CVE-2011-0719 – Samba unsafe fd_set usage
https://notcve.org/view.php?id=CVE-2011-0719
Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of the FD_SET macro, which allows remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening a large number of files, related to (1) Winbind or (2) smbd. Samba versión 3.x anterior a 3.3.15, versión 3.4.x anterior a 3.4.12 y versión 3.5.x anterior a 3.5.7, no realiza comprobaciones de rango para los descriptores de archivo antes del uso de la macro FD_SET, que permite a los atacantes remotos causar una denegación de servicio (corrupción de la memoria de la pila y el bucle infinito o la fallo del demonio) abriendo una gran cantidad de archivos, relacionados con (1) Winbind o (2) smbd. • http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056229.html http://lists.fedoraproject.org/pipermail/package-announce/2011-March/056241.html http://marc.info/?l=bugtraq&m=130835366526620&w=2 http://samba.org/samba/security/CVE-2011-0719.html http://secunia.com/advisories/43482 http://secunia.com/advisories/43503 http://secunia.com/advisories/43512 http://secunia.com/advisories/43517 http: • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2010-3069 – Samba: Stack-based buffer overflow by processing specially-crafted SID records
https://notcve.org/view.php?id=CVE-2010-3069
Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share. Un desbordamiento de búfer basado en pila en las funciones (1) sid_parse y (2) dom_sid_parse en Samba anterior a v3.5.5 permite a los atacantes remotos causar una denegación de servicio (caída) y posiblemente ejecutar código a su elección a través de Windows Security ID (SID) manipulados en un fichero compartido. • http://lists.apple.com/archives/security-announce/2011//Jun/msg00000.html http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047650.html http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047697.html http://lists.fedoraproject.org/pipermail/package-announce/2010-September/047758.html http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00000.html http://lists.opensuse.org/opensuse-sec • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVE-2010-1635
https://notcve.org/view.php?id=CVE-2010-1635
The chain_reply function in process.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) via a Negotiate Protocol request with a certain 0x0003 field value followed by a Session Setup AndX request with a certain 0x8003 field value. La función chain_reply de process.c de smbd de Samba anterior a v3.4.8, y v3.5.x anterior a v3.5.2 permite a atacantes remotos provocar una denegación de servicio (referencia a puntero nulo -NULL- y caída del proceso) mediante una solicitud de negociación de protocolo (Negotiate Protocol) con determinado valor de campo 0x003 seguido de una solicitud Session Setup AndX con determinado valor de campo 0x8003. • http://git.samba.org/?p=samba.git%3Ba=commit%3Bh=25452a2268ac7013da28125f3df22085139af12d http://samba.org/samba/history/samba-3.4.8.html http://samba.org/samba/history/samba-3.5.2.html http://security-tracker.debian.org/tracker/CVE-2010-1635 http://www.mandriva.com/security/advisories?name=MDVSA-2010:141 http://www.securityfocus.com/bid/40097 http://www.stratsec.net/Research/Advisories/Samba-Multiple-DoS-Vulnerabilities-%28SS-2010-005%29 http://www.vupen.com/english/advisories/2010 •
CVE-2010-1642
https://notcve.org/view.php?id=CVE-2010-1642
The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to trigger an out-of-bounds read, and cause a denial of service (process crash), via a \xff\xff security blob length in a Session Setup AndX request. La función reply_sesssetup_and_X_spnego de sesssetup.c de smbd de Samba anterior a v3.4.8, y v3.5.x anterior a v3.5.2, permite a atacantes remotos provocar una lectura fuera de rango y ocasionar una denegación de servicio (caída del proceso), a través de una longitud blob -binary large object- de seguridad \xff\xff en una solicitud Session Setup AndX. • http://git.samba.org/?p=samba.git%3Ba=commit%3Bh=9280051bfba337458722fb157f3082f93cbd9f2b http://samba.org/samba/history/samba-3.4.8.html http://samba.org/samba/history/samba-3.5.2.html http://security-tracker.debian.org/tracker/CVE-2010-1642 http://www.mandriva.com/security/advisories?name=MDVSA-2010:141 http://www.securityfocus.com/bid/40097 http://www.stratsec.net/Research/Advisories/Samba-Multiple-DoS-Vulnerabilities-%28SS-2010-005%29 http://www.vupen.com/english/advisories/2010 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVE-2010-0728
https://notcve.org/view.php?id=CVE-2010-0728
smbd in Samba 3.3.11, 3.4.6, and 3.5.0, when libcap support is enabled, runs with the CAP_DAC_OVERRIDE capability, which allows remote authenticated users to bypass intended file permissions via standard filesystem operations with any client. smbd en Samba v3.3.11, v3.4.6, y v3.5.0, cuando el soporte libcap está activado, se ejecuta con la capacidad CAP_DAC_OVERRIDE, lo que permite a usuarios autenticados remotamente superar los permisos establecidos de archivos establecidos a través de operaciones filesystem con cualquier cliente. • http://lists.samba.org/archive/samba-announce/2010/000211.html http://www.samba.org/samba/history/samba-3.3.12.html http://www.samba.org/samba/history/samba-3.4.7.html http://www.samba.org/samba/history/samba-3.5.1.html http://www.samba.org/samba/security/CVE-2010-0728 https://bugzilla.samba.org/show_bug.cgi?id=7222 • CWE-264: Permissions, Privileges, and Access Controls •