samba - Mar 2010 - Security problem with Samba on Linux - affects 3.5.0, 3.4.6 and 3.3.11

Security problem with Samba on Linux
------------------------------------

In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
was added to fix a problem with Linux asynchronous IO handling.

This code introduced a severe security flaw which was undetected until
now.

We are releasing new binaries and fixed source code as release numbers:
3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only
fix included in these release numbers.

The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, allowing all file system access to be allowed
even when permissions should have denied access.

Please note this security problem does not affect any platform that does
not support capabilities and platforms where binaries were built without
libcap support.

Also note that 3.4.5 and prior 3.4.x versions and 3.3.10 and prior 3.3.x
versions are NOT affected.

How did this happen ?
---------------------

Our testing procedures failed. Errors in code always happen,
and we guard against them by writing tests which we run against
the code continuously.

As Samba runs as a root process, many of our test environments
run under a build farm "shim" that allows people to test Samba
without granting it root privilege. Unfortunately, this means that
some of the tests cannot be run correctly. This is the "make test"
that developers run frequently.

Extra tests are run as root to detect these areas, but are
not run as often as the normal "make test" that the developers
run.

This problem affects only binaries compiled with capabilities support.
The libcap development packages need to be installed at build time for
samba to be vulnerable. Unfortunately, although most developers do have
the package, it was absent on the machines used to do pre-release
validation, causing the flawed code not to be compiled into the tested
binary.

None of our third party testers or partners discovered this
flaw before release.

How are we intending to fix this ?
----------------------------------

We will be fixing "make test" so it can be run as root for
all the developers to regularly test with elevated privilege.

In addition we will be adding extra tests to check for this
specific issue, to ensure we do not ever release with such
a regression again.

As this was such a serious flaw, we will not be doing any
further Samba 3.x releases other than the security fix
until these tests are in place.

Please accept our apologies for such a serious error, and
our assurances that we will do everything within our power
to ensure this will not happen again.



With our most sincere regrets,
The Samba Team

Security problem with Samba on Linux
------------------------------------

In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
was added to fix a problem with Linux asynchronous IO handling.

This code introduced a severe security flaw which was undetected until
now.

We are releasing new binaries and fixed source code as release numbers:
3.5.1, 3.4.7 and 3.3.12 with this fix included. This will be the only
fix included in these release numbers.

The flaw caused all smbd processes to inherit CAP_DAC_OVERRIDE
capabilities, allowing all file system access to be allowed
even when permissions should have denied access.

Please note this security problem does not affect any platform that does
not support capabilities and platforms where binaries were built without
libcap support.

Also note that 3.4.5 and prior 3.4.x versions and 3.3.10 and prior 3.3.x
versions are NOT affected.

How did this happen ?
---------------------

Our testing procedures failed. Errors in code always happen,
and we guard against them by writing tests which we run against
the code continuously.

As Samba runs as a root process, many of our test environments
run under a build farm "shim" that allows people to test Samba
without granting it root privilege. Unfortunately, this means that
some of the tests cannot be run correctly. This is the "make test"
that developers run frequently.

Extra tests are run as root to detect these areas, but are
not run as often as the normal "make test" that the developers
run.

This problem affects only binaries compiled with capabilities support.
The libcap development packages need to be installed at build time for
samba to be vulnerable. Unfortunately, although most developers do have
the package, it was absent on the machines used to do pre-release
validation, causing the flawed code not to be compiled into the tested
binary.

None of our third party testers or partners discovered this
flaw before release.

How are we intending to fix this ?
----------------------------------

We will be fixing "make test" so it can be run as root for
all the developers to regularly test with elevated privilege.

In addition we will be adding extra tests to check for this
specific issue, to ensure we do not ever release with such
a regression again.

As this was such a serious flaw, we will not be doing any
further Samba 3.x releases other than the security fix
until these tests are in place.

Please accept our apologies for such a serious error, and
our assurances that we will do everything within our power
to ensure this will not happen again.



With our most sincere regrets,
The Samba Team

Quoting Jeremy Allison (jra at samba.org):
> Security problem with Samba on Linux
> ------------------------------------
> 
> In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
> was added to fix a problem with Linux asynchronous IO handling.
Situation for Debian:

- Debian stable isn't affected by this issue (we have 3.2.5+patches there)
- Official backports from www.backports.org aren't affected too (we
  have 3.4.5)
- Debian unstable has 3.4.7 since yesterday, a few hours after the
  official annoucement. As it had 3.4.6 earlier, users of
  Debian unstable *are strongly advised to "apt-get upgrade"*
- Debian experimental has 3.5.1 since about the same time. Users who
  follow samba in experimental to have 3.5 should also upgrade

The most important info:
------------------------

- Debian testing (squeeze) *is* affected as of now. By a very very 
  infortunate sequence of events, yesterday was the day where 3.4.6
  packages that were in unstable aged enough to enter testing.
  And they did. Before I could notice (I happen to do paid work
  during the day..:-))

  So, users of Debian testing should either avoid upgrading today if
  they still have 3.4.5 packages or upgrade their systems ASAP
  with the packages uploaded yesterday in unstable (you need to do
  this manually) if they already upgraded to 3.4.6

  3.4.7 packages were bumped to "high" urgency, which means they will
  enter testing by Thursday March 11th (I'm unsure about the exact
  time).


I don't think that Ubuntu is affected by all this, even the soon to
come Lucid....but this is unverified information.

On Mon, Mar 08, 2010 at 02:08:27PM -0800, Jeremy Allison
wrote:
> Security problem with Samba on Linux
> ------------------------------------
> 
> In Samba releases 3.5.0, 3.4.6 and 3.3.11 new code
> was added to fix a problem with Linux asynchronous IO handling.
As the SUSE Samba binaries are not linked against libcap, we are not
affected in any shipping products.  Therefore no action is required from
SUSE users.

Nevertheless https://bugzilla.samba.org/show_bug.cgi?id=7222
CVE-2010-0728 and https://bugzilla.novell.com/show_bug.cgi?id=586683 are
noted in the package change log as reference to this security issue.

3.5.1 got already merged into the current openSUSE development tree
(Factory).

Binaries of current Samba version are available from the openSUSE Build
Service by the network:samba:STABLE repository.  More information about
this service, Samba and SUSE is available from
http://en.openSUSE.org/Samba

Lars
-- 
Lars M?ller [?la?(r)z ?m?l?]
Samba Team
SUSE Linux, Maxfeldstra?e 5, 90409 N?rnberg, Germany
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 190 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba/attachments/20100312/adf8643c/attachment.pgp>