[Pkg-samba-maint] Bug#864291: samba: Trivial DOS against servers running 4.2.14+dfsg-0+deb8u5 with Unix Extensions enabled

Tue Jun 6 13:31:52 UTC 2017

Package: samba
Version: 2:4.2.14+dfsg-0+deb8u6
Severity: important
Tags: upstream

Dear Maintainer,

On the current stable version of Samba, it is trivially easy to cause instances
of the Samba daemon, smbd, to eat CPU and leak memory. By launching
multiple connections, this can be used to cause a DOS of the machine running
the Samba service.

The fault relates to the handling of dangling symbolic links and can
be triggered as follows:

1. Create a broken symbolic link with Unix extensions enabled:

      smbclient //server/share -c "posix; symlink nothing broken"

2. Try to write to the broken symbolic link with Unix extensions disabled:

      smbclient //server/share -c "put /etc/issue broken"

Step 2 results in an instance of smbd running a busy loop and leaking 
memory *even after the client has disconnected*. By running step 2 
multiple times, CPU and memory resources on the machine can be exhausted.

The issue was fixed in the upstream version of Samba in February this year
(the fix is in 4.5.6):

https://github.com/samba-team/samba/commit/10c3e3923022485c720f322ca4f0aca5d7501310

Given the severity of the issue and the trivial ease with which it can be
triggered, is there any chance of this fix being backported to the version of
Samba currently supported by Jessie?

Thanks,
Alun.

-- System Information:
Debian Release: 8.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/24 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii  adduser                              3.113+nmu3
ii  dpkg                                 1.17.27
ii  libbsd0                              0.7.0-2
ii  libc6                                2.19-18+deb8u9
ii  libhdb9-heimdal [heimdal-hdb-api-8]  1.6~rc2+dfsg-9
ii  libldb1                              2:1.1.20-0+deb8u1
ii  libpam-modules                       1.1.8-3.1+deb8u2
ii  libpam-runtime                       1.1.8-3.1+deb8u2
ii  libpopt0                             1.16-10
ii  libpython2.7                         2.7.9-2+deb8u1
ii  libtalloc2                           2.1.2-0+deb8u1
ii  libtdb1                              1.3.6-0+deb8u1
ii  libtevent0                           0.9.28-0+deb8u1
ii  lsb-base                             4.1+Debian13+nmu1
ii  multiarch-support                    2.19-18+deb8u9
ii  procps                               2:3.3.9-9
ii  python                               2.7.9-1
ii  python-dnspython                     1.12.0-1
ii  python-ntdb                          1.0-5
ii  python-samba                         2:4.2.14+dfsg-0+deb8u6
pn  python2.7:any                        <none>
ii  samba-common                         2:4.2.14+dfsg-0+deb8u6
ii  samba-common-bin                     2:4.2.14+dfsg-0+deb8u6
ii  samba-dsdb-modules                   2:4.2.14+dfsg-0+deb8u6
ii  samba-libs                           2:4.2.14+dfsg-0+deb8u6
ii  tdb-tools                            1.3.6-0+deb8u1
ii  update-inetd                         4.43

Versions of packages samba recommends:
ii  attr               1:2.4.47-2
ii  logrotate          3.8.7-1+b1
ii  samba-vfs-modules  2:4.2.14+dfsg-0+deb8u6

Versions of packages samba suggests:
pn  bind9          <none>
pn  bind9utils     <none>
pn  ctdb           <none>
pn  ldb-tools      <none>
ii  ntp            1:4.2.6.p5+dfsg-7+deb8u2
pn  smbldap-tools  <none>
pn  winbind        <none>

-- debconf information:
  samba/run_mode: daemons
  samba-common/title: