=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN155
_____________________________________________________________________

DATE                      : 08/03/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Samba.

======================================================================

______________________________________________________________________________

			SCO Security Advisory

Subject:		UnixWare 7.1.4 : Samba multiple security issues
Advisory number: 	SCOSA-2005.17
Issue date: 		2005 February 11
Cross reference:	sr892475 fz530644 erg712754 sr892165 fz530486 erg712735 CAN-2004-0930 CAN-2004-0882 CAN-2004-1154
______________________________________________________________________________


1. Problem Description

	Samba provides file and print services to windows clients.
	Several security issues are fixed by this patch.

	The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly
	other versions allows remote authenticated users to cause
	a denial of service (CPU consumption) via a SAMBA request
	that contains multiple SCOSA-2005.17.in SCOSA-2005.17.txt
	samba.pkg (wildcard) characters.

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2004-0930 to this issue.

	Buffer overflow in the QFILEPATHINFO request handler in Samba
	3.0.x through 3.0.7 may allow remote attackers to execute
	arbitrary code via a TRANSACT2_QFILEPATHINFO request with
	a small "maximum data bytes" value.

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2004-0882 to this issue.

	Integer overflow in the Samba daemon (smbd) in Samba 2.x and
	3.0.x through 3.0.9 allows remote authenticated users to cause
	a denial of service (application crash) and possibly execute
	arbitrary code via a Samba request with a large number of
	security descriptors that triggers a heap-based buffer overflow.

	The Common Vulnerabilities and Exposures project (cve.mitre.org)
	has assigned the name CAN-2004-1154 to this issue.


2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
	UnixWare 7.1.4 			distribution	

3. Solution

	The proper solution is to install the latest packages.

4. UnixWare 7.1.4

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.17

	The fixes are also available in SCO UnixWare 7.1.4 Mantenance Pack 2

         http://www.sco.com/support/update/download/release.php?rid=58

	4.2 Verification

	MD5 (samba.pkg) = 95a6af2eb579624623ff0ceddc9e8c09

	or
	
	MD5 (uw714mp2.iso) = 335919be68f54253852cb8abca11814a

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	Download samba.pkg to the /var/spool/pkg directory

	# pkgadd -d /var/spool/pkg/samba.pkg

	or

         See ftp://ftp.sco.com/pub/unixware7/714/mp/mp2/uw714mp2.txt


5. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0930
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0882
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1154

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr892475 fz530644
	erg712754 sr892165 fz530486 erg712735.


6. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


7. Acknowledgments

	SCO would like to thank Karol Wiesek, Stefan Esser, and Greg MacManus.

______________________________________________________________________________

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================