
Bug 915556 (CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, CVE-2023-42670)

Summary: <net-fs/samba-{4.18.8,4.19.1}: multiple vulnerabilities
Product: Gentoo Security
Reporter: Krzysztof Olędzki <ole+gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: critical
CC: ajak, joakim.tjernlund, sam, samba
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=910606
https://bugs.gentoo.org/show_bug.cgi?id=915867
Whiteboard: A1 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 915562    
Bug Blocks:    

Description Krzysztof Olędzki 2023-10-10 17:40:31 UTC
Once done, can we please also stabilize net-fs/samba-4.18.8 and then remove old versions from the tree (samba-4.18.4-r1, samba-4.18.5-r1, samba-4.18.6-r1, samba-4.18.7 and samba-4.19.0-r1)



                   ==============================
                   Release Notes for Samba 4.18.8
                          October 10, 2023
                   ==============================


This is a security release in order to address the following defects:


o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
                  existing unix domain sockets on the file system.
                  https://www.samba.org/samba/security/CVE-2023-3961.html

o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
                  OVERWRITE disposition when using the acl_xattr Samba VFS
                  module with the smb.conf setting
                  "acl_xattr:ignore system acls = yes"
                  https://www.samba.org/samba/security/CVE-2023-4091.html

o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
                  attributes, including secrets and passwords.  Additionally,
                  the access check fails open on error conditions.
                  https://www.samba.org/samba/security/CVE-2023-4154.html

o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
                  server block for a user-defined amount of time, denying
                  service.
                  https://www.samba.org/samba/security/CVE-2023-42669.html

o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
                  listeners, disrupting service on the AD DC.
                  https://www.samba.org/samba/security/CVE-2023-42670.html
                   ==============================
                   Release Notes for Samba 4.19.1
                          October 10, 2023
                   ==============================


This is a security release in order to address the following defects:


o CVE-2023-3961:  Unsanitized pipe names allow SMB clients to connect as root to
                  existing unix domain sockets on the file system.
                  https://www.samba.org/samba/security/CVE-2023-3961.html

o CVE-2023-4091:  SMB client can truncate files to 0 bytes by opening files with
                  OVERWRITE disposition when using the acl_xattr Samba VFS
                  module with the smb.conf setting
                  "acl_xattr:ignore system acls = yes"
                  https://www.samba.org/samba/security/CVE-2023-4091.html

o CVE-2023-4154:  An RODC and a user with the GET_CHANGES right can view all
                  attributes, including secrets and passwords.  Additionally,
                  the access check fails open on error conditions.
                  https://www.samba.org/samba/security/CVE-2023-4154.html

o CVE-2023-42669: Calls to the rpcecho server on the AD DC can request that the
                  server block for a user-defined amount of time, denying
                  service.
                  https://www.samba.org/samba/security/CVE-2023-42669.html

o CVE-2023-42670: Samba can be made to start multiple incompatible RPC
                  listeners, disrupting service on the AD DC.
                  https://www.samba.org/samba/security/CVE-2023-42670.html

Note that 4.19.1 should not be used in production yet. While it does fix the mentioned security bugs, there are still several functionality / stability fixes that are planned to be included in 4.19.2 with 2023-10-16 ETA (a week from now).
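As an added example (not part of the bug report or of Samba's own code), a defender-side check for the two actionable points in the release notes quoted above: whether an installed Samba version is at or past the fixed release of its branch (4.18.8 for 4.18.x, 4.19.1 for 4.19.x), and whether an smb.conf enables the acl_xattr combination named in CVE-2023-4091. The Gentoo `-rN` revision handling, the simplified boolean handling and the sample smb.conf are assumptions; branches other than 4.18 and 4.19 are reported as not covered by these notes.

```python
import re
# Fixed releases per branch, from the release notes quoted in the bug report.
FIXED = {(4, 18): (4, 18, 8), (4, 19): (4, 19, 1)}
# Constructed sample smb.conf (not from the bug): [global] loads acl_xattr and
# enables the setting named in CVE-2023-4091; [logs] overrides it back to no.
SAMPLE_SMB_CONF = """\
[global]
   vfs objects = acl_xattr
   acl_xattr:ignore system acls = yes
[data]
   path = /srv/data
[logs]
   acl_xattr:ignore system acls = no
"""

def parse_version(v):
    """'4.18.7' or Gentoo-style '4.18.6-r1' -> (4, 18, 6); the -rN revision is dropped (assumption)."""
    return tuple(int(x) for x in v.split("-", 1)[0].split("."))

def is_fixed(version):
    """True/False against the branch's fixed release; None if these notes do not cover the branch."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    return None if fixed is None else parsed >= fixed

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; keys lower-cased, whitespace collapsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][re.sub(r"\s+", " ", key.strip().lower())] = val.strip()
    return sections

def acl_xattr_exposed(conf):
    """Shares (after inheriting [global]) that load acl_xattr with 'ignore system acls' on."""
    hits = []
    for name, share in conf.items():
        merged = {**conf.get("global", {}), **share}  # share settings override [global]
        on = merged.get("acl_xattr:ignore system acls", "no").lower() in ("yes", "true", "1")
        if name != "global" and "acl_xattr" in merged.get("vfs objects", "").split() and on:
            hits.append(name)
    return hits
```

A share flagged by `acl_xattr_exposed` on a host where `is_fixed` returns False is the exact configuration the 4.18.8/4.19.1 notes describe for CVE-2023-4091; the version check alone covers the other four CVEs.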
Comment 1 Larry the Git Cow gentoo-dev 2023-10-10 18:04:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f9ca8ab1fb4782d6517f9e5b96d4da7ece2196e

commit 1f9ca8ab1fb4782d6517f9e5b96d4da7ece2196e
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-10-10 18:03:18 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-10-10 18:04:31 +0000

    net-fs/samba: add 4.18.8
    
    Bug: https://bugs.gentoo.org/915556
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.18.8.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fe87bbb5572ebbd784dc0d7825d745c3ea5fddcf

commit fe87bbb5572ebbd784dc0d7825d745c3ea5fddcf
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-10-10 17:50:29 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-10-10 18:04:31 +0000

    net-fs/samba: add 4.19.1
    
    Bug: https://bugs.gentoo.org/915556
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.19.1.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 00:15:35 UTC
(In reply to Krzysztof Olędzki from comment #0)
> Once done, can we please also stabilize net-fs/samba-4.18.8 and then remove
> old versions from the tree (samba-4.18.4-r1, samba-4.18.5-r1,
> samba-4.18.6-r1, samba-4.18.7 and samba-4.19.0-r1)
> [...]
> Note that 4.19.1 should not be used in production yet. While it does fixes
> the mentioned security bugs, there are still several functionality /
> stability fixes that are planned to be included in 4.19.2 with 2023-10-16
> ETA (a week from now).

Going forward, please link to the upstream advisory as well, but also make separate remarks in an additional comment to make them harder to miss.

See also https://bugs.gentoo.org/910606#c7.
Comment 3 Krzysztof Olędzki 2023-10-11 03:27:15 UTC
Will do, thank you so much Sam!

By "link to the upstream advisory" you mean adding links like "https://www.samba.org/samba/security/CVE-2023-3961.html" to "See Also" or something else?
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 03:36:39 UTC
(In reply to Krzysztof Olędzki from comment #3)
> Will do, thank you so much Sam!
> 

No, thank you for keeping on top of all of this!

> By "link to the upstream advisory" you mean adding links like
> "https://www.samba.org/samba/security/CVE-2023-3961.html" to "See Also" or
> something else?

Maybe chuck it in URL? I usually dump them at the top of the first comment though if there's multiple.

I think See Also has a bunch of restrictions (it has to recognise the link as a bug tracker).
Comment 5 Krzysztof Olędzki 2023-10-16 23:57:59 UTC
What is left here? GLSA and removal of the old ebuilds?
Comment 6 Hans de Graaff gentoo-dev Security 2023-10-17 12:22:56 UTC
(In reply to Krzysztof Olędzki from comment #5)
> What is left here? GLSA and removal of the old ebuilds?

Yes, as indicated by the whiteboard (although in general that isn't always up-to-date).
Comment 7 Hans de Graaff gentoo-dev Security 2024-02-09 14:27:56 UTC
Ping. Please remove the vulnerable versions.
Comment 8 Larry the Git Cow gentoo-dev 2024-02-09 17:13:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1ba820011c7aaea8f57f4dc6370ebe39e6ca1227

commit 1ba820011c7aaea8f57f4dc6370ebe39e6ca1227
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2024-02-09 17:11:53 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2024-02-09 17:13:36 +0000

    net-fs/samba: drop versions
    
    Bug: https://bugs.gentoo.org/915556
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest               |   9 -
 net-fs/samba/samba-4.18.4-r1.ebuild | 384 ------------------------------------
 net-fs/samba/samba-4.18.5-r1.ebuild | 383 -----------------------------------
 net-fs/samba/samba-4.18.6-r1.ebuild | 383 -----------------------------------
 net-fs/samba/samba-4.18.7.ebuild    | 383 -----------------------------------
 net-fs/samba/samba-4.18.9.ebuild    | 383 -----------------------------------
 net-fs/samba/samba-4.19.0-r1.ebuild | 382 -----------------------------------
 net-fs/samba/samba-4.19.1.ebuild    | 382 -----------------------------------
 net-fs/samba/samba-4.19.2.ebuild    | 382 -----------------------------------
 net-fs/samba/samba-4.19.3.ebuild    | 382 -----------------------------------
 10 files changed, 3453 deletions(-)
Comment 9 Larry the Git Cow gentoo-dev 2024-02-19 06:10:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9df376ebb50854c82bdbbc1e4f71d408e449fc54

commit 9df376ebb50854c82bdbbc1e4f71d408e449fc54
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 06:05:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-28 ] Samba: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891267
    Bug: https://bugs.gentoo.org/910606
    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-28.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)