Bug 43678 - Samba: Multiple issues (4.1)
Samba: Multiple issues (4.1)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 4.1
Other Linux
: P1 normal (vote)
: UCS 4.1-4-errata
Assigned To: Arvid Requate
Felix Botner
:
Depends on: 43681
Blocks: 43679
  Show dependency treegraph
 
Reported: 2017-03-01 10:46 CET by Arvid Requate
Modified: 2017-03-23 13:26 CET (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Attachments
window error after multiple explorer reloads on samba share (10.22 KB, image/png)
2017-03-17 17:10 CET, Felix Botner
Details
smbd log - created dir in windows explorer, not visible (652.91 KB, text/plain)
2017-03-17 17:11 CET, Felix Botner
Details
smbd log - many reloads, windows error (402.43 KB, text/plain)
2017-03-17 17:11 CET, Felix Botner
Details
OK smbd log - create Neuer Ordner (7) with old version (844.02 KB, text/plain)
2017-03-17 17:40 CET, Felix Botner
Details
CVE-2017-2619-v45.patch (28.17 KB, patch)
2017-03-20 14:51 CET, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2017-03-01 10:46:59 CET
Created attachment 8475 [details]
CVE-2017-2619.txt

A security update for Samba is planned. Deadline is 2017-03-29.

* Symlink race allows access outside share definition (CVE-2017-2619).

In UCS 4.1 we currently ship Samba 4.5.1.

Release of Samba 4.5.6 is scheduled for March 15, this is supposed to contain - quote "a large set of supporting fixes". The actual security update will be 4.5.7.
Comment 1 Arvid Requate univentionstaff 2017-03-01 10:48:46 CET
Created attachment 8476 [details]
4.5-racefix.diff

diffstat:
 dir.c  |  171 ++++++++++++++++++++++++++---------
 open.c |  310 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 412 insertions(+), 69 deletions(-)
Comment 2 Arvid Requate univentionstaff 2017-03-13 16:27:31 CET
The patch applied to samba 4.5.3.

Remarkable patches in patches/samba/4.1-0-0-ucs/2:4.5.1-1-errata4.1-4:

* 00_samba-4.5.1-4.5.2.diffs.quilt
* 00_samba-4.5.2-4.5.3.diffs.quilt
* 99_fix_CVE-2017-2619.quilt

I've rebuilt winexe too

Advisory: samba.yaml
Comment 3 Arvid Requate univentionstaff 2017-03-16 21:21:04 CET
Additional patches are required, I've committed them as:

 99_sambabug12499.quilt
 99_sambabug12531-squashed.quilt
 99_sambabug12546.quilt
 99_sambabug12591.quilt

Samba is rebuilding, yaml adjusted.
Comment 4 Felix Botner univentionstaff 2017-03-17 17:09:17 CET
There is a problem with shares and windows 8.1.

I i create a folder via the windows explorer in a samba share, the folder is not visible until i reload the explorer. And if i reload very often or change into a share folder and back very fast and very often i get a windows error message:
Das Handle ist ungültig:


In both cases the final smbd error message (log 10) is

smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_INVALID_HANDLE] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145

This does not happen with windows 7.
Comment 5 Felix Botner univentionstaff 2017-03-17 17:10:40 CET
Created attachment 8576 [details]
window error after multiple explorer reloads on samba share
Comment 6 Felix Botner univentionstaff 2017-03-17 17:11:18 CET
Created attachment 8577 [details]
smbd log - created dir in windows explorer, not visible
Comment 7 Felix Botner univentionstaff 2017-03-17 17:11:48 CET
Created attachment 8578 [details]
smbd log - many reloads, windows error
Comment 8 Felix Botner univentionstaff 2017-03-17 17:13:29 CET
This happens with 2:4.5.1-1.854.201703162118, but not with the released version 2:4.5.1-1.851.201701050832.
Comment 9 Felix Botner univentionstaff 2017-03-17 17:40:58 CET
Created attachment 8579 [details]
OK smbd log - create Neuer Ordner (7) with old version

succeededa
Comment 10 Arvid Requate univentionstaff 2017-03-18 20:02:17 CET
Ok, the patch 99_fix_CVE-2017-2619.quilt could introduce this. It adds code to OpenDir_fsp (in dir.c) which returns EBADF under certain conditions, and EBADF gets mapped to NT_STATUS_INVALID_HANDLE. OpenDir_fsp may get called by dptr_create:

================================================================================
[2017/03/17 15:54:54.905298,  5, pid=26913, effective(2013, 5001), real(2013, 0)] ../source3/smbd/dir.c:474(dptr_create)
  dptr_create dir=.
[2017/03/17 15:54:54.905327,  3, pid=26913, effective(2013, 5001), real(2013, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_HANDLE] || at ../source3/smbd/smb2_query_directory.c:154
================================================================================

No idea yet what's going on. I've reported this upstream.

One other code that might play into this is the 99_sambabug12531-squashed.quilt, where set_conn_connectpath -> canonicalize_absolute_path probably transforms "." to "/" in Felix's "smbd log - many reloads, windows error".


One option would be to update to 4.5.7 when it's released on Monday. That way we are the closest to upstream and better collaborate in case this really turns out to be a problem. I favor this approach currently.
Comment 11 Arvid Requate univentionstaff 2017-03-20 14:51:49 CET
Created attachment 8592 [details]
CVE-2017-2619-v45.patch

Upstream updated the patch.
The package has been rebuilt and the advisory is updated.
Comment 12 Felix Botner univentionstaff 2017-03-22 12:23:33 CET
* install (master, slave, backup + 2 win clients)
 OK - ucs install / join
 OK - win join, logon
 OK - user sync, password sync
 OK - shares
 OK - gpo
 OK - patches
 OK - printer

* update 
 OK - update works, minimal samba test
Comment 13 Janek Walkenhorst univentionstaff 2017-03-23 12:00:58 CET
<http://errata.software-univention.de/ucs/4.1/408.html>