=========================================================== == Subject: Buffer Overrun Vulnerability == == CVE ID#: CVE-2010-3069 == == Versions: Samba 3.0.x - 3.5.x (inclusive) == == Summary: Samba 3.0.x to 3.5.x are affected by a == buffer overrun vulnerability. == =========================================================== =========== Description =========== All current released versions of Samba are vulnerable to a buffer overrun vulnerability. The sid_parse() function (and related dom_sid_parse() function in the source4 code) do not correctly check their input lengths when reading a binary representation of a Windows SID (Security ID). This allows a malicious client to send a sid that can overflow the stack variable that is being used to store the SID in the Samba smbd server. A connection to a file share is needed to exploit this vulnerability, either authenticated or unauthenticated (guest connection). ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 3.5.5 has been issued as security release to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba administrators running affected versions are advised to upgrade to 3.5.5 or apply the patch as soon as possible. ========== Workaround ========== None. ======= Credits ======= This problem was found by an internal audit of the Samba code by Andrew Bartlett of Cisco. Thanks to Andrew for his careful code review.