Public bug reported: It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). ---- How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1 Leading into an unusable system in the following state: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2 ## state Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. ** Affects: samba (Ubuntu) Importance: High Assignee: Rafael David Tinoco (inaddy) Status: Confirmed ** Changed in: samba (Ubuntu) Status: New => Confirmed ** Changed in: samba (Ubuntu) Assignee: (unassigned) => Rafael David Tinoco (inaddy) ** Changed in: samba (Ubuntu) Importance: Undecided => High ** Description changed: It was brought to my attention that, because of latest security fixes for samba: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739 samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism). ---- How to reproduce easily: $ cat /etc/nsswitch.conf passwd: winbind compat shadow: compat - group: winbind compat + group: winbind compat (winbind is usually used after compat, in this case it was used before) to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a: $ sudo apt-get update and FINALLY: """ - $ sudo apt-get --only-upgrade install samba - Reading package lists... Done - Building dependency tree - Reading state information... Done - The following packages were automatically installed and are no longer required: - libhdb9-heimdal libkdc2-heimdal libntdb1 python-ntdb - Use 'apt-get autoremove' to remove them. - The following extra packages will be installed: - libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0 - python-ldb python-samba python-tdb samba-common samba-common-bin - samba-dsdb-modules samba-libs samba-vfs-modules winbind - Suggested packages: - bind9 bind9utils ldb-tools smbldap-tools heimdal-clients - The following packages will be upgraded: - libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0 - python-ldb python-samba python-tdb samba samba-common samba-common-bin - samba-dsdb-modules samba-libs samba-vfs-modules winbind - 16 upgraded, 0 newly installed, 0 to remove and 219 not upgraded. - Need to get 8,877 kB of archives. - After this operation, 5,632 kB of additional disk space will be used. - Do you want to continue? [Y/n] y - Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-ldb amd64 1:1.1.24-0ubuntu0.14.04.1 [29.2 kB] - Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-tdb amd64 1.3.8-0ubuntu0.14.04.1 [10.8 kB] - Get:3 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtdb1 amd64 1.3.8-0ubuntu0.14.04.1 [38.3 kB] - Get:4 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtevent0 amd64 0.9.28-0ubuntu0.14.04.1 [26.2 kB] - Get:5 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-dsdb-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [219 kB] - Get:6 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libnss-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [12.6 kB] - Get:7 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libpam-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [28.2 kB] - Get:8 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [411 kB] - Get:9 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libwbclient0 amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [30.8 kB] - Get:10 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [903 kB] - Get:11 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common-bin amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [508 kB] - Get:12 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common all 2:4.3.9+dfsg-0ubuntu0.14.04.1 [82.9 kB] - Get:13 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [1,068 kB] - Get:14 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-vfs-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [259 kB] - Get:15 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-libs amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [5,144 kB] - Get:16 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libldb1 amd64 1:1.1.24-0ubuntu0.14.04.1 [107 kB] - Fetched 8,877 kB in 14s (594 kB/s) - Preconfiguring packages ... - (Reading database ... 115393 files and directories currently installed.) - Preparing to unpack .../python-ldb_1%3a1.1.24-0ubuntu0.14.04.1_amd64.deb ... - Unpacking python-ldb (1:1.1.24-0ubuntu0.14.04.1) over (1:1.1.16-1ubuntu0.1) ... - Preparing to unpack .../python-tdb_1.3.8-0ubuntu0.14.04.1_amd64.deb ... - Unpacking python-tdb (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ... - Preparing to unpack .../libtdb1_1.3.8-0ubuntu0.14.04.1_amd64.deb ... - Unpacking libtdb1:amd64 (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ... - Preparing to unpack .../libtevent0_0.9.28-0ubuntu0.14.04.1_amd64.deb ... - Unpacking libtevent0:amd64 (0.9.28-0ubuntu0.14.04.1) over (0.9.19-1) ... - Preparing to unpack .../samba-dsdb-modules_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ... - Unpacking samba-dsdb-modules (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ... - Preparing to unpack .../libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ... - Unpacking libnss-winbind:amd64 (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ... - dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped - dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack): - subprocess dpkg-deb --control returned error exit status 2 - dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped - dpkg: error processing archive /var/cache/apt/archives/winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack): - subprocess dpkg-deb --control returned error exit status 2 - dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped - dpkg: error processing archive /var/cache/apt/archives/libwbclient0_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack): - subprocess dpkg-deb --control returned error exit status 2 - dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped + """ - Leading into an unusable system. + Leading into an unusable system in the following state: + + ## state + Workaround: DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1584485 Title: Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs