[Samba] Re: The Samba Team announces Samba 2.2.7 - security release
Tim Winders
twinders at southplainscollege.edu
Mon Nov 25 22:07:01 GMT 2002
I just upgraded to 2.2.7 and noticed a problem. I use samba as a domain
controller for my Win98 machines. After the upgrade to 2.2.7 all the
users but myself were getting a failure to login to the domain. In the
log file for the machine, I see this error.
[2002/11/25 15:04:32, 0] smbd/service.c:(597)
sisrael (64.69.243.114) Can't change directory to /data/Lkr_Usr_/twinders/tmp (Permission denied)
In this case, the user trying to log in is sisrael, but the service.c
package is trying to change to the TMP directory that was set when I
configured samba.
I've tried to reinstall 2.2.6, but I'm having the same problem.
I am not sure if this is a 2.2.7 issue, a local config issue, or what.
But, I'm very confused and current samba is "down" for my users. <sigh>
**********************************************
Tim Winders, MCSE, CNE, CCNA
Associate Dean of Information Technology
South Plains College
Levelland, TX 79336
Phone: 806-894-9611 x 2369
FAX: 806-894-1549
Email: TWinders at SouthPlainsCollege.edu
**********************************************
On Wed, 20 Nov 2002, Gerald (Jerry) Carter wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> The Samba Team is proud to announce the release of Samba 2.2.7.
>
> A security hole has been discovered in versions 2.2.2 through 2.2.6
> of Samba that could potentially allow an attacker to gain root access
> on the target machine. The word "potentially" is used because there
> is no known exploit of this bug, and the Samba Team has not been able to
> craft one ourselves. However, the seriousness of the problem warrants
> this immediate 2.2.7 release.
>
> In addition to addressing this security issue, Samba 2.2.7 also includes
> thirteen unrelated improvements. These improvements result from our
> process of continuous quality assurance and code review, and are part of
> the Samba team's commitment to excellence.
>
> The source code can be downloaded from :
>
> http://download.samba.org/samba/ftp/
>
> All current source releases have been signed as well using the
> Samba Distribution Key (http://web/samba/ftp/samba-pubkey.asc)
>
> Binary packages for major platforms can be found at
>
> http://download.samba.org/samba/ftp/Binary_Packages/
>
> The release notes follow.
>
> As always, all bugs are our responsibility.
>
> --Enjoy
> The Samba Team
>
>
>
> WHAT'S NEW IN Samba 2.2.7 - 20th November 2002
> ==============================================
>
> This is the latest stable release of Samba. This is the version
> that all production Samba servers should be running for all current
> bug-fixes.
>
> IMPORTANT: Security bugfix for Samba
> - ------------------------------------
>
> Summary
> - -------
>
> A security hole has been discovered in versions 2.2.2 through 2.2.6
> of Samba that could potentially allow an attacker to gain root access
> on the target machine. The word "potentially" is used because there
> is no known exploit of this bug, and the Samba Team has not been able to
> craft one ourselves. However, the seriousness of the problem warrants
> this immediate 2.2.7 release.
>
> In addition to addressing this security issue, Samba 2.2.7 also includes
> thirteen unrelated improvements. These improvements result from our
> process of continuous quality assurance and code review, and are part of
> the Samba team's commitment to excellence.
>
> Details
> - -------
>
> There was a bug in the length checking for encrypted password change
> requests from clients. A client could potentially send an encrypted
> password, which, when decrypted with the old hashed password could be
> used as a buffer overrun attack on the stack of smbd. The attack would
> have to be crafted such that converting a DOS codepage string to little
> endian UCS2 unicode would translate into an executable block of code.
>
> All versions of Samba between 2.2.2 and 2.2.6 inclusive are vulnerable
> to this problem. This version of Samba 2.2.7 contains a fix for this
> problem.
>
> Earlier versions of Samba are not vulnerable.
>
> There is no known exploit or exploit code for this vulnerability,
> it was discovered by a code audit by Debian Samba maintainers.
>
> Credit
> - ------
>
> Thanks to Steve Langasek and Eloy Paris
> for bringing this vulnerability to our notice.
>
> Patch for Samba versions 2.2.2 to 2.2.6
> - ---------------------------------------
>
> The following patch applies cleanly to the above Samba versions
> and will fix the vulnerability for sites that do not wish to upgrade
> to 2.2.7 at this time.
>
> - -------------------------------cut here---------------------------------
> - --- libsmb/smbencrypt.c.orig Tue Nov 19 17:21:57 2002
> +++ libsmb/smbencrypt.c Tue Nov 19 17:22:12 2002
> @@ -63,7 +63,7 @@
> if(len > 128)
> len = 128;
> /* Password must be converted to NT unicode - null terminated. */
> - - dos_struni2((char *)wpwd, (const char *)passwd, 256);
> + dos_struni2((char *)wpwd, (const char *)passwd, len);
> /* Calculate length in bytes */
> len = strlen_w((const smb_ucs2_t *)wpwd) * sizeof(int16);
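Review bot: the hunk replaces the constant 256 with `len` without stating the unit that the third argument of dos_struni2 counts, and the surrounding lines use both units: `len` is a character count capped by `if(len > 128) len = 128;`, while the line after the call is commented `/* Calculate length in bytes */` and multiplies by `sizeof(int16)`. If the argument is a byte limit, passing `len` silently halves the longest password the hash routine will accept (128 bytes hold only 64 UCS2 units); if it is a character limit, the old 256 allowed twice the input the cap was meant to permit and the fix is right, but the call site should say so. Suggest a one-line comment at the call giving the unit and the destination size it relies on, plus an explicit check that the destination array holds `len` units and a terminator, rather than leaving the bound implicit in the cap two lines above. Item 9 of the changelog in this same mail ("assumed dos_unistr2 length was in ucs2 units, not bytes") shows the same confusion has bitten this code before. A practical aside for anyone applying this from the mail: because the message is PGP clear-signed, lines starting with `-` are dash-escaped (`- ---`, `- -`), so the text between the cut-here markers will not apply with patch(1) until that escaping is removed; gpg strips it when it outputs the verified text.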
> - -------------------------------cut here---------------------------------
>
>
> Changes since 2.2.6
> - --------------------
>
> See the cvs log for SAMBA_2_2 for more details
>
> 1) ensure we send the notify message in the same way it is expected
> to be received by srv_spoolss_receive_message().
> 2) attribute matching on truncate only matters when opening truncate
> with current SYSTEM|HIDDEN -> NONE. It's fine to truncate on open
> with current NONE -> SYSTEM | HIDDEN.
> 3) Fix bug in rpcclient's deldriver command
> 4) Don't set global_machine_password_needs_changing if
> lp_machine_password_timeout() is set to zero
> 5) don't parse the BUFFER5 if the buffer length is zero
> 6) fix core dump if pdbedit is run as non-root or smbpasswd file does
> not exist
> 7) Ensure can_delete() returns correct error code
> 8) correctly return NT_STATUS_DELETE_PENDING from open code
> 9) fix bug that assumed dos_unistr2 length was in ucs2 units, not bytes
> 10) check the long_archi name is not null when deleting a printer driver.
> fixes core dump in smbd when using rpcclient's deldriver
> 11) fix fd leak with kernel change notify on Linux 2.4 kernels
> 12) must add one to the extra_data size to transfer the 0 string
> terminator. This was causing "wbinfo --sequence" to access past the
> end of malloced memory
> 13) fix for large systems allowing more than 65536 files open in
> NTcreate&X
> 14) Fix bug in %U expansion
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.0 (GNU/Linux)
> Comment: For info see http://quantumlab.net/pine_privacy_guard/
>
> iD8DBQE926iLIR7qMdg1EfYRArYdAJsH14XvFpst5RubPYqhkaL3zNJgEwCdGPY+
> N0H1i07NSgSz8XRZFklPWU4=
> =67//
> -----END PGP SIGNATURE-----
>
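The bug class the Details section describes, as an added example that is neither Samba's code nor part of the announcement: a byte-to-UCS2 widening conversion whose limit argument is a constant (256) instead of the cap computed two lines earlier, so an attacker-controlled decrypted password longer than the cap is written past the fixed-size stack array. Everything here is a hypothetical stand-in: `dos_to_ucs2le` is an ASCII-only model of dos_struni2 whose limit is assumed to count source characters (the page does not state what the real routine counts), the destination of 128 units plus a terminator is assumed from the 128-character cap visible in the patch, and `guard_bytes_clobbered` and `repeated` are harness helpers invented for this example. The guard region makes the overrun measurable without corrupting anything real; the example does not attempt the codepage-to-executable-code step the advisory mentions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes taken from the cap in the patched function: passwords are limited
 * to 128 characters, and the destination is ASSUMED to be 128 UCS-2 code
 * units plus a terminating unit (the patch itself does not show the array). */
#define MAX_PW_CHARS 128
#define WPWD_UNITS   (MAX_PW_CHARS + 1)
#define WPWD_BYTES   (WPWD_UNITS * 2)
#define GUARD_BYTES  512        /* slack after wpwd so an overrun stays measurable */
#define GUARD_FILL   0xA5

/* Hypothetical stand-in for dos_struni2: ASCII only, widens each source byte
 * to a little-endian UCS-2 unit. max_chars is ASSUMED to count source
 * characters; the real routine's unit is not stated on this page. A zero
 * unit is written after the copied characters. Returns bytes written,
 * terminator included. */
static size_t dos_to_ucs2le(uint8_t *dst, const char *src, size_t max_chars)
{
    size_t n = 0;
    while (n < max_chars && src[n] != '\0') {
        dst[2 * n]     = (uint8_t)src[n];  /* low byte: the character */
        dst[2 * n + 1] = 0x00;             /* high byte: zero for ASCII */
        n++;
    }
    dst[2 * n]     = 0x00;
    dst[2 * n + 1] = 0x00;
    return 2 * n + 2;
}

/* Lay out a wpwd-sized area followed by a guard region filled with a known
 * byte, run the conversion the way the pre-patch code called it (use_cap == 0:
 * constant 256) or the patched code calls it (use_cap == 1: the capped len),
 * and return how many guard bytes were overwritten. 0 means the write stayed
 * inside the destination. The guard is large enough that the pre-patch call
 * (at most 256 chars + terminator = 514 bytes) never leaves this array. */
size_t guard_bytes_clobbered(const char *passwd, int use_cap)
{
    uint8_t region[WPWD_BYTES + GUARD_BYTES];
    memset(region, GUARD_FILL, sizeof region);

    /* The cap the vulnerable code computed... */
    size_t len = strlen(passwd);
    if (len > MAX_PW_CHARS)
        len = MAX_PW_CHARS;

    /* ...and then did not pass to the routine that does the writing. */
    size_t limit = use_cap ? len : 256;
    dos_to_ucs2le(region, passwd, limit);

    size_t clobbered = 0;
    for (size_t i = WPWD_BYTES; i < sizeof region; i++)
        if (region[i] != GUARD_FILL)
            clobbered++;
    return clobbered;
}

/* Constructed test input: a password of n copies of c (stands in for the
 * attacker-chosen bytes that come out of the password-change decryption). */
const char *repeated(char c, size_t n)
{
    static char buf[600];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, c, n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    size_t lengths[] = { 7, 128, 129, 200 };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        const char *pw = repeated('A', lengths[i]);
        printf("%3zu chars: pre-patch spills %3zu guard bytes, patched spills %zu\n",
               lengths[i], guard_bytes_clobbered(pw, 0), guard_bytes_clobbered(pw, 1));
    }
    return 0;
}
```

With the constant limit, every character past 128 lands beyond the destination, and the spilled bytes are the attacker's own characters widened to UCS-2 (each followed by a zero byte), which is why the advisory talks about the conversion having to yield an executable block; with the capped `len` passed instead, the 128-character cap and the 129-unit destination line up and nothing spills.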