Bug 910606 (CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968) - <net-fs/samba-{4.16.11,4.17.10,4.18.5}: multiple vulnerabilities
Summary: <net-fs/samba-{4.16.11,4.17.10,4.18.5}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal major with 1 vote
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords:
Depends on: 915562
Blocks:
Reported: 2023-07-21 00:46 UTC by Krzysztof Olędzki
Modified: 2024-02-19 06:16 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Krzysztof Olędzki 2023-07-21 00:46:45 UTC
                   ==============================
                   Release Notes for Samba 4.18.5
                           July 19, 2023
                   ==============================


This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                  "server signing = required" or for SMB2 connections to Domain
                  Controllers where SMB2 packet signing is mandatory.
                  https://www.samba.org/samba/security/CVE-2023-3347.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
                  side absolute path of shares and files and directories in
                  search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html


Changes since 4.18.4
--------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 15072: CVE-2022-2127.
   * BUG 15340: CVE-2023-34966.
   * BUG 15341: CVE-2023-34967.
   * BUG 15388: CVE-2023-34968.
   * BUG 15397: CVE-2023-3347.

o  Volker Lendecke <vl@samba.org>
   * BUG 15072: CVE-2022-2127.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.



                   ===============================
                   Release Notes for Samba 4.17.10
                            July 19, 2023
                   ===============================


This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-3347:  SMB2 packet signing is not enforced if an admin configured
                  "server signing = required" or for SMB2 connections to Domain
                  Controllers where SMB2 packet signing is mandatory.
                  https://www.samba.org/samba/security/CVE-2023-3347.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
                  side absolute path of shares and files and directories in
                  search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html


Changes since 4.17.9
--------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 15072: CVE-2022-2127.
   * BUG 15340: CVE-2023-34966.
   * BUG 15341: CVE-2023-34967.
   * BUG 15388: CVE-2023-34968.
   * BUG 15397: CVE-2023-3347.

o  Volker Lendecke <vl@samba.org>
   * BUG 15072: CVE-2022-2127.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.





                   ===============================
                   Release Notes for Samba 4.16.11
                            July 19, 2023
                   ===============================


This is a security release in order to address the following defects:

o CVE-2022-2127:  When winbind is used for NTLM authentication, a maliciously
                  crafted request can trigger an out-of-bounds read in winbind
                  and possibly crash it.
                  https://www.samba.org/samba/security/CVE-2022-2127.html

o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
                  Spotlight can be triggered by an unauthenticated attacker by
                  issuing a malformed RPC request.
                  https://www.samba.org/samba/security/CVE-2023-34966.html

o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
                  Spotlight can be used by an unauthenticated attacker to
                  trigger a process crash in a shared RPC mdssvc worker process.
                  https://www.samba.org/samba/security/CVE-2023-34967.html

o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
                  side absolute path of shares and files and directories in
                  search results.
                  https://www.samba.org/samba/security/CVE-2023-34968.html


Changes since 4.16.10
---------------------

o  Ralph Boehme <slow@samba.org>
   * BUG 15072: CVE-2022-2127.
   * BUG 15340: CVE-2023-34966.
   * BUG 15341: CVE-2023-34967.
   * BUG 15388: CVE-2023-34968.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 15072: CVE-2022-2127.

o  Volker Lendecke <vl@samba.org>
   * BUG 15072: CVE-2022-2127.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
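The three release notes above fix a different set of CVEs per branch (the 4.16.11 notes do not list CVE-2023-3347). The following is an added example, not part of the bug report or of Samba, that turns the summary's affected range <net-fs/samba-{4.16.11,4.17.10,4.18.5} into a check of an installed version string; it assumes branches older than 4.16 never received these fixes and that later branches ship with them.

```python
import re

# Fixed versions per Samba branch, from the bug summary above.
FIXED = {(4, 16): (4, 16, 11), (4, 17): (4, 17, 10), (4, 18): (4, 18, 5)}

# CVEs each branch's security release addresses, from the release notes above.
# CVE-2023-3347 is absent from the 4.16.11 notes, so it is only listed for 4.17/4.18.
COMMON = ("CVE-2022-2127", "CVE-2023-34966", "CVE-2023-34967", "CVE-2023-34968")
CVES = {
    (4, 16): COMMON,
    (4, 17): COMMON + ("CVE-2023-3347",),
    (4, 18): COMMON + ("CVE-2023-3347",),
}


def parse_version(text):
    """Extract (major, minor, patch) from 'samba-4.18.4', '4.18.4-r1' or 'Version 4.17.8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def unfixed_cves(version_text):
    """Return the CVEs from this advisory that the given Samba version lacks fixes for."""
    version = parse_version(version_text)
    branch = version[:2]
    if branch in FIXED:
        return () if version >= FIXED[branch] else CVES[branch]
    if branch > max(FIXED):
        return ()  # assumption: branches newer than 4.18 already carry these fixes
    # assumption: branches older than 4.16 are EOL and never received these fixes
    return CVES[(4, 16)]


def is_affected(version_text):
    return bool(unfixed_cves(version_text))


if __name__ == "__main__":
    # Constructed sample inputs in the formats seen from portage and `smbd -V`.
    for sample in ("net-fs/samba-4.18.4", "Version 4.17.10", "samba-4.16.10-r1"):
        print(sample, "->", unfixed_cves(sample) or "fixed")
```

Feeding it the output of `smbd -V` on a host gives the list of CVEs from this bug that host is still exposed to.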
Comment 1 Krzysztof Olędzki 2023-07-21 00:57:13 UTC
Regarding 4.17, some of the discussion is here: https://bugs.gentoo.org/910334#c5 (and below)

If it helps, for 4.17 we can just re-use https://gitweb.gentoo.org/repo/gentoo.git/plain/net-fs/samba/samba-4.17.8.ebuild?id=d1e7521fb883fa4dd2d65487fdffda4903bd0d4a given no additional patches are needed.

Optionally, if we want it to be as similar as possible to the 4.18 one, we can change:

-PYTHON_COMPAT=( python3_{10..11} )
+PYTHON_COMPAT=( python3_{9..11} )
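Review bot: The sign direction of this hunk (and of the PATCHES hunk below) is reversed relative to the stated goal: as written it adds python3_9 to the 4.17 ebuild, and the follow-up comment confirms the diff was inverted. Read the `-`/`+` lines swapped, so the intended result is `PYTHON_COMPAT=( python3_{10..11} )`.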


and:
 PATCHES=(
-       "${FILESDIR}"/${PN}-4.4.0-pam.patch
-       "${FILESDIR}"/${PN}-4.16.1-netdb-defines.patch
-       "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch
+       "${FILESDIR}/${PN}-4.4.0-pam.patch"
+       "${FILESDIR}/${PN}-4.16.1-netdb-defines.patch"
+       "${FILESDIR}/ldb-2.5.2-skip-wav-tevent-check.patch"
 )

If you want, I can attach the samba-4.17.10.ebuild build file.

I have been running 4.17.10 on both i386 and x86_64 for several hours; they also compiled without problems.

No testing for 4.18.5, yet. Also, I have no interest in 4.16 but mentioned it for completeness given it is still in the tree and [1] suggests we still have 2-3 months before it reaches EOL.

[1] https://wiki.samba.org/index.php/Samba_Release_Planning#General_information
Comment 2 Krzysztof Olędzki 2023-07-21 00:58:18 UTC
Sorry, inverted my diff - the correct one:

-PYTHON_COMPAT=( python3_{9..11} )
+PYTHON_COMPAT=( python3_{10..11} )
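Review bot: Dropping python3_9 narrows the set of targets this ebuild accepts, so a system whose PYTHON_TARGETS includes only python3_9 would no longer be able to install 4.17.10 where 4.17.8 installed. Since the motive is parity with the 4.18 ebuild, that trade-off is presumably already accepted there, but it deserves a mention in the commit message.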

 PATCHES=(
-       "${FILESDIR}/${PN}-4.4.0-pam.patch"
-       "${FILESDIR}/${PN}-4.16.1-netdb-defines.patch"
-       "${FILESDIR}/ldb-2.5.2-skip-wav-tevent-check.patch"
+       "${FILESDIR}"/${PN}-4.4.0-pam.patch
+       "${FILESDIR}"/${PN}-4.16.1-netdb-defines.patch
+       "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch
 )
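Review bot: The quoting change here is purely cosmetic: `"${FILESDIR}/${PN}-4.4.0-pam.patch"` and `"${FILESDIR}"/${PN}-4.4.0-pam.patch` expand identically because ${PN} and the file names contain no whitespace or glob characters. The fully quoted form is the more defensive one, so if the only aim is matching the 4.18 ebuild's style, this hunk is harmless but could be dropped to keep the diff minimal.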
Comment 3 Joakim Tjernlund 2023-08-11 11:16:20 UTC
ping ?
Comment 4 Larry the Git Cow gentoo-dev 2023-08-11 14:13:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=535bf0b4ef4a2f4b0908478b98b5db29832fc0f1

commit 535bf0b4ef4a2f4b0908478b98b5db29832fc0f1
Author:     Ben Kohler <bkohler@gentoo.org>
AuthorDate: 2023-08-11 14:12:44 +0000
Commit:     Ben Kohler <bkohler@gentoo.org>
CommitDate: 2023-08-11 14:13:10 +0000

    net-fs/samba: add 4.18.5
    
    Bug: https://bugs.gentoo.org/910606
    
    Signed-off-by: Ben Kohler <bkohler@gentoo.org>

 net-fs/samba/Manifest            |   1 +
 net-fs/samba/samba-4.18.5.ebuild | 383 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 384 insertions(+)
Comment 5 Krzysztof Olędzki 2023-09-29 07:04:07 UTC
What is the next step here?

Note that while we now have both samba-4.18.5 and samba-4.18.6, samba-4.18.4 
is the last "stable" ebuild and is impacted by all the security issues mentioned in the subject.

Also, samba-4.18.7 (not yet in portage) is the first "usable" 4.18 version for many users, see https://bugs.gentoo.org/914842
Comment 6 Krzysztof Olędzki 2023-10-10 23:12:00 UTC
The target for stabilization should be samba-4.18.8, see https://bugs.gentoo.org/915556
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-10-11 00:08:33 UTC
(In reply to Krzysztof Olędzki from comment #5)
> What is the next step here?
> 

For security bugs, please file them in Gentoo Security -> Vulnerabilities. They will then be closed once stabilisation is done and a GLSA is issued if appropriate.

Filing bugs in the 'Current packages' component leads to ambiguity because after the bump, is it done or not? And it means we don't have any sort of tracking for missing stables.

> Note that while we now have both samba-4.18.5 and samba-4.18.6, samba-4.18.4 
> is the last "stable" ebuild and is impacted by all the security issues
> mentioned in the subject.
> 
> Also, samba-4.18.7 (not yet in portage) is the first "usable" 4.18 version
> for many users, see https://bugs.gentoo.org/914842

Please do consider reviewing the documentation at e.g. https://wiki.gentoo.org/wiki/Project:Proxy_Maintainers/User_Guide#Proxied_maintainer_in_metadata.xml and adopting Samba.
Comment 8 Larry the Git Cow gentoo-dev 2024-02-19 06:11:03 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=9df376ebb50854c82bdbbc1e4f71d408e449fc54

commit 9df376ebb50854c82bdbbc1e4f71d408e449fc54
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-19 06:05:38 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-19 06:10:22 +0000

    [ GLSA 202402-28 ] Samba: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/891267
    Bug: https://bugs.gentoo.org/910606
    Bug: https://bugs.gentoo.org/915556
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-28.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)