Privilege escalation in mount.cifs

Debian Bug report logs - #567554
Privilege escalation in mount.cifs

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Privilege escalation in mount.cifs

Date: Fri, 29 Jan 2010 19:17:47 +0100

Package: smbfs
Severity: grave
Tags: security

This is CVE-2009-3297:
https://bugzilla.samba.org/show_bug.cgi?id=6853

/usr/share/doc/smbfs/TODO.Debian states:
  There is concern about the setuid status of binaries in this package.
  The audit status of the concerned binaries is unclear.  We should
  figure out whether it is reasonable to provide the flexible user mount
  capabilities or whether a more restricted setup is better, at least by
  default.

Given that Jeremy Allison writes in the bug above you should probably
drop the setuid for Squeeze:

   ------- Comment [88]#2 From [89]Jeremy Allison 2009-10-28 12:51:31 CST -------

 I object strongly to dealing with this as a Samba security issue. This code has
 not bee audited AND MUST NOT BE SHIPPED SETUID root.

Cheers,
        Moritz

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-trunk-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash

Versions of packages smbfs depends on:
ii  libc6                2.10.2-2            GNU C Library: Shared libraries
ii  libcomerr2           1.41.9-1            common error description library
ii  libkeyutils1         1.2-12              Linux Key Management Utilities (li
ii  libkrb53             1.6.dfsg.4~beta1-13 Transitional library package/krb4 
ii  libldap-2.4-2        2.4.17-2.1          OpenLDAP libraries
ii  libpopt0             1.15-1              lib for parsing cmdline parameters
pn  libtalloc1           <none>              (no description available)
ii  libwbclient0         2:3.4.3-2           Samba winbind client library
ii  netbase              4.40                Basic TCP/IP networking system
pn  samba-common         <none>              (no description available)

smbfs recommends no packages.

Versions of packages smbfs suggests:
pn  smbclient                     <none>     (no description available)

Message #10 received at 567554@bugs.debian.org (full text, mbox, reply):

From: Christian PERRIER <bubulle@debian.org>

To: Moritz Muehlenhoff <jmm@debian.org>, 567554@bugs.debian.org

Subject: Re: [Pkg-samba-maint] Bug#567554: Privilege escalation in mount.cifs

Date: Sun, 31 Jan 2010 13:09:22 +0100

[Message part 1 (text/plain, inline)]

Quoting Moritz Muehlenhoff (jmm@debian.org):
> Package: smbfs
> Severity: grave
> Tags: security
> 
> This is CVE-2009-3297:
> https://bugzilla.samba.org/show_bug.cgi?id=6853
> 
> /usr/share/doc/smbfs/TODO.Debian states:
>   There is concern about the setuid status of binaries in this package.
>   The audit status of the concerned binaries is unclear.  We should
>   figure out whether it is reasonable to provide the flexible user mount
>   capabilities or whether a more restricted setup is better, at least by
>   default.
> 
> Given that Jeremy Allison writes in the bug above you should probably
> drop the setuid for Squeeze:

My concern here is that it would definitely be a regression for users
who rely on user mounting of CIFS volumes.

A compromise could be a debconf question about adding the setuid bit
to mount.cifs (with a default to False, of course).

Steve, your advice?

[signature.asc (application/pgp-signature, inline)]

Message #15 received at 567554@bugs.debian.org (full text, mbox, reply):

From: Julien Cristau <jcristau@debian.org>

To: Christian PERRIER <bubulle@debian.org>, 567554@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: [Pkg-samba-maint] Bug#567554: Bug#567554: Privilege escalation in mount.cifs

Date: Sun, 31 Jan 2010 13:30:04 +0100

On Sun, Jan 31, 2010 at 13:09:22 +0100, Christian PERRIER wrote:

> My concern here is that it would definitely be a regression for users
> who rely on user mounting of CIFS volumes.
> 
Doesn't fusesmb replace that?

