Red Hat Bugzilla – Bug 407091
Critical Regression caused by CVE-2007-4572
Last modified: 2008-05-21 13:26:37 EDT
+++ This bug was initially created as a clone of Bug #407081 +++
+++ This bug was initially created as a clone of Bug #389021 +++
Description of problem:
When either a request for a directory listing of a share using a wildcard (e.g.,
"ls /mnt/share/redhat*") is entered or a directory listing (e.g., "ls
/mnt/share") the action generates trans2 error messages in the client and the
following in the server:
[2007/11/16 17:47:14, 0] lib/fault.c:dump_core(181)
dumping core in /var/log/samba/cores/smbd
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
192.168.1.14 (192.168.1.14) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
BACKTRACE: 12 stack frames:
#0 smbd(log_stack_trace+0x1c) [0x555555776cdc]
#1 smbd(smb_panic+0x43) [0x555555776dc3]
#2 smbd(push_ascii+0x113) [0x555555762893]
#3 smbd [0x5555556037c9]
#4 smbd [0x555555606eb3]
#5 smbd(handle_trans2+0x25e) [0x55555560a12e]
#6 smbd(reply_trans2+0x6ec) [0x55555561077c]
#7 smbd [0x555555629384]
#8 smbd(smbd_process+0x7b1) [0x55555562a321]
#9 smbd(main+0xa20) [0x55555582b2d0]
#10 /lib64/libc.so.6(__libc_start_main+0xf4) [0x2aaaad3728a4]
#11 smbd [0x5555555bc009]
This problem ONLY occurs in Linux-to-Linux transfers. I have not been able to
detect a problem with Linux-Windows transactions. Also, if you enter a complete
qualified file name (e.g., "ls /mnt/<SHARE>/mytest.png") the process works
perfectly without errors.
Version-Release number of selected component (if applicable):
This occurs if the client is samba-3.0.9-1.3E.14.1 in RHEL 3 and if the server
is samba-3.0.25b-1 in RHEL 5 or samba-3.0.9-1.3E.14.1 in RHEL3. This problem is
alleviated if the previous version is installed.
Again, client in samba-3.0.25b-1 in RHEL 5 does not exhibit this issue.
Completely hardware independent.
Note the RHEL5 client does not exhibit this problem.
Steps to Reproduce:
1. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" work before update.
2. Update samba on RHEL3 to latest rpm.
3. Verify "ls /mnt/<SHARE>" and "ls /mnt/<SHARE>/<something>*" hang after update.
Error messages, no returned results.
Note (possibly completely unrelated): the samba patch as released caused a bad nmbd
failure on Ubuntu, and I understand they released a second update.
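One way to triage the server log shown in the description, added here as an example and not part of the bug report or of Samba: it parses smbd log records in the format quoted above, finds each `smb_panic` entry, and joins it by pid to the client address and share from the matching `make_connection_snum` record. The names `records` and `find_panics` are hypothetical, and the sample input is a shortened excerpt of the log on this page.

```python
import re

# Samba 3.0.x record header: "[date time, level] file.c:function(line)"
HEADER = re.compile(r"^\[([\d/]+ [\d:]+),\s*\d+\] \S+?:(\w+)\(\d+\)$")
CONNECT = re.compile(r"^(\S+) \(\S+\) connect to service (\S+) .*\(pid (\d+)\)")
PANIC = re.compile(r"PANIC \(pid (\d+)\): (.+)")
FRAME = re.compile(r"#\d+ \S*?\((\w+)\+0x[0-9a-f]+\)")  # named frames only

# Shortened excerpt of the smbd log quoted in this report.
SAMPLE_LOG = """\
[2007/11/16 17:47:14, 1] smbd/service.c:make_connection_snum(1033)
192.168.1.14 (192.168.1.14) connect to service ben initially as user ben
(uid=500, gid=500) (pid 6208)
[2007/11/16 17:47:14, 0] lib/util.c:smb_panic(1654)
PANIC (pid 6208): push_ascii - dest_len == -1
[2007/11/16 17:47:14, 0] lib/util.c:log_stack_trace(1758)
BACKTRACE: 12 stack frames:
#2 smbd(push_ascii+0x113) [0x555555762893]
#3 smbd [0x5555556037c9]
#5 smbd(handle_trans2+0x25e) [0x55555560a12e]
"""

def records(text):
    """Return [timestamp, function, body] for each multi-line log record."""
    out = []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            out.append([m.group(1), m.group(2), ""])
        elif out and line:
            out[-1][2] = (out[-1][2] + " " + line).strip()
    return out

def find_panics(text):
    """Return one dict per smbd panic, joined by pid to the connecting client."""
    recs, clients, panics = records(text), {}, []
    for _, func, body in recs:  # pass 1: pid -> (client address, service)
        m = CONNECT.match(body)
        if func == "make_connection_snum" and m:
            clients[m.group(3)] = (m.group(1), m.group(2))
    for ts, func, body in recs:  # pass 2: panics and the trace that follows
        m = PANIC.search(body)
        if func == "smb_panic" and m:
            client, service = clients.get(m.group(1), (None, None))
            panics.append({"time": ts, "pid": m.group(1), "reason": m.group(2),
                           "client": client, "service": service, "frames": []})
        elif func == "log_stack_trace" and panics:
            panics[-1]["frames"] = FRAME.findall(body)
    return panics
```

Grouping the results by `reason` and `client` shows which clients repeatedly trigger the `push_ascii` panic.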
-- Additional comment from email@example.com on 2007-11-19 19:00 EST --
Upstream we have a patch, starting testing to ensure all is OK.
And just for the record, Ubuntu "fixed" this problem by completely reverting
the security fix, so their packages are now vulnerable.
-- Additional comment from firstname.lastname@example.org on 2007-11-21 13:11 EST --
1) On RHEL3 smbclient works fine, but smbmount doesn't.
2) On RHEL4 the same problem occurs when I do listing after "mount -t smbfs",
and ls after "mount -t cifs" works without errors.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.