CVE-2011-0719:

===========================================================
== Subject:     Denial of service - memory corruption
==
== CVE ID#:     CVE-2011-0719
==
== Versions:    Samba 3.0.x - 3.5.x (inclusive)
==
== Summary:     Samba 3.0.x to 3.5.x are affected by a
==              denial of service caused by memory corruption.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors passed to the FD_SET macro
were missing, allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.
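
The missing range check described above, shown as an added example
(this is not code from the Samba patch; safe_fd_set(),
fd_in_select_range() and demo_accepted_count() are hypothetical names,
and the descriptor numbers are constructed samples):

```c
/* Added illustration, not Samba source. All helper names here are
 * hypothetical. */
#include <stdio.h>
#include <sys/select.h>

/* An fd_set is a fixed-size bitmap of FD_SETSIZE bits. FD_SET(fd, set)
 * writes bit number fd without checking it, so a descriptor outside
 * 0..FD_SETSIZE-1 is written outside the bitmap (on the stack when the
 * fd_set is a local variable). */
static int fd_in_select_range(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* Returns 0 and sets the bit when fd is in range; returns -1 and leaves
 * the set untouched otherwise, so the caller can reject the descriptor
 * instead of calling select() on a corrupted set. */
static int safe_fd_set(int fd, fd_set *set)
{
    if (set == NULL || !fd_in_select_range(fd)) {
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Constructed sample: three in-range and three out-of-range descriptor
 * numbers. Returns how many were accepted into the set. */
static int demo_accepted_count(void)
{
    const int samples[] = { 0, 5, FD_SETSIZE - 1,
                            FD_SETSIZE, FD_SETSIZE + 100, -1 };
    fd_set set;
    int accepted = 0;
    size_t i;

    FD_ZERO(&set);
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (safe_fd_set(samples[i], &set) == 0) {
            accepted++;
        }
    }
    return accepted;
}

int main(void)
{
    printf("accepted %d of 6 descriptors\n", demo_accepted_count());
    return 0;
}
```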

A connection to a file share, or a local account, is needed
to exploit this problem; the connection may be authenticated
or unauthenticated (guest connection).

Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.7 has been issued as a security release to correct the
defect.  Patches against older Samba versions are available at
http://samba.org/samba/patches/.  Samba administrators running affected
versions are advised to upgrade to 3.5.7 or apply the patch as soon
as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Volker Lendecke of SerNet. Thanks to Volker for his careful code
review.