Samba team remedies three flaws
The Samba team has released security advisories for three holes found over the course of the past two months; patches have now been provided. The first flaw is found in the program logic of the smbd server service, which may get caught in an infinite loop, causing the server to freeze.
The other two flaws theoretically allow code to be remotely injected and executed, although only under very specific conditions. On specially configured Solaris systems using winbindd, name resolution queries can cause a buffer overflow. In addition, a flaw in Samba servers that share AFS file systems and are set up to use the ACL plug-in afsacl.so, can be exploited by means of special filenames. When snprintf() is called, it is used directly as a format string, a situation that attackers can almost always exploit.
All three flaws have been remedied in version 3.0.24 of Samba. In addition, the team of developers has also provided individual source code patches so that users can manually upgrade older versions affected, up to and including 3.0.23d. Some distributors are already offering upgraded packets.
- CVE-2007-0452: Potential Denial of Service bug in smbd, security advisory from the Samba team
- CVE-2007-0453: Buffer overrun in NSS host lookup Winbind library on Solaris, security advisory from the Samba team
- CVE-2007-0454: Format string bug in afsacl.so VFS plugin, security advisory from the Samba team