Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 568432 (CVE-2015-3223) - <net-fs/samba-{4.1.22,4.2.7,4.3.3} - <sys-libs/ldb-1.1.24: Multiple vulnerabilities (CVE-2015-{3223,5252,5296,5299,5330,7540,8467})
Summary: <net-fs/samba-{4.1.22,4.2.7,4.3.3} - <sys-libs/ldb-1.1.24: Multiple vulnerabi...
Status: RESOLVED FIXED
Alias: CVE-2015-3223
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B3 [glsa cve]
Keywords:
Depends on: 578498
Blocks:
  Show dependency tree
 
Reported: 2015-12-16 13:43 UTC by Brian Evans
Modified: 2016-12-24 07:26 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Brian Evans Gentoo Infrastructure gentoo-dev 2015-12-16 13:43:25 UTC
This is a security release in order to address the following CVEs:

o  CVE-2015-7540 (Remote DoS in Samba (AD) LDAP server)
o  CVE-2015-3223 (Denial of service in Samba Active Directory
		  server)
o  CVE-2015-5252 (Insufficient symlink verification in smbd)
o  CVE-2015-5299 (Missing access control check in shadow copy
		  code)
o  CVE-2015-5296 (Samba client requesting encryption vulnerable
		  to downgrade attack)
o  CVE-2015-8467 (Denial of service attack against Windows
		  Active Directory server)
o  CVE-2015-5330 (Remote memory read in Samba LDAP server)

Please note that if building against a system libldb, the required
version has been bumped to ldb-1.1.24.  This is needed to ensure
we build against a system ldb library that contains the fixes
for CVE-2015-5330 and CVE-2015-3223.

=======
Details
=======

o  CVE-2015-7540:
   All versions of Samba from 4.0.0 to 4.1.21 inclusive are vulnerable to
   an anonymous memory exhaustion attack in the samba daemon LDAP server.

   A malicious client can send packets that cause the LDAP server provided
   by the AD DC in the samba daemon process to consume unlimited memory
   and be terminated.

o  CVE-2015-3223:
   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
   ldb versions up to 1.1.23 inclusive) are vulnerable to
   a denial of service attack in the samba daemon LDAP server.

   A malicious client can send packets that cause the LDAP server in the
   samba daemon process to become unresponsive, preventing the server
   from servicing any other requests.

   This flaw is not exploitable beyond causing the code to loop expending
   CPU resources.

o  CVE-2015-5252:
   All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
   a bug in symlink verification, which under certain circumstances could
   allow client access to files outside the exported share path.

   If a Samba share is configured with a path that shares a common path
   prefix with another directory on the file system, the smbd daemon may
   allow the client to follow a symlink pointing to a file or directory
   in that other directory, even if the share parameter "wide links" is
   set to "no" (the default).

o  CVE-2015-5299:
   All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
   a missing access control check in the vfs_shadow_copy2 module. When
   looking for the shadow copy directory under the share path the current
   accessing user should have DIRECTORY_LIST access rights in order to
   view the current snapshots.

   This was not being checked in the affected versions of Samba.

o  CVE-2015-5296:
   Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
   signing is negotiated when creating an encrypted client connection to
   a server.

   Without this a man-in-the-middle attack could downgrade the connection
   and connect using the supplied credentials as an unsigned, unencrypted
   connection.

o  CVE-2015-8467:
   Samba, operating as an AD DC, is sometimes operated in a domain with a
   mix of Samba and Windows Active Directory Domain Controllers.

   All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
   an AD DC in the same domain with Windows DCs, could be used to
   override the protection against the MS15-096 / CVE-2015-2535 security
   issue in Windows.

   Prior to MS16-096 it was possible to bypass the quota of machine
   accounts a non-administrative user could create.  Pure Samba domains
   are not impacted, as Samba does not implement the
   SeMachineAccountPrivilege functionality to allow non-administrator
   users to create new computer objects.

o  CVE-2015-5330:
   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
   ldb versions up to 1.1.23 inclusive) are vulnerable to
   a remote memory read attack in the samba daemon LDAP server.

   A malicious client can send packets that cause the LDAP server in the
   samba daemon process to return heap memory beyond the length of the
   requested value.

   This memory may contain data that the client should not be allowed to
   see, allowing compromise of the server.

   The memory may either be returned to the client in an error string, or
   stored in the database by a suitabily privileged user.  If untrusted
   users can create objects in your database, please confirm that all DN
   and name attributes are reasonable.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6568B7EA).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

Patches addressing this defect have been posted to

        https://www.samba.org/samba/history/security.html

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.3.3.html
        https://www.samba.org/samba/history/samba-4.2.7.html
        https://www.samba.org/samba/history/samba-4.1.22.html

The uncompressed ldb tarball has been signed using GnuPG (ID 13084025).
The ldb-1.1.24 source code can be downloaded from:

        https://download.samba.org/pub/ldb/ldb-1.1.24.tar.gz

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2015-12-16 14:27:36 UTC
commit c0a1144a4485149c25782a5b3b4dfddaca79dbcd
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Dec 16 14:57:40 2015

    sys-libs/ldb: Security bump to version 1.1.24 (bug #568432).

