Potential Remote Denial of Service Vulnerability in Samba 3.0.x <= 3.0.7

Bug #10017 reported by Gerardo Di Giacomo
Affects: samba (Ubuntu)
Status: Fix Released
Importance: Critical
Assigned to: Martin Pitt

Bug Description

A potential remote denial of service vulnerability in Samba has been reported,
and it *seems* that the Ubuntu packages are vulnerable. The patch provided by
samba.org can be applied to fix the vulnerability.

The URL of the page is:
http://us4.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0930.patch

Martin Pitt (pitti) wrote:

Created an attachment (id=720)
interdiff for security update -1ubuntu6.1

Martin Pitt (pitti) wrote:

I already prepared an updated package yesterday, interdiff attached. I used the
patch provided by the Samba developers:

  http://us4.samba.org/samba/ftp/patches/security/samba-3.0.7-CAN-2004-0930.patch

Package builds and works fine, however I did not yet scrutinize the patch myself.

Martin Pitt (pitti) wrote:

Fixed in Warty:
 samba (3.0.7-1ubuntu6.1) warty-security; urgency=low
 .
   * SECURITY UPDATE: fix potential remote Denial of Service
   * Added patch CAN-2004-0930:
     A remote attacker could cause an smbd process to consume abnormal amounts
     of system resources due to an input validation error when matching filenames
     containing wildcard characters.
   * References:
     CAN-2004-0930
     http://www.securityfocus.com/archive/1/380551

Fixed in Hoary in version 3.0.7-1ubuntu7.

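The changelog above describes the bug class only in one sentence: a wildcard filename pattern that makes the matcher burn unbounded CPU. The following is an added illustration, written for this page and not taken from the Samba patch or the bug report, of the two usual defences: charging every matching step against a budget, and replacing backtracking recursion with a linear matcher. The `*`/`?` syntax, the function names and the budget value are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>

/* Result codes for the budgeted matcher (hypothetical names). */
enum { MATCH_NO = 0, MATCH_YES = 1, MATCH_BUDGET_EXCEEDED = -1 };

/* Straightforward recursive glob matcher ('*' = any run, '?' = one char)
 * where every recursion step is charged against *budget.  Without the
 * budget, a pattern like "*a*a*a*a*b" against a long run of 'a's (which can
 * never match) makes each '*' explore every split point, so the work grows
 * polynomially in the name length with the number of wildcards.  Returning
 * MATCH_BUDGET_EXCEEDED lets the caller reject the request early. */
static int bounded_match(const char *pat, const char *str, long *budget)
{
    if (--*budget < 0) return MATCH_BUDGET_EXCEEDED;
    if (*pat == '\0') return *str == '\0' ? MATCH_YES : MATCH_NO;
    if (*pat == '*') {
        for (;; str++) {                      /* try every split point */
            int r = bounded_match(pat + 1, str, budget);
            if (r != MATCH_NO) return r;      /* YES or budget exceeded */
            if (*str == '\0') return MATCH_NO;
        }
    }
    if (*str == '\0') return MATCH_NO;
    if (*pat == '?' || *pat == *str) return bounded_match(pat + 1, str + 1, budget);
    return MATCH_NO;
}

/* Preferred fix: an iterative matcher that remembers only the most recent
 * '*' and where it resumed, so the worst case is O(len(pat) * len(str))
 * no matter how many wildcards the client sends.  No budget is needed. */
static bool linear_match(const char *pat, const char *str)
{
    const char *star = NULL, *back = NULL;
    while (*str) {
        if (*pat == '?' || *pat == *str) { pat++; str++; }
        else if (*pat == '*') { star = pat++; back = str; }
        else if (star) { pat = star + 1; str = ++back; }
        else return false;
    }
    while (*pat == '*') pat++;                /* trailing stars match "" */
    return *pat == '\0';
}
```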