Bug 62476 - net-fs/samba Remote Print Change Notify Denial Of Service Vulnerability
Summary: net-fs/samba Remote Print Change Notify Denial Of Service Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/bid/11055
Whiteboard: ? [?] jaervosz
Keywords:
Depends on: 58529
Blocks:
Reported: 2004-08-31 23:43 UTC by Sune Kloppenborg Jeppesen
Modified: 2011-10-30 22:39 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Sune Kloppenborg Jeppesen gentoo-dev 2004-08-31 23:43:22 UTC
From http://www.securityfocus.com/archive/1/373619

Version(s): prior to 3.0.6, prior to 2.2.11 
 
Description:  A vulnerability was reported in Samba. A remote authenticated user can
cause smbd to crash. 

The vendor reported that a remote authenticated user can send a FindNextPrintChangeNotify()
request without having previously sent a corresponding FindFirstPrintChangeNotify()
request to cause smbd to crash.

This behavior can be triggered by a Windows XP SP2 client.

The flaw resides in printer_notify_info() in 'rpc_server/srv_spoolss_nt.c'.

Craig Huegen reported this flaw to the vendor. 
 
Impact:  A remote authenticated user can cause smbd to crash.
 
Solution:  The vendor has released a fixed version (3.0.6 and 2.2.11), available at:

http://samba.org/samba/download/
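To make the request-ordering bug in the description concrete, here is an added C model (not Samba's code; the struct names, status values and function names are constructed for illustration): a FindNext handler that touches per-connection notify state without checking that a FindFirst ever created it, beside the checked form that answers the out-of-sequence request with an error code instead, which is what the 3.0.6 workaround does.

```c
#include <stdlib.h>

/* Hypothetical per-connection state for print change notification.
 * Constructed for this example; not Samba's real structures. */
typedef struct {
    int printer_handle;        /* handle registered by FindFirst */
    unsigned int event_count;  /* notifications handed out so far */
} notify_ctx;

typedef struct {
    notify_ctx *notify;        /* NULL until FindFirstPrintChangeNotify */
} client_session;

/* Constructed status values; the real spoolss error codes are not on the page. */
enum { STATUS_OK = 0, STATUS_BAD_HANDLE = 1 };

/* FindFirstPrintChangeNotify: creates the notify context for this session. */
int find_first_print_change_notify(client_session *s, int printer_handle) {
    if (s == NULL || s->notify != NULL) return STATUS_BAD_HANDLE; /* already set up */
    s->notify = calloc(1, sizeof *s->notify);
    if (s->notify == NULL) return STATUS_BAD_HANDLE;
    s->notify->printer_handle = printer_handle;
    return STATUS_OK;
}

/* Unchecked variant, the bug class the report describes: a FindNext with no
 * prior FindFirst dereferences a NULL context, and the process serving that
 * one client dies (a self-inflicted crash, as comment 17 notes). */
int find_next_unchecked(client_session *s, unsigned int *events_out) {
    *events_out = ++s->notify->event_count;  /* NULL deref when out of sequence */
    return STATUS_OK;
}

/* Hardened variant: validate protocol state before touching it and return
 * an error for the out-of-sequence request instead of crashing. */
int find_next_print_change_notify(client_session *s, unsigned int *events_out) {
    if (s == NULL || s->notify == NULL) {
        *events_out = 0;
        return STATUS_BAD_HANDLE;
    }
    *events_out = ++s->notify->event_count;
    return STATUS_OK;
}

/* Release the notify context when the client disconnects. */
void session_close(client_session *s) {
    free(s->notify);
    s->notify = NULL;
}
```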
Comment 1 Sune Kloppenborg Jeppesen gentoo-dev 2004-08-31 23:50:45 UTC
We already have samba-3.0.6-r2 in portage; is it ready to be marked stable on arches?

From Samba.org:

Samba 3.0.7 Coming Soon


Samba 3.0.7 is scheduled for release next week in order to fix a couple of fairly visible bugs in 3.0.6, which include (from Jerry Carter's post to samba-technical):

snum mismatches on home directories after relogin from Windows domain member (Samba domain)
winbind bug that causes 'getent passwd DOMAIN\user' to fail when filling in the information using the samlogon_cache
possible printing bugs (still working on this one). bugzilla #id: 1464 
unconfirmed upgrade bugs with XP clients (still not sure about this one) (no bug #id)

Until the release is available, those in need of immediate fixes can find patches here.
Comment 2 Christian Andreetta (RETIRED) gentoo-dev 2004-09-01 02:39:58 UTC
just committed samba-3.0.6-r3 (as 3.0.6-r2, with all of Jerry Carter's latest patches). This could be made stable for arm, mips, sparc, x86.
Support for alpha, amd64, hppa, ia64, ppc, ppc64, s390 is still missing because of a perl dependency in case of ldap use: this is only (I think ;) due to lack of arch testing.
Bug 58529 was opened for this, but these arches are still pending.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-09-01 03:13:21 UTC
arm, mips, sparc, x86 : please test and mark 3.0.6-r3 stable if OK.

Other arches are blocked by bug 58529. We'll have to wait for this one to be solved to issue a GLSA about this.
Comment 4 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-01 06:11:08 UTC
samba-3.0.6-r3 fine for sparc, stabled.
Comment 5 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-06 10:53:37 UTC
Please mark >=3.0.6 stable.

Note that some archs need to mark Bug #58529 stable also
Comment 6 Danny van Dyk (RETIRED) gentoo-dev 2004-09-06 14:46:38 UTC
=3.0.6* won't configure on amd64 due to problems with libpam. It would have been
nice if the samba maintainer would have filed a bug when he masked samba-3.0.6* on
some archs (as the policy for version bumps suggests). I'll work on this problem
now to get us stable. This could take some time. I still have no clue what's wrong
with libpam.
Comment 7 Danny van Dyk (RETIRED) gentoo-dev 2004-09-06 15:23:14 UTC
Ok, I think I got it. Configure checks if /usr/{lib32,lib} is a directory (in
that order). However, on archs with CONF_LIBDIR != lib, this is not necessarily true for /usr/lib. For us, it is a symlink. In my eyes, the easiest (and quickest) way to fix this is to "append-ldflags -L/usr/$(get_libdir)". This should be done
unconditionally.

Samba-Maintainer: Are you ok for me applying this change to =samba-3.0.6* ?
Comment 8 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-06 23:49:32 UTC
CC'ing satya back on the bug. Christian please take a look at comment #7
Comment 9 Christian Andreetta (RETIRED) gentoo-dev 2004-09-07 02:47:08 UTC
Danny (comment #7): ok. You're right: this could have been done before :(
Note for all interested: it's another bug to be opened, but since we're talking about security :) ... samba-3.0.6-r4 ships with the suid BIND_NOW linker flag active: see mail thread on gentoo-core about 'suid handing with portage >=51_pre21', http://lwn.net/Articles/99137 or bug #62674 (not only on samba).
Comment 10 Danny van Dyk (RETIRED) gentoo-dev 2004-09-08 05:26:34 UTC
stable on amd64.
Comment 11 SpanKY gentoo-dev 2004-09-08 06:13:12 UTC
moved a few archs to stable
Comment 12 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-08 06:33:34 UTC
***bump***
please mark x86
***bump***
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-08 18:09:53 UTC
Stable on alpha.
Comment 14 SpanKY gentoo-dev 2004-09-08 20:02:38 UTC
moved x86 to stable myself
Comment 15 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-09 00:13:17 UTC
GLSA 200409-14

mips, ppc64, s390 please mark stable to benefit from the GLSA.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-09 11:24:51 UTC
Just got the following mail from <jerry@samba.org>. Satya please verify
|
| Impact
| ======
|
| A remote authorized user could potentially crash a Samba server after
| issuing these out of sequence requests.

This is incorrect.  You cannot crash the smbd server.  You
can only crash your own smbd process.  So the only thing you
can do is DyS (deny yourself service).

This really is not a security issue.

btw....I maintain a security list for Samba pkg maintainers.
You can have your pkg maintainer contact me if you would like
to be subscribed.
Comment 18 Tom Lynema 2004-09-09 11:49:04 UTC
https://bugzilla.samba.org/show_bug.cgi?id=1520

Gives some information on the bug.  It seems to be a windows issue.

From http://de.samba.org/samba/history/samba-3.0.6.html 

    * BUG 1520: Work around bug in Windows XP SP2 RC2 where the 
      client sends a FindNextPrintChangeNotify() request without 
      previously sending a FindFirstPrintChangeNotify().  Return 
      the same error code as Windows 2000 SP4.
Comment 19 Danny van Dyk (RETIRED) gentoo-dev 2004-09-09 11:52:19 UTC
Ok, we'll remove the stable flag. 3.0.6 doesn't compile on all machines; on those where it compiles, there were network problems.

Satya: seems we need a backport of the security patches to 3.0.5.
Comment 20 Thierry Carrez (RETIRED) gentoo-dev 2004-09-09 13:05:13 UTC
Looks like it's not a security bug at all. So I would say no backport needed, keep your ebuilds like they are.

We'll try to fix the GLSA mess ASAP so that arches marking ebuilds back ~ won't get hurt too much by users that can't apply GLSAs.
Comment 21 Kurt Lieber (RETIRED) gentoo-dev 2004-09-09 14:12:31 UTC
ok, if we screwed up, then we should issue an errata glsa and remove this from CVS.  (not to hide it, but because tools like glsa-check are going to be looking for published GLSAs)

Additionally, we should definitely subscribe security@gentoo.org to the list Jeremy mentioned in his email.
Comment 22 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-10 00:11:35 UTC
GLSA 200409-14 removed from CVS.

Errata coming soon.
Comment 23 Sune Kloppenborg Jeppesen gentoo-dev 2004-09-10 06:37:06 UTC
This is not a security issue. GLSA 200409-14 has been recommitted explaining this and an errata released.