Bug 43679 – Samba: Multiple issues (3.3)

Bug 43679 - Samba: Multiple issues (3.3)


Summary:	Samba: Multiple issues (3.3)

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Security updates
Version:	UCS 3.3
Hardware:	Other Linux

Importance:	P1 normal (vote)
Target Milestone:	UCS 3.3-1-errata
Assigned To:	Arvid Requate
QA Contact:	Felix Botner

URL:
Keywords:

Depends on:	43678
Blocks:
	Show dependency tree / graph

Reported:	2017-03-01 10:57 CET by Arvid Requate
Modified:	2017-03-23 13:25 CET (History)
CC List:	1 user (show)

See Also:
What kind of report is it?:	Security Issue
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):	Security
Max CVSS v3 score:

Attachments
4.4-racefix.diff (21.70 KB, patch) 2017-03-06 21:13 CET, Arvid Requate	Details \| Diff
99_sambabug12387.quilt (1.32 KB, application/mbox) 2017-03-16 20:55 CET, Arvid Requate	Details
99_sambabug12499.quilt (1.11 KB, application/mbox) 2017-03-16 20:56 CET, Arvid Requate	Details
99_sambabug12531.quilt (76.73 KB, application/mbox) 2017-03-16 21:01 CET, Arvid Requate	Details
99_sambabug12546.quilt (1.84 KB, application/mbox) 2017-03-16 21:01 CET, Arvid Requate	Details
99_sambabug12591.quilt (4.76 KB, application/mbox) 2017-03-16 21:02 CET, Arvid Requate	Details
4-2-total-fix (111.03 KB, application/mbox) 2017-03-16 21:04 CET, Arvid Requate	Details
git-am fix for 4.3.13 (v3) (110.00 KB, application/mbox) 2017-03-20 15:04 CET, Arvid Requate	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2017-03-01 10:57:24 CET

+++ This bug was initially created as a clone of Bug #43678 +++

A security update for Samba is planned. Deadline is 2017-03-29.

* Symlink race allows access outside share definition (CVE-2017-2619).

In UCS 3.3 we currently ship Samba 4.3.7.

As far as communicated, there will be backports for Samba 4.2 but there has been no mention of backports for 4.3. The 4.2 backports are announced to contain "a large set of supporting fixes".

Comment 4 Arvid Requate

2017-03-16 20:55:35 CET

Created attachment 8561 [details]
99_sambabug12387.quilt

Applies

Comment 5 Arvid Requate

2017-03-16 20:56:15 CET

Created attachment 8562 [details]
99_sambabug12499.quilt

Applies

Comment 6 Arvid Requate

2017-03-16 21:01:08 CET

Created attachment 8563 [details]
99_sambabug12531.quilt

Doesn't apply, due to differing paths and missing functions:

* source3/lib/util_path.c -> source3/lib/util.c
* source3/lib/util_path.h -> source3/include/proto.h
* function canonicalize_absolute_path doesn't exist yet in Samba 4.3.7
* maybe other things.

Maybe we can learn something from the 4-2-total-fix (I'll attach that below).

Comment 7 Arvid Requate

2017-03-16 21:01:38 CET

Created attachment 8564 [details]
99_sambabug12546.quilt

Applies

Comment 8 Arvid Requate

2017-03-16 21:02:31 CET

Created attachment 8565 [details]
99_sambabug12591.quilt

Applies

Comment 10 Arvid Requate

2017-03-17 21:41:09 CET

Ok, I've fiddled 99_sambabug12531.quilt though git-am and squashed it.
I've also send the patch set for Samba 4.3.13 upstream.

errata3.3-1 Advisory: samba.yaml

Comment 11 Arvid Requate

2017-03-20 15:04:38 CET

Created attachment 8593 [details]
git-am fix for 4.3.13 (v3)

I've upstreamed this backported git-am patch series:
  https://bugzilla.samba.org/show_bug.cgi?id=12496#c142

Samba has been rebuilt and the advisory is updated.

Comment 12 Felix Botner

2017-03-22 18:35:02 CET

 OK patches
 OK update
 OK installation
 OK ucs install / join
 OK win join, logon
 OK user sync, password sync
 OK shares
 OK gpo
 OK patches
 OK printer
 OK YAML

Comment 13 Janek Walkenhorst

2017-03-23 13:06:50 CET

<http://errata.software-univention.de/ucs/3.3/31.html>