Debian Bug report logs - #568942
samba: mtab corruption via malicious crafted string
Reported by: Pedro R <pedrib@gmail.com>
Date: Mon, 8 Feb 2010 22:57:05 UTC
Severity: important
Tags: security
Found in versions samba/2:3.2.5-4, samba/2:3.4.5~dfsg-1
Fixed in versions 2:3.2.5-4lenny9, 2:3.4.5~dfsg-2
Done: Christian PERRIER <bubulle@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Mon, 08 Feb 2010 22:57:08 GMT)
Acknowledgement sent to Pedro R <pedrib@gmail.com>: New Bug report received and forwarded. Copy sent to pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Mon, 08 Feb 2010 22:57:08 GMT)
Message #5 received at submit@bugs.debian.org:
Package: samba
Version: 2:3.4.5~dfsg-1
Severity: grave
Tags: security
Justification: user security hole
Hi,
a security bug has been discovered in all versions of Samba up to and
including 3.4.5.
It is possible to cause mtab corruption via a specially crafted string.
More information at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
Regards,
Pedro
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (900, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.33-rc7 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages samba depends on:
ii adduser 3.112 add and remove users and groups
ii debconf [debconf-2.0] 1.5.28 Debian configuration management sy
ii libacl1 2.2.49-2 Access control list shared library
ii libattr1 1:2.4.44-1 Extended attribute shared library
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libcap2 1:2.17-2 support for getting/setting POSIX.
ii libcomerr2 1.41.9-1 common error description library
ii libcups2 1.4.2-4 Common UNIX Printing System(tm) -
ii libgnutls26 2.8.5-2 the GNU TLS library - runtime libr
ii libgssapi-krb5-2 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii libk5crypto3 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - C
ii libkrb5-3 1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.17-2.1 OpenLDAP libraries
ii libpam-modules 1.1.0-4 Pluggable Authentication Modules f
ii libpam-runtime 1.1.0-4 Runtime support for the PAM librar
ii libpam0g 1.1.0-4 Pluggable Authentication Modules l
ii libpopt0 1.15-1 lib for parsing cmdline parameters
ii libtalloc2 2.0.1-1 hierarchical pool based memory all
ii libwbclient0 2:3.4.5~dfsg-1 Samba winbind client library
ii lsb-base 3.2-23 Linux Standard Base 3.2 init scrip
ii procps 1:3.2.8-2 /proc file system utilities
ii samba-common 2:3.4.5~dfsg-1 common files used by both the Samb
ii update-inetd 4.35 inetd configuration file updater
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages samba recommends:
ii logrotate 3.7.8-4 Log rotation utility
Versions of packages samba suggests:
pn ctdb <none> (no description available)
pn ldb-tools <none> (no description available)
ii openbsd-inetd [inet-superse 0.20080125-4 The OpenBSD Internet Superserver
pn smbldap-tools <none> (no description available)
-- debconf information excluded
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Tue, 09 Feb 2010 20:36:04 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 09 Feb 2010 20:36:04 GMT)
Message #10 received at 568942@bugs.debian.org:
Pedro R wrote:
> Package: samba
> Version: 2:3.4.5~dfsg-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
>
> Hi,
>
> a security bug has been discovered in all versions of Samba up to and
> including 3.4.5.
> It is possible to cause mtab corruption via a specially crafted string.
> More information at
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
> http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
Since 567554 is tagged pending, I suppose the setuid root bit on
mount.cifs is going to be dropped. Once done, this issue is moot.
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Wed, 10 Feb 2010 07:09:04 GMT)
Acknowledgement sent to Christian PERRIER <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 10 Feb 2010 07:09:04 GMT)
Message #15 received at 568942@bugs.debian.org:
Quoting Moritz Muehlenhoff (jmm@inutil.org):
> > a security bug has been discovered in all versions of Samba up to and
> > including 3.4.5.
> > It is possible to cause mtab corruption via a specially crafted string.
> > More information at
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
> > http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
>
> Since 567554 is tagged pending, I suppose the setuid root bit on
> mount.cifs is going to be dropped. Once done, this issue is moot.
In unstable, then squeeze, yes. This is the change we'll do.
OTOH, we still have lenny that's affected. Dropping the setuid bit in
lenny would break the behaviour of the package in too invasive a way,
so we need to use the patches that have been proposed in the upstream bug
report by Jeff Layton.
However, they don't apply cleanly on our 3.2.5. They were meant for
the upstream 3-2-test branch, so for 3.2.15.
I started working on them yesterday and it seems feasible to port
them. Surprisingly, though, some of the 7 patches proposed by Jeff in
the attached tarball are reported as "already applied" on our 3.2.5
sources.
I end up with only 4 patches needed. See
patches-setuid-lenny.tar.gz. I did not try compiling lenny's samba
with them yet.
[patches-setuid.tar.gz (application/octet-stream, attachment)]
[patches-setuid-lenny.tar.gz (application/octet-stream, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Wed, 10 Feb 2010 19:03:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 10 Feb 2010 19:03:03 GMT)
Message #20 received at 568942@bugs.debian.org:
Christian PERRIER wrote:
> OTOH, we still have lenny that's affected. Dropping the setuid bit in
> lenny would break the behaviour of the package in a too invasive way,
> so we need to use patches that have been proposed in upstream bug
> report by Jeff Layton.
>
> However, they don't apply cleanly on our 3.2.5. They were meant for
> upstream 3-2-test branch, so for 3.2.15
>
> I started working on them yesterday and it seems feasible to port
> them. Surprisingly, though, some of the 7 patches proposed by Jeff in
> the attached tarball are reported as "already applied" on our 3.2.5
> sources.
>
> I end up with only 4 patches needed. See
> patches-setuid-lenny.tar.gz. I did not try compiling lenny's samba
> with them yet.
While there may be a patch for the specific issue, Jeremy made it pretty
clear that it's not suitable for setuid root status. This second bug
about the mtab corruption is another indication.
While it's a little more intrusive than other fixes, it appears to me
that the only correct fix for Lenny is also dropping the setuid root
bit while documenting the necessary dpkg-statoverride calls.
I also fail to see why mount.cifs/umount.cifs should be accessible
for a non-privileged user in the first place. No one would even think
about doing that for NFS, so why should CIFS be any different?
Cheers,
Moritz
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Sat, 13 Feb 2010 08:36:03 GMT)
Acknowledgement sent to Christian PERRIER <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sat, 13 Feb 2010 08:36:03 GMT)
Message #25 received at 568942@bugs.debian.org:
> While there may be a patch for the specific issue, Jeremy made it pretty
> clear that it's not suitable for setuid root status. This second bug
> about the mtab corruption is another indication.
>
> While it's a little more intrusive than other fixes, it appears to me
> that the only correct fix for Lenny is also dropping the setuid root
> bit while documenting the necessary dpkg-statoverride calls.
I went again through upstream #6853
(https://bugzilla.samba.org/show_bug.cgi?id=6853) and I begin to be
convinced that, yes, we should drop the setuid bit *even in Lenny*.
It is very likely to break some existing setups but that really seems
to be a trade-off with high security concerns.
Steve, when discussing this, you were OK with dropping the setuid bit
in squeeze (which we did...though I need now to upload) but at first
glance, dropping it in lenny didn't have your favor. While I was
originally of the same opinion, I'm much more balanced right now,
also because I looked at the patches proposed in #6853 and I have doubts
that my work on them to have them apply on Debian's 3.2.5 is correct.
So, really now, I'm wondering whether dropping that setuid bit
wouldn't be much safer. That's obviously breaking the principle of least
surprise and we need to document things in NEWS.Debian, including the use
of dpkg-statoverride.
Something like what we put in NEWS.Debian for squeeze, but
slightly more complete.
* As of this version, the mount.cifs binary is no longer setuid.
Upstream has always been increasingly unsupportive of this
configuration over time. For instance, in bugs like
https://bugzilla.samba.org/show_bug.cgi?id=6853, it is clearly
mentioned that having it setuid root is discouraged.
If you really rely on mount.cifs being setuid root, you
need to use the following command:
"dpkg-statoverride --add root root 4755 /sbin/mount.cifs"
Be aware that this is highly discouraged by the Samba Team
because mount.cifs code has not been deeply audited.
> I also fail to see why mount.cifs/umount.cifs should be accessible
> for a non-privileged user in the first place. No one would even think
> about doing that for NFS, so why should CIFS be any different?
In #6853, there are mentions of KDE network browser relying on this.
Added tag(s) pending. Request was from vorlon@alioth.debian.org to control@bugs.debian.org. (Sat, 13 Feb 2010 23:12:02 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Sat, 13 Feb 2010 23:21:03 GMT)
Acknowledgement sent to Steve Langasek <vorlon@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sat, 13 Feb 2010 23:21:03 GMT)
Message #32 received at 568942@bugs.debian.org:
severity 568942 important
found 568942 2:3.2.5-4
thanks
On Wed, Feb 10, 2010 at 08:00:28PM +0100, Moritz Muehlenhoff wrote:
> While there may be a patch for the specific issue, Jeremy made it pretty
> clear that it's not suitable for setuid root status. This second bug
> about the mtab corruption is another indication.
In spite of Jeremy's strident insistence that the code hasn't been audited
(by whom? he doesn't say), it was clearly written (and not by him!) with
secure operation by root in mind. TTBOMK, these are the only two security
issues that have been found in mount.cifs; the first is also an issue on any
system with mount points specified in /etc/fstab that are subdirectories of
user-controlled directories, and the second is documented as a denial of
service with no evidence of privilege escalation.
Minimizing the amount of suid code (and the amount of code running as root
generally) is important for security, but dropping the setuid bit on this
program in a stable release and breaking existing installations would be an
overreaction.
> While it's a little more intrusive than other fixes, it appears to me
> that the only correct fix for Lenny is also dropping the setuid root
> bit while documenting the necessary dpkg-statoverride calls.
I disagree. That's not a correct fix, that's caving to FUD from samba
upstream.
Note that this mount helper originally had the setuid bit added because the
*upstream kernel documentation* indicated this was the correct way to
support per-user mounts; and for years before mount.cifs we were using
smbmount, which was also setuid-root and AFAIR had a similar audit status.
> I also fail to see why mount.cifs/umount.cifs should be accessible
> for a non-privileged user in the first place. No one would even think
> about doing that for NFS, so why should CIFS be any different?
The difference is that unlike NFS, CIFS *mounts* are typically authenticated
using per-user, not per-system, credentials. Nowadays FUSE may be a good
replacement for this, but that's not a reason to break the behavior of the
stable releases.
On Sat, Feb 13, 2010 at 09:32:43AM +0100, Christian PERRIER wrote:
> Steve, when discussing this, you were OK with dropping the setuid bit
> in squeeze (which we did...though I need now to upload) but at first
> glance, dropping it in lenny didn't have your favor. While I was
> originally having the same advice, I'm much more balanced right now,
> also because I looked at patches proposed in #6853 and I have doubts
> that my work on them to have them apply on Debian's 3.2.5 is correct.
The tarball attached to your earlier mail includes a number of patches that
are not related to bug #6853, and which have not been posted to bug #6853.
Where did you get this tarball?
In particular, the patches
0001-Revert-cifs-mount-did-not-properly-display-version-s.patch,
0002-s3-mount.cifs-make-mount.cifs-V-print-the-version-no.patch, and
0003-mount.cifs-directly-include-sys-stat.h-in-mtab.c.patch are unrelated to
either of the identified security issues and should not be applied to
stable; and 0004-mount.cifs-properly-check-for-mount-being-in-fstab-w.patch
and 0007-mount.cifs-don-t-allow-it-to-be-run-as-setuid-root-p.patch
deliberately change the behavior of mount.cifs with the rationale that
allowing users to mount shares on directories they own, or shipping
mount.cifs suid-root, is not "safe", which is upstream backpedalling on
previous design decisions and not related to either of the CVEs.
The only patches that are relevant for stable are
0005-mount.cifs-take-extra-care-that-mountpoint-isn-t-cha.patch and
0006-mount.cifs-check-for-invalid-characters-in-device-na.patch,
corresponding to CVE-2009-3297 and CVE-2010-0547 respectively. I've applied
these to the lenny package and will be uploading to the lenny security queue
shortly.
--
Steve Langasek                       Give me a lever long enough and a Free OS
Debian Developer                     to set it on, and I can move the world.
Ubuntu Developer                     http://www.debian.org/
slangasek@ubuntu.com                 vorlon@debian.org
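The mtab corruption this bug tracks (CVE-2010-0547, addressed for lenny by the "check for invalid characters in device name" patch named above) comes down to one property of /etc/mtab: it is a line-oriented, whitespace-separated table, so a device or mount-point string carrying a newline, tab or space ends the record early or shifts its fields. The validator below is an added example in that spirit and is not Samba's or Debian's code; the function names and the sample strings are assumptions, and the exact character set upstream rejects is not claimed here.

```c
/* Added example: reject strings that would split or extend an mtab record.
 * Not the Samba/Debian implementation; names and samples are assumptions. */
#include <ctype.h>
#include <stdio.h>

/* mtab record layout: <device> <mountpoint> <fstype> <options> <dump> <pass>
 * A newline inside any field ends the record early and starts a second,
 * caller-chosen one; a space or tab shifts the remaining fields. Control
 * characters are rejected too, since no valid device or path needs them. */
int mtab_field_ok(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (*p == '\n' || *p == '\r' || *p == '\t' || *p == ' ')
            return 0;               /* record or field separator */
        if (iscntrl(*p))
            return 0;               /* any other control character */
    }
    return 1;
}

/* Format one cifs mtab record into buf. Returns the number of bytes written,
 * or -1 when a field fails validation or the record does not fit in buf
 * (a truncated record would be just as corrupt as an injected one). */
int format_mtab_entry(char *buf, size_t len, const char *dev,
                      const char *mnt, const char *opts)
{
    if (!mtab_field_ok(dev) || !mtab_field_ok(mnt) || !mtab_field_ok(opts))
        return -1;
    int n = snprintf(buf, len, "%s %s cifs %s 0 0\n", dev, mnt, opts);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* How many records a formatted buffer would append to mtab: exactly one
 * newline per record is the invariant the validator preserves. */
int mtab_record_count(const char *buf)
{
    int n = 0;
    for (; *buf; buf++)
        if (*buf == '\n')
            n++;
    return n;
}

int main(void)
{
    char line[256];
    /* Constructed sample inputs: a normal UNC share name and one that
     * smuggles a newline, the shape of string this bug is about. */
    const char *good = "//fileserver/share";
    const char *bad  = "//fileserver/share\ninjected text";
    int n = format_mtab_entry(line, sizeof line, good, "/mnt/share", "rw,user=alice");
    printf("good: %d bytes, %d record(s)\n", n, mtab_record_count(line));
    n = format_mtab_entry(line, sizeof line, bad, "/mnt/share", "rw,user=alice");
    printf("bad: %s\n", n < 0 ? "rejected before reaching mtab" : "accepted");
    return 0;
}
```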
Severity set to 'important' from 'grave'. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 13 Feb 2010 23:21:04 GMT)
Bug Marked as found in versions samba/2:3.2.5-4. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 13 Feb 2010 23:21:05 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Sun, 14 Feb 2010 06:18:03 GMT)
Acknowledgement sent to Christian PERRIER <bubulle@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sun, 14 Feb 2010 06:18:03 GMT)
Message #41 received at 568942@bugs.debian.org:
Quoting Steve Langasek (vorlon@debian.org):
Thanks for helping out on that issue. It was very clearly going beyond
my skills and knowledge. This is why we have a team..:-)
> The tarball attached to your earlier mail includes a number of patches that
> are not related to bug #6853, and which have not been posted to bug #6853.
> Where did you get this tarball?
https://bugzilla.samba.org/show_bug.cgi?id=6853#c13
Indeed that bug report is quite messy and really mixes many things
together, hence /me being puzzled.
> In particular, the patches
> 0001-Revert-cifs-mount-did-not-properly-display-version-s.patch,
> 0002-s3-mount.cifs-make-mount.cifs-V-print-the-version-no.patch, and
> 0003-mount.cifs-directly-include-sys-stat.h-in-mtab.c.patch are unrelated to
> either of the identified security issues and should not be applied to
> stable; and 0004-mount.cifs-properly-check-for-mount-being-in-fstab-w.patch
> and 0007-mount.cifs-don-t-allow-it-to-be-run-as-setuid-root-p.patch
> deliberately change the behavior of mount.cifs with the rationale that
> allowing users to mount shares on directories they own, or shipping
> mount.cifs suid-root, is not "safe", which is upstream backpedalling on
> previous design decisions and not related to either of the CVEs.
>
> The only patches that are relevant for stable are
> 0005-mount.cifs-take-extra-care-that-mountpoint-isn-t-cha.patch and
> 0006-mount.cifs-check-for-invalid-characters-in-device-na.patch,
> corresponding to CVE-2009-3297 and CVE-2010-0547 respectively. I've applied
> these to the lenny package and will be uploading to the lenny security queue
> shortly.
Ack. Thanks for your time and work on this hairy issue.
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>: Bug#568942; Package samba. (Sun, 14 Feb 2010 11:21:06 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sun, 14 Feb 2010 11:21:06 GMT)
Message #46 received at 568942@bugs.debian.org:
On Sun, Feb 14, 2010 at 07:12:37AM +0100, Christian PERRIER wrote:
> Quoting Steve Langasek (vorlon@debian.org):
>
> Thanks for helping out on that issue. It was very clearly going beyond
> my skills and knowledge. This is why we have a team..:-)
>
> > The tarball attached to your earlier mail includes a number of patches that
> > are not related to bug #6853, and which have not been posted to bug #6853.
> > Where did you get this tarball?
>
> https://bugzilla.samba.org/show_bug.cgi?id=6853#c13
>
> Indeed that bug report is quite messy and really mixes many things
> together, hence /me being puzzled.
>
> > In particular, the patches
> > 0001-Revert-cifs-mount-did-not-properly-display-version-s.patch,
> > 0002-s3-mount.cifs-make-mount.cifs-V-print-the-version-no.patch, and
> > 0003-mount.cifs-directly-include-sys-stat.h-in-mtab.c.patch are unrelated to
> > either of the identified security issues and should not be applied to
> > stable; and 0004-mount.cifs-properly-check-for-mount-being-in-fstab-w.patch
> > and 0007-mount.cifs-don-t-allow-it-to-be-run-as-setuid-root-p.patch
> > deliberately change the behavior of mount.cifs with the rationale that
> > allowing users to mount shares on directories they own, or shipping
> > mount.cifs suid-root, is not "safe", which is upstream backpedalling on
> > previous design decisions and not related to either of the CVEs.
> >
> > The only patches that are relevant for stable are
> > 0005-mount.cifs-take-extra-care-that-mountpoint-isn-t-cha.patch and
> > 0006-mount.cifs-check-for-invalid-characters-in-device-na.patch,
> > corresponding to CVE-2009-3297 and CVE-2010-0547 respectively. I've applied
> > these to the lenny package and will be uploading to the lenny security queue
> > shortly.
>
>
> Ack. Thanks for your time and work on this hairy issue.
Fair enough, I'll leave this to the maintainer's judgement and process this
update.
Cheers,
Moritz
Reply sent to Christian PERRIER <bubulle@debian.org>: You have taken responsibility. (Thu, 12 May 2011 12:09:41 GMT)
Notification sent to Pedro R <pedrib@gmail.com>: Bug acknowledged by developer. (Thu, 12 May 2011 12:09:43 GMT)
Message #51 received at 568942-done@bugs.debian.org:
Version: 2:3.2.5-4lenny9
The above version fixed that bug for lenny. Dunno why this wasn't
recorded in the BTS.
Reply sent to Christian PERRIER <bubulle@debian.org>: You have taken responsibility. (Thu, 12 May 2011 12:09:49 GMT)
Notification sent to Pedro R <pedrib@gmail.com>: Bug acknowledged by developer. (Thu, 12 May 2011 12:09:49 GMT)
Message #56 received at 568942-done@bugs.debian.org:
Version: 2:3.4.5~dfsg-2
This version dropped the setuid bit in mount.cifs (which was later
moved to cifs-utils) and is thus considered to be the one fixing this
issue for squeeze.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jun 2011 07:33:53 GMT)
Last modified: Wed Jun 19 17:56:30 2019