Cheers,
Julien

Message #20 received at 567554@bugs.debian.org (full text, mbox, reply):

From: Christian PERRIER <bubulle@debian.org>

To: 567554@bugs.debian.org, Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: [Pkg-samba-maint] Bug#567554: Bug#567554: Privilege escalation in mount.cifs

Date: Sun, 31 Jan 2010 15:23:15 +0100

[Message part 1 (text/plain, inline)]

Quoting Julien Cristau (jcristau@debian.org):
> On Sun, Jan 31, 2010 at 13:09:22 +0100, Christian PERRIER wrote:
> 
> > My concern here is that it would definitely be a regression for users
> > who rely on user mounting of CIFS volumes.
> > 
> Doesn't fusesmb replace that?

Sure. There are very certainly better options. But, well, the
principle of least surprise tells us that breaking existing setups
without notice is not a good idea.

[signature.asc (application/pgp-signature, inline)]

Message #25 received at 567554@bugs.debian.org (full text, mbox, reply):

From: Steve Langasek <vorlon@debian.org>

To: Christian PERRIER <bubulle@debian.org>, 567554@bugs.debian.org

Cc: Moritz Muehlenhoff <jmm@debian.org>

Subject: Re: Bug#567554: [Pkg-samba-maint] Bug#567554: Privilege escalation in mount.cifs

Date: Sun, 31 Jan 2010 23:57:41 -0800

[Message part 1 (text/plain, inline)]

On Sun, Jan 31, 2010 at 01:09:22PM +0100, Christian PERRIER wrote:
> Quoting Moritz Muehlenhoff (jmm@debian.org):
> > Package: smbfs
> > Severity: grave
> > Tags: security
> > 
> > This is CVE-2009-3297:
> > https://bugzilla.samba.org/show_bug.cgi?id=6853
> > 
> > /usr/share/doc/smbfs/TODO.Debian states:
> >   There is concern about the setuid status of binaries in this package.
> >   The audit status of the concerned binaries is unclear.  We should
> >   figure out whether it is reasonable to provide the flexible user mount
> >   capabilities or whether a more restricted setup is better, at least by
> >   default.

> > Given that Jeremy Allison writes in the bug above you should probably
> > drop the setuid for Squeeze:

> My concern here is that it would definitely be a regression for users
> who rely on user mounting of CIFS volumes.

> A compromise could be a debconf question about adding the setuid bit
> to mount.cifs (with a default to False, of course).

> Steve, your advice?

Upstream has been increasingly unsupportive of this configuration over time,
and given Jeremy's latest comments on this bug, I think the only reasonable
action here is to drop support for this is the package entirely and document
it in NEWS.Debian on upgrade.

(Users who must have this continue to work can use dpkg-statoverride to set
the suid bit; but I wouldn't even suggest that in NEWS.Debian, because users
shouldn't be encouraged to set programs suid when they're not meant to be
used that way.)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org

[signature.asc (application/pgp-signature, inline)]

Message #32 received at 567554@bugs.debian.org (full text, mbox, reply):

From: Marc Deslauriers <marc.deslauriers@ubuntu.com>

To: Debian Bug Tracking System <567554@bugs.debian.org>

Subject: samba: Ubuntu patch for the issue

Date: Sun, 07 Feb 2010 11:04:26 -0500

[Message part 1 (text/plain, inline)]

Package: samba
Version: 2:3.4.0-3
Severity: normal
Tags: patch
User: ubuntu-devel@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch



*** /tmp/tmpUnTGqJ
In Ubuntu, we've applied the attached patch in our current releases:

  * SECURITY UPDATE: privilege escalation via mount.cifs race
    - debian/patches/security-CVE-2009-3297.patch: validate mount point and
      perform mount in "." to prevent race in source3/client/mount.cifs.c.
    - CVE-2009-3297

We thought you might be interested in doing the same. 


-- System Information:
Debian Release: squeeze/sid
  APT prefers lucid-updates
  APT policy: (500, 'lucid-updates'), (500, 'lucid-security'), (500, 'lucid')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-12-generic (SMP w/2 CPU cores)
Locale: LANG=en_CA.utf8, LC_CTYPE=en_CA.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

[tmpEqJFay (text/x-diff, attachment)]

Message #37 received at 567554-close@bugs.debian.org (full text, mbox, reply):

