===========================================================
== Subject:     Denial of service - memory corruption
==
== CVE ID#:     CVE-2011-0719
==
== Versions:    Samba 3.0.x - 3.5.x (inclusive)
==
== Summary:     Samba 3.0.x to 3.5.x are affected by a
==              denial of service caused by memory corruption.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to
a denial of service caused by memory corruption. Range
checks on file descriptors being used in the FD_SET macro
were not present, allowing stack corruption. This can cause
the Samba code to crash or to loop attempting to select
on a bad file descriptor set.

A connection to a file share, or a local account is needed
to exploit this problem, either authenticated or unauthenticated
(guest connection).

Currently we do not believe this flaw is exploitable
beyond a crash or causing the code to loop, but on the
advice of our security reviewers we are releasing fixes
in case an exploit is discovered at a later date.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.7 has been issued as a security release
to correct the defect. Patches against older Samba versions are
available at http://samba.org/samba/patches/. Samba administrators
running affected versions are advised to upgrade to 3.5.7 or apply
the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba
code by Volker Lendecke of SerNet. Thanks to Volker for
his careful code review.
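
The kind of range check the Description refers to, as an added example: this is not the Samba patch and not code from the Samba tree. The helper names checked_fd_set and build_read_set are hypothetical, and the descriptor list in main() is constructed sample input.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/select.h>

/* Hypothetical helper (not a Samba function): add fd to set only if it
 * fits inside the fixed-size fd_set bitmap. FD_SET() itself does no
 * bounds checking, so fd < 0 or fd >= FD_SETSIZE would write outside
 * the fd_set, which usually lives on the caller's stack. */
static int checked_fd_set(int fd, fd_set *set, int *maxfd)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;
        return -1;
    }
    FD_SET(fd, set);
    if (maxfd != NULL && fd > *maxfd)
        *maxfd = fd;
    return 0;
}

/* Build a read set from a caller-supplied list of descriptors.
 * Returns the number of descriptors rejected as out of range;
 * *maxfd receives the highest accepted descriptor, or -1 if none. */
static int build_read_set(const int *fds, int nfds, fd_set *set, int *maxfd)
{
    int rejected = 0;

    FD_ZERO(set);
    *maxfd = -1;
    for (int i = 0; i < nfds; i++) {
        if (checked_fd_set(fds[i], set, maxfd) != 0)
            rejected++;
    }
    return rejected;
}

int main(void)
{
    /* Constructed sample: two valid descriptors and two invalid ones. */
    int fds[] = { 0, 5, FD_SETSIZE, -1 };
    fd_set rset;
    int maxfd;
    int rejected = build_read_set(fds, 4, &rset, &maxfd);

    printf("rejected=%d maxfd=%d (FD_SETSIZE=%d)\n",
           rejected, maxfd, FD_SETSIZE);
    return rejected == 2 ? 0 : 1;
}
```

A caller would treat a non-zero rejected count as an error for the affected descriptors rather than passing the set on to select().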