CVE-2015-3223

Published: 16 December 2015

The ldb_wildcard_compare function in ldb_match.c in ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles certain zero values, which allows remote attackers to cause a denial of service (infinite loop) via crafted packets.

Priority

CVSS 3 base score: 5.3

Status

Package	Release	Status
ldb Launchpad, Ubuntu, Debian	precise	Does not exist (precise was released [1:1.1.4-1ubuntu0.1])
	trusty	Released (1:1.1.16-1ubuntu0.1)
	upstream	Needs triage
	vivid	Released (1:1.1.18-1ubuntu0.1)
	wily	Released (2:1.1.20-2ubuntu0.1)
	xenial	Released (2:1.1.24-1ubuntu1)
	yakkety	Released (2:1.1.24-1ubuntu1)
	zesty	Released (2:1.1.24-1ubuntu1)
samba Launchpad, Ubuntu, Debian	precise	Not vulnerable (2:3.6.3-2ubuntu2.12)
	trusty	Released (2:4.1.6+dfsg-1ubuntu2.14.04.11)
	upstream	Released (4.3.3,4.2.7,4.1.22)
	vivid	Released (2:4.1.13+dfsg-4ubuntu3.1)
	wily	Released (2:4.1.17+dfsg-4ubuntu3.1)
	xenial	Released (2:4.3.3+dfsg-1ubuntu1)
	yakkety	Released (2:4.3.3+dfsg-1ubuntu1)
	zesty	Released (2:4.3.3+dfsg-1ubuntu1)
	Patches: upstream: https://git.samba.org/?p=samba.git;a=commit;h=fb456954f332c07a645226d59b3b00ec252f8b26 (4.1) upstream: https://git.samba.org/?p=samba.git;a=commit;h=bb1b783ee9d7259cfc6a1fe882f22189747f8684 (4.1)
samba4 Launchpad, Ubuntu, Debian	precise	Does not exist (precise was needed)
	trusty	Does not exist
	upstream	Released (4.3.3,4.2.7,4.1.22)
	vivid	Does not exist
	wily	Does not exist
	xenial	Does not exist
	yakkety	Does not exist
	zesty	Does not exist

Notes

Author	Note
mdeslaur	says 4.0.0 to 4.3.2, need to check precise may require ldb update

CVE-2015-3223

Medium

Status

Notes

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading