Bug 1152

Summary: CVE-2011-0719 samba: Denial of service - memory corruption
Product: Mageia
Reporter: Jérôme Soyer <saispo>
Component: Security
Assignee: Mageia Bug Squad <bugsquad>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: Normal
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
URL: http://samba.org/samba/security/CVE-2010-3069.html
Whiteboard:
Source RPM: samba-3.5.5-2.mga1.src.rpm
CVE:
Status comment:

Description Jérôme Soyer 2011-05-05 10:52:14 CEST
All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and related dom_sid_parse() function in the source4 code)
do not correctly check their input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a sid that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.

A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).
Jérôme Soyer 2011-05-05 10:55:28 CEST

Summary: CVE-2010-3069 samba: Buffer Overrun Vulnerability => CVE-2011-0719 samba: Denial of service - memory corruption

Comment 1 Jérôme Soyer 2011-05-05 10:56:17 CEST
Error in my pasted comment; the real one is here:

Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of the FD_SET macro, which allows remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening a large number of files, related to (1) Winbind or (2) smbd.
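The defect class named in the comment above (no range check before FD_SET) is easy to see in isolation. The following is an added example written for this bug entry, not Samba code: `fd_set` is a fixed-size bitmap of `FD_SETSIZE` bits (1024 on glibc), and `FD_SET(fd, &set)` on an fd at or above that limit writes outside the bitmap, which on a stack-allocated `fd_set` is exactly the stack memory corruption the CVE text describes. The helper names (`safe_fd_set`, `safe_fd_isset`, `demo_added_count`) and the sample descriptor list are assumptions constructed for the example; a process that has opened many files hands out descriptor numbers past `FD_SETSIZE`, which is the "large number of files" condition in the advisory.

```c
#include <sys/select.h>
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not Samba code): wrappers that perform the range check
 * the CVE-2011-0719 description says was missing before FD_SET. A raw
 * FD_SET(fd, set) with fd >= FD_SETSIZE sets a bit past the end of the
 * fd_set bitmap; when the fd_set lives on the stack that is a stack
 * overwrite. Checking fd against FD_SETSIZE first makes that impossible. */

/* Returns 1 if fd was added to the set, 0 with errno = EBADF if fd is
 * outside [0, FD_SETSIZE) and therefore cannot be represented in an fd_set. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return 0;
    }
    FD_SET(fd, set);
    return 1;
}

/* Same range check for the read side: an out-of-range fd is never "set". */
int safe_fd_isset(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        return 0;
    }
    return FD_ISSET(fd, set) ? 1 : 0;
}

/* Adds each descriptor in fds[] to set, skipping the out-of-range ones,
 * and returns how many were actually added. */
int count_safely_added(const int *fds, size_t n, fd_set *set)
{
    int added = 0;
    for (size_t i = 0; i < n; i++) {
        if (safe_fd_set(fds[i], set)) {
            added++;
        }
    }
    return added;
}

/* Constructed sample: three in-range descriptors, then three that a raw
 * FD_SET would mishandle (negative, == FD_SETSIZE, well past FD_SETSIZE,
 * as handed out by a process that has opened many files). Returns 3. */
int demo_added_count(void)
{
    const int sample_fds[] = { 0, 3, FD_SETSIZE - 1, -1, FD_SETSIZE, FD_SETSIZE + 100 };
    fd_set set;
    FD_ZERO(&set);
    return count_safely_added(sample_fds, sizeof sample_fds / sizeof sample_fds[0], &set);
}

int main(void)
{
    printf("FD_SETSIZE on this platform: %d\n", FD_SETSIZE);
    printf("descriptors accepted from the constructed sample: %d of 6\n", demo_added_count());
    return 0;
}
```

The fix upstream has the same shape: reject or fall back before the macro runs, rather than trusting that the descriptor number is small. Code that must handle more than `FD_SETSIZE` open files should move to `poll()` or `epoll()`, which take descriptor lists instead of a fixed-size bitmap.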
Comment 2 Jérôme Soyer 2011-05-05 13:02:14 CEST
fixed in package samba-3.5.5-3.mga1

Status: NEW => RESOLVED
Resolution: (none) => FIXED