CVE-2007-0453: Buffer overrun in NSS host lookup Winbind library on Solaris

== Subject:     Buffer overrun in NSS host lookup Winbind
==		library on Solaris
== CVE ID#:     CVE-2007-0453
== Versions:    Samba 3.0.21 - 3.0.23d (inclusive) running on
==		Sun Solaris
== Summary:     A potential overrun in the gethostbyname()
==		and getipnodebyname() in the
==		library on Solaris can potentially allow
==		for code execution.


NOTE: This security advisory only affects Sun Solaris
systems running Samba's winbindd daemon and configured to
make use of the library for gethostbyname()
and getipnodebyname() name resolution queries.  For example,

	## /etc/nsswitch.conf
	ipnodes: files winbind
	hosts: files winbind

The buffer overrun is caused by copying a string passed
into the NSS interface into a static buffer prior to sending
the request to the winbindd daemon.

Patch Availability

A patch against Samba 3.0.23d has been attached to this
email.  This fix has be incorporated into the Samba 3.0.24
release.  Patches are also available from at the Samba Security
page (


An unpatched Solaris server may be protected by removing
the 'winbind' entry from the hosts and ipnodes services in


This vulnerability was reported (including a proposed patch)
to Samba developers by Olivier Gay <>.   Much thanks
to Olivier for his cooperation and patience in the announcement
of this defect.  The time line is as follows:

* Dec 15, 2006: Defect first reported to the
  email alias.
* Dec 21, 2006: Initial developer response by Andrew Tridgell
  confirming the issue.
* Jan 29, 2007: Announcement to vendor-sec mailing list
* Feb 5, 2007: Public issue of security advisory.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team