Debian Samba vulnerabilities

201 known vulnerabilities affecting debian/samba.

Total CVEs: 201
CISA KEV: 2 (actively exploited)
Public exploits: 19
Exploited in wild: 2
Severity breakdown: CRITICAL 16, HIGH 59, MEDIUM 90, LOW 36

Vulnerabilities

Page 8 of 11
CVE-2013-0172 | LOW | CVSS 3.5 | 2013
CVE-2013-0172 [LOW] samba - Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) wr
debian
CVE-2012-1182 | CRITICAL | CVSS 10.0 | PoC | fixed in samba 2:3.6.4-1 (bookworm) | 2012
CVE-2012-1182 [CRITICAL] samba - The RPC code generator in Samba 3.x before 3.4.16, 3.5.x before 3.5.14, and 3.6.x before 3.6.4 does not implement validation of an array length in a manner consistent with validation of array memory allocation, which allows remote attackers to execute arbitrary code via a crafted RPC call. Scope: local bookworm: resolved (fixed in 2:3.6.4-1) bullseye: resolved (fixe
debian
CVE-2012-0870 | HIGH | CVSS 7.9 | fixed in samba 2:3.4.0~pre1-1 (bookworm) | 2012
CVE-2012-0870 [HIGH] samba - Heap-based buffer overflow in process.c in smbd in Samba 3.0, as used in the file-sharing service on the BlackBerry PlayBook tablet before 2.0.0.7971 and other products, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a Batched (aka AndX) request that triggers infinite recursion. Scope: local bookworm: resolved
debian
CVE-2012-2111 | MEDIUM | CVSS 6.5 | fixed in samba 2:3.6.5-1 (bookworm) | 2012
CVE-2012-2111 [MEDIUM] samba - The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection. Scope: l
debian
CVE-2012-6150 | LOW | CVSS 3.6 | fixed in samba 2:4.0.13+dfsg-1 (bookworm) | 2012
CVE-2012-6150 [LOW] samba - The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake.
debian
CVE-2012-0817 | LOW | CVSS 5.0 | fixed in samba 2:3.6.3-1 (bookworm) | 2012
CVE-2012-0817 [MEDIUM] samba - Memory leak in smbd in Samba 3.6.x before 3.6.3 allows remote attackers to cause a denial of service (memory and CPU consumption) by making many connection requests. Scope: local bookworm: resolved (fixed in 2:3.6.3-1) bullseye: resolved (fixed in 2:3.6.3-1) forky: resolved (fixed in 2:3.6.3-1) sid: resolved (fixed in 2:3.6.3-1) trixie: resolved (fixed in 2:3.6.3-1)
debian
CVE-2011-0719 | MEDIUM | CVSS 5.0 | fixed in samba 2:3.5.7~dfsg-1 (bookworm) | 2011
CVE-2011-0719 [MEDIUM] samba - Samba 3.x before 3.3.15, 3.4.x before 3.4.12, and 3.5.x before 3.5.7 does not perform range checks for file descriptors before use of the FD_SET macro, which allows remote attackers to cause a denial of service (stack memory corruption, and infinite loop or daemon crash) by opening a large number of files, related to (1) Winbind or (2) smbd. Scope: local bookworm: res
debian
CVE-2011-2724 | LOW | CVSS 2.1 | fixed in cifs-utils 2:5.1-1 (bookworm) | 2011
CVE-2011-2724 [LOW] cifs-utils - The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs in Samba 3.5.10 and earlier does not properly verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. NOTE: this vulnerability exists because of an incorrect fix for C
debian
CVE-2011-2522 | LOW | CVSS 6.8 | PoC | fixed in samba 2:3.5.10~dfsg-1 (bookworm) | 2011
CVE-2011-2522 [MEDIUM] samba - Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove
debian
CVE-2011-3585 | LOW | CVSS 4.7 | fixed in cifs-utils 2:4.5-1 (bookworm) | 2011
CVE-2011-3585 [MEDIUM] cifs-utils - Multiple race conditions in the (1) mount.cifs and (2) umount.cifs programs in Samba 3.6 allow local users to cause a denial of service (mounting outage) via a SIGKILL signal during a time window when the /etc/mtab~ file exists. Scope: local bookworm: resolved (fixed in 2:4.5-1) bullseye: resolved (fixed in 2:4.5-1) forky: resolved (fixed in 2:4.5-1) sid: resolve
