Bug 751724 (CVE-2020-14318, CVE-2020-14323, CVE-2020-14383) - <net-fs/samba-4.12.9: Multiple vulnerabilities (CVE-2020-{14318,14323,14383})
Summary: <net-fs/samba-4.12.9: Multiple vulnerabilities (CVE-2020-{14318,14323,14383})
Status: RESOLVED FIXED
Alias: CVE-2020-14318, CVE-2020-14323, CVE-2020-14383
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://lists.samba.org/archive/samba...
Whiteboard: B3 [glsa+ cve]
Reported: 2020-10-29 09:53 UTC by Sam James
Modified: 2021-01-09 21:39 UTC
Package list:
sys-libs/ldb-2.1.4-r1 amd64 ppc ppc64 sparc
net-fs/samba-4.12.9-r1 amd64 arm arm64 ppc ppc64 sparc x86
sys-libs/liburing-0.7-r1 amd64 ppc ppc64 sparc
dev-perl/Parse-Yapp-1.210.0 amd64 ppc ppc64 sparc
Runtime testing required: ---
nattka: sanity-check+


Description Sam James archtester gentoo-dev Security 2020-10-29 09:53:00 UTC
o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
o CVE-2020-14323: Unprivileged user can crash winbind.
o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
		  crafted records.
Comment 1 Sam James archtester gentoo-dev Security 2020-10-29 09:53:59 UTC
Please bump to 4.11.15, 4.12.9, 4.13.1.

----
o  CVE-2020-14318:
  The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
  request file name notification on a directory handle when a condition such as
  "new file creation" or "file size change" or "file timestamp update" occurs.

  A missing permissions check on a directory handle requesting ChangeNotify
  meant that a client with a directory handle open only for
  FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
  notify replies from the server. These replies contain information that should
  not be available to directory handles open for FILE_READ_ATTRIBUTES only.

o  CVE-2020-14323:
  winbind in version 3.6 and later implements a request to translate multiple
  Windows SIDs into names in one request. This was done for performance
  reasons: Active Directory domain controllers can do multiple SID to name
  translations in one RPC call. It was an obvious extension to also offer this
  batch operation on the winbind unix domain stream socket that is available to
  local processes on the Samba server to reduce network round-trips to the
  domain controller.

  Due to improper input validation a hand-crafted packet can make winbind
  perform a NULL pointer dereference and thus crash.

o  CVE-2020-14383:
  Some DNS records (such as MX and NS records) usually contain data in the
  additional section. Samba's dnsserver RPC pipe (which is an administrative
  interface not used in the DNS server itself) made an error in handling the
  case where there are no records present: instead of noticing the lack of
  records, it dereferenced uninitialised memory, causing the RPC server to
  crash. This RPC server, which also serves protocols other than dnsserver,
  will be restarted after a short delay, but it is easy for an authenticated
  non-admin attacker to crash it again as soon as it returns. The Samba DNS
  server itself will continue to operate, but many RPC services will not.
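
Added example, not part of the bug report or of Samba's code: a minimal C model of the CVE-2020-14318 handle check, with the unchecked path next to a checked one. The struct and function names are hypothetical, and the required right is assumed to be FILE_LIST_DIRECTORY as in the SMB2 specification's ChangeNotify rules; the comment above does not name it.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-mask, notify-filter and status values as defined for SMB2. */
#define FILE_LIST_DIRECTORY          0x00000001u
#define FILE_READ_ATTRIBUTES         0x00000080u
#define FILE_NOTIFY_CHANGE_FILE_NAME 0x00000001u
#define STATUS_SUCCESS               0x00000000u
#define STATUS_INVALID_PARAMETER     0xC000000Du
#define STATUS_ACCESS_DENIED         0xC0000022u

/* Hypothetical, simplified open handle; not Samba's own structure. */
struct dir_handle {
    int      is_directory;
    uint32_t granted_access;  /* rights granted when the handle was opened */
    uint32_t notify_filter;   /* 0 means no notification is armed */
};

/* Behaviour the advisory describes: the granted rights are never consulted. */
uint32_t change_notify_unchecked(struct dir_handle *h, uint32_t filter)
{
    if (!h->is_directory)
        return STATUS_INVALID_PARAMETER;
    h->notify_filter = filter;
    return STATUS_SUCCESS;
}

/* Checked form: refuse unless the handle may list the directory (assumed right). */
uint32_t change_notify_checked(struct dir_handle *h, uint32_t filter)
{
    if (!h->is_directory)
        return STATUS_INVALID_PARAMETER;
    if ((h->granted_access & FILE_LIST_DIRECTORY) == 0)
        return STATUS_ACCESS_DENIED;
    h->notify_filter = filter;
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed sample: a directory handle opened with minimal rights only. */
    struct dir_handle minimal = { 1, FILE_READ_ATTRIBUTES, 0 };
    printf("unchecked: 0x%08X\n",
           (unsigned)change_notify_unchecked(&minimal, FILE_NOTIFY_CHANGE_FILE_NAME));
    minimal.notify_filter = 0;
    printf("checked:   0x%08X\n",
           (unsigned)change_notify_checked(&minimal, FILE_NOTIFY_CHANGE_FILE_NAME));
    return 0;
}
```
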
Comment 2 Larry the Git Cow gentoo-dev 2020-10-29 10:21:15 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd9d18055cfcabd4fc41f983549efa70873a7a0a

commit fd9d18055cfcabd4fc41f983549efa70873a7a0a
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-10-29 10:08:06 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-10-29 10:21:09 +0000

    net-fs/samba: Security bump to versions 4.12.9 and 4.13.1
    
    Bug: https://bugs.gentoo.org/751724
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-fs/samba/Manifest            |   2 +
 net-fs/samba/samba-4.12.9.ebuild | 318 ++++++++++++++++++++++++++++++++++++++
 net-fs/samba/samba-4.13.1.ebuild | 321 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 641 insertions(+)
Comment 3 Lars Wendler (Polynomial-C) gentoo-dev 2020-10-29 10:45:21 UTC
We're not supporting samba-4.11.x any longer
Comment 4 Thomas Deutschmann gentoo-dev Security 2020-10-29 22:51:47 UTC
x86 stable
Comment 5 Piotr Karbowski archtester Gentoo Infrastructure gentoo-dev Security 2020-10-31 19:38:48 UTC
amd64 stable
Comment 6 Sam James archtester gentoo-dev Security 2020-11-01 14:33:39 UTC
arm64 done
Comment 7 Sam James archtester gentoo-dev Security 2020-11-03 13:35:01 UTC
arm done
Comment 10 Sam James archtester gentoo-dev Security 2020-11-10 17:43:40 UTC
sparc done
Comment 11 Sam James archtester gentoo-dev Security 2020-12-03 16:47:46 UTC
ppc, ppc64, sparc: ping
Comment 12 Sam James archtester gentoo-dev Security 2020-12-03 16:47:55 UTC
(In reply to Sam James from comment #11)
> ppc, ppc64, sparc: ping

uh, just ppc{,64}
Comment 13 Sam James archtester gentoo-dev Security 2020-12-17 00:48:11 UTC
ppc done
Comment 14 Thomas Deutschmann gentoo-dev Security 2020-12-23 17:12:42 UTC
Added to an existing GLSA.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-12-24 14:20:07 UTC
This issue was resolved and addressed in
 GLSA 202012-24 at https://security.gentoo.org/glsa/202012-24
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 16 Thomas Deutschmann gentoo-dev Security 2020-12-24 14:20:42 UTC
Re-opening for remaining architecture.
Comment 17 Sam James archtester gentoo-dev Security 2021-01-07 10:38:32 UTC
ppc64 done

all arches done
Comment 18 Sam James archtester gentoo-dev Security 2021-01-07 10:39:58 UTC
Please clean up, thanks!
Comment 19 Larry the Git Cow gentoo-dev 2021-01-09 21:20:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fd36e0d021a4f14c9dec5126148aa069a9be41ef

commit fd36e0d021a4f14c9dec5126148aa069a9be41ef
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2021-01-09 21:19:50 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2021-01-09 21:20:41 +0000

    net-fs/samba: Security cleanup
    
    Bug: https://bugs.gentoo.org/751724
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-fs/samba/Manifest                |   4 -
 net-fs/samba/samba-4.11.13-r1.ebuild | 321 -----------------------------------
 net-fs/samba/samba-4.12.7-r2.ebuild  | 318 ----------------------------------
 net-fs/samba/samba-4.12.8-r1.ebuild  | 318 ----------------------------------
 net-fs/samba/samba-4.13.1-r1.ebuild  | 321 -----------------------------------
 5 files changed, 1282 deletions(-)
Comment 20 John Helmert III (ajak) 2021-01-09 21:39:08 UTC
All done!