
Bug 578004 (CVE-2016-2118)

Summary: <net-fs/samba-{4.2.11,4.3.8,4.4.2}: man-in-the-middle attack (CVE-2015-5370, CVE-2016-{2110,2111,2112,2113,2114,2115,2118}) (BADLOCK)
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Frank Krömmelbein <kroemmelbein>
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
Priority: Normal
CC: gentoo, limanski, pinkbyte, samba, sergeev917
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 578498, 578668
Bug Blocks:

Description Frank Krömmelbein 2016-03-22 16:05:38 UTC
http://badlock.org/

On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock.

Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.

Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.)

Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
Comment 1 Agostino Sarubbo gentoo-dev 2016-03-22 20:51:56 UTC
@samba, can we prepare to have 4.x stable?
Comment 2 Frank Krömmelbein 2016-03-26 17:07:47 UTC
Update:

Patches will be available for Samba 4.4, Samba 4.3 and Samba 4.2 on April 12th.

With the release of Samba 4.4.0 on March 22nd the 4.1 release branch has been marked DISCONTINUED.

Please be aware that Samba 4.1 and below are out of support, even for security fixes. We strongly advise users to upgrade to a supported release.
Comment 3 Frank Krömmelbein 2016-04-12 18:14:59 UTC
Public:

Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases Available for Download

These are Security Releases in order to address CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115 and CVE-2016-2118.

Affected Versions: 3.6.x, 4.0.x, 4.1.x, 4.2.0-4.2.9, 4.3.0-4.3.6, 4.4.0 (earlier versions have not been assessed)

Patched Versions: 4.2.10 / 4.2.11, 4.3.7 / 4.3.8 and 4.4.1 / 4.4.2 (both the interim and final security release have the patches).
Comment 4 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-04-12 20:12:15 UTC
commit 058eb202b4c757f889daf21e114188c7119c3be6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Tue Apr 12 22:08:22 2016

    net-fs/samba: Security bump to versions 4.2.11, 4.3.8 and 4.4.2 (bug #578004).

    Package-Manager: portage-2.2.28
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Feel free to start stabilization calls.
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-04-12 20:12:35 UTC
That is for samba-4.2.11
Comment 6 Sergey Popov gentoo-dev 2016-04-13 05:29:17 UTC
*** Bug 579802 has been marked as a duplicate of this bug. ***
Comment 7 Sergey Popov gentoo-dev 2016-04-13 05:33:55 UTC
Arches, please test and mark stable =net-fs/samba-4.2.11

Target keywords: amd64 arm ia64 ppc ppc64 sparc x86
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-04-13 05:44:39 UTC
CVE-2016-2118 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2118):
  The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before
  4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC
  connections, which allows man-in-the-middle attackers to perform
  protocol-downgrade attacks and impersonate users by modifying the
  client-server data stream, aka "BADLOCK."
Comment 9 Agostino Sarubbo gentoo-dev 2016-04-13 07:24:04 UTC
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-04-13 07:24:32 UTC
x86 stable
Comment 11 Mike Limansky 2016-04-13 16:57:41 UTC
According to https://www.samba.org/samba/history/security.html there is a patch for 3.6.25 as well.

It would be nice to have 3.6.25-r1 with the patch.
Comment 12 Markus Meier gentoo-dev 2016-04-19 15:58:42 UTC
arm stable
Comment 13 Jeroen Roovers (RETIRED) gentoo-dev 2016-04-23 10:31:06 UTC
Stable for HPPA PPC64.
Comment 14 Agostino Sarubbo gentoo-dev 2016-07-08 08:18:18 UTC
ppc stable
Comment 15 Agostino Sarubbo gentoo-dev 2016-07-08 08:42:49 UTC
sparc stable
Comment 16 Agostino Sarubbo gentoo-dev 2016-07-08 13:29:41 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 17:29:08 UTC
@ Maintainer(s): Please apply patches from https://www.samba.org/samba/ftp/patches/security/samba-v3-6-security-2016-04-12.tar.xz to =net-fs/samba-3.6.25 and do a rev bump.
Comment 18 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-24 16:00:52 UTC
@ Maintainer(s): I talked to Tobias (alpha arch). Bug 578668 is blocking alpha from using recent samba. Like posted by Matt in the same bug, a patch was sent upstream. Tobias will test the patch later this week. If it works we will cherry-pick the patch so alpha can move to stable samba as well and we can drop the remaining vulnerable version to proceed with this bug.
Comment 19 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-28 16:37:17 UTC
Short update: Thanks to the now resolved bug 578668 alpha is currently re-keywording net-fs/samba and will move to the fixed stable version as well. Once this is done we can proceed with the cleanup.
Comment 20 Tobias Klausmann (RETIRED) gentoo-dev 2016-12-19 10:56:34 UTC
Stable on alpha.
Comment 21 Thomas Deutschmann (RETIRED) gentoo-dev 2016-12-19 13:24:39 UTC
@ Maintainer(s): Please drop =net-fs/samba-3.6.25.
Comment 22 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-12-19 13:34:33 UTC
commit 0aa1ea43d64b5c40839f1fbb4c1a176c5826ba6c
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Mon Dec 19 14:33:06 2016

    net-fs/samba: Security cleanup (bug #578004).

    Package-Manager: Portage-2.3.3, Repoman-2.3.1
Comment 23 GLSAMaker/CVETool Bot gentoo-dev 2016-12-24 07:26:54 UTC
This issue was resolved and addressed in
 GLSA 201612-47 at https://security.gentoo.org/glsa/201612-47
by GLSA coordinator Aaron Bauman (b-man).