Bug 619516 (CVE-2017-7494) - <net-fs/samba-4.5.10: Loading shared modules from any path in the system leading to RCE
Status: RESOLVED FIXED
Alias: CVE-2017-7494
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major
Assignee: Gentoo Security
URL: https://www.samba.org/samba/security/...
Whiteboard: B1 [glsa+ cve]
Keywords:
Duplicates: 619632
Depends on: CVE-2016-2119 591304 621624 CVE-2017-14746, CVE-2017-15275 CVE-2018-1050, CVE-2018-1057
Blocks: 616774
Reported: 2017-05-24 08:27 UTC by Liferer
Modified: 2018-05-22 22:30 UTC (History)

See Also:
Package list:
=net-dns/resolv_wrapper-1.1.5 =net-fs/samba-4.5.10-r1 =net-libs/socket_wrapper-1.1.7 =sys-libs/ldb-1.1.29-r1 =sys-libs/nss_wrapper-1.1.3 =sys-libs/talloc-2.1.9 =sys-libs/tdb-1.3.13 =sys-libs/tevent-0.9.31-r1 =sys-libs/uid_wrapper-1.2.1
Runtime testing required: ---
stable-bot: sanity-check-


Description Liferer 2017-05-24 08:27:32 UTC
====================================================================
== Subject:     Remote code execution from a writable share.
==
== CVE ID#:     CVE-2017-7494
==
== Versions:    All versions of Samba from 3.5.0 onwards.
==
== Summary:     Malicious clients can upload and cause the smbd server
==              to execute a shared library from a writable share.
==
====================================================================

===========
Description
===========

All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Add the parameter:

nt pipe support = no

to the [global] section of your smb.conf and restart smbd. This
prevents clients from accessing any named pipe endpoints. Note this
can disable some expected functionality for Windows clients.

=======
Credits
=======

This problem was found by steelo <knownsteelo@gmail.com>. Volker
Lendecke of SerNet and the Samba Team provided the fix.
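
An added example, not part of the advisory or of Samba's code: a Python check that classifies a host from its Samba version and smb.conf text, using the fixed releases and the workaround given above. The function names and the sample configuration are constructed for illustration; treating series newer than 4.6 as fixed is an assumption, and a version string alone cannot show a vendor-backported patch.

```python
import re

# Security releases named in the advisory, keyed by release series.
FIXED = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)
FALSE_VALUES = {"no", "false", "0", "off"}  # smb.conf boolean spellings

def version_affected(version):
    """True if an unpatched Samba of this version is in the affected range."""
    v = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    if v < FIRST_AFFECTED:
        return False
    if v[:2] in FIXED:
        return v < FIXED[v[:2]]
    # Assumption: series newer than 4.6 were released with the fix included.
    # Series older than 4.4 got patches only, so they count as affected.
    return v[:2] < (4, 4)

def nt_pipe_support_disabled(conf_text):
    """True if [global] sets 'nt pipe support' to a false value."""
    section, disabled = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        # Samba ignores case and whitespace in parameter names.
        if re.sub(r"\s+", "", key).lower() == "ntpipesupport":
            disabled = value.strip().lower() in FALSE_VALUES
    return disabled

def assess(version, conf_text):
    """Combine the version range and the workaround into one verdict."""
    if not version_affected(version):
        return "fixed-or-unaffected"
    if nt_pipe_support_disabled(conf_text):
        return "workaround-applied"
    return "exposed"

# Constructed sample configuration (not taken from the bug report).
SAMPLE_CONF = ("[global]\n  workgroup = EXAMPLE\n  NT Pipe Support = No\n"
               "[share]\n  path = /srv/share\n  writable = yes\n")

if __name__ == "__main__":
    print(assess("4.5.9", SAMPLE_CONF))
```

The parser reads a single file and does not follow include directives, so a "workaround-applied" result should be confirmed against the configuration smbd actually loaded.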
Comment 1 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-05-24 09:45:48 UTC
commit 495f960e6f59116bc5ed7359921dd5e64d3c8204
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Wed May 24 11:44:09 2017

    net-fs/samba: Security bump to versions 4.5.10 and 4.6.4 (bug #619516).
    
    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 2 John R. Graham gentoo-dev 2017-05-25 03:13:55 UTC
*** Bug 619632 has been marked as a duplicate of this bug. ***
Comment 3 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-05-26 09:25:49 UTC
Arches please test and mark stable the following list of packages:

=net-fs/samba-4.5.10
=sys-libs/ldb-1.1.29-r1
=sys-libs/talloc-2.1.9
=sys-libs/tdb-1.3.13
=sys-libs/tevent-0.9.31-r1


Target KEYWORDS are:

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 4 Michael Weber (RETIRED) gentoo-dev 2017-05-26 10:44:46 UTC
src_configure failure on ppc and ppc64

Checking for system resolv_wrapper >= 1.1.4                                       : not found
ERROR: System library resolv_wrapper of version 1.1.4 not found, and bundling disabled
Comment 5 Michael Weber (RETIRED) gentoo-dev 2017-05-26 11:03:11 UTC
src_configure failure on ppc and ppc64

Checking for system socket_wrapper >= 1.1.7                                       : not found
ERROR: System library socket_wrapper of version 1.1.7 not found, and bundling disabled
Comment 6 Michael Weber (RETIRED) gentoo-dev 2017-05-26 11:24:09 UTC
You'd like to add

DEPEND+="test? ( >=net-libs/socket_wrapper-1.1.7
    >=net-dns/resolv_wrapper-1.1.4 )"
Comment 7 Michael Weber (RETIRED) gentoo-dev 2017-05-26 11:30:13 UTC
(In reply to Michael Weber from comment #6)
> You'd like to add
> 
> DEPEND+="test? ( >=net-libs/socket_wrapper-1.1.7
>     >=net-dns/resolv_wrapper-1.1.4 )"

sry, uncond. RDEPEND.
Comment 8 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-05-26 11:44:33 UTC
commit 03dddbf85b3437544b19947e16b05096f88c397d (HEAD -> master, origin/master, origin/HEAD)
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri May 26 13:38:33 2017

    net-fs/samba: Added missing test deps. Removed missing keywords.

    Package-Manager: Portage-2.3.6, Repoman-2.3.2
Comment 9 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2017-05-26 11:47:15 UTC
Arches please test and mark stable the following list of packages:

=net-dns/resolv_wrapper-1.1.5 (USE="test" only)
=net-fs/samba-4.5.10
=net-libs/socket_wrapper-1.1.7 (USE="test" only)
=sys-libs/ldb-1.1.29-r1
=sys-libs/nss_wrapper-1.1.3 (USE="test" only)
=sys-libs/talloc-2.1.9
=sys-libs/tdb-1.3.13
=sys-libs/tevent-0.9.31-r1
=sys-libs/uid_wrapper-1.2.1 (USE="test" only)


Target KEYWORDS are:

alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 10 Agostino Sarubbo gentoo-dev 2017-05-26 13:48:36 UTC
amd64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-05-26 14:06:57 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2017-05-26 15:01:33 UTC
ppc64 stable
Comment 13 Tobias Klausmann (RETIRED) gentoo-dev 2017-05-27 13:24:42 UTC
Stable on alpha.
Comment 14 Agostino Sarubbo gentoo-dev 2017-06-10 13:47:15 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2017-06-10 15:20:16 UTC
ia64 stable
Comment 16 Agostino Sarubbo gentoo-dev 2017-06-21 12:00:07 UTC
ppc stable
Comment 17 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 15:08:54 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 18 Stabilization helper bot gentoo-dev 2017-09-30 11:00:33 UTC
An automated check of this bug failed - the following atom is unknown:

net-fs/samba-4.5.10

Please verify the atom list.
Comment 19 Stabilization helper bot gentoo-dev 2017-11-28 03:00:58 UTC
An automated check of this bug failed - the following atom is unknown:

net-fs/samba-4.5.10

Please verify the atom list.
Comment 20 Stabilization helper bot gentoo-dev 2018-03-14 23:00:27 UTC
An automated check of this bug failed - the following atom is unknown:

net-fs/samba-4.5.10-r1

Please verify the atom list.
Comment 21 Matt Turner gentoo-dev 2018-03-21 22:17:18 UTC
https://bugs.gentoo.org/639024#c19
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2018-05-22 22:30:45 UTC
This issue was resolved and addressed in
 GLSA 201805-07 at https://security.gentoo.org/glsa/201805-07
by GLSA coordinator Aaron Bauman (b-man).