debian
CVE-2011-1678 | LOW | CVSS 3.3 | fixed in cifs-utils 2:5.1-1 (bookworm) | 2011
CVE-2011-1678 [LOW] cifs-utils - smbfs in Samba 3.5.8 and earlier attempts to use (1) mount.cifs to append to the /etc/mtab file and (2) umount.cifs to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089. Sc
debian
CVE-2011-2694 | LOW | CVSS 2.6 | fixed in samba 2:3.5.10~dfsg-1 (bookworm) | 2011
CVE-2011-2694 [LOW] samba - Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page). Scope: local bookworm: resolved (fixed
debian
CVE-2010-0728 | HIGH | CVSS 8.5 | fixed in samba 2:3.4.7~dfsg-1 (bookworm) | 2010
CVE-2010-0728 [HIGH] samba - smbd in Samba 3.3.11, 3.4.6, and 3.5.0, when libcap support is enabled, runs with the CAP_DAC_OVERRIDE capability, which allows remote authenticated users to bypass intended file permissions via standard filesystem operations with any client. Scope: local bookworm: resolved (fixed in 2:3.4.7~dfsg-1) bullseye: resolved (fixed in 2:3.4.7~dfsg-1) forky: resolved (fixed in
debian
CVE-2010-2063 | HIGH | CVSS 7.5 | PoC | fixed in samba 2:3.4.0~pre1-1 (bookworm) | 2010
CVE-2010-2063 [HIGH] samba - Buffer overflow in the SMB1 packet chaining implementation in the chain_reply function in process.c in smbd in Samba 3.0.x before 3.3.13 allows remote attackers to cause a denial of service (memory corruption and daemon crash) or possibly execute arbitrary code via a crafted field in a packet. Scope: local bookworm: resolved (fixed in 2:3.4.0~pre1-1) bullseye: resolved
debian
CVE-2010-3069 | HIGH | CVSS 7.5 | fixed in samba 2:3.5.5~dfsg-1 (bookworm) | 2010
CVE-2010-3069 [HIGH] samba - Stack-based buffer overflow in the (1) sid_parse and (2) dom_sid_parse functions in Samba before 3.5.5 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Windows Security ID (SID) on a file share. Scope: local bookworm: resolved (fixed in 2:3.5.5~dfsg-1) bullseye: resolved (fixed in 2:3.5.5~dfsg-1) forky: resol
debian
CVE-2010-0547 | MEDIUM | CVSS 2.1 | fixed in samba 2:3.4.5~dfsg-2 (bookworm) | 2010
CVE-2010-0547 [LOW] samba - client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. Scope: local bookworm: resolved (fixed in 2:3.4.5~dfsg-2) bullseye: resolved (fixed in 2:3.4.5~dfsg-2) fork
debian
CVE-2010-0787 | MEDIUM | CVSS 4.4 | fixed in samba 2:3.4.5~dfsg-2 (bookworm) | 2010
CVE-2010-0787 [MEDIUM] samba - client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3.2.3, 3.3.2, 3.4.0, and 3.4.5 allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file. Scope: local bookworm: resolved (fixed in 2:3.4.5~dfsg-2) bullseye: resolved (fixed in 2:3.4.5~dfsg-2) forky: resolved (fixed
debian
CVE-2010-1635 | LOW | CVSS 5.0 | fixed in samba 2:3.6.1-2 (bookworm) | 2010
CVE-2010-1635 [MEDIUM] samba - The chain_reply function in process.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) via a Negotiate Protocol request with a certain 0x0003 field value followed by a Session Setup AndX request with a certain 0x8003 field value. Scope: local bookworm: resolved (fixed
debian
CVE-2010-1642 | LOW | CVSS 5.0 | fixed in samba 2:3.5.4~dfsg-2 (bookworm) | 2010
CVE-2010-1642 [MEDIUM] samba - The reply_sesssetup_and_X_spnego function in sesssetup.c in smbd in Samba before 3.4.8 and 3.5.x before 3.5.2 allows remote attackers to trigger an out-of-bounds read, and cause a denial of service (process crash), via a \xff\xff security blob length in a Session Setup AndX request. Scope: local bookworm: resolved (fixed in 2:3.5.4~dfsg-2) bullseye: resolved (fixed in
debian
CVE-2010-0926 | LOW | CVSS 3.5 | PoC | fixed in samba 2:3.4.6~dfsg-1 (bookworm) | 2010
CVE-2010-0926 [LOW] samba - The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of
debian