Bug 152791 - CAN-2004-0815 samba Potential Arbitrary File Access
Status: CLOSED CURRENTRELEASE
Product: Fedora Legacy
Classification: Retired
Component: Package request
Version: unspecified
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Fedora Legacy Bugs
http://us4.samba.org/samba/news/#secu...
LEGACY, QA, rh73, rh90
Reported: 2004-09-30 10:00 EDT by David Lawrence
Modified: 2008-05-01 11:38 EDT
Doc Type: Bug Fix
Description David Lawrence 2005-03-30 18:27:35 EST
Subject:        Potential Arbitrary File Access
                                                                                
Affected
Versions:       Samba 2.2.x <= 2.2.11 and Samba 3.0.x <= 3.0.5
                                                                                
Summary:        A remote attacker may be able to gain access
                to files which exist outside of the share's
                defined path. Such files must still be readable
                by the account used for the connection.
                                                                                
                                                                                
Patch Availability
------------------
The patch for Samba 3.0.5 and earlier releases
(samba-3.0.5-reduce_name.patch) can be downloaded
from http://download.samba.org/samba/ftp/patches/security/
                                                                                
Samba 2.2.12 has been released to specifically address
this bug.



------- Additional Comments From ckelley@ibnads.com 2004-09-30 10:00:30 ----

See Bug #2057



------- Additional Comments From ckelley@ibnads.com 2004-09-30 10:29:23 ----

Source:
cb16d259312e9ab0bd937ec31dc0d53fa065c096  samba-2.2.12-0.73.0.legacy.src.rpm

Binaries:
cbf6e0b1f51b84d63a128b9e40ec6e6311956647  samba-2.2.12-0.73.0.legacy.i386.rpm
2b74bf5eae4e06a40a6ec66692cbb5864c09d23a  samba-client-2.2.12-0.73.0.legacy.i386.rpm
4ff9efb3df421fd6f5ba9f8900ffe3f1e7ea43a2  samba-common-2.2.12-0.73.0.legacy.i386.rpm
9f960f1de7505e038e7adc1406917caa30861c7c  samba-swat-2.2.12-0.73.0.legacy.i386.rpm

http://www.ibnads.com/fedora_legacy/samba/

This is simply the 2.2.10 sources from bug #1924 with the samba
project's 2.2.12 release; Red Hat 7.3 has gone through pretty much
every minor version of 2.2 (starting with 2.2.3a), so I don't see a
problem with another one.  The 2.2.11 release was for a minor DoS fix
(see bug #2057) and the 2.2.12 release is for CAN-2004-0815.  I don't
have a Red Hat 9 box to build those on, so if someone could make
packages for RH9 that would be great.  FC1 should be fine already,
since this bug only affects 3.0.5 and lower.

Also, as mentioned in the comments for bug #2057: "Please note that
the Samba 2.2 code tree will reach its End-Of-Life on October 1,
2004."

I tested smbd, nmbd, smbclient, smbmount, smbumount and nmblookup




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-03 11:56:30 ----

Craig, can you update the changelog in:

cb16d259312e9ab0bd937ec31dc0d53fa065c096  samba-2.2.12-0.73.0.legacy.src.rpm

and put something in regarding this issue, like:
- Updated to 2.2.12 to fix CAN-2004-0815





------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-03 12:50:17 ----

Here are updated packages for rh9 to QA:

Changelog:
* Mon Oct 04 2004 Marc Deslauriers <marcdeslauriers@videotron.ca> 2.2.12-0.90.0.legacy
- Updated to samba-2.2.12 to fix CAN-2004-0815

a0bb99769faf8bc5efef4f61ddc50567279a4982  samba-2.2.12-0.90.0.legacy.i386.rpm
76c492aa5385dfbfcc4edfe716f9f4b4ea494d87  samba-2.2.12-0.90.0.legacy.src.rpm
9a077d2b881e4237df5774a506a010b744078652  samba-client-2.2.12-0.90.0.legacy.i386.rpm
e00cadeeeceba43f3c0d4631aba59680035c0861  samba-common-2.2.12-0.90.0.legacy.i386.rpm
07f1f8af90c475516b0530cc69965fba5ad3deb0  samba-swat-2.2.12-0.90.0.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/9/samba-2.2.12-0.90.0.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-2.2.12-0.90.0.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-client-2.2.12-0.90.0.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-common-2.2.12-0.90.0.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/samba-swat-2.2.12-0.90.0.legacy.i386.rpm




------- Additional Comments From ckelley@ibnads.com 2004-10-04 05:00:06 ----

Source:
2fcf608c88de076be6bcb4f583467787fc64eefd  samba-2.2.12-0.73.1.legacy.src.rpm

Binaries:
948f1b3cfae1c4ae97a1ce69707385e2e65be29e  samba-2.2.12-0.73.1.legacy.i386.rpm
c0b937cf849886a56911f720b5a7fe81b8976edb  samba-client-2.2.12-0.73.1.legacy.i386.rpm
57212858ae0b1c9b98b8a0d2f18690937da5c39d  samba-common-2.2.12-0.73.1.legacy.i386.rpm
4b6117f024e70131b3c35a32b0c9d2e0989000dc  samba-swat-2.2.12-0.73.1.legacy.i386.rpm

http://www.ibnads.com/fedora_legacy/samba/

New packages for Red Hat 7.3; updated the changelog.




------- Additional Comments From dom@earth.li 2004-10-04 06:55:42 ----

RHEL erratum: http://rhn.redhat.com/errata/RHSA-2004-498.html



------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-05 15:16:35 ----

I did QA on the packages for 7.3:

2fcf608c88de076be6bcb4f583467787fc64eefd  samba-2.2.12-0.73.1.legacy.src.rpm

- Source tarball matches upstream
- Other source files match previous release
- Spec file looks good
- Matches RHEL release
- Builds, installs and seems to run fine.

+PUBLISH




------- Additional Comments From ckelley@ibnads.com 2004-10-06 06:28:08 ----

76c492aa5385dfbfcc4edfe716f9f4b4ea494d87  samba-2.2.12-0.90.0.legacy.src.rpm

 - SPEC file looks good
 - source matches upstream
 - builds fine
 - tested smbclient nmblookup rpcclient smbmount smbumount smbd - all OK

It's good to see that RHEL followed our lead by moving up to 2.2.12 :-)

 ++PUBLISH RH9




------- Additional Comments From marcdeslauriers@videotron.ca 2004-10-06 11:54:07 ----

*** Bug 2130 has been marked as a duplicate of this bug. ***



------- Additional Comments From sheltren@cs.ucsb.edu 2004-10-12 07:17:14 ----

Verifying packages for RH9 from updates-testing:

dcafbbcb96a0848e8b4017bdf1745c275681db35  samba-2.2.12-0.90.1.legacy.i386.rpm
e7fe4b9425d535768fc17464f7879dd1f048a8b2  samba-client-2.2.12-0.90.1.legacy.i386.rpm
f590e48b6a9ad6841f7ea96070d08c8151ae12d7  samba-common-2.2.12-0.90.1.legacy.i386.rpm
75fbf38b5381ee7cf9b91c5723aa8d66f8e92fbc  samba-swat-2.2.12-0.90.1.legacy.i386.rpm

Signatures are OK
Packages install OK
Mounting as a samba client works fine, also tested as samba server and
was able to connect without any problems.

VERIFY++



------- Additional Comments From ckelley@ibnads.com 2004-10-12 09:55:25 ----

Source:
664447fbbf1371174b601099d18102023537ecbf  samba-2.2.12-0.73.2.legacy.src.rpm

Binaries:
ab34e621cdaa5ad567276244eb2ed2234c418890  samba-2.2.12-0.73.2.legacy.i386.rpm
a6aeb418f4958114631d045bc197490419f9e6d5  samba-2.2.12-0.73.2.legacy.src.rpm
aaae87969ae3287e432503cee8fbcb83525d020e  samba-client-2.2.12-0.73.2.legacy.i386.rpm
728d7f6d68dc837fd874ac870e5d2241e2514a6d  samba-common-2.2.12-0.73.2.legacy.i386.rpm
3cb01bb47a5fa55151637050f01769898b7dc89c  samba-swat-2.2.12-0.73.2.legacy.i386.rpm

 - source builds fine
 - binaries from legacy fuzzily match rh-orig (7.3) and latest update
 - I did notice that smbcacls was missing in the 7.3 releases, but is
   there in the rh9 releases (hopefully legacy's rh9 release contains
   smbcacls)
 - smbclient smbd nmblookup nmbd smbmount smbumount all check out OK

Looks good.  ++VERIFY RH73



------- Additional Comments From twinprism@physics.isu.edu 2004-10-13 19:59:16 ----

I'm new at this, so I don't know if this is the appropriate place, but...

I think this update broke cups printing on RH9 with samba-2.2.12-0.90.1.legacy.

ldd /usr/sbin/smbd should show cups libraries and does not; it does on FC1.

I get log messages like this:
printing/pcap.c:pcap_printer_fn(372)  Unable to open printcap file cups for read

Just a shot in the dark, but maybe cups-devel should be on build server?




------- Additional Comments From jpdalbec@ysu.edu 2004-10-14 02:30:53 ----

If so, then cups-devel is a missing BuildRequires: and the .spec file should be
changed and the packages rebuilt.



------- Additional Comments From ckelley@ibnads.com 2004-10-14 04:43:11 ----

Ben is right:

samba-2.2.7-3.7.3
# ldd /usr/sbin/smbd
        libcups.so.2 => /usr/lib/libcups.so.2 (0x40014000)
        libssl.so.2 => /lib/libssl.so.2 (0x40038000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40065000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40129000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4013e000)
        libpam.so.0 => /lib/libpam.so.0 (0x4016b000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40173000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libdl.so.2 => /lib/libdl.so.2 (0x4017b000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

samba-2.2.12-0.73.2.legacy:
# ldd /usr/sbin/smbd
        libdl.so.2 => /lib/libdl.so.2 (0x40020000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40024000)
        libpam.so.0 => /lib/libpam.so.0 (0x40039000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40041000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)




------- Additional Comments From ckelley@ibnads.com 2004-10-14 05:05:23 ----

Created an attachment (id=883)
Patch to fix CUPS and OpenSSL link problems for mach

65a6270f91d48fe6c71114b9f7d2004add1a3c6a  2.2.12-0.73.3.legacy.patch




------- Additional Comments From jpdalbec@ysu.edu 2004-10-14 05:08:06 ----

I guess that means BuildRequires: openssl-devel is also missing.



------- Additional Comments From dom@earth.li 2004-10-14 06:05:58 ----

Same problem with rh9 :(

2.2.7a-8.9.0:
        libacl.so.1 => /lib/libacl.so.1 (0x40025000)
        libcups.so.2 => /usr/lib/libcups.so.2 (0x4002c000)
        libssl.so.4 => /lib/libssl.so.4 (0x40046000)
        libcrypto.so.4 => /lib/libcrypto.so.4 (0x4007b000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x4016c000)
        libpam.so.0 => /lib/libpam.so.0 (0x40181000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40189000)
        libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
        libdl.so.2 => /lib/libdl.so.2 (0x40192000)
        libattr.so.1 => /lib/libattr.so.1 (0x40196000)
        libgssapi_krb5.so.2 => /usr/kerberos/lib/libgssapi_krb5.so.2 (0x40199000)
        libkrb5.so.3 => /usr/kerberos/lib/libkrb5.so.3 (0x401ac000)
        libcom_err.so.3 => /usr/kerberos/lib/libcom_err.so.3 (0x4020a000)
        libk5crypto.so.3 => /usr/kerberos/lib/libk5crypto.so.3 (0x4020d000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4021d000)
        libz.so.1 => /usr/lib/libz.so.1 (0x4022f000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)

2.2.12-0.90.1.legacy:
        libacl.so.1 => /lib/libacl.so.1 (0x40025000)
        libdl.so.2 => /lib/libdl.so.2 (0x4002c000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40030000)
        libpam.so.0 => /lib/libpam.so.0 (0x40045000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x4004d000)
        libc.so.6 => /lib/tls/libc.so.6 (0x42000000)
        libattr.so.1 => /lib/libattr.so.1 (0x40055000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
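
The before/after `ldd` comparison made by eye in the comments above can be scripted as a rebuild check. This is an added example, not part of the bug thread or of the Fedora Legacy tooling; the function names `dropped_libs` and `demo_dropped` are made up here, and the sample listings are the Red Hat 7.3 `smbd` output copied from the thread.

```shell
#!/bin/sh
# Added example, not part of the bug thread: find shared libraries that an
# earlier build linked against and a rebuilt binary no longer does.

# dropped_libs OLD NEW: each argument is a file of saved `ldd` output.
# Prints every soname resolved in OLD that has no entry in NEW.
dropped_libs() {
    awk -v newfile="$2" '
        BEGIN {
            while ((getline line < newfile) > 0) {
                split(line, f, " ")
                if (f[2] == "=>") have[f[1]] = 1
            }
        }
        $2 == "=>" && !($1 in have) { print $1 }
    ' "$1" | LC_ALL=C sort -u
}

# Compare the two Red Hat 7.3 smbd listings quoted in the comments above.
demo_dropped() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/old.ldd" <<'EOF'
        libcups.so.2 => /usr/lib/libcups.so.2 (0x40014000)
        libssl.so.2 => /lib/libssl.so.2 (0x40038000)
        libcrypto.so.2 => /lib/libcrypto.so.2 (0x40065000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40129000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x4013e000)
        libpam.so.0 => /lib/libpam.so.0 (0x4016b000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40173000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        libdl.so.2 => /lib/libdl.so.2 (0x4017b000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
    cat > "$tmp/new.ldd" <<'EOF'
        libdl.so.2 => /lib/libdl.so.2 (0x40020000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40024000)
        libpam.so.0 => /lib/libpam.so.0 (0x40039000)
        libpopt.so.0 => /usr/lib/libpopt.so.0 (0x40041000)
        libc.so.6 => /lib/i686/libc.so.6 (0x42000000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
EOF
    dropped_libs "$tmp/old.ldd" "$tmp/new.ldd"
    rm -rf "$tmp"
}

demo_dropped
```

A non-empty result on a security rebuild means a feature was silently compiled out, which in this thread pointed to the missing cups-devel and openssl-devel BuildRequires.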




------- Bug moved to this database by dkl@redhat.com 2005-03-30 18:27 -------

This bug previously known as bug 2102 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=2102
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
Patch to fix CUPS and OpenSSL link problems for mach
https://bugzilla.fedora.us/attachment.cgi?action=view&id=883

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity critical. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl@redhat.com.
   Previous reporter was ckelley@ibnads.com.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.

