[Pkg-samba-maint] Situation of current samba security issues

Christian Perrier bubulle at debian.org
Tue Oct 6 05:25:19 UTC 2009


OK, now I'm back from my marathon week-end and can resume on samba
issues.

The situation is currently:

There are 3 security issues:
CVE-2009-2813: Misconfigured /etc/passwd file may share folders unexpectedly
CVE-2009-2906: Remote DoS against smbd on authenticated connections
CVE-2009-2948: Information disclosure by setuid mount.cifs

The first two issues are anything but minor. Not the very highest
severity but 2906 can lead to severe data loss if a server is attacked
through this DoS, while 2813 and 2948 are two different ways to get
information disclosed to authenticated users.

In short, we should give as much attention as possible to these
issues. And *I* need help for this. Please read on.


Situation for packages:

Unstable
---------
I built and uploaded samba 3.4.2 with high urgency.

Testing
-------
3.4.* did not enter testing as of now (because of silly non-free RFC
bug reports), so we still have a vulnerable 3.3 there.

From what I recently read in aba's blog
(http://blogs.turmzimmer.net/2009/10/04#squeeze-8), there are issues
having samba transition in unstable because of CUPS.

Even if that's solved, we may have to deal with #538034 that was
reopened for 3.4.1 by the bug submitter. My opinion is that this could
be ignored for the moment. We will anyway deal with upstream about
this.

Stable
------
Here lies the main problem.

Patches provided by upstream do *not* apply cleanly. They were created
against samba 3.2.14 while we have 3.2.5 in lenny.

The problem lies in samba-3.2.14-CVE-2009-2948-2.patch

Its last chunk deals with a part of code in source/client/mount.cifs.c
that was modified between 3.2.5 and 3.2.14. I have been unable to find
a solution to this and I'll be very very likely missing the needed
skills to do The Right Thing.

Steve Langasek being busy doing Ubuntu stuff hasn't got time to look
into this and we're at this very moment left in the dark...and I don't
like this..:-)

Backports
---------
We have an "official" backport on backports.org, for lenny. This is
still 3.3.4 as this is the version in testing. It is of course then
vulnerable to these issues.

I plan to upload 3.4.2 in bpo ASAP, if I get approval by bpo
admins that this is preferable over patching 3.3.4.

Unofficial backports
--------------------
We have some in http://pkg-samba.alioth.debian.org

While I was having time and nothing else to do, I began working on
3.2.15 for lenny and will upload it there.

Not sure if I'll deal with etch backports here or in bpo.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.2.14-CVE-2009-2948-2.patch
Type: text/x-diff
Size: 4340 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20091006/e5fba62d/attachment.patch>