Bug 891267 (CVE-2018-14628) - <net-fs/samba-4.19.3: insufficient object deletion
Summary: <net-fs/samba-4.19.3: insufficient object deletion
Status: IN_PROGRESS
Alias: CVE-2018-14628
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.samba.org/samba/history/s...
Whiteboard: B4 [stable?]
Keywords:
Depends on:
Blocks:
 
Reported: 2023-01-18 04:48 UTC by John Helmert III
Modified: 2023-11-28 16:11 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description John Helmert III 2023-01-18 04:48:04 UTC
CVE-2018-14628 (https://bugzilla.samba.org/show_bug.cgi?id=13595):
https://bugzilla.redhat.com/show_bug.cgi?id=1625445

An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.

Doesn't seem like fixes ever made it to git.
Comment 1 John Helmert III 2023-11-27 18:40:45 UTC
4.19.3 has been released with a fix according to the release notes:

"This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bug CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html"

Note that manual administrator intervention will be required to fix this.
Comment 2 Larry the Git Cow 2023-11-27 20:46:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f65207b4f907c4ca868ce51d94fe24bb9e9e9924

commit f65207b4f907c4ca868ce51d94fe24bb9e9e9924
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-11-27 20:44:27 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-11-27 20:46:16 +0000

    net-fs/samba: add 4.19.3
    
    Bug: https://bugs.gentoo.org/891267
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.19.3.ebuild | 382 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 383 insertions(+)
Comment 3 John Helmert III 2023-11-28 00:20:18 UTC
Hm, new branch, are we able to stabilize? If not, are we sure there are no fixes in older branches that we'd be able to stabilize?
Comment 4 Ben Kohler 2023-11-28 16:11:46 UTC
I think we're ok to start stabilization on 4.19.3; I don't know of any outstanding regressions on the new series.