Comment 10 for bug 11243

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Mon, 27 Dec 2004 23:16:13 +1100
From: Andrew Bartlett <email address hidden>
To: Moritz Muehlenhoff <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#286023: CAN-2004-1154 proposed fix for woody


On Sun, 2004-12-19 at 23:29, Moritz Muehlenhoff wrote:
> Hi,
> the upstream patch against 3.0.9 wraps all memory allocations, strdup()s,
> etc. into macros with boundary checks. Backporting this to 2.2.3 seems
> way too intrusive and error-prone, so may I suggest the following fix:
>
> According to the iDefense advisory it exploits an integer overflow in the
> allocation of memory in source/rpc_parse/parse_sec.c:218:
> If psa->num_aces is larger than 38347922, the value of 38347922+1 multiplied
> with the value of ace[0] (112) is larger than an unsigned integer and
> it wraps around.
>
> So, as there is no way in regular Samba operation that a user requests
> more than 38 million ACL entries, the simplest and least intrusive way to
> prevent this seems to be a simple sanity check that caps psa->num_aces:
>
>     if (psa->num_aces > 38347922)
>         psa->num_aces = 38347922;
>
> Does this seem like an acceptable solution? I haven't evaluated all possible
> call flows that lead to the vulnerable code, though.

I would suggest not. If you were to limit the number of ACL entries, I
would set it much lower, but there are just so many places this can
happen, and I'm sure there will be other bugs out there. I think SUSE
had (or was going to produce) a patch for their enterprise customers (in
a similar boat), so poke about in their SRPM when it's out (I've not
kept track).

Andrew Bartlett

-- 
Andrew Bartlett <email address hidden>
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College <email address hidden>

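The arithmetic the thread discusses, as an added illustration (not Samba code and not either poster's patch): a naive 32-bit `(num_aces + 1) * 112` size computation wraps for exactly the value quoted above, while an overflow-checked version refuses the allocation instead of returning an undersized buffer. `ACE_SIZE` is a constructed stand-in for the 112-byte entry size the message cites; the Samba structure name is not assumed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for the 112-byte ACE size quoted in the thread. */
#define ACE_SIZE 112u

/* Vulnerable pattern: unsigned 32-bit multiply wraps silently, so a huge
 * num_aces yields a tiny allocation that later copies overrun. */
uint32_t naive_alloc_size(uint32_t num_aces)
{
    return (num_aces + 1u) * ACE_SIZE;
}

/* Hardened form: rejects both the +1 wrap and the multiply wrap before
 * doing the arithmetic. Returns 0 when the size cannot be represented
 * (0 is never a valid size here because at least one entry is counted). */
uint32_t checked_alloc_size(uint32_t num_aces)
{
    if (num_aces == UINT32_MAX)           /* num_aces + 1 would wrap */
        return 0;
    uint32_t count = num_aces + 1u;
    if (count > UINT32_MAX / ACE_SIZE)    /* count * ACE_SIZE would wrap */
        return 0;
    return count * ACE_SIZE;
}

/* Allocates the entry table only when the size check passes; a NULL return
 * is the signal the caller must treat as a parse error. */
void *alloc_ace_table(uint32_t num_aces)
{
    uint32_t bytes = checked_alloc_size(num_aces);
    if (bytes == 0)
        return NULL;
    return malloc(bytes);
}

/* Convenience for testing: true if allocation for num_aces succeeds. */
bool alloc_ace_table_ok(uint32_t num_aces)
{
    void *p = alloc_ace_table(num_aces);
    if (p == NULL)
        return false;
    free(p);
    return true;
}
```

With num_aces = 38347922 the naive computation returns 80 bytes; with 38347921 it still fits (4294967264 bytes), which is why the message names that boundary.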