From: Christian Perrier <bubulle@debian.org>

To: 567554-close@bugs.debian.org

Subject: Bug#567554: fixed in samba 2:3.4.5~dfsg-2

Date: Sun, 14 Feb 2010 06:33:44 +0000

Source: samba
Source-Version: 2:3.4.5~dfsg-2

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive:

libpam-smbpass_3.4.5~dfsg-2_i386.deb
  to main/s/samba/libpam-smbpass_3.4.5~dfsg-2_i386.deb
libsmbclient-dev_3.4.5~dfsg-2_i386.deb
  to main/s/samba/libsmbclient-dev_3.4.5~dfsg-2_i386.deb
libsmbclient_3.4.5~dfsg-2_i386.deb
  to main/s/samba/libsmbclient_3.4.5~dfsg-2_i386.deb
libwbclient0_3.4.5~dfsg-2_i386.deb
  to main/s/samba/libwbclient0_3.4.5~dfsg-2_i386.deb
samba-common-bin_3.4.5~dfsg-2_i386.deb
  to main/s/samba/samba-common-bin_3.4.5~dfsg-2_i386.deb
samba-common_3.4.5~dfsg-2_all.deb
  to main/s/samba/samba-common_3.4.5~dfsg-2_all.deb
samba-dbg_3.4.5~dfsg-2_i386.deb
  to main/s/samba/samba-dbg_3.4.5~dfsg-2_i386.deb
samba-doc-pdf_3.4.5~dfsg-2_all.deb
  to main/s/samba/samba-doc-pdf_3.4.5~dfsg-2_all.deb
samba-doc_3.4.5~dfsg-2_all.deb
  to main/s/samba/samba-doc_3.4.5~dfsg-2_all.deb
samba-tools_3.4.5~dfsg-2_i386.deb
  to main/s/samba/samba-tools_3.4.5~dfsg-2_i386.deb
samba_3.4.5~dfsg-2.debian.tar.gz
  to main/s/samba/samba_3.4.5~dfsg-2.debian.tar.gz
samba_3.4.5~dfsg-2.dsc
  to main/s/samba/samba_3.4.5~dfsg-2.dsc
samba_3.4.5~dfsg-2_i386.deb
  to main/s/samba/samba_3.4.5~dfsg-2_i386.deb
smbclient_3.4.5~dfsg-2_i386.deb
  to main/s/samba/smbclient_3.4.5~dfsg-2_i386.deb
smbfs_3.4.5~dfsg-2_i386.deb
  to main/s/samba/smbfs_3.4.5~dfsg-2_i386.deb
swat_3.4.5~dfsg-2_i386.deb
  to main/s/samba/swat_3.4.5~dfsg-2_i386.deb
winbind_3.4.5~dfsg-2_i386.deb
  to main/s/samba/winbind_3.4.5~dfsg-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567554@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 13 Feb 2010 14:36:33 +0100
Source: samba
Binary: samba samba-common-bin samba-common samba-tools smbclient swat samba-doc samba-doc-pdf smbfs libpam-smbpass libsmbclient libsmbclient-dev winbind samba-dbg libwbclient0
Architecture: source all i386
Version: 2:3.4.5~dfsg-2
Distribution: unstable
Urgency: low
Maintainer: Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 libpam-smbpass - pluggable authentication module for Samba
 libsmbclient - shared library for communication with SMB/CIFS servers
 libsmbclient-dev - development files for libsmbclient
 libwbclient0 - Samba winbind client library
 samba      - SMB/CIFS file, print, and login server for Unix
 samba-common - common files used by both the Samba server and client
 samba-common-bin - common files used by both the Samba server and client
 samba-dbg  - Samba debugging symbols
 samba-doc  - Samba documentation
 samba-doc-pdf - Samba documentation in PDF format
 samba-tools - Samba testing utilities
 smbclient  - command-line SMB/CIFS clients for Unix
