Summary: | <net-fs/samba-4.12.9: Multiple vulnerabilities (CVE-2020-{14318,14323,14383}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | samba |
Priority: | Normal | Flags: | nattka:
sanity-check+
|
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://lists.samba.org/archive/samba-announce/2020/000540.html | ||
Whiteboard: | B3 [glsa+ cve] | ||
Package list: |
sys-libs/ldb-2.1.4-r1 amd64 ppc ppc64 sparc
net-fs/samba-4.12.9-r1 amd64 arm arm64 ppc ppc64 sparc x86
sys-libs/liburing-0.7-r1 amd64 ppc ppc64 sparc
dev-perl/Parse-Yapp-1.210.0 amd64 ppc ppc64 sparc
|
Runtime testing required: | --- |
Description
Sam James
2020-10-29 09:53:00 UTC
Please bump to 4.11.15, 4.12.9, 4.13.1. ---- o CVE-2020-14318: The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs. A missing permissions check on a directory handle requesting ChangeNotify meant that a client with a directory handle open only for FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change notify replies from the server. These replies contain information that should not be available to directory handles open for FILE_READ_ATTRIBUTE only. o CVE-2020-14323: winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also offer this batch operation on the winbind unix domain stream socket that is available to local processes on the Samba server to reduce network round-trips to the domain controller. Due to improper input validation a hand-crafted packet can make winbind perform a NULL pointer dereference and thus crash. o CVE-2020-14383: Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd9d18055cfcabd4fc41f983549efa70873a7a0a commit fd9d18055cfcabd4fc41f983549efa70873a7a0a Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2020-10-29 10:08:06 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2020-10-29 10:21:09 +0000 net-fs/samba: Security bump to versions 4.12.9 and 4.13.1 Bug: https://bugs.gentoo.org/751724 Package-Manager: Portage-3.0.8, Repoman-3.0.2 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> net-fs/samba/Manifest | 2 + net-fs/samba/samba-4.12.9.ebuild | 318 ++++++++++++++++++++++++++++++++++++++ net-fs/samba/samba-4.13.1.ebuild | 321 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 641 insertions(+) We're not supporting samba-4.11.x any longer x86 stable amd64 stable arm64 done arm done Unable to check for sanity:
> no match for package: sys-libs/liburing-0.7
Unable to check for sanity:
> no match for package: net-fs/samba-4.12.9
sparc done ppc, ppc64, sparc: ping (In reply to Sam James from comment #11) > ppc, ppc64, sparc: ping uh, just ppc{,64} ppc done Added to an existing GLSA. This issue was resolved and addressed in GLSA 202012-24 at https://security.gentoo.org/glsa/202012-24 by GLSA coordinator Thomas Deutschmann (whissi). Re-opening for remaining architecture. ppc64 done all arches done Please cleanup, thanks! The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd36e0d021a4f14c9dec5126148aa069a9be41ef commit fd36e0d021a4f14c9dec5126148aa069a9be41ef Author: Lars Wendler <polynomial-c@gentoo.org> AuthorDate: 2021-01-09 21:19:50 +0000 Commit: Lars Wendler <polynomial-c@gentoo.org> CommitDate: 2021-01-09 21:20:41 +0000 net-fs/samba: Security cleanup Bug: https://bugs.gentoo.org/751724 Package-Manager: Portage-3.0.12, Repoman-3.0.2 Signed-off-by: Lars Wendler <polynomial-c@gentoo.org> net-fs/samba/Manifest | 4 - net-fs/samba/samba-4.11.13-r1.ebuild | 321 ----------------------------------- net-fs/samba/samba-4.12.7-r2.ebuild | 318 ---------------------------------- net-fs/samba/samba-4.12.8-r1.ebuild | 318 ---------------------------------- net-fs/samba/samba-4.13.1-r1.ebuild | 321 ----------------------------------- 5 files changed, 1282 deletions(-) All done! |