Bug 152874 - CAN-2004-1154: Samba <= 3.0.9 : Integer overflow could lead to remote code execution
Summary: CAN-2004-1154: Samba <= 3.0.9 : Integer overflow could lead to remote code ex...
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: samba
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Whiteboard: 1, LEGACY, QA, rh73, rh90
Duplicates: 152847
Depends On:
Reported: 2004-12-17 09:55 UTC by David Lawrence
Modified: 2007-03-27 04:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-07-16 02:11:59 UTC


Description David Lawrence 2005-03-30 23:30:35 UTC
Remote exploitation of an integer overflow vulnerability
in the smbd daemon included in Samba 2.0.x, Samba 2.2.x,
and Samba 3.0.x prior to and including 3.0.9 could
allow an attacker to cause controllable heap corruption,
leading to execution of arbitrary commands with root

Successful remote exploitation allows an attacker to
gain root privileges on a vulnerable system. In order
to exploit this vulnerability an attacker must possess
credentials that allow access to a share on the Samba server.
Unsuccessful exploitation attempts will cause the process
serving the request to crash with signal 11, and may leave
evidence of an attack in logs.

------- Additional Comments From 2004-12-23 21:03:33 ----

This is fixed in RHEL21 samba with the following patch
samba-2.2.12-CAN-2004-1154.patch which should apply cleanly to RHL73 and RHL9.

Likewise, RHEL3 includes patches for 1154 which are likely to apply rather
nicely to FC1.

Looks like this one can probably be folded back to the #2264.

------- Additional Comments From 2004-12-24 07:29:09 ----

re comment #1:

for fc1:

RHEL3 went to 3.0.9 and the patch they used, which is directly from samba, does
not apply nicely to samba-3.0.7-2.FC1.1.legacy.

FC2 went to 3.0.10.

so it is not clear to me what we should do for fc1.

for rh9/rh73:

RHEL2.1 added a patch to increase the maximum number of connections.  see:

the RHEL2.1 patch for CAN-2004-1154 includes support for the increased
connection scheme and one hunk fails.  it is safe to remove this hunk since the
code it applies to is not there.  however, it still fails to build since the rh9
build enables options that the RHEL2.1 build does not.

i'll see if i can cook up a patch for rh9/rh73 and get some packages out the
door before vacation...

------- Additional Comments From 2004-12-24 08:04:54 ----

here are new samba rpms to QA for rh73 and rh9:
- uses patch from RHEL 2.1
- someone should closely review samba-2.2.12-CAN-2004-1154-malloc.patch
  to make sure i didn't screw something up.
- none of this was installed or tested but it compiles. :)
- should we rebuild FC-2 or RHEL3 samba for fc1?
this file is available at:
* Fri Dec 24 2004 Rob Myers <> 2.2.12-0.73.5.legacy
- apply patch for CAN-2004-1154 (FL #2349)
* Fri Dec 24 2004 Rob Myers <> 2.2.12-0.90.4.legacy
- apply patch for CAN-2004-1154 (FL #2349)
738cd7d0796ee45b888121b2b9353bd7b40e524e  samba-2.2.12-0.73.5.legacy.i386.rpm
a83c1df3ffc1ddbe29f0dbb4e77f6c87574e685e  samba-2.2.12-0.73.5.legacy.src.rpm
e48fac04c58f40b440050a1cf07caa77e0a9ae8b  samba-client-2.2.12-0.73.5.legacy.i386.rpm
e437ba6a207bf494782d65a8a7fb941283558511  samba-common-2.2.12-0.73.5.legacy.i386.rpm
733e7fa6064aa883812942ddbf44dd40255012f2  samba-swat-2.2.12-0.73.5.legacy.i386.rpm
d53dfde1c420af72e2d979466afba87c3bbc6549  samba-2.2.12-0.90.4.legacy.i386.rpm
7d2d04f89567e86acade6a6ecb50a1141b4bf5d0  samba-2.2.12-0.90.4.legacy.src.rpm
44a4acdcf0db90fc106c444a9bca39492e53971d  samba-client-2.2.12-0.90.4.legacy.i386.rpm
dd2f2be5f1696032b96f028c556cc5aea24689b2  samba-common-2.2.12-0.90.4.legacy.i386.rpm
c97487a4f746e7659aa5c7e4c8c8d4681f324818  samba-swat-2.2.12-0.90.4.legacy.i386.rpm

------- Additional Comments From 2004-12-24 08:57:08 ----

At least Ubuntu seems to ship samba-3.0.7, and they've released a patch for 
this.  Maybe we could take their patch (and compare it against redhat's) for 
FC1?  That said, I'd personally have no problems updating to samba-3.0.10 but 
others probably have different opinions.

Taking a look at the 2.2.x patches now..

------- Additional Comments From 2004-12-24 10:09:45 ----

FWIW, several other vendors are also using 3.0.7, I recall Mandrake and SuSe.

In any case, regarding the malloc patch, I was not 100% sure of your
methodology to be able to verify it.  Did you just check for different compile 
options (acl-support, pam_smbpass, msdfs) and the resulting file changes from 
the 3.0.9 patch?  If so, how, or if not, how instead?

Did you just apply red hat's patch and rely on  smb_macros.h redefinitions of 
the dangerous macros to error out on those that weren't yet fixed?  But does 
that catch everything (like talloc_zero, and many others)?  I played around 
with an idea of identifying the function names that the 3.0.9 patch is 
substituting and doing a grep of them in the source tree after the patches have 
been applied to see what else needs to be changed.

It's difficult to try to verify its scope (and in more general, whether 
everything has been fixed in Red Hat's patch) for correctness as apparently 
samba-3.0.9 patch is huge, Red Hat's 2.2.x patch half the size of that, but I 
guess they are not patching everything, and e.g., SuSe's 2.2.8 patch half the 
size of Red Hat's.

FWIW, I reviewed the current patch and it seems correct except that the 
printing_cups change should use SMB_REALLOC_ARRAY instead of SMB_REALLOC.

------- Additional Comments From 2004-12-25 07:13:11 ----

i just relied on the smb_macros.h to catch everything.  maybe it would be wise
to go over those other modules more closely?  and perhaps other distros patches
running 2.2.x with those modules enabled?

can you tell i was in a hurry to get out the door for vacation? ;)  and merry
christmas if you're into that sort of thing. :)

------- Additional Comments From 2005-01-02 21:11:53 ----

I took a second look at this.  The compile process uncomments
#define PARANOID_MALLOC_CHECKER in source/include/smb_macros.h; you will
also see the errors about memory allocation functions used unwisely -- and
talloc uses malloc internally, so this should be able to catch it, and the patch
is good.

So, if you will update the malloc patch to use SMB_REALLOC_ARRAY in
printing_cups (as mentioned in comment #2), I can give RHL73/RHL9 a +PUBLISH.

As for FC1.. FC2 seems to have made a couple of bigger changes like changing the
pid file directory for winbindd and changes %{initddir} to %{_initrddir}.  This
may be a bit too intrusive, but I don't use FC1 myself, so I'm OK if people want
to test more extensively for regressions etc.  If we don't do that, I suggest
taking a 3.0.7 patch from some other vendor, applying, trying to compile and
fixing the rest using the RHEL3 patch as a guide..

------- Additional Comments From 2005-01-04 03:24:33 ----

i will upgrade the rh73 and rh9 patch and rpms today.

mandrake seems to have gone to samba 3.0.10.  ubuntu seems to still be at 3.0.7.
i'll take a look at those for fc1.

------- Additional Comments From 2005-01-04 04:00:23 ----

Personally, I'd have no objection to moving to 3.0.10, but if we do that, we
IMHO should not backport FC2/FC3 3.0.10 packages to FC1, but instead just plug
in the 3.0.10 tarball and update the non-related patches to compile.  This is
less intrusive than the numerous changes to the spec file, new patches, etc.

------- Additional Comments From 2005-01-04 10:55:55 ----

here are new samba rpms to QA for rh73, rh9, and fc1:
- fixes samba-2.2.12-CAN-2004-1154-malloc.patch as pekka suggests
- update fc1 samba to 3.0.10.  there are some changes from 3.0.7
  detailed here: (see
Change in Winbindd Behavior
---------------------------
All usernames returned by winbindd are now converted to lower
case for better consistency.  This means any winbind installation
relying on the winbind username will need to rename existing
directories and/or files based on the username (%u and %U) to lower
case (e.g. mv $name `echo $name | tr '[A-Z]' '[a-z]'`).  This may
include mail spool files, home directories, valid user lines in
smb.conf, etc....
Change in Username Map
----------------------
Previous Samba releases would only support reading the fully qualified
username (e.g. DOMAIN\user) from the username map when performing a
kerberos login from a client.  However, when looking up a map
entry for a user authenticated by NTLM[SSP], only the login name would be
used for matches.  This resulted in inconsistent behavior sometimes
even on the same server.
Samba 3.0.8 obeys the following rules when applying the username
map functionality:
  * When performing local authentication, the username map is
    applied to the login name before attempting to authenticate
    the connection.
  * When relying upon a external domain controller for validating
    authentication requests, smbd will apply the username map
    to the fully qualified username (i.e. DOMAIN\user) only
    after the user has been successfully authenticated.
smb.conf changes
----------------
    Parameter Name                      Action
    --------------                      ------
    force printername                   New
    sendfile                            disabled by default
* Tue Jan 04 2005 Rob Myers <> 2.2.12-0.73.6.legacy
- correct one usage of SMB_REALLOC_ARRAY in patch
* Tue Jan 04 2005 Rob Myers <> 2.2.12-0.90.5.legacy
- correct one usage of SMB_REALLOC_ARRAY in patch
* Tue Jan 04 2005 Rob Myers <> 3.0.10-1.legacy
- upgrade to 3.0.10 fixes CAN-2004-1154 (FL #2349)
- upgrade logfiles, pie patches from FC-2
- disable old patches for CAN-2004-0882, CAN-2004-0930 since 3.0.10
  includes them
this file is available at:
a07396ded965c3f9fd65ecdb590e3d79611c094b  samba-2.2.12-0.73.6.legacy.i386.rpm
7a59a64f667de1c6cbae2a01129bda19ae7e4bec  samba-2.2.12-0.73.6.legacy.src.rpm
5cde97b3e234e48111fe1c9b3fb74bb8c2553dca  samba-client-2.2.12-0.73.6.legacy.i386.rpm
bec15dc3fd8533b82e2bdba18e37b80b873e4846  samba-common-2.2.12-0.73.6.legacy.i386.rpm
8b5bbcfe035074a5080d86f01a94f181f26c71cb  samba-swat-2.2.12-0.73.6.legacy.i386.rpm
c9cc3784b3edc018ddec0475632f3b2ae60c3595  samba-2.2.12-0.90.5.legacy.i386.rpm
1c8e4c4e032c2d11578b820159cf6446122aa366  samba-2.2.12-0.90.5.legacy.src.rpm
1e4815aea767f5577ba00d4e765153db5c961f19  samba-client-2.2.12-0.90.5.legacy.i386.rpm
8dd17b637ed4feebe25986532d0be4598a74b84e  samba-common-2.2.12-0.90.5.legacy.i386.rpm
86ba99fb3606cc567c4a79e82b3e4c28f665adf3  samba-swat-2.2.12-0.90.5.legacy.i386.rpm
491c222fc785c31911a47af31f1d231bba63a12f  samba-3.0.10-1.legacy.i386.rpm
c1c9f270dc2c6392d85ea7ddb8d42f306bd5be3b  samba-3.0.10-1.legacy.src.rpm
322e7fe608dc6db3c1e8ca23ba0af9fbaeb01fd7  samba-client-3.0.10-1.legacy.i386.rpm
3f35b62350d4c05f98d1b95d91dc4f661c27da37  samba-common-3.0.10-1.legacy.i386.rpm
ed72d14d557261258ab84d2cf779a5a6e97afa59  samba-debuginfo-3.0.10-1.legacy.i386.rpm
d510c2fd2de73e53410fb037f98425ca5bd885bd  samba-swat-3.0.10-1.legacy.i386.rpm

------- Additional Comments From 2005-01-04 12:01:38 ----


QA for the packages w/ rpm-build-compare:
 - spec file changes minimal (also for the FC1 3.0.7->3.0.10 update)
 - original sources etc. good (FC1 tarball also verified)
 - patches verified to be OK

Nit: samba-3.0.10-1.legacy.src.rpm should probably be renamed at mach to
samba-3.0.10-1.fc1.legacy.src.rpm or samba-3.0.10-1.fc1.1.legacy.src.rpm
because samba-3.0.10-1.fc2.src.rpm exists and the versioning might
otherwise go awry in FC1->FC2 updates.


c1c9f270dc2c6392d85ea7ddb8d42f306bd5be3b  samba-3.0.10-1.legacy.src.rpm
7a59a64f667de1c6cbae2a01129bda19ae7e4bec  samba-2.2.12-0.73.6.legacy.src.rpm
1c8e4c4e032c2d11578b820159cf6446122aa366  samba-2.2.12-0.90.5.legacy.src.rpm


------- Additional Comments From 2005-01-06 21:57:41 ----

I found an unfixed bug in RH9's SRPM.

At line 870 of samba-2.2.12/source/rpc_parse/parse_prs.c.

- str->buffer = (uint16 *)prs_alloc_mem(ps,str->buf_len);
+ str->buffer = (uint16 *)prs_alloc_mem(ps,str->buf_len*sizeof(uint16));
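Review bot: the `+` line corrects the unit of the allocation (buf_len 16-bit elements, not buf_len bytes) but still multiplies an attacker-supplied length by sizeof(uint16) with no bound check, which is the integer-overflow pattern CAN-2004-1154 is about; on a 32-bit build a large buf_len wraps the product to a small value and the buffer is again under-sized. The comment's own suggestion, the PRS_ALLOC_MEM macro style that takes the element type and count, is preferable because the count*size check then lives in one place rather than at each call site.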

RHEL2.1 fixed this bug by samba-2.2.12-CAN-2004-1154.patch in

Red Hat replaced prs_alloc_mem functions to PRS_ALLOC_MEM macros. Should we use
the same approach?
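The two ideas this thread keeps circling back to are (a) an array allocator that refuses a count*size product that would overflow, which is what the SMB_*_ARRAY and PRS_ALLOC_MEM macro style gives you, and (b) the "paranoid malloc checker" that turns any remaining direct malloc()/realloc() call into a compile error so a reviewer does not have to grep for stragglers by hand. The C below is an added illustration of both, written for this page; it is not Samba's code and not the patch under discussion. The names checked_malloc_array, CHECKED_MALLOC_ARRAY, MAX_ALLOC_SIZE and unistr_buf are illustrative, and the 256 MiB ceiling is an assumed policy value, not a Samba constant.

```c
/* Added example, not Samba's code: an overflow-checked array allocator in the
 * style of the SMB_MALLOC_ARRAY / PRS_ALLOC_MEM macros discussed in this bug,
 * plus a compile-time "paranoid malloc checker". All names are illustrative. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy ceiling on a single allocation; not a Samba value. */
#define MAX_ALLOC_SIZE ((size_t)256 * 1024 * 1024)

/* Allocate count elements of el_size bytes. Refuses (returns NULL) when the
 * product would reach MAX_ALLOC_SIZE, which also rules out size_t wrap-around
 * because count < MAX_ALLOC_SIZE / el_size implies el_size * count fits. */
static void *checked_malloc_array(size_t el_size, size_t count)
{
    if (el_size == 0 || count == 0)
        return NULL;
    if (count >= MAX_ALLOC_SIZE / el_size)
        return NULL;
    return malloc(el_size * count);
}

/* Same check for realloc. On refusal p is left untouched and still owned
 * by the caller, exactly like a failed realloc(). */
static void *checked_realloc_array(void *p, size_t el_size, size_t count)
{
    if (el_size == 0 || count == 0 || count >= MAX_ALLOC_SIZE / el_size)
        return NULL;
    return realloc(p, el_size * count);
}

#define CHECKED_MALLOC_ARRAY(type, count) \
    ((type *)checked_malloc_array(sizeof(type), (count)))
#define CHECKED_REALLOC_ARRAY(p, type, count) \
    ((type *)checked_realloc_array((p), sizeof(type), (count)))

/* Paranoid checker: from this point on, a direct malloc()/realloc()/calloc()
 * expands to an undeclared identifier and the build fails, so every
 * allocation in the translation unit is forced through the checked wrappers. */
#define malloc(s)     DONT_USE_MALLOC_DIRECTLY_use_CHECKED_MALLOC_ARRAY
#define realloc(p, s) DONT_USE_REALLOC_DIRECTLY_use_CHECKED_REALLOC_ARRAY
#define calloc(n, s)  DONT_USE_CALLOC_DIRECTLY_use_CHECKED_MALLOC_ARRAY

/* Model of the parse_prs.c case above: a wire-supplied buf_len counts 16-bit
 * units, so the buffer must be sized in units and the product bounds-checked. */
struct unistr_buf {
    uint32_t buf_len;
    uint16_t *buffer;
};

/* Returns 1 on success, 0 when the requested length is refused. */
static int unistr_alloc(struct unistr_buf *str, uint32_t buf_len)
{
    str->buf_len = buf_len;
    str->buffer = CHECKED_MALLOC_ARRAY(uint16_t, buf_len);
    if (str->buffer == NULL) {
        str->buf_len = 0;
        return 0;
    }
    memset(str->buffer, 0, (size_t)buf_len * sizeof(uint16_t));
    return 1;
}

/* Probe helper: would count elements of el_size bytes be accepted? */
static int alloc_would_be_accepted(size_t el_size, size_t count)
{
    void *p = checked_malloc_array(el_size, count);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

/* Probe helper: buf_len that results after unistr_alloc(), 0 if refused. */
static uint32_t unistr_demo(uint32_t buf_len)
{
    struct unistr_buf s = { 0, NULL };
    unistr_alloc(&s, buf_len);
    uint32_t got = s.buf_len;
    free(s.buffer);
    return got;
}

int main(void)
{
    printf("1000 x uint16_t: %s\n",
           alloc_would_be_accepted(sizeof(uint16_t), 1000) ? "accepted" : "refused");
    printf("0xFFFFFFFF x uint16_t: %s\n",
           alloc_would_be_accepted(sizeof(uint16_t), (size_t)0xFFFFFFFFu) ? "accepted" : "refused");
    printf("unistr_alloc(8) -> buf_len %u\n", (unsigned)unistr_demo(8));
    printf("unistr_alloc(0xFFFFFFFF) -> buf_len %u\n", (unsigned)unistr_demo(0xFFFFFFFFu));
    return 0;
}
```

The ordering matters: the wrappers are defined before the poison macros so they can still reach the real malloc()/realloc(), and everything after them must use the checked forms; adding a bare `malloc(n)` below that point is the compile error the checker is meant to produce.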

------- Additional Comments From 2005-01-07 01:46:56 ----

re comment #12:

yes, we should apply redhat's newer patch.  note that the same patch is used in
the rh73 package.

------- Additional Comments From 2005-01-25 07:20:41 ----

Perhaps I don't understand how the system works, but if these patches fix the
problem, why hasn't there been an advisory and why aren't the patches available
through yum?

------- Additional Comments From 2005-02-13 17:08:50 ----


Here are updates packages for rh73, rh9 and fc1:

7.3 Changelog:
* Sun Feb 13 2005 Marc Deslauriers <>
- Updated patch for CAN-2004-1154
- Removed print_cups section from patch 103 as it is now included
  in the main CAN-2004-1154 patch

* Tue Jan 04 2005 Rob Myers <> 2.2.12-0.73.6.legacy
- correct one usage of SMB_REALLOC_ARRAY in patch

9 Changelog:
* Sun Feb 13 2005 Marc Deslauriers <>
- Updated patch for CAN-2004-1154
- Removed print_cups section from patch 103 as it is now included
  in the main CAN-2004-1154 patch

* Tue Jan 04 2005 Rob Myers <> 2.2.12-0.90.5.legacy
- correct one usage of SMB_REALLOC_ARRAY in patch

fc1 Changelog:
* Sun Feb 13 2005 Marc Deslauriers <>
- Changed release tag to preserve upgrade path
- Added changetrustpw patch to fix double-free bug

* Tue Jan 04 2005 Rob Myers <> 3.0.10-1.legacy
- upgrade to 3.0.10 fixes CAN-2004-1154 (FL #2349)
- upgrade logfiles, pie patches from FC-2
- disable old patches for CAN-2004-0882, CAN-2004-0930 since 3.0.10
  includes them

ed52cb858fa64100c9d9a4be5c98e12415011d69  samba-2.2.12-0.73.7.legacy.i386.rpm
0cf30905e50c6e223576efd996253efbea304831  samba-2.2.12-0.73.7.legacy.src.rpm
bca58b60d10be62e04f56fa57063e207e1c812f1  samba-client-2.2.12-0.73.7.legacy.i386.rpm
a53ce814b81ca5b21975cc17ee726f837c9f0a84  samba-common-2.2.12-0.73.7.legacy.i386.rpm
e91372a273711546a19266c09493a23cf776c87a  samba-swat-2.2.12-0.73.7.legacy.i386.rpm

4c0359fc2267d0dec387c7402f9258ddade00900  samba-2.2.12-0.90.6.legacy.i386.rpm
4b08defd830aeb2364c50cfdd35739fb53d04f51  samba-2.2.12-0.90.6.legacy.src.rpm
94b5178d1e44a2162c2bb1d3236e6a2a6172fa19  samba-client-2.2.12-0.90.6.legacy.i386.rpm
a7ce8f3a7bdf71baeab16da0ad41d110ecfb82ae  samba-common-2.2.12-0.90.6.legacy.i386.rpm
210d2c69020d6bf9e0f0d4e08511327ed6a34932  samba-swat-2.2.12-0.90.6.legacy.i386.rpm

52c47d388218e6aaf07f34e3bd2a5bbd1a89ab4  samba-3.0.10-1.fc1.1.legacy.i386.rpm
4ad475051e17e551fbe38163175b0a67e2292d43  samba-3.0.10-1.fc1.1.legacy.src.rpm
4fa6f2d8a1a10347763b939e93a989c5165ddb8e  samba-swat-3.0.10-1.fc1.1.legacy.i386.rpm



------- Additional Comments From 2005-02-15 00:16:54 ----

Check the new RPMs w/
 - source integrity good
 - patch changes minimal
 - patches verified to come from upstream
The only thing I noted was that we did not patch examples/VFS/block/block.c,
but this is just an example, and probably even something that we don't ship,
so it should be OK.
4ad475051e17e551fbe38163175b0a67e2292d43  samba-3.0.10-1.fc1.1.legacy.src.rpm
0cf30905e50c6e223576efd996253efbea304831  samba-2.2.12-0.73.7.legacy.src.rpm
4b08defd830aeb2364c50cfdd35739fb53d04f51  samba-2.2.12-0.90.6.legacy.src.rpm

------- Additional Comments From 2005-02-18 14:14:17 ----

Pushed to updates-testing.

------- Additional Comments From 2005-02-27 03:35:22 ----


QA for RHL73:
 - GPG signature OK
 - installs nicely
 - seems to work OK (disk shares, printing)


42ecbf32e60d20aad26f484f56f3ff8238693476  samba-2.2.12-0.73.7.legacy.i386.rpm
8fd4d9cbba8086ccfd900d2f52606c2d54806988  samba-client-2.2.12-0.73.7.legacy.i386.rpm
6daa57cd26b5e821863c3eb9cfe2ae3f0c663ddb  samba-common-2.2.12-0.73.7.legacy.i386.rpm
e3675223b6b0bcd6dad4c2fe4012f4545ca7515a  samba-swat-2.2.12-0.73.7.legacy.i386.rpm


------- Bug moved to this database by 2005-03-30 18:30 -------

This bug previously known as bug 2349 at
Originally filed under the Fedora Legacy product and General component.

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
The original reporter of this bug does not have an account here. Reassigning to the person who moved it here,
Previous reporter was
Setting qa contact to the default for this product. This bug either had no qa contact or an invalid one.

Comment 1 Pekka Savola 2005-05-16 10:37:35 UTC
*** Bug 152847 has been marked as a duplicate of this bug. ***

Comment 2 Pekka Savola 2005-06-16 12:37:40 UTC
One verify, timeouts in 4 weeks.

Comment 3 Pekka Savola 2005-07-15 05:41:58 UTC
Timeout over.

Comment 4 Marc Deslauriers 2005-07-16 02:11:59 UTC
Packages were released to updates.
