Debian Security Advisory
DSA-262-1 samba -- remote exploit
- Date Reported:
- 15 Mar 2003
- Affected Packages:
- samba
- Vulnerable:
- Yes
- Security database references:
- In the Bug Tracking database (at SecurityFocus): BugTraq ID 7107, BugTraq ID 7106.
In Mitre's CVE dictionary: CVE-2003-0085, CVE-2003-0086.
- More information:
- Sebastian Krahmer of the SuSE security audit team discovered two problems in samba, a popular SMB/CIFS implementation. These problems are:
- a buffer overflow in the code that reassembles SMB/CIFS packet fragments. This code is used by smbd. Since smbd runs with root privileges, an attacker can use it to gain root privileges on a machine running smbd;
- the code that writes registry files was susceptible to a chown race, which gave a local user the possibility to overwrite system files.
Both problems have been fixed in upstream version 2.2.8, and in version 2.2.3a-12.1 of the package for Debian GNU/Linux 3.0/woody.
- Fixed in:
- Debian GNU/Linux 3.0 (woody)
- Source:
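The first problem is the classic shape of a fragment-reassembly bug: the peer declares a total size, an offset and a fragment length, and the server copies into a fixed buffer trusting those numbers. The following C program is an added example, not Samba's code; the header layout (`total_len`, `offset`, `len`) and the 4096-byte buffer are hypothetical. It shows the checks a defender expects in such code, including a range test written so that `offset + len` cannot wrap around a 32-bit integer.

```c
/* Added example (not Samba's code): bounds-checked reassembly of a
 * multi-fragment request into a fixed buffer.  All field names and
 * the buffer size are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_REASSEMBLY 4096

/* Hypothetical fragment header.  Every field arrives from the peer
 * and must be treated as attacker-controlled. */
struct fragment {
    uint32_t total_len;    /* declared size of the whole message */
    uint32_t offset;       /* where this piece lands in the buffer */
    uint32_t len;          /* payload bytes carried by this fragment */
    const uint8_t *data;
};

struct reassembly {
    uint8_t buf[MAX_REASSEMBLY];
    uint32_t total_len;    /* 0 until the first fragment is accepted */
};

/* Returns 0 if the fragment was copied, -1 if it must be rejected. */
int reassemble_fragment(struct reassembly *r, const struct fragment *f)
{
    /* The first fragment fixes total_len; later ones must agree with it,
     * and the declared size may never exceed the real buffer. */
    if (r->total_len == 0) {
        if (f->total_len == 0 || f->total_len > MAX_REASSEMBLY)
            return -1;
        r->total_len = f->total_len;
    } else if (f->total_len != r->total_len) {
        return -1;
    }
    /* Range check against the remaining room instead of computing
     * offset + len, which could wrap and pass a naive comparison. */
    if (f->offset > r->total_len || f->len > r->total_len - f->offset)
        return -1;
    memcpy(r->buf + f->offset, f->data, f->len);
    return 0;
}

/* Helper: feed one fragment built from a C string (constructed input). */
static int feed(struct reassembly *r, uint32_t total, uint32_t off, const char *payload)
{
    struct fragment f = { total, off, (uint32_t)strlen(payload), (const uint8_t *)payload };
    return reassemble_fragment(r, &f);
}

/* Runs a constructed scenario; returns 0 when every decision is right. */
int demo(void)
{
    struct reassembly r, big;
    memset(&r, 0, sizeof r);
    memset(&big, 0, sizeof big);
    int ok1  = feed(&r, 10, 0, "hello");        /* accepted */
    int ok2  = feed(&r, 10, 5, "world");        /* accepted, buffer now full */
    int bad1 = feed(&r, 10, 8, "xxxxxx");       /* 8 + 6 > 10: rejected */
    int bad2 = feed(&r, 10, 0xFFFFFFF0u, "x");  /* offset past end: rejected */
    int bad3 = feed(&r, 12, 0, "x");            /* total_len changed mid-stream: rejected */
    int bad4 = feed(&big, 100000, 0, "x");      /* declared size > buffer: rejected */
    int content_ok = memcmp(r.buf, "helloworld", 10) == 0;
    return (ok1 == 0 && ok2 == 0 && bad1 == -1 && bad2 == -1 &&
            bad3 == -1 && bad4 == -1 && content_ok) ? 0 : 1;
}

int main(void)
{
    printf("reassembly checks %s\n", demo() == 0 ? "passed" : "FAILED");
    return demo();
}
```

The point of `demo()` is the four rejections: an honest client never needs a fragment past the declared end, a changing total, or a total larger than the server's buffer, so each is a protocol violation to drop and log rather than accommodate.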
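The second problem is a time-of-check/time-of-use race: if a privileged writer creates a file by name and then calls `chown()` on that name, a local user who can swap the path (for a symlink, say) between the two calls gets the ownership change applied to a file of their choosing. The following C program is an added example, not Samba's code; the function name `write_owned_file` and the `registry.tdb` file name are hypothetical. It applies every operation after the open to the file descriptor (`fchown`, `fchmod`, `write`), so whatever the path name points to afterwards no longer matters, and publishes the result with an atomic `rename`.

```c
/* Added example (not Samba's code): writing an ownership-controlled file
 * without a chown race.  Function and file names are hypothetical. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Writes buf to path as a fresh file owned by uid:gid with mode 0600.
 * mkstemp() opens with O_CREAT|O_EXCL, so it never follows a link an
 * attacker planted, and all later steps use the descriptor, never the
 * name.  Returns 0 on success, -1 on any failure. */
int write_owned_file(const char *path, uid_t uid, gid_t gid,
                     const void *buf, size_t len)
{
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.tmpXXXXXX", path) >= (int)sizeof tmp)
        return -1;
    int fd = mkstemp(tmp);
    if (fd < 0)
        return -1;
    /* Ownership and mode are set on the open descriptor: no second
     * path lookup, hence no window for a swap. */
    if (fchown(fd, uid, gid) != 0 || fchmod(fd, 0600) != 0)
        goto fail;
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR) continue;
            goto fail;
        }
        p += n;
        len -= (size_t)n;
    }
    if (fsync(fd) != 0)
        goto fail;
    if (close(fd) != 0) {
        unlink(tmp);
        return -1;
    }
    /* Atomic publish: readers see either the old file or the new one. */
    if (rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
fail:
    close(fd);
    unlink(tmp);
    return -1;
}

/* Constructed scenario in a private temp directory: write the file
 * twice (create, then replace) and verify owner, mode and size.
 * Returns 0 when everything checks out. */
int demo(void)
{
    char dir[] = "/tmp/owned-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 1;
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/registry.tdb", dir);
    const char first[]  = "constructed sample content, version 1\n";
    const char second[] = "constructed sample content, version 2\n";
    int rc1 = write_owned_file(path, getuid(), getgid(), first, sizeof first - 1);
    int rc2 = write_owned_file(path, getuid(), getgid(), second, sizeof second - 1);
    struct stat st;
    int ok = rc1 == 0 && rc2 == 0 && stat(path, &st) == 0 &&
             (st.st_mode & 07777) == 0600 &&
             st.st_uid == getuid() &&
             st.st_size == (off_t)(sizeof second - 1);
    unlink(path);
    rmdir(dir);
    return ok ? 0 : 1;
}

int main(void)
{
    printf("owned-file write %s\n", demo() == 0 ? "passed" : "FAILED");
    return demo();
}
```

Running `demo()` as an unprivileged user works because changing a file to its existing owner is always permitted; a daemon running as root would pass the target uid and gid instead, and the same descriptor-based sequence keeps the ownership change bound to the file it actually created.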
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1.dsc
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a.orig.tar.gz
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1.diff.gz
- Architecture-independent component:
- http://security.debian.org/pool/updates/main/s/samba/samba-doc_2.2.3a-12.1_all.deb
- alpha (DEC Alpha):
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_alpha.deb
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_alpha.deb
- arm (ARM):
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_arm.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_arm.deb
- hppa (HP PA RISC):
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_hppa.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_hppa.deb
- i386 (Intel ia32):
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_i386.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_i386.deb
- ia64 (Intel ia64):
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_ia64.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_ia64.deb
- mips (MIPS (Big Endian)):
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_mips.deb
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_mips.deb
- mipsel (MIPS (Little Endian)):
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_mipsel.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_mipsel.deb
- powerpc (PowerPC):
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_powerpc.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_powerpc.deb
- s390 (IBM S/390):
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_s390.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_s390.deb
- sparc (Sun SPARC/UltraSPARC):
- http://security.debian.org/pool/updates/main/s/samba/smbclient_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/libpam-smbpass_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient-dev_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/samba-common_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/smbfs_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/samba_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/libsmbclient_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/winbind_2.2.3a-12.1_sparc.deb
- http://security.debian.org/pool/updates/main/s/samba/swat_2.2.3a-12.1_sparc.deb
MD5 checksums of the listed files are available on the original advisory page.
