[Pkg-samba-maint] Partial mitigations for the Nov Samba CVEs

Salvatore Bonaccorso carnil at debian.org
Mon Nov 22 19:54:50 GMT 2021


Hi Andrew,

On Tue, Nov 23, 2021 at 06:43:50AM +1300, Andrew Bartlett wrote:
> On Mon, 2021-11-22 at 15:01 +0100, Salvatore Bonaccorso wrote:
> > 
> > Thank you for helping identify the bare minimum to pick. I'm working
> > on this for Debian (for buster) and based on the above I have test
> > packages at:
> > 
> > https://people.debian.org/~carnil/tmp/samba/2021-11-09/
> > 
> 
> Great, thanks for picking this up.
> 
> > (they are not signed! So anyone reading this, they should not be
> > considered production ready)
> > 
> > What is missing from here with that: The above referenced update
> > would still require admins of the setups described in
> > https://www.samba.org/samba/security/CVE-2020-25717.html to apply the
> > 'username map' and 'username map script'. So a followup in the form
> > of https://bugzilla.samba.org/show_bug.cgi?id=14901 as well for 4.9
> > would be good to have (help on that part as well much appreciated if
> > possible).
> > 
> > I see there are patches for 4.10, so I will try to take your patches
> > for 4.9.
> 
> The trick there would be to take the C parts, as the new testsuite is
> Python 3.6 only anyway.  The C code hasn't changed much, I hope it will
> drop in OK.
> 
> The same would apply for almost all the patches really, I'm not
> expecting big dramas to take the tested C patches from 4.10 to 4.9 but
> the more that is changed the riskier it becomes, and I don't 'do'
> untested patches :-)

Done, and the updated packages are now at the same location. There was
the need to as well cherry-pick "lib: Add dom_sid_str_buf" commit. And
on top of that "CVE-2020-25717: idmap_nss: verify that the name of the
sid belongs to the configured domain" and "CVE-2020-25717: s3:auth:
Fallback to a SID/UID based mapping if the named based lookup fails"
to restore setups and not needing to use "username map [script]".

I did not want to take more risk than needed, and so I'm not trying to
go applying the massive backport done for 4.10 to 4.9 and only
concentrate on your above list.

I do not know if you have spare cycles to review what is applied for
Debian, but if you have I will definitively wait for your ack.

Regards,
Salvatore
-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba_4.9.5+dfsg-5+deb10u2.debdiff.xz
Type: application/x-xz
Size: 23596 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20211122/8e95a05e/attachment-0001.xz>