Gerald (Jerry) Carter
2002-Nov-20 15:21 UTC
The Samba Team announces Samba 2.2.7 - security release
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The Samba Team is proud to announce the release of Samba 2.2.7.

A security hole has been discovered in versions 2.2.2 through 2.2.6
of Samba that could potentially allow an attacker to gain root access
on the target machine. The word "potentially" is used because there
is no known exploit of this bug, and the Samba Team has not been able to
craft one ourselves. However, the seriousness of the problem warrants
this immediate 2.2.7 release.

In addition to addressing this security issue, Samba 2.2.7 also includes
thirteen unrelated improvements. These improvements result from our
process of continuous quality assurance and code review, and are part of
the Samba team's commitment to excellence.

The source code can be downloaded from :

http://download.samba.org/samba/ftp/

All current source releases have been signed as well using the
Samba Distribution Key (http://web/samba/ftp/samba-pubkey.asc)

Binary packages for major platforms can be found at

http://download.samba.org/samba/ftp/Binary_Packages/

The release notes follow.

As always, all bugs are our responsibility.

--Enjoy
The Samba Team



WHAT'S NEW IN Samba 2.2.7 - 20th November 2002
=============================================

This is the latest stable release of Samba. This is the version
that all production Samba servers should be running for all current
bug-fixes.

IMPORTANT: Security bugfix for Samba
- ------------------------------------

Summary
- -------

A security hole has been discovered in versions 2.2.2 through 2.2.6
of Samba that could potentially allow an attacker to gain root access
on the target machine. The word "potentially" is used because there
is no known exploit of this bug, and the Samba Team has not been able to
craft one ourselves. However, the seriousness of the problem warrants
this immediate 2.2.7 release.

In addition to addressing this security issue, Samba 2.2.7 also includes
thirteen unrelated improvements. These improvements result from our
process of continuous quality assurance and code review, and are part of
the Samba team's commitment to excellence.

Details
- -------

There was a bug in the length checking for encrypted password change
requests from clients. A client could potentially send an encrypted
password, which, when decrypted with the old hashed password could be
used as a buffer overrun attack on the stack of smbd. The attack would
have to be crafted such that converting a DOS codepage string to little
endian UCS2 unicode would translate into an executable block of code.

All versions of Samba between 2.2.2 to 2.2.6 inclusive are vulnerable
to this problem. This version of Samba 2.2.7 contains a fix for this
problem.

Earlier versions of Samba are not vulnerable.

There is no known exploit or exploit code for this vulnerability,
it was discovered by a code audit by Debian Samba maintainers.

Credit
- ------

Thanks to Steve Langasek and Eloy Paris
for bringing this vulnerability to our notice.

Patch for Samba versions 2.2.2 to 2.2.6
- ---------------------------------------

The following patch applies cleanly to the above Samba versions
and will fix the vulnerability for sites that do not wish to upgrade
to 2.2.7 at this time.

- -------------------------------cut here---------------------------------
- --- libsmb/smbencrypt.c.orig Tue Nov 19 17:21:57 2002
+++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
@@ -63,7 +63,7 @@
if(len > 128)
len = 128;
/* Password must be converted to NT unicode - null terminated. */
- - dos_struni2((char *)wpwd, (const char *)passwd, 256);
+ dos_struni2((char *)wpwd, (const char *)passwd, len);
/* Calculate length in bytes */
len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
- -------------------------------cut here---------------------------------


Changes since 2.2.6
- --------------------

See the cvs log for SAMBA_2_2 for more details

1) ensure we send the notify message in the same way it is expected
   to be received by srv_spoolss_receive_message().
2) attribute matching on truncate only matters when opening truncate
   with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open
   with current NONE -> SYSTEM | HIDDEN.
3) Fix bug in rpcclient's deldriver command
4) Don't set global_machine_password_needs_changing if
   lp_machine_password_timeout() is set to zero
5) don't parse the BUFFER5 if the buffer length is zero
6) fix core dump if pdbedit is run as non-root or smbpasswd file does
   not exist
7) Ensure can_delete() returns correct error code
8) correctly return NT_STATUS_DELETE_PENDING from open code
9) fix bug that assumed dos_unistr2 length was in ucs2 units, not bytes
10) check the long_archi name is not null when deleting a printer driver.
    fixes core dump in smbd when using rpcclient's deldriver
11) fix fd leak with kernel change notify on Linux 2.4 kernels
12) must add one to the extra_data size to transfer the 0 string
    terminator. This was causing "wbinfo --sequence" to access past the
    end of malloced memory
13) fix for large systems allowing more than 65536 files open in
    NTcreate&X
14) Fix bug in %U expansion

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE926iLIR7qMdg1EfYRArYdAJsH14XvFpst5RubPYqhkaL3zNJgEwCdGPY+
N0H1i07NSgSz8XRZFklPWU4=
=67//
-----END PGP SIGNATURE-----
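Review bot: the replacement of 256 by len is only sufficient if the third argument of dos_struni2() counts source characters rather than destination bytes, and that unit is not visible in this hunk; at the call site len is the clamped character count, because the byte length is only computed afterwards by `len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);`, so a one-line comment stating the unit next to the call would make the invariant reviewable. Related: the bound still rests on the bare literal in `if(len > 128)` two lines above rather than on the size of wpwd, whose declaration is outside the hunk; deriving the clamp from that array's element count would keep the call and the buffer from drifting apart again.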
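The length bug described in the Details section above, reproduced as an added example in C; this is not Samba code and not the Samba Team's, and it models the conversion rather than copying it. Assumptions made here and not stated on the page: wpwd is a 129-unit UCS-2 array (258 bytes) on smbd's stack, inferred from the 128-character clamp; the third argument of dos_struni2() counts source characters, each of which becomes two output bytes; and the DOS codepage is taken as an identity mapping, since the mapping does not affect the length arithmetic. The stack frame is modelled as one flat arena with a guard region after the password buffer, so the spill is observable without undefined behaviour. The example goes slightly beyond the advisory in that it runs the unpatched and patched bound side by side over several password lengths and reports exactly where the spill starts.

```c
/* Model of the Samba 2.2.2-2.2.6 NT-hash password conversion length bug.
 * Added illustration; not Samba source. See the lead-in for assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WPWD_BYTES    258  /* assumption: smb_ucs2_t wpwd[129], 128 chars + terminator */
#define GUARD_BYTES   512  /* stands in for what sits above wpwd in the frame */
#define OLD_MAX_CHARS 256  /* the literal the 2.2.7 patch removes */
#define PW_CLAMP      128  /* "if(len > 128) len = 128;" from the patched context */

/* Model of dos_struni2(): converts up to max_chars source bytes to
 * little-endian UCS-2 and appends a 2-byte terminator. Like the original
 * call it trusts the caller to have sized dst for 2*max_chars + 2 bytes.
 * Identity "codepage" (assumption). Returns the number of bytes written. */
static size_t struni2_model(unsigned char *dst, const char *src, size_t max_chars)
{
    size_t i;
    for (i = 0; i < max_chars && src[i] != '\0'; i++) {
        uint16_t u = (unsigned char)src[i];
        dst[2 * i]     = (unsigned char)(u & 0xff);
        dst[2 * i + 1] = (unsigned char)(u >> 8);
    }
    dst[2 * i]     = 0;
    dst[2 * i + 1] = 0;
    return 2 * i + 2;
}

/* One flat arena models the stack frame: wpwd is the first WPWD_BYTES,
 * the guard region after it represents saved registers and the return
 * address. Every write stays inside the arena, so the spill is observable
 * rather than undefined behaviour. Returns 1 if the guard was clobbered. */
static int password_spills(const char *passwd, int patched)
{
    unsigned char arena[WPWD_BYTES + GUARD_BYTES];
    size_t len = strlen(passwd);
    size_t max_chars;
    size_t i;

    memset(arena, 0xAA, sizeof arena);   /* guard pattern; ASCII input never produces 0xAA */

    if (len > PW_CLAMP)
        len = PW_CLAMP;
    /* unpatched: bound is a constant unrelated to the buffer size;
     * patched:   bound is the clamped source length, so at most 258 bytes */
    max_chars = patched ? len : OLD_MAX_CHARS;

    struni2_model(arena, passwd, max_chars);

    for (i = WPWD_BYTES; i < sizeof arena; i++)
        if (arena[i] != 0xAA)
            return 1;
    return 0;
}

/* Constructed input: a password of n 'A' characters (not from the advisory). */
static int spills_for_length(size_t n, int patched)
{
    char pw[OLD_MAX_CHARS + 64];
    if (n >= sizeof pw)
        n = sizeof pw - 1;
    memset(pw, 'A', n);
    pw[n] = '\0';
    return password_spills(pw, patched);
}

int main(void)
{
    size_t lens[] = { 100, 128, 129, 200, 300 };
    size_t k;
    for (k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("password length %3zu: unpatched %s, patched %s\n", lens[k],
               spills_for_length(lens[k], 0) ? "SPILLS" : "ok",
               spills_for_length(lens[k], 1) ? "SPILLS" : "ok");
    return 0;
}
```

The boundary is at 128 characters: a 128-character password fills the 258-byte buffer exactly under either bound, while a 129-character one already writes its terminator past the end when the bound is 256. With the patched bound the clamp guarantees the conversion never exceeds the buffer regardless of how long the decrypted password is. As the advisory notes, a real attack would additionally need the decrypted-then-converted UCS-2 bytes to form something useful where they land; this model only shows that they land there.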
Nicholas Brealey
2002-Nov-20 18:37 UTC
[Samba] The Samba Team announces Samba 2.2.7 - security release
"Gerald (Jerry) Carter" wrote:
>
> The source code can be downloaded from :
>
> http://download.samba.org/samba/ftp/
>

Is there a permissions problem on the samba-2.2.7.tar.gz.asc file? I don't seem to be able to download it, although I can download the samba-2.2.7.tar.bz2.asc file.

In view of trojans that have been installed in sendmail, tcpdump and OpenSSH recently I think it is very important to check the signature. It would be good to include the signatures in the announcement e-mail.

Thanks

Nick Brealey
Gerald (Jerry) Carter
2002-Nov-21 02:21 UTC
The Samba Team announces Samba 2.2.7 - security release
Tim Winders
2002-Nov-25 22:07 UTC
[Samba] Re: The Samba Team announces Samba 2.2.7 - security release
I just upgraded to 2.2.7 and noticed a problem. I use samba as a domain controller for my Win98 machines. After the upgrade to 2.2.7 all the users but myself were getting a failure to login to the domain. In the log file for the machine, I see this error.

[2002/11/25 15:04:32, 0] smbd/service.c:(597)
  sisrael (64.69.243.114) Can't change directory to /data/Lkr_Usr_/twinders/tmp (Permission denied)

In this case, the user trying to login is sisrael, but the service.c package is trying to change to the TMP directory that was set when I configured samba.

I've tried to reinstall 2.2.6, but I'm having the same problem. I am not sure if this is a 2.2.7 issue, a local config issue, or what. But, I'm very confused and current samba is "down" for my users. <sigh>

**********************************************
Tim Winders, MCSE, CNE, CCNA
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Phone: 806-894-9611 x 2369
FAX: 806-894-1549
Email: TWinders@SouthPlainsCollege.edu
**********************************************

On Wed, 20 Nov 2002, Gerald (Jerry) Carter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Samba Team is proud to announce the release of Samba 2.2.7.
>
> A security hole has been discovered in versions 2.2.2 through 2.2.6
> of Samba that could potentially allow an attacker to gain root access
> on the target machine. The word "potentially" is used because there
> is no known exploit of this bug, and the Samba Team has not been able to
> craft one ourselves. However, the seriousness of the problem warrants
> this immediate 2.2.7 release.
>
> In addition to addressing this security issue, Samba 2.2.7 also includes
> thirteen unrelated improvements. These improvements result from our
> process of continuous quality assurance and code review, and are part of
> the Samba team's commitment to excellence.