[Debian] High CVE: CVE-2022-2127/CVE-2022-3437/CVE-2023-34966/CVE-2023-34967/CVE-2023-34968 samba : multiple CVEs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | High | Wentao Zhang |
Bug Description
CVE-2022-2127: https:/
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_
CVE-2022-3437: https:/
A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.
CVE-2023-4091: https:/
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
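As an added illustration that is not part of this bug report or of Samba's own code: a small Python audit helper that parses an smb.conf-style text (constructed sample embedded) and lists the shares whose effective settings match the precondition described above for CVE-2023-4091, i.e. the acl_xattr VFS module loaded together with "acl_xattr:ignore system acls = yes", with share sections inheriting values from [global].

```python
# Constructed audit helper, not Samba's own code: report shares whose
# effective settings match the CVE-2023-4091 precondition (acl_xattr loaded
# with "acl_xattr:ignore system acls = yes"). Shares inherit [global] values.
import re

# Constructed sample: [profiles] inherits the risky global setting, [public]
# overrides it to "no", [plain] replaces the VFS module list entirely.
SAMPLE_SMB_CONF = """
[global]
  vfs objects = acl_xattr
  acl_xattr:ignore system acls = yes
[profiles]
  path = /srv/profiles
[public]
  path = /srv/public
  acl_xattr:ignore system acls = no
[plain]
  path = /srv/plain
  vfs objects = streams_xattr
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; section and key names lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:                                     # start of a [section]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)       # keys may contain ':'
            sections[current][key.strip().lower()] = value.strip()
    return sections

def effective(sections, share, key, default=""):
    """Per-share value, falling back to [global], then to default."""
    glob = sections.get("global", {}).get(key, default)
    return sections.get(share, {}).get(key, glob)

def vulnerable_shares(text):
    """Shares where a read-only client could truncate files (CVE-2023-4091)."""
    sections = parse_smb_conf(text)
    hits = []
    for share in sections:
        if share == "global":
            continue
        modules = effective(sections, share, "vfs objects").lower().split()
        ignore = effective(sections, share, "acl_xattr:ignore system acls", "no")
        if "acl_xattr" in modules and ignore.lower() in ("yes", "true", "1"):
            hits.append(share)
    return hits
```

Running `vulnerable_shares(SAMPLE_SMB_CONF)` on the embedded sample returns `['profiles']`, the only share that both loads acl_xattr and keeps the inherited "ignore system acls = yes".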
CVE-2023-34966: https:/
An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.
CVE-2023-34967: https:/
A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_
CVE-2023-34968: https:/
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
Base Score: High
Reference:
['libsmbclient_
https:/
CVE References
tags: added: stx.10.0; removed: stx.9.0
summary: changed from "[Debian] High CVE: CVE-2022-2127/CVE-2022-3437/.../CVE-2023-34967/CVE-2023-34968 samba : multiple CVEs" to "[Debian] High CVE: CVE-2022-2127/CVE-2022-3437/CVE-2023-34966/CVE-2023-34967/CVE-2023-34968 samba : multiple CVEs"
Changed in starlingx:
assignee: nobody → Wentao Zhang (wzhang4)
Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/tools/+/917286