SAMBA:CVE-2015-5330

Remote memory read in Samba LDAP server.

Published: Dec 16, 2015
Source: Samba Security (www.samba.org)

CVSS3: 7.5 High

    Attack Vector: NETWORK
    Attack Complexity: LOW
    Privileges Required: NONE
    User Interaction: NONE
    Scope: UNCHANGED
    Confidentiality Impact: HIGH
    Integrity Impact: NONE
    Availability Impact: NONE
    Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium

    Access Vector: NETWORK
    Access Complexity: LOW
    Authentication: NONE
    Confidentiality Impact: PARTIAL
    Integrity Impact: NONE
    Availability Impact: NONE
    Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.014 Low (Percentile: 86.5%)

Description

All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
ldb versions up to 1.1.23 inclusive) are vulnerable to
a remote memory read attack in the samba daemon LDAP server.

A malicious client can send packets that cause the LDAP server in the
samba daemon process to return heap memory beyond the length of the
requested value.

This memory may contain data that the client should not be allowed to
see, allowing compromise of the server.

The memory may either be returned to the client in an error string, or
stored in the database by a suitably privileged user. If untrusted
users can create objects in your database, please confirm that all DN
and name attributes are reasonable. (A script to assist in this
search will be put in the wiki or bugzilla).
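
One way to review DN and name attributes as suggested above, as an added example that is not the Samba project's script and not part of the original advisory. It assumes the directory has been exported to LDIF text (for example with ldbsearch), that the attribute list in NAME_ATTRS is the set worth checking, and that "reasonable" means valid UTF-8 with no NUL or control characters; the sample data is constructed.

```python
import base64
import re
import unicodedata

# Assumption: these are the "DN and name attributes" worth checking.
NAME_ATTRS = {"dn", "name", "cn", "ou", "samaccountname", "displayname"}

def unreasonable(value):
    """Return why a raw attribute value looks wrong, or None if it looks fine."""
    if b"\x00" in value:
        return "embedded NUL byte"
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return "not valid UTF-8"
    if any(unicodedata.category(ch) == "Cc" for ch in text):
        return "control character"
    return None

def scan_ldif(ldif_text):
    """Return (record_dn, attribute, reason) for every flagged DN/name value."""
    findings, record_dn = [], None
    # Unfold first: an LDIF line starting with one space continues the previous line.
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        if not line.strip():
            record_dn = None  # a blank line ends the current record
            continue
        attr, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if rest.startswith(":"):  # "attr:: value" carries base64 data
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode("utf-8")
        if attr.lower() == "dn":
            record_dn = value.decode("utf-8", "replace")
        reason = unreasonable(value) if attr.lower() in NAME_ATTRS else None
        if reason:
            findings.append((record_dn, attr, reason))
    return findings

# Constructed sample export: one normal entry, one with junk bytes in dn, name and cn.
def _b64(raw):
    return base64.b64encode(raw).decode("ascii")
SAMPLE_LDIF = (
    "dn: CN=Alice,CN=Users,DC=example,DC=com\ncn: Alice\nname: Alice\n\n"
    "dn:: " + _b64(b"CN=bob\x00\x10\xfe,CN=Users,DC=example,DC=com") + "\n"
    "name:: " + _b64(b"bob\xfe\xff") + "\ncn:: " + _b64(b"bob\x07") + "\n"
)
```

Calling scan_ldif(SAMPLE_LDIF) flags only the second entry; each finding is a candidate for manual review, not proof that leaked memory was stored.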

Patch Availability

Patches addressing this defect have been posted to

https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 (resp. ldb 1.1.24)
have been issued as security releases to correct the defect.
Samba vendors and administrators running affected versions are
advised to upgrade or apply the patch as soon as possible.

Workaround

None.

Credits

This problem was found by Douglas Bagnall
<[email protected]> of Catalyst (www.catalyst.net.nz),
who also provided the fix.
