From http://www.securityfocus.com/archive/1/373619 Version(s): prior to 3.0.6, prior to 2.2.11 Description: A vulnerability was reported in Samba. A remote authenticated user can cause smbd to crash. The vendor reported that a remote authenticated user can send a FindNextPrintChangeNotify() request without having previously sent a corresponding FindFirstPrintChangeNotify() requeste to cause smbd to crash. This behavior can be triggered by a Windows XP SP2 client. The flaw resides in printer_notify_info() in 'rpc_server/srv_spoolss_nt.c'. Craig Huegen reported this flaw to the vendor. Impact: A remote authenticated user can cause smbd to crash. Solution: The vendor has released a fixed version (3.0.6 and 2.2.11), available at: http://samba.org/samba/download/
We already have samba-3.0.6-r2 in portage is it ready to be marked stable on arches? From Samba.org: Samba 3.0.7 Coming Soon Samba 3.0.7 is scheduled for release next week in order to fix a couple of fairly visible bugs in 3.0.6, which include (from Jerry Carter's post to samba-technical): snum mismatches on home directories after relogin from Windows domain member (Samba domain) winbind bug that causes 'getent passwd DOMAIN\user' to fail when filling in the information using the samlogon_cache possible printing bugs (still working on this one). bugzilla #id: 1464 unconfirmed upgrade bugs with XP clients (still not sure about this one) (no bug #id) Until the release is available, those in need of immediate fixes can find patches here.
just committed samba-3.0.6-r3 (as 3.0.6-r2, with all latest Jerry Carter's patches). This could be made stable for arm, mips, sparc, x86. Support for alpha, amd64, hppa, ia64, ppc, ppc64, s390 still misses because of a perl dependency in case of ldap use: this is only (i think ;) due to lack of arch test. Bug 58529 was opened for this, but these arches are still pending.
arm, mips, sparc, x86 : please test and mark 3.0.6-r3 stable if OK. Other arches are blocked by bug 58529. We'll have to wait for this one to be solved to issue a GLSA about this.
samba-3.0.6-r3 fine for sparc, stabled.
Please mark >=3.0.6 stable. Note that some archs need to mark Bug #58529 stable also
=3.0.6* won't configure on amd64 due to problems with libpam. It would have been nice if the samba maintainer would have filed a bug when he masked samba-3.0.6* on some archs (as the policy for version bumps suggests). I'll work on this problem now to get us stable. This could take some time. I still have no clue what's wrong with libpam.
Ok, i think i got it. Configure checks if /usr/{lib32,lib} is a directory (in that order). However, on archs with CONF_LIBDIR != lib, this is not necessarily true for /usr/lib. For us, it is a symlink. In my eyes, the easiest (and quickest) way to fix this is to "append-ldflags -L/usr/$(get_libdir)". This should be done unconditionally. Samba-Maintainer: Are you ok for me applying this change to =samba-3.0.6* ?
CC'ing satya back on the bug. Christian please take a look at comment #7
Danny (comment #7): ok. You're right: this could have been done before :( Note for all interested: it's another bug to be opened, but since we're talking about security :) ... samba-3.0.6-r4 ships with the suid BIND_NOW linker flag active: see mail thread on gentoo-core about 'suid handing with portage >=51_pre21', http://lwn.net/Articles/99137 or bug #62674 (not only on samba).
stable on amd64.
moved a few archs to stable
***bump*** please mark x86 ***bump***
Stable on alpha.
moved x86 to stable myself
GLSA 200409-14 mips, ppc64, s390 please mark stable to benifit from the GLSA.
Just got the following mail from <jerry@samba.org>. Satya please verify | | Impact | ====== | | A remote authorized user could potentially crash a Samba server after | issuing these out of sequence requests. This is incorrect.
Just got the following mail from <jerry@samba.org>. Satya please verify | | Impact | ====== | | A remote authorized user could potentially crash a Samba server after | issuing these out of sequence requests. This is incorrect. You cannot crash the smbd server. You can only crash your own smbd process. So the only thing you can do is DyS (deny yourself service). This really is not a security issue. btw....I maintain a security list for Samba pkg maintainers. You can have you pkg maintainer contact me if you would like to be subscribed.
https://bugzilla.samba.org/show_bug.cgi?id=1520 Gives some informaion on the bug. It seems to be a windows issue. From http://de.samba.org/samba/history/samba-3.0.6.html * BUG 1520: Work around bug in Windows XP SP2 RC2 where the client sends a FindNextPrintChangeNotify() request without previously sending a FindFirstPrintChangeNotify(). Return the same error code as Windows 2000 SP4.
Ok, we'll remove the stable flag. 3.0.6 doesn't compile on all machines, on those which compile there were network problems. Satya: seems we need a backport of the security patches to 3.0.5.
Looks like it's not a security bug at all. So I would say no backport needed, keep your ebuilds like they are. We'll try to fix the GLSA mess ASAP so that arches marking ebuilds back ~ won't get hurt too much by users that can't apply GLSAs.
ok, if we screwed up, then we should issue an errata glsa and remove this from CVS. (not to hide it, but because tools like glsa-check are going to be looking for published GLSAs) Additionally, we should definitely subscribe security@gentoo.org to the list Jeremy mentioned in his email.
GLSA 200409-14 removed from CVS. Errata coming soon.
This is not a security issue. GLSA 200409-14 have been recommitted explaining this and an errata released.
