Bug 43679

Summary: Samba: Multiple issues (3.3)
Product: UCS
Reporter: Arvid Requate <requate>
Component: Security updates
Assignee: Arvid Requate <requate>
Status: CLOSED FIXED
QA Contact: Felix Botner <botner>
Severity: normal
Priority: P1
CC: michelsmidt
Version: UCS 3.3
Target Milestone: UCS 3.3-1-errata
Hardware: Other
OS: Linux
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 43678
Bug Blocks:
Attachments:
  4.4-racefix.diff
  99_sambabug12387.quilt
  99_sambabug12499.quilt
  99_sambabug12531.quilt
  99_sambabug12546.quilt
  99_sambabug12591.quilt
  4-2-total-fix
  git-am fix for 4.3.13 (v3)

Description Arvid Requate univentionstaff 2017-03-01 10:57:24 CET
+++ This bug was initially created as a clone of Bug #43678 +++

A security update for Samba is planned. Deadline is 2017-03-29.

* Symlink race allows access outside share definition (CVE-2017-2619).

In UCS 3.3 we currently ship Samba 4.3.7.

As far as communicated, there will be backports for Samba 4.2 but there has been no mention of backports for 4.3. The 4.2 backports are announced to contain "a large set of supporting fixes".
Comment 4 Arvid Requate univentionstaff 2017-03-16 20:55:35 CET
Created attachment 8561 [details]
99_sambabug12387.quilt

Applies
Comment 5 Arvid Requate univentionstaff 2017-03-16 20:56:15 CET
Created attachment 8562 [details]
99_sambabug12499.quilt

Applies
Comment 6 Arvid Requate univentionstaff 2017-03-16 21:01:08 CET
Created attachment 8563 [details]
99_sambabug12531.quilt

Doesn't apply, due to differing paths and missing functions:

* source3/lib/util_path.c -> source3/lib/util.c
* source3/lib/util_path.h -> source3/include/proto.h
* function canonicalize_absolute_path doesn't exist yet in Samba 4.3.7
* maybe other things.

Maybe we can learn something from the 4-2-total-fix (I'll attach that below).
Comment 7 Arvid Requate univentionstaff 2017-03-16 21:01:38 CET
Created attachment 8564 [details]
99_sambabug12546.quilt

Applies
Comment 8 Arvid Requate univentionstaff 2017-03-16 21:02:31 CET
Created attachment 8565 [details]
99_sambabug12591.quilt

Applies
Comment 10 Arvid Requate univentionstaff 2017-03-17 21:41:09 CET
Ok, I've fiddled 99_sambabug12531.quilt through git-am and squashed it.
I've also sent the patch set for Samba 4.3.13 upstream.

errata3.3-1 Advisory: samba.yaml
Comment 11 Arvid Requate univentionstaff 2017-03-20 15:04:38 CET
Created attachment 8593 [details]
git-am fix for 4.3.13 (v3)

I've upstreamed this backported git-am patch series:
  https://bugzilla.samba.org/show_bug.cgi?id=12496#c142

Samba has been rebuilt and the advisory is updated.
Comment 12 Felix Botner univentionstaff 2017-03-22 18:35:02 CET
OK patches
OK update
OK installation
OK ucs install / join
OK win join, logon
OK user sync, password sync
OK shares
OK gpo
OK patches
OK printer
OK YAML
Comment 13 Janek Walkenhorst univentionstaff 2017-03-23 13:06:50 CET
<http://errata.software-univention.de/ucs/3.3/31.html>