdiVeJH4F/ubaGlmj7+wDOF3suYAPSXT2QAFEbQlU3VTRSBT ZWN1cml0eSBUZWFtIDxzZWN1cml0eUBzdXNlLmRlPokBFQMFEDbhLUfkWLKHsco8 RQEBVw4H/1vIdiOLX/7hdzYaG9crQVIk3QwaB5eBbjvLEMvuCZHiY2COUg5QdmPQ 8SlWNZ6k4nu1BLcv2g/pymPUWP9fG4tuSnlUJDrWGm3nhyhAC9iudP2u1YQY37Gb B6NPVaZiYMnEb4QYFcqv5c/r2ghSXUTYk7etd6SW6WCOpEqizhx1cqDKNZnsI/1X 11pFcO2N7rc6byDBJ1T+cK+F1Ehan9XBt/shryJmv04nli5CXQMEbiqYYMOu8iaA 8AWRgXPCWqhyGhcVD3LRhUJXjUOdH4ZiHCXaoF3zVPxpeGKEQY8iBrDeDyB3wHmj qY9WCX6cmogGQRgYG6yJqDalLqrDOdmJARUDBRA24S0Ed7LmAD0l09kBAW04B/4p WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+ AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0 zinsSx2OrWgvSiLEXXYKiEYEEBECAAYFAjseYcMACgkQnkDjEAAKq6ROVACgjhDM /3KM+iFjs5QXsnd4oFPOnbkAnjYGa1J3em+bmV2aiCdYXdOuGn4ZiQCVAwUQN7c7 whaQN/7O/JIVAQEB+QP/cYblSAmPXxSFiaHWB+MiUNw8B6ozBLK0QcMQ2YcL6+Vl D+nSZP20+Ja2nfiKjnibCv5ss83yXoHkYk2Rsa8foz6Y7tHwuPiccvqnIC/c9Cvz dbIsdxpfsi0qWPfvX/jLMpXqqnPjdIZErgxpwujas1n9016PuXA8K3MJwVjCqSKI RgQQEQIABgUCOhpCpAAKCRDHUqoysN/3gCt7AJ9adNQMbmA1iSYcbhtgvx9ByLPI DgCfZ5Wj+f7cnYpFZI6GkAyyczG09sE= =LRKC - -----END PGP PUBLIC KEY BLOCK-----

-----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv
iQEVAwUBPdvAOHey5gA9JdPZAQFBcwf6A+8lmCVrRiCgRW/SH+pzBMJ2+p8iywDd BhChCR0ekyrNcxwMRut1vFVRbt0iSzD3Kl43dAPOrTcvypkoBnxW4+/l1mD7/fqH WsF22vwhV/8u33tYFN7wsUxpBHzBSq3CguJF4XP5BpNCkvJvrLh5f5QDgonUoO+P 2z0sYNgSARxEKgniyp8YSm6UmC63ijzDhLb/JuDxNu/8652Xx35pptdOtBiriB9C yGKgJoy97co96oQrzS9ZRKjSGBfE5g6Q8/nAyDuCFpPOiIvDaLlkcab0u2Boawe+ GuCM6QwB7xmb6ElCehtCGxn9v6gE86hNFCOVrjIOhKgOrlY0V8h21w== =MrgG -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc. Affected

The OpenPKG Project Affected

Updated: December 13, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

________________________________________________________________________
OpenPKG Security Advisory The OpenPKG Projecthttp://www.openpkg.org/security.html http://www.openpkg.orgopenpkg-security@openpkg.org openpkg@openpkg.org OpenPKG-SA-2002.012 29-Nov-2002 ________________________________________________________________________
Package: samba Vulnerability: code execution, root exploit OpenPKG Specific: no
Dependent Packages: none
Affected Releases: Affected Packages: Corrected Packages: OpenPKG 1.0 <= samba-2.2.2-1.0.0 >= samba-2.2.2-1.0.1 OpenPKG 1.1 <= samba-2.2.5-1.1.0 >= samba-2.2.5-1.1.1 OpenPKG CURRENT <= samba-2.2.6-20021017 >= samba-2.2.7-20021120
Description: A vulnerability in Samba [0] versions 2.2.2 through 2.2.6 was discovered by the Debian Samba maintainers [1]. A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd(8) stack. This attack would have to be crafted in such a way that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.
Check whether you are affected by running "<prefix>/bin/rpm -q samba". If you have an affected version of the samba package (see above), please upgrade it according to the solution below.
Solution: Update existing packages to newly patched versions of Samba. Select the updated source RPM appropriate for your OpenPKG release [2][3][4], and fetch it from the OpenPKG FTP service or a mirror location. Verify its integrity [5], build a corresponding binary RPM from it and update your OpenPKG installation by applying the binary RPM [6]. For the latest OpenPKG 1.1 release, perform the following operations to permanently fix the security problem (for other releases adjust accordingly).
$f t p f t p . o p e n p k g . o r g f t p > b i n f t p > c d r e l e a s e / 1.1 / U P D f t p > g e t s a m b a - 2.2 .5 - 1.1 .1 . s r c . r p m f t p > b y e$ <prefix>/bin/rpm -v --checksig samba-2.2.5-1.1.1.src.rpm $< p r e f i x > / b i n / r p m - - r e b u i l d s a m b a - 2.2 .5 - 1.1 .1 . s r c . r p m$ su - # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-2.2.5-1.1.1.*.rpm # <prefix>/etc/rc samba stop start ________________________________________________________________________
References: [0]http://www.samba.org/ [1]http://www.debian.org/security/2002/dsa-200 [2]ftp://ftp.openpkg.org/release/1.0/UPD/ [3]ftp://ftp.openpkg.org/release/1.1/UPD/ [4]ftp://ftp.openpkg.org/current/SRC/ [5]http://www.openpkg.org/security.html#signature [6]http://www.openpkg.org/tutorial.html#regular-source________________________________________________________________________
For security reasons, this advisory was digitally signed with the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F) of the OpenPKG project which you can find under the official URLhttp://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To check the integrity of this advisory, verify its digital signature by using GnuPG (http://www.gnupg.org/). For example, pipe this message to the command "gpg --verify --keyserver keyserver.pgp.com". ________________________________________________________________________
-----BEGIN PGP SIGNATURE----- Comment: OpenPKG <openpkg@openpkg.org>
iEYEARECAAYFAj3nO9UACgkQgHWT4GPEy59p5QCfct5flSu1iV1a7dJGasM0J8iN kOMAoNvn9Q1524xufDzZb12THUscFpKd =HEHz -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux Affected

