[Pkg-samba-maint] samba and ldb updates for bullseye-security

Salvatore Bonaccorso carnil at debian.org
Tue Aug 2 21:05:50 BST 2022


Hi Michael,

On Mon, Aug 01, 2022 at 07:19:31PM +0300, Michael Tokarev wrote:
> Below is the proposed updated packages for bullseye-security for
> samba and ldb. Since the two are closely related I'm including both
> in the same request.
> 
> The vulnerabilities fixed are known and have been disclosed on Jul-27,
> but unfortunately I failed to process them before that date.
> 
> Here are the changelogs.
> 
>  ldb (2:2.2.3-2~deb11u2) bullseye-security; urgency=medium
>  .
>    * d/control: add myself to Uploaders
>    * ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch:
>      only the lib/ldb/* bits from the larger upstream patchset as
>      found at https://bugzilla.samba.org/show_bug.cgi?id=15096 , as
>      part of the fix for CVE-2022-32745
>    * d/*.symbols*: add new symbols and versions
> 
> this is a preparational change which is required by the change in
> samba which follows.
> 
> This is a single patchset prepared and verified by the upstream.
> Since in Debian bullseye we used to use two separate source packages
> (samba and ldb; in current testing both are built from the same
> source), I had to strip non-ldb-related changes from this patchset
> to be able to apply it to ldb source.  Some upstream changes touched
> both samba and ldb in the same patch.
> 
> The patch adds a bunch of new symbols, which are added to d/symbols
> files.  And since this is my first upload of ldb, I'm adding myself
> to the list of Uploaders.
> 
> And here are the samba changes:
> 
>  samba (2:4.13.13+dfsg-1~deb11u5) stable-security; urgency=medium
>  .
>    * 3 patches:
>      - CVE-2022-32742-bug-15085-4.13.patch
>      - kpasswd_bugs_v15_4-13.patch
>      - ldb-memory-bug-15096-4.13-v3.patch
>      fixing:
>      o CVE-2022-2031: Samba AD users can bypass certain restrictions associated
>        with changing passwords.
>        https://www.samba.org/samba/security/CVE-2022-2031.html
>      o CVE-2022-32742: Server memory information leak via SMB1.
>        https://www.samba.org/samba/security/CVE-2022-32742.html
>      o CVE-2022-32744: Samba AD users can forge password change requests
>        for any user.
>        https://www.samba.org/samba/security/CVE-2022-32744.html
>      o CVE-2022-32745: Samba AD users can crash the server process with an LDAP
>        add or modify request.
>        https://www.samba.org/samba/security/CVE-2022-32745.html
>      o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
>        process with an LDAP add or modify request.
>        https://www.samba.org/samba/security/CVE-2022-32746.html
>     * Closes: #1016449, CVE-2022-2031 CVE-2022-32742, CVE-2022-32744,
>       CVE-2022-32745, CVE-2022-32746
>     * Build-Depend on libldb-dev >= 2.2.3-2~deb11u2
>       (which includes the new symbols in libldb used by this update)
> 
> These are actual patches taken from upstream. With small change: I removed
> additions and deletions of files in tests/knownfail/ which were in the same
> patchset, since quilt does not handle this situation.
> 
> Patchset ldb-memory-bug-15096-4.13-v3.patch is the one which is partially
> included by ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch in ldb package.
> This time it is a complete upstream changeset (minus the knownfail/ removals
> mentioned above) - it includes ldb changes too, which are applied anyway but
> aren't actually used in debian - just to make the patchset to be the same as
> has been prepared and tested by upstream.
> 
> The diffstats:
> 
> ldb_2.2.3-2~deb11u2.debdiff
>  changelog                                                 |   11
>  control                                                   |    3
>  libldb2.symbols                                           |    9
>  patches/ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch | 1012 ++++++++++++++
>  patches/series                                            |    1
>  python3-ldb.symbols.in                                    |    3
>  6 files changed, 1037 insertions(+), 2 deletions(-)
> 
> samba_4.13.13+dfsg-1~deb11u5.debdiff
>  changelog                                   |   28
>  control                                     |    2
>  patches/CVE-2022-32742-bug-15085-4.13.patch |  198
>  patches/kpasswd_bugs_v15_4-13.patch         |11325 ++++++++++++++++++++++++++++
>  patches/ldb-memory-bug-15096-4.13-v3.patch  | 2341 +++++
>  patches/series                              |    3
>  6 files changed, 13896 insertions(+), 1 deletion(-)
> 
> The majority of the change is kpasswd_bugs_v15_4-13.patch which comes from heimdal
> source.
> 
> The samba itself, with these changes, has been tested by the upstream and
> passed the upstream testsuite.  I myself do not have a test environment where
> I can test the issues being fixed. Basic functionality, including some minimal
> AD work, seems to be okay though.
> 
> However, there's one possible breakage: libldb2 is used not only by samba but
> also by sssd package. So far I wasn't able to test if sssd binaries continue
> to work after updating libldb2.  Timo Aaltonen (tjaalton at kapsi.fi) - who is the
> sssd maintainer - was not able to test my libldb build with sssd and I have
> neither knowledge about sssd nor the test environment for it.  Maybe I should
> check if other distributions already faced any issues there...
> 
> The whole thing seems to be okay, but overall, samba in bullseye has so many
> issues it's difficult to have proper fixing there. Also I had only limited amount
> of time to work with the update, but the issues seem to be serious enough to
> have much quicker update. Oh well.
> 
> The debdiffs against the current versions in debian are attached.
> 
> I'll try to do some more testing but the whole thing looks more or less sane
> now.

Thanks for your work on this, will try to look at the whole tomorrow.
In any case please report back from your further testing and if you
encounter any issue.

Regards,
Salvatore
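As an added example (not part of the message above, and not tooling from the samba or ldb packages), the following script performs the kind of consistency check a security uploader would run over a changelog entry like the quoted samba one before uploading: it parses the header, collects the CVE ids described in the "o CVE-...:" fix bullets, the ids listed in the "Closes:" clause and the ids referenced by samba.org advisory URLs, and reports any mismatch between the three sets. The embedded changelog text is constructed from the entry quoted above; the function names and the expectation that fix bullets start with "o " are this example's own assumptions, not a Debian convention.

```python
"""Cross-check CVE references inside a Debian changelog entry (example code)."""
import re
from typing import Dict, List, Set, Tuple

CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
HEADER_RE = re.compile(r"^(?P<source>\S+) \((?P<version>[^)]+)\) (?P<dist>\S+); urgency=(?P<urgency>\S+)")
ADVISORY_RE = re.compile(r"https://www\.samba\.org/samba/security/(CVE-\d{4}-\d+)\.html")
BUILD_DEP_RE = re.compile(r"Build-Depends? on (\S+) (>=|<=|>>|<<|=) (\S+)")

# Constructed sample: the samba changelog entry quoted in the message above.
SAMPLE_CHANGELOG = """\
samba (2:4.13.13+dfsg-1~deb11u5) stable-security; urgency=medium
.
  * 3 patches:
    - CVE-2022-32742-bug-15085-4.13.patch
    - kpasswd_bugs_v15_4-13.patch
    - ldb-memory-bug-15096-4.13-v3.patch
    fixing:
    o CVE-2022-2031: Samba AD users can bypass certain restrictions associated
      with changing passwords.
      https://www.samba.org/samba/security/CVE-2022-2031.html
    o CVE-2022-32742: Server memory information leak via SMB1.
      https://www.samba.org/samba/security/CVE-2022-32742.html
    o CVE-2022-32744: Samba AD users can forge password change requests
      for any user.
      https://www.samba.org/samba/security/CVE-2022-32744.html
    o CVE-2022-32745: Samba AD users can crash the server process with an LDAP
      add or modify request.
      https://www.samba.org/samba/security/CVE-2022-32745.html
    o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
      process with an LDAP add or modify request.
      https://www.samba.org/samba/security/CVE-2022-32746.html
   * Closes: #1016449, CVE-2022-2031 CVE-2022-32742, CVE-2022-32744,
     CVE-2022-32745, CVE-2022-32746
   * Build-Depend on libldb-dev >= 2.2.3-2~deb11u2
     (which includes the new symbols in libldb used by this update)
"""


def parse_header(text: str) -> Tuple[str, str, str]:
    """Return (source package, version, target distribution) from the header line."""
    for line in text.splitlines():
        m = HEADER_RE.match(line.strip())
        if m:
            return m.group("source"), m.group("version"), m.group("dist")
    raise ValueError("no changelog header found")


def _items(text: str) -> List[str]:
    """Group the entry into '*' items, joining continuation lines into one string."""
    items: List[str] = []
    cur: List[str] = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("* "):
            if cur:
                items.append(" ".join(cur))
            cur = [s[2:]]
        elif cur:
            cur.append(s)
    if cur:
        items.append(" ".join(cur))
    return items


def described_cves(text: str) -> Set[str]:
    """CVE ids that open an 'o CVE-xxxx-yyyy: description' fix bullet (assumed layout)."""
    found: Set[str] = set()
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("o "):
            m = CVE_RE.match(s[2:])
            if m:
                found.add(m.group(0))
    return found


def closes_cves(text: str) -> Set[str]:
    """CVE ids named in the 'Closes:' item, including its continuation lines."""
    for item in _items(text):
        if item.startswith("Closes:"):
            return set(CVE_RE.findall(item))
    return set()


def advisory_cves(text: str) -> Set[str]:
    """CVE ids referenced through samba.org advisory URLs."""
    return set(ADVISORY_RE.findall(text))


def build_depends(text: str) -> List[Tuple[str, str, str]]:
    """(package, relation, version) triples from 'Build-Depend on ...' items."""
    return BUILD_DEP_RE.findall(text)


def check(text: str) -> Dict[str, Set[str]]:
    """Report CVE ids that appear in one place of the entry but not another."""
    desc, closed, adv = described_cves(text), closes_cves(text), advisory_cves(text)
    return {
        "described_not_closed": desc - closed,      # fixed but not claimed in Closes:
        "closed_not_described": closed - desc,      # claimed fixed without a fix bullet
        "described_without_advisory": desc - adv,   # fix bullet lacks its advisory link
    }


if __name__ == "__main__":
    print(parse_header(SAMPLE_CHANGELOG), build_depends(SAMPLE_CHANGELOG))
    for name, ids in check(SAMPLE_CHANGELOG).items():
        print(f"{name}: {sorted(ids) or 'ok'}")
```

Running it on the quoted entry reports all three sets empty; dropping one id from the Closes: clause makes it show up under described_not_closed, which is the case that would otherwise leave the tracker entry open after the upload.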
