[Samba] Re: The Samba Team announces Samba 2.2.7 - security release

Tim Winders twinders at southplainscollege.edu
Mon Nov 25 22:07:01 GMT 2002


I just upgraded to 2.2.7 and noticed a problem.  I use samba as a domain
controller for my Win98 machines.  After the upgrade to 2.2.7 all the
users but myself were getting a failure to login to the domain.  In the
log file for the machine, I see this error.

[2002/11/25 15:04:32, 0] smbd/service.c:(597)
  sisrael (64.69.243.114) Can't change directory to /data/Lkr_Usr_/twinders/tmp (Permission denied)

In this case, the user trying to login is sisrael, but the service.c
package is trying to change to the TMP directory that was set when I
configured samba.

I've tried to reinstall 2.2.6, but I'm having the same problem.

I am not sure if this is a 2.2.7 issue, a local config issue, or what.
But, I'm very confused and current samba is "down" for my users.  <sigh>

     **********************************************
        Tim Winders, MCSE, CNE, CCNA
        Associate Dean of Information Technology
        South Plains College
        Levelland, TX  79336

        Phone:	806-894-9611 x 2369
        FAX:	806-894-1549
        Email:	TWinders at SouthPlainsCollege.edu
     **********************************************


On Wed, 20 Nov 2002, Gerald (Jerry) Carter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Samba Team is proud to announce the release of Samba 2.2.7.
>
> A security hole has been discovered in versions 2.2.2 through 2.2.6
> of Samba that could potentially allow an attacker to gain root access
> on the target machine.  The word "potentially" is used because there
> is no known exploit of this bug, and the Samba Team has not been able to
> craft one ourselves. However, the seriousness of the problem warrants
> this immediate 2.2.7 release.
>
> In addition to addressing this security issue, Samba 2.2.7 also includes
> thirteen unrelated improvements. These improvements result from our
> process of continuous quality assurance and code review, and are part of
> the Samba team's commitment to excellence.
>
> The source code can be downloaded from:
>
>     http://download.samba.org/samba/ftp/
>
> All current source releases have been signed as well using the
> Samba Distribution Key (http://web/samba/ftp/samba-pubkey.asc)
>
> Binary packages for major platforms can be found at
>
>     http://download.samba.org/samba/ftp/Binary_Packages/
>
> The release notes follow.
>
> As always, all bugs are our responsibility.
>
>                                   --Enjoy
>                                   The Samba Team
>
>
>
>             WHAT'S NEW IN Samba 2.2.7 - 20th November 2002
>             ==============================================
>
> This is the latest stable release of Samba. This is the version
> that all production Samba servers should be running for all current
> bug-fixes.
>
> IMPORTANT: Security bugfix for Samba
> ------------------------------------
>
> Summary
> -------
>
> A security hole has been discovered in versions 2.2.2 through 2.2.6
> of Samba that could potentially allow an attacker to gain root access
> on the target machine.  The word "potentially" is used because there
> is no known exploit of this bug, and the Samba Team has not been able to
> craft one ourselves. However, the seriousness of the problem warrants
> this immediate 2.2.7 release.
>
> In addition to addressing this security issue, Samba 2.2.7 also includes
> thirteen unrelated improvements. These improvements result from our
> process of continuous quality assurance and code review, and are part of
> the Samba team's commitment to excellence.
>
> Details
> -------
>
> There was a bug in the length checking for encrypted password change
> requests from clients. A client could potentially send an encrypted
> password which, when decrypted with the old hashed password, could be
> used as a buffer overrun attack on the stack of smbd. The attack would
> have to be crafted such that converting a DOS codepage string to little
> endian UCS2 unicode would translate into an executable block of code.
>
> All versions of Samba between 2.2.2 and 2.2.6 inclusive are vulnerable
> to this problem. This version of Samba 2.2.7 contains a fix for this
> problem.
>
> Earlier versions of Samba are not vulnerable.
>
> There is no known exploit or exploit code for this vulnerability;
> it was discovered by a code audit by Debian Samba maintainers.
>
> Credit
> ------
>
> Thanks to Steve Langasek and Eloy Paris for bringing this vulnerability
> to our notice.
>
> Patch for Samba versions 2.2.2 to 2.2.6
> ---------------------------------------
>
> The following patch applies cleanly to the above Samba versions
> and will fix the vulnerability for sites that do not wish to upgrade
> to 2.2.7 at this time.
>
> - -------------------------------cut here---------------------------------
> - --- libsmb/smbencrypt.c.orig    Tue Nov 19 17:21:57 2002
> +++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
> @@ -63,7 +63,7 @@
>         if(len > 128)
>                 len = 128;
>         /* Password must be converted to NT unicode - null terminated. */
> - -       dos_struni2((char *)wpwd, (const char *)passwd, 256);
> +       dos_struni2((char *)wpwd, (const char *)passwd, len);
>         /* Calculate length in bytes */
>         len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
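Review bot: The hunk replaces the hard-coded limit 256 in the dos_struni2() call with `len`, which the two context lines above clamp to 128, but it does not show the declaration of `wpwd` or whether dos_struni2()'s third argument counts code units or bytes, so a reviewer cannot confirm from the hunk alone that 128 UCS2 code units plus the terminator fit the buffer; a short comment tying the 128 clamp to the buffer size, or a bound derived from sizeof(wpwd), would make that invariant explicit for future edits. Note also that the patch as quoted carries PGP clearsign dash-escaping (`- --- libsmb/smbencrypt.c.orig` and `- -       dos_struni2(...)`), so the leading `- ` must be stripped from those lines before the patch will apply with patch(1).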
> - -------------------------------cut here---------------------------------
>
>
> Changes since 2.2.6
> --------------------
>
> See the cvs log for SAMBA_2_2 for more details
>
> 1)  ensure we send the notify message in the same way it is expected
>     to be received by srv_spoolss_receive_message().
> 2)  attribute matching on truncate only matters when opening truncate
>     with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open
>     with current NONE -> SYSTEM | HIDDEN.
> 3)  Fix bug in rpcclient's deldriver command
> 4)  Don't set global_machine_password_needs_changing if
>     lp_machine_password_timeout() is set to zero
> 5)  don't parse the BUFFER5 if the buffer length is zero
> 6)  fix core dump if pdbedit is run as non-root or smbpasswd file does
>     not exist
> 7)  Ensure can_delete() returns correct error code
> 8)  correctly return NT_STATUS_DELETE_PENDING from open code
> 9)  fix bug that assumed dos_unistr2 length was in ucs2 units, not bytes
> 10) check the long_archi name is not null when deleting a printer driver.
>     fixes core dump in smbd when using rpcclient's deldriver
> 11) fix fd leak with kernel change notify on Linux 2.4 kernels
> 12) must add one to the extra_data size to transfer the 0 string
>     terminator.  This was causing "wbinfo --sequence" to access past the
>     end of malloced memory
> 13) fix for large systems allowing more than 65536 files open in
>     NTcreate&X
> 14) Fix bug in %U expansion
>
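As an added illustration of the length discipline described under Details (example code written for this page, not Samba's own): a DOS-to-UCS2 conversion whose write bound comes from the destination size in bytes rather than from a caller-supplied character count, so the caller cannot request more code units than the buffer holds. The buffer size WPWD_BYTES and the single-byte codepage handling are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Layout assumed for this example: 128 UCS2 code units plus a 2-byte
 * terminator. The quoted hunk caps the input at 128 characters but does
 * not show the buffer declaration, so this size is an assumption. */
#define MAX_PW_CHARS 128
#define WPWD_BYTES ((MAX_PW_CHARS + 1) * 2)

/* Convert a NUL-terminated single-byte string to little-endian UCS2,
 * writing at most dst_bytes into dst and always leaving a terminator.
 * The limit is derived from the destination size in bytes, so a caller
 * cannot hand over a character count the buffer cannot hold (the unit
 * mismatch the advisory describes). Multibyte DOS codepages, which
 * Samba's dos_struni2 handles, are out of scope here.
 * Returns the number of payload bytes written, excluding the terminator. */
size_t to_ucs2le_bounded(uint8_t *dst, size_t dst_bytes, const char *src)
{
    size_t max_chars, i;

    if (dst_bytes < 2)
        return 0;                    /* no room even for the terminator */
    max_chars = dst_bytes / 2 - 1;   /* code units that fit before the NUL */

    for (i = 0; i < max_chars && src[i] != '\0'; i++) {
        dst[2 * i]     = (uint8_t)src[i];  /* low byte: the 8-bit character */
        dst[2 * i + 1] = 0;                /* high byte: zero for this range */
    }
    dst[2 * i] = 0;                  /* UCS2 NUL terminator */
    dst[2 * i + 1] = 0;
    return 2 * i;
}

/* Mirrors the discipline the fix restores: convert into a buffer sized for
 * exactly MAX_PW_CHARS code units and return the byte length that would be
 * fed to MD4. A 130-character input yields 256 (truncated to 128 units). */
size_t hash_input_len(const char *passwd)
{
    uint8_t wpwd[WPWD_BYTES];
    size_t n = to_ucs2le_bounded(wpwd, sizeof wpwd, passwd);

    memset(wpwd, 0, sizeof wpwd);    /* scrub the cleartext, as ZERO_STRUCT does */
    return n;
}

/* Self-check: an input longer than a 10-byte buffer must be truncated to
 * four code units, terminated, and leave the byte after the buffer
 * untouched. Returns 1 on success. */
int overrun_check(void)
{
    struct { uint8_t buf[10]; uint8_t canary; } s;
    size_t n;

    s.canary = 0xAA;
    n = to_ucs2le_bounded(s.buf, sizeof s.buf, "abcdefgh");
    return n == 8 && s.buf[8] == 0 && s.buf[9] == 0 && s.canary == 0xAA;
}
```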