Updated: December 13, 2002

Status

Affected

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

- -------------------------------------------------------------------------- Trustix Secure Linux Security Advisory #2002-0080
Package name: samba Summary: Remote hole Date: 2002-11-21 Affected versions: TSL 1.5
- -------------------------------------------------------------------------- Package description: Samba provides an SMB server which can be used to provide network services to SMB (sometimes called "Lan Manager") clients, including various versions of MS Windows, OS/2, and other Linux machines. Samba uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI (Microsoft Raw NetBIOS frame) protocol.

Problem description: From the Samba 2.2.7 release notes:
There was a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. The attach would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.
All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable to this problem. This version of Samba 2.2.7 contains a fix for this problem.

Action: We recommend that all systems with this package installed be upgraded. Please note that if you do not need the functionality provided by this package, you may want to remove it from your system.

Location: All TSL updates are available from <URI:http://www.trustix.net/pub/Trustix/updates/> <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>

About Trustix Secure Linux: Trustix Secure Linux is a small Linux distribution for servers. With focus on security and stability, the system is painlessly kept safe and up to date from day one using swup, the automated software updater.

Automatic updates: Users of the SWUP tool can enjoy having updates automatically installed using 'swup --upgrade'.
Get SWUP from: <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>

Public testing: These packages have been available for public testing for some time. If you want to contribute by testing the various packages in the testing tree, please feel free to share your findings on the tsl-discuss mailinglist. The testing tree is located at <URI:http://www.trustix.net/pub/Trustix/testing/> <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>

Questions? Check out our mailing lists: <URI:http://www.trustix.net/support/>

Verification: This advisory along with all TSL packages are signed with the TSL sign key. This key is available from: <URI:http://www.trustix.net/TSL-GPG-KEY>
The advisory itself is available from the errata pages at <URI:http://www.trustix.net/errata/trustix-1.5/> or directly at <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0080-samba.asc.txt>

MD5sums of the packages: - -------------------------------------------------------------------------- 96e5c4eedf3d3e638954f3649acd4759 ./1.5/RPMS/samba-2.2.7-2tr.i586.rpm 1004f7c7d856db6933dd42cb3e1fdbcd ./1.5/RPMS/samba-client-2.2.7-2tr.i586.rpm 3bfce6f3114c2531e697749a7cb20b60 ./1.5/RPMS/samba-common-2.2.7-2tr.i586.rpm 8b072b4cd0e60ebd0b1e1ed60e2a178c ./1.5/SRPMS/samba-2.2.7-2tr.src.rpm - --------------------------------------------------------------------------

Trustix Security Team
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info seehttp://www.gnupg.org
iD8DBQE94iVPwRTcg4BxxS0RAmwUAJ42n4FkKBhe1ivkRovoHxT1Wyp+kQCffF6L qiCjChjM8LMHy9lrUUr7I/w= =Dg9h -----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc. Not Affected

View all 14 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was discovered by Steve Langasek and Eloy Paris.

This document was written by Ian A Finlay.

Other Information

CVE IDs:	CVE-2002-1318
Severity Metric:	45.56
Date Public:	2002-11-20
Date First Published:	2002-12-13
Date Last Updated:	2003-05-16 18:19 UTC
Document Revision:	23

Software Engineering Institute

CERT Coordination Center

Samba contains a remotely exploitable stack buffer overflow

Vulnerability Note VU#958321

Overview

Description

Impact

Solution

Vendor Information

Conectiva Affected

Debian Affected

Gentoo Linux Affected

Hewlett-Packard Company Affected

MandrakeSoft Affected

Red Hat Inc. Affected

SCO Affected

SGI Affected

Slackware Affected

SuSE Inc. Affected

Sun Microsystems Inc. Affected

The OpenPKG Project Affected

Trustix Secure Linux Affected

Apple Computer Inc. Not Affected

CVSS Metrics

References

Acknowledgements

Other Information

Contact CERT/CC