Red Hat Bugzilla – Bug 407071
Critical Regression caused by CVE-2007-4572
Last modified: 2016-09-06 16:36:32 EDT
+++ This bug was initially created as a clone of Bug #389021 +++
Description of problem:
When either a request for a directory listing of a share using a wildcard (e.g.,
"ls /mnt/share/redhat*") or a directory listing (e.g., "ls /mnt/share") is
entered, the action generates trans2 error messages in the client and the
following in the server:
[2007/11/16 17:47:14, 0] lib/fault.c:dump_core(181)
dumping core in /var/log/samba/cores/smbd
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
192.168.1.14 (192.168.1.14) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
BACKTRACE: 12 stack frames:
#0 smbd(log_stack_trace+0x1c) [0x555555776cdc]
#1 smbd(smb_panic+0x43) [0x555555776dc3]
#2 smbd(push_ascii+0x113) [0x555555762893]
#3 smbd [0x5555556037c9]
#4 smbd [0x555555606eb3]
#5 smbd(handle_trans2+0x25e) [0x55555560a12e]
#6 smbd(reply_trans2+0x6ec) [0x55555561077c]
#7 smbd [0x555555629384]
#8 smbd(smbd_process+0x7b1) [0x55555562a321]
#9 smbd(main+0xa20) [0x55555582b2d0]
#10 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2aaaad3728a4]
#11 smbd [0x5555555bc009]
This problem ONLY occurs in Linux to Linux transfers. I have not been able to
detect a problem with Linux-Windows transactions. Also, if you enter a complete
qualified file name (e.g., "ls /mnt/<SHARE>/mytest.png") the process works
perfectly without errors.
Version-Release number of selected component (if applicable):
This occurs if the client is samba-3.0.9-1.3E.14.1 in RHEL 3 and if the server
is samba-3.0.25b-1 in RHEL 5 or samba-3.0.9-1.3E.14.1 in RHEL3. This problem is
alleviated if the previous version is installed.
Again, client in samba-3.0.25b-1 in RHEL 5 does not exhibit this issue.
Completely hardware independent.
Note the RHEL5 client does not exhibit this problem.
Steps to Reproduce:
1. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" work before update.
2. Update samba on RHEL3 to latest rpm.
3. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" hang after update.
Error messages, no returned results.
Note (possibly completely unrelated): the samba patch as released caused a bad
nmbd failure on Ubuntu, and I understand they released a second update.
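Added example, not part of the original report and not Samba project code: a Python script that scans an smbd log for the panic quoted above and joins it by pid to the `make_connection_snum` entry, showing which client, share and user were attached to each crashed smbd process. It assumes the log layout matches the excerpt in this report; the function names are hypothetical and the second session in the sample is constructed.

```python
import re

# Entry header in a Samba 3.0 log: "[date time, level] file:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +(\d+)\] (\S+?):(\w+)\((\d+)\)$")
PANIC = re.compile(r"PANIC \(pid (\d+)\): (.+)")
CONNECT = re.compile(r"\((\S+)\) connect to service (\S+) initially as user (\S+) .*\(pid (\d+)\)")
SIGNATURE = "push_ascii - dest_len == -1"  # panic text quoted in this report

# First five lines are from the report; the last two are a constructed healthy session.
SAMPLE_LOG = """\
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
192.168.1.14 (192.168.1.14) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:48:02, 1] smbd/service.c:make_connection_snum(1033)
192.0.2.20 (192.0.2.20) connect to service docs initially as user alice (uid=501, gid=501) (pid 6301)
"""

def parse_entries(text):
    """Group each header line with the (possibly wrapped) message lines after it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": int(m.group(2)), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries

def find_panics(text):
    """Return one record per smbd panic, joined to the session logged for the same pid."""
    sessions, panics = {}, []
    for e in parse_entries(text):
        c = CONNECT.search(e["msg"])
        if c:
            sessions[c.group(4)] = {"client": c.group(1), "share": c.group(2), "user": c.group(3)}
        p = PANIC.search(e["msg"])
        if p:
            panics.append({"time": e["time"], "pid": p.group(1), "reason": p.group(2),
                           "matches_report": p.group(2) == SIGNATURE})
    unknown = {"client": None, "share": None, "user": None}
    # Resolve after the full pass: the connect entry may be logged before or after the panic.
    return [{**p, **sessions.get(p["pid"], unknown)} for p in panics]

if __name__ == "__main__":
    for hit in find_panics(SAMPLE_LOG):
        print(hit)
```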
-- Additional comment from email@example.com on 2007-11-19 19:00 EST --
Upstream we have a patch, starting testing to ensure all is OK.
And just for the record, Ubuntu "fixed" this problem by completely reverting
the security fix, so their packages are now vulnerable.
-- Additional comment from firstname.lastname@example.org on 2007-11-21 13:11 EST --
1) On RHEL3 smbclient works fine, but smbmount doesn't.
2) On RHEL4 the same problem occurs when I do listing after "mount -t smbfs",
and ls after "mount -t cifs" works without errors.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.