Debian Security Advisory

DSA-280-1 samba -- buffer overflow

Date Reported:

07 Apr 2003

Affected Packages:

Vulnerable:

Yes

Security database references:

In the Bugtraq database (at SecurityFocus): BugTraq ID 7294, BugTraq ID 7295.
In Mitre's CVE dictionary: CVE-2003-0201, CVE-2003-0196.
CERT's vulnerabilities, advisories and incident notes: VU#267873.

More information:

Digital Defense, Inc. has alerted the Samba Team to a serious vulnerability in Samba, a LanManager-like file and printer server for Unix. This vulnerability can lead to an anonymous user gaining root access on a Samba serving system. An exploit for this problem is already circulating and in use.

Since the packages for potato are quite old it is likely that they contain more security-relevant bugs that we don't know of. You are therefore advised to upgrade your systems running Samba to woody soon.

Unofficial backported packages from the Samba maintainers for version 2.2.8 of Samba for woody are available at ~peloy and ~vorlon.

For the stable distribution (woody) this problem has been fixed in version 2.2.3a-12.3.

For the old stable distribution (potato) this problem has been fixed in version 2.0.7-5.1.

The unstable distribution (sid) is not affected since it contains version 3.0 packages already.

We recommend that you upgrade your Samba packages immediately.

Fixed in:

Debian GNU/Linux 2.2 (potato)

Source:: http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1.dsc; http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1.diff.gz; http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7.orig.tar.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.0.7-5.1_all.deb
Alpha:: http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_arm.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_arm.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_arm.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_arm.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_i386.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_i386.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_i386.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_i386.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_i386.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_m68k.deb
PowerPC:: http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_powerpc.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/s/samba/samba_2.0.7-5.1_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.0.7-5.1_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.0.7-5.1_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.0.7-5.1_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.0.7-5.1_sparc.deb

Debian GNU/Linux 3.0 (woody)

Source:: http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3.dsc; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3.diff.gz; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a.orig.tar.gz
Architecture-independent component:: http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.2.3a-12.3_all.deb
Alpha:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_alpha.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_arm.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_i386.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_ia64.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_hppa.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_m68k.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_mips.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_mipsel.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_powerpc.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_s390.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.3_sparc.deb; http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.3_sparc.deb

MD5 checksums of the listed files are available in the original advisory.