Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-31 Thread Roberto C . Sánchez
On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote:
> Please wait a bit before uploading.
> 
> There is a regression in jessie when "follow symlinks = no" #858564,
> and a segfault with vfs_shadow2 (#858590).
> 

Hi Mathieu,

I was able to backport the fix for #858564 from the Bugzilla patch and
then I was able to verify against what the Ubuntu maintainers had
backported.

When I looked at the change you made for #858590 I found that it does
not apply at all.  Specifically, the function being patched to resolve
the segfault, shadow_copy2_connectpath, does not exist in the Wheezy
version of Samba.  It appears that in May 2012 the shadow_copy2 from
master was backported (the change is in shadow_copy2_backport.patch in
the Wheezy package).  That change replaced shadow_copy2_connectpath with
shadow_copy2_realpath.  The two functions are substantially different
and it does not appear to me that the problem is even present in Wheezy.

That said, I intend to leave the patch from #858590 out of the Wheezy
LTS update that I am preparing.

I wanted to mention it to you directly and via the mailing list to give
you and others the opportunity to speak up in case there was something I
overlooked.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-30 Thread Roberto C . Sánchez
On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
> Hi,
> 
> Today samba has released a security fix for a symlink race (leading to
> information disclosure).
> 
> Salvatore will take care of the jessie upload, I have uploaded for
> sid, but we have not done anything on the wheezy side.
> 
> See attached the backported patches for 3.6 (those are from the samba
> bugzilla which is still embargoed).
> 
> Please take care of it.
> 

Hello all,

I have been able to figure out the minimum changes to cherry pick from
the v3-6-stable branch in upstream Git.  The commits are:

8234c6a
629e302
0a3b024
bc3714f
d302cb6
94f7d0c
33ead72
66ee839
77cacee

I was able to concatenate them into a single patch, which applied with
only two offsets.  After that the patch from upstream (3-6-racefix)
applied with a bunch of small offsets.

I have attached the consolidated and quilt-refreshed versions of both
patches to this email.  The patch containing the cherry picked commits
which I have determined to be pre-requisites for upstream's patch is
called 3-6-racefix-prereq.patch.  The other patch file is the
quilt-refreshed version of upstream's patch.

Both of the attached patches apply cleanly to the 3.6.6-6+deb7u11
version of samba currently in wheezy.

I have also built a 3.6.6-6+deb7u12 package with the two patches.  The
packages can be found here:

https://people.debian.org/~roberto/

I still need to clean up the changelog entry.  The packages could use
some testing as well.  I will try to do some testing, but given the scope
of the changes (~850 lines of diff in total) more testing would
certainly be a good thing.

Also, I would appreciate any suggestions/feedback on minimizing the
prereq patch.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
--- samba-3.6.6.orig/source3/smbd/dir.c
+++ samba-3.6.6/source3/smbd/dir.c
@@ -50,6 +50,8 @@
 	struct name_cache_entry *name_cache;
 	unsigned int name_cache_index;
 	unsigned int file_number;
+	files_struct *fsp; /* Back pointer to containing fsp, only
+			  set from OpenDir_fsp(). */
 };
 
 struct dptr_struct {
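Review bot: the new fsp member added to the struct here is documented as set only from OpenDir_fsp(), so every other way of creating the directory handle leaves it at whatever the allocator produced. Say in the comment that it is NULL otherwise, and make sure the struct is zeroed on allocation, so that code reading fsp can test it safely.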
@@ -1428,7 +1430,9 @@
 
 	if (fsp->is_directory && fsp->fh->fd != -1) {
 		dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-		if (dirp->dir == NULL) {
+		if (dirp->dir != NULL) {
+			dirp->fsp = fsp;
+		} else {
 			DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
 "NULL (%s)\n",
 dirp->dir_path,
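Review bot: "dirp->fsp = fsp;" in the success branch stores a borrowed pointer, and nothing in this hunk ties the lifetime of the fsp to the directory handle. If the fsp can be closed while the handle is still in use, later reads of dirp->fsp dangle; state the ownership rule next to the assignment, or clear the back pointer where the fsp is torn down.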
--- samba-3.6.6.orig/source3/modules/vfs_dirsort.c
+++ samba-3.6.6/source3/modules/vfs_dirsort.c
@@ -30,40 +30,60 @@
 struct dirsort_privates {
 	long pos;
 	SMB_STRUCT_DIRENT *directory_list;
-	long number_of_entries;
-	time_t mtime;
+	unsigned int number_of_entries;
+	struct timespec mtime;
 	SMB_STRUCT_DIR *source_directory;
-	int fd;
+	files_struct *fsp; /* If open via FDOPENDIR. */
+	struct smb_filename *smb_fname; /* If open via OPENDIR */
 };
 
 static void free_dirsort_privates(void **datap) {
-	struct dirsort_privates *data = (struct dirsort_privates *) *datap;
-	SAFE_FREE(data->directory_list);
-	SAFE_FREE(data);
-	*datap = NULL;
-
-	return;
+	TALLOC_FREE(*datap);
 }
 
-static bool open_and_sort_dir (vfs_handle_struct *handle)
+static bool get_sorted_dir_mtime(vfs_handle_struct *handle,
+struct dirsort_privates *data,
+struct timespec *ret_mtime)
 {
-	SMB_STRUCT_DIRENT *dp;
-	struct stat dir_stat;
-	long current_pos;
-	struct dirsort_privates *data = NULL;
+	int ret;
+	struct timespec mtime;
 
-	SMB_VFS_HANDLE_GET_DATA(handle, data, struct dirsort_privates,
-return false);
+	if (data->fsp) {
+		ret = fsp_stat(data->fsp);
+		mtime = data->fsp->fsp_name->st.st_ex_mtime;
+	} else {
+		ret = SMB_VFS_STAT(handle->conn, data->smb_fname);
+		mtime = data->smb_fname->st.st_ex_mtime;
+	}
+
+	if (ret == -1) {
+		return false;
+	}
+
+	*ret_mtime = mtime;
+
+	return true;
+}
+
+static bool open_and_sort_dir(vfs_handle_struct *handle,
+struct dirsort_privates *data)
+{
+	unsigned int i = 0;
+	unsigned int total_count = 0;
 
 	data->number_of_entries = 0;
 
-	if (fstat(data->fd, _stat) == 0) {
-		data->mtime = dir_stat.st_mtime;
+	if (get_sorted_dir_mtime(handle, data, >mtime) == false) {
+		return false;
 	}
 
 	while (SMB_VFS_NEXT_READDIR(handle, data->source_directory, NULL)
 	   != NULL) {
-		data->number_of_entries++;
+		total_count++;
+	}
+
+	if (total_count == 0) {
+		return false;
 	}
 
 	/* Open the underlying directory and count the number of entries
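Review bot: in get_sorted_dir_mtime() the else branch stats data->smb_fname by name through SMB_VFS_STAT, while the entries are read from the already open data->source_directory, so the mtime can belong to a different object if the name is swapped after the open. In a series that exists to close a symlink race this deserves a comment saying what the mtime is used for and why a name-based stat is acceptable there. Both branches also read st_ex_mtime before ret is checked; move the "ret == -1" test above the reads.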
@@ -71,21 +91,26 @@
 	SMB_VFS_NEXT_REWINDDIR(handle, data->source_directory);
 
 	/* Set up an array and read the directory entries into it */
-	SAFE_FREE(data->directory_list); /* destroy previous cache if needed */
-	data->directory_list = (SMB_STRUCT_DIRENT *)SMB_MALLOC(
-		data->number_of_entries * sizeof(SMB_STRUCT_DIRENT));
+	TALLOC_FREE(data->directory_list); /* destroy previous cache if needed */
+	data->directory_list = talloc_zero_array(data,
+		 SMB_STRUCT_DIRENT,
+		 total_count);
 	if 
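Review bot: talloc_zero_array(data, SMB_STRUCT_DIRENT, total_count) sizes the list from a count taken before SMB_VFS_NEXT_REWINDDIR, and the directory can gain entries before it is read a second time. The fill loop is cut off in this copy of the patch; it needs to stop at total_count and record the number of entries actually copied in number_of_entries, and the allocation needs a NULL check.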

Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-29 Thread Roberto C . Sánchez
On Tue, Mar 28, 2017 at 10:18:07PM +0200, Mathieu Parent wrote:
> 2017-03-28 21:07 GMT+02:00 Ola Lundqvist :
> > Hi Mathieu and Roberto
> 
> Hi,
> 
> > Mathieu, do you mean that the patches should apply cleanly and if they do
> > not, then we have missed some other important patch, or do you just mean
> > that they should generally apply cleanly?
> 
> I don't know for sure, but I think that if a hunk doesn't apply it is
> an indication of
> a change that may be a requirement.
> 
> Roberto's question about the patch not applying can be explained by:
> https://git.samba.org/?p=samba.git;a=commitdiff;h=8234c6a3c7
> 
> This doesn't look to be a requirement (not related to path traversal).
> 
I agree that it does not appear related.

> > I'm asking as it is rather expected that patches do not apply cleanly when
> > we are dealing with these old versions in wheezy. I do not want to give a
> > precise estimate but something between 20 and 60% of the patches that I have
> > applied to the packages I have done updates to in wheezy have not applied
> > cleanly. Usually it is just minor things, but in some cases quite a lot of
> > work has to be put in understanding the problem and finding out a new fix.
> >
> > We should not be afraid to do that kind of work.
> >
> > We do have the possibility to update to the latest software also in wheezy
> > but that should really be done as a last resort, or only for packages that
> > have a very good reputation on backwards compatibility. At least that is how
> > I have understood the current practices. I mean we do not want to introduce
> > unnecessary regressions.
> 
> The 3.6 branch was in maintenance mode since 2012-12-11, i.e after 3.6.10.
> So it is probably better to only cherry-pick the fixes and continue
> like Roberto did.
> 
OK.  I will continue working on integrating the patch from upstream.

> I can help the testing.
> 
I will announce when I have packages available for testing.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com



Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-28 Thread Mathieu Parent
2017-03-28 21:07 GMT+02:00 Ola Lundqvist :
> Hi Mathieu and Roberto

Hi,

> Mathieu, do you mean that the patches should apply cleanly and if they do
> not, then we have missed some other important patch, or do you just mean
> that they should generally apply cleanly?

I don't know for sure, but I think that if a hunk doesn't apply it is
an indication of
a change that may be a requirement.

Roberto's question about the patch not applying can be explained by:
https://git.samba.org/?p=samba.git;a=commitdiff;h=8234c6a3c7

This doesn't look to be a requirement (not related to path traversal).

> I'm asking as it is rather expected that patches do not apply cleanly when
> we are dealing with these old versions in wheezy. I do not want to give a
> precise estimate but something between 20 and 60% of the patches that I have
> applied to the packages I have done updates to in wheezy have not applied
> cleanly. Usually it is just minor things, but in some cases quite a lot of
> work has to be put in understanding the problem and finding out a new fix.
>
> We should not be afraid to do that kind of work.
>
> We do have the possibility to update to the latest software also in wheezy
> but that should really be done as a last resort, or only for packages that
> have a very good reputation on backwards compatibility. At least that is how
> I have understood the current practices. I mean we do not want to introduce
> unnecessary regressions.

The 3.6 branch was in maintenance mode since 2012-12-11, i.e after 3.6.10.
So it is probably better to only cherry-pick the fixes and continue
like Roberto did.

I can help the testing.

> Best regards

Regards

-- 
Mathieu



Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-28 Thread Ola Lundqvist
Hi Mathieu and Roberto

Mathieu, do you mean that the patches should apply cleanly and if they do
not, then we have missed some other important patch, or do you just mean
that they should generally apply cleanly?

I'm asking as it is rather expected that patches do not apply cleanly when
we are dealing with these old versions in wheezy. I do not want to give a
precise estimate but something between 20 and 60% of the patches that I
have applied to the packages I have done updates to in wheezy have not
applied cleanly. Usually it is just minor things, but in some cases quite a
lot of work has to be put in understanding the problem and finding out a
new fix.

We should not be afraid to do that kind of work.

We do have the possibility to update to the latest software also in wheezy
but that should really be done as a last resort, or only for packages that
have a very good reputation on backwards compatibility. At least that is
how I have understood the current practices. I mean we do not want to
introduce unnecessary regressions.

Best regards

// Ola

On 28 March 2017 at 12:55, Roberto C. Sánchez  wrote:

> On Tue, Mar 28, 2017 at 11:34:44AM +0200, Mathieu Parent wrote:
> > Hi,
> >
> > 2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez :
> > > On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
> > >>
> > >> See attached the backported patches for 3.6 (those are from the samba
> > >> bugzilla which is still embargoed).
> > >>
> > >> Please take care of it.
> > >>
> > >
> > > Hi Mathieu,
> > >
> > > I wanted to let you know that I had to make a minor tweak to patch 08/15
> > > in order to get the build to succeed on wheezy.  I wanted to let everyone
> > > know in the event that I have missed something important and for general
> > > awareness.
> >
> > Again, don't upload yet. We have 2 regressions (maybe 3) in jessie.
> >
> Yes, of course.  I am still waiting for the resolution of at least
> #858564 and #858590.
>
> > > I had to change this hunk:
> > [...]
> >
> > Me too, I'm not a samba developer. If a patch doesn't apply, it's
> > because of one in debian/patches, or
> > maybe a requirement from 3.6.
> >
> > debian wheezy is based on 3.6.6, while latest 3.6 is 3.6.25. Maybe the
> > first thing to do is to update to 3.6.25.
> >
> OK.  I did wonder at first why jessie was updated to the latest 4.2 but
> wheezy was not updated to the latest 3.6.
>
> > >
> > > The resolution for this one is not obvious to me.  I intend to dig into
> > > it, but if anyone has a suggestion, I welcome it.
> >
> > Don't change the patches. They should apply cleanly.
> >
> OK.  That is good to know.
>
> > Hope this helps.
> >
> It does help.  I certainly don't want to cause a problem with a package
> so widely used as Samba.
>
> Regards,
>
> -Roberto
>
> --
> Roberto C. Sánchez
> http://people.connexer.com/~roberto
> http://www.connexer.com
>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-28 Thread Mathieu Parent
Hi,

2017-03-26 14:39 GMT+02:00 Roberto C. Sánchez :
> On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
>>
>> See attached the backported patches for 3.6 (those are from the samba
>> bugzilla which is still embargoed).
>>
>> Please take care of it.
>>
>
> Hi Mathieu,
>
> I wanted to let you know that I had to make a minor tweak to patch 08/15
> in order to get the build to succeed on wheezy.  I wanted to let everyone
> know in the event that I have missed something important and for general
> awareness.

Again, don't upload yet. We have 2 regressions (maybe 3) in jessie.

> I had to change this hunk:
[...]

Me too, I'm not a samba developer. If a patch doesn't apply, it's
because of one in debian/patches, or
maybe a requirement from 3.6.

debian wheezy is based on 3.6.6, while latest 3.6 is 3.6.25. Maybe the
first thing to do is to update to 3.6.25.

>
> The resolution for this one is not obvious to me.  I intend to dig into
> it, but if anyone has a suggestion, I welcome it.

Don't change the patches. They should apply cleanly.

Hope this helps.


-- 
Mathieu



Re: Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-26 Thread Roberto C . Sánchez
On Thu, Mar 23, 2017 at 11:30:09AM +0100, Mathieu Parent wrote:
> 
> See attached the backported patches for 3.6 (those are from the samba
> bugzilla which is still embargoed).
> 
> Please take care of it.
> 

Hi Mathieu,

I wanted to let you know that I had to make a minor tweak to patch 08/15
in order to get the build to succeed on wheezy.  I wanted to let everyone
know in the event that I have missed something important and for general
awareness.

I had to change this hunk:

-   if (fsp->is_directory && fsp->fh->fd != -1) {
-   dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-   if (dirp->dir != NULL) {
-   dirp->fsp = fsp;
-   } else {
-   DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s 
returned "
-   "NULL (%s)\n",
-   dirp->dir_path,
-   strerror(errno)));
-   if (errno != ENOSYS) {
-   return NULL;
-   }
+   dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+   if (dirp->dir != NULL) {
+   dirp->fsp = fsp;
+   } else {
+   DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
+   "NULL (%s)\n",
+   dirp->dir_path,
+   strerror(errno)));
+   if (errno != ENOSYS) {
+   return NULL;
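Review bot: the added lines call SMB_VFS_FDOPENDIR without the "fsp->is_directory && fsp->fh->fd != -1" test that the removed lines had around the call. Unless another part of patch 08/15 rejects a non-directory or an fd of -1 before this point, keep the guard, since the result is now also recorded in dirp->fsp.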

At first the hunk failed to apply cleanly (because dirp->dir != NULL
was present as dirp->dir == NULL) and the code from the else was in the
if.  I made the change manually and refreshed the patch but then the
build failed.  Apparently, the smb_Dir struct does not have a member
called fsp (a back pointer to the file_structure, based on looking in
the Samba 4 source code), so it would not compile.  I ended up changing
it to this:

-   if (fsp->is_directory && fsp->fh->fd != -1) {
-   dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
-   if (dirp->dir == NULL) {
-   DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s 
returned "
-   "NULL (%s)\n",
-   dirp->dir_path,
-   strerror(errno)));
-   if (errno != ENOSYS) {
-   return NULL;
-   }
+   dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+   if (dirp->dir == NULL) {
+   DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
+   "NULL (%s)\n",
+   dirp->dir_path, 
+   strerror(errno)));
+   if (errno != ENOSYS) {
+   return NULL;
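Review bot: this version drops the "dirp->fsp = fsp;" assignment from the success path so that it compiles against a struct without the member, which leaves anything later in the series that reads dirp->fsp without its input. Backporting the struct member and keeping the assignment is safer than editing the hunk. The guard on fsp->is_directory and the fd is also gone on the added side here, as in the unmodified hunk.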

Also, patch 02/15 introduces a change which fails the build for a
different reason:

+   if (ISDOT(data->smb_fname->base_name)) {
+   data->smb_fname->base_name = vfs_GetWd(data, handle->conn);
+   }
+
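Review bot: the result of vfs_GetWd(data, handle->conn) is assigned to data->smb_fname->base_name with no NULL check and without releasing the previous name. Check the return value and fail the open when it is NULL, and release the old base_name if it is separately allocated. The build error below also shows that this hunk depends on the smb_fname member being added to struct dirsort_privates first.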

Compiling modules/vfs_dirsort.c
modules/vfs_dirsort.c: In function 'dirsort_fdopendir':
modules/vfs_dirsort.c:145:6: error: 'struct dirsort_privates' has no member 
named 'smb_fname'
modules/vfs_dirsort.c:145:6: error: 'struct dirsort_privates' has no member 
named 'smb_fname'
modules/vfs_dirsort.c:146:7: error: 'struct dirsort_privates' has no member 
named 'smb_fname'
The following command failed:
gcc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat 
-Werror=format-security -Wall -I. 
-I/network/scratch/roberto/freexian/samba-3.6.6/source3 
-I/network/scratch/roberto/freexian/samba-3.6.6/source3/../lib/iniparser/src 
-Iinclude -I./include  -I. -I. -I./../lib/replace -I./../lib/tevent -I./librpc 
-I./.. -I/usr/include -DHAVE_CONFIG_H  -D_LARGEFILE64_SOURCE 
-D_FILE_OFFSET_BITS=64 -D_GNU_SOURCE -D_FORTIFY_SOURCE=2 -Iinclude -I./include 
-I. -I. -I./../lib/replace -I./../lib/tevent -I./librpc -I./.. -I./../lib/popt 
-DLDAP_DEPRECATED  -I/network/scratch/roberto/freexian/samba-3.6.6/source3/lib 
-I.. -D_SAMBA_BUILD_=3 -D_SAMBA_BUILD_=3 -fPIC -c modules/vfs_dirsort.c -o 
modules/vfs_dirsort.o
make[2]: *** [modules/vfs_dirsort.o] Error 1

The resolution for this one is not obvious to me.  I intend to dig into
it, but if anyone has a suggestion, I welcome it.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Roberto C . Sánchez
On Fri, Mar 24, 2017 at 04:04:08PM +0100, Moritz Muehlenhoff wrote:
> On Fri, Mar 24, 2017 at 03:55:23PM +0100, Guido Günther wrote:
> > Hi Roberto,
> > On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote:
> > > On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote:
> > > > Please wait a bit before uploading.
> > > > 
> > > > There is a regression in jessie when "follow symlinks = no" #858564,
> > > > and a segfault with vfs_shadow2 (#858590).
> > > > 
> > > > 
> > > I am working on the wheezy LTS update for samba now.
> > > 
> > > There are 37 individual patches in jessie's CVE-2017-2619.patch, and not
> > > all apply cleanly to 3.6.6 in wheezy.  That said, I will wait on
> > > > uploading until those bugs are resolved and I have incorporated their
> > > fixes.
> > 
> > Note that Jessie has samba4 while wheezy has samba3 (samba package) and
> > samba4 (samba4 package). 
> 
> samba4 in wheezy doesn't provide the Samba daemons, so is irrelevant here:
> https://packages.qa.debian.org/s/samba4/news/20140416T220212Z.html
> 
That, and the listing in dla-needed.txt is only for samba (not samba4).

Regards,

-Roberto
-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com



Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Moritz Muehlenhoff
On Fri, Mar 24, 2017 at 03:55:23PM +0100, Guido Günther wrote:
> Hi Roberto,
> On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote:
> > On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote:
> > > Please wait a bit before uploading.
> > > 
> > > There is a regression in jessie when "follow symlinks = no" #858564,
> > > and a segfault with vfs_shadow2 (#858590).
> > > 
> > > 
> > I am working on the wheezy LTS update for samba now.
> > 
> > There are 37 individual patches in jessie's CVE-2017-2619.patch, and not
> > all apply cleanly to 3.6.6 in wheezy.  That said, I will wait on
> > > uploading until those bugs are resolved and I have incorporated their
> > fixes.
> 
> Note that Jessie has samba4 while wheezy has samba3 (samba package) and
> samba4 (samba4 package). 

samba4 in wheezy doesn't provide the Samba daemons, so is irrelevant here:
https://packages.qa.debian.org/s/samba4/news/20140416T220212Z.html

Cheers,
Moritz



Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Roberto C . Sánchez
On Fri, Mar 24, 2017 at 03:55:23PM +0100, Guido Günther wrote:
> 
> Note that Jessie has samba4 while wheezy has samba3 (samba package) and
> samba4 (samba4 package). Mathieu attached the patches for samba3 to
> 
>  
> 
> mail. These should apply more cleanly.

Quite right.  I missed that.

The good thing is I am only on patch 6 at this point and I haven't
encountered any difficult failures.  I will switch to the patches from
Mathieu.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Guido Günther
Hi Roberto,
On Fri, Mar 24, 2017 at 10:45:44AM -0400, Roberto C. Sánchez wrote:
> On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote:
> > Please wait a bit before uploading.
> > 
> > There is a regression in jessie when "follow symlinks = no" #858564,
> > and a segfault with vfs_shadow2 (#858590).
> > 
> > 
> I am working on the wheezy LTS update for samba now.
> 
> There are 37 individual patches in jessie's CVE-2017-2619.patch, and not
> all apply cleanly to 3.6.6 in wheezy.  That said, I will wait on
> uploading until those bugs are resolved and I have incorporated their
> fixes.

Note that Jessie has samba4 while wheezy has samba3 (samba package) and
samba4 (samba4 package). Mathieu attached the patches for samba3 to

 

mail. These should apply more cleanly.
Cheers,
 -- Guido



Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Roberto C . Sánchez
On Fri, Mar 24, 2017 at 03:16:28PM +0100, Mathieu Parent wrote:
> Please wait a bit before uploading.
> 
> There is a regression in jessie when "follow symlinks = no" #858564,
> and a segfault with vfs_shadow2 (#858590).
> 
> 
I am working on the wheezy LTS update for samba now.

There are 37 individual patches in jessie's CVE-2017-2619.patch, and not
all apply cleanly to 3.6.6 in wheezy.  That said, I will wait on
uploading until those bugs are resolved and I have incorporated their
fixes.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com




Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-24 Thread Mathieu Parent
Please wait a bit before uploading.

There is a regression in jessie when "follow symlinks = no" #858564,
and a segfault with vfs_shadow2 (#858590).


Regards


-- 
Mathieu Parent



Re: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-23 Thread Ola Lundqvist
Hi Mathieu

Thank you for this information. The LTS team will handle this. If nobody
else steps up I will do it myself.

For the LTS team: I will add this to the dla-needed.txt file later today
but feel free to add that and claim yourself to this update.

Best regards

// Ola

On 23 March 2017 at 11:30, Mathieu Parent <math.par...@gmail.com> wrote:

> Hi,
>
> Today samba has released a security fix for a symlink race (leading to
> information disclosure).
>
> Salvatore will take care of the jessie upload, I have uploaded for
> sid, but we have not done anything on the wheezy side.
>
> See attached the backported patches for 3.6 (those are from the samba
> bugzilla which is still embargoed).
>
> Please take care of it.
>
> Thanks
>
> Mathieu Parent
>
>
> -- Forwarded message --
> From: Karolin Seeger via samba-announce <samba-annou...@lists.samba.org>
> Date: 2017-03-23 10:11 GMT+01:00
> Subject: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases
> Available for Download
> To: samba-annou...@lists.samba.org, sa...@lists.samba.org,
> samba-techni...@lists.samba.org
>
>
> Release Announcements
> -
>
> These are security releases in order to address the following defect:
>
> o  CVE-2017-2619 (Symlink race allows access outside share definition)
>
> ===
> Details
> ===
>
> o  CVE-2017-2619:
>All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
>a malicious client using a symlink race to allow access to areas of
>the server file system not exported under the share definition.
>
>Samba uses the realpath() system call to ensure when a client requests
>access to a pathname that it is under the exported share path on the
>server file system.
>
>Clients that have write access to the exported part of the file system
>via SMB1 unix extensions or NFS to create symlinks can race the server
>by renaming a realpath() checked path and then creating a symlink. If
>the client wins the race it can cause the server to access the new
>symlink target after the exported share path check has been done. This
>new symlink target can point to anywhere on the server file system.
>
>This is a difficult race to win, but theoretically possible. Note that
>the proof of concept code supplied wins the race reliably only when
>the server is slowed down using the strace utility running on the
>server. Exploitation of this bug has not been seen in the wild.
>
>
> Changes:
> 
>
> o  Jeremy Allison <j...@samba.org>
>* BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> share
>  directory.
>
> o  Ralph Boehme <s...@samba.org>
>* BUG 12496: CVE-2017-2619: Symlink race permits opening files outside
> share
>  directory.
>
>
> ###
> Reporting bugs & Development Discussion
> ###
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical IRC channel on irc.freenode.net.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored.  All bug reports should
> be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ==
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ==
>
>
>
> 
> Download Details
> 
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
> https://www.samba.org/samba/history/samba-4.6.1.html
> https://www.samba.org/samba/history/samba-4.5.7.html
> https://www.samba.org/samba/history/samba-4.4.12.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
>
>
> --
> Mathieu
>



-- 
 --- Inguza Technology AB --- MSc in Information Technology 
/  o...@inguza.comFolkebogatan 26\
|  o...@debian.org   654 68 KARLSTAD|
|  http://inguza.com/Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---


Fwd: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases Available for Download

2017-03-23 Thread Mathieu Parent
Hi,

Today samba has released a security fix for a symlink race (leading to
information disclosure).

Salvatore will take care of the jessie upload, I have uploaded for
sid, but we have not done anything on the wheezy side.

See attached the backported patches for 3.6 (those are from the samba
bugzilla which is still embargoed).

Please take care of it.

Thanks

Mathieu Parent


-- Forwarded message --
From: Karolin Seeger via samba-announce <samba-annou...@lists.samba.org>
Date: 2017-03-23 10:11 GMT+01:00
Subject: [Announce] Samba 4.6.1, 4.5.7 and 4.4.12 Security Releases
Available for Download
To: samba-annou...@lists.samba.org, sa...@lists.samba.org,
samba-techni...@lists.samba.org


Release Announcements
-

These are security releases in order to address the following defect:

o  CVE-2017-2619 (Symlink race allows access outside share definition)

===
Details
===

o  CVE-2017-2619:
   All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to
   a malicious client using a symlink race to allow access to areas of
   the server file system not exported under the share definition.

   Samba uses the realpath() system call to ensure when a client requests
   access to a pathname that it is under the exported share path on the
   server file system.

   Clients that have write access to the exported part of the file system
   via SMB1 unix extensions or NFS to create symlinks can race the server
   by renaming a realpath() checked path and then creating a symlink. If
   the client wins the race it can cause the server to access the new
   symlink target after the exported share path check has been done. This
   new symlink target can point to anywhere on the server file system.

   This is a difficult race to win, but theoretically possible. Note that
   the proof of concept code supplied wins the race reliably only when
   the server is slowed down using the strace utility running on the
   server. Exploitation of this bug has not been seen in the wild.


Changes:


o  Jeremy Allison <j...@samba.org>
   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
 directory.

o  Ralph Boehme <s...@samba.org>
   * BUG 12496: CVE-2017-2619: Symlink race permits opening files outside share
 directory.


###
Reporting bugs & Development Discussion
###

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


==
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==




Download Details


The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
from:

https://download.samba.org/pub/samba/stable/

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.6.1.html
https://www.samba.org/samba/history/samba-4.5.7.html
https://www.samba.org/samba/history/samba-4.4.12.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team


-- 
Mathieu


3-6-racefix
Description: Binary data
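
The check-then-use window described in the CVE-2017-2619 announcement above, as an added example that is not part of the thread and is neither Samba's code nor its fix: a realpath() check followed by a second open() of the same name, next to a descriptor-relative walk that refuses symlinks at the moment of opening. All function names, the hook parameter and the temporary-directory fixture are assumptions made for the illustration; it targets Linux/POSIX.

```c
/* Added example, not Samba code; every name below is hypothetical. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use: realpath() resolves the name once, open() resolves it again. */
int open_after_realpath(const char *share, const char *rel, void (*hook)(void))
{
    char path[PATH_MAX], real[PATH_MAX];
    size_t n = strlen(share);
    snprintf(path, sizeof(path), "%s/%s", share, rel);
    if (realpath(path, real) == NULL || strncmp(real, share, n) != 0 ||
        (real[n] != '/' && real[n] != '\0'))
        return -1;                   /* missing, or resolves outside the share */
    if (hook)
        hook();                      /* test aid: the tree may change in this window */
    return open(path, O_RDONLY);     /* second, unchecked resolution */
}

/* Check-is-use: walk one component at a time from an fd on the share root.
 * ".." is refused outright, and O_NOFOLLOW makes openat() fail on a symlink
 * in the same call that would have opened it. */
int open_beneath(int share_fd, const char *rel)
{
    char buf[PATH_MAX], *save = NULL, *comp, *next;
    int fd, dirfd;
    if (rel[0] == '/' || strlen(rel) >= sizeof(buf) ||
        (dirfd = dup(share_fd)) < 0)
        return -1;
    strcpy(buf, rel);
    for (comp = strtok_r(buf, "/", &save); comp != NULL; comp = next) {
        next = strtok_r(NULL, "/", &save);
        fd = strcmp(comp, "..") == 0 ? -1 :
             openat(dirfd, comp, O_RDONLY | O_NOFOLLOW | O_CLOEXEC |
                                 (next ? O_DIRECTORY : 0));
        close(dirfd);
        if (fd < 0)
            return -1;
        dirfd = fd;
    }
    return dirfd;
}

static int put(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    return (f != NULL && fputs(text, f) >= 0 && fclose(f) == 0) ? 0 : -1;
}

/* Constructed fixture in a fresh temp dir, which becomes the cwd:
 * share/docs/a.txt = "in", outside/a.txt = "out". `share` needs PATH_MAX bytes. */
int make_fixture(char *share)
{
    char tmpl[] = "/tmp/share-race-XXXXXX";
    if (mkdtemp(tmpl) == NULL || chdir(tmpl) != 0 || mkdir("share", 0700) ||
        mkdir("share/docs", 0700) || mkdir("outside", 0700) ||
        put("share/docs/a.txt", "in") || put("outside/a.txt", "out"))
        return -1;
    return realpath("share", share) ? 0 : -1;
}

/* Deterministic stand-in for the rename-then-symlink step in the advisory. */
void swap_docs_for_symlink(void)
{
    if (rename("share/docs", "share/docs.old") != 0 ||
        symlink("../outside", "share/docs") != 0)
        perror("swap");
}

int first_byte(int fd)               /* 'i' or 'o' in the fixture, -1 on error */
{
    char c;
    int r = (fd >= 0 && read(fd, &c, 1) == 1) ? c : -1;
    close(fd);                       /* harmless EBADF when fd is -1 */
    return r;
}

int main(void)
{
    char share[PATH_MAX];
    if (make_fixture(share) != 0)
        return 1;
    printf("check-then-use read '%c'\n", first_byte(
        open_after_realpath(share, "docs/a.txt", swap_docs_for_symlink)));
    printf("fd-relative walk returned %d\n",
           open_beneath(open(share, O_RDONLY | O_DIRECTORY), "docs/a.txt"));
    return 0;
}
```

On Linux 5.6 and later, openat2() with RESOLVE_BENEATH gives the same guarantee in a single call.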