From security@sco.com Tue May 6 17:13:23 2003 From: security@sco.com To: bugtraq@securityfocus.com, announce@lists.caldera.com, security-alerts@linuxsecurity.com Date: Fri, 2 May 2003 14:18:42 -0700 Reply-To: please_reply_to_security@sco.com Subject: Security Update: [CSSA-2003-017.0] OpenLinux: Various serious Samba vulnerabilities To: bugtraq@securityfocus.com announce@lists.caldera.com security-alerts@linuxsecurity.com ______________________________________________________________________________ SCO Security Advisory Subject: OpenLinux: Various serious Samba vulnerabilities Advisory number: CSSA-2003-017.0 Issue date: 2003 May 02 Cross reference: ______________________________________________________________________________ 1. Problem Description This update addresses the following Samba issues: A bug in the length checking for encrypted password change requests from clients could be exploited using a buffer overrun attack on the smbd stack. A vulnerability that could lead to an anonymous user gaining root access on a Samba serving system. A chown race condition that could allow overwriting of critical system files if exploited. A buffer overflow in the call_trans2open function in trans2.c allows remote attackers to execute arbitrary code. Multiple buffer overflows that may allow remote attackers to execute arbitrary code or cause a denial of service. 2. Vulnerable Supported Versions System Package ---------------------------------------------------------------------- OpenLinux 3.1.1 Server prior to libsmbclient-2.2.2-7.i386.rpm prior to samba-2.2.2-7.i386.rpm prior to samba-doc-2.2.2-7.i386.rpm prior to smbfs-2.2.2-7.i386.rpm prior to swat-2.2.2-7.i386.rpm OpenLinux 3.1.1 Workstation prior to libsmbclient-2.2.2-7.i386.rpm prior to samba-2.2.2-7.i386.rpm prior to samba-doc-2.2.2-7.i386.rpm prior to smbfs-2.2.2-7.i386.rpm prior to swat-2.2.2-7.i386.rpm 3. Solution The proper solution is to install the latest packages. Many customers find it easier to use the Caldera System Updater, called cupdate (or kcupdate under the KDE environment), to update these packages rather than downloading and installing them by hand. 4. OpenLinux 3.1.1 Server 4.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/RPMS 4.2 Packages a4f667678f6a3c283491ae04480625d6 libsmbclient-2.2.2-7.i386.rpm 8c95e0b81771bb703e08937125e8c9bf samba-2.2.2-7.i386.rpm 2a590b5458186279fd3bb17bb87c5af3 samba-doc-2.2.2-7.i386.rpm fcabaf8b0567ed5faad0e2fe8e206f92 smbfs-2.2.2-7.i386.rpm bd13c1771c2267549916f3afb60ad019 swat-2.2.2-7.i386.rpm 4.3 Installation rpm -Fvh libsmbclient-2.2.2-7.i386.rpm rpm -Fvh samba-2.2.2-7.i386.rpm rpm -Fvh samba-doc-2.2.2-7.i386.rpm rpm -Fvh smbfs-2.2.2-7.i386.rpm rpm -Fvh swat-2.2.2-7.i386.rpm 4.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Server/CSSA-2003-017.0/SRPMS 4.5 Source Packages 403ddcea6384a309768066e06941a68f samba-2.2.2-7.src.rpm 5. OpenLinux 3.1.1 Workstation 5.1 Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/RPMS 5.2 Packages c04cb8377d18180c6b914ed9d0d1d4e3 libsmbclient-2.2.2-7.i386.rpm aad7fa4db863931a9c57b8720e17cbb6 samba-2.2.2-7.i386.rpm be052cbf6e77f05ad1cbc7fba57be7bd samba-doc-2.2.2-7.i386.rpm 4bf70f287baf74e47ef5cff351a7a740 smbfs-2.2.2-7.i386.rpm 906d1705b64767cd774e29287b5ab437 swat-2.2.2-7.i386.rpm 5.3 Installation rpm -Fvh libsmbclient-2.2.2-7.i386.rpm rpm -Fvh samba-2.2.2-7.i386.rpm rpm -Fvh samba-doc-2.2.2-7.i386.rpm rpm -Fvh smbfs-2.2.2-7.i386.rpm rpm -Fvh swat-2.2.2-7.i386.rpm 5.4 Source Package Location ftp://ftp.sco.com/pub/updates/OpenLinux/3.1.1/Workstation/CSSA-2003-017.0/SRPMS 5.5 Source Packages 21c0df3f652692c3db10dd5783e78e93 samba-2.2.2-7.src.rpm 6. References Specific references for this advisory: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1318 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0085 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0086 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0196 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0201 SCO security resources: http://www.sco.com/support/security/index.html This security fix closes SCO incidents sr876764, sr875830, sr872195, fz527679, fz527532, fz526744, erg712283, erg712263, erg712169. 7. Disclaimer SCO is not responsible for the misuse of any of the information we provide on this website and/or through our security advisories. Our advisories are a service to our customers intended to promote secure installation and use of SCO products. 8. Acknowledgements Steve Langasek (Debian), Sebastian Krahmer (SuSE), and Digital Defense Inc. discovered and researched these vulnerabilities. ______________________________________________________________________________ [ Part 2, Application/PGP-SIGNATURE 245bytes. ] [ Unable to print this part. ]