Jeremy Allison
2010-Mar-08 22:08 UTC
Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11
Security problem with Samba on Linux
------------------------------------

In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code was added to fix a problem with Linux asynchronous IO handling. This code introduced a severe security flaw which was undetected until now.

We are releasing new binaries and fixed source code as release numbers: 3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only fix included in these release numbers.

The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE capabilities, allowing all file system access to be allowed even when permissions should have denied access.

Please note this security problem does not affect any platform that does not support capabilities and platforms where binaries were built without libcap support. Also note that 3.4.5 and prior 3.4.x versions and 3.3.10 and prior 3.3.x versions are NOT affected.

How did this happen?
---------------------

Our testing procedures failed. Errors in code always happen, and we guard against them by writing tests which we run against the code continuously. As Samba runs as a root process, many of our test environments run under a build farm "shim" that allows people to test Samba without granting it root privilege. Unfortunately, this means that some of the tests cannot be run correctly. This is the "make test" that developers run frequently. Extra tests are run as root to detect these areas, but are not run as often as the normal "make test" that the developers run.

This problem affects only binaries compiled with capabilities support. The libcap development packages need to be installed at build time for samba to be vulnerable. Unfortunately, although most developers do have the package, it was absent on the machines used to do pre-release validation, causing the flawed code not to be compiled into the tested binary.

None of our third party testers or partners discovered this flaw before release.

How are we intending to fix this?
----------------------------------

We will be fixing "make test" so it can be run as root for all the developers to regularly test with elevated privilege. In addition we will be adding extra tests to check for this specific issue, to ensure we do not ever release with such a regression again. As this was such a serious flaw, we will not be doing any further Samba 3.x releases other than the security fix until these tests are in place.

Please accept our apologies for such a serious error, and our assurances that we will do everything within our power to ensure this will not happen again.

With our most sincere regrets,

The Samba Team
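A defender's check for the condition the announcement describes, added here as an example and not part of the Samba announcement or the Samba code base: an smbd that has switched its effective UID to the connecting user should no longer hold CAP_DAC_OVERRIDE, so the script reads each process's /proc/<pid>/status, decodes the CapEff mask and flags non-root smbd processes that still carry that bit. It assumes a Linux /proc layout; the sample status texts are constructed for illustration.

```python
"""Flag smbd processes that kept CAP_DAC_OVERRIDE after dropping root.

Added example (not Samba project code). Assumes Linux /proc; the sample
/proc/<pid>/status texts at the bottom are constructed for illustration.
"""
import os

CAP_DAC_OVERRIDE = 1  # bit index from linux/capability.h


def parse_status(text):
    """Return (Name, effective uid, CapEff mask) from a /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    # The Uid line lists real, effective, saved and filesystem uids in order.
    euid = int(fields["Uid"].split()[1])
    cap_eff = int(fields["CapEff"], 16)
    return fields.get("Name", ""), euid, cap_eff


def holds_cap(cap_mask, cap_index):
    """True when the capability at cap_index is set in the hex mask."""
    return bool((cap_mask >> cap_index) & 1)


def suspicious(text, process_name="smbd"):
    """An smbd running as a non-root euid should not hold CAP_DAC_OVERRIDE.
    The listening parent smbd stays root with a full set, which is expected."""
    name, euid, cap_eff = parse_status(text)
    return name == process_name and euid != 0 and holds_cap(cap_eff, CAP_DAC_OVERRIDE)


def scan_proc(proc_root="/proc"):
    """Return pids of suspicious smbd processes on the live system."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "status")) as f:
                if suspicious(f.read()):
                    hits.append(int(entry))
        except (OSError, KeyError, ValueError):
            continue  # process exited or status unreadable; skip it
    return hits


# Constructed samples: a child smbd that dropped to uid 1000 but kept
# CAP_DAC_OVERRIDE (bad), one whose effective set was cleared (good), and
# the root parent, which legitimately holds the full set.
BAD_STATUS = "Name:\tsmbd\nUid:\t0\t1000\t0\t1000\nCapEff:\t0000000000000002\n"
GOOD_STATUS = "Name:\tsmbd\nUid:\t0\t1000\t0\t1000\nCapEff:\t0000000000000000\n"
ROOT_STATUS = "Name:\tsmbd\nUid:\t0\t0\t0\t0\nCapEff:\t0000001fffffffff\n"

if __name__ == "__main__":
    print("suspicious smbd pids:", scan_proc())
```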
Christian PERRIER
2010-Mar-10 06:07 UTC
[Samba] Security problem with Samba on Linux: situation for Debian
Quoting Jeremy Allison (jra at samba.org):

> Security problem with Samba on Linux
> ------------------------------------
>
> In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
> was added to fix a problem with Linux asynchronous IO handling.

Situation for Debian:

- Debian stable isn't affected by this issue (we have 3.2.5+patches there)
- Official backports from www.backports.org aren't affected either (we have 3.4.5)
- Debian unstable has 3.4.7 since yesterday, a few hours after the official announcement. As it had 3.4.6 earlier, users of Debian unstable *are strongly advised to "apt-get upgrade"*
- Debian experimental has 3.5.1 since about the same time. Users who follow samba in experimental to have 3.5 should also upgrade

The most important info:
------------------------

- Debian testing (squeeze) *is* affected as of now. By a very very unfortunate sequence of events, yesterday was the day where 3.4.6 packages that were in unstable aged enough to enter testing. And they did. Before I could notice (I happen to do paid work during the day..:-))

So, users of Debian testing should either avoid upgrading today if they still have 3.4.5 packages or upgrade their systems ASAP with the packages uploaded yesterday in unstable (you need to do this manually) if they already upgraded to 3.4.6

3.4.7 packages were bumped to "high" urgency, which means they will enter testing by Thursday March 11th (I'm unsure about the exact time).

I don't think that Ubuntu is affected by all this, even the soon to come Lucid....but this is unverified information.
Lars Müller
2010-Mar-12 18:40 UTC
[Samba] CVE-2010-0728 and SUSE based products (was: Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11)
On Mon, Mar 08, 2010 at 02:08:27PM -0800, Jeremy Allison wrote:

> Security problem with Samba on Linux
> ------------------------------------
>
> In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
> was added to fix a problem with Linux asynchronous IO handling.

As the SUSE Samba binaries are not linked against libcap, we are not affected in any shipping products. Therefore no action is required from SUSE users.

Nevertheless https://bugzilla.samba.org/show_bug.cgi?id=7222 CVE-2010-0728 and https://bugzilla.novell.com/show_bug.cgi?id=586683 are noted in the package change log as reference to this security issue.

3.5.1 got already merged into the current openSUSE development tree (Factory). Binaries of current Samba version are available from the openSUSE Build Service by the network:samba:STABLE repository. More information about this service, Samba and SUSE is available from http://en.openSUSE.org/Samba

Lars

--
Lars Müller [ˈlaː(r)z ˈmʏlɐ]
Samba Team
SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany