[Pkg-samba-maint] Bug#425680: samba: The security fix for CVE-2007-2446 broke Samba
Daniel Franganillo
dfranganillo at gmail.com
Wed May 23 08:58:46 UTC 2007
Subject: samba: The security fix for CVE-2007-2446 broke Samba
Package: samba
Version: 3.0.24-6
Severity: grave
Justification: renders package unusable
This is a copy of a bug opened upstream. A patch is available for
3.0.25 but not for 3.0.24 on etch.
It happens on i386, and alpha. 3.0.24-etch2 suffers from the bug too.
I'm using Gentoo (the stable tree) and Debian Etch. The recent update that
fixes three security bugs has broken my samba domain. I'm able to log in to the
domain but when accessing the share of a machine which is not the PDC, the
sharing machine denies my access.
"smbclient -L with my user" against that sharing machine returns me
NT_STATUS_NO_LOGON_SERVERS. If I try smbclient against the PDC, the PDC returns
me the list of shares. The problem seems to be the fix for CVE-2007-2446. If I
recompile the samba package without that fix in my Gentoo boxes, the whole
domain works perfectly. The same goes for the Debian machines, if I downgrade
the version to the non-fixed one.
Gentoo: Samba 3.0.24-r2
Debian: 3.0.24-6etch1
The log on the sharing machine:
[2007/05/18 11:29:36, 0] auth/auth_domain.c:domain_client_validate(246)
domain_client_validate: unable to validate password for user rafa in domain
CRIPTODOMINIO to Domain controller DILMUN. Error was NT_STATUS_UNSUCCESSFUL.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages samba depends on:
ii debconf 1.5.11 Debian configuration management sy
ii libacl1 2.2.41-1 Access control list shared library
ii libattr1 2.4.32-1 Extended attribute shared library
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.11.14+dfsg-2 common error description library
ii libcupsy 1.2.7-4 Common UNIX Printing System(tm) -
ii libgnutl 1.4.4-3 the GNU TLS library - runtime libr
ii libkrb53 1.4.4-7etch1 MIT Kerberos runtime libraries
ii libldap2 2.1.30-13.3 OpenLDAP libraries
ii libpam-m 0.79-4 Pluggable Authentication Modules f
ii libpam-r 0.79-4 Runtime support for the PAM librar
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libpopt0 1.10-3 lib for parsing cmdline parameters
ii logrotat 3.7.1-3 Log rotation utility
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii netbase 4.29 Basic TCP/IP networking system
ii procps 1:3.2.7-3 /proc file system utilities
ii samba-co 3.0.24-6 Samba common files used by both th
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages samba recommends:
pn smbldap-tools <none> (no description available)
-- debconf information excluded