https://www.samba.org/samba/security/CVE-2013-4124

"
CVE-2013-4124.html:

===========================================================
== Subject:     Denial of service - CPU loop and memory allocation.
==
== CVE ID#:     CVE-2013-4124
==
== Versions:    Samba 3.0.x - 4.0.7 (inclusive)
==
== Summary:     Samba 3.0.x to 4.0.7 are affected by a
==              denial of service attack on authenticated
==              or guest connections.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a denial of service on an authenticated or guest connection. A malformed packet can cause the smbd server to loop the CPU performing memory allocations and preventing any further service.

A connection to a file share, or a local account is needed to exploit this problem, either authenticated or unauthenticated if guest connections are allowed.

This flaw is not exploitable beyond causing the code to loop allocating memory, which may cause the machine to exceed memory limits.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.22, 3.6.17 and 4.0.8 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by Jeremy Allison of Google.
"
Packages for mga2/mga3 have been patched and submitted. 3.6.17 was submitted to cauldron.
======================================================
Name: CVE-2013-4124
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130612
Category:
Reference: CONFIRM:http://ftp.samba.org/pub/samba/patches/security/samba-4.0.7-CVE-2013-4124.patch
Reference: CONFIRM:http://www.samba.org/samba/history/samba-3.5.22.html
Reference: CONFIRM:http://www.samba.org/samba/history/samba-3.6.17.html
Reference: CONFIRM:http://www.samba.org/samba/history/samba-4.0.8.html
Reference: CONFIRM:http://www.samba.org/samba/security/CVE-2013-4124
Reference: CONFIRM:https://bugzilla.redhat.com/show_bug.cgi?id=984401

Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet.
CC: (none) => mageia
Hardware: i586 => All
Version: 2 => 3
Whiteboard: (none) => MGA2TOO
Advisory:
========================

Updated samba packages fix security vulnerability:

Integer overflow in the read_nttrans_ea_list function in nttrans.c in smbd in Samba 3.x before 3.5.22, 3.6.x before 3.6.17, and 4.x before 4.0.8 allows remote attackers to cause a denial of service (memory consumption) via a malformed packet (CVE-2013-4124).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124
http://www.samba.org/samba/security/CVE-2013-4124
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.5-2.3.mga2
samba-client-3.6.5-2.3.mga2
samba-common-3.6.5-2.3.mga2
samba-doc-3.6.5-2.3.mga2
samba-swat-3.6.5-2.3.mga2
samba-winbind-3.6.5-2.3.mga2
nss_wins-3.6.5-2.3.mga2
libsmbclient0-3.6.5-2.3.mga2
libsmbclient0-devel-3.6.5-2.3.mga2
libsmbclient0-static-devel-3.6.5-2.3.mga2
libnetapi0-3.6.5-2.3.mga2
libnetapi-devel-3.6.5-2.3.mga2
libsmbsharemodes0-3.6.5-2.3.mga2
libsmbsharemodes-devel-3.6.5-2.3.mga2
libwbclient0-3.6.5-2.3.mga2
libwbclient-devel-3.6.5-2.3.mga2
samba-virusfilter-clamav-3.6.5-2.3.mga2
samba-virusfilter-fsecure-3.6.5-2.3.mga2
samba-virusfilter-sophos-3.6.5-2.3.mga2
samba-domainjoin-gui-3.6.5-2.3.mga2
samba-server-3.6.15-1.1.mga3
samba-client-3.6.15-1.1.mga3
samba-common-3.6.15-1.1.mga3
samba-doc-3.6.15-1.1.mga3
samba-swat-3.6.15-1.1.mga3
samba-winbind-3.6.15-1.1.mga3
nss_wins-3.6.15-1.1.mga3
libsmbclient0-3.6.15-1.1.mga3
libsmbclient0-devel-3.6.15-1.1.mga3
libsmbclient0-static-devel-3.6.15-1.1.mga3
libnetapi0-3.6.15-1.1.mga3
libnetapi-devel-3.6.15-1.1.mga3
libsmbsharemodes0-3.6.15-1.1.mga3
libsmbsharemodes-devel-3.6.15-1.1.mga3
libwbclient0-3.6.15-1.1.mga3
libwbclient-devel-3.6.15-1.1.mga3
samba-virusfilter-clamav-3.6.15-1.1.mga3
samba-virusfilter-fsecure-3.6.15-1.1.mga3
samba-virusfilter-sophos-3.6.15-1.1.mga3
samba-domainjoin-gui-3.6.15-1.1.mga3

from SRPMS:
samba-3.6.5-2.3.mga2.src.rpm
samba-3.6.15-1.1.mga3.src.rpm
CC: (none) => luigiwalser
Assignee: bugsquad => qa-bugs
Summary: CVE-2013-4124: samba - Denial of service - CPU loop and memory allocation. => samba - Denial of service - CPU loop and memory allocation (CVE-2013-4124)
Advisory 10926.adv uploaded to svn.
CC: (none) => davidwhodgins
Mandriva has issued an advisory for this today (August 6): http://www.mandriva.com/en/support/security/advisories/mbs1/MDVSA-2013:207/
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4124 => http://lwn.net/Vulnerabilities/562281/
Severity: normal => major
PoC is still private: https://bugzilla.samba.org/show_bug.cgi?id=10010
Source RPM: (none) => samba
Testing mga3 32 & 64

Procedure: https://bugs.mageia.org/show_bug.cgi?id=8907#c2
Whiteboard: MGA2TOO => MGA2TOO has_procedure
Testing complete mga3 32 & 64

Samba is always a pain to test for some reason. It's necessary to reboot between connecting one way and connecting the other or it gives an error, and MCC isn't much use to connect to shares.

Samba and swat OK though, tested as far as mounting a share in each direction and reconfiguring each through swat.
Whiteboard: MGA2TOO has_procedure => MGA2TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete mga2 32 & 64.

Used mcc, which created an fstab entry like

//x2v/homes /mnt/homes cifs credentials=/etc/samba/auth.x2v.dave,noauto 0 0

I'm surprised the password is kept in clear text, in the file, but at least it's only readable by root.

Could someone from the sysadmin team push 10926.adv to updates.
Keywords: (none) => validated_update
Whiteboard: MGA2TOO has_procedure mga3-32-ok mga3-64-ok => MGA2TOO has_procedure mga3-32-ok mga3-64-ok mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0246.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED