Bug 407101

Summary: Critical Regression caused by CVE-2007-4572
Product: Red Hat Enterprise Linux 4
Component: samba
Version: 4.7
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: high
Target Milestone: rc
Keywords: Regression
Reporter: Simo Sorce <ssorce>
Assignee: Simo Sorce <ssorce>
CC: gdeschner, jplans, pasteur, ralph+rh-bugzilla, sfolkwil, sputhenp
Fixed In Version: RHBA-2008-0711
Doc Type: Bug Fix
Last Closed: 2008-07-24 19:54:14 UTC
Bug Depends On: 407071

Description Simo Sorce 2007-12-01 00:51:12 UTC
+++ This bug was initially created as a clone of Bug #407071 +++

+++ This bug was initially created as a clone of Bug #389021 +++

Description of problem:

When either a request for a directory listing of a share using a wildcard (e.g.,
"ls /mnt/share/redhat*") or a directory listing (e.g., "ls /mnt/share") is
entered, the action generates trans2 error messages in the client and the
following in the server:
[2007/11/16 17:47:14, 0] lib/fault.c:dump_core(181)
  dumping core in /var/log/samba/cores/smbd
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
  192.168.1.14 (192.168.1.14) connect to service ben initially as user ben (uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
  PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
  BACKTRACE: 12 stack frames:
   #0 smbd(log_stack_trace+0x1c) [0x555555776cdc]
   #1 smbd(smb_panic+0x43) [0x555555776dc3]
   #2 smbd(push_ascii+0x113) [0x555555762893]
   #3 smbd [0x5555556037c9]
   #4 smbd [0x555555606eb3]
   #5 smbd(handle_trans2+0x25e) [0x55555560a12e]
   #6 smbd(reply_trans2+0x6ec) [0x55555561077c]
   #7 smbd [0x555555629384]
   #8 smbd(smbd_process+0x7b1) [0x55555562a321]
   #9 smbd(main+0xa20) [0x55555582b2d0]
   #10 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2aaaad3728a4]
   #11 smbd [0x5555555bc009]

This problem ONLY occurs in linux to linux transfers. I have not been able to
detect a problem with linux-windows transactions. Also, if you enter a complete
qualified file name (e.g., "ls /mnt/<SHARE>/mytest.png") the process works
perfectly without errors.

Version-Release number of selected component (if applicable):
This occurs if the client is samba-3.0.9-1.3E.14.1 in RHEL 3 and if the server
is samba-3.0.25b-1 in RHEL 5 or samba-3.0.9-1.3E.14.1 in RHEL3. This problem is
alleviated if the previous version is installed.

Again, client in samba-3.0.25b-1 in RHEL 5 does not exhibit this issue.

How reproducible:
Completely, hardware independent. 
Note the RHEL5 client does not exhibit this problem.  

Steps to Reproduce:
1. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" work before update.
2. Update samba on RHEL3 to latest rpm.
3. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" hang after update.
  
Actual results:
Error messages, no returned results.

Expected results:
Directory listing.

Additional info:
Note (possibly completely unrelated) the samba patch as released caused bad nmbd
fail on Ubuntu and I understand they released a second update.

-- Additional comment from ssorce on 2007-11-19 19:00 EST --
Upstream we have a patch, starting testing to ensure all is ok.

And just for the record, Ubuntu "fixed" this problem by completely reverting
the security fix, so their packages are now vulnerable.

-- Additional comment from sergeyco on 2007-11-21 13:11 EST --
1) On RHEL3 smbclient works fine, but smbmount doesn't.
2) On RHEL4 the same problem occurs when I do listing after "mount -t smbfs", 
and ls after "mount -t cifs" works without errors.
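
Added example (not part of the original report and not Samba code): one way to find this regression's signature in an smbd log, pairing each smb_panic record with the make_connection_snum record logged for the same pid so the affected client is identified. The sample log is constructed from the excerpt above; the second client (192.168.1.20, pid 6300) and the names records and find_panics are assumptions.

```python
import re

# Constructed, abridged sample in smbd log layout; the second client is invented.
SAMPLE_LOG = """\
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
  192.168.1.14 (192.168.1.14) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
  PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
  BACKTRACE: 12 stack frames:
   #2 smbd(push_ascii+0x113) [0x555555762893]
[2007/11/16 17:50:02, 1] smbd/service.c:make_connection_snum(1033)
  192.168.1.20 (192.168.1.20) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6300)
"""

HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*\d+\] \S+:(\w+)\(\d+\)$")
CONNECT = re.compile(r"(\S+) \(\S+\) connect to service (\S+) initially as user "
                     r"(\S+).*\(pid (\d+)\)")
PANIC = re.compile(r"PANIC \(pid (\d+)\): (.+)")

def records(text):
    """Yield [timestamp, function, body]; wrapped/indented lines join the body."""
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if cur:
                yield cur
            cur = [m.group(1), m.group(2), ""]
        elif cur:
            cur[2] = (cur[2] + " " + line.strip()).strip()
    if cur:
        yield cur

def find_panics(text):
    """Return one dict per smb_panic record, tagged with the client of that pid."""
    clients, panics = {}, []
    for ts, func, body in records(text):
        m = CONNECT.search(body) if func == "make_connection_snum" else None
        if m:
            clients[m.group(4)] = (m.group(1), m.group(2), m.group(3))
        m = PANIC.search(body) if func == "smb_panic" else None
        if m:
            ip, svc, user = clients.get(m.group(1), (None, None, None))
            panics.append({"time": ts, "pid": int(m.group(1)), "reason": m.group(2),
                           "client": ip, "service": svc, "user": user})
    return panics
```

Calling find_panics on the text of an smbd log returns a list of panic records; a reason of "push_ascii - dest_len == -1" matches the failure reported here.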

Comment 1 RHEL Program Management 2007-12-01 00:54:35 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 3 RHEL Program Management 2008-02-06 16:39:28 UTC
This bugzilla has Keywords: Regression.  

Since no regressions are allowed between releases, 
it is also being proposed as a blocker for this release.  

Please resolve ASAP.

Comment 8 errata-xmlrpc 2008-07-24 19:54:14 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0711.html