Bugzilla – Full Text Bug Listing
|Summary:||VUL-0: CVE-2004-1154: samba: Remote code execution in samba|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Marcus Meissner <meissner>|
|Component:||Incidents||Assignee:||Thomas Biege <thomas>|
|Status:||RESOLVED DUPLICATE||QA Contact:||Security Team bot <security-team>|
|Priority:||P3 - Medium||CC:||lmuelle, lnussel, security-team|
|Found By:||---||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
|Bug Depends on:||64221, 64804, 64947|
Description Ludwig Nussel 2004-12-10 17:16:04 UTC
Comment 1 Ludwig Nussel 2004-12-10 17:17:34 UTC
Created attachment 26942 [details] patch that was included in advisory
Comment 2 Lars Müller 2004-12-11 00:21:37 UTC
Ralf: We should include this in SP 1. The patch is a generic fix of the problem.
Comment 3 Ralf Flaxa 2004-12-11 00:53:16 UTC
Can we be sure that the release deadline will stay at Thu Dec 16th? This would match our RC2 release date, so we could integrate this in the RC2 code on Monday and I would approve it as we have to retest it anyways and remote code execution is a serious problem.
Comment 4 Lars Müller 2004-12-12 22:31:19 UTC
Ralf: Gerald (Jerry) Carter confirmed the release date also to another vendor. IM: Could you please ask vendor-sec if one of the vendors did the backport for Samba 2.2. If not I'll have to do this on Tuesday.
Comment 5 Jim McDonough 2004-12-13 23:55:24 UTC
This patch appears clean to me, but as with anything this pervasive, the more testing done, the better. The actual functional change is to a very small piece of the code, but the changes were made far beyond that to centralize memory allocation.
Comment 6 Lars Müller 2004-12-14 05:40:52 UTC
Done the work on SLES 9 SP 1. If we get 3.0.10 by tomorrow morning we'll make the version update. If not we have to stay with 3.0.9. This was already approved by Ralf <rf>. Todo: Backport 3.0.4 for SLES 9 GA release or version update to the SLES 9 SP 1 level. The latter might in this case be the most effective approach as the patch is really large and we have the testing for SLES 9 SP 1. Backport to the 3.0.7 of 9.2 and 2.2.8a of SLES 8.
Comment 7 Lars Müller 2004-12-14 18:36:01 UTC
After discussion with Marcus <meissner>, Ralf <rf> and Andreas <aj> we decided to use the Samba 3.0.9 as from SLES 9 SP 1 also for the current security fix of SLES 9 GA, 9.1, and 9.2. The version updates to SLES 9 GA and 9.2 are approved by the project managers. Packages submitted for 9.1 and 9.2. Both are mbuilded and slightly tested. Todo: Samba 2.2.8a of SLES 8 and older SuSE Linux versions.
Comment 8 Thomas Biege 2004-12-14 21:41:10 UTC
SM-Tracker - 73
Comment 9 Thomas Biege 2004-12-14 21:45:57 UTC
Created attachment 27037 [details] patchinfo-box.smb
Comment 10 Thomas Biege 2004-12-14 21:46:16 UTC
Created attachment 27038 [details] patchinfo-box.smb-winbind
Comment 11 Thomas Biege 2004-12-14 21:46:36 UTC
Created attachment 27039 [details] patchinfo.smb-slec
Comment 12 Thomas Biege 2004-12-14 21:46:54 UTC
Created attachment 27040 [details] patchinfo.smb-sles8
Comment 13 Thomas Biege 2004-12-14 21:47:12 UTC
Created attachment 27041 [details] patchinfo.smb-sles9
Comment 14 Lars Müller 2004-12-16 19:10:58 UTC
Packages submitted for 9.1 and 9.2 again. They now have the same code base as the package for SLES 9 SP 1.
Comment 15 Lars Müller 2004-12-16 22:07:11 UTC
Attention: For 9.2 we have to make sure to remove the samba-doc package, as there is a broken preun scriptlet in an installed package. It is without any risk to deinstall the samba-doc package as this package only includes documentation (surprise) and no config at all. This should be done by some kind of script in the patchinfo.
Comment 16 Ludwig Nussel 2004-12-16 22:14:01 UTC
* This comment was added by mail. Evil, evil, evil!
Comment 17 Marcus Meissner 2004-12-17 00:29:01 UTC
Issue is now public:

From: Gerald Carter <email@example.com>
User-Agent: Mozilla Thunderbird 0.9 (X11/20041103)
To: firstname.lastname@example.org
Cc: email@example.com
Subject: [SAMBA] CAN-2004-1154 : Integer overflow could lead to remote code execution in Samba 2.x, 3.0.x <= 3.0.9
Old-Content-Type: text/plain; charset=ISO-8859-1; format=flowed

==========================================================
==
== Subject:     Possible remote code execution
== CVE ID#:     CAN-2004-1154
==
== Versions:    Samba 2.x & 3.0.x <= 3.0.9
==
== Summary:     A potential integer overflow when
==              unmarshalling specific MS-RPC requests
==              from clients could lead to heap
==              corruption and remote code execution.
==
==========================================================

===========
Description
===========

Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges. Successful remote exploitation allows an attacker to gain root privileges on a vulnerable system.

In order to exploit this vulnerability an attacker must possess credentials that allow access to a share on the Samba server.

Unsuccessful exploitation attempts will cause the process serving the request to crash with signal 11, and may leave evidence of an attack in logs.

==================
Patch Availability
==================

A patch for Samba 3.0.9 (samba-3.0.9-CAN-2004-1154.patch) can be downloaded from http://www.samba.org/samba/ftp/patches/security/

The patch has been signed with the "Samba Distribution Verification Key" (ID F17F9772).

=============================
Protecting Unpatched Servers
=============================

The Samba Team always encourages users to run the latest stable release as a defense against attacks. However, under certain circumstances it may not be possible to immediately upgrade important installations. In such cases, administrators should read the "Server Security" documentation found at http://www.samba.org/samba/docs/server_security.html.

=======
Credits
=======

This security issue was reported to Samba developers by iDEFENSE Labs. The vulnerability was discovered by Greg MacManus, iDEFENSE Labs.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
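The advisory above describes an integer overflow while unmarshalling counted data from an MS-RPC request, which then corrupts the heap; comment 5 notes the fix centralises memory allocation. The following is an added illustration of that bug class and its remedy, not Samba's code and not the patch attached to this bug: the wire format, the function names and the checked allocator are assumed for the example.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed wire format for this illustration: a 32-bit little-endian
 * element count followed by `count` 4-byte little-endian elements. */
typedef struct { uint32_t count; uint32_t *items; } counted_array;

static uint32_t rd_le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* The unchecked arithmetic: count * 4 is evaluated in 32 bits and wraps, so a
 * huge count yields a tiny allocation which the element copy loop then overruns. */
uint32_t unchecked_alloc_size(uint32_t count) { return count * 4u; }

/* Centralised, overflow-safe allocator (assumed helper): refuses a count*size
 * that would wrap, and a count the bytes remaining in the message cannot hold. */
static void *alloc_array_checked(size_t count, size_t size, size_t avail)
{
    if (size == 0 || count > SIZE_MAX / size) return NULL; /* product would wrap */
    if (count * size > avail) return NULL;                  /* claims more than was sent */
    return calloc(count, size);
}

/* Unmarshal through the checked helper: 0 on success, -1 on a malformed or
 * truncated message, in which case the caller drops the request. */
int unmarshal_counted(const uint8_t *buf, size_t len, counted_array *out)
{
    uint32_t i;
    out->items = NULL;
    if (len < 4) return -1;
    out->count = rd_le32(buf);
    out->items = alloc_array_checked(out->count, 4, len - 4);
    if (out->items == NULL) return -1;
    for (i = 0; i < out->count; i++)
        out->items[i] = rd_le32(buf + 4 + 4 * (size_t)i);
    return 0;
}

/* Constructed messages: a valid 2-element array, one claiming 3 elements but carrying 2,
 * and one whose count 0x40000001 wraps 32-bit count*4 to 4. Returns how many of the
 * four cases behaved as expected (4 = all). */
int self_check(void)
{
    static const uint8_t ok[]   = {2,0,0,0, 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22};
    static const uint8_t shrt[] = {3,0,0,0, 0x11,0x11,0x11,0x11, 0x22,0x22,0x22,0x22};
    static const uint8_t wrap[] = {0x01,0x00,0x00,0x40, 0x41,0x41,0x41,0x41};
    counted_array a; int passed = 0;
    if (unmarshal_counted(ok, sizeof ok, &a) == 0 && a.count == 2 && a.items[1] == 0x22222222u) passed++;
    free(a.items);
    if (unmarshal_counted(shrt, sizeof shrt, &a) == -1) passed++; /* count exceeds payload */
    if (unmarshal_counted(wrap, sizeof wrap, &a) == -1) passed++; /* wrapping count rejected */
    if (unmarshal_counted(ok, 3, &a) == -1) passed++;             /* truncated header */
    return passed;
}
```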
Comment 18 Lars Müller 2004-12-17 01:46:19 UTC
Samba 3 packages at ftp.SuSE.com and download.Samba.org are up to date.
Comment 19 Thomas Biege 2004-12-17 01:53:52 UTC
samba2 patch ready. Currently stressed in test builds.
Comment 20 Thomas Biege 2004-12-17 03:31:40 UTC
Created attachment 27150 [details] samba2-secfix-intoverflow.diff
This patch compiles well under 9.0-i386.
Comment 21 Lars Müller 2004-12-17 15:09:40 UTC
At comment #15 and #16: Please do an rpm -F --noscripts on the samba-doc package for 9.2 only, with a script called from the patchinfo. Then we don't have to deinstall samba-doc and everything should be fine. I'll prepare packages based on Thomas' work. Thanks, thanks, thanks.
Comment 22 Thomas Biege 2004-12-17 17:40:24 UTC
This patch should be well tested b/c it's very huge and I coded it to the rhythm of some aggressive metal music. ;-D
Comment 23 Ludwig Nussel 2004-12-17 17:55:23 UTC
There is no way to add --noscripts in YOU patches AFAIK
Comment 24 Lars Müller 2004-12-17 20:26:00 UTC
Packages build fine with the patch added in comment #20. Tested for ul1 with LDAP sam. PDC domain join works, user authentication works.
Comment 25 Lars Müller 2004-12-17 23:01:31 UTC
At comment 15: It was bug 63160. This only happens on 9.2. The scripts were never part of the SLES GA version. For SLES SP 1 it was fixed early enough with the changes from 2004-11-11.
Comment 26 Michael Schröder 2004-12-17 23:48:50 UTC
Problem with samba-doc fixed/worked around in the preinstall script of the samba-doc update package. No need for extra YOU trickery.
Comment 27 Lars Müller 2004-12-17 23:51:41 UTC
Great. Hero of labour (at least of today). Thanks a lot. It's much less embarrassing to the outside.
Comment 28 Lars Müller 2004-12-20 05:49:54 UTC
The patchinfo files for the 3.0.9 might be wrong as they don't include all packages which are part of the Samba 3.0.9 package. They must contain: libsmbclient, libsmbclient-devel, samba, samba-client, samba-doc, samba-pdb, samba-python, samba-vscan, samba-winbind. We don't need to update ldapsmb as it's only a perl script. As I'm on vacation for two weeks I move this bug to the security-team.
Comment 29 Thomas Biege 2004-12-20 16:22:43 UTC
Hello Harald, samba is already checked in so I can't change the package list. Can you handle it please?
Comment 30 Harald Mueller-Ney 2004-12-20 20:38:01 UTC
We rejected and adjusted the patchinfos as needed. All are checked in again.
Comment 31 Thomas Biege 2004-12-21 01:13:29 UTC
Thanks a lot. I'll write the Advisory tomorrow.
Comment 32 Sebastian Krahmer 2004-12-22 22:33:43 UTC
Packages approved, advisory released.
Comment 33 Marcus Meissner 2004-12-24 18:15:22 UTC
Reopened by firstname.lastname@example.org at Fri Dec 24 11:15:22 2004, took initial reporter email@example.com to cc
Comment 34 Marcus Meissner 2004-12-24 18:15:22 UTC
We received reports of this update causing problems on 8.2 and 9.1.
Comment 35 Marcus Meissner 2004-12-24 18:17:30 UTC
From: Serkan Beyaz <firstname.lastname@example.org>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.1) Gecko/20040707
To: Sebastian Krahmer <email@example.com>, firstname.lastname@example.org
Subject: Samba security update

Hello, sorry to bother you, but could it be that the latest security RPMs for Samba are broken? On several SuSE 9.1 machines on which the patch was installed, Samba could no longer be started, so we had to fall back to the RPM package from the original distribution. Is this a known issue on your side? Best regards, Serkan
Comment 36 Marcus Meissner 2004-12-24 18:21:23 UTC
Created attachment 27305 [details] samba-2.2.12-CAN-2004-1154.patch
Updated patch from Red Hat (not the same sources as ours from Thomas)!
Comment 37 Lars Müller 2004-12-24 21:36:05 UTC
Regarding comment #35: Please ask for more details. I've checked the Samba update process with samba-3.0.9-2.1.5 and samba-client-3.0.9-2.1.5 as from the update tree on a 9.1 system and everything works well.
Comment 38 Thomas Biege 2005-01-07 21:30:43 UTC
I need a reproducible or more detailed bug report to fix this.
Comment 39 Thomas Biege 2005-01-20 23:14:19 UTC
Ok, new patch is done (see bug 64804). Waiting for testing.
Comment 40 Thomas Biege 2005-01-21 21:02:01 UTC
*** This bug has been marked as a duplicate of 64804 ***