
Bug 891267 (CVE-2018-14628)

Summary: <net-fs/samba-{4.18.9,4.19.3}: insufficient object deletion
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: ajak, bkohler, ole+gentoo, samba
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.samba.org/samba/history/samba-4.19.3.html
Whiteboard: B4 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 920512
Bug Blocks:

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-01-18 04:48:04 UTC
CVE-2018-14628 (https://bugzilla.samba.org/show_bug.cgi?id=13595):
https://bugzilla.redhat.com/show_bug.cgi?id=1625445

An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.

Doesn't seem like fixes ever made it to git.
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-27 18:40:45 UTC
4.19.3 has been released with a fix according to the release notes:

"This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bug CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html"

Note that manual administrator intervention will be required to fix this.
Comment 2 Larry the Git Cow gentoo-dev 2023-11-27 20:46:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f65207b4f907c4ca868ce51d94fe24bb9e9e9924

commit f65207b4f907c4ca868ce51d94fe24bb9e9e9924
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-11-27 20:44:27 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-11-27 20:46:16 +0000

    net-fs/samba: add 4.19.3
    
    Bug: https://bugs.gentoo.org/891267
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.19.3.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Comment 3 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-11-28 00:20:18 UTC
Hm, new branch, are we able to stabilize? If not, are we sure there are no fixes in older branches that we'd be able to stabilize?
Comment 4 Ben Kohler gentoo-dev 2023-11-28 16:11:46 UTC
I think we're ok to start stabilization on 4.19.3, I don't know of any outstanding regressions on the new series.
Comment 5 Krzysztof Olędzki 2023-12-02 01:16:05 UTC
Samba is a really large and complex system and my experience with the last several main releases was that it was often taking several months for all critical regressions to be first identified and then fixed.

So, while samba-4.19 was released 3 months ago and so 4.19.3 seems like a good target, perhaps we can also include 4.18.9 [1] which has the same fix?

At the same time, we probably also want to drop samba-4.18.4-r1.ebuild, samba-4.18.5-r1.ebuild, samba-4.18.6-r1.ebuild and samba-4.18.7.ebuild from the tree? See https://bugs.gentoo.org/915556

Same for samba-4.19.1.ebuild - https://bugs.gentoo.org/915867.

[1] https://www.samba.org/samba/history/samba-4.18.9.html
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-12-03 20:55:05 UTC
Ah, looks like 4.18.9 got a fix for this as well!
Comment 7 Larry the Git Cow gentoo-dev 2023-12-04 21:03:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=06001d963251a6b3fb59d2a17ad7a695789e70f0

commit 06001d963251a6b3fb59d2a17ad7a695789e70f0
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-12-04 21:02:44 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-12-04 21:03:34 +0000

    net-fs/samba: add 4.18.9
    
    Bug: https://bugs.gentoo.org/891267
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.18.9.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2024-02-19 06:10:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9df376ebb50854c82bdbbc1e4f71d408e449fc54

commit 9df376ebb50854c82bdbbc1e4f71d408e449fc54
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 06:05:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-28 ] Samba: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891267
    Bug: https://bugs.gentoo.org/910606
    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-28.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)