SCO Information for VU#958321

Samba contains a remotely exploitable stack buffer overflow

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

SCO Security Advisory

Subject: OpenLinux: Various serious Samba vulnerabilities
Advisory number: CSSA-2003-017.0
Issue date: 2003 May 02
Cross reference:
______________________________________________________________________________


1. Problem Description

This update addresses the following Samba issues:

A bug in the length checking for encrypted password change
requests from clients could be exploited using a buffer
overrun attack on the smbd stack.


A vulnerability that could lead to an anonymous user gaining
root access on a Samba serving system.


A chown race condition that could allow overwriting of
critical system files if exploited.


A buffer overflow in the call_trans2open function in trans2.c
allows remote attackers to execute arbitrary code.


Multiple buffer overflows that may allow remote attackers to
execute arbitrary code or cause a denial of service.



2. Vulnerable Supported Versions

System Package
----------------------------------------------------------------------


OpenLinux 3.1.1 Server prior to libsmbclient-2.2.2-7.i386.rpm
prior to samba-2.2.2-7.i386.rpm
prior to samba-doc-2.2.2-7.i386.rpm
prior to smbfs-2.2.2-7.i386.rpm
prior to swat-2.2.2-7.i386.rpm


OpenLinux 3.1.1 Workstation prior to libsmbclient-2.2.2-7.i386.rpm
prior to samba-2.2.2-7.i386.rpm
prior to samba-doc-2.2.2-7.i386.rpm
prior to smbfs-2.2.2-7.i386.rpm
prior to swat-2.2.2-7.i386.rpm



3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.



4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/RPMS

4.2 Packages

a4f667678f6a3c283491ae04480625d6 libsmbclient-2.2.2-7.i386.rpm
8c95e0b81771bb703e08937125e8c9bf samba-2.2.2-7.i386.rpm
2a590b5458186279fd3bb17bb87c5af3 samba-doc-2.2.2-7.i386.rpm
fcabaf8b0567ed5faad0e2fe8e206f92 smbfs-2.2.2-7.i386.rpm
bd13c1771c2267549916f3afb60ad019 swat-2.2.2-7.i386.rpm


4.3 Installation

rpm -Fvh libsmbclient-2.2.2-7.i386.rpm
rpm -Fvh samba-2.2.2-7.i386.rpm
rpm -Fvh samba-doc-2.2.2-7.i386.rpm
rpm -Fvh smbfs-2.2.2-7.i386.rpm
rpm -Fvh swat-2.2.2-7.i386.rpm


4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/SRPMS

4.5 Source Packages

403ddcea6384a309768066e06941a68f samba-2.2.2-7.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/RPMS

5.2 Packages

c04cb8377d18180c6b914ed9d0d1d4e3 libsmbclient-2.2.2-7.i386.rpm
aad7fa4db863931a9c57b8720e17cbb6 samba-2.2.2-7.i386.rpm
be052cbf6e77f05ad1cbc7fba57be7bd samba-doc-2.2.2-7.i386.rpm
4bf70f287baf74e47ef5cff351a7a740 smbfs-2.2.2-7.i386.rpm
906d1705b64767cd774e29287b5ab437 swat-2.2.2-7.i386.rpm


5.3 Installation

rpm -Fvh libsmbclient-2.2.2-7.i386.rpm
rpm -Fvh samba-2.2.2-7.i386.rpm
rpm -Fvh samba-doc-2.2.2-7.i386.rpm
rpm -Fvh smbfs-2.2.2-7.i386.rpm
rpm -Fvh swat-2.2.2-7.i386.rpm


5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/SRPMS

5.5 Source Packages

21c0df3f652692c3db10dd5783e78e93 samba-2.2.2-7.src.rpm


6. References

Specific references for this advisory:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201

SCO security resources:

http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr876764, sr875830,
sr872195, fz527679, fz527532, fz526744, erg712283, erg712263,
erg712169.



7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.



8. Acknowledgements

Steve Langasek (Debian), Sebastian Krahmer (SuSE), and Digital
Defense Inc. discovered and researched these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.