OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Re: Samba problems

Re: Samba problems

Hank Leininger (hleinPROGRESSIVE-COMP.COM)
Mon, 11 May 1998 08:26:27 -0400 

I contacted Andrew Tridgell yesterday and forwarded him a copy of
Drago's recent post re: unchecked sprintf's vs. snprintf's.  He
responded immediately.  Here is a message he sent to samba-announce
this morning about a new, patched version of Samba.

Some details from the cvs log:

"changed to use slprintf() instead of sprintf() just about
everywhere. I've implemented slprintf() as a bounds checked sprintf()
using mprotect() and a non-writeable page."


Hank Leininger <hleinprogressive-comp.com>

----
http://www.progressive-comp.com/Lists/?m=89488564505526

List:     samba-announce
Subject:  new release of Samba 1.9.18p6 - fixes security hole
From:     Andrew Tridgell <tridgesamba.anu.edu.au>
Date:     1998-05-11 11:25:10

I've just released version 1.9.18p6 of Samba.

This release is in response to a potential security hole pointed out
by Drago on BugTraq. The security hole involed a buffer overflow in
the filename handling in reply_*()

It is not at all clear that the security hole is actually
exploitable. The existing code that checks for buffer overflows in
Samba does catch the proposed exploit as posted to BugTraq but we
considered it a grave enough risk that an immediate patch release is
warranted. Note that if the hole is exploitable then it will only be
possible to exploit it if the attacker already has write access to the
exported filesystem.

It is highly recommended that everyone upgrade to version 1.9.18p6 of
Samba to avoid any possible exposure to this security hole.

The new release is available from ftp://samba.anu.edu.au/pub/samba/

Cheers, Andrew