CVE-2016-2123

Priority
Description
A flaw was found in Samba versions 4.0.0 to 4.5.2. The Samba routine
ndr_pull_dnsp_name contains an integer wrap problem, leading to an
attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from
the Samba Active Directory ldb database. Any user who can write to the
dnsRecord attribute over LDAP can trigger this memory corruption. By
default, all authenticated LDAP users can write to the dnsRecord attribute
on new DNS objects. This makes the defect a remote privilege escalation.
Ubuntu-Description
Frederic Besler and others discovered that the routine
ndr_pull_dnsp_name in Samba contained an integer overflow. An
authenticated attacker could use this to gain administrative
privileges.
Notes
mdeslaur: 4.0.0+ only
Package
Source: samba (LP Ubuntu Debian)
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): not-affected
Ubuntu 14.04 ESM (Trusty Tahr): released (2:4.3.11+dfsg-0ubuntu0.14.04.4)
Ubuntu 16.04 LTS (Xenial Xerus): released (2:4.3.11+dfsg-0ubuntu0.16.04.3)
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE (precise was needed)
Ubuntu 14.04 ESM (Trusty Tahr): DNE
Ubuntu 16.04 LTS (Xenial Xerus): DNE

Updated: 2020-03-18 22:43:52 UTC (commit 2ea7df7bd1e69e1e489978d2724a936eb3faa1b8)