Bug 518766 (CVE-2014-3560)

Summary:	<net-fs/samba-{4.0.21,4.1.11}: Remote code execution (CVE-2014-3560)
Product:	Gentoo Security	Reporter:	Kristian Fiskerstrand (RETIRED) <k_f>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	samba
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.samba.org/samba/security/CVE-2014-3560
Whiteboard:	~2 [noglsa]
Package list:		Runtime testing required:	---
Bug Depends on:
Bug Blocks:	447022

Description Kristian Fiskerstrand (RETIRED) gentoo-dev

2014-08-01 22:16:30 UTC

===========================================================
== Subject:     Remote code execution in nmbd
==
== CVE ID#:     CVE-2014-3560
==
== Versions:    Samba 4.0.0 to 4.1.10
==
== Summary:     Samba 4.0.0 to 4.1.10 are affected by a
==              remote code execution attack on
==		unauthenticated nmbd NetBIOS name services.
==
===========================================================

===========
Description
===========

All current versions of Samba 4.x.x are vulnerable to a remote code
execution vulnerability in the nmbd NetBIOS name services daemon.

A malicious browser can send packets that may overwrite the heap of
the target nmbd NetBIOS name services daemon. It may be possible to
use this to generate a remote code execution vulnerability as the
superuser (root).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.1.11 and 4.0.21 have been issued as security
releases to correct the defect. Patches against older Samba versions
are available at http://samba.org/samba/patches/. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

Do not run nmbd, the NetBIOS name services daemon.

=======
Credits
=======

This problem was found and the fix provided by Volker Lendecke, a
Samba Team member working for SerNet <vl@sernet.de>
https://www.sernet.de.

Additional information in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756759
===========================================================
== Subject:     Remote code execution in nmbd
==
== CVE ID#:     CVE-2014-3560
==
== Versions:    Samba 4.0.0 to 4.1.10
==
== Summary:     Samba 4.0.0 to 4.1.10 are affected by a
==              remote code execution attack on
==		unauthenticated nmbd NetBIOS name services.
==
===========================================================

===========
Description
===========

All current versions of Samba 4.x.x are vulnerable to a remote code
execution vulnerability in the nmbd NetBIOS name services daemon.

A malicious browser can send packets that may overwrite the heap of
the target nmbd NetBIOS name services daemon. It may be possible to
use this to generate a remote code execution vulnerability as the
superuser (root).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.1.11 and 4.0.21 have been issued as security
releases to correct the defect. Patches against older Samba versions
are available at http://samba.org/samba/patches/. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

Do not run nmbd, the NetBIOS name services daemon.

=======
Credits
=======

This problem was found and the fix provided by Volker Lendecke, a
Samba Team member working for SerNet <vl@sernet.de>
https://www.sernet.de.

Additional information in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756759
http://git.samba.org/?p=samba.git;a=commitdiff;h=9b24abe2f7961c6c54ddc9cd90ff09bf429dd3c0

Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev

2014-08-01 22:19:54 UTC

Sorry for the duplicate in the initial report.

Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2014-08-01 23:34:12 UTC

+*samba-4.1.11 (01 Aug 2014)
+*samba-4.0.21 (01 Aug 2014)
+
+  01 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -samba-4.0.18.ebuild,
+  +samba-4.0.21.ebuild, -samba-4.1.8.ebuild, +samba-4.1.11.ebuild:
+  Security bump (bug #518766). Removed old.
+

Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev

2014-08-03 12:31:03 UTC

Thanks. 4.1.9 and 4.0.19 ebuilds seems to be remaining and should probably be removed as well for cleanup.

Comment 4 Gerald 2014-08-06 10:49:24 UTC

ebuild net-fs/samba-4.1.11 does not compile for me:

Checking for system ldb >= 1.1.17 : not found
ERROR: System library ldb of version 1.1.17 not found, and bundling disabled
 * ERROR: net-fs/samba-4.1.11::gentoo failed (configure phase):
 *   configure failed

After manually updating ldb from 1.1.16 to the unstable version 1.1.17 it works. But this should be a dependency in the ebuild and not something I have to figure out on my own.

Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2014-08-06 10:59:03 UTC

(In reply to Gerald from comment #4)
> ebuild net-fs/samba-4.1.11 does not compile for me:
> 
> Checking for system ldb >= 1.1.17 : not found
> ERROR: System library ldb of version 1.1.17 not found, and bundling disabled
>  * ERROR: net-fs/samba-4.1.11::gentoo failed (configure phase):
>  *   configure failed
> 
> After manually updating ldb from 1.1.16 to the unstable version 1.1.17 it
> works. But this should be a dependency in the ebuild and not something I
> have to figure out on my own.

Should be fixed. Thanks for the report.

Comment 6 Agostino Sarubbo gentoo-dev

2014-08-06 14:19:49 UTC

This bug is invalid because we don't care about masked packages.

             |                             | u   |  
             | a a   a           p     s   | n   |  
             | l m   r h i m m   p s   p   | u s | r
             | p d a m p a 6 i p c 3   a x | s l | e
             | h 6 r 6 p 6 8 p p 6 9 s r 8 | e o | p
             | a 4 m 4 a 4 k s c 4 0 h c 6 | d t | o
-------------+-----------------------------+-----+-------
[M]3.5.21    | + + + o + + o ~ + + + + + + | o 0 | gentoo
[M]3.5.22    | + + + o + + o ~ ~ + ~ ~ + + | o   | gentoo
   3.6.23    | + + + o + + o ~ + + o o + + | o   | gentoo
[I]3.6.23-r1 | ~ + ~ o ~ ~ o ~ + ~ o o ~ + | o   | gentoo
   3.6.24    | ~ ~ ~ o ~ ~ o ~ ~ ~ o o ~ ~ | o   | gentoo
[M]4.0.19    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo
[M]4.0.21    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo
 [M]4.1.9    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo
[M]4.1.11    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo

Comment 7 Yury German Gentoo Infrastructure

2014-08-06 18:24:46 UTC

Ago, this was a valid bug.

Bug 447022 is to unmask 4.0, Version 4.0.19 is still hard masked as part of the tree which means if bug 447022 is completed, we could potentially unmask a vulnerable version. I am re-opening this bug and setting it as a block of 447022.

Comment 8 Agostino Sarubbo gentoo-dev

2014-08-07 09:41:30 UTC

(In reply to Yury German from comment #7)
> Ago, this was a valid bug.
> 
> Bug 447022 is to unmask 4.0, Version 4.0.19 is still hard masked as part of
> the tree which means if bug 447022 is completed, we could potentially unmask
> a vulnerable version. I am re-opening this bug and setting it as a block of
> 447022.

You are just make things in a 'reversed' manner.


Atm, samba is masked and then this bug is INVALID.

While you see samba-4 unmasked in tree, then you need to reopen this as ~2 [cleanup] instead of A2.

I hope that this logic is clear.


I'm not going to play with close another time, so if you guess I'm right after the explanation, please close.

Comment 9 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev

2014-08-08 08:16:02 UTC

+  08 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -samba-4.0.19.ebuild,
+  -samba-4.1.9.ebuild:
+  Removed vulnerable versions.
+

Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev

2014-08-08 10:17:40 UTC

Thanks

Comment 11 GLSAMaker/CVETool Bot gentoo-dev

2014-08-08 14:55:56 UTC

CVE-2014-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3560):
  NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x
  before 4.1.11 allows remote attackers to execute arbitrary code via
  unspecified vectors that modify heap memory, involving a sizeof operation on
  an incorrect variable in the unstrcpy macro in string_wrappers.h.