Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-1154: samba: Remote code execution in samba | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Marcus Meissner <meissner> |
| Component: | Incidents | Assignee: | Thomas Biege <thomas> |
| Status: | RESOLVED DUPLICATE | QA Contact: | Security Team bot <security-team> |
| Severity: | Critical | | |
| Priority: | P3 - Medium | CC: | lmuelle, lnussel, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | 64221, 64804, 64947 | | |
| Bug Blocks: | | | |
| Attachments: | patch that was included in advisory; patchinfo-box.smb; patchinfo-box.smb-winbind; patchinfo.smb-slec; patchinfo.smb-sles8; patchinfo.smb-sles9; samba2-secfix-intoverflow.diff; samba-2.2.12-CAN-2004-1154.patch | | |
Description
Ludwig Nussel
2004-12-10 17:16:04 UTC
Created attachment 26942 [details]
patch that was included in advisory
Ralf: We should include this into SP 1. The patch is a generic fix of the problem. Can we be sure that the release deadline will stay at Thu Dec 16th? This would match our RC2 release date, so we could integrate this in the RC2 code on Monday and I would approve it as we have to retest it anyway and remote code execution is a serious problem.

Ralf: Gerald (Jerry) Carter confirmed the release date also to another vendor.

IM: Could you please ask vendor-sec if one of the vendors did the backport for Samba 2.2. If not I'll have to do this on Tuesday.

This patch appears clean to me, but as with anything this pervasive, the more testing done, the better. The actual functional change is to a very small piece of the code, but the changes were made far beyond that to centralize memory allocation.

Done the work on SLES 9 SP 1. If we get 3.0.10 by tomorrow morning we'll make the version update. If not we have to stay with 3.0.9. This was already approved by Ralf <rf>. Todo: Backport 3.0.4 for SLES 9 GA release or version update to the SLES 9 SP 1 level. Might in this case be the most effective approach as the patch is really large and we have the testing for SLES 9 SP 1. Backport to the 3.0.7 of 9.2 and 2.2.8a of SLES 8.

After discussion with Marcus <meissner>, Ralf <rf> and Andreas <aj> we decided to use the Samba 3.0.9 as from SLES 9 SP 1 also for the current security fix of SLES 9 GA, 9.1, and 9.2. The version updates to SLES 9 GA and 9.2 are approved by the project managers.

Packages submitted for 9.1 and 9.2. Both are mbuilded and slightly tested. Todo: Samba 2.2.8a of SLES 8 and older SuSE Linux versions.

SM-Tracker - 73

Created attachment 27037 [details]
patchinfo-box.smb
Created attachment 27038 [details]
patchinfo-box.smb-winbind
Created attachment 27039 [details]
patchinfo.smb-slec
Created attachment 27040 [details]
patchinfo.smb-sles8
Created attachment 27041 [details]
patchinfo.smb-sles9
Packages submitted for 9.1 and 9.2 again. They have now the same code base as the package for SLES 9 SP 1.

Attention: For 9.2 we have to ensure to remove the samba-doc package as there is a broken preun scriptlet in an installed package. It is without any risk to deinstall the samba-doc package as this package only includes documentation (surprise) and no config at all. This should be done by some kind of script in the patchinfo.

* This comment was added by mail.

Evil, evil, evil! Issue is now public:

From: Gerald Carter <jerry@samba.org>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103)
To: bugtraq@securityfocus.com
Cc: security@samba.org
Subject: [SAMBA] CAN-2004-1154 : Integer overflow could lead to remote code execution in Samba 2.x, 3.0.x <= 3.0.9
Old-Content-Type: text/plain; charset=ISO-8859-1; format=flowed

[-- PGP output follows (current time: Thu 16 Dec 2004 17:28:40 CET) --]
gpg: Signature made Thu 16 Dec 2004 13:17:29 CET, DSA key ID D83511F6
gpg: Can't check signature: public key not found
[-- End of PGP output --]

[-- BEGIN PGP SIGNED MESSAGE --]

==========================================================
==
== Subject: Possible remote code execution
== CVE ID#: CAN-2004-1154
==
== Versions: Samba 2.x & 3.0.x <= 3.0.9
==
== Summary: A potential integer overflow when
== unmarshalling specific MS-RPC requests
== from clients could lead to heap
== corruption and remote code execution.
==
==========================================================

===========
Description
===========

Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges. Successful remote exploitation allows an attacker to gain root privileges on a vulnerable system.
In order to exploit this vulnerability an attacker must possess credentials that allow access to a share on the Samba server. Unsuccessful exploitation attempts will cause the process serving the request to crash with signal 11, and may leave evidence of an attack in logs.

==================
Patch Availability
==================

A patch for Samba 3.0.9 (samba-3.0.9-CAN-2004-1154.patch) can be downloaded from http://www.samba.org/samba/ftp/patches/security/

The patch has been signed with the "Samba Distribution Verification Key" (ID F17F9772).

=============================
Protecting Unpatched Servers
=============================

The Samba Team always encourages users to run the latest stable release as a defense against attacks. However, under certain circumstances it may not be possible to immediately upgrade important installations. In such cases, administrators should read the "Server Security" documentation found at http://www.samba.org/samba/docs/server_security.html.

=======
Credits
=======

This security issue was reported to Samba developers by iDEFENSE Labs. The vulnerability was discovered by Greg MacManus, iDEFENSE Labs.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Samba 3 packages at ftp.SuSE.com and download.Samba.org are up to date.

samba2 patch ready. Currently stressed in test builds.

Created attachment 27150 [details]
samba2-secfix-intoverflow.diff
This patch compiles well under 9.0-i386.
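The advisory quoted above describes the bug class in a single sentence: an integer overflow while unmarshalling a client-supplied array count in an MS-RPC request, leading to heap corruption. The C program below is an added illustration of that class written for this page; it is not Samba code and does not reproduce the actual CAN-2004-1154 code path. The request layout (a 4-byte little-endian count followed by count 4-byte elements), the element size and all function names are assumptions. It keeps the vulnerable 32-bit size computation next to a hardened unmarshaller that rejects a count whose byte size would wrap, or that claims more elements than the request actually carries.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed illustration of an integer overflow in length unmarshalling.
 * NOT Samba code; the wire layout (LE32 count, then count 4-byte elements)
 * is an assumption made for this example.
 */

#define ELEM_SIZE 4u

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable size computation: count * ELEM_SIZE done in 32 bits wraps
 * for count >= 0x40000000, so a hostile count yields a tiny allocation. */
uint32_t vuln_alloc_size(uint32_t count)
{
    return count * ELEM_SIZE;
}

/* Mirrors the vulnerable control flow (allocate the wrapped size, then copy
 * all count elements) without touching memory: returns 1 when the copy
 * would write past the allocation, i.e. when the heap would be corrupted. */
int vuln_would_corrupt_heap(uint32_t count)
{
    uint32_t alloc = vuln_alloc_size(count);
    uint64_t written = (uint64_t)count * ELEM_SIZE;
    return written > alloc;
}

/* Hardened unmarshaller: rejects a count whose byte size would wrap and a
 * count that claims more elements than the request carries.
 * Returns 0 on success (caller frees *out), -1 on a malformed request. */
int safe_unmarshal_array(const uint8_t *buf, size_t buflen,
                         uint32_t **out, uint32_t *out_count)
{
    if (buflen < 4)
        return -1;
    uint32_t count = rd_le32(buf);
    if (count > UINT32_MAX / ELEM_SIZE)   /* multiplication would wrap */
        return -1;
    uint32_t bytes = count * ELEM_SIZE;
    if (bytes > buflen - 4)               /* more elements than bytes sent */
        return -1;
    uint32_t *arr = calloc(count ? count : 1, ELEM_SIZE);
    if (!arr)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        arr[i] = rd_le32(buf + 4 + (size_t)i * ELEM_SIZE);
    *out = arr;
    *out_count = count;
    return 0;
}

/* Constructed hostile request: count 0x40000001 with only 8 payload bytes.
 * Returns the hardened unmarshaller's verdict (-1 = rejected). */
int demo_hostile_request(void)
{
    const uint8_t req[] = { 0x01, 0x00, 0x00, 0x40,
                            0xde, 0xad, 0xbe, 0xef, 0xca, 0xfe, 0xba, 0xbe };
    uint32_t *arr = NULL, n = 0;
    int rc = safe_unmarshal_array(req, sizeof req, &arr, &n);
    free(arr);
    return rc;
}

/* Constructed benign request: count 2, elements 7 and 9.
 * Returns the sum of the parsed elements, or -1 if rejected. */
long demo_benign_request(void)
{
    const uint8_t req[] = { 0x02, 0x00, 0x00, 0x00,
                            0x07, 0x00, 0x00, 0x00,
                            0x09, 0x00, 0x00, 0x00 };
    uint32_t *arr = NULL, n = 0;
    if (safe_unmarshal_array(req, sizeof req, &arr, &n) != 0)
        return -1;
    long sum = 0;
    for (uint32_t i = 0; i < n; i++)
        sum += arr[i];
    free(arr);
    return sum;
}

int main(void)
{
    uint32_t hostile = 0x40000001u;
    printf("count 0x%08x: vulnerable alloc size = %u bytes, corrupts heap = %d\n",
           hostile, vuln_alloc_size(hostile), vuln_would_corrupt_heap(hostile));
    printf("hardened parser: hostile rc=%d, benign sum=%ld\n",
           demo_hostile_request(), demo_benign_request());
    return 0;
}
```

The second bound check (claimed bytes against bytes actually received) matters on its own: even where the multiplication cannot wrap, a count that exceeds the request length lets the copy loop read past the input buffer. The advisory's note that failed attempts crash with signal 11 is exactly what an unchecked count produces when the wrapped allocation is overrun.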
At comment #15 and #16: Please do a rpm -F --noscripts to the samba-doc package for 9.2 only with a script called from the patchinfo. Then we don't have to deinstall samba-doc and everything should be fine.

I'll prepare packages based on Thomas' work. Thanks, thanks, thanks.

This patch should be well tested b/c it's very huge and I coded it to the rhythm of some aggressive metal music. ;-D

There is no way to add --noscripts in YOU patches AFAIK.

Packages build fine with the patch added in comment #20. Tested for ul1 with LDAP sam. PDC domain join works, user authentication works.

At comment 15: It was bug 63160. This only happens on 9.2. The scripts were never part of the SLES GA version. For SLES SP 1 it was fixed early enough with the changes from 2004-11-11.

Problem with samba-doc fixed (worked around) in the preinstall script of the samba-doc update package. No need for extra YOU trickery.

Great. Hero of labour (at least of today). Thanks a lot. It's much less embarrassing to the outside.

The patchinfo files for the 3.0.9 might be wrong as they don't include all packages which are part of the Samba 3.0.9 package. They must contain: libsmbclient libsmbclient-devel samba samba-client samba-doc samba-pdb samba-python samba-vscan samba-winbind. We don't need to update ldapsmb as it's only a perl script. As I'm on vacation for two weeks I move this bug to the security-team.

Hello Harald, samba is already checked in so I can't change the package list. Can you handle it please?

We rejected and adjusted the patchinfos as needed. All are checked in again. Thanks a lot.

I'll write the Advisory tomorrow.

Packages approved, advisory released.
Reopened by meissner@suse.de at Fri Dec 24 11:15:22 2004, took initial reporter lnussel@suse.de to cc

we received reports of this update causing problems on 8.2 and 9.1

From: Serkan Beyaz <snbeyaz@typ0.de>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707
To: Sebastian Krahmer <krahmer@suse.de>, meissner@suse.de
Subject: Samba security update

Hello, sorry for the disturbance, but could it be that the latest security RPMs for Samba are faulty? On several SuSE 9.1 machines on which the patch was installed, Samba could no longer be started, so we had to fall back on the rpm package from the original distribution. Is anything known about this at your end? Kind regards, Serkan

Created attachment 27305 [details]
samba-2.2.12-CAN-2004-1154.patch
updated patch from redhat (not the same sources as ours from Thomas)!
Regarding comment #35: Please ask for more details. I've checked the Samba update process with samba-3.0.9-2.1.5 and samba-client-3.0.9-2.1.5 as from the update tree on a 9.1 system and everything works well. I need a reproducible or more detailed bug-report to fix this.

Ok, new patch is done (see bug 64804). Waiting for testing.

*** This bug has been marked as a duplicate of 64804 ***