[Pkg-samba-maint] samba and ldb updates for bullseye-security

Salvatore Bonaccorso carnil at debian.org
Wed Aug 3 10:54:41 BST 2022


Hi Michael,

On Tue, Aug 02, 2022 at 10:05:50PM +0200, Salvatore Bonaccorso wrote:
> Hi Michael,
> 
> On Mon, Aug 01, 2022 at 07:19:31PM +0300, Michael Tokarev wrote:
> > Below is the proposed updated packages for bullseye-security for
> > samba and ldb. Since the two are closely related I'm including both
> > in the same request.
> > 
> > The vulnerabilities fixed are known and have been disclosed on Jul-27,
> > but unfortunately I failed to process them before that date.
> > 
> > Here are the changelogs.
> > 
> >  ldb (2:2.2.3-2~deb11u2) bullseye-security; urgency=medium
> >  .
> >    * d/control: add myself to Uploaders
> >    * ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch:
> >      only the lib/ldb/* bits from the larger upstream patchset as
> >      found at https://bugzilla.samba.org/show_bug.cgi?id=15096 , as
> >      part of the fix for CVE-2022-32745
> >    * d/*.symbols*: add new symbols and versions
> > 
> > this is a preparational change which is required by the change in
> > samba which follows.
> > 
> > This is a single patchset prepared and verified by the upstream.
> > Since in Debian bullseye we used to use two separate source packages
> > (samba and ldb; in current testing both are built from the same
> > source), I had to strip non-ldb-related changes from this patchset
> > to be able to apply it to ldb source.  Some upstream changes touched
> > both samba and ldb in the same patch.
> > 
> > The patch adds a bunch of new symbols, which are added to d/symbols
> > files.  And since this is my first upload of ldb, I'm adding myself
> > to the list of Uploaders.
> > 
> > And here are the samba changes:
> > 
> >  samba (2:4.13.13+dfsg-1~deb11u5) stable-security; urgency=medium
> >  .
> >    * 3 patches:
> >      - CVE-2022-32742-bug-15085-4.13.patch
> >      - kpasswd_bugs_v15_4-13.patch
> >      - ldb-memory-bug-15096-4.13-v3.patch
> >      fixing:
> >      o CVE-2022-2031: Samba AD users can bypass certain restrictions associated
> >        with changing passwords.
> >        https://www.samba.org/samba/security/CVE-2022-2031.html
> >      o CVE-2022-32742: Server memory information leak via SMB1.
> >        https://www.samba.org/samba/security/CVE-2022-32742.html
> >      o CVE-2022-32744: Samba AD users can forge password change requests
> >        for any user.
> >        https://www.samba.org/samba/security/CVE-2022-32744.html
> >      o CVE-2022-32745: Samba AD users can crash the server process with an LDAP
> >        add or modify request.
> >        https://www.samba.org/samba/security/CVE-2022-32745.html
> >      o CVE-2022-32746: Samba AD users can induce a use-after-free in the server
> >        process with an LDAP add or modify request.
> >        https://www.samba.org/samba/security/CVE-2022-32746.html
> >     * Closes: #1016449, CVE-2022-2031 CVE-2022-32742, CVE-2022-32744,
> >       CVE-2022-32745, CVE-2022-32746
> >     * Build-Depend on libldb-dev >= 2.2.3-2~deb11u2
> >       (which includes the new symbols in libldb used by this update)
> > 
> > These are actual patches taken from upstream. With small change: I removed
> > additions and deletions of files in tests/knownfail/ which were in the same
> > patchset, since quilt does not handle this situation.
> > 
> > Patchset ldb-memory-bug-15096-4.13-v3.patch is the one which is partially
> > included by ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch in ldb package.
> > This time it is a complete upstream changeset (minus the knownfail/ removals
> > mentioned above) - it includes ldb changes too, which are applied anyway but
> > aren't actually used in debian - just to make the patchset to be the same as
> > has been prepared and tested by upstream.
> > 
> > The diffstats:
> > 
> > ldb_2.2.3-2~deb11u2.debdiff
> >  changelog                                                 |   11
> >  control                                                   |    3
> >  libldb2.symbols                                           |    9
> >  patches/ldb-memory-bug-15096-CVE-2022-32745-4.13-v3.patch | 1012 ++++++++++++++
> >  patches/series                                            |    1
> >  python3-ldb.symbols.in                                    |    3
> >  6 files changed, 1037 insertions(+), 2 deletions(-)
> > 
> > samba_4.13.13+dfsg-1~deb11u5.debdiff
> >  changelog                                   |   28
> >  control                                     |    2
> >  patches/CVE-2022-32742-bug-15085-4.13.patch |  198
> >  patches/kpasswd_bugs_v15_4-13.patch         |11325 ++++++++++++++++++++++++++++
> >  patches/ldb-memory-bug-15096-4.13-v3.patch  | 2341 +++++
> >  patches/series                              |    3
> >  6 files changed, 13896 insertions(+), 1 deletion(-)
> > 
> > The majority of the change is kpasswd_bugs_v15_4-13.patch which comes from heimdal
> > source.
> > 
> > The samba itself, with these changes, has been tested by the upstream and
> > passed the upstream testsuite.  I myself do not have a test environment where
> > I can test the issues being fixed. Basic functionality, including some minimal
> > AD work, seems to be okay though.
> > 
> > However, there's one possible breakage: libldb2 is used not only by samba but
> > also by the sssd package. So far I wasn't able to test whether sssd binaries continue
> > to work after updating libldb2.  Timo Aaltonen (tjaalton at kapsi.fi) - who is the
> > sssd maintainer - was not able to test my libldb build with sssd, and I have
> > neither knowledge about sssd nor a test environment for it.  Maybe I should
> > check if other distributions already faced any issues there...
> > 
> > The whole thing seems to be okay, but overall, samba in bullseye has so many
> > issues that it's difficult to fix them properly there. Also I had only a limited amount
> > of time to work on the update, but the issues seem to be serious enough to
> > call for a much quicker update. Oh well.
> > 
> > The debdiffs against the current versions in debian are attached.
> > 
> > I'll try to do some more testing but the whole thing looks more or less sane
> > now.
> 
> Thanks for your work on this, will try to look at the whole tomorrow.
> In any case please report back from your further testing and if you
> encounter any issue.

If you have not encountered any issues in the meantime, please go
ahead with the upload to security-master (for safety, please wait for
the accepted mail for the ldb upload before uploading samba as
well).

I have a slight worry the version changes could be a problem but we
have to see.

Thank you!

Regards,
Salvatore
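A consistency check a reviewer of a security upload like the one above would want: cross-check the CVE ids named in the changelog's "fixing:" bullets against its "Closes:" line, and flag ids in the Closes list that are not comma-separated. This is an added example, not code from the thread or from the samba/ldb packaging; the embedded changelog is an abridged copy of the samba entry quoted above, with descriptions shortened to one line.

```python
import re

# Abridged copy of the samba changelog entry quoted in the thread
# (descriptions shortened to one line each).
SAMBA_CHANGELOG = """\
samba (2:4.13.13+dfsg-1~deb11u5) stable-security; urgency=medium
  * 3 patches:
    - CVE-2022-32742-bug-15085-4.13.patch
    - kpasswd_bugs_v15_4-13.patch
    - ldb-memory-bug-15096-4.13-v3.patch
    fixing:
    o CVE-2022-2031: Samba AD users can bypass password change restrictions.
    o CVE-2022-32742: Server memory information leak via SMB1.
    o CVE-2022-32744: Samba AD users can forge password change requests.
    o CVE-2022-32745: Samba AD users can crash the server via LDAP add/modify.
    o CVE-2022-32746: Samba AD users can induce a use-after-free via LDAP.
   * Closes: #1016449, CVE-2022-2031 CVE-2022-32742, CVE-2022-32744,
     CVE-2022-32745, CVE-2022-32746
   * Build-Depend on libldb-dev >= 2.2.3-2~deb11u2
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cve_sets(changelog):
    """Return (described, closed): ids from 'o CVE-...:' bullets and from the
    'Closes:' bullet, including its indented continuation lines."""
    described, closed = set(), set()
    in_closes = False
    for line in changelog.splitlines():
        s = line.strip()
        if s.startswith("* Closes:"):
            in_closes = True
        elif s.startswith(("*", "-")):  # the next bullet ends the Closes block
            in_closes = False
        if in_closes:
            closed.update(CVE_RE.findall(s))
        elif s.startswith("o CVE-"):
            described.add(s.split(":", 1)[0][2:])  # strip the "o " marker
    return described, closed


def check(changelog):
    """Ids described but not closed, ids closed but not described, and
    ids in the Closes list that are followed by another id without a comma."""
    described, closed = cve_sets(changelog)
    closes_text = changelog.split("* Closes:", 1)[1].split("*", 1)[0]
    no_comma = re.findall(r"(CVE-\d{4}-\d+)\s+(?=CVE-)", closes_text)
    return {"not_closed": sorted(described - closed),
            "not_described": sorted(closed - described),
            "missing_comma_after": no_comma}
```

On the quoted entry every described id is closed, and the only finding is the missing comma after CVE-2022-2031 in the Closes line.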