 smbfs      - Samba file system utilities
 swat       - Samba Web Administration Tool
 winbind    - Samba nameservice integration server
Closes: 566946 567554
Changes: 
 samba (2:3.4.5~dfsg-2) unstable; urgency=low
 .
   [ Steve langasek ]
   * Revert the "bashisms" fix from version 2:3.3.0~rc2-4; "local foo=bar"
     is explicitly allowed by Policy now, and this change introduced a
     syntax error.  Closes: #566946.
 .
   [ Christian Perrier ]
   * No longer maker (u)mount.cifs setuid root. Add a notice
     about this in the package's NEWS.Debian file
     Closes: #567554
   * Use dh_lintian instead of manual install of lintian overrides
   * Updated Standards to 3.8.4 (checked, no change)
Checksums-Sha1: 
 9b6457da7fa853b5226b23e50c749930a8999ffe 2289 samba_3.4.5~dfsg-2.dsc
 a8b1395e5ca7af0d86e99c7f6e49a9cc587b90ad 475591 samba_3.4.5~dfsg-2.debian.tar.gz
 ce96d12229dd7ca3a2a3bd3919973c6c852ea876 383214 samba-common_3.4.5~dfsg-2_all.deb
 10a65af279a496c7ee5ac82d272e7a989dc572f7 8014302 samba-doc_3.4.5~dfsg-2_all.deb
 639f66abe642310d61fb363676a7e57fd6450672 6717290 samba-doc-pdf_3.4.5~dfsg-2_all.deb
 f67f1cac130b4eaac378040da06c707c7f39be55 6255600 samba_3.4.5~dfsg-2_i386.deb
 570872a30243bd0f1d253310fd52b97dcee20637 4780062 samba-common-bin_3.4.5~dfsg-2_i386.deb
 91a33d3ded32d88587f07a73401e6dc537147b7d 9823972 samba-tools_3.4.5~dfsg-2_i386.deb
 e0b8d5114342d562cb7d38dc5cdfd87c0899816b 11397994 smbclient_3.4.5~dfsg-2_i386.deb
 8341110ea3748d80382a1e23d99bb9cc83101cc4 1888328 swat_3.4.5~dfsg-2_i386.deb
 62493a4ef0fdd8ec86ce47b6347460de67fa6ec9 1825806 smbfs_3.4.5~dfsg-2_i386.deb
 b378ba6da3010d9d6701f9ce3eced4d17fb92256 668506 libpam-smbpass_3.4.5~dfsg-2_i386.deb
 02972dbffc8954c4f22c17479a800d7b7de1fa07 1644894 libsmbclient_3.4.5~dfsg-2_i386.deb
 1935a9fcdc9706aa494637f17ae00da874ed4765 2429320 libsmbclient-dev_3.4.5~dfsg-2_i386.deb
 c0af8cbf89630d24037c30f265d528172a8188ea 4374238 winbind_3.4.5~dfsg-2_i386.deb
 950a016130abcc2cd2bcf1ecf854f20e5526f35a 49003040 samba-dbg_3.4.5~dfsg-2_i386.deb
 6bdf224b6e158e81369d47471986dc78417f97c9 90406 libwbclient0_3.4.5~dfsg-2_i386.deb
Checksums-Sha256: 
 ebe1ff6b1db0c2f83813d1ec6485c8a7845b195f5dd2dc2729102b88f2c64e40 2289 samba_3.4.5~dfsg-2.dsc
 0f32cdc9defd2d57b114f89e1bbc810e78726b6e242714ff3180182d5e71ee6d 475591 samba_3.4.5~dfsg-2.debian.tar.gz
 09083d47510e854e2754f90952f2c5296f7e865f162ae3c9f7ff4c806e3e6f95 383214 samba-common_3.4.5~dfsg-2_all.deb
 ff1dd552e4602067160b7167422932651dbb1d900583cfcacff38e8b7364ff62 8014302 samba-doc_3.4.5~dfsg-2_all.deb
 32c765479d015b0327be364fbaf9885bdcb5de1134416d2fb0336475b2d4eeb2 6717290 samba-doc-pdf_3.4.5~dfsg-2_all.deb
 c8b200e01eac9757ef2be3bc21d8b8d5af89cbda430b4792ad3db29fd3ac159c 6255600 samba_3.4.5~dfsg-2_i386.deb
