Bug 407071 - Critical Regression caused by CVE-2007-4572
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: samba
Hardware: All
OS: Linux
Priority: high
Severity: medium
Assigned To: Simo Sorce
Keywords: Security
Depends On: 389021
Blocks: 407101
Reported: 2007-11-30 19:48 EST by Simo Sorce
Modified: 2016-09-06 16:36 EDT

See Also:
Fixed In Version: RHSA-2007-1114
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-12-10 11:53:18 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Simo Sorce 2007-11-30 19:48:13 EST
+++ This bug was initially created as a clone of Bug #389021 +++

Description of problem:

When either a directory listing of a share using a wildcard (e.g.,
"ls /mnt/share/redhat*") or a plain directory listing (e.g., "ls
/mnt/share") is requested, the action generates trans2 error messages on the
client and the following on the server:
[2007/11/16 17:47:14, 0] lib/fault.c:dump_core(181)
  dumping core in /var/log/samba/cores/smbd
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033) ( connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
  PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
  BACKTRACE: 12 stack frames:
   #0 smbd(log_stack_trace+0x1c) [0x555555776cdc]
   #1 smbd(smb_panic+0x43) [0x555555776dc3]
   #2 smbd(push_ascii+0x113) [0x555555762893]
   #3 smbd [0x5555556037c9]
   #4 smbd [0x555555606eb3]
   #5 smbd(handle_trans2+0x25e) [0x55555560a12e]
   #6 smbd(reply_trans2+0x6ec) [0x55555561077c]
   #7 smbd [0x555555629384]
   #8 smbd(smbd_process+0x7b1) [0x55555562a321]
   #9 smbd(main+0xa20) [0x55555582b2d0]
   #10 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2aaaad3728a4]
   #11 smbd [0x5555555bc009]

This problem ONLY occurs in Linux-to-Linux transfers. I have not been able to
detect a problem with Linux-to-Windows transactions. Also, if you enter a fully
qualified file name (e.g., "ls /mnt/<SHARE>/mytest.png"), the process works
perfectly without errors.

Version-Release number of selected component (if applicable):
This occurs if the client is samba-3.0.9-1.3E.14.1 in RHEL 3 and if the server
is samba-3.0.25b-1 in RHEL 5 or samba-3.0.9-1.3E.14.1 in RHEL3. This problem is
alleviated if the previous version is installed.

Again, client in samba-3.0.25b-1 in RHEL 5 does not exhibit this issue.

How reproducible:
Completely, hardware independent. 
Note the RHEL5 client does not exhibit this problem.  

Steps to Reproduce:
1. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" work before the update.
2. Update samba on RHEL3 to the latest rpm.
3. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" hang after the update.
Actual results:
Error messages, no returned results.

Expected results:
Directory listing.

Additional info:
Note (possibly completely unrelated): the samba patch as released caused nmbd
to fail badly on Ubuntu, and I understand they released a second update.

-- Additional comment from ssorce@redhat.com on 2007-11-19 19:00 EST --
Upstream we have a patch; starting testing to ensure all is ok.

And just for the record, Ubuntu "fixed" this problem by completely reverting
the security fix, so their packages are now vulnerable.

-- Additional comment from sergeyco@gmail.com on 2007-11-21 13:11 EST --
1) On RHEL3 smbclient works fine, but smbmount doesn't.
2) On RHEL4 the same problem occurs when I do a listing after "mount -t smbfs",
and ls after "mount -t cifs" works without errors.
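The backtrace above shows the trans2 directory-listing path calling push_ascii with a destination length of -1, and the hardened push_ascii panicking on it. The following is an added, self-contained model of that failure mode (example code, not Samba's push_ascii or the upstream patch): push_ascii_model is the hardened string push that refuses the "-1 means no limit" sentinel, old_caller is a caller that still passes the sentinel and therefore gets rejected, and fixed_caller computes the space actually left in the reply buffer. REPLY_MAX, the function names and the sample file name "mytest.png" are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sentinel meaning "no length limit" (the (size_t)-1 in the panic message). */
#define NO_LIMIT ((size_t)-1)

/* Size of the stand-in for a trans2 reply data area (assumption). */
#define REPLY_MAX 64

enum push_result {
    PUSH_OK = 0,                /* whole string written */
    PUSH_TRUNCATED = 1,         /* cut to fit dest_len */
    PUSH_REJECTED_SENTINEL = 2  /* dest_len was -1; hardened code refuses */
};

/*
 * Hardened string push (model, not Samba's code).  A dest_len of -1 used to
 * mean "trust the caller, copy until NUL"; here it is refused outright, which
 * is the behaviour behind the "push_ascii - dest_len == -1" panic.  *written
 * receives the number of bytes stored, including the terminating NUL.
 */
static enum push_result push_ascii_model(char *dest, const char *src,
                                         size_t dest_len, size_t *written)
{
    size_t n;
    enum push_result r = PUSH_OK;

    *written = 0;
    if (dest_len == NO_LIMIT)
        return PUSH_REJECTED_SENTINEL;   /* no more unbounded writes */
    if (dest_len == 0)
        return PUSH_TRUNCATED;

    n = strlen(src);
    if (n >= dest_len) {                 /* leave room for the NUL */
        n = dest_len - 1;
        r = PUSH_TRUNCATED;
    }
    memcpy(dest, src, n);
    dest[n] = '\0';
    *written = n + 1;
    return r;
}

/* Old-style caller: passes the sentinel, exactly what now trips the check. */
static enum push_result old_caller(char *reply, size_t off,
                                   const char *name, size_t *written)
{
    return push_ascii_model(reply + off, name, NO_LIMIT, written);
}

/* Fixed caller: computes the space actually left in the reply buffer. */
static enum push_result fixed_caller(char *reply, size_t off,
                                     const char *name, size_t *written)
{
    if (off >= REPLY_MAX) {
        *written = 0;
        return PUSH_TRUNCATED;
    }
    return push_ascii_model(reply + off, name, REPLY_MAX - off, written);
}

/* Scenarios; "mytest.png" is a constructed sample name. Each returns 1 on the expected outcome. */
int scenario_old_sentinel(void)
{
    char reply[REPLY_MAX] = {0};
    size_t w;
    /* The hardened push refuses the -1 length and writes nothing. */
    return old_caller(reply, 10, "mytest.png", &w) == PUSH_REJECTED_SENTINEL
           && w == 0;
}

int scenario_fixed_fits(void)
{
    char reply[REPLY_MAX] = {0};
    size_t w;
    /* The name lands intact at offset 10: 11 bytes including the NUL. */
    return fixed_caller(reply, 10, "mytest.png", &w) == PUSH_OK
           && w == 11 && strcmp(reply + 10, "mytest.png") == 0;
}

int scenario_fixed_truncates(void)
{
    char reply[REPLY_MAX] = {0};
    size_t w;
    /* Only 4 bytes remain at offset 60: "myt" plus NUL, flagged as truncated. */
    return fixed_caller(reply, 60, "mytest.png", &w) == PUSH_TRUNCATED
           && w == 4 && strcmp(reply + 60, "myt") == 0;
}

int main(void)
{
    printf("old caller rejected: %d\n", scenario_old_sentinel());
    printf("fixed caller fits:   %d\n", scenario_fixed_fits());
    printf("fixed caller trunc:  %d\n", scenario_fixed_truncates());
    return 0;
}
```

The point for anyone shipping a hardening patch like this one: tightening the contract of a low-level length-checked helper is only half the fix; every caller that relied on the old "unlimited" convention has to be found and given a real bound, otherwise the security fix becomes the denial of service (here, smbd dumping core on every directory listing from an smbfs client).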
Comment 6 errata-xmlrpc 2007-12-10 11:53:18 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.