Bug 518766 (CVE-2014-3560) - <net-fs/samba-{4.0.21,4.1.11}: Remote code execution (CVE-2014-3560)
Summary: <net-fs/samba-{4.0.21,4.1.11}: Remote code execution (CVE-2014-3560)
Status: RESOLVED FIXED
Alias: CVE-2014-3560
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.samba.org/samba/security/...
Whiteboard: ~2 [noglsa]
Blocks: 447022
Reported: 2014-08-01 22:16 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2014-08-08 14:55 UTC
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-01 22:16:30 UTC
===========================================================
== Subject:     Remote code execution in nmbd
==
== CVE ID#:     CVE-2014-3560
==
== Versions:    Samba 4.0.0 to 4.1.10
==
== Summary:     Samba 4.0.0 to 4.1.10 are affected by a
==              remote code execution attack on
==              unauthenticated nmbd NetBIOS name services.
==
===========================================================

===========
Description
===========

All current versions of Samba 4.x.x are vulnerable to a remote code
execution vulnerability in the nmbd NetBIOS name services daemon.

A malicious browser can send packets that may overwrite the heap of
the target nmbd NetBIOS name services daemon. It may be possible to
use this to generate a remote code execution vulnerability as the
superuser (root).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.1.11 and 4.0.21 have been issued as security
releases to correct the defect. Patches against older Samba versions
are available at http://samba.org/samba/patches/. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

Do not run nmbd, the NetBIOS name services daemon.

=======
Credits
=======

This problem was found and the fix provided by Volker Lendecke, a
Samba Team member working for SerNet <vl@sernet.de>
https://www.sernet.de.

Additional information in 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=756759
http://git.samba.org/?p=samba.git;a=commitdiff;h=9b24abe2f7961c6c54ddc9cd90ff09bf429dd3c0
Comment 1 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-01 22:19:54 UTC
Sorry for the duplicate in the initial report.
Comment 2 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-08-01 23:34:12 UTC
+*samba-4.1.11 (01 Aug 2014)
+*samba-4.0.21 (01 Aug 2014)
+
+  01 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -samba-4.0.18.ebuild,
+  +samba-4.0.21.ebuild, -samba-4.1.8.ebuild, +samba-4.1.11.ebuild:
+  Security bump (bug #518766). Removed old.
+
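Review bot: "Removed old." on the last text line only covers samba-4.0.18.ebuild and samba-4.1.8.ebuild, while the advisory above lists every release from 4.0.0 to 4.1.10 as affected. Any other ebuild below 4.0.21 or 4.1.11 still in the tree carries the same defect, so either drop those in this same entry or state in the message which older versions are kept and why.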
Comment 3 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-03 12:31:03 UTC
Thanks. 4.1.9 and 4.0.19 ebuilds seem to be remaining and should probably be removed as well for cleanup.
Comment 4 Gerald 2014-08-06 10:49:24 UTC
ebuild net-fs/samba-4.1.11 does not compile for me:

Checking for system ldb >= 1.1.17 : not found
ERROR: System library ldb of version 1.1.17 not found, and bundling disabled
 * ERROR: net-fs/samba-4.1.11::gentoo failed (configure phase):
 *   configure failed

After manually updating ldb from 1.1.16 to the unstable version 1.1.17 it works. But this should be a dependency in the ebuild and not something I have to figure out on my own.
Comment 5 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-08-06 10:59:03 UTC
(In reply to Gerald from comment #4)
> ebuild net-fs/samba-4.1.11 does not compile for me:
> 
> Checking for system ldb >= 1.1.17 : not found
> ERROR: System library ldb of version 1.1.17 not found, and bundling disabled
>  * ERROR: net-fs/samba-4.1.11::gentoo failed (configure phase):
>  *   configure failed
> 
> After manually updating ldb from 1.1.16 to the unstable version 1.1.17 it
> works. But this should be a dependency in the ebuild and not something I
> have to figure out on my own.

Should be fixed. Thanks for the report.
Comment 6 Agostino Sarubbo gentoo-dev 2014-08-06 14:19:49 UTC
This bug is invalid because we don't care about masked packages.

             |                             | u   |  
             | a a   a           p     s   | n   |  
             | l m   r h i m m   p s   p   | u s | r
             | p d a m p a 6 i p c 3   a x | s l | e
             | h 6 r 6 p 6 8 p p 6 9 s r 8 | e o | p
             | a 4 m 4 a 4 k s c 4 0 h c 6 | d t | o
-------------+-----------------------------+-----+-------
[M]3.5.21    | + + + o + + o ~ + + + + + + | o 0 | gentoo
[M]3.5.22    | + + + o + + o ~ ~ + ~ ~ + + | o   | gentoo
   3.6.23    | + + + o + + o ~ + + o o + + | o   | gentoo
[I]3.6.23-r1 | ~ + ~ o ~ ~ o ~ + ~ o o ~ + | o   | gentoo
   3.6.24    | ~ ~ ~ o ~ ~ o ~ ~ ~ o o ~ ~ | o   | gentoo
[M]4.0.19    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo
[M]4.0.21    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo
 [M]4.1.9    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo
[M]4.1.11    | o ~ o o ~ o o o o o o o o ~ | o   | gentoo
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2014-08-06 18:24:46 UTC
Ago, this was a valid bug.

Bug 447022 is to unmask 4.0, Version 4.0.19 is still hard masked as part of the tree which means if bug 447022 is completed, we could potentially unmask a vulnerable version. I am re-opening this bug and setting it as a block of 447022.
Comment 8 Agostino Sarubbo gentoo-dev 2014-08-07 09:41:30 UTC
(In reply to Yury German from comment #7)
> Ago, this was a valid bug.
> 
> Bug 447022 is to unmask 4.0, Version 4.0.19 is still hard masked as part of
> the tree which means if bug 447022 is completed, we could potentially unmask
> a vulnerable version. I am re-opening this bug and setting it as a block of
> 447022.

You are just making things in a 'reversed' manner.


Atm, samba is masked and then this bug is INVALID.

While you see samba-4 unmasked in tree, then you need to reopen this as ~2 [cleanup] instead of A2.

I hope that this logic is clear.


I'm not going to play with close another time, so if you guess I'm right after the explanation, please close.
Comment 9 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2014-08-08 08:16:02 UTC
+  08 Aug 2014; Lars Wendler <polynomial-c@gentoo.org> -samba-4.0.19.ebuild,
+  -samba-4.1.9.ebuild:
+  Removed vulnerable versions.
+
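Review bot: the message "Removed vulnerable versions." carries no bug reference, unlike the 01 Aug entry, which cites "(bug #518766)". Add the bug number so the removal of samba-4.0.19.ebuild and samba-4.1.9.ebuild can be traced back to the CVE from the ChangeLog alone.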
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2014-08-08 10:17:40 UTC
Thanks
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2014-08-08 14:55:56 UTC
CVE-2014-3560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-3560):
  NetBIOS name services daemon (nmbd) in Samba 4.0.x before 4.0.21 and 4.1.x
  before 4.1.11 allows remote attackers to execute arbitrary code via
  unspecified vectors that modify heap memory, involving a sizeof operation on
  an incorrect variable in the unstrcpy macro in string_wrappers.h.
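The bug class named in the CVE text above (a bounded copy whose size comes from `sizeof` applied to the wrong variable), as an added illustration that is not Samba's code and not part of this bug report. The type names, macros and 63-byte input are constructed for the example, and the overrun in the weak case is computed rather than performed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed types for illustration; these are not Samba's definitions. */
typedef char short_name[16];   /* fixed-size destination */
typedef char long_name[64];    /* larger buffer holding network-supplied text */

/* Bytes a strlcpy-style copy would write (text plus NUL) for a given bound. */
static size_t bytes_written(const char *src, size_t bound)
{
    size_t n = 0;
    if (bound == 0)
        return 0;
    while (n < bound - 1 && src[n] != '\0')
        n++;
    return n + 1;
}

/* Weak form: the bound comes from the wrong operand (the source). */
#define BOUND_WEAK(d, s)  sizeof(s)
/* Corrected form: the bound is the destination type. The char[...] term is a
 * compile-time check: it fails to build if d is a pointer or an array of
 * another size, and otherwise evaluates to 1. */
#define BOUND_FIXED(d, s) \
    (sizeof(char[sizeof(d) == sizeof(short_name) ? 1 : -1]) * sizeof(short_name))

/* Returns how many bytes would land past the end of a short_name.
 * Only the corrected bound is used for a real copy. */
size_t overrun(int use_fixed)
{
    short_name dst;
    long_name src;
    size_t bound, w;

    memset(src, 'A', sizeof(src) - 1);        /* constructed 63-byte input */
    src[sizeof(src) - 1] = '\0';
    bound = use_fixed ? BOUND_FIXED(dst, src) : BOUND_WEAK(dst, src);
    w = bytes_written(src, bound);
    if (use_fixed) {                          /* within bounds: do the copy */
        memcpy(dst, src, w - 1);
        dst[w - 1] = '\0';
    }
    return w > sizeof(dst) ? w - sizeof(dst) : 0;
}
```

With the weak bound the copy would write 64 bytes into a 16-byte destination; with the corrected bound the text is truncated to 15 bytes plus the terminator.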