[Pkg-samba-maint] samba and ldb updates for bullseye-security
Salvatore Bonaccorso
carnil at debian.org
Wed Aug 3 10:54:41 BST 2022
Hi Michael,
On Tue, Aug 02, 2022 at 10:05:50PM +0200, Salvatore Bonaccorso wrote:
> Hi Michael,
>
> On Mon, Aug 01, 2022 at 07:19:31PM +0300, Michael Tokarev wrote:
> > Below is the proposed updated packages for bullseye-security for
> > samba and ldb. Since the two are closely related I'm including both
> > in the same request.
> >
> > The vulnerabilities fixed are known and have been disclosed on Jul-27,
> > but unfortunately I failed to process them before that date.
> >
> > Here are the changelogs.
> >
> > ldb (2:2.2.3-2~deb11u2) bullseye-security; urgency=medium
> >   .
> >   * d/control: add myself to Uploaders
> >   * ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch:
> >     only the lib/ldb/* bits from the larger upstream patchset as
> >     found at https://bugzilla.samba.org/show_bug.cgi?id=15096 , as
> >     part of the fix for CVE-2022-32745
> >   * d/*.symbols*: add new symbols and versions
> >
> > This is a preparational change which is required by the change in
> > samba which follows.
> >
> > This is a single patchset prepared and verified by the upstream.
> > Since in Debian bullseye we used to use two separate source packages
> > (samba and ldb; in current testing both are built from the same
> > source), I had to strip non-ldb-related changes from this patchset
> > to be able to apply it to ldb source. Some upstream changes touched
> > both samba and ldb in the same patch.
> >
> > The patch adds a bunch of new symbols, which are added to d/symbols
> > files. And since this is my first upload of ldb, I'm adding myself
> > to the list of Uploaders.
> >
> > And here are the samba changes:
> >
> > samba (2:4.13.13+dfsg-1~deb11u5) stable-security; urgency=medium
> >   .
> >   * 3 patches:
> >     - CVE-2022-32742-bug-15085-4.13.patch
> >     - kpasswd_bugs_v15_4-13.patch
> >     - ldb-memory-bug-15096-4.13-v3.patch
> >     fixing:
> >     o CVE-2022-2031: Samba AD users can bypass certain restrictions associated
> >       with changing passwords.
> >       https://www.samba.org/samba/security/CVE-2022-2031.html
> >     o CVE-2022-32742: Server memory information leak via SMB1.
> >       https://www.samba.org/samba/security/CVE-2022-32742.html
> >     o CVE-2022-32744: Samba AD users can forge password change requests
> >       for any user.
> >       https://www.samba.org/samba/security/CVE-2022-32744.html
> >     o CVE-2022-32745: Samba AD users can crash the server process with an LDAP
> >       add or modify request.
> >       https://www.samba.org/samba/security/CVE-2022-32745.html
> >     o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
> >       process with an LDAP add or modify request.
> >       https://www.samba.org/samba/security/CVE-2022-32746.html
> >   * Closes: #1016449, CVE-2022-2031, CVE-2022-32742, CVE-2022-32744,
> >     CVE-2022-32745, CVE-2022-32746
> >   * Build-Depend on libldb-dev >= 2.2.3-2~deb11u2
> >     (which includes the new symbols in libldb used by this update)
> >
> > These are actual patches taken from upstream. With small change: I removed
> > additions and deletions of files in tests/knownfail/ which were in the same
> > patchset, since quilt does not handle this situation.
> >
> > Patchset ldb-memory-bug-15096-4.13-v3.patch is the one which is partially
> > included by ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch in ldb package.
> > This time it is a complete upstream changeset (minus the knownfail/ removals
> > mentioned above) - it includes ldb changes too, which are applied anyway but
> > aren't actually used in Debian - just to keep the patchset the same as the one
> > prepared and tested by upstream.
> >
> > The diffstats:
> >
> > ldb_2.2.3-2~deb11u2.debdiff
> >  changelog                                                  |   11
> >  control                                                    |    3
> >  libldb2.symbols                                            |    9
> >  patches/ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch  | 1012 ++++++++++++++
> >  patches/series                                             |    1
> >  python3-ldb.symbols.in                                     |    3
> >  6 files changed, 1037 insertions(+), 2 deletions(-)
> >
> > samba_4.13.13+dfsg-1~deb11u5.debdiff
> >  changelog                                    |    28
> >  control                                      |     2
> >  patches/CVE-2022-32742-bug-15085-4.13.patch  |   198
> >  patches/kpasswd_bugs_v15_4-13.patch          | 11325 ++++++++++++++++++++++++++++
> >  patches/ldb-memory-bug-15096-4.13-v3.patch   |  2341 +++++
> >  patches/series                               |     3
> >  6 files changed, 13896 insertions(+), 1 deletion(-)
> >
> > The majority of the change is kpasswd_bugs_v15_4-13.patch which comes from heimdal
> > source.
> >
> > Samba itself, with these changes, has been tested by upstream and
> > passed the upstream testsuite. I myself do not have a test environment where
> > I can test the issues being fixed. Basic functionality, including some minimal
> > AD work, seems to be okay though.
> >
> > However, there's one possible breakage: libldb2 is used not only by samba but
> > also by the sssd package. So far I wasn't able to test if sssd binaries continue
> > to work after updating libldb2. Timo Aaltonen (tjaalton at kapsi.fi) - who is the
> > sssd maintainer - was not able to test my libldb build with sssd, and I have
> > neither knowledge about sssd nor a test environment for it. Maybe I should
> > check if other distributions already faced any issues there...
> >
> > The whole thing seems to be okay, but overall, samba in bullseye has so many
> > issues that it's difficult to do proper fixing there. Also I had only a limited amount
> > of time to work on the update, but the issues seem to be serious enough to
> > warrant a much quicker update. Oh well.
> >
> > The debdiffs against the current versions in debian are attached.
> >
> > I'll try to do some more testing but the whole thing looks more or less sane
> > now.
>
> Thanks for your work on this, will try to look at the whole tomorrow.
> In any case please report back from your further testing and if you
> encounter any issue.
If you have not encountered any issues in the meantime, please go
ahead with the upload to security-master (please, for safety, wait for
the accepted mail for the ldb upload first before uploading samba as
well).
I have a slight worry the version changes could be a problem but we
have to see.
Thank you!
Regards,
Salvatore