Univention Bugzilla – Bug 43678
Samba: Multiple issues (4.1)
Last modified: 2017-03-23 13:26:39 CET
Created attachment 8475
CVE-2017-2619.txt

A security update for Samba is planned. Deadline is 2017-03-29.

* Symlink race allows access outside share definition (CVE-2017-2619).

In UCS 4.1 we currently ship Samba 4.5.1. Release of Samba 4.5.6 is scheduled for March 15, this is supposed to contain - quote "a large set of supporting fixes". The actual security update will be 4.5.7.
Created attachment 8476
4.5-racefix.diff

diffstat:
 dir.c  | 171 ++++++++++++++++++++++++++---------
 open.c | 310 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-----
 2 files changed, 412 insertions(+), 69 deletions(-)
The patch applied to samba 4.5.3.

Remarkable patches in patches/samba/4.1-0-0-ucs/2:4.5.1-1-errata4.1-4:
* 00_samba-4.5.1-4.5.2.diffs.quilt
* 00_samba-4.5.2-4.5.3.diffs.quilt
* 99_fix_CVE-2017-2619.quilt

I've rebuilt winexe too.

Advisory: samba.yaml
Additional patches are required, I've committed them as:

99_sambabug12499.quilt
99_sambabug12531-squashed.quilt
99_sambabug12546.quilt
99_sambabug12591.quilt

Samba is rebuilding, yaml adjusted.
There is a problem with shares and Windows 8.1.

If I create a folder via the Windows Explorer in a Samba share, the folder is not visible until I reload the Explorer.

And if I reload very often, or change into a share folder and back very fast and very often, I get a Windows error message:

Das Handle ist ungültig:

In both cases the final smbd error message (log 10) is

smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_INVALID_HANDLE] body[8] dyn[yes:1] at ../source3/smbd/smb2_server.c:3145

This does not happen with Windows 7.
Created attachment 8576
window error after multiple explorer reloads on samba share
Created attachment 8577
smbd log - created dir in windows explorer, not visible
Created attachment 8578
smbd log - many reloads, windows error
This happens with 2:4.5.1-1.854.201703162118, but not with the released version 2:4.5.1-1.851.201701050832.
Created attachment 8579
OK smbd log - create Neuer Ordner (7) with old version succeeded
Ok, the patch 99_fix_CVE-2017-2619.quilt could introduce this. It adds code to OpenDir_fsp (in dir.c) which returns EBADF under certain conditions, and EBADF gets mapped to NT_STATUS_INVALID_HANDLE.

OpenDir_fsp may get called by dptr_create:

================================================================================
[2017/03/17 15:54:54.905298, 5, pid=26913, effective(2013, 5001), real(2013, 0)] ../source3/smbd/dir.c:474(dptr_create)
  dptr_create dir=.
[2017/03/17 15:54:54.905327, 3, pid=26913, effective(2013, 5001), real(2013, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_HANDLE] || at ../source3/smbd/smb2_query_directory.c:154
================================================================================

No idea yet what's going on. I've reported this upstream.

One other code that might play into this is the 99_sambabug12531-squashed.quilt, where set_conn_connectpath -> canonicalize_absolute_path probably transforms "." to "/" in Felix's "smbd log - many reloads, windows error".

One option would be to update to 4.5.7 when it's released on Monday. That way we are the closest to upstream and can better collaborate in case this really turns out to be a problem. I favor this approach currently.
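A triage helper for the smbd log excerpts quoted in this report, as an added example that is not part of the bug report or of Samba: it pairs each NT_STATUS_INVALID_HANDLE record with the function the same pid logged immediately before it. The names `parse_records` and `find_status_errors` are hypothetical, and the sample text is constructed from the log lines quoted above.

```python
import re

# Constructed sample, assembled from the smbd log lines quoted in this report
# (one header line, then the message on the following indented line).
SAMPLE_LOG = """\
[2017/03/17 15:54:54.905298, 5, pid=26913, effective(2013, 5001), real(2013, 0)] ../source3/smbd/dir.c:474(dptr_create)
  dptr_create dir=.
[2017/03/17 15:54:54.905327, 3, pid=26913, effective(2013, 5001), real(2013, 0)] ../source3/smbd/smb2_server.c:3097(smbd_smb2_request_error_ex)
  smbd_smb2_request_error_ex: smbd_smb2_request_error_ex: idx[1] status[NT_STATUS_INVALID_HANDLE] || at ../source3/smbd/smb2_query_directory.c:154
"""

HEADER = re.compile(
    r"^\[(?P<ts>[\d/]+ [\d:.]+),\s*(?P<level>\d+), pid=(?P<pid>\d+)[^\]]*\]\s+"
    r"(?P<src>\S+):(?P<line>\d+)\((?P<func>\w+)\)\s*$")
STATUS = re.compile(r"status\[(NT_STATUS_\w+)\]")
ORIGIN = re.compile(r"\bat (\S+:\d+)")

def parse_records(text):
    """Group each header line with its continuation lines into one record."""
    records = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["msg"] = ""
            records.append(rec)
        elif records and raw.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + raw.strip()).strip()
    return records

def find_status_errors(text, status="NT_STATUS_INVALID_HANDLE"):
    """One finding per matching record, with the previous call of the same pid."""
    findings, last_func = [], {}
    for rec in parse_records(text):
        s = STATUS.search(rec["msg"])
        if s and s.group(1) == status:
            o = ORIGIN.search(rec["msg"])
            findings.append({"ts": rec["ts"], "pid": int(rec["pid"]),
                             "status": s.group(1),
                             "raised_at": o.group(1) if o else None,
                             "preceded_by": last_func.get(rec["pid"])})
        else:
            # Remember the most recent non-error call site for this process.
            last_func[rec["pid"]] = rec["func"]
    return findings
```

Run over a full level 10 log, the `preceded_by` and `raised_at` fields show which request path returns the error, which helps when comparing package builds.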
Created attachment 8592
CVE-2017-2619-v45.patch

Upstream updated the patch. The package has been rebuilt and the advisory is updated.
* install (master, slave, backup + 2 win clients)
  OK - ucs install / join
  OK - win join, logon
  OK - user sync, password sync
  OK - shares
  OK - gpo
  OK - patches
  OK - printer
* update
  OK - update works, minimal samba test
<http://errata.software-univention.de/ucs/4.1/408.html>