CVE-2010-3069:

===========================================================
== Subject:     Buffer Overrun Vulnerability
==
== CVE ID#:     CVE-2010-3069
==
== Versions:    Samba 3.0.x - 3.5.x (inclusive)
==
== Summary:     Samba 3.0.x to 3.5.x are affected by a
==              buffer overrun vulnerability.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to
a buffer overrun vulnerability. The sid_parse() function
(and the related dom_sid_parse() function in the source4 code)
does not correctly check its input lengths when reading a
binary representation of a Windows SID (Security ID). This
allows a malicious client to send a SID that can overflow
the stack variable that is being used to store the SID in the
Samba smbd server.

A connection to a file share is needed to exploit this
vulnerability, either authenticated or unauthenticated
(guest connection).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 3.5.5 has been issued as a security release to correct the
defect.  Patches against older Samba versions are available at
http://samba.org/samba/patches/.  Samba administrators running affected
versions are advised to upgrade to 3.5.5 or apply the patch as soon
as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Cisco. Thanks to Andrew for his careful code
review.