[Pkg-samba-maint] (forw) [Samba-pkg-sec] [Fwd: [SAMBA] GETDC mailslot processing buffer overrun in nmbd]

Steve Langasek vorlon at debian.org
Sat Nov 17 09:02:39 UTC 2007


On Fri, Nov 16, 2007 at 11:01:53AM -0800, Steve Langasek wrote:
> On Fri, Nov 16, 2007 at 10:56:51AM +0000, Steve Kemp wrote:
> > On Thu Nov 15, 2007 at 14:10:15 -0800, Steve Langasek wrote:

> > > Christian ran out of time today to upload packages built with the revised
> > > patch, so I've gone ahead with building the etch packages here as well.  The
> > > diff is attached, and these packages are also on their way to
> > > security-master now.

> >   Thanks, I'll release it once it is all built.

> FYI, there's a regression reported upstream as a result of the DoS fix
> (in spite of my noting the riskiness of the code change, and upstream
> assuring me they'd done an audit of the affected codepaths, sigh):

>   https://bugzilla.samba.org/show_bug.cgi?id=5087

> So far this is only reported to affect mounting of shares with the
> deprecated smbfs kernel driver on Linux, so given that it's been bound up
> with the fix for a remote code execution bug in a daemon that runs as root,
> I would recommend going ahead with releasing these security advisories as-is
> and I'll chase them up with a fix from upstream as soon as it's available.

Upstream has made the fixed patch available in
<http://lists.samba.org/archive/samba/2007-November/136390.html>.  I've
confirmed that adding this patch fixes the regression observed in 3.0.27
with smbfs clients, for 3.0.24; I haven't tested 3.0.14 due to lack of a
convenient test environment for sarge.

Updated packages, source+binary signed, are available at
<http://people.debian.org/~vorlon/samba/>.  I'll leave it up to the security
team to decide whether to accept these immediately, or push out the earlier
builds first.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
