[Pkg-samba-maint] Bug#903971: ntdb: DoS issues upon offline data corruption, unmaintained upstream
Lionel Debroux
lionel_debroux at yahoo.fr
Tue Jul 17 17:14:26 BST 2018
Source: ntdb
Version: 1.0-9
Severity: important
Tags: upstream
Dear maintainers,
In March, I sent an e-mail to the list, about removing the NTDB
packages because they are unmaintained upstream, have known security
issues (if only DoS), and have no other users in Debian:
https://alioth-lists.debian.net/pipermail/pkg-samba-maint/2018-March/020680.html
AFAICT, I received no reply.
Since then:
* I described my findings in the DBM-type databases at
http://www.openwall.com/lists/oss-security/2018/06/17/1 ;
* a member of the security team requested filing a bug against ntdb
for proper tracking; this is, belatedly, the requested tracking bug :)
Copying the relevant parts of the message here:
'
For NTDB, which has a trivial nullptr deref, and otherwise crashes due
to controlled asserts in the library (easy DoS upon data corruption),
the situation is different. Quoting Volker Lendecke after I mentioned
that inciting distros to remove NTDB from future versions could be part
of the solution, without hurting many third-party packages (per the
above dep list):
"
I don't see Samba upstream having the capacity to fix this code. Samba
does not use it. It was intended as the successor to tdb, but this never
materialized. So we removed it a few years ago. It's really up to
Debian to just dump it.
"
'
'
I noticed that the NTDB packages formed an island from Stretch onwards:
# apt-cache rdepends libntdb1
libntdb1
Reverse Depends:
  libntdb-dev
  python-ntdb
  ntdb-tools
  libntdb1-dbg
# apt-cache rdepends libntdb-dev
libntdb-dev
Reverse Depends:
# apt-cache rdepends python-ntdb
python-ntdb
Reverse Depends:
  python-ntdb-dbg
# apt-cache rdepends ntdb-tools
ntdb-tools
Reverse Depends:
# apt-cache rdepends libntdb1-dbg
libntdb1-dbg
Reverse Depends:
  python-ntdb-dbg
# apt-cache rdepends python-ntdb-dbg
python-ntdb-dbg
Reverse Depends:
'
There's still time before the Buster freeze.
Regards,
Lionel Debroux.
-- System Information:
Debian Release: buster/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf, armel, arm64, mips
Kernel: Linux 4.17.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
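The "island" check the report performs by hand (run apt-cache rdepends on every member of the set and confirm that every reverse dependency is itself a member) can be automated. The script below is an added example and is not part of the bug report or of the ntdb package: it parses apt-cache rdepends output and prints every reverse dependency that falls outside the candidate set, so an empty report means the set can be removed without breaking anything else. The sample inputs are constructed: the first reproduces the rdepends output quoted in the report with apt's two-space indentation restored, the second adds a hypothetical outside package "example-app" depending on libntdb1 to show what a leak looks like.

```shell
#!/bin/sh
# island_check.sh - added example, not code from the bug report or from ntdb.
# Decide whether a set of binary packages is a dependency "island": nothing
# outside the set reverse-depends on any member, so the whole set can be
# dropped together without breaking other packages.

# rdeps_outside MEMBER... < rdepends-output
#   MEMBER... are the packages of the candidate island. stdin is the
#   concatenated output of `apt-cache rdepends <member>` for every member.
#   Prints one "<member> <- <dependent>" line for each reverse dependency
#   that is not itself a member; prints nothing for an island.
rdeps_outside() {
    awk -v set="$*" '
        BEGIN {
            n = split(set, members, " ")
            for (i = 1; i <= n; i++) in_set[members[i]] = 1
        }
        # apt-cache prints the queried package unindented, then the line
        # "Reverse Depends:", then each dependent indented by two spaces
        # (a leading "|" marks an alternative in an or-dependency).
        $0 == "Reverse Depends:" { next }
        /^[^ \t]/ { pkg = $1; next }
        /^[ \t]/ {
            dep = $1
            sub(/^\|/, "", dep)
            if (!(dep in in_set)) print pkg " <- " dep
        }
    '
}

# is_island MEMBER... < rdepends-output
#   Exit status 0 when no reverse dependency leaves the set, 1 otherwise.
is_island() {
    [ -z "$(rdeps_outside "$@")" ]
}

NTDB_PKGS="libntdb1 libntdb-dev python-ntdb ntdb-tools libntdb1-dbg python-ntdb-dbg"

# Constructed sample: the rdepends output quoted in the report, with apt's
# two-space indentation restored.
ntdb_rdepends() {
    cat <<'EOF'
libntdb1
Reverse Depends:
  libntdb-dev
  python-ntdb
  ntdb-tools
  libntdb1-dbg
libntdb-dev
Reverse Depends:
python-ntdb
Reverse Depends:
  python-ntdb-dbg
ntdb-tools
Reverse Depends:
libntdb1-dbg
Reverse Depends:
  python-ntdb-dbg
python-ntdb-dbg
Reverse Depends:
EOF
}

# Constructed sample: same set, plus a hypothetical outside package
# "example-app" (not a real Debian package) depending on libntdb1.
ntdb_rdepends_with_outsider() {
    ntdb_rdepends | sed 's/^  libntdb1-dbg$/  libntdb1-dbg\n  example-app/'
}

# The set as quoted in the report: expected to be an island.
ntdb_is_island() {
    ntdb_rdepends | is_island $NTDB_PKGS
}

# The same set with the constructed outsider: reports the leak.
ntdb_outsider_report() {
    ntdb_rdepends_with_outsider | rdeps_outside $NTDB_PKGS
}

# Against a live system, feed real apt-cache output instead of the sample:
#   for p in $NTDB_PKGS; do apt-cache rdepends "$p"; done | is_island $NTDB_PKGS
if ntdb_is_island; then
    echo "ntdb packages form an island: no outside reverse dependencies"
fi
ntdb_outsider_report   # prints "libntdb1 <- example-app"
```

Note that sed's `\n` in a replacement is a GNU extension; on a non-GNU sed the outsider sample would need a literal newline instead. The awk rule order matters: "Reverse Depends:" is itself an unindented line, so it must be skipped before the header rule assigns `pkg`.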