
CERT Coordination Center

Samba contains a remotely exploitable stack buffer overflow

Vulnerability Note VU#958321

Original Release Date: 2002-12-13 | Last Revised: 2003-05-16

Overview

A remotely exploitable stack buffer overflow exists in the Samba server daemon (smbd).

Description

Versions 2.2.2 through 2.2.6 of Samba contain a remotely exploitable stack buffer overflow. The Samba Team describes Samba as follows:

The Samba software suite is a collection of programs that implements the Server Message Block (commonly abbreviated as SMB) protocol for UNIX systems. This protocol is sometimes also referred to as the Common Internet File System (CIFS), LanManager or NetBIOS protocol.

The Samba Team describes the vulnerability as follows:

There was a bug in the length checking for encrypted password change requests from clients. A client could potentially send an encrypted password, which, when decrypted with the old hashed password could be used as a buffer overrun attack on the stack of smbd. The attack would have to be crafted such that converting a DOS codepage string to little endian UCS2 unicode would translate into an executable block of code.
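
The following C sketch is an added illustration of this class of length-check bug and is not Samba's code: converting n bytes of a single-byte DOS codepage string to little-endian UCS2 emits 2n bytes, so a check made against the input length alone does not protect a fixed-size destination. The function names, the 128-byte buffer size and the identity byte-to-code-unit mapping are assumptions made for the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical destination size in bytes; not a value taken from Samba. */
#define PW_UCS2_BUF 128

/* Bytes emitted when n single-byte characters are converted to
 * little-endian UCS2, including the two-byte terminator.
 * Returns 0 if the arithmetic would overflow size_t. */
size_t ucs2le_bytes_needed(size_t n)
{
    if (n > (SIZE_MAX - 2) / 2)
        return 0;
    return 2 * n + 2;
}

/* Flawed check: validates the input length against the destination
 * size and forgets that the conversion doubles the byte count. */
int flawed_length_ok(size_t src_len, size_t dst_size)
{
    return src_len <= dst_size;
}

/* Correct check: validates the converted length, terminator included. */
int output_length_ok(size_t src_len, size_t dst_size)
{
    size_t need = ucs2le_bytes_needed(src_len);
    return need != 0 && need <= dst_size;
}

/* Bounded conversion. Returns the number of bytes written (terminator
 * excluded) or -1 if the result would not fit in dst.
 * Simplification: each input byte maps to the code unit of the same
 * value; a real codepage conversion uses a lookup table. */
long dos_to_ucs2le(uint8_t *dst, size_t dst_size,
                   const uint8_t *src, size_t src_len)
{
    size_t i;

    if (dst == NULL || src == NULL || !output_length_ok(src_len, dst_size))
        return -1;
    for (i = 0; i < src_len; i++) {
        dst[2 * i] = src[i];      /* low byte first: little endian */
        dst[2 * i + 1] = 0;
    }
    dst[2 * src_len] = 0;         /* two-byte terminator */
    dst[2 * src_len + 1] = 0;
    return (long)(2 * src_len);
}

int main(void)
{
    uint8_t out[PW_UCS2_BUF];
    uint8_t pw[100];              /* constructed input: 100 bytes of 'A' */
    size_t i;

    for (i = 0; i < sizeof pw; i++)
        pw[i] = 'A';

    printf("input: %zu bytes, destination: %zu bytes\n",
           sizeof pw, sizeof out);
    printf("input-length check passes: %d\n",
           flawed_length_ok(sizeof pw, sizeof out));
    printf("bytes the conversion needs: %zu\n",
           ucs2le_bytes_needed(sizeof pw));
    printf("bounded conversion returns: %ld\n",
           dos_to_ucs2le(out, sizeof out, pw, sizeof pw));
    return 0;
}
```

A 100-byte input passes the input-length check against the 128-byte buffer even though the converted form needs 202 bytes; the bounded routine rejects it instead of writing past the end.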

Impact

A remote attacker can execute arbitrary code with superuser privileges or can cause smbd to crash.

Solution

Apply a patch from your vendor.

Vendor Information


Conectiva

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --------------------------------------------------------------------------

PACKAGE   : samba
SUMMARY   : Buffer overflow vulnerability
DATE      : 2002-11-22 16:13:00
ID        : CLA-2002:550
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -------------------------------------------------------------------------

DESCRIPTION
Samba is a server that provides SMB services such as file and printer
sharing for other SMB clients, such as Windows(R).

 Steve Langasek and Eloy Paris discovered a vulnerability in Samba
versions 2.2.2 to 2.2.6 which may allow a remote attacker to execute
arbitrary code in the server context. The vulnerability, which is a
buffer overflow in a function used to decrypt hashed passwords, can
be exploited by an attacker when authenticating a valid account in
the samba server. In order to successfully run arbitrary code, the
overflow must be crafted such that converting a DOS codepage string
to little endian UCS2 unicode translates into an executable block of
code.

 This update also adds other fixes for potential buffer overflows from
samba 2.2.7 that are not part of the standard patch supplied by the
samba authors in their announcement[1]. The samba package distributed
in Conectiva Linux 6.0 (samba-2.0.9) is not vulnerable to the
announced buffer overflow, but it is being upgraded with these
additional fixes.


SOLUTION
All samba users should upgrade their packages immediately. This
update will automatically restart the samba service if it is already
running.


 REFERENCES:
1.http://us1.samba.org/samba/whatsnew/samba-2.2.7.html


DIRECT DOWNLOAD LINKS TO THE UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-2.0.9-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-clients-2.0.9-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-doc-2.0.9-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/samba-swat-2.0.9-2U60_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/samba-2.0.9-2U60_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-2.2.1a-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-clients-2.2.1a-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-codepagesource-2.2.1a-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-common-2.2.1a-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-doc-2.2.1a-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/samba-swat-2.2.1a-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/samba-2.2.1a-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-2.2.3a-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-clients-2.2.3a-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-codepagesource-2.2.3a-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-common-2.2.3a-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-doc-2.2.3a-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/samba-swat-2.2.3a-2U80_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/samba-2.2.3a-2U80_1cl.src.rpm


ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:
- add the following line to /etc/apt/sources.list if it is not there yet
  (you may also use linuxconf to do this):

 rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(replace 6.0 with the correct version number if you are not running CL6.0)

 - run:                 apt-get update
- after that, execute: apt-get upgrade

 Detailed instructions regarding the use of apt and upgrade examples
can be found at
http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -------------------------------------------------------------------------
All packages are signed with Conectiva's GPG key. The key and instructions
on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can be
found at
http://distro.conectiva.com.br/seguranca/politica/?idioma=en
- -------------------------------------------------------------------------
All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en

- -------------------------------------------------------------------------
subscribe: conectiva-updates-subscribe@papaleguas.conectiva.com.br
unsubscribe: conectiva-updates-unsubscribe@papaleguas.conectiva.com.br
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see
http://www.gnupg.org

iD8DBQE93nQm42jd0JmAcZARArgCAJ9YPRJ1FpbqRjsEGxzJyNwFVpx+5wCghRqK
z0/Pjh2DW/QHKDirF+aPSMM=
=YuUd
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

- ------------------------------------------------------------------------
Debian Security Advisory DSA-200-1                   security@debian.org
http://www.debian.org/security/                         Wichert Akkerman
November 22, 2002
- ------------------------------------------------------------------------


Package        : samba
Problem type   : remote exploit
Debian-specific: no

Steve Langasek found an exploitable bug in the password handling
code in samba: when converting from DOS code-page to little endian
UCS2 unicode a buffer length was not checked and a buffer could
be overflowed. There is no known exploit for this, but an upgrade
is strongly recommended.

This problem has been fixed in version 2.2.3a-12 of the Debian
samba packages and upstream version 2.2.7.


- ------------------------------------------------------------------------

Obtaining updates:

  By hand:
   wget URL
       will fetch the file for you.
   dpkg -i FILENAME.deb
       will install the fetched file.

  With apt:
   deb http://security.debian.org/ stable/updates main
       added to /etc/apt/sources.list will provide security updates

Additional information can be found on the Debian security webpages
at
http://www.debian.org/security/

- ------------------------------------------------------------------------


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Woody was released for alpha, arm, hppa, i386, ia64, m68k, mips, mipsel,
 powerpc, s390 and sparc. At this moment updates for m68k, mips and
 mipsel are not yet available.


- --
- ----------------------------------------------------------------------------
Debian Security team <team@security.debian.org>
http://www.debian.org/security/
Mailing-List: debian-security-announce@lists.debian.org


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQB1AwUBPd6RtajZR/ntlUftAQEf+wMAlu1wMw5wBrfe0NlmpNWJ1Kz+wpCk9/J6
W9XHAk1+oiwOiW3QLYJ56xt8RFfvTgaQA1urU8XLVCLCIHet6VOyA9EGAgudFspF
FuMKXgv/v8ZNZ45AyeqCJcRTNXoS64TH
=zLu1
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Gentoo Linux

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200211-007
- - --------------------------------------------------------------------

PACKAGE : samba
SUMMARY : remote root access
DATE    : 2002-11-21 09:11 UTC
EXPLOIT : remote

- - --------------------------------------------------------------------

- From 2.2.7 release notes:

There was a bug in the length checking for encrypted password change
requests from clients. A client could potentially send an encrypted
password, which, when decrypted with the old hashed password could be
used as a buffer overrun attack on the stack of smbd. The attack would
have to be crafted such that converting a DOS codepage string to little
endian UCS2 unicode would translate into an executable block of code.

Read the full release notes at
http://se.samba.org/samba/whatsnew/samba-2.2.7.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-fs/samba-2.2.5-r1 and earlier update their systems as follows:

emerge rsync
emerge samba
emerge clean

- - --------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
woodchip@gentoo.org
- - --------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE93KKCfT7nyhUpoZMRAoZeAKCb7Jdu+glo0BIN3wq4+cDSbmQLKACgnbaY
2+7FwJUYxYALLzhRpckJuNE=
=PWpJ
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Hewlett-Packard Company

Updated:  December 12, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

HP Support Information Digests

===============================================================================
o  Security Bulletin Digest Split
  ------------------------------

   The security bulletins digest has been split into multiple digests
  based on the operating system (HP-UX, MPE/iX, and HP Secure OS
  Software for Linux).  You will continue to receive all security
  bulletin digests unless you choose to update your subscriptions.

   To update your subscriptions, use your browser to access the
  IT Resource Center on the World Wide Web at:

     http://support.itrc.hp.com/

   Under the Maintenance and Support Menu, click on the "more..." link.
  Then use the 'login' link at the left side of the screen to login
  using your IT Resource Center User ID and Password.

   Under the notifications section (near the bottom of the page), select
  Support Information Digests.

   To subscribe or unsubscribe to a specific security bulletin digest,
  select or unselect the checkbox beside it. Then click the
  "Update Subscriptions" button at the bottom of the page.

o  IT Resource Center World Wide Web Service
  ---------------------------------------------------

   If you subscribed through the IT Resource Center and would
  like to be REMOVED from this mailing list, access the
  IT Resource Center on the World Wide Web at:

     http://support.itrc.hp.com/

   Login using your IT Resource Center User ID and Password.
  Then select Support Information Digests (located under
  Maintenance and Support).  You may then unsubscribe from the
  appropriate digest.
===============================================================================


Digest Name:  daily HP-UX security bulletins digest
   Created:  Wed Dec 11  6:00:03 EST 2002

Table of Contents:

Document ID      Title
---------------  -----------
HPSBUX0212-232   SSRT2370 Sec. Vulnerability with ntpd on HP-UX
HPSBUX0212-230   SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2 2
HPSBUX0212-231   SSRT2434  Sec. vulnerability with HP-UX Visualize Conference

The documents are listed below.
-------------------------------------------------------------------------------


Document ID:  HPSBUX0212-232
Date Loaded:  20021210
     Title:  SSRT2370 Sec. Vulnerability with ntpd on HP-UX

TEXT





 -----------------------------------------------------------------
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0212-233
Originally issued: 10 Dec 2002
SSRT2370 Sec. Vulnerability with ntpd on HP-UX
-----------------------------------------------------------------

NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

The information in the following Security Bulletin should be
acted upon as soon as possible.  Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.

 ------------------------------------------------------------------
PROBLEM:  xntpd software may HANG or exhibit extremely poor
         performance.

IMPACT:   Potential denial of service (DoS).

PLATFORM: HP 9000 Series 700 and 800 running HP-UX releases 10.20,
         10.24, 11.00, 11.04 and 11.11 using the xntpd software.

SOLUTION: Retrieve and apply the following patches:

          for HP-UX 10.20:          PHNE_24510
         for HP-UX 10.24(VVOS):    PHNE_28002
         for HP-UX 11.00:          PHNE_27223
         for HP-UX 11.04(VVOS):    PHNE_27442
         for HP-UX 11.11:          PHNE_24512

MANUAL ACTIONS: No

AVAILABILITY:  All patches are currently available from <itrc.hp.com>.
------------------------------------------------------------------
A. Background
   Some HP-UX systems running the latest xntpd software may HANG
   or exhibit extremely poor performance.

 B. Recommended solution
   HP has made available a patch to upgrade NTP timeservices.
   Retrieve and apply the following patches to affected systems.
         for HP-UX 10.20:          PHNE_24510
                   10.24(VVOS):    PHNE_28002
                   11.00:          PHNE_27223
                   11.04(VVOS):    PHNE_27442
                   11.11:          PHNE_24512

    The patches do not require a reboot.  The problem is fixed in
   HP-UX release 11.22.

 C. To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP IT Resource Center via electronic
   mail, do the following:

    Use your browser to get to the HP IT Resource Center page
   at:

       http://itrc.hp.com

    Use the 'Login' tab at the left side of the screen to login
   using your ID and password.  Use your existing login or the
   "Register" button at the left to create a login, in order to
   gain access to many areas of the ITRC.  Remember to save the
   User ID assigned to you, and your password.

    In the left most frame select "Maintenance and Support".

    Under the "Notifications" section (near the bottom of
   the page), select "Support Information Digests".

    To -subscribe- to future HP Security Bulletins or other
   Technical Digests, click the check box (in the left column)
   for the appropriate digest and then click the "Update
   Subscriptions" button at the bottom of the page.

    or

    To -review- bulletins already released, select the link
   (in the middle column) for the appropriate digest.

    To -gain access- to the Security Patch Matrix, select
   the link for "The Security Bulletins Archive".  (near the
   bottom of the page)  Once in the archive the third link is
   to the current Security Patch Matrix. Updated daily, this
   matrix categorizes security patches by platform/OS release,
   and by bulletin topic.  Security Patch Check completely
   automates the process of reviewing the patch matrix for
   11.XX systems.

    For information on the Security Patch Check tool, see:
   
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
   displayProductInfo.pl?productNumber=B6834AA

    The security patch matrix is also available via anonymous
   ftp:

    ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

    On the "Support Information Digest Main" page:
   click on the "HP Security Bulletin Archive".

 D. To report new security vulnerabilities, send email to

    security-alert@hp.com

    Please encrypt any exploit information using the
   security-alert PGP key, available from your local key
   server, or by sending a message with a -subject- (not body)
   of 'get key' (no quotes) to security-alert@hp.com.

 ------------------------------------------------------------------

(c) Copyright 2002 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.

 ________________________________________________________________
--
-----End of Document ID:  HPSBUX0212-232--------------------------------------


Document ID:  HPSBUX0212-230
Date Loaded:  20021210
     Title:  SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2 2

TEXT





 -----------------------------------------------------------------
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0212-0230
Originally issued: 10 Dec 2002
SSRT2437 Sec. Vulnerability in CIFS/9000 Samba Server2.2
-----------------------------------------------------------------

NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

The information in the following Security Bulletin should be
acted upon as soon as possible.  Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.

 ------------------------------------------------------------------
PROBLEM: CIFS/9000 Server 2.2 buffer overflow vulnerability.

IMPACT: Potential root access.

PLATFORM: HP 9000 servers running the following CIFS Server versions:

          - A.01.08
         - A.01.08.01
         - A.01.09

SOLUTION: Update to CIFS Server 2.2 version A.01.09.01

MANUAL ACTIONS: Yes - Update to version A.01.09.01

AVAILABILITY: CIFS Server 2.2 version A.01.09.01 is currently
             available from:
         <http://www.software.hp.com/NSM_products_list.html>

 ------------------------------------------------------------------

 A. Background
   A buffer overrun has been discovered in the HP CIFS Server
   version A.01.09 and earlier. There is no known exploit of
   this vulnerability, and the Samba Team has not been able to
   craft one themselves.
   Nevertheless, the Samba Team has judged the vulnerability
   significant and announced the defect and fix in their latest
   release.  HP has integrated the fix into the latest release
   of CIFS Server 2.2
   For additional details, see:
   http://www.samba.org/samba/whatsnew/samba-2.2.7.html

 B. Recommended solution
   Upgrade to CIFS Server 2.2 version A.01.09.01
   which is currently available from:

    <http://www.software.hp.com/NSM_products_list.html>

    It is the product B8725AA, CIFS/9000 Server 2.2.c.


 C. To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP IT Resource Center via electronic
   mail, do the following:

    Use your browser to get to the HP IT Resource Center page
   at:

       http://itrc.hp.com

    Use the 'Login' tab at the left side of the screen to login
   using your ID and password.  Use your existing login or the
   "Register" button at the left to create a login, in order to
   gain access to many areas of the ITRC.  Remember to save the
   User ID assigned to you, and your password.

    In the left most frame select "Maintenance and Support".

    Under the "Notifications" section (near the bottom of
   the page), select "Support Information Digests".
   To -subscribe- to future HP Security Bulletins or other
   Technical Digests, click the check box (in the left column)
   for the appropriate digest and then click the "Update
   Subscriptions" button at the bottom of the page.

    or

    To -review- bulletins already released, select the link
   (in the middle column) for the appropriate digest.

    To -gain access- to the Security Patch Matrix, select
   the link for "The Security Bulletins Archive".  (near the
   bottom of the page)  Once in the archive the third link is
   to the current Security Patch Matrix. Updated daily, this
   matrix categorizes security patches by platform/OS release,
   and by bulletin topic.  Security Patch Check completely
   automates the process of reviewing the patch matrix for
   11.XX systems.

    For information on the Security Patch Check tool, see:
    http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

    The security patch matrix is also available via anonymous
   ftp:

    ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

    On the "Support Information Digest Main" page:
   click on the "HP Security Bulletin Archive".

 D. To report new security vulnerabilities, send email to

    security-alert@hp.com

    Please encrypt any exploit information using the
   security-alert PGP key, available from your local key
   server, or by sending a message with a -subject- (not body)
   of 'get key' (no quotes) to security-alert@hp.com.

 ------------------------------------------------------------------

(c) Copyright 2002 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.

 ________________________________________________________________
--
-----End of Document ID:  HPSBUX0212-230--------------------------------------


Document ID:  HPSBUX0212-231
Date Loaded:  20021210
     Title:  SSRT2434  Sec. vulnerability with HP-UX Visualize Conference

TEXT





 -----------------------------------------------------------------
Source: HEWLETT-PACKARD COMPANY
SECURITY BULLETIN: HPSBUX0212-231
Originally issued: 11 December 2002
SSRT2434  Security vulnerability with HP-UX Visualize Conference
-----------------------------------------------------------------

NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

The information in the following Security Bulletin should be
acted upon as soon as possible.  Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.

 ------------------------------------------------------------------
PROBLEM: The installation of HP-UX Visualize Conference leaves
        certain directories with insecure permissions.

IMPACT: Potential increase in privileges, unauthorized access.

PLATFORM: HP 9000 Series 700 and 800, HP-UX 11.00 and 11.11 systems
         which have ever installed HP-UX Visualize Conference
         version B.11.00.11.

SOLUTION: Change the insecure directory permissions.

MANUAL ACTIONS: Yes - NonUpdate
               Change ownership and permissions as follows:
                /etc/dt                     755 bin/bin
                /etc/dt/appconfig           755 root/sys
                /etc/dt/appconfig/icons     755 root/sys
                /etc/dt/appconfig/icons/C   755 root/sys
                /etc/dt/appconfig/types     755 root/sys
                /etc/dt/appconfig/types/C   755 root/sys

AVAILABILITY:  This bulletin will be revised when a product
              update is available.
------------------------------------------------------------------
A. Background
   If HP-UX Visualize Conference version B.11.00.11 has ever been
   installed on an 11.00 or 11.11 system the permissions of
   certain directories may be insecure.

    The installation of HP-UX Visualize Conference may leave
   certain directories with insecure permissions.  The
   vulnerability is not with the HP-UX Visualize Conference
   product itself, but rather with the state of the directory
   permissions after HP-UX Visualize Conference has been installed.
   The vulnerability remains even after HP-UX Visualize Conference
   is removed.

    The problem arises if the directories do not exist at the time
   HP-UX Visualize Conference version B.11.00.11 is installed.
   Therefore not all systems with HP-UX Visualize Conference
   version B.11.00.11 are vulnerable.  Also once the directory
   permissions are corrected a subsequent reinstallation of
   HP-UX Visualize Conference version B.11.00.11 will not alter
   the permissions.

 B. Recommended solution

    Change the insecure directory permissions using the following
   procedure or the equivalent:

    As root create a script "chown_chmod":

      #!/sbin/sh
      # chown_chmod root:sys 755 file
      # $1 = owner:group, $2 = mode, $3 = path
      chown "$1" "$3"
      chmod "$2" "$3"

    Then:

      chown_chmod bin:bin  755 /etc/dt
      chown_chmod root:sys 755 /etc/dt/appconfig
      chown_chmod root:sys 755 /etc/dt/appconfig/icons
      chown_chmod root:sys 755 /etc/dt/appconfig/icons/C
      chown_chmod root:sys 755 /etc/dt/appconfig/types
      chown_chmod root:sys 755 /etc/dt/appconfig/types/C


 C. To subscribe to automatically receive future NEW HP Security
   Bulletins from the HP IT Resource Center via electronic
   mail, do the following:

    Use your browser to get to the HP IT Resource Center page
   at:

       http://itrc.hp.com

    Use the 'Login' tab at the left side of the screen to login
   using your ID and password.  Use your existing login or the
   "Register" button at the left to create a login, in order to
   gain access to many areas of the ITRC.  Remember to save the
   User ID assigned to you, and your password.

    In the left most frame select "Maintenance and Support".

    Under the "Notifications" section (near the bottom of
   the page), select "Support Information Digests".

    To -subscribe- to future HP Security Bulletins or other
   Technical Digests, click the check box (in the left column)
   for the appropriate digest and then click the "Update
   Subscriptions" button at the bottom of the page.

    or

    To -review- bulletins already released, select the link
   (in the middle column) for the appropriate digest.

    To -gain access- to the Security Patch Matrix, select
   the link for "The Security Bulletins Archive".  (near the
   bottom of the page)  Once in the archive the third link is
   to the current Security Patch Matrix. Updated daily, this
   matrix categorizes security patches by platform/OS release,
   and by bulletin topic.  Security Patch Check completely
   automates the process of reviewing the patch matrix for
   11.XX systems.

    For information on the Security Patch Check tool, see:
    http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

    The security patch matrix is also available via anonymous
   ftp:

    ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

    On the "Support Information Digest Main" page:
   click on the "HP Security Bulletin Archive".

 D. To report new security vulnerabilities, send email to

    security-alert@hp.com

    Please encrypt any exploit information using the
   security-alert PGP key, available from your local key
   server, or by sending a message with a -subject- (not body)
   of 'get key' (no quotes) to security-alert@hp.com.

 ------------------------------------------------------------------

(c)Copyright 2002 Hewlett-Packard Company
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
in this document is subject to change without notice.
Hewlett-Packard Company and the names of HP products referenced
herein are trademarks and/or service marks of Hewlett-Packard
Company.  Other product and company names mentioned herein may be
trademarks and/or service marks of their respective owners.

 ________________________________________________________________
-----End of Document ID:  HPSBUX0212-231--------------------------------------

If you have feedback, comments, or additional information about this vulnerability, please send us email.
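A read-only audit counterpart to the chown_chmod procedure in HPSBUX0212-231 above, added here as an example and not part of HP's bulletin. The paths, modes and owners come from the bulletin's table; the function names, the `--audit` switch and the optional root prefix are assumptions of this sketch. It reads `ls -ld` so that it does not depend on a `stat` command.

```shell
#!/bin/sh
# Added example: report which bulletin directories differ from the
# ownership and mode HPSBUX0212-231 asks for. Changes nothing on disk.

# "path mode owner group", copied from the bulletin's MANUAL ACTIONS table.
EXPECTED='/etc/dt 755 bin bin
/etc/dt/appconfig 755 root sys
/etc/dt/appconfig/icons 755 root sys
/etc/dt/appconfig/icons/C 755 root sys
/etc/dt/appconfig/types 755 root sys
/etc/dt/appconfig/types/C 755 root sys'

# octal_to_sym 755 -> rwxr-xr-x (plain permission digits, no special bits)
octal_to_sym() {
    sym=''
    rest=$1
    while [ -n "$rest" ]; do
        digit=${rest%"${rest#?}"}    # first character of $rest
        rest=${rest#?}
        case $digit in
            0) sym="${sym}---" ;;
            1) sym="${sym}--x" ;;
            2) sym="${sym}-w-" ;;
            3) sym="${sym}-wx" ;;
            4) sym="${sym}r--" ;;
            5) sym="${sym}r-x" ;;
            6) sym="${sym}rw-" ;;
            7) sym="${sym}rwx" ;;
            *) return 1 ;;
        esac
    done
    printf '%s\n' "$sym"
}

# check_dir PATH MODE OWNER GROUP
# Returns 0 if PATH matches, 1 if it differs (reasons on stdout), 2 if missing.
check_dir() {
    path=$1
    want=$(octal_to_sym "$2") || return 1
    want_owner=$3
    want_group=$4
    if [ ! -e "$path" ] && [ ! -h "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    # ls -ld fields: type+permissions, links, owner, group, ...
    # Characters 2-10 of field 1 are the rwx bits; a trailing ACL marker is dropped.
    line=$(ls -ld "$path" |
        awk '{ print substr($1, 1, 1), substr($1, 2, 9), $3, $4 }')
    set -- $line
    rc=0
    if [ "$1" != d ]; then
        echo "NOT-DIR  $path has type '$1' (symlink or file where a directory belongs)"
        rc=1
    fi
    [ "$2" = "$want" ] || { echo "MODE     $path is $2, expected $want"; rc=1; }
    [ "$3" = "$want_owner" ] && [ "$4" = "$want_group" ] || {
        echo "OWNER    $path is $3:$4, expected $want_owner:$want_group"
        rc=1
    }
    return $rc
}

# audit_dt [ROOT]: check every entry, optionally under a ROOT prefix
# (hypothetical parameter, for auditing a mounted copy of the filesystem).
# Returns 0 only when every directory matches.
audit_dt() {
    root=${1:-}
    findings=0
    while read -r p mode owner group; do
        check_dir "$root$p" "$mode" "$owner" "$group" ||
            findings=$((findings + 1))
    done <<EOF
$EXPECTED
EOF
    [ "$findings" -eq 0 ]
}

# Usage: sh thisfile --audit [ROOT]
case "${1:-}" in
    --audit) audit_dt "${2:-}"; exit $? ;;
esac
```

A MISSING result is not a finding in itself: the bulletin says the problem only arises on systems where the installer created these directories.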

MandrakeSoft

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

                Mandrake Linux Security Update Advisory
________________________________________________________________________

Package name:           samba
Advisory ID:            MDKSA-2002:081
Date:                   November 25th, 2002

Affected versions:      8.1, 8.2, 9.0
________________________________________________________________________

Problem Description:

 A vulnerability in samba versions 2.2.2 through 2.2.6 was discovered
by the Debian samba maintainers.  A bug in the length checking for
encrypted password change requests from clients could be exploited
using a buffer overrun attack on the smbd stack.  This attack would
have to be crafted in such a way that converting a DOS codepage string to
little endian UCS2 unicode would translate into an executable block of
code.

 This vulnerability has been fixed in samba version 2.2.7, and the
updated packages have had a patch applied to fix the problem.
________________________________________________________________________

References:

  http://www.samba.org/samba/whatsnew/samba-2.2.7.html
________________________________________________________________________

Updated Packages:

 Mandrake Linux 8.1:
b10451e71a1ba27d45956f57fb203118  8.1/RPMS/samba-2.2.2-3.3mdk.i586.rpm
22a6f9977518bbe2923ec7d2f68a698e  8.1/RPMS/samba-client-2.2.2-3.3mdk.i586.rpm
74d59e5578aaa0a23e760c828a6d8688  8.1/RPMS/samba-common-2.2.2-3.3mdk.i586.rpm
6d6a2835fd6e21b4c93dbaa5fe6f2d13  8.1/RPMS/samba-doc-2.2.2-3.3mdk.i586.rpm
4c7511781a263f633cab5bf1831ad69b  8.1/SRPMS/samba-2.2.2-3.3mdk.src.rpm

 Mandrake Linux 8.1/IA64:
2456e2af90d2e71e877a16f2ff034c73  ia64/8.1/RPMS/samba-2.2.2-3.3mdk.ia64.rpm
66043b111988d82d2800763950ea07e3  ia64/8.1/RPMS/samba-client-2.2.2-3.3mdk.ia64.rpm
6954d750eae921eece5e1e2ece9c42e5  ia64/8.1/RPMS/samba-common-2.2.2-3.3mdk.ia64.rpm
cf5545988b8d07299b776a25d6dc2e56  ia64/8.1/RPMS/samba-doc-2.2.2-3.3mdk.ia64.rpm
4c7511781a263f633cab5bf1831ad69b  ia64/8.1/SRPMS/samba-2.2.2-3.3mdk.src.rpm

 Mandrake Linux 8.2:
5552fadd8509fc7222099f88dad0f5a9  8.2/RPMS/nss_wins-2.2.3a-10.1mdk.i586.rpm
58da182a9a84a02010ddaf939e97bc7c  8.2/RPMS/samba-2.2.3a-10.1mdk.i586.rpm
91dcff33758dca1ca9a4779186a6917d  8.2/RPMS/samba-client-2.2.3a-10.1mdk.i586.rpm
ce98076728c73ca79b78fc9d69b94b47  8.2/RPMS/samba-common-2.2.3a-10.1mdk.i586.rpm
983c2de083b240971026bb054b449fde  8.2/RPMS/samba-doc-2.2.3a-10.1mdk.i586.rpm
fe4c7a8ebedede8ac10ff98eac2b84a5  8.2/RPMS/samba-swat-2.2.3a-10.1mdk.i586.rpm
ec00eed80e135dd79b56608bbd2c0574  8.2/RPMS/samba-winbind-2.2.3a-10.1mdk.i586.rpm
5677dee51659f50acee4e55346ca737d  8.2/SRPMS/samba-2.2.3a-10.1mdk.src.rpm

 Mandrake Linux 8.2/PPC:
32e41a8c06f1b5b24b13de0f65dfa3cc  ppc/8.2/RPMS/nss_wins-2.2.3a-10.1mdk.ppc.rpm
275bf7b8a2792e11bf94dc24557f8ebc  ppc/8.2/RPMS/samba-2.2.3a-10.1mdk.ppc.rpm
66232f77afcacc83090e3cf848717962  ppc/8.2/RPMS/samba-client-2.2.3a-10.1mdk.ppc.rpm
912ccb4cc81f89de6de871aa1c4833c0  ppc/8.2/RPMS/samba-common-2.2.3a-10.1mdk.ppc.rpm
af73612d4ea52c4a391ca75afd0dae8b  ppc/8.2/RPMS/samba-doc-2.2.3a-10.1mdk.ppc.rpm
2117cd7af96f6467c867faef73a425b6  ppc/8.2/RPMS/samba-swat-2.2.3a-10.1mdk.ppc.rpm
ab0402b7173a04be1cbc6c415807b98a  ppc/8.2/RPMS/samba-winbind-2.2.3a-10.1mdk.ppc.rpm
5677dee51659f50acee4e55346ca737d  ppc/8.2/SRPMS/samba-2.2.3a-10.1mdk.src.rpm

 Mandrake Linux 9.0:
25b264e1b5ee43b26d861f5b5e07d7d2  9.0/RPMS/nss_wins-2.2.7-2.1mdk.i586.rpm
619a0506a84d25099ca0653be0f5fd3a  9.0/RPMS/samba-client-2.2.7-2.1mdk.i586.rpm
d7ed710067f71285cc616fe07efd7753  9.0/RPMS/samba-common-2.2.7-2.1mdk.i586.rpm
2b5667097a398ef87e9e721c26bb613b  9.0/RPMS/samba-doc-2.2.7-2.1mdk.i586.rpm
ff124b4103dd84e51f5be82dd9244b1f  9.0/RPMS/samba-server-2.2.7-2.1mdk.i586.rpm
a7b976a81f59d7ce7111cb5f44d89bcd  9.0/RPMS/samba-swat-2.2.7-2.1mdk.i586.rpm
0859d8665e9d2ea2f1f96365a7456e3f  9.0/RPMS/samba-winbind-2.2.7-2.1mdk.i586.rpm
b93cd8ca9319a628ee7015bbd5d2196e  9.0/SRPMS/samba-2.2.7-2.1mdk.src.rpm
________________________________________________________________________

Bug IDs fixed (see https://qa.mandrakesoft.com for more information):
________________________________________________________________________

To upgrade automatically, use MandrakeUpdate.  The verification of md5
checksums and GPG signatures is performed automatically for you.

If you want to upgrade manually, download the updated package from one
of our FTP server mirrors and upgrade with "rpm -Fvh *.rpm".  A list of
FTP mirrors can be obtained from:

  http://www.mandrakesecure.net/en/ftp.php

Please verify the update prior to upgrading to ensure the integrity of
the downloaded package.  You can do this with the command:

  rpm --checksig <filename>

All packages are signed by MandrakeSoft for security.  You can obtain
the GPG public key of the Mandrake Linux Security Team from:

  https://www.mandrakesecure.net/RPM-GPG-KEYS

Please be aware that sometimes it takes the mirrors a few hours to
update.

You can view other update advisories for Mandrake Linux at:

  http://www.mandrakesecure.net/en/advisories/

MandrakeSoft has several security-related mailing list services that
anyone can subscribe to.  Information on these lists can be obtained by
visiting:

  http://www.mandrakesecure.net/en/mlist.php

If you want to report vulnerabilities, please contact

  security_linux-mandrake.com

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Linux Mandrake Security Team
 <security linux-mandrake.com>


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE94uCrmqjQ0CJFipgRAtH9AKDZ5fi6/mGdx4HldnVAgaWwTGSzDgCg53+K
XVuJ3G64lSEO7Q2wvP4C2zo=
=CVQZ
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
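The Mandrake advisory above names the affected upstream range (2.2.2 through 2.2.6, fixed in 2.2.7) but ships its 8.1 and 8.2 fixes as patched 2.2.2 and 2.2.3a packages, so an upstream version inside the range is a prompt to compare the package release, not a verdict. The following triage script is an added example, not vendor code; the function names are hypothetical and the sample package strings are constructed in `rpm -q` output form.

```shell
#!/bin/sh
# Added example: classify installed Samba packages against the range the
# advisories on this page give (2.2.2 through 2.2.6 affected, 2.2.7 fixed).

# upstream_version PKG
# Pull the upstream version out of an rpm name-version-release string or
# package file name, e.g. samba-common-2.2.3a-10.1mdk -> 2.2.3a
upstream_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[a-z_-]*-\([0-9][0-9a-z.]*\)-[^-]*$/\1/p'
}

# classify VERSION -> prints one of:
#   affected  2.2.2 through 2.2.6, letter suffixes such as 2.2.3a included
#   fixed     2.2.7 or later
#   outside   earlier than 2.2.2 (not in the range these advisories name)
#   unknown   not a recognisable x.y.z version
classify() {
    printf '%s\n' "$1" | awk -F. '
        !/^[0-9]+\.[0-9]+\.[0-9]+[a-z]*$/ { print "unknown"; next }
        {
            # A trailing letter (2.2.3a) is a patch-level release of 2.2.3;
            # "$3 + 0" keeps only the leading digits of the third field.
            n = $1 * 10000 + $2 * 100 + ($3 + 0)
            if (n >= 20207)      print "fixed"
            else if (n >= 20202) print "affected"
            else                 print "outside"
        }'
}

# report PKG: one line per package saying what to do next.
report() {
    ver=$(upstream_version "$1")
    case $(classify "$ver") in
        fixed)
            echo "$1: upstream $ver already contains the fix" ;;
        affected)
            echo "$1: upstream $ver is in the affected range;" \
                 "compare the release with the vendor's fixed package" ;;
        outside)
            echo "$1: upstream $ver is older than the range named" ;;
        *)
            echo "$1: version not recognised, check by hand" ;;
    esac
}

# Constructed sample input, one package per line as `rpm -q` prints them.
SAMPLE='samba-2.2.4-1
samba-common-2.2.3a-10.1mdk
samba-2.2.7-2
samba-2.0.10-2'

printf '%s\n' "$SAMPLE" | while read -r pkg; do
    report "$pkg"
done
```

The SGI advisory later on this page is more conservative than the range used here and treats any version below 2.2.7 as vulnerable, so an "outside" result still deserves a look on IRIX.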

Red Hat Inc.

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

---------------------------------------------------------------------
                  Red Hat, Inc. Red Hat Security Advisory

Synopsis:          New samba packages available to fix potential security vulnerability
Advisory ID:       RHSA-2002:266-05
Issue date:        2002-11-22
Updated on:        2002-11-21
Product:           Red Hat Linux
Keywords:          samba security encrypted password change
Cross references:
Obsoletes:
---------------------------------------------------------------------

1. Topic:

New samba packages are available that fix a security vulnerability present
in samba versions 2.2.2 through 2.2.6. A potential attacker could gain
root access on the target machine. It is strongly encouraged that all Samba
users update to the fixed packages.

As of this time, there are no known exploits for this vulnerability.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 8.0 - i386

3. Problem description:

There was a bug in the length checking for encrypted password change
requests from clients. A client could potentially send an encrypted
password, which, when decrypted with the old hashed password, could be
used as a buffer overrun attack on smbd's stack. The attack would
have to be crafted such that converting a DOS codepage string to little
endian UCS2 unicode would translate into an executable block of code.

Thanks to the Debian Samba maintainers for discovering this issue, and to
the Samba team for providing the fix (and the problem description text above.)

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. RPMs required:

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/samba-2.2.7-1.7.3.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/samba-2.2.7-1.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/samba-common-2.2.7-1.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/samba-client-2.2.7-1.7.3.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/samba-swat-2.2.7-1.7.3.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/samba-2.2.7-2.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/samba-2.2.7-2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/samba-common-2.2.7-2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/samba-client-2.2.7-2.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/samba-swat-2.2.7-2.i386.rpm



6. Verification:

MD5 sum                          Package Name
--------------------------------------------------------------------------
5c8ba729bb3e6d2f0614fd543053e6e9 7.3/en/os/SRPMS/samba-2.2.7-1.7.3.src.rpm
92178f0aa6c7ec0cb2b55c0f32c59ca4 7.3/en/os/i386/samba-2.2.7-1.7.3.i386.rpm
6915d467d9572737dfbfcac916734084 7.3/en/os/i386/samba-client-2.2.7-1.7.3.i386.rpm
56ce43d49614bf5a79b90dfbd4a77235 7.3/en/os/i386/samba-common-2.2.7-1.7.3.i386.rpm
82cbcb8e2c3be661e0e6c1c7f9856ecd 7.3/en/os/i386/samba-swat-2.2.7-1.7.3.i386.rpm
9b5ded05dc9cc2c49c40b686ec78caf7 8.0/en/os/SRPMS/samba-2.2.7-2.src.rpm
4e2339d23bad01690938748d84dac186 8.0/en/os/i386/samba-2.2.7-2.i386.rpm
a7a48f9d6d8e45966172ae1b941e0208 8.0/en/os/i386/samba-client-2.2.7-2.i386.rpm
3bd309562e0cdefc8d4cd5b02ee0b71c 8.0/en/os/i386/samba-common-2.2.7-2.i386.rpm
0efdfc0d8de8294c0dd4978a82d15991 8.0/en/os/i386/samba-swat-2.2.7-2.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at
http://www.redhat.com/about/contact/pgpkey.html

You can verify each package with the following command:

    rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

    md5sum <filename>

7. Contact:

The Red Hat security contact is <security@redhat.com>.  More contact
details at
http://www.redhat.com/solutions/security/news/contact.html

Copyright(c) 2000, 2001, 2002 Red Hat, Inc.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SCO

Updated:  May 05, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

SCO Security Advisory

Subject: OpenLinux: Various serious Samba vulnerabilities
Advisory number: CSSA-2003-017.0
Issue date: 2003 May 02
Cross reference:
______________________________________________________________________________


1. Problem Description

This update addresses the following Samba issues:

A bug in the length checking for encrypted password change
requests from clients could be exploited using a buffer
overrun attack on the smbd stack.


A vulnerability that could lead to an anonymous user gaining
root access on a Samba serving system.


A chown race condition that could allow overwriting of
critical system files if exploited.


A buffer overflow in the call_trans2open function in trans2.c
allows remote attackers to execute arbitrary code.


Multiple buffer overflows that may allow remote attackers to
execute arbitrary code or cause a denial of service.



2. Vulnerable Supported Versions

System                        Package
----------------------------------------------------------------------

OpenLinux 3.1.1 Server        prior to libsmbclient-2.2.2-7.i386.rpm
                              prior to samba-2.2.2-7.i386.rpm
                              prior to samba-doc-2.2.2-7.i386.rpm
                              prior to smbfs-2.2.2-7.i386.rpm
                              prior to swat-2.2.2-7.i386.rpm

OpenLinux 3.1.1 Workstation   prior to libsmbclient-2.2.2-7.i386.rpm
                              prior to samba-2.2.2-7.i386.rpm
                              prior to samba-doc-2.2.2-7.i386.rpm
                              prior to smbfs-2.2.2-7.i386.rpm
                              prior to swat-2.2.2-7.i386.rpm



3. Solution

The proper solution is to install the latest packages. Many
customers find it easier to use the Caldera System Updater, called
cupdate (or kcupdate under the KDE environment), to update these
packages rather than downloading and installing them by hand.



4. OpenLinux 3.1.1 Server

4.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/RPMS

4.2 Packages

a4f667678f6a3c283491ae04480625d6  libsmbclient-2.2.2-7.i386.rpm
8c95e0b81771bb703e08937125e8c9bf  samba-2.2.2-7.i386.rpm
2a590b5458186279fd3bb17bb87c5af3  samba-doc-2.2.2-7.i386.rpm
fcabaf8b0567ed5faad0e2fe8e206f92  smbfs-2.2.2-7.i386.rpm
bd13c1771c2267549916f3afb60ad019  swat-2.2.2-7.i386.rpm


4.3 Installation

rpm -Fvh libsmbclient-2.2.2-7.i386.rpm
rpm -Fvh samba-2.2.2-7.i386.rpm
rpm -Fvh samba-doc-2.2.2-7.i386.rpm
rpm -Fvh smbfs-2.2.2-7.i386.rpm
rpm -Fvh swat-2.2.2-7.i386.rpm


4.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/SRPMS

4.5 Source Packages

403ddcea6384a309768066e06941a68f  samba-2.2.2-7.src.rpm


5. OpenLinux 3.1.1 Workstation

5.1 Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/RPMS

5.2 Packages

c04cb8377d18180c6b914ed9d0d1d4e3  libsmbclient-2.2.2-7.i386.rpm
aad7fa4db863931a9c57b8720e17cbb6  samba-2.2.2-7.i386.rpm
be052cbf6e77f05ad1cbc7fba57be7bd  samba-doc-2.2.2-7.i386.rpm
4bf70f287baf74e47ef5cff351a7a740  smbfs-2.2.2-7.i386.rpm
906d1705b64767cd774e29287b5ab437  swat-2.2.2-7.i386.rpm


5.3 Installation

rpm -Fvh libsmbclient-2.2.2-7.i386.rpm
rpm -Fvh samba-2.2.2-7.i386.rpm
rpm -Fvh samba-doc-2.2.2-7.i386.rpm
rpm -Fvh smbfs-2.2.2-7.i386.rpm
rpm -Fvh swat-2.2.2-7.i386.rpm


5.4 Source Package Location

ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/SRPMS

5.5 Source Packages

21c0df3f652692c3db10dd5783e78e93  samba-2.2.2-7.src.rpm


6. References

Specific references for this advisory:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201

SCO security resources:

http://www.sco.com/support/security/index.html

This security fix closes SCO incidents sr876764, sr875830,
sr872195, fz527679, fz527532, fz526744, erg712283, erg712263,
erg712169.



7. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers intended
to promote secure installation and use of SCO products.



8. Acknowledgements

Steve Langasek (Debian), Sebastian Krahmer (SuSE), and Digital
Defense Inc. discovered and researched these vulnerabilities.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SGI

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                         SGI Security Advisory

Title    : Samba Security Vulnerability
Number   : 20021204-01-I
Date     : December 5, 2002
Reference: CVE CAN-2002-1318
Reference: SGI BUG 874162
Fixed in : Samba v2.2.7
______________________________________________________________________________

- -----------------------
- --- Issue Specifics ---
- -----------------------

It's been reported that versions of Samba prior to 2.2.7 have a security
vulnerability that could potentially allow an attacker to gain root access
on the target machine.  The word "potentially" is used because there
is no known exploit of this bug.  SGI has not found one, nor has the Samba
group found one.  Nevertheless, the vulnerability is considered serious.

See http://www.samba.org/samba/whatsnew/samba-2.2.7.html for additional
details.

This vulnerability was assigned the following CVE candidate:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected in Samba version 2.2.7.


- --------------
- --- Impact ---
- --------------

Samba is an optional product, and is not installed by default on IRIX 6.5
systems.

To determine the version of IRIX you are running, execute the following
command:

  # /bin/uname -R

That will return a result similar to the following:

  # 6.5 6.5.16f

The first number ("6.5") is the release name, the second ("6.5.16f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

To see if samba is installed, execute the following command:

% versions samba_irix
I = Installed, R = Removed

   Name                 Date        Description

   I  samba_irix           07/02/2002  Samba 2.2.4 for IRIX
  I  samba_irix.man       07/02/2002  Samba Online Documentation
  I  samba_irix.man.doc   07/02/2002  Samba 2.2.4 Documentation
  I  samba_irix.man.manpages  07/02/2002  Samba 2.2.4 Man Page
  I  samba_irix.man.relnotes  07/02/2002  Samba 2.2.4 Release Notes
  I  samba_irix.src       07/02/2002  Samba Source Code
  I  samba_irix.src.samba 07/02/2002  Samba 2.2.4 Source Code
  I  samba_irix.sw        07/02/2002  Samba Execution Environment
  I  samba_irix.sw.base   07/02/2002  Samba 2.2.4 Execution Environment

If the result is similar to the above and the version shown is less than
2.2.7, then the system is vulnerable.

- ----------------------------
- --- Temporary Workaround ---
- ----------------------------

There is no effective workaround available for these problems if Samba is
required.  SGI recommends upgrading to Samba version 2.2.7.


- ----------------
- --- Solution ---
- ----------------

SGI has provided an instable version of Samba for this vulnerability. Our
recommendation is to upgrade to Samba version 2.2.7.

Samba 2.2.7 can be downloaded from http://www.samba.org/ or
http://freeware.sgi.com/

For customers who have purchased the SGI supported version of Samba,
please contact your SGI Support Representative and request part
number 812-0893-008 -- Samba 2.2.7 for IRIX on CD.


   OS Version     Vulnerable?     Patch #      Other Actions
  ----------     -----------     -------      -------------
  IRIX 3.x        unknown                     Note 1
  IRIX 4.x        unknown                     Note 1
  IRIX 5.x        unknown                     Note 1
  IRIX 6.0.x      unknown                     Note 1
  IRIX 6.1        unknown                     Note 1
  IRIX 6.2        unknown                     Note 1
  IRIX 6.3        unknown                     Note 1
  IRIX 6.4        unknown                     Note 1
  IRIX 6.5          yes                       Notes 2 & 3
  IRIX 6.5.1        yes                       Notes 2 & 3
  IRIX 6.5.2        yes                       Notes 2 & 3
  IRIX 6.5.3        yes                       Notes 2 & 3
  IRIX 6.5.4        yes                       Notes 2 & 3
  IRIX 6.5.5        yes                       Notes 2 & 3
  IRIX 6.5.6        yes                       Notes 2 & 3
  IRIX 6.5.7        yes                       Notes 2 & 3
  IRIX 6.5.8        yes                       Notes 2 & 3
  IRIX 6.5.9        yes                       Notes 2 & 3
  IRIX 6.5.10       yes                       Notes 2 & 3
  IRIX 6.5.11       yes                       Notes 2 & 3
  IRIX 6.5.12       yes                       Notes 2 & 3
  IRIX 6.5.13       yes                       Notes 2 & 3
  IRIX 6.5.14       yes                       Notes 2 & 3
  IRIX 6.5.15       yes                       Notes 2 & 3
  IRIX 6.5.16       yes                       Notes 2 & 3
  IRIX 6.5.17       yes                       Notes 2 & 3
  IRIX 6.5.18       yes                       Notes 2 & 3

   NOTES

     1) This version of the IRIX operating system has been retired. Upgrade to an
        actively supported IRIX operating system.  See
        http://support.sgi.com/irix/news/index.html#policy for more
        information.

     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
        SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

     3) This version of IRIX is vulnerable if a version of Samba prior to
       2.2.7 is installed.  Please install Samba 2.2.7.


- ------------------------
- --- Acknowledgments ----
- ------------------------

SGI wishes to thank Steve Langasek, Eloy Paris, the Samba Group and the
users of the Internet Community at large for their assistance in this
matter.


- -------------
- --- Links ---
- -------------

SGI Security Advisories can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/advisories/

SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/

SGI patches for IRIX can be found at the following patch servers:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/

SGI freeware updates for IRIX can be found at:
http://freeware.sgi.com/

SGI fixes for SGI open sourced code can be found on:
http://oss.sgi.com/projects/

SGI patches and RPMs for Linux can be found at:
http://support.sgi.com/linux/ or
http://oss.sgi.com/projects/sgilinux-combined/download/security-fixes/

SGI patches for Windows NT or 2000 can be found at:
http://support.sgi.com/nt/

IRIX 5.2-6.4 Recommended/Required Patch Sets can be found at:
http://support.sgi.com/irix/ and ftp://patches.sgi.com/support/patchset/

IRIX 6.5 Maintenance Release Streams can be found at:
http://support.sgi.com/colls/patches/tools/relstream/index.html

IRIX 6.5 Software Update CDs can be obtained from:
http://support.sgi.com/irix/swupdates/

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL
ftp://patches.sgi.com/support/free/security/

For security and patch management reasons, ftp.sgi.com (mirrors
patches.sgi.com security FTP repository) lags behind and does not do a
real-time update.


- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to
security-info@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI
community.  This information is freely available to any person needing the
information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security advisories and patches is
patches.sgi.com (216.32.174.211).  Security advisories and patches are
located under the URL
ftp://patches.sgi.com/support/free/security/

The SGI Security Headquarters Web page is accessible at the URL:
http://www.sgi.com/support/security/

For issues with the patches on the FTP sites, email can be sent to
security-info@sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web
(http://www.sgi.com/support/security/wiretap.html) or by sending email to
SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress such as zedwatch@sgi.com >
end
^d

In the example above, <YourEmailAddress> is the email address that you wish
the mailing list information sent to.  The word end must be on a separate
line to indicate the end of the body of the message. The control-d (^d) is
used to indicate to the mail program that you are finished composing the
mail message.


                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/support/security/ .

                      ------oOo------

If there are general security questions on SGI systems, email can be sent to
security-info@sgi.com.

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

______________________________________________________________________________
     This information is provided freely to all interested parties
     and may be redistributed provided that it is not altered in any
     way, SGI is appropriately credited and the document retains and
     includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBPe+J4LQ4cFApAP75AQEZfAP+Pnm7uYFMAQHtMCa8Bzk+uNMWmt8qxvwb
OguoHlb8Sh81NiY6Y/SsvBB+aBADw7PwiVfd9eHU/KZL38I8a0nnB2kMrqady8fR
ERieXRJKPqs2BnOtUgbdBqgBnRu9Vf39K9IDWKV+iiL3j6LpmOmnBnfa40jIwwSP
Pl9jBQcLlxE=
=keNO
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

New Samba packages are available for Slackware 8.1 and -current to fix a security problem and provide other bugfixes and improvements.

Here are the details from the Slackware 8.1 ChangeLog:

----------------------------
Wed Nov 20 16:51:23 PST 2002
patches/packages/samba-2.2.7-i386-1.tgz:  Upgraded to samba-2.2.7.
 Some details (based on the WHATSNEW.txt file included in samba-2.2.7):
   This fixes a security hole discovered in versions 2.2.2 through 2.2.6 of
   Samba that could potentially allow an attacker to gain root access
   on the target machine.  The word "potentially" is used because there
   is no known exploit of this bug, and the Samba Team has not been able to
   craft one ourselves. However, the seriousness of the problem warrants
   this immediate 2.2.7 release.  There was a bug in the length checking for
   encrypted password change requests from clients. A client could potentially
   send an encrypted password, which, when decrypted with the old hashed
   password could be used as a buffer overrun attack on the stack of smbd. The
   attack would have to be crafted such that converting a DOS codepage string
   to little endian UCS2 unicode would translate into an executable block of
   code.  Thanks to Steve Langasek <vorlon@debian.org> and Eloy Paris
   <peloy@debian.org> for bringing this vulnerability to our notice.
 (* Security fix *)
----------------------------


WHERE TO FIND THE NEW PACKAGES:
-------------------------------
Updated Samba package for Slackware 8.1:
ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/samba-2.2.7-i386-1.tgz

Updated Samba package for Slackware-current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/samba-2.2.7-i386-1.tgz


MD5 SIGNATURES:
---------------

Here are the md5sums for the packages:

Slackware 8.1:
835f2069561251cf9649b1f60ebc21f0  samba-2.2.7-i386-1.tgz

Slackware-current:
18eff1898b289735c51895e628797733  samba-2.2.7-i386-1.tgz

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SuSE Inc.

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                samba
        Announcement-ID:        SuSE-SA:2002:045
        Date:                   Wednesday, November 20th 2002 16:00 MET
        Affected products:      7.2, 7.3, 8.0, 8.1
                                SuSE Linux Database Server,
                                SuSE eMail Server III, 3.1
                                SuSE Linux Enterprise Server 7+8,
                                SuSE Linux Firewall on CD/Admin host
                                SuSE Linux Connectivity Server
                                SuSE Linux Office Server
        Vulnerability Type:     possible remote code execution
        Severity (1-10):        7
        SuSE default package:   no
        Cross References:       http://www.samba.org/

    Content of this advisory:
       1) security vulnerability resolved: samba
          problem description, discussion, solution and upgrade information
       2) pending vulnerabilities, solutions, workarounds
       3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    Samba developer Steve Langasek found a security problem in samba, the
   widely known free implementation of the SMB protocol.

    The error consists of a buffer overflow in a commonly used routine
   that accepts user input and may write up to 127 bytes past the end of
   the buffer allocated with static length, leaving enough room for
   an exploit. The resulting vulnerability can be exploited locally
   in applications using the pam_smbpass Pluggable Authentication Module
   (PAM). It may be possible to exploit this vulnerability remotely,
   causing the running smbd to crash or even to execute arbitrary code.

    The samba package is installed by default only on the SuSE Linux
   Enterprise Server. SuSE Linux products do not have the samba and
   samba-client packages installed by default.
   The samba packages in SuSE Linux version 7.1 and before are not affected
   by this vulnerability.
   For the bug to be exploited, your system has to be running the smbd
   samba server, or an administrator must have (manually) changed the
   configuration of the PAM authentication subsystem to enable the use
   of the pam_smbpass module. The samba server process(es) are not activated
   automatically after installation (of the package).

    The samba subsystem on SuSE products is split into two different
   subpackages: samba and smbclnt up to and including SuSE Linux 7.2, on
   SuSE Linux 7.3 and newer the package names are samba and samba-client.
   To completely remove the vulnerability, you should update all of the
   installed packages.

    We wish to express our gratitude to the samba development team and
   in particular to Steve Langasek and Volker Lendecke who provided the
   patches and communicated them to the vendors. Please know that the
   samba team will release the new version 2.2.7 of the samba software to
   address the security fix at the same time as this announcement gets
   published. More information about samba (and the security fix) is
   available at http://www.samba.org.

    Please download the update package for your distribution and verify its
   integrity by the methods listed in section 3) of this announcement.
   Then, install the package using the command "rpm -Fhv file.rpm" to apply
   the update.
   Our maintenance customers are being notified individually. The packages
   are being offered to install from the maintenance web.

    SPECIAL INSTALL INSTRUCTIONS:
   ==============================
   After successfully installing the update packages, you should restart
   the samba server process(es) to make the changes in the system effective.
   If you do not have a samba server running on your system, no further
   action is required. If you have a samba server running, please run the
   following command as root:
       rcsmb restart      # SuSE Linux, all versions
       rcnmb restart      # only on SuSE Linux 8.1



    Intel i386 Platform:

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.rpm
      f0a94ef6cc49165d4dace59caaf359d7
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.rpm
      f694fb4aaabffa98b6a76941cb2c0eaf
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-2.2.5-124.i586.patch.rpm
      af43bc1d5dc1b097389933f34ca5a625
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/samba-client-2.2.5-124.i586.patch.rpm
      bff278f9366df7efe72fa880c4f7618f
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/samba-2.2.5-124.src.rpm
      674adb466663259c2117852b9525a29a

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-165.i386.rpm
      8c7edd09c5acfc269467ecbcdcdfc21c
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-165.i386.rpm
      bfc08a1d64f0d85670041c7046d1e775
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n2/samba-2.2.3a-165.i386.patch.rpm
      7d08c2c07137d9da0b3d1a301295a084
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/samba-client-2.2.3a-165.i386.patch.rpm
      887230d4ed61bec496dff73c50fa3de0
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/samba-2.2.3a-165.src.rpm
      b208c4d5bcceb7f9cc18df75b7831d2d

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/n2/samba-2.2.1a-206.i386.rpm
      dc4232333a0babbb257cff346609625f
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/samba-client-2.2.1a-206.i386.rpm
      163a565a5a0b0320eae6ba1d0ebdfb27
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/samba-2.2.1a-206.src.rpm
      6086e3bb296a320c28fced9068c931fc

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/n2/samba-2.2.0a-45.i386.rpm
      184b17987ca99325782f4c7f9e04b6a6
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/smbclnt-2.2.0a-45.i386.rpm
      b9926ade015ccaf271088da246814abb
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/samba-2.2.0a-45.src.rpm
      384ec49b0b8a81d8ecf7c84ef0fa2689


    Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n2/samba-2.2.1a-69.sparc.rpm
      61b72787bc8e0b333662962a60bce0c2
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/samba-client-2.2.1a-69.sparc.rpm
      6acd0ffd218d721d7c10b17e1194738d
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/samba-2.2.1a-69.src.rpm
      77f57a3277bb1a270ae79bc94ee28345


    PPC Power PC Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n2/samba-2.2.1a-141.ppc.rpm
      d127afabc7d5b764289f9b65ad4c4cd1
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/samba-client-2.2.1a-141.ppc.rpm
      894132f3b5041a54ec871d67eef072e5
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/samba-2.2.1a-141.src.rpm
      ccff812fdddd3af9d62a399f63e0405e




______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

  - 7.0 update trees
   We will move the SuSE Linux 7.0 update tree structure to the
   /pub/suse/discontinued/ tree shortly, following the announcement about
   discontinued products on Tue, 29 Oct 2002.

______________________________________________________________________________

3)  standard appendix: authenticity verification, additional information

  - Package authenticity verification:

    SuSE update packages are available on many mirror ftp servers all over
   the world. While this service is being considered valuable and important
   to the free and open source software community, many users wish to be
   sure about the origin of the package and its content before installing
   the package. There are two verification methods that can be used
   independently from each other to prove the authenticity of a downloaded
   file or rpm package:
   1) md5sums as provided in the (cryptographically signed) announcement.
   2) using the internal gpg signatures of the rpm package.

    1) execute the command
       md5sum <name-of-the-file.rpm>
      after you downloaded the file from a SuSE ftp server or its mirrors.
      Then, compare the resulting md5sum with the one that is listed in the
      announcement. Since the announcement containing the checksums is
      cryptographically signed (usually using the key security@suse.de),
      the checksums show proof of the authenticity of the package.
      We recommend against subscribing to security lists which cause the
      email message containing the announcement to be modified so that
      the signature does not match after transport through the mailing
      list software.
      Downsides: You must be able to verify the authenticity of the
      announcement in the first place. If RPM packages are being rebuilt
      and a new version of a package is published on the ftp server, all
      md5 sums for the files are useless.

    2) rpm package signatures provide an easy way to verify the authenticity
      of an rpm package. Use the command
       rpm -v --checksig <file.rpm>
      to verify the signature of the package, where <file.rpm> is the
      filename of the rpm package that you have downloaded. Of course,
      package authenticity verification can only target an un-installed rpm
      package file.
      Prerequisites:
       a) gpg is installed
       b) The package is signed using a certain key. The public part of this
          key must be installed by the gpg program in the directory
          ~/.gnupg/ under the user's home directory who performs the
          signature verification (usually root). You can import the key
          that is used by SuSE in rpm packages for SuSE Linux by saving
          this announcement to a file ("announcement.txt") and
          running the command (do "su -" to be root):
           gpg --batch; gpg < announcement.txt | gpg --import
          SuSE Linux distributions version 7.1 and thereafter install the
          key "build@suse.de" upon installation or upgrade, provided that
          the package gpg is installed. The file containing the public key
          is placed at the top-level directory of the first CD (pubring.gpg)
          and at ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .


  - SuSE runs two security mailing lists to which any interested party may
   subscribe:

    suse-security@suse.com
       -   general/linux/SuSE security discussion.
           All SuSE security announcements are sent to this list.
           To subscribe, send an email to
               <suse-security-subscribe@suse.com>.

    suse-security-announce@suse.com
       -   SuSE's announce-only mailing list.
           Only SuSE's security announcements are sent to this list.
           To subscribe, send an email to
               <suse-security-announce-subscribe@suse.com>.

    For general information or the frequently asked questions (faq)
   send mail to:
       <suse-security-info@suse.com> or
       <suse-security-faq@suse.com> respectively.

    =====================================================================
   SuSE's security contact is <security@suse.com> or <security@suse.de>.
   The <security@suse.de> public key is listed below.
   =====================================================================
______________________________________________________________________________

    The information in this advisory may be distributed or reproduced,
   provided that the advisory is not modified in any way. In particular,
   it is desired that the clear-text signature shows proof of the
   authenticity of the text.
   SuSE Linux AG makes no warranties of any kind whatsoever with respect
   to the information contained in this security advisory.

Type Bits/KeyID    Date       User ID
pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
pub  1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv

iQEVAwUBPdvAOHey5gA9JdPZAQFBcwf6A+8lmCVrRiCgRW/SH+pzBMJ2+p8iywDd
BhChCR0ekyrNcxwMRut1vFVRbt0iSzD3Kl43dAPOrTcvypkoBnxW4+/l1mD7/fqH
WsF22vwhV/8u33tYFN7wsUxpBHzBSq3CguJF4XP5BpNCkvJvrLh5f5QDgonUoO+P
2z0sYNgSARxEKgniyp8YSm6UmC63ijzDhLb/JuDxNu/8652Xx35pptdOtBiriB9C
yGKgJoy97co96oQrzS9ZRKjSGBfE5g6Q8/nAyDuCFpPOiIvDaLlkcab0u2Boawe+
GuCM6QwB7xmb6ElCehtCGxn9v6gE86hNFCOVrjIOhKgOrlY0V8h21w==
=MrgG
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Sun Microsystems Inc.

Updated:  May 16, 2003

Status

  Vulnerable

Vendor Statement

Sun includes a version of Samba with Solaris 9 which is affected by this issue. Sun provides Samba on the Solaris Companion CD for Solaris 2.6, 7, and 8:

http://wwws.sun.com/software/solaris/freeware/index.html

as an unsupported package which installs to /opt/sfw and is vulnerable to this issue too. Sites using the freeware version of Samba from the Solaris Companion CD will have to upgrade to a later version from Samba.org. Sun has published Sun Alert 53580 for this issue describing the patches and workaround options here:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/53580

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Sun Alert 53580.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

The OpenPKG Project

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

OpenPKG Security Advisory                            The OpenPKG Project
http://www.openpkg.org/security.html              http://www.openpkg.org
openpkg-security@openpkg.org                         openpkg@openpkg.org
OpenPKG-SA-2002.012                                          29-Nov-2002
________________________________________________________________________

Package:             samba
Vulnerability:       code execution, root exploit
OpenPKG Specific:    no

Dependent Packages:  none

Affected Releases:   Affected Packages:       Corrected Packages:
OpenPKG 1.0          <= samba-2.2.2-1.0.0     >= samba-2.2.2-1.0.1
OpenPKG 1.1          <= samba-2.2.5-1.1.0     >= samba-2.2.5-1.1.1
OpenPKG CURRENT      <= samba-2.2.6-20021017  >= samba-2.2.7-20021120

Description:
 A vulnerability in Samba [0] versions 2.2.2 through 2.2.6 was
 discovered by the Debian Samba maintainers [1]. A bug in the
 length checking for encrypted password change requests from clients
 could be exploited using a buffer overrun attack on the smbd(8)
 stack. This attack would have to be crafted in such a way that
 converting a DOS codepage string to little endian UCS2 unicode
 would translate into an executable block of code.

  Check whether you are affected by running "<prefix>/bin/rpm -q
 samba". If you have an affected version of the samba package (see
 above), please upgrade it according to the solution below.

Solution:
 Update existing packages to newly patched versions of Samba. Select the
 updated source RPM appropriate for your OpenPKG release [2][3][4], and
 fetch it from the OpenPKG FTP service or a mirror location. Verify its
 integrity [5], build a corresponding binary RPM from it and update your
 OpenPKG installation by applying the binary RPM [6]. For the latest
 OpenPKG 1.1 release, perform the following operations to permanently fix
 the security problem (for other releases adjust accordingly).

 $ ftp ftp.openpkg.org
 ftp> bin
 ftp> cd release/1.1/UPD
 ftp> get samba-2.2.5-1.1.1.src.rpm
 ftp> bye
 $ <prefix>/bin/rpm -v --checksig samba-2.2.5-1.1.1.src.rpm
 $ <prefix>/bin/rpm --rebuild samba-2.2.5-1.1.1.src.rpm
 $ su -
 # <prefix>/bin/rpm -Fvh <prefix>/RPM/PKG/samba-2.2.5-1.1.1.*.rpm
 # <prefix>/etc/rc samba stop start
________________________________________________________________________

References:
 [0] http://www.samba.org/
 [1] http://www.debian.org/security/2002/dsa-200
 [2] ftp://ftp.openpkg.org/release/1.0/UPD/
 [3] ftp://ftp.openpkg.org/release/1.1/UPD/
 [4] ftp://ftp.openpkg.org/current/SRC/
 [5] http://www.openpkg.org/security.html#signature
 [6] http://www.openpkg.org/tutorial.html#regular-source
________________________________________________________________________

For security reasons, this advisory was digitally signed with
the OpenPGP public key "OpenPKG <openpkg@openpkg.org>" (ID 63C4CB9F)
of the OpenPKG project which you can find under the official URL
http://www.openpkg.org/openpkg.pgp or on http://keyserver.pgp.com/. To
check the integrity of this advisory, verify its digital signature by
using GnuPG (http://www.gnupg.org/). For example, pipe this message to
the command "gpg --verify --keyserver keyserver.pgp.com".
________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Comment: OpenPKG <openpkg@openpkg.org>

iEYEARECAAYFAj3nO9UACgkQgHWT4GPEy59p5QCfct5flSu1iV1a7dJGasM0J8iN
kOMAoNvn9Q1524xufDzZb12THUscFpKd
=HEHz
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Secure Linux

Updated:  December 13, 2002

Status

  Vulnerable

Vendor Statement

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Trustix Secure Linux Security Advisory #2002-0080

Package name:      samba
Summary:           Remote hole
Date:              2002-11-21
Affected versions: TSL 1.5

- --------------------------------------------------------------------------
Package description:
 Samba provides an SMB server which can be used to provide network
 services to SMB (sometimes called "Lan Manager") clients, including
 various versions of MS Windows, OS/2, and other Linux machines. Samba
 uses NetBIOS over TCP/IP (NetBT) protocols and does NOT need NetBEUI
 (Microsoft Raw NetBIOS frame) protocol.


Problem description:
 From the Samba 2.2.7 release notes:

  There was a bug in the length checking for encrypted password change
 requests from clients. A client could potentially send an encrypted
 password, which, when decrypted with the old hashed password could be
 used as a buffer overrun attack on the stack of smbd. The attack would
 have to be crafted such that converting a DOS codepage string to little
 endian UCS2 unicode would translate into an executable block of code.

  All versions of Samba from 2.2.2 to 2.2.6 inclusive are vulnerable
 to this problem. This version of Samba 2.2.7 contains a fix for this
 problem.


Action:
 We recommend that all systems with this package installed be upgraded.
 Please note that if you do not need the functionality provided by this
 package, you may want to remove it from your system.


Location:
 All TSL updates are available from
 <URI:http://www.trustix.net/pub/Trustix/updates/>
 <URI:ftp://ftp.trustix.net/pub/Trustix/updates/>


About Trustix Secure Linux:
 Trustix Secure Linux is a small Linux distribution for servers. With
 focus on security and stability, the system is painlessly kept safe
 and up to date from day one using swup, the automated software updater.


Automatic updates:
 Users of the SWUP tool can enjoy having updates automatically
 installed using 'swup --upgrade'.

  Get SWUP from:
 <URI:ftp://ftp.trustix.net/pub/Trustix/software/swup/>


Public testing:
 These packages have been available for public testing for some time.
 If you want to contribute by testing the various packages in the
 testing tree, please feel free to share your findings on the
 tsl-discuss mailing list.
 The testing tree is located at
 <URI:http://www.trustix.net/pub/Trustix/testing/>
 <URI:ftp://ftp.trustix.net/pub/Trustix/testing/>


Questions?
 Check out our mailing lists:
 <URI:http://www.trustix.net/support/>


Verification:
 This advisory along with all TSL packages are signed with the TSL sign key.
 This key is available from:
 <URI:http://www.trustix.net/TSL-GPG-KEY>

  The advisory itself is available from the errata pages at
 <URI:http://www.trustix.net/errata/trustix-1.5/>
 or directly at
 <URI:http://www.trustix.net/errata/misc/2002/TSL-2002-0080-samba.asc.txt>


MD5sums of the packages:
- --------------------------------------------------------------------------
96e5c4eedf3d3e638954f3649acd4759  ./1.5/RPMS/samba-2.2.7-2tr.i586.rpm
1004f7c7d856db6933dd42cb3e1fdbcd  ./1.5/RPMS/samba-client-2.2.7-2tr.i586.rpm
3bfce6f3114c2531e697749a7cb20b60  ./1.5/RPMS/samba-common-2.2.7-2tr.i586.rpm
8b072b4cd0e60ebd0b1e1ed60e2a178c  ./1.5/SRPMS/samba-2.2.7-2tr.src.rpm
- --------------------------------------------------------------------------


Trustix Security Team

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE94iVPwRTcg4BxxS0RAmwUAJ42n4FkKBhe1ivkRovoHxT1Wyp+kQCffF6L
qiCjChjM8LMHy9lrUUr7I/w=
=Dg9h
-----END PGP SIGNATURE-----

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer Inc.

Updated:  February 14, 2003

Status

  Not Vulnerable

Vendor Statement

Apple: Not vulnerable. Mac OS X and Mac OS X Server do not make use of Samba's length checking for encrypted password change requests. Instead, the Open Directory service is used for this purpose. As an extra precaution, Mac OS X 10.2.4 has incorporated the fix from the Samba team in the event that the vulnerable function is ever invoked.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
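
An illustration of the length check that the vendor statements above describe, added here as an example; it is not Samba's code and not part of any vendor statement. The 516-byte blob layout, the buffer sizes, the function names and the zero-extending conversion are assumptions, and the flawed check shows one way such a test can miss the doubling done by the conversion to UCS2.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout, not taken from the page: 512 data bytes with the password
 * right-aligned, followed by a 4-byte little-endian length field. */
#define PW_DATA_LEN 512
#define PW_BLOB_LEN (PW_DATA_LEN + 4)

enum pw_status { PW_OK = 0, PW_BAD_ARG = -1, PW_BAD_LEN = -2, PW_TOO_LONG = -3 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Bytes the converted password occupies: two per input byte plus a 2-byte NUL. */
size_t ucs2_bytes_needed(uint32_t n)
{
    return 2 * (size_t)n + 2;
}

/* Flawed pattern (hypothetical): the input length is compared with the output
 * buffer size in bytes, so the doubling done by the conversion is ignored.
 * This function only evaluates the check; it never copies anything. */
int flawed_length_check(uint32_t n, size_t dst_cap)
{
    return dst_cap > 0 && n <= dst_cap - 1;
}

/* Hardened decode: every use of the client-supplied length is bounded first. */
int decode_new_password(const uint8_t *blob, size_t blob_len,
                        uint8_t *dst, size_t dst_cap, size_t *out_len)
{
    uint32_t n, i;
    const uint8_t *src;

    if (blob == NULL || dst == NULL || out_len == NULL || blob_len != PW_BLOB_LEN)
        return PW_BAD_ARG;

    n = read_le32(blob + PW_DATA_LEN);        /* client-controlled after decryption */
    if (n > PW_DATA_LEN)                      /* must stay inside the data area */
        return PW_BAD_LEN;
    if (dst_cap < 2 || n > (dst_cap - 2) / 2) /* bound the converted size, not the input */
        return PW_TOO_LONG;

    src = blob + PW_DATA_LEN - n;
    for (i = 0; i < n; i++) {
        /* Stand-in for a real codepage conversion: zero-extend each byte. */
        dst[2 * i] = src[i];
        dst[2 * i + 1] = 0;
    }
    dst[2 * n] = 0;
    dst[2 * n + 1] = 0;
    *out_len = 2 * (size_t)n;
    return PW_OK;
}

/* Constructed sample input: a blob holding pw with an arbitrary claimed length. */
void build_blob(uint8_t blob[PW_BLOB_LEN], const char *pw, uint32_t claimed_len)
{
    size_t len = strlen(pw);

    if (len > PW_DATA_LEN)
        len = PW_DATA_LEN;
    memset(blob, 'A', PW_DATA_LEN);
    memcpy(blob + PW_DATA_LEN - len, pw, len);
    blob[PW_DATA_LEN + 0] = (uint8_t)(claimed_len & 0xff);
    blob[PW_DATA_LEN + 1] = (uint8_t)((claimed_len >> 8) & 0xff);
    blob[PW_DATA_LEN + 2] = (uint8_t)((claimed_len >> 16) & 0xff);
    blob[PW_DATA_LEN + 3] = (uint8_t)((claimed_len >> 24) & 0xff);
}

int main(void)
{
    uint8_t blob[PW_BLOB_LEN], out[64];
    uint32_t lens[] = { 6, 31, 32, 513, 0xffffffffu };
    size_t k, out_len = 0;

    for (k = 0; k < sizeof lens / sizeof lens[0]; k++) {
        build_blob(blob, "s3cret", lens[k]);
        printf("claimed=%lu flawed_check=%d needed=%lu hardened=%d\n",
               (unsigned long)lens[k],
               flawed_length_check(lens[k], sizeof out),
               (unsigned long)ucs2_bytes_needed(lens[k]),
               decode_new_password(blob, sizeof blob, out, sizeof out, &out_len));
    }
    return 0;
}
```

With a 64-byte destination, a claimed length of 32 passes the flawed check although the converted string needs 66 bytes; the hardened function rejects it before any byte is written.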


CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A

Credit

This vulnerability was discovered by Steve Langasek and Eloy Paris.

This document was written by Ian A Finlay.

Other Information

CVE IDs: CVE-2002-1318
Severity Metric: 45.56
Date Public: 2002-11-20
Date First Published: 2002-12-13
Date Last Updated: 2003-05-16 18:19 UTC
Document Revision: 23

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.