Re: Fwd: [Full-disclosure] stratsec Security Advisory SS-2010-005: Samba Multiple DoS Vulnerabilities (3.3.x)

[Eren Türkay <eren () pardus org tr>]

On Fri, May 28, 2010 at 10:04:32AM +0200, Tomas Hoger wrote:
> Hi Eren!

Hi Tomas,

> Note that your bug id is off-by-one ;).  However, that's not the
> stratsec issue, you should be looking at this:

Ah, right. I confused the bug mentioned in 3.4.8 with the advisory.
Thank you for clarification and pointing this out!

>    o Fix an uninitialized variable read in smbd (bug #7254).
>
> https://bugzilla.samba.org/show_bug.cgi?id=7254
> http://git.samba.org/?p=samba.git;a=commitdiff;h=9280051bfba33745
>
> This issue should rather be described as OOB read as mentioned in Josh's
> CVE assignment.  This problem may affect fairly old samba version, I've
> seen the same code / issue in some oldish 3.0.x versions.  The crash is
> not too reliable though, I've only seen crash on some (recent) versions
> using stratsec reproducer (you've noticed already their advisory
> incorrectly labels reproducers and has them mixed-up, right?).

Right. I am going to pick up the fix, then.

> CVE-2010-1642 mentioned above.
>
> NULL deref CVE-2010-1635 should only affect 3.5.x, as it occurs in
> this code, which does not exist in 3.4.x:
>
> http://git.samba.org/?p=samba.git;a=commitdiff;h=c116652a3050a854
>
> On 3.3.x, reproducer causes smbd to follow error code path where
> smb_panic is called.

Thanks. To summarize, 3.3.x is only affected by OOB read (CVE-2010-1642)
As smbd follows error code path where smb_panic is called, I guess we
can say that 3.3.x is not affected by CVE-2010-1642.

Regards,
Eren