Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 491070 (CVE-2013-4475) - <net-fs/samba-{3.6.20, 4.0.11, 4.1.1}: Insecure File Permissions and Security Bypass Security Issues (CVE-2013-{4475,4476})
Summary: <net-fs/samba-{3.6.20, 4.0.11, 4.1.1}: Insecure File Permissions and Security...
Status: RESOLVED FIXED
Alias: CVE-2013-4475
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/55638/
Whiteboard: C3 [glsa]
Keywords:
: 490240 (view as bug list)
Depends on:
Blocks:
 
Reported: 2013-11-12 09:33 UTC by Lars Wendler (Polynomial-C)
Modified: 2015-02-26 08:59 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Lars Wendler (Polynomial-C) gentoo-dev 2013-11-12 09:33:30 UTC
From ${URL} :

Description

Two security issues have been reported in Samba, which can be exploited by malicious, local users to disclose certain sensitive information and by malicious users to bypass certain security restrictions.

1) The application does not properly apply access control list permissions when accessing alternate streams of a file or a directory. This can be exploited to e.g. disclose contents of otherwise inaccessible alternate streams.

Successful exploitation requires the "vfs_streams_depot" or "vfs_streams_xattr" module to be loaded (not loaded by default).

This security issue is reported in versions prior to 3.6.20, 4.0.11, and 4.1.1.

2) The application creates private keys that are used for the SSL/TLS encryption for ldaps with insecure world-readable permissions. This can be exploited to disclose the keys and subsequently e.g. disclose or manipulate HTTPS traffic.

Successful exploitation requires the "server services" option to contain "web" (does not contain by default).

This security issue is reported in versions prior to 4.0.11 and 4.1.1.

Solution:
Update to version 3.6.20, 4.0.11, or 4.1.1.

Provided and/or discovered by:
The vendor credits:
1) Hemanth Thummala.
2) Stefan Metzmacher and Björn Baumbach, SerNet.

Original Advisory:
http://www.samba.org/samba/security/CVE-2013-4475
http://www.samba.org/samba/security/CVE-2013-4476
Comment 1 Lars Wendler (Polynomial-C) gentoo-dev 2013-11-12 09:34:01 UTC
+*samba-4.1.1 (12 Nov 2013)
+*samba-4.0.11 (12 Nov 2013)
+*samba-3.6.20 (12 Nov 2013)
+
+  12 Nov 2013; Lars Wendler <polynomial-c@gentoo.org> -samba-3.6.16.ebuild,
+  +samba-3.6.20.ebuild, +samba-4.0.11.ebuild, +samba-4.1.1.ebuild,
+  +files/samba-4.1.0-remove-dmapi-automagic.patch:
+  Security bumps for CVE-2013-4475 and CVE-2013-4476. Removed automagic
+  dependency on dmapi. Thanks to Andreas Sturmlechner for providing a patch in
+  bug #474492. Removed old.
+
Comment 2 Lars Wendler (Polynomial-C) gentoo-dev 2013-11-20 12:18:02 UTC
Oh well...

arches please test and mark stable =net-fs/samba-3.6.20.

Target KEYWORDS are:
alpha amd64 arm hppa ia64 ~mips ppc ppc64 sparc x86 ~amd64-fbsd ~x86-fbsd ~arm-linux ~x86-linux
Comment 3 Jeroen Roovers gentoo-dev 2013-11-20 15:17:30 UTC
Stable for HPPA.
Comment 4 Agostino Sarubbo gentoo-dev 2013-11-23 11:13:01 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2013-11-23 11:13:11 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-11-23 11:13:22 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-11-23 11:13:31 UTC
ppc64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-11-23 11:13:39 UTC
arm stable
Comment 9 Agostino Sarubbo gentoo-dev 2013-11-23 11:13:47 UTC
sparc stable
Comment 10 Agostino Sarubbo gentoo-dev 2013-12-08 17:06:08 UTC
alpha stable
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2013-12-09 06:15:20 UTC
CVE-2013-4476 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4476):
  Samba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is
  provided over SSL, uses world-readable permissions for a private key, which
  allows local users to obtain sensitive information by reading the key file,
  as demonstrated by access to the local filesystem on an AD domain
  controller.

CVE-2013-4475 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4475):
  Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when
  vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers
  to bypass intended file restrictions by leveraging ACL differences between a
  file and an associated alternate data stream (ADS).
Comment 12 Agostino Sarubbo gentoo-dev 2014-01-13 17:39:12 UTC
*** Bug 490240 has been marked as a duplicate of this bug. ***
Comment 13 Agostino Sarubbo gentoo-dev 2014-01-13 17:40:37 UTC
Stabilized a newer version for ia64.

Maintainer: please cleanup.
Security: please vote
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2014-05-30 22:31:55 UTC
This has ben cleaned up by masking old packages by maintainer(s).

Added it to an existing GLSA Request.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2015-02-26 08:59:00 UTC
This issue was resolved and addressed in
 GLSA 201502-15 at http://security.gentoo.org/glsa/glsa-201502-15.xml
by GLSA coordinator Kristian Fiskerstrand (K_F).