Samba QFILEPATHINFO buffer overflow

samba-qfilepathinfo-bo (18070)

High Risk

Description:

Samba is vulnerable to a buffer overflow in the QFILEPATHINFO request handler. A remote authenticated attacker could send a specially-crafted TRANSACT2_QFILEPATHINFO request for a specific file name containing unicode characters to overflow a buffer and execute arbitrary code on the system.

Consequences:

Gain Access

Remedy:

Upgrade to the latest version of Samba (3.0.8 or later), available from the Samba Download Web page. See References.

For SuSE Linux:
Upgrade to the latest Samba package, as listed below. Refer to SuSE Security Announcement SuSE-SUSE-SA:2004:040 for more information. See References.

SuSE Linux 9.1: 3.0.7-5.2 or later
SuSE Linux 9.2: 3.0.4-1.34.3 or later

For Trustix Secure Linux:
Upgrade to the latest samba package, as listed below. Refer to Trustix Secure Linux Security Advisory #2004-0058 for more information. See References.

Trustix Secure Linux 2.2: 3.0.7-2tr or later
Trustix Secure Linux 2.1: 3.0.7-2tr or later

For Red Hat Linux:
Upgrade to the latest samba package, as listed below. Refer to RHSA-2004:632-17 for more information. See References.

Red Hat Enterprise Linux AS (v. 2.1), ES (v. 2.1), WS (v. 2.1), and Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor: 2.2.12-1.21as.1 or later
Red Hat Enterprise Linux AS (v. 3), ES (v. 3), WS (v. 3), Desktop: 3.0.7-1.3E.1.x86_64 or later

For Mandrake Linux:
Upgrade to the latest samba package, as listed below. Refer to MandrakeSoft Security Advisory MDKSA-2004:136 for more information. See References.

Mandrake Linux 10.0: 3.0.6-4.3.100mdk or later
Mandrake Linux 10.1: 3.0.7-2.2.101mdk or later

For Conectiva Linux:
Upgrade to the latest samba package, as listed below. Refer to Conectiva Linux Security Announcement CLSA-2004:899 for more information. See References.

Conectiva Linux 10.0: 3.0.7-62749U10_6cl or later

For Ubuntu Linux:
Upgrade to the latest samba package (3.0.7-1ubuntu6.2 or later), as listed in USN-29-1. See References.

For Fedora Core 3:
Upgrade to the latest samba package (3.0.9-1.fc3 or later), as listed in Fedora Update Notification FEDORA-2004-460. See References.

For Fedora Core 2:
Upgrade to the latest samba package (3.0.9-1.fc2 or later), as listed in Fedora Update Notification FEDORA-2004-459. See References.

For TurboLinux:
Upgrade to the latest samba package, as listed below. Refer to TurboLinux Security Advisory TLSA-2004-32 for more information. See References.

TurboLinux 10 Server: 3.0.6-9 or later

For SCO UnixWare 7.1.4:
Upgrade to the appropriate fixed binaries, as listed in SCO Security Advisory SCOSA-2005.17. See References.

For OpenPKG:
Refer to OpenPKG Security Advisory OpenPKG-SA-2004.054 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

References:

• CIAC Information Bulletin P-038: Samba Vulnerabilities.
• Conectiva Linux Security Announcement CLSA-2004:899: Fix for Samba's denial of service vulnerability.
• Fedora Update Notification FEDORA-2004-459: samba-3.0.9-1.fc2 update.
• Fedora Update Notification FEDORA-2004-460: samba-3.0.9-1.fc3 update.
• Samba Download Web page: Download Samba.
• SCO Security Advisory SCOSA-2005.17: UnixWare 7.1.4 : Samba multiple security issues.
• Securiteam: Samba 3.x QFILEPATHINFO unicode filename buffer overflow.
• Trustix Secure Linux Security Advisory #2004-0058: Various security fixes.
• BID-11678: Samba QFILEPATHINFO Unicode Filename Remote Buffer Overflow Vulnerability
• CVE-2004-0882: Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small maximum data bytes value.
• GLSA-200411-21: Samba: Multiple vulnerabilities
• MDKSA-2004:136: Updated samba packages fix remote vulnerability
• OpenPKG-SA-2004.054: Samba
• RHSA-2004-632: samba security update
• SA13189: Samba QFILEPATHINFO Request Handler Buffer Overflow Vulnerability
• SECTRACK ID: 1012235: Samba QFILEPATHINFO Buffer Overflow Lets Remote Authenticated Users Execute Arbitrary Code
• SUSE-SA:2004:040: samba: remote denial of service

Platforms Affected:

• Canonical Ubuntu 4.10
• Conectiva Linux 10
• FedoraProject Fedora Core 2
• FedoraProject Fedora Core 3
• Gentoo Linux
• MandrakeSoft Mandrake Linux 10.0 AMD64
• MandrakeSoft Mandrake Linux 10.0
• MandrakeSoft Mandrake Linux 10.1 X86_64
• MandrakeSoft Mandrake Linux 10.1
• Novell Linux Desktop 9
• OpenPKG OpenPKG 2.1
• OpenPKG OpenPKG 2.2
• OpenPKG OpenPKG CURRENT
• RedHat Enterprise Linux 2.1 WS
• RedHat Enterprise Linux 2.1 AS
• RedHat Enterprise Linux 2.1 ES
• RedHat Enterprise Linux 3 WS
• RedHat Enterprise Linux 3 ES
• RedHat Enterprise Linux 3 Desktop
• RedHat Enterprise Linux 3 AS
• RedHat Linux Advanced Workstation 2.1 Itanium
• Samba Samba 3.0 Alpha
• Samba Samba 3.0.0
• Samba Samba 3.0.1
• Samba Samba 3.0.2
• Samba Samba 3.0.2a
• Samba Samba 3.0.3
• Samba Samba 3.0.4
• Samba Samba 3.0.4 R1
• Samba Samba 3.0.5
• Samba Samba 3.0.6
• Samba Samba 3.0.7
• SCO SCO UnixWare 7.1.4
• SuSE Linux Enterprise Server 9
• SUSE SuSE Linux 9.1
• SUSE SuSE Linux 9.2
• Trustix Secure Linux 2.1
• Trustix Secure Linux 2.2
• Turbolinux Turbolinux 10 Server

Reported:

Nov 15, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page