author | simon <simon@FreeBSD.org> | 2007-05-17 04:22:35 +0800 |
---|---|---|
committer | simon <simon@FreeBSD.org> | 2007-05-17 04:22:35 +0800 |
commit | 443cb9d4dae1a1661699ebf01938fe16057e9319 (patch) | |
tree | 227fe99bcb6b8e94ea7e5a4babc0514ce8f6577f | |
parent | 28ac3063af7bb833d95dbc6f1677092f798e7516 (diff) | |
Document samba -- multiple vulnerabilities.
Brought to you from Heathrow Airport and BSDCan 2007 Devsummit.
-rw-r--r-- | security/vuxml/vuln.xml | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index cd7e813963f8..c74b90abecc0 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml 
@@ -34,6 +34,69 @@ Note: Please add new entries to the beginning of this file. --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="3546a833-03ea-11dc-a51d-0019b95d4f14"> + <topic>samba -- multiple vulnerabilities</topic> + <affects> + <package> + <name>samba</name> + <name>ja-samba</name> + <range><gt>3.*</gt><lt>3.0.25,1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The Samba Team reports:</p> + <blockquote cite="http://de5.samba.org/samba/security/CVE-2007-2444.html"> + <p>A bug in the local SID/Name translation routines may + potentially result in a user being able to issue SMB/CIFS + protocol operations as root.</p> + <p>When translating SIDs to/from names using Samba local + list of user and group accounts, a logic error in the smbd + daemon's internal security stack may result in a + transition to the root user id rather than the non-root + user. The user is then able to temporarily issue SMB/CIFS + protocol operations as the root user. 
This window of + opportunity may allow the attacker to establish additional + means of gaining root access to the server.</p> + </blockquote> + <blockquote cite="http://de5.samba.org/samba/security/CVE-2007-2446.html"> + <p>Various bugs in Samba's NDR parsing can allow a user to + send specially crafted MS-RPC requests that will overwrite + the heap space with user defined data.</p> + </blockquote> + <blockquote cite="http://de5.samba.org/samba/security/CVE-2007-2447.html"> + <p>Unescaped user input parameters are passed as arguments + to /bin/sh allowing for remote command execution.</p> + <p>This bug was originally reported against the anonymous + calls to the SamrChangePassword() MS-RPC function in + combination with the "username map script" smb.conf option + (which is not enabled by default).</p> + <p>After further investigation by Samba developers, it was + determined that the problem was much broader and impacts + remote printer and file share management as well. The + root cause is passing unfiltered user input provided via + MS-RPC calls to /bin/sh when invoking externals scripts + defined in smb.conf. However, unlike the "username map + script" vulnerability, the remote file and printer + management scripts require an authenticated user + session.</p> + </blockquote> + </body> + </description> + <references> + <cvename>CVE-2007-2444</cvename> + <cvename>CVE-2007-2446</cvename> + <cvename>CVE-2007-2447</cvename> + <url>http://de5.samba.org/samba/security/CVE-2007-2444.html</url> + <url>http://de5.samba.org/samba/security/CVE-2007-2446.html</url> + <url>http://de5.samba.org/samba/security/CVE-2007-2447.html</url> + </references> + <dates> + <discovery>2007-05-14</discovery> + <entry>2007-05-16</entry> + </dates> + </vuln> + <vuln vid="f5e52bf5-fc77-11db-8163-000e0c2e438a"> <topic>php -- multiple vulnerabilities</topic> <affects> |
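
Review bot: the six advisory links in this entry (the three `cite` attributes on the blockquotes and the three `<url>` elements under `<references>`) all use the host de5.samba.org, which looks like a single regional mirror rather than the project's primary site. If the same advisories are published under the main samba.org hostname, point the entry there so the references do not depend on one mirror staying reachable. Separately, the lower bound `<gt>3.*</gt>` leaves samba 2.x out of the affected range, while the quoted advisory text does not say which release lines are affected; it is worth confirming against the upstream advisories that 2.x is unaffected and noting that in the commit message.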