I contacted Andrew Tridgell yesterday and forwarded him a copy of Drago's recent post re: unchecked sprintf's vs. snprintf's. He responded immediately. Here is a message he sent to samba-announce this morning about a new, patched version of Samba. Some details from the cvs log: "changed to use slprintf() instead of sprintf() just about everywhere. I've implemented slprintf() as a bounds checked sprintf() using mprotect() and a non-writeable page."

Hank Leininger <hlein@progressive-comp.com>

----
http://www.progressive-comp.com/Lists/?m=89488564505526

List: samba-announce
Subject: new release of Samba 1.9.18p6 - fixes security hole
From: Andrew Tridgell <tridgeat_private>
Date: 1998-05-11 11:25:10

I've just released version 1.9.18p6 of Samba. This release is in response to a potential security hole pointed out by Drago on BugTraq.

The security hole involved a buffer overflow in the filename handling in reply_*(). It is not at all clear that the security hole is actually exploitable. The existing code that checks for buffer overflows in Samba does catch the proposed exploit as posted to BugTraq, but we considered it a grave enough risk that an immediate patch release is warranted.

Note that if the hole is exploitable then it will only be possible to exploit it if the attacker already has write access to the exported filesystem.

It is highly recommended that everyone upgrade to version 1.9.18p6 of Samba to avoid any possible exposure to this security hole.

The new release is available from ftp://samba.anu.edu.au/pub/samba/

Cheers, Andrew
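The slprintf() approach the cvs log describes, as an added C example that is not Samba's own code: format into a page backed by a PROT_NONE guard page, so that output running past the page faults instead of corrupting memory, then copy into the caller's buffer with truncation. The function name, the -1-on-truncation return value and the mmap()/mprotect() layout are assumptions for this illustration.

```c
#define _GNU_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Scratch area: one writable page followed by a PROT_NONE guard page (assumed layout) */
static char *scratch;

static int scratch_init(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    char *p;
    if (scratch != NULL)
        return 0;
    p = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    /* Second page stays unwritable: output running past the first page faults
     * (SIGSEGV) instead of silently overwriting neighbouring memory. */
    if (mprotect(p + page, page, PROT_NONE) != 0)
        return -1;
    scratch = p;
    return 0;
}

/* Bounds-checked sprintf: format into the guarded page, then copy at most
 * maxlen-1 bytes plus a NUL into str. Returns the length written, or -1 if
 * the output was truncated (or maxlen is 0 / the scratch page is unavailable). */
int slprintf(char *str, size_t maxlen, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (maxlen == 0 || scratch_init() != 0)
        return -1;
    va_start(ap, fmt);
    n = vsprintf(scratch, fmt, ap); /* unbounded on purpose: the guard page is the bound */
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= maxlen) {           /* e.g. a filename longer than the destination */
        memcpy(str, scratch, maxlen - 1);
        str[maxlen - 1] = '\0';
        return -1;
    }
    memcpy(str, scratch, (size_t)n + 1);
    return n;
}
```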
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:53:08 PDT