Due to incorrect values used as the limit for a loop and as the
‘count’ parameter to memcpy(), the server, receiving a specially
crafted message, leaves an array of structures partially
uninitialised, or accesses an arbitrary element beyond the end of an
array.
Outcomes achievable by an attacker include segmentation faults and
corresponding loss of availability. Depending on the contents of the
uninitialised memory, confidentiality may also be affected.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L (5.4)
None.
Initial report, patches, and this advisory by Joseph Sutton of
Catalyst and the Samba Team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team