Bug 883758 (CVE-2014-3493) - VUL-0: CVE-2014-3493: samba: Segmentation fault in smbd_marshall_dir_entry()'s SMB_FIND_FIL...
Summary: VUL-0: CVE-2014-3493: samba: Segmentation fault in smbd_marshall_dir_entry()'...
Status: RESOLVED FIXED
Alias: CVE-2014-3493
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp2:57748
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-23 11:01 UTC by Marcus Meissner
Modified: 2014-07-30 18:45 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2014-06-23 11:01:01 UTC
embargoed via https://bugzilla.samba.org/show_bug.cgi?id=10654

---------------
When handling SMB_FIND_FILE_UNIX, srvstr_push() calls push_ascii() which
returns (uint32_t)-1 because the filename contains Unicode characters. The
request does not have FLAGS2_UNICODE_STRINGS set. Forcing Unicode with
STR_UNICODE avoids the crash but the client can't handle the response.

Note: the "∕" in the filename is DIVISION SLASH (U+2215) not the directory
separator "/" (U+002F)
----------------------------
Comment 1 Marcus Meissner 2014-06-23 12:06:47 UTC
CRD is TODAY, draft advisory:

===========================================================
== Subject:     Denial of service - Server crash/memory corruption
==
== CVE ID#:     CVE-2014-3493
==
== Versions:    Samba 3.6.0 - 4.1.8 (inclusive)
==
== Summary:     Samba 3.6.x to 4.1.8 are affected by a
==              denial of service crash involving overwriting
==              memory on an authenticated connection to the
==              smbd file server.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a denial of
service on the smbd file server daemon.

Valid unicode path names stored on disk can cause smbd to
crash if an authenticated client attempts to read them
using a non-unicode request.

The crash is caused by memory being overwritten by
zeros at a 4GB offset from the expected return buffer
area, due to an invalid return code from a bad unicode
to Windows character set conversion.

Currently it is not believed to be exploitable by
an attacker, as there is no way to control the
exact area of memory being overwritten. However,
in the interests of safety this is being treated
as a security issue.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.1.9, 4.0.19 and 3.6.24 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found and reported by Simon Arlott. The analysis
and fix were provided by Jeremy Allison of Google.
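The mechanism in the description and the advisory above (a charset conversion that signals failure by returning (size_t)-1, a caller that narrows that value to a 32-bit length and uses it as an offset, and a zero-fill that therefore lands 4 GiB past the buffer on a 64-bit host) is shown below as an added, constructed C example. It is not Samba code and does not reproduce smbd_marshall_dir_entry(), srvstr_push() or push_ascii(); the names push_ascii_demo, marshall_entry_unchecked, marshall_entry_checked, PAD_BYTES and the 64-byte buffer are assumptions made for the demo. The unchecked variant records the offset the padding write would use but only performs the write when it is inside the buffer, so the program runs without the segfault the report describes; smbd did the write unconditionally.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_BYTES 4   /* assumed width of the alignment padding that gets zeroed */

/* Constructed stand-in for a push_ascii()-style conversion: copy src into
 * dst as 7-bit ASCII plus NUL and return the bytes written, or (size_t)-1
 * when a byte cannot be represented in the non-Unicode target charset or
 * dst is too small.  Not Samba code. */
static size_t push_ascii_demo(char *dst, size_t dstlen, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++) {
        if ((unsigned char)src[i] > 0x7F)   /* e.g. the UTF-8 bytes of U+2215 */
            return (size_t)-1;
        if (i + 1 >= dstlen)
            return (size_t)-1;
        dst[i] = src[i];
    }
    if (i >= dstlen)
        return (size_t)-1;
    dst[i] = '\0';
    return i + 1;
}

/* The faulty pattern: the conversion result is stored in a 32-bit length
 * and used as an offset without being compared against the error value.
 * On failure len is 0xFFFFFFFF, so buf + len is 4 GiB past the buffer on a
 * 64-bit host.  Returns that offset; the memset is done only when it is in
 * bounds so the demo does not crash (smbd performed it unconditionally). */
static uint64_t marshall_entry_unchecked(unsigned char *buf, size_t buflen,
                                         const char *name, int *wrote_in_bounds)
{
    uint32_t len = (uint32_t)push_ascii_demo((char *)buf, buflen, name);
    uint64_t pad_off = (uint64_t)len;          /* what buf + len evaluates to */

    *wrote_in_bounds = (pad_off + PAD_BYTES <= buflen);
    if (*wrote_in_bounds)
        memset(buf + pad_off, 0, PAD_BYTES);   /* the zero-fill from the advisory */
    return pad_off;
}

/* Fixed pattern: test the sentinel in the conversion's own width before the
 * value is narrowed or used in pointer arithmetic, check the padding fits,
 * and report failure so the caller skips the entry instead of marshalling
 * it.  Returns 0 on success, -1 on failure; *out_len is bytes consumed. */
static int marshall_entry_checked(unsigned char *buf, size_t buflen,
                                  const char *name, size_t *out_len)
{
    size_t len = push_ascii_demo((char *)buf, buflen, name);
    if (len == (size_t)-1)
        return -1;                             /* conversion failed */
    if (len > buflen || buflen - len < PAD_BYTES)
        return -1;                             /* no room for the padding */
    memset(buf + len, 0, PAD_BYTES);
    *out_len = len + PAD_BYTES;
    return 0;
}

int main(void)
{
    /* Constructed filenames: plain ASCII, and one containing U+2215
     * DIVISION SLASH as UTF-8 (E2 88 95), the kind of name in the report. */
    const char *ascii_name = "report.txt";
    const char *unicode_name = "a\xE2\x88\x95" "b";
    unsigned char buf[64];
    int in_bounds;
    size_t n;

    uint64_t off = marshall_entry_unchecked(buf, sizeof buf, unicode_name, &in_bounds);
    printf("unchecked: pad offset 0x%llx, write in bounds: %d\n",
           (unsigned long long)off, in_bounds);
    printf("checked: %s -> %d\n", ascii_name,
           marshall_entry_checked(buf, sizeof buf, ascii_name, &n));
    printf("checked: unicode name -> %d\n",
           marshall_entry_checked(buf, sizeof buf, unicode_name, &n));
    return 0;
}
```

The point to take from the demo is that the error sentinel must be compared in the width the callee returns it in; once the value has been narrowed to uint32_t or added to a pointer, the failure is indistinguishable from a very long string and every later bounds reasoning is built on it.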
Comment 2 Marcus Meissner 2014-06-23 12:10:34 UTC
is public now, see samba.org

23 June 2014

Samba 4.1.9, 4.0.19 and 3.6.24 Security Releases Available for Download

These are security releases in order to address CVE-2014-0244 (Denial of service - CPU loop) and CVE-2014-3493 (Denial of service - Server crash/memory corruption).
Comment 4 Lars Müller 2014-06-23 14:16:02 UTC
Fixed and submit requests filed.  Passing to the security team for further handling.
Comment 6 Bernhard Wiedemann 2014-06-23 15:04:09 UTC
This is an autogenerated message for OBS integration:
This bug (883758) was mentioned in
https://build.opensuse.org/request/show/238390 12.3 / samba
https://build.opensuse.org/request/show/238391 13.1 / samba
Comment 7 Bernhard Wiedemann 2014-06-23 19:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (883758) was mentioned in
https://build.opensuse.org/request/show/238432 Factory / samba
Comment 8 Swamp Workflow Management 2014-06-23 22:00:12 UTC
bugbot adjusting priority
Comment 9 Bernhard Wiedemann 2014-06-25 13:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (883758) was mentioned in
https://build.opensuse.org/request/show/238618 13.1 / samba
https://build.opensuse.org/request/show/238620 13.1 / samba
Comment 11 Bernhard Wiedemann 2014-06-25 14:01:00 UTC
This is an autogenerated message for OBS integration:
This bug (883758) was mentioned in
https://build.opensuse.org/request/show/238632 Factory / samba
Comment 12 Swamp Workflow Management 2014-07-01 10:07:15 UTC
openSUSE-SU-2014:0857-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 685093,872396,879390,880962,883758
CVE References: CVE-2014-0178,CVE-2014-0244,CVE-2014-3493
Sources used:
openSUSE 12.3 (src):    samba-3.6.12-59.23.1, samba-doc-3.6.12-59.23.1
Comment 13 Swamp Workflow Management 2014-07-01 10:10:42 UTC
openSUSE-SU-2014:0859-1: An update that solves four vulnerabilities and has 13 fixes is now available.

Category: security (moderate)
Bug References: 846586,866354,866927,869707,870570,870607,870957,871701,872396,873177,873658,874180,874656,875046,879390,880962,883758
CVE References: CVE-2014-0178,CVE-2014-0239,CVE-2014-0244,CVE-2014-3493
Sources used:
openSUSE 13.1 (src):    samba-4.1.9-3.22.1
Comment 14 Swamp Workflow Management 2014-07-15 19:55:32 UTC
Update released for: cifs-mount, ldapsmb, libldb-devel, libldb1, libldb1-32bit, libldb1-64bit, libldb1-x86, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbclient0-32bit, libsmbclient0-64bit, libsmbclient0-x86, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtalloc1-32bit, libtalloc1-64bit, libtalloc1-x86, libtalloc2, libtalloc2-32bit, libtalloc2-64bit, libtalloc2-x86, libtdb-devel, libtdb1, libtdb1-32bit, libtdb1-64bit, libtdb1-x86, libtevent-devel, libtevent0, libtevent0-32bit, libtevent0-64bit, libtevent0-x86, libwbclient-devel, libwbclient0, libwbclient0-32bit, libwbclient0-64bit, libwbclient0-x86, samba, samba-32bit, samba-64bit, samba-client, samba-client-32bit, samba-client-64bit, samba-client-x86, samba-debuginfo, samba-debuginfo-32bit, samba-debuginfo-64bit, samba-debuginfo-x86, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind, samba-winbind-32bit, samba-winbind-64bit, samba-winbind-x86, samba-x86
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP3 (i386, x86_64)
Comment 15 Swamp Workflow Management 2014-07-15 19:59:57 UTC
Update released for: cifs-mount, ldapsmb, libldb-devel, libldb1, libldb1-32bit, libldb1-x86, libnetapi-devel, libnetapi0, libsmbclient-devel, libsmbclient0, libsmbclient0-32bit, libsmbclient0-x86, libsmbsharemodes-devel, libsmbsharemodes0, libtalloc-devel, libtalloc1, libtalloc1-32bit, libtalloc1-x86, libtalloc2, libtalloc2-32bit, libtalloc2-x86, libtdb-devel, libtdb1, libtdb1-32bit, libtdb1-x86, libtevent-devel, libtevent0, libtevent0-32bit, libtevent0-x86, libwbclient-devel, libwbclient0, libwbclient0-32bit, libwbclient0-x86, samba, samba-32bit, samba-client, samba-client-32bit, samba-client-x86, samba-debuginfo, samba-debuginfo-32bit, samba-debuginfo-x86, samba-debugsource, samba-devel, samba-doc, samba-krb-printing, samba-vscan, samba-winbind, samba-winbind-32bit, samba-winbind-x86, samba-x86
Products:
SLE-DEBUGINFO 11-SP2 (i386, s390x, x86_64)
SLE-SERVER 11-SP2-LTSS (i386, s390x, x86_64)
Comment 16 Swamp Workflow Management 2014-07-15 23:06:09 UTC
SUSE-SU-2014:0899-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 872396,879390,880962,883758
CVE References: CVE-2014-0178,CVE-2014-0244,CVE-2014-3493
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    samba-3.6.3-0.52.5
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    samba-3.6.3-0.52.5, samba-doc-3.6.3-0.52.5
SUSE Linux Enterprise Server 11 SP3 (src):    samba-3.6.3-0.52.5, samba-doc-3.6.3-0.52.5
SUSE Linux Enterprise Desktop 11 SP3 (src):    samba-3.6.3-0.52.5, samba-doc-3.6.3-0.52.5
Comment 17 Swamp Workflow Management 2014-07-15 23:10:13 UTC
SUSE-SU-2014:0901-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 437293,726937,786677,844307,849224,863748,865561,872396,879390,880962,883758
CVE References: CVE-2013-4496,CVE-2014-0178,CVE-2014-0244,CVE-2014-3493
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    samba-3.4.3-1.54.4, samba-3.6.3-0.33.41.2, samba-doc-3.6.3-0.33.41.2
Comment 19 Swamp Workflow Management 2014-07-30 18:45:24 UTC
openSUSE-SU-2014:0944-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 880962,883758
CVE References: CVE-2014-0244,CVE-2014-3493
Sources used:
openSUSE 11.4 (src):    samba-3.6.3-134.1, samba-doc-3.6.3-134.1