[csw-users] Security Vulnerabilities in Samba.

Jeremiah Johnson jeremiah.johnson at gmail.com
Fri Jul 20 17:27:43 CEST 2007


Bogdan,

Thanks for pointing that out.  Patches like that are what maintainers
are good for.  If there are problems, the maintainer should include
that patch and release it.  I personally would rather see more
frequent releases that fix problems, than waiting 6+ months for an
update.  There is a stable and unstable branch, and afaict the
unstable version is still that older version.  I realize that much
testing goes into each release, but I also realize that there is only
so much testing a volunteer can do.  Without accepting input from the
user base at large you'll constantly end up in situations like this.
The stable branch is supposed to be updated only every 3 months, and
unstable constantly, but I'm not seeing any visible action in unstable
with regards to samba.

Ken,

Thanks, I appreciate it.  Sun and SFW have released updates, but our
maintenance policy is a bit odd for installing Sun patches, which is why
we're using Blastwave.

-miah

On 7/20/07, Bogdan Iamandei <bogdan at its.uq.edu.au> wrote:
> -----Original Message-----
> From: users-bounces+bogdan=its.uq.edu.au at lists.blastwave.org on behalf of Jeremiah Johnson
> Sent: Fri 7/20/2007 8:54 AM
> To: users at lists.blastwave.org
> Subject: [csw-users] Security Vulnerabilities in Samba.
>
> Hello,
>
> I contacted the maintainer of the Samba package well over a month ago
> about some vulnerabilities in the Samba package.  I've never received
> a response from him, and there is no other clear method of resolving
> security issues in Blastwave packages.
>
> Samba has the following problems:
> o CVE-2007-2444
>         Versions: Samba 3.0.23d - 3.0.25pre2
>         Local SID/Name translation bug can result in
>         user privilege elevation
> o CVE-2007-2446
>         Versions: Samba 3.0.0 - 3.0.24
>         Multiple heap overflows allow remote code execution
> o CVE-2007-2447
>         Versions: Samba 3.0.0 - 3.0.24
>         Unescaped user input parameters are passed as
>         arguments to /bin/sh allowing for remote command
>         execution
>
> These problems were fixed in Samba 3.0.25(released on May 14, 2007),
> 3.0.25b is current, 3.0.23,REV=2006.08.09b is what Blastwave packages.
> FWIW, the blastwave package is also vuln to:
>
> (Fixed in Samba 3.0.24 Feb 5, 2007)
> - CVE-2007-0452 (Potential Denial of Service bug in smbd)
> - CVE-2007-0453 (Buffer overrun in NSS host lookup Winbind
>   NSS library on Solaris)
> - CVE-2007-0454 (Format string bug in afsacl.so VFS plugin)
>
> Further, there should be some clearly defined Blastwave policy
> regarding security issues.  If the maintainer cannot get to it,
> somebody else from the Blastwave team should be able to handle it.
> The maintainer, and a security user/list at Blastwave should probably
> be subscribed to samba-announce, and similar lists for other packages
> so security announcements are not missed.
>
> Considering that one of your standards is "Efforts are focused on
> providing a greater, more timely set of packages than SFW, while also
> having consistency and dependencies that are not offered by
> sunfreeware.com" it's fairly sad that SFW has actually updated the
> package before Blastwave.
>
> FWIW, Sun has actually updated the SFW packages that they distribute
> to fix this problem.
> http://sunsolve.sun.com/search/document.do?assetkey=1-26-102964-1
>
> I really like the Blastwave distribution, after having SFW cause more
> problems than it was worth, I was glad to have a friend tell me about
> Blastwave.  If there is any way I can actually help rectify this
> problem, please let me know.
>
> -miah
> _______________________________________________
>
>
> Heys,
>
> I was pretty much in the same boat as you are. Since I haven't got a
> proper answer on this case, I have decided to ditch the CSW samba package
> and build my own. It works great and I have no problems with it (now).
>
> However - if you decide to do the same, I will give you a word of warning.
> 3.0.25b has a major flaw which if you don't know about will send you and your
> users absolutely bonkers. In short, your users will randomly be disconnected
> (i.e. get error messages right in the middle of doing something with the mapped
> share, stating that "the network path is no longer available" ) *and* to top it off,
> they will end up with corrupted or truncated files.
>
> See : http://lists.samba.org/archive/samba/2007-July/133789.html for more details.
> Also - to fix it - you download the 3.0.25b sources and apply the patch located here:
> https://bugzilla.samba.org/attachment.cgi?id=2827&action=view
>
> Allegedly this patch will make it in 3.0.25c... whenever that happens.
>
> At any rate - this crap took me 4 days to track down, and it was an absolute bastard of
> a thing... it was mostly affecting just a very limited group of users, with a few spikes here
> and there... nothing you could've put down to smbd being buggy. I even got to the point
> where I suspected that the network driver dealing with NIC aggregation on Solaris was
> brain-dead and reverted to a more "normal" configuration using IPMP.
>
> Anyways, that's the warning. Choose your poison! :)
>
> Ino!~
>
> _______________________________________________
> users mailing list
> users at lists.blastwave.org
> https://lists.blastwave.org/mailman/listinfo/users
>
>
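As an added example that is not part of this thread (it is neither Jeremiah's, Bogdan's nor the Samba project's code): a small Python check that takes the affected-version ranges exactly as listed in the quoted message and reports which of the listed CVEs apply to a given Samba 3.0.x version string, including the Blastwave package form "3.0.23,REV=2006.08.09b" quoted above. It assumes Samba's 3.0.x naming order (pre-release tags such as "pre2" and "rc1" sort before the final release, letter suffixes such as "b" after it), that everything from the comma on in the CSW package version is packaging revision and can be dropped, that the release a problem was "fixed in" is the exclusive upper bound of its affected range, and a lower bound of 3.0.0 for the three CVE-2007-045x entries, for which the thread gives only the fix release.

```python
import re
from typing import List, Optional, Tuple

# Added example, not code from the thread or from Samba.  The affected
# ranges below are the ones listed in the quoted message; the ordering
# rules for "pre", "rc" and letter suffixes are an assumption about
# Samba's 3.0.x naming scheme, not something the thread states.

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(pre|rc)(\d+)|([a-z]))?$")
_STAGE = {"pre": 0, "rc": 1, None: 2}  # pre < rc < final release

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn a Samba version string into a sortable key.

    Accepts upstream versions ("3.0.23d", "3.0.25pre2", "3.0.25b"), the
    "Version 3.0.x" line printed by `smbd -V`, and the Blastwave/CSW form
    "3.0.23,REV=2006.08.09b", where the part from the comma on is taken to
    be the packaging revision (an assumption based on the string quoted in
    the thread) and is dropped.
    """
    upstream = text.strip().split(",", 1)[0]
    if upstream.startswith("Version "):
        upstream = upstream[len("Version "):]
    m = _VERSION_RE.match(upstream)
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    major, minor, patch, stage, n, letter = m.groups()
    if stage:
        # pre-release or release candidate: sorts before the final release
        return (int(major), int(minor), int(patch), _STAGE[stage], int(n))
    # final release; an optional letter suffix marks a later fix release
    suffix = ord(letter) - ord("a") + 1 if letter else 0
    return (int(major), int(minor), int(patch), _STAGE[None], suffix)


# (CVE, first affected release, release that fixed it, summary), taken from
# the quoted message.  The three CVE-2007-045x entries are listed there only
# as "fixed in Samba 3.0.24"; 3.0.0 is assumed as their lower bound.
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("CVE-2007-2444", "3.0.23d", "3.0.25",
     "local SID/name translation bug, user privilege elevation"),
    ("CVE-2007-2446", "3.0.0", "3.0.25",
     "multiple heap overflows, remote code execution"),
    ("CVE-2007-2447", "3.0.0", "3.0.25",
     "unescaped user input passed to /bin/sh, remote command execution"),
    ("CVE-2007-0452", "3.0.0", "3.0.24",
     "potential denial of service in smbd"),
    ("CVE-2007-0453", "3.0.0", "3.0.24",
     "buffer overrun in winbind NSS host lookup on Solaris"),
    ("CVE-2007-0454", "3.0.0", "3.0.24",
     "format string bug in afsacl.so VFS plugin"),
]


def applicable_cves(version: str) -> List[str]:
    """Return the CVE identifiers whose range covers `version`.

    A version is affected when first_affected <= version < fixed_in, so a
    3.0.25 pre-release still counts as affected by problems fixed in 3.0.25.
    """
    v = parse_version(version)
    return [cve for cve, first, fixed, _ in ADVISORIES
            if parse_version(first) <= v < parse_version(fixed)]


def describe(version: str) -> Optional[str]:
    """One-line report for a version, or None when nothing listed applies."""
    hits = applicable_cves(version)
    if not hits:
        return None
    summaries = {cve: summary for cve, _, _, summary in ADVISORIES}
    return f"{version}: " + "; ".join(f"{cve} ({summaries[cve]})" for cve in hits)


if __name__ == "__main__":
    import sys
    # Constructed sample inputs: the Blastwave package version quoted in the
    # thread and the upstream release that was current at the time.
    for arg in sys.argv[1:] or ["3.0.23,REV=2006.08.09b", "3.0.25b"]:
        print(describe(arg) or f"{arg}: none of the listed CVEs apply")
```

Run it with the version strings you want to check as arguments (for example the output of `smbd -V` on each host); with no arguments it checks the two versions from the thread. Using the "fixed in" release as an exclusive upper bound rather than the last listed affected version means that letter and pre-release variants between the two (such as a hypothetical 3.0.24a, or 3.0.25rc1) are flagged rather than silently treated as clean.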