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


commit 066e135c8b38e4d7960abbfbf446e43775c792f6
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed Dec 16 15:17:47 2015

    net-fs/samba: Security bump to versions 4.1.22, 4.2.7 and 4.3.3

    See also bug #568432

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


Okay guys... we're now at that very unpleaseant point where we must decide how to further handle samba packages:
As this bug report clearly states that all of our stable samba packages are affected by one or more of these CVEs. Thus we need to get some 4.x samba version stable or we remove(/mask?) all stable samba packages and thus won't provide any samba package for stable users anymore.
I have neither the time nor the technical samba background knowledge to handle the task of stabilizing such an unthankful and complex package samba unfortuantely is.
Comment 2 Agostino Sarubbo gentoo-dev 2015-12-29 11:12:17 UTC
We can stabilize the libraries for now, and we will see what to do with samba later.

Arches, please test and mark stable:
=sys-libs/ldb-1.1.24
=sys-libs/talloc-2.1.5
=sys-libs/tevent-0.9.26
=sys-libs/tdb-1.3.8
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2015-12-29 11:43:10 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2015-12-29 11:43:59 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-02 15:40:39 UTC
Why exactly is it that samba 4 cannot go stable?
Comment 6 Víctor Ostorga (RETIRED) gentoo-dev 2016-01-03 01:52:00 UTC
(In reply to Jeroen Roovers from comment #5)
> Why exactly is it that samba 4 cannot go stable?

Let's make it stable
Comment 7 Lars Wendler (Polynomial-C) gentoo-dev 2016-01-04 16:27:13 UTC
(In reply to Víctor Ostorga from comment #6)
> (In reply to Jeroen Roovers from comment #5)
> > Why exactly is it that samba 4 cannot go stable?
> 
> Let's make it stable

If you want to cause more problems like 

  https://forums.gentoo.org/viewtopic-t-1036156.html

then go ahead. Sorry that I cannot add anything constructive here but when we stabilize samba-4 before it got multilib support we are going to make a lot of users even more unhappy.
Comment 8 Víctor Ostorga (RETIRED) gentoo-dev 2016-01-04 16:41:56 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #7)
> (In reply to Víctor Ostorga from comment #6)
> > (In reply to Jeroen Roovers from comment #5)
> > > Why exactly is it that samba 4 cannot go stable?
> > 
> > Let's make it stable
> 
> If you want to cause more problems like 
> 
>   https://forums.gentoo.org/viewtopic-t-1036156.html
> 
> then go ahead. Sorry that I cannot add anything constructive here but when
> we stabilize samba-4 before it got multilib support we are going to make a
> lot of users even more unhappy.

There will always be problems, that's why we are here, to fix them.
Multilib is still on work, I am reaching upstream to check how to fix it, but right now some samba software was not created with multilib on mind.

I vote to make samba 4 stable, even with the problems that would arise. Samba 3 is dead upstream.
Comment 9 Agostino Sarubbo gentoo-dev 2016-01-07 10:14:22 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-01-07 10:15:04 UTC
ppc64 stable
Comment 11 Markus Meier gentoo-dev 2016-01-07 20:32:31 UTC
arm stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-01-08 08:36:38 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-01-08 08:37:18 UTC
alpha stable
Comment 14 Agostino Sarubbo gentoo-dev 2016-01-09 06:26:45 UTC
sparc stable
Comment 15 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-12 07:26:12 UTC
(In reply to Lars Wendler (Polynomial-C) from comment #7)
> (In reply to Víctor Ostorga from comment #6)
> > (In reply to Jeroen Roovers from comment #5)
> > > Why exactly is it that samba 4 cannot go stable?
> > 
> > Let's make it stable
> 
> If you want to cause more problems like 

<vague forum reference>

I thought we had a bug tracker for tracking bugs. In this case we should have an additional tracker bug to track those, maybe?
Comment 16 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-12 07:26:32 UTC
Stable for HPPA.
Comment 17 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 07:33:28 UTC
Following up on this bug.
Version 3.6.25 is vulnerable unless I missed some patching. 4.X still makes for bug-fixing.
Comment 18 Thomas Deutschmann gentoo-dev Security 2016-11-21 17:20:45 UTC
@ Security: Please vote!
Comment 19 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-22 03:19:18 UTC
GLSA Vote: No(In reply to Yury German from comment #17)
> Following up on this bug.
> Version 3.6.25 is vulnerable unless I missed some patching. 4.X still makes
> for bug-fixing.

As Yury mentioned 3.6.25 is vulnerable.  

@maintainers, now that 4.2.11 is stable can 3.6.25 be removed?

GLSA Vote: No
Comment 20 GLSAMaker/CVETool Bot gentoo-dev 2016-12-24 07:26:46 UTC
This issue was resolved and addressed in
 GLSA 201612-47 at https://security.gentoo.org/glsa/201612-47
by GLSA coordinator Aaron Bauman (b-man).