 f9854b1dca6fd476a1c20c2f1ba8aac85b29884b15228c515341166fcdc443e9 4780062 samba-common-bin_3.4.5~dfsg-2_i386.deb
 d4834cc1533aa8cb325abd5463c5c8449ccc4a1b7611403929b7fec7ffd45c17 9823972 samba-tools_3.4.5~dfsg-2_i386.deb
 7c6b30837a501f620e9f2571911ca916e4544fbcbb8129b3213f01585333b8d1 11397994 smbclient_3.4.5~dfsg-2_i386.deb
 6d196af002ca9701223b29ea7c6fcaeff499e4482bdd33635ba9b0a638b6615d 1888328 swat_3.4.5~dfsg-2_i386.deb
 4edb967ced091f9ff7b75054aaa36529c6c488f902345319f5fa8e4141eb3268 1825806 smbfs_3.4.5~dfsg-2_i386.deb
 0272ad4847c756cc66432cacddb5fb391a0ca1a786c4412a5a46938dc7d435b2 668506 libpam-smbpass_3.4.5~dfsg-2_i386.deb
 550bcede17b1b64a21a256c1f8f8188a0ac9e1f33fcf57507ceb9293373265ff 1644894 libsmbclient_3.4.5~dfsg-2_i386.deb
 eb0b09ff72ef34f56c196dc577c221ec7e321ca0c0201569e1bebc8e52c6aa4b 2429320 libsmbclient-dev_3.4.5~dfsg-2_i386.deb
 b95eab2e2e3dde5940be6247924903067a4eb24b03b817b5c06a8626d5a1cd6f 4374238 winbind_3.4.5~dfsg-2_i386.deb
 de837967a04da03953850c9ee6ccd4cd2695337e940e1720fa6bd0de6c431b7c 49003040 samba-dbg_3.4.5~dfsg-2_i386.deb
 48bb1d218b4bb39e94e9f5aa68a66f5f48660059c01111b69b6072ed7b4de2c4 90406 libwbclient0_3.4.5~dfsg-2_i386.deb
Files: 
 3d1f31035fa8033590049e3d9712fa52 2289 net optional samba_3.4.5~dfsg-2.dsc
 bf50f8c5847dcbd2941e5697313e259a 475591 net optional samba_3.4.5~dfsg-2.debian.tar.gz
 745d8f75c6b5ba755aa723b957ab8b85 383214 net optional samba-common_3.4.5~dfsg-2_all.deb
 312ae3733f2807fe8628fcd8330d7d0b 8014302 doc optional samba-doc_3.4.5~dfsg-2_all.deb
 afaa003cb447491960b40142733c3792 6717290 doc optional samba-doc-pdf_3.4.5~dfsg-2_all.deb
 14e95cd4fe67198d08b346d9ea692e19 6255600 net optional samba_3.4.5~dfsg-2_i386.deb
 bb65858960150ccd8ffd3497c82bb5f0 4780062 net optional samba-common-bin_3.4.5~dfsg-2_i386.deb
 eae1c4d8b26136a6f4afbfeed5082acc 9823972 net optional samba-tools_3.4.5~dfsg-2_i386.deb
 cbf4f317d9e93c6f2d8f0af5c34b12d0 11397994 net optional smbclient_3.4.5~dfsg-2_i386.deb
 f57351eaefee9de05352ede5f75a2f2d 1888328 net optional swat_3.4.5~dfsg-2_i386.deb
 537ae47f73640cfed6e21417ec2e1303 1825806 otherosfs optional smbfs_3.4.5~dfsg-2_i386.deb
 76de7fdab34491758e2132d5d6f54b42 668506 admin extra libpam-smbpass_3.4.5~dfsg-2_i386.deb
 a8efa586a8d9a93b9a0664833b731207 1644894 libs optional libsmbclient_3.4.5~dfsg-2_i386.deb
 7d7b3ef163a679d4615c781c65729335 2429320 libdevel extra libsmbclient-dev_3.4.5~dfsg-2_i386.deb
 48d07af29d2f13b1744852c2af3bbb38 4374238 net optional winbind_3.4.5~dfsg-2_i386.deb
 3f3adf9cf0c388d05b8f6fdfea561a0a 49003040 debug extra samba-dbg_3.4.5~dfsg-2_i386.deb
 7cc95e8f880d3213740c2fb650ec58fa 90406 libs optional libwbclient0_3.4.5~dfsg-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLdsqI1OXtrMAUPS0RAtwgAJ996g/4+3ubXtiXXrgSPUZnE1n4zACfVjcP
PR9tDfjJGM9zgx5kjNL6NmY=
=UdEU
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.