samba: mtab corruption via malicious crafted string

Related Vulnerabilities: CVE-2010-0547   CVE-2009-3297  

Debian Bug report logs - #568942


Reported by: Pedro R <pedrib@gmail.com>

Date: Mon, 8 Feb 2010 22:57:05 UTC

Severity: important

Tags: security

Found in versions samba/2:3.2.5-4, samba/2:3.4.5~dfsg-1

Fixed in versions 2:3.2.5-4lenny9, 2:3.4.5~dfsg-2

Done: Christian PERRIER <bubulle@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Mon, 08 Feb 2010 22:57:08 GMT)


Acknowledgement sent to Pedro R <pedrib@gmail.com>:
New Bug report received and forwarded. Copy sent to pedrib@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Mon, 08 Feb 2010 22:57:08 GMT)


Message #5 received at submit@bugs.debian.org:

From: Pedro R <pedrib@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: samba: mtab corruption via malicious crafted string
Date: Mon, 08 Feb 2010 22:52:15 +0000
Package: samba
Version: 2:3.4.5~dfsg-1
Severity: grave
Tags: security
Justification: user security hole


Hi,

a security bug has been discovered in all versions of Samba up to and 
including 3.4.5. 
It is possible to cause mtab corruption via a specially crafted string.
More information at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054

Regards,
Pedro

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (900, 'testing'), (650, 'unstable'), (600, 'experimental'), (500, 'testing-proposed-updates')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.33-rc7 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages samba depends on:
ii  adduser                3.112             add and remove users and groups
ii  debconf [debconf-2.0]  1.5.28            Debian configuration management sy
ii  libacl1                2.2.49-2          Access control list shared library
ii  libattr1               1:2.4.44-1        Extended attribute shared library
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libcap2                1:2.17-2          support for getting/setting POSIX.
ii  libcomerr2             1.41.9-1          common error description library
ii  libcups2               1.4.2-4           Common UNIX Printing System(tm) - 
ii  libgnutls26            2.8.5-2           the GNU TLS library - runtime libr
ii  libgssapi-krb5-2       1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - k
ii  libk5crypto3           1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries - C
ii  libkrb5-3              1.8+dfsg~alpha1-5 MIT Kerberos runtime libraries
ii  libldap-2.4-2          2.4.17-2.1        OpenLDAP libraries
ii  libpam-modules         1.1.0-4           Pluggable Authentication Modules f
ii  libpam-runtime         1.1.0-4           Runtime support for the PAM librar
ii  libpam0g               1.1.0-4           Pluggable Authentication Modules l
ii  libpopt0               1.15-1            lib for parsing cmdline parameters
ii  libtalloc2             2.0.1-1           hierarchical pool based memory all
ii  libwbclient0           2:3.4.5~dfsg-1    Samba winbind client library
ii  lsb-base               3.2-23            Linux Standard Base 3.2 init scrip
ii  procps                 1:3.2.8-2         /proc file system utilities
ii  samba-common           2:3.4.5~dfsg-1    common files used by both the Samb
ii  update-inetd           4.35              inetd configuration file updater
ii  zlib1g                 1:1.2.3.4.dfsg-3  compression library - runtime

Versions of packages samba recommends:
ii  logrotate                     3.7.8-4    Log rotation utility

Versions of packages samba suggests:
pn  ctdb                        <none>       (no description available)
pn  ldb-tools                   <none>       (no description available)
ii  openbsd-inetd [inet-superse 0.20080125-4 The OpenBSD Internet Superserver
pn  smbldap-tools               <none>       (no description available)

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Tue, 09 Feb 2010 20:36:04 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Tue, 09 Feb 2010 20:36:04 GMT)


Message #10 received at 568942@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Pedro R <pedrib@gmail.com>, 568942@bugs.debian.org
Subject: Re: Bug#568942: samba: mtab corruption via malicious crafted string
Date: Tue, 9 Feb 2010 21:34:39 +0100
Pedro R wrote:
> Package: samba
> Version: 2:3.4.5~dfsg-1
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> 
> Hi,
> 
> a security bug has been discovered in all versions of Samba up to and 
> including 3.4.5. 
> It is possible to cause mtab corruption via a specially crafted string.
> More information at
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
> http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054

Since 567554 is tagged pending, I suppose the setuid root bit on
mount.cifs is going to be dropped. Once done, this issue is moot.

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Wed, 10 Feb 2010 07:09:04 GMT)


Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 10 Feb 2010 07:09:04 GMT)


Message #15 received at 568942@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 568942@bugs.debian.org
Cc: Pedro R <pedrib@gmail.com>
Subject: Re: [Pkg-samba-maint] Bug#568942: samba: mtab corruption via malicious crafted string
Date: Wed, 10 Feb 2010 07:44:52 +0100
Quoting Moritz Muehlenhoff (jmm@inutil.org):

> > a security bug has been discovered in all versions of Samba up to and 
> > including 3.4.5. 
> > It is possible to cause mtab corruption via a specially crafted string.
> > More information at
> > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0547
> > http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
> 
> Since 567554 is tagged pending, I suppose the setuid root bit on
> mount.cifs is going to be dropped. Once done, this issue is moot.

In unstable, then squeeze, yes. This is the change we'll do.

OTOH, we still have lenny that's affected. Dropping the setuid bit in
lenny would break the behaviour of the package in a too invasive way,
so we need to use patches that have been proposed in upstream bug
report by Jeff Layton.

However, they don't apply cleanly on our 3.2.5. They were meant for
upstream 3-2-test branch, so for 3.2.15

I started working on them yesterday and it seems feasible to port
them. Surprisingly, though, some of the 7 patches proposed by Jeff in
the attached tarball are reported as "already applied" on our 3.2.5
sources.

I end up with only 4 patches needed. See
patches-setuid-lenny.tar.gz. I did not try compiling lenny's samba
with them yet.





[patches-setuid.tar.gz (application/octet-stream, attachment)]
[patches-setuid-lenny.tar.gz (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Wed, 10 Feb 2010 19:03:03 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Wed, 10 Feb 2010 19:03:03 GMT)


Message #20 received at 568942@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christian PERRIER <bubulle@debian.org>
Cc: 568942@bugs.debian.org, Pedro R <pedrib@gmail.com>
Subject: Re: [Pkg-samba-maint] Bug#568942: samba: mtab corruption via malicious crafted string
Date: Wed, 10 Feb 2010 20:00:28 +0100
Christian PERRIER wrote:
> OTOH, we still have lenny that's affected. Dropping the setuid bit in
> lenny would break the behaviour of the package in a too invasive way,
> so we need to use patches that have been proposed in upstream bug
> report by Jeff Layton.
> 
> However, they don't apply cleanly on our 3.2.5. They were meant for
> upstream 3-2-test branch, so for 3.2.15
> 
> I started working on them yesterday and it seems feasible to port
> them. Surprisingly, though, some of the 7 patches proposed by Jeff in
> the attached tarball are reported as "already applied" on our 3.2.5
> sources.
> 
> I end up with only 4 patches needed. See
> patches-setuid-lenny.tar.gz. I did not try compiling lenny's samba
> with them yet.

While there may be a patch for the specific issue, Jeremy made it pretty
clear that it's not suitable for setuid root status. This second bug
about the mtab corruption is another indicative.

While it's a little more intrusive than other fixes, it appears to me
that the only correct fix for Lenny is also dropping the setuid root
bit while documenting the necessary dpkg-statoverride calls.

I also fail to see why mount.cifs/umount.cifs should be accessible
for a non-privileged user in the first place. No one would even think
about doing that for NFS, so why should CIFS be any different?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Sat, 13 Feb 2010 08:36:03 GMT)


Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sat, 13 Feb 2010 08:36:03 GMT)


Message #25 received at 568942@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 568942@bugs.debian.org, vorlon@debian.org
Subject: Re: [Pkg-samba-maint] Bug#568942: samba: mtab corruption via malicious crafted string
Date: Sat, 13 Feb 2010 09:32:43 +0100
> While there may be a patch for the specific issue, Jeremy made it pretty
> clear that it's not suitable for setuid root status. This second bug
> about the mtab corruption is another indicative.
> 
> While it's a little more intrusive than other fixes, it appears to me
> that the only correct fix for Lenny is also dropping the setuid root
> bit while documenting the necessary dpkg-statoverride calls.

I went again through upstream #6853
(https://bugzilla.samba.org/show_bug.cgi?id=6853) and I begin to be
convinced that, yes, we should drop the setuid bit *even in Lenny*.

It is very likely to break some existing setup but that really seems
to be a trade-off with high security concerns.

Steve, when discussing this, you were OK with dropping the setuid bit
in squeeze (which we did...though I need now to upload) but at first
glance, dropping it in lenny didn't have your favor. While I was
originally having the same advice, I'm much more balanced right now,
also because I looked at patches proposed in #6853 and I have doubts
that my work on them to have them apply on Debian's 3.2.5 is correct.

So, really now, I'm wondering whether dropping that setuid bit
wouldn't be much safer. That's obviously breaking the principle of least
surprise and need to document things in NEWS.Debian, including the use
of dpkg-statoverride.

Something like what we did put in NEWS.Debian for squeeze, but
slightly more complete.

  * As of this version, the mount.cifs binary is no longer setuid.
    Upstream has always been increasingly unsupportive of this
    configuration over time. For instance, in bugs like
    https://bugzilla.samba.org/show_bug.cgi?id=6853, it is clearly
    mentioned that having it setuid root is discouraged.
    If you really rely on mount.cifs being setuid root, you
    need to use the following command:
    "dpkg-statoverride --add root root 4755 /sbin/mount.cifs"
    Be aware that this is highly discouraged by the Samba Team
    because mount.cifs code has not been deeply audited.

> I also fail to see why mount.cifs/umount.cifs should be accessible
> for a non-privileged user in the first place. No one would even think
> about doing that for NFS, so why should CIFS be any different?


In #6853, there are mentions of KDE network browser relying on this.


Added tag(s) pending. Request was from vorlon@alioth.debian.org to control@bugs.debian.org. (Sat, 13 Feb 2010 23:12:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Sat, 13 Feb 2010 23:21:03 GMT)


Acknowledgement sent to Steve Langasek <vorlon@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sat, 13 Feb 2010 23:21:03 GMT)


Message #32 received at 568942@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 568942@bugs.debian.org, Christian PERRIER <bubulle@debian.org>
Cc: Pedro R <pedrib@gmail.com>
Subject: Re: Bug#568942: [Pkg-samba-maint] Bug#568942: samba: mtab corruption via malicious crafted string
Date: Sat, 13 Feb 2010 15:18:55 -0800
severity 568942 important
found 568942 2:3.2.5-4
thanks

On Wed, Feb 10, 2010 at 08:00:28PM +0100, Moritz Muehlenhoff wrote:
> While there may be a patch for the specific issue, Jeremy made it pretty
> clear that it's not suitable for setuid root status. This second bug
> about the mtab corruption is another indicative.

In spite of Jeremy's strident insistence that the code hasn't been audited
(by whom? he doesn't say), it was clearly written (and not by him!) with
secure operation by root in mind.  TTBOMK, these are the only two security
issues that have been found in mount.cifs; the first is also an issue on any
system with mount points specified in /etc/fstab that are subdirectories of
user-controlled directories, and the second is documented as a denial of
service with no evidence of privilege escalation.

Minimizing the amount of suid code (and the amount of code running as root
generally) is important for security, but dropping the setuid bit on this
program in a stable release and breaking existing installations would be an
overreaction.

> While it's a little more intrusive than other fixes, it appears to me
> that the only correct fix for Lenny is also dropping the setuid root
> bit while documenting the necessary dpkg-statoverride calls.

I disagree.  That's not a correct fix, that's caving to FUD from samba
upstream.

Note that this mount helper originally had the setuid bit added because the
*upstream kernel documentation* indicated this was the correct way to
support per-user mounts; and for years before mount.cifs we were using
smbmount, which was also setuid-root and AFAIR had a similar audit status.

> I also fail to see why mount.cifs/umount.cifs should be accessible
> for a non-privileged user in the first place. No one would even think
> about doing that for NFS, so why should CIFS be any different?

The difference is that unlike NFS, CIFS *mounts* are typically authenticated
using per-user, not per-system, credentials.  Nowadays FUSE may be a good
replacement for this, but that's not a reason to break the behavior of the
stable releases.

On Sat, Feb 13, 2010 at 09:32:43AM +0100, Christian PERRIER wrote:
> Steve, when discussing this, you were OK with dropping the setuid bit
> in squeeze (which we did...though I need now to upload) but at first
> glance, dropping it in lenny didn't have your favor. While I was
> originally having the same advice, I'm much more balanced right now,
> also because I looked at patches proposed in #6853 and I have doubts
> that my work on them to have them apply on Debian's 3.2.5 is correct.

The tarball attached to your earlier mail includes a number of patches that
are not related to bug #6853, and which have not been posted to bug #6853.
Where did you get this tarball?

In particular, the patches
0001-Revert-cifs-mount-did-not-properly-display-version-s.patch,
0002-s3-mount.cifs-make-mount.cifs-V-print-the-version-no.patch, and
0003-mount.cifs-directly-include-sys-stat.h-in-mtab.c.patch are unrelated to
either of the identified security issues and should not be applied to
stable; and 0004-mount.cifs-properly-check-for-mount-being-in-fstab-w.patch
and 0007-mount.cifs-don-t-allow-it-to-be-run-as-setuid-root-p.patch
deliberately change the behavior of mount.cifs with the rationale that
allowing users to mount shares on directories they own, or shipping
mount.cifs suid-root, is not "safe", which is upstream backpedalling on
previous design decisions and not related to either of the CVEs.

The only patches that are relevant for stable are
0005-mount.cifs-take-extra-care-that-mountpoint-isn-t-cha.patch and
0006-mount.cifs-check-for-invalid-characters-in-device-na.patch,
corresponding to CVE-2009-3297 and CVE-2010-0547 respectively.  I've applied
these to the lenny package and will be uploading to the lenny security queue
shortly.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@ubuntu.com                                     vorlon@debian.org
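
The kind of check named by the 0006 patch title above (rejecting invalid characters in the device name before a mount-table entry is written), sketched as an added example; it is not the upstream Samba patch or Debian's backport. The function names, the status codes and the policy of rejecting every control byte are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this added example. */
enum { MTAB_OK = 0, MTAB_EMPTY = -1, MTAB_BAD_CHAR = -2, MTAB_TOO_LONG = -3 };

/*
 * Reject empty fields and any control byte (newline, tab, CR, DEL, ...).
 * The mount table holds one entry per line, so a raw newline inside a
 * field would end the record early. Rejecting all control bytes is this
 * example's own policy and is deliberately strict.
 */
static int check_field(const char *s)
{
    if (s == NULL || *s == '\0')
        return MTAB_EMPTY;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c < 0x20 || c == 0x7f)
            return MTAB_BAD_CHAR;
    }
    return MTAB_OK;
}

/*
 * Copy a validated field into out, writing space and backslash as the
 * octal escapes (\040, \134) conventionally used in fstab/mtab fields.
 */
static int escape_field(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *s; s++) {
        const char *esc = (*s == ' ') ? "\\040" : (*s == '\\') ? "\\134" : NULL;
        size_t need = esc ? 4 : 1;
        if (n + need + 1 > outlen)
            return MTAB_TOO_LONG;
        if (esc)
            memcpy(out + n, esc, 4);
        else
            out[n] = *s;
        n += need;
    }
    out[n] = '\0';
    return MTAB_OK;
}

/* Build one "device mountpoint cifs options 0 0" record, or fail closed. */
int build_mtab_line(const char *dev, const char *dir, const char *opts,
                    char *line, size_t linelen)
{
    char d[256], m[256], o[256];
    int rc;

    if ((rc = check_field(dev)) || (rc = check_field(dir)) ||
        (rc = check_field(opts)))
        return rc;
    if ((rc = escape_field(dev, d, sizeof d)) ||
        (rc = escape_field(dir, m, sizeof m)) ||
        (rc = escape_field(opts, o, sizeof o)))
        return rc;
    if ((size_t)snprintf(line, linelen, "%s %s cifs %s 0 0\n", d, m, o) >= linelen)
        return MTAB_TOO_LONG;
    return MTAB_OK;
}

int main(void)
{
    char line[1024];
    /* Constructed sample input, not taken from the bug report. */
    int rc = build_mtab_line("//server/my share", "/mnt/share", "rw",
                             line, sizeof line);
    if (rc == MTAB_OK)
        fputs(line, stdout);
    return rc == MTAB_OK ? 0 : 1;
}
```

Validation runs on every field before anything is formatted, so a rejected input never reaches the code that would write the record.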

Severity set to 'important' from 'grave' Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 13 Feb 2010 23:21:04 GMT)


Bug Marked as found in versions samba/2:3.2.5-4. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (Sat, 13 Feb 2010 23:21:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Sun, 14 Feb 2010 06:18:03 GMT)


Acknowledgement sent to Christian PERRIER <bubulle@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sun, 14 Feb 2010 06:18:03 GMT)


Message #41 received at 568942@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: Moritz Muehlenhoff <jmm@inutil.org>, 568942@bugs.debian.org, Pedro R <pedrib@gmail.com>
Subject: Re: Bug#568942: [Pkg-samba-maint] Bug#568942: samba: mtab corruption via malicious crafted string
Date: Sun, 14 Feb 2010 07:12:37 +0100
Quoting Steve Langasek (vorlon@debian.org):

Thanks for helping out on that issue. It was very clearly going beyond
my skills and knowledge. This is why we have a team..:-)

> The tarball attached to your earlier mail includes a number of patches that
> are not related to bug #6853, and which have not been posted to bug #6853.
> Where did you get this tarball?

https://bugzilla.samba.org/show_bug.cgi?id=6853#c13

Indeed that bug report is quite messy and really mixes many things
together, hence /me being puzzled.

> In particular, the patches
> 0001-Revert-cifs-mount-did-not-properly-display-version-s.patch,
> 0002-s3-mount.cifs-make-mount.cifs-V-print-the-version-no.patch, and
> 0003-mount.cifs-directly-include-sys-stat.h-in-mtab.c.patch are unrelated to
> either of the identified security issues and should not be applied to
> stable; and 0004-mount.cifs-properly-check-for-mount-being-in-fstab-w.patch
> and 0007-mount.cifs-don-t-allow-it-to-be-run-as-setuid-root-p.patch
> deliberately change the behavior of mount.cifs with the rationale that
> allowing users to mount shares on directories they own, or shipping
> mount.cifs suid-root, is not "safe", which is upstream backpedalling on
> previous design decisions and not related to either of the CVEs.
> 
> The only patches that are relevant for stable are
> 0005-mount.cifs-take-extra-care-that-mountpoint-isn-t-cha.patch and
> 0006-mount.cifs-check-for-invalid-characters-in-device-na.patch,
> corresponding to CVE-2009-3297 and CVE-2010-0547 respectively.  I've applied
> these to the lenny package and will be uploading to the lenny security queue
> shortly.


Ack. Thanks for your time and work on this hairy issue.


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>:
Bug#568942; Package samba. (Sun, 14 Feb 2010 11:21:06 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Samba Maintainers <pkg-samba-maint@lists.alioth.debian.org>. (Sun, 14 Feb 2010 11:21:06 GMT)


Message #46 received at 568942@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Christian PERRIER <bubulle@debian.org>
Cc: team@security.debian.org, 568942@bugs.debian.org, Pedro R <pedrib@gmail.com>
Subject: Re: Bug#568942: [Pkg-samba-maint] Bug#568942: samba: mtab corruption via malicious crafted string
Date: Sun, 14 Feb 2010 12:19:39 +0100
On Sun, Feb 14, 2010 at 07:12:37AM +0100, Christian PERRIER wrote:
> Quoting Steve Langasek (vorlon@debian.org):
> 
> Thanks for helping out on that issue. It was very clearly going beyond
> my skills and knowledge. This is why we have a team..:-)
> 
> > The tarball attached to your earlier mail includes a number of patches that
> > are not related to bug #6853, and which have not been posted to bug #6853.
> > Where did you get this tarball?
> 
> https://bugzilla.samba.org/show_bug.cgi?id=6853#c13
> 
> Indeed that bug report is quite messy and really mixes many things
> together, hence /me being puzzled.
> 
> > In particular, the patches
> > 0001-Revert-cifs-mount-did-not-properly-display-version-s.patch,
> > 0002-s3-mount.cifs-make-mount.cifs-V-print-the-version-no.patch, and
> > 0003-mount.cifs-directly-include-sys-stat.h-in-mtab.c.patch are unrelated to
> > either of the identified security issues and should not be applied to
> > stable; and 0004-mount.cifs-properly-check-for-mount-being-in-fstab-w.patch
> > and 0007-mount.cifs-don-t-allow-it-to-be-run-as-setuid-root-p.patch
> > deliberately change the behavior of mount.cifs with the rationale that
> > allowing users to mount shares on directories they own, or shipping
> > mount.cifs suid-root, is not "safe", which is upstream backpedalling on
> > previous design decisions and not related to either of the CVEs.
> > 
> > The only patches that are relevant for stable are
> > 0005-mount.cifs-take-extra-care-that-mountpoint-isn-t-cha.patch and
> > 0006-mount.cifs-check-for-invalid-characters-in-device-na.patch,
> > corresponding to CVE-2009-3297 and CVE-2010-0547 respectively.  I've applied
> > these to the lenny package and will be uploading to the lenny security queue
> > shortly.
> 
> 
> Ack. Thanks for your time and work on this hairy issue.

Fair enough, I'll leave this to the maintainer's judgement and process this
update.

Cheers,
        Moritz









Reply sent to Christian PERRIER <bubulle@debian.org>:
You have taken responsibility. (Thu, 12 May 2011 12:09:41 GMT)


Notification sent to Pedro R <pedrib@gmail.com>:
Bug acknowledged by developer. (Thu, 12 May 2011 12:09:43 GMT)


Message #51 received at 568942-done@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 568942-done@bugs.debian.org
Subject: Bugs fixed in lenny
Date: Thu, 12 May 2011 14:06:49 +0200
Version: 2:3.2.5-4lenny9

The above version fixed that bug for lenny. Dunno why this wasn't
recorded in the BTS.

-- 


Reply sent to Christian PERRIER <bubulle@debian.org>:
You have taken responsibility. (Thu, 12 May 2011 12:09:49 GMT)


Notification sent to Pedro R <pedrib@gmail.com>:
Bug acknowledged by developer. (Thu, 12 May 2011 12:09:49 GMT)


Message #56 received at 568942-done@bugs.debian.org:

From: Christian PERRIER <bubulle@debian.org>
To: 568942-done@bugs.debian.org
Subject: Bug fixed in squeeze and above
Date: Thu, 12 May 2011 14:08:25 +0200
Version: 2:3.4.5~dfsg-2

This version dropped the setuid bit in mount.cifs (that was later
moved to cifs-utils) and is thus considered to be the one fixing this
issue for squeeze.

-- 


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 10 Jun 2011 07:33:53 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:56:30 2019; Machine Name: buxtehude