| Field | Value |
|---|---|
| Summary | net-fs/samba Privilege escalation (CVE-2007-{2444\|2446\|2447}) Vendor-Sec |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | blocker |
| CC | bernd, chainsaw, craig, dev-zero |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://news.samba.org/ |
| Whiteboard | B0? [glsa] jaervosz |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2007-05-04 13:16:56 UTC
Created attachment 118137 [details, diff]
3.0.24-sid2name_elevation.patch
Tiziano please attach an updated ebuild to this bug and we will call arch security liaisons for testing. Do NOT commit anything to Portage yet. If you have any questions about how security bugs like this are handled just ask here or mail me. If you want someone else from the samba team to deal with this please CC them.

Created attachment 118165 [details]
samba-3.0.24-r2.ebuild
This is the updated ebuild as requested.
The patch has to be named "3.0.24-sid2name_elevation.patch".
Tested on x86 (unstable).
... and there IS nobody else in the samba team :-)
Thx for the quick response Tiziano. Arch security liaisons please test and report back on this bug. Please do NOT commit anything yet.

Works for hppa.

looks good on ppc64, too

x86 looks good

looks good on sparc.

looks ok on ppc

Back to preebuild since more issues popped up.

```
==========================================================
==
== Subject:     Unescaped user input parameters are passed
==              as arguments to /bin/sh allowing for remote
==              command execution
==
== CVE ID#:     CVE-2007-2447
==
== Versions:    Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary:
==
==========================================================

===========
Description
===========

This bug was originally reported against the anonymous calls to the
SamrChangePassword() MS-RPC function in combination with the "username
map script" smb.conf option (which is not enabled by default). After
further investigation by Samba developers, it was determined that the
problem was much broader and impacts remote printer and file share
management as well.

The root cause is passing unfiltered user input provided via MS-RPC
calls to /bin/sh when invoking external scripts defined in smb.conf.
However, unlike the "username map script" vulnerability, the remote
file and printer management scripts require an authenticated user
session.

==================
Patch Availability
==================

A patch against Samba 3.0.24 has been attached to this email. At the
time of public disclosure, the patch will be posted to
http://www.samba.org/samba/security/.

Back ports of the patch to Samba 2.2.12, 3.0.9, and 3.0.10 are
available upon request thanks to Samba/RedHat developer Simo Sorce
<idra@samba.org>.

==========
Workaround
==========

This defect may be alleviated by removing all defined external script
invocations (username map script, add printer command, etc...) from
smb.conf.

The Samba Team always encourages users to run the latest stable release
as a defense against attacks. If this is not immediately possible,
administrators should read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html

=======
Credits
=======

This vulnerability was reported to Samba developers by Joshua J. Drake,
iDefense Labs (http://www.idefense.com/), as part of their Vulnerability
Contributor Program.

The time line is as follows:

* May 7, 2007: Initial defect disclosure to the security@samba.org email alias.
* May 7, 2007: Initial developer response by Samba developer Gerald Carter.
* May 9, 2007: Patch released by Samba developer Jeremy Allison to iDefense for testing.
* May 10, Announcement to vendor-sec mailing list
* May 14, 2007: Proposed date for public announcement of the security issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
```

Created attachment 118832 [details, diff]
3.0.24-shell_escape.patch
Upstream fix for CVE-2007-2447.
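The workaround in the CVE-2007-2447 advisory above is to remove every external script invocation from smb.conf. As an added example (not from this bug or the Samba project), this Python audit lists the script options a given smb.conf sets and flags whether the one the advisory describes as reachable anonymously is among them. Assumptions: the option names beyond the two the advisory mentions come from my knowledge of Samba 3.0's smb.conf, the case- and whitespace-insensitive matching mirrors how Samba compares parameter names, and the sample config is constructed.

```python
import re

# Samba matches parameter names ignoring case and whitespace (assumption
# about loadparm behaviour), so "AddPrinter Command" == "add printer command".
def _norm(name):
    return re.sub(r"\s+", "", name).lower()

# The two options the advisory names plus other Samba 3.0 parameters that hand
# a command line to /bin/sh; everything after the first two is an assumption.
SCRIPT_OPTIONS = {_norm(n) for n in (
    "username map script", "add printer command", "delete printer command",
    "add share command", "change share command", "delete share command",
    "add user script", "delete user script", "add group script",
    "delete group script", "add machine script", "rename user script",
)}
# Per the advisory, only this option is reachable without authentication.
ANONYMOUS_PATH = _norm("username map script")

def find_script_options(conf_text):
    """Return (section, option, value) for every script option set in conf_text."""
    section, hits = "global", []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # smb.conf comment lines start with ; or #
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            if _norm(key) in SCRIPT_OPTIONS:
                hits.append((section, key.strip(), value.strip()))
    return hits

def anonymous_reachable(hits):
    """True if a script option reachable by anonymous MS-RPC callers is set."""
    return any(_norm(opt) == ANONYMOUS_PATH for _, opt, _ in hits)

# Constructed sample smb.conf, not taken from any real host.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    ; reachable via anonymous SamrChangePassword (CVE-2007-2447)
    username map script = /etc/samba/usermap.sh
    AddPrinter Command = /usr/local/sbin/addprinter
[printers]
    path = /var/spool/samba
"""
```

Run `find_script_options` over the text of an smb.conf; `anonymous_reachable` on its result tells you whether the unauthenticated path is still open, and every hit is an option the advisory's workaround says to remove.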
```
==========================================================
==
== Subject:     Multiple Heap Overflows Allow Remote
==              Code Execution
==
== CVE ID#:     CVE-2007-2446
==
== Versions:    Samba 3.0.0 - 3.0.25rc3 (inclusive)
==
== Summary:     Various bugs in Samba's NDR parsing
==              can allow a user to send specially
==              crafted MS-RPC requests that will
==              overwrite the heap space with user
==              defined data.
==
==========================================================

===========
Description
===========

Various bugs in Samba's NDR parsing can allow a user to send specially
crafted MS-RPC requests that will overwrite the heap space with user
defined data.

==================
Patch Availability
==================

A patch against Samba 3.0.24 has been attached to this email. At the
time of public disclosure, the patch will be posted to
http://www.samba.org/samba/security/.

Back ports of the patch to Samba 2.2.12, 3.0.9, and 3.0.10 are
available upon request thanks to Samba/RedHat developer Simo Sorce
<idra@samba.org>.

==========
Workaround
==========

There is no immediate workaround for this defect that does not involve
changing the server code in the smbd daemon.

The Samba Team always encourages users to run the latest stable release
as a defense against attacks. If this is not immediately possible,
administrators should read the "Server Security" documentation found at
http://www.samba.org/samba/docs/server_security.html

=======
Credits
=======

This vulnerability was reported to Samba developers by Brian Schafer,
TippingPoint Security Response Lead, as part of the Zero Day Initiative
(http://www.zerodayinitiative.com).

The time line is as follows:

* April 25, 2007: Four individual defects reported to the security@samba.org email alias.
* April 25, 2007: Initial developer response by Samba developer Volker Lendecke.
* April 28, 2007: Patches for four defects released by Samba developer Jeremy Allison to ZDI for testing.
* May 3, 2007: Fix confirmed by original reporter.
* May 5, 2007: Fifth defect reported to security@samba.org.
* May 5, 2007: Patches for fifth defect released to ZDI for testing by Samba developer Jeremy Allison.
* May 10, Announcement to vendor-sec mailing list
* May 14, 2007: Proposed date for public announcement of the security issue.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
```

Created attachment 118834 [details, diff]
3.0.24-heap_overflow.patch
Upstream fix for CVE-2007-2446.
Tiziano please attach an updated ebuild. Do NOT commit anything yet.

Created attachment 118896 [details]
samba-3.0.24-r2.ebuild
Updated ebuild as requested. No revision bump.
Patches apply. Tests were successful on ~x86.
Thx again for the quick response Tiziano. Arch security liaisons please test the updated ebuild and report back on this bug. Please do NOT commit anything yet. Note release date is two days away.

Created attachment 118971 [details, diff]
3.0.24-shell_escape.patch
Updated patches from upstream:

> Apologies but we found a problem caused by the backport to 3.0.24. The problem was a return value of -11 on string conversion failures rather than -1. The result was an immediate crash.
Tiziano please update ebuild. Release date is getting close so I'm not removing arch security liaisons from CC.

@jaervosz: Sorry, but I can't do it. My machine is completely broken due to a harddrive failure. Since there's nobody else in the team, you'll have to find someone else to do the actual commit.

@arch-team-members: Just use the new patch together with the already committed ebuild, it should work without problems.

Arch security liaisons please give this a test, disclosure is getting close.

The bugs have been announced today (on the samba website), together with the announcement of version 3.0.25.

looks good on ppc64.

Opening bug since this is public now. Arches please test and mark stable.

NOTE: The first arch to test has to commit the ebuild and patches as Tiziano is unable to do it as per comment #20 (and I don't have x86 commit rights).

Target keywords are:

samba-3.0.24-r2.ebuild: KEYWORDS="alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"

added ebuild/patches and marked stable on ppc64.

Thx Markus.

(In reply to comment #25)
> added ebuild/patches and marked stable on ppc64.

Thanks for keywording hppa as well. I guess this was not intentional, but HPPA is good to go anyway.

That keyword seems to have been left in the attached ebuild somehow.

sparc stable.

x86 stable.

ppc stable

ia64 stable

*** Bug 178617 has been marked as a duplicate of this bug. ***

amd64 stable

alpha stable, sorry for the delay.

GLSA 200705-15