Bugtraq mailing list archives

Re: Samba problems


From: hlein () PROGRESSIVE-COMP COM (Hank Leininger)
Date: Mon, 11 May 1998 08:26:27 -0400


I contacted Andrew Tridgell yesterday and forwarded him a copy of
Drago's recent post re: unchecked sprintf's vs. snprintf's.  He
responded immediately.  Here is a message he sent to samba-announce
this morning about a new, patched version of Samba.

Some details from the cvs log:

"changed to use slprintf() instead of sprintf() just about
everywhere. I've implemented slprintf() as a bounds checked sprintf()
using mprotect() and a non-writeable page."


Hank Leininger <hlein () progressive-comp com>

----
http://www.progressive-comp.com/Lists/?m=89488564505526

List:     samba-announce
Subject:  new release of Samba 1.9.18p6 - fixes security hole
From:     Andrew Tridgell <tridge () samba anu edu au>
Date:     1998-05-11 11:25:10

I've just released version 1.9.18p6 of Samba.

This release is in response to a potential security hole pointed out
by Drago on BugTraq. The security hole involved a buffer overflow in
the filename handling in reply_*().

It is not at all clear that the security hole is actually
exploitable. The existing code that checks for buffer overflows in
Samba does catch the proposed exploit as posted to BugTraq but we
considered it a grave enough risk that an immediate patch release is
warranted. Note that if the hole is exploitable then it will only be
possible to exploit it if the attacker already has write access to the
exported filesystem.

It is highly recommended that everyone upgrade to version 1.9.18p6 of
Samba to avoid any possible exposure to this security hole.

The new release is available from ftp://samba.anu.edu.au/pub/samba/

Cheers, Andrew
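
The technique named in the cvs log quoted above (a bounds-checked sprintf() backed by mprotect() and a non-writable page), as an added C example that is not Samba's slprintf() and not part of either message. It assumes a POSIX system with mmap(); slprintf_demo and scratch_init are hypothetical names, and the guard page is assumed to act as a fault-on-overrun backstop behind the length check.

```c
/* Added example, not Samba's source. slprintf_demo and scratch_init are
 * hypothetical names chosen for this illustration. */
#define _DEFAULT_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static char *scratch;        /* one writable page ...            */
static size_t scratch_len;   /* ... followed by a PROT_NONE page */

/* Map two pages and make the second one inaccessible, so any write that runs
 * off the end of the scratch page faults instead of corrupting memory. */
static int scratch_init(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED || mprotect(base + page, page, PROT_NONE) != 0)
        return -1;
    scratch = base;
    scratch_len = page;
    return 0;
}

/* Format into dst (dst_size bytes including the NUL). Returns the bytes stored,
 * or -1 on error; *truncated is set to 1 when the output did not fit. */
int slprintf_demo(char *dst, size_t dst_size, int *truncated, const char *fmt, ...)
{
    va_list ap;
    if (dst_size == 0 || (scratch == NULL && scratch_init() != 0))
        return -1;
    va_start(ap, fmt);
    int need = vsnprintf(scratch, scratch_len, fmt, ap);  /* bounded format */
    va_end(ap);
    if (need < 0)
        return -1;
    size_t n = (size_t)need < dst_size ? (size_t)need : dst_size - 1;
    if (n >= scratch_len)
        n = scratch_len - 1;             /* scratch itself was truncated */
    *truncated = (size_t)need > n;
    memcpy(dst, scratch, n);             /* never copies more than dst holds */
    dst[n] = '\0';
    return (int)n;
}
```

A caller handling filenames should treat a set truncated flag as an error and reject the request, since a silently shortened path can refer to a different file.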


