[CVE-2008-1105] Samba: boundary failure when parsing SMB responses

Bug #235912 reported by Till Ulen on 2008-05-30
258
Affects Status Importance Assigned to Milestone
samba (Arch Linux)
Fix Released
Undecided
Unassigned
samba (Debian)
Fix Released
Unknown
samba (Ubuntu)
Undecided
Unassigned
Dapper
High
Jamie Strandboge
Feisty
High
Jamie Strandboge
Gutsy
High
Jamie Strandboge
Hardy
High
Jamie Strandboge

Bug Description

Binary package hint: samba

CVE-2008-1105 description:

"Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29 allows remote attackers to execute arbitrary code via a crafted SMB response."

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-1105
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1105

"Boundary failure when parsing SMB responses can result in a buffer overrun

Specifically crafted SMB responses can result in a heap overflow in the Samba client code.
Because the server process, smbd, can itself act as a client during operations such as
printer notification and domain authentication, this issue affects both Samba client and
server installations."

http://www.samba.org/samba/security/CVE-2008-1105.html

Patch: http://www.samba.org/samba/ftp/patches/security/samba-3.0.29-CVE-2008-1105.patch

Till Ulen (tillulen) wrote :

DSA 1590-1: http://www.debian.org/security/2008/dsa-1590 (link not functioning yet)

Changed in samba:
status: Unknown → Fix Released
Jamie Strandboge (jdstrand) wrote :

 samba (1:3.0.30-1) unstable; urgency=high

   * New upstream release: fix a heap overflow when parsing SMB responses in
     client code. (CVE-2008-1105). Closes: #483410

Changed in samba:
status: New → Fix Released
Changed in samba:
assignee: nobody → jdstrand
importance: Undecided → High
status: New → Triaged
assignee: nobody → jdstrand
importance: Undecided → High
status: New → Triaged
assignee: nobody → jdstrand
importance: Undecided → High
status: New → Triaged
assignee: nobody → jdstrand
importance: Undecided → High
status: New → Triaged
André Klitzing (misery) on 2008-06-04
Changed in samba:
status: New → Fix Released
Changed in samba:
status: Triaged → In Progress
status: Triaged → In Progress
status: Triaged → In Progress
status: Triaged → In Progress
Changed in samba:
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 3.0.28a-1ubuntu4.2

---------------
samba (3.0.28a-1ubuntu4.2) hardy-security; urgency=low

  * SECURITY UPDATE: heap overflow when processing crafted SMB responses
  * debian/patches/security-CVE-2008-1105.patch: update util_sock.c to require
    specifying the buffer size and update client.c, smbctool.c, smbfilter.c,
    and process.c for these changes
  * References:
    CVE-2008-1105
    LP: #235912

 -- Jamie Strandboge <email address hidden> Tue, 17 Jun 2008 12:47:38 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 3.0.26a-1ubuntu2.4

---------------
samba (3.0.26a-1ubuntu2.4) gutsy-security; urgency=low

  * SECURITY UPDATE: heap overflow when processing crafted SMB responses
  * debian/patches/security-CVE-2008-1105.patch: update util_sock.c to require
    specifying the buffer size and update client.c, smbctool.c, smbfilter.c,
    and process.c for these changes
  * SECURITY UPDATE: buffer overrun in nmbd when processing crafted GETDC
    mailslot requests
  * debian/patches/security_CVE-2007-4572.patch: check return values and
    sizeof strings in charcnv.c, ntlmssp_parse.c, nmbd_processlogon.c.
    Backport regression fixes from upstream.
  * References:
    CVE-2008-1105
    CVE-2007-4572
    LP: #235912

 -- Jamie Strandboge <email address hidden> Tue, 03 Jun 2008 16:29:05 -0400

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 3.0.24-2ubuntu1.6

---------------
samba (3.0.24-2ubuntu1.6) feisty-security; urgency=low

  * SECURITY UPDATE: heap overflow when processing crafted SMB responses
  * debian/patches/security-CVE-2008-1105.patch: update util_sock.c to require
    specifying the buffer size and update client.c, smbctool.c, smbfilter.c,
    and process.c for these changes
  * SECURITY UPDATE: buffer overrun in nmbd when processing crafted GETDC
    mailslot requests
  * debian/patches/security_CVE-2007-4572.patch: check return values and
    sizeof strings in charcnv.c, ntlmssp_parse.c, nmbd_processlogon.c.
    Backport regression fixes from upstream.
  * References:
    CVE-2008-1105
    CVE-2007-4572
    LP: #235912

 -- Jamie Strandboge <email address hidden> Mon, 16 Jun 2008 14:24:29 -0400

Changed in samba:
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Jamie Strandboge (jdstrand) wrote :
Changed in samba:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.