OpenPKG Security Advisory
OpenPKG-SA-2004.054
Publisher Name: OpenPKG GmbH Publisher Home: http://openpkg.com/ Advisory Id (public): OpenPKG-SA-2004.054 Advisory Type: OpenPKG Security Advisory (SA) Advisory Directory: http://openpkg.com/go/OpenPKG-SA Advisory Document: http://openpkg.com/go/OpenPKG-SA-2004.054 Advisory Published: 2008-10-06 23:08 UTC Issue Id (internal): OpenPKG-SI-20041217.01 Issue First Created: 2004-12-17 Issue Last Modified: 2006-11-28 Issue Revision: 06
Subject Name: Samba Subject Summary: SMB/CIFS Server Subject Home: http://www.samba.org/ Subject Versions: * <= 3.0.9 Vulnerability Id: CVE-2004-0882, CVE-2004-0930, CVE-2004-1154 Vulnerability Scope: global (not OpenPKG specific) Attack Feasibility: run-time Attack Vector: remote network Attack Impact: denial of service, arbitrary code execution Description: Several vulnerabilities exist in the Samba SMB/CIFS server [1]. The OpenPKG team applied official patches where available and backported others to address all known issues. According to a security advisory [2] from Stefan Esser a Unicode filename buffer overflow within the handling of "TRANSACT2_QFILEPATHINFO" replies was discovered that allows remote execution of arbitrary code. CVE-2004-0882 A problem in the ms_fnmatch() function allows remote authenticated users to consume excessive CPU horsepower and cause a denial of service via a SMB request that contains multiple asterisk characters. CVE-2004-0930 According to a security advisory [3] from the Samba team, an integer overflow vulnerability in the "smbd" daemon could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges. CVE-2004-1154 References: [1] http://www.samba.org/ [2] http://security.e-matters.de/advisories/132004.html [3] http://us4.samba.org/samba/security/CVE-2004-1154.html [4] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0882 [5] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0930 [6] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1154 [7] http://www.openpkg.org/tutorial.html#regular-source [8] http://www.openpkg.org/tutorial.html#regular-binary [9] ftp://ftp.openpkg.org/release/2.2/UPD/samba-3.0.7-2.2.1.src.rpm [10] ftp://ftp.openpkg.org/release/2.1/UPD/samba-3.0.4-2.1.3.src.rpm [11] ftp://ftp.openpkg.org/release/2.2/UPD/ [12] ftp://ftp.openpkg.org/release/2.1/UPD/ [13] http://www.openpkg.org/security.html#signature
Primary Package Name: samba Primary Package Home: http://openpkg.org/go/package/samba Affected Distribution: Affected Branch: Affected Package: OpenPKG Community 2.1-SOLID samba-3.0.4-2.1.2 OpenPKG Community 2.2-SOLID samba-3.0.7-2.2.0 OpenPKG Community CURRENT samba-3.0.9-20041119 Corrected Distribution: Corrected Branch: Corrected Package: OpenPKG Community 2.1-SOLID samba-3.0.4-2.1.3 OpenPKG Community 2.2-SOLID samba-3.0.7-2.2.1 OpenPKG Community CURRENT samba-3.0.10-20041216
