Bug 664316 (CVE-2018-10858, CVE-2018-10918, CVE-2018-10919, CVE-2018-1139, CVE-2018-1140) - <net-fs/samba-{4.6.16,4.7.9,4.8.4}: multiple vulnerabilities (CVE-2018-{1139,1140,10858,10918,10919})
Status: RESOLVED FIXED
Alias: CVE-2018-10858, CVE-2018-10918, CVE-2018-10919, CVE-2018-1139, CVE-2018-1140
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords:
Duplicates: 671572
Depends on: 664314 669618
Blocks:
Reported: 2018-08-22 21:57 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-25 16:36 UTC
CC: 2 users
See Also:
Package list: sys-libs/tevent-0.9.37 sys-libs/talloc-2.1.14 sys-libs/tdb-1.3.16 dev-db/lmdb-0.9.23 sys-libs/ldb-1.3.6 net-fs/samba-4.8.6-r2 dev-util/lttng-ust-2.8.1 dev-libs/userspace-rcu-0.10.1
Runtime testing required: ---
stable-bot: sanity-check+
Description GLSAMaker/CVETool Bot gentoo-dev 2018-08-22 21:57:58 UTC
CVE-2018-10858 (https://nvd.nist.gov/vuln/detail/CVE-2018-10858):
  A heap-buffer overflow was found in the way samba clients processed an extra
  long filename in a directory listing. A malicious samba server could use
  this flaw to cause arbitrary code execution on a samba client. Samba
  versions before 4.6.16, 4.7.9 and 4.8.4 are vulnerable.

CVE-2018-10918 (https://nvd.nist.gov/vuln/detail/CVE-2018-10918):
  A null pointer dereference flaw was found in the way samba checked database
  outputs from the LDB database layer. An authenticated attacker could use
  this flaw to crash a samba server in an Active Directory Domain Controller
  configuration. Samba versions before 4.7.9 and 4.8.4 are vulnerable.

CVE-2018-10919 (https://nvd.nist.gov/vuln/detail/CVE-2018-10919):
  The Samba Active Directory LDAP server was vulnerable to an information
  disclosure flaw because of missing access control checks. An authenticated
  attacker could use this flaw to extract confidential attribute values using
  LDAP search expressions. Samba versions before 4.6.16, 4.7.9 and 4.8.4 are
  vulnerable.

CVE-2018-1139 (https://nvd.nist.gov/vuln/detail/CVE-2018-1139):
  A flaw was found in the way samba before 4.7.9 and 4.8.4 allowed the use of
  weak NTLMv1 authentication even when NTLMv1 was explicitly disabled. A
  man-in-the-middle attacker could use this flaw to read the credential and
  other details passed between the samba server and client.

CVE-2018-1140 (https://nvd.nist.gov/vuln/detail/CVE-2018-1140):
  A missing input sanitization flaw was found in the implementation of the LDP
  database used for the LDAP server. An attacker could use this flaw to cause
  a denial of service against a samba server used as an Active Directory
  Domain Controller. All versions of Samba from 4.8.0 onwards are vulnerable.
Comment 1 Thomas Deutschmann gentoo-dev Security 2018-08-22 22:14:54 UTC
This will need some preparation like bug 664314, but I suggest switching to the 4.8.x branch.
Comment 2 Thomas Deutschmann gentoo-dev Security 2018-08-22 22:22:37 UTC
Adding proposed package list.
Comment 3 Frank Krömmelbein 2018-10-22 18:13:53 UTC
Could you please start the stabilization process now, as 2 months have passed?

In the meantime net-fs/samba-4.8.4 was removed from the tree. 
Available now are 4.8.5 and 4.8.6.
Comment 4 Stabilization helper bot gentoo-dev 2018-10-24 08:08:06 UTC
An automated check of this bug failed - repoman reported dependency errors (169 lines truncated): 

> dependency.bad net-fs/samba/samba-4.8.6.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-util/lttng-ust']
> dependency.bad net-fs/samba/samba-4.8.6.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['dev-util/lttng-ust']
> dependency.bad net-fs/samba/samba-4.8.6.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['dev-util/lttng-ust']
Comment 5 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2018-10-25 17:15:06 UTC
amd64 stable
Comment 6 Thomas Deutschmann gentoo-dev Security 2018-10-25 18:02:10 UTC
Re-adding amd64... please wait until stable-bot sets "+" so you won't miss packages like now.
Comment 7 Stabilization helper bot gentoo-dev 2018-10-25 18:06:48 UTC
An automated check of this bug failed - repoman reported dependency errors (169 lines truncated): 

> dependency.bad net-fs/samba/samba-4.8.6.ebuild: DEPEND: alpha(default/linux/alpha/13.0) ['dev-util/lttng-ust']
> dependency.bad net-fs/samba/samba-4.8.6.ebuild: RDEPEND: alpha(default/linux/alpha/13.0) ['dev-util/lttng-ust']
> dependency.bad net-fs/samba/samba-4.8.6.ebuild: DEPEND: alpha(default/linux/alpha/13.0/desktop) ['dev-util/lttng-ust']
Comment 8 Sven Wegener gentoo-dev 2018-10-25 18:59:09 UTC
samba-4.8.6 has

    >=sys-libs/ldb-1.3.6[ldap(+)?,python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}]
    <sys-libs/ldb-1.4.0[ldap(+)?,python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}]

in its dependencies, hence it does not match ldb-1.5.1.
Comment 9 Lars Wendler (Polynomial-C) gentoo-dev 2018-10-25 19:26:23 UTC
(In reply to Sven Wegener from comment #8)
> samba-4.8.6 has
> 
>     >=sys-libs/ldb-1.3.6[ldap(+)?,python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}]
>     <sys-libs/ldb-1.4.0[ldap(+)?,python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}]
> 
> in its dependencies, hence it does not match ldb-1.5.1.

Fixed in Package list.
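Two version-range questions run through this bug: which of the five CVEs in the description still apply to a given installed Samba (the fixes are per x.y branch, and CVE-2018-1140 only exists from 4.8.0 on), and why, in comments 8 and 9, samba-4.8.6's `>=sys-libs/ldb-1.3.6` / `<sys-libs/ldb-1.4.0` atoms reject ldb-1.5.1. The script below is an added example, not Gentoo's code and not Portage's own atom matcher; it implements a simplified dependency-atom check and takes the fixed releases from the CVE text on this page, with the 4.8.4 bound for CVE-2018-1140 (whose text names no fixed release) taken from the bug title. The `~` operator and slot or wildcard atoms are deliberately not handled.

```python
import functools
import re

# Fixed releases per branch, taken from the CVE text in the bug description.
# CVE-2018-1140's text names no fixed release (it says 4.8.0 onwards is
# vulnerable), so its 4.8.4 upper bound is taken from the bug title instead.
ADVISORY = {
    "CVE-2018-10858": {"fixed": ["4.6.16", "4.7.9", "4.8.4"]},
    "CVE-2018-10918": {"fixed": ["4.7.9", "4.8.4"]},
    "CVE-2018-10919": {"fixed": ["4.6.16", "4.7.9", "4.8.4"]},
    "CVE-2018-1139": {"fixed": ["4.7.9", "4.8.4"]},
    "CVE-2018-1140": {"fixed": ["4.8.4"], "introduced": "4.8.0"},
}

# The two ldb atoms quoted from samba-4.8.6's dependencies in comment 8.
SAMBA_486_LDB_DEPS = [
    ">=sys-libs/ldb-1.3.6[ldap(+)?,python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}]",
    "<sys-libs/ldb-1.4.0[ldap(+)?,python?,${PYTHON_USEDEP},${MULTILIB_USEDEP}]",
]

VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)(?:-r(\d+))?")
# operator, category/package, version; a trailing USE-dependency bracket is ignored
ATOM_RE = re.compile(
    r"^(>=|<=|>|<|=)?([^/\s]+/.+?)-(\d+(?:\.\d+)*(?:-r\d+)?)(?:\[[^\]]*\])?$"
)


def parse_version(v):
    """'4.8.6-r2' -> ([4, 8, 6], 2); the -rN suffix is a Gentoo ebuild revision."""
    m = VERSION_RE.fullmatch(v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return [int(x) for x in m.group(1).split(".")], int(m.group(2) or 0)


def vcmp(a, b):
    """Three-way compare two version strings; missing components count as 0."""
    (na, ra), (nb, rb) = parse_version(a), parse_version(b)
    width = max(len(na), len(nb))
    ka = (na + [0] * (width - len(na)), ra)
    kb = (nb + [0] * (width - len(nb)), rb)
    return (ka > kb) - (ka < kb)


def branch(v):
    """Samba ships fixes per x.y branch, so a version is judged against its own branch's fix."""
    return tuple(parse_version(v)[0][:2])


def affected_by(cve, version):
    entry = ADVISORY[cve]
    intro = entry.get("introduced")
    if intro is not None and vcmp(version, intro) < 0:
        return False  # the flaw did not exist yet in this version
    for fixed in entry["fixed"]:
        if branch(fixed) == branch(version):
            return vcmp(version, fixed) < 0  # same branch: below its fix?
    # Branch not listed: anything older than the oldest fixed release never
    # received a fix (end-of-life branch); anything newer already contains it.
    oldest = min(entry["fixed"], key=functools.cmp_to_key(vcmp))
    return vcmp(version, oldest) < 0


def affected_cves(version):
    """All CVEs on this bug that apply to the given installed Samba version."""
    return [cve for cve in ADVISORY if affected_by(cve, version)]


def split_atom(atom):
    """Split '>=cat/pkg-1.2.3[use]' into (operator, 'cat/pkg', '1.2.3')."""
    m = ATOM_RE.match(atom.strip())
    if not m:
        raise ValueError(f"unparseable atom: {atom!r}")
    op, pkg, ver = m.groups()
    return op or "=", pkg, ver


def atom_matches(atom, cpv):
    """Does an installed category/package-version satisfy one dependency atom?"""
    op, pkg, wanted = split_atom(atom)
    _, have_pkg, have = split_atom(cpv)
    if pkg != have_pkg:
        return False
    c = vcmp(have, wanted)
    return {"=": c == 0, ">=": c >= 0, "<=": c <= 0, ">": c > 0, "<": c < 0}[op]


def satisfies_all(atoms, cpv):
    """Every atom must match: ldb-1.5.1 passes the >= atom but fails the < atom."""
    return all(atom_matches(a, cpv) for a in atoms)


if __name__ == "__main__":
    for v in ("4.8.2", "4.8.6-r2", "4.6.15", "4.7.11"):
        print(v, affected_cves(v))
    for ldb in ("sys-libs/ldb-1.3.6", "sys-libs/ldb-1.5.1"):
        print(ldb, satisfies_all(SAMBA_486_LDB_DEPS, ldb))
```

Running it shows that 4.8.6-r2 (the version eventually stabilized here) and 4.7.11 (asked about in comment 16) match none of the five CVEs, while 4.8.2 matches all five and a 4.6.15 client matches everything but CVE-2018-1140; the two ldb atoms together accept 1.3.6 and reject 1.5.1, which is exactly the mismatch the stabilization bot tripped over.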
Comment 10 Thomas Deutschmann gentoo-dev Security 2018-10-26 00:54:31 UTC
x86 stable
Comment 11 Agostino Sarubbo gentoo-dev 2018-10-26 14:58:18 UTC
amd64 stable
Comment 12 Sergei Trofimovich gentoo-dev 2018-11-08 08:04:03 UTC
ppc64 stable
Comment 13 Sergei Trofimovich gentoo-dev 2018-11-08 08:07:45 UTC
ppc stable
Comment 14 Ian Stakenvicius gentoo-dev 2018-11-08 17:52:02 UTC
Remaining arches please note, samba package has been stable-revbumped to 4.8.6-r1 to fix a file installation issue.
Comment 15 Lars Wendler (Polynomial-C) gentoo-dev 2018-11-20 15:52:13 UTC
*** Bug 671572 has been marked as a duplicate of this bug. ***
Comment 16 marco 2018-11-20 16:24:24 UTC
Is it possible to stabilize net-fs/samba-4.7.11 for amd64 as well?
Comment 17 Agostino Sarubbo gentoo-dev 2019-06-04 21:00:26 UTC
ia64 stable
Comment 18 Rolf Eike Beer 2019-07-06 20:41:08 UTC
hppa stable
Comment 19 Thomas Deutschmann gentoo-dev Security 2019-10-26 13:38:55 UTC
@ maintainer(s): Please clean up and drop <net-fs/samba-4.8.6-r2!
Comment 20 Thomas Deutschmann gentoo-dev Security 2020-03-25 16:10:20 UTC
Added to an existing GLSA.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2020-03-25 16:36:41 UTC
This issue was resolved and addressed in
 GLSA 202003-52 at https://security.gentoo.org/glsa/202003-52
by GLSA coordinator Thomas Deutschmann (whissi).