You are not logged in.
I know the security issue is hard to trigger, but I created a new PKGBUILD for samba 3.2.6 containing the patch.
Excerpt from the patch commentary:
commit 288fa94ac7cfdf7457b5098c33fc840bed3d5410
Author: Michael Adam <obnox@samba.org>
AuthorDate: Thu Dec 18 18:01:55 2008 +0100
Commit: Karolin Seeger <kseeger@samba.org>
CommitDate: Fri Dec 19 08:30:23 2008 +0100
smbd: prevent access to root filesystem when connecting with empty service name
This only applies to a setup with "registry shares = yes"
MichaelAnd here's the PKGBUILD:
# $Id: PKGBUILD 22200 2008-12-22 22:24:26Z tpowa $
# Maintainer: judd <jvinet@zeroflux.org>
pkgname=samba
pkgver=3.2.6
# We use the 'A' to fake out pacman's version comparators. Samba chooses
# to append 'a','b',etc to their subsequent releases, which pamcan
# misconstrues as alpha, beta, etc. Bad samba!
_realver=3.2.6
pkgrel=2.1
pkgdesc="Tools to access a server's filespace and printers via SMB"
arch=(i686 x86_64)
url="http://www.samba.org"
license=('GPL3')
backup=(etc/logrotate.d/samba etc/pam.d/samba etc/samba/smb.conf etc/xinetd.d/swat etc/conf.d/samba)
depends=('db>=4.7' 'popt' 'libcups' 'acl' 'libldap' 'smbclient=3.2.6' 'libcap' 'heimdal>=1.2-1' 'pam' 'fam' 'gnutls>=2.4.1' 'tdb=3.2.6')
options=(!makeflags)
source=(http://us1.samba.org/samba/ftp/stable/${pkgname}-${_realver}.tar.gz \
no-clients.patch samba samba.logrotate swat.xinetd samba.pam samba.conf.d \
ftp://us1.samba.org/pub/samba/patches/security/samba-3.2.6-CVE-2009-0022.patch)
build() {
cd ${srcdir}/${pkgname}-${_realver}/source
patch -Np2 -i ${srcdir}/no-clients.patch || return 1
patch -Np2 -i ${srcdir}/samba-3.2.6-CVE-2009-0022.patch || return 1
./configure --prefix=/usr --with-configdir=/etc/samba \
--with-lockdir=/var/cache/samba \
--with-piddir=/var/run/samba \
--with-fhs --with-pam --with-ads --with-acl-support \
--without-cifsmount --without-libsmbclient \
--with-syslog --with-pam_smbpass \
--localstatedir=/var --disable-dnssd --libdir=/usr/lib/samba
make || return 1
mkdir -p ${pkgdir}/var/log/samba
mkdir -p ${pkgdir}/etc/samba/private
chmod 700 ${pkgdir}/etc/samba/private
make DESTDIR=$startdir/pkg install
chmod 644 ${pkgdir}/usr/include/*.h
rm -rf ${pkgdir}/usr/var
(cd script; cp installbin.sh i; cat i | sed 's/\/sbin\///' > installbin.sh)
install -D -m755 ../../samba ${pkgdir}/etc/rc.d/samba
install -D -m644 ../../samba.conf.d ${pkgdir}/etc/conf.d/samba
mkdir -p ${pkgdir}/etc/samba
cat ../examples/smb.conf.default | \
sed 's|log file = .*$|log file = /var/log/samba/log.%m|g' >${pkgdir}/etc/samba/smb.conf.default
install -D -m644 ../../samba.logrotate ${pkgdir}/etc/logrotate.d/samba
install -D -m644 ../../swat.xinetd ${pkgdir}/etc/xinetd.d/swat
install -D -m644 ../../samba.pam ${pkgdir}/etc/pam.d/samba
# symlink libs
for i in ${pkgdir}/usr/lib/samba/libsmbshare*; do
ln -sf samba/$(basename $i) ${pkgdir}/usr/lib/$(basename $i)
done
# spool directory
install -d -m1777 ${pkgdir}/var/spool/samba
sed -i 's|/usr/spool/samba|/var/spool/samba|g' ${pkgdir}/etc/samba/smb.conf.default
# fix logrotate
sed -i -e 's|log.%m|%m.log|g' ${pkgdir}/etc/samba/smb.conf.default
# nsswitch libraries
install -D -m755 nsswitch/libnss_wins.so ${pkgdir}/lib/libnss_wins.so
ln -s libnss_wins.so ${pkgdir}/lib/libnss_wins.so.2
install -D -m755 nsswitch/libnss_winbind.so ${pkgdir}/lib/libnss_winbind.so
install -D -m755 bin/pam_winbind.so ${pkgdir}/lib/security/pam_winbind.so
# remove conflict files of smbclient and tdb
for man in libsmbclient smbspool \
umount.cifs mount.cifs net; do
rm -f ${pkgdir}/usr/share/man/man8/${man}.8
done
for i in libnetapi* libtdb* libtalloc* libwbclient*; do
rm -f ${pkgdir}/usr/lib/samba/$i
done
rm -f ${pkgdir}/usr/bin/tdbbackup
rm -f ${pkgdir}/usr/include/{tdb.h,talloc.h,netapi.h}
for man in rpcclient smbcacls smbclient smbcquotas \
smbtree smbtar nmblookup smbget; do
rm -f ${pkgdir}/usr/share/man/man1/${man}.1
done
rm -f ${pkgdir}/usr/share/man/man7/libsmbclient.7
rm -f ${pkgdir}/usr/include/libsmbclient.h
}
md5sums=('0cd27c7afbb8211616eea4010f32271c'
'a676f0dde2c434aeb5125376b8797a64'
'e93533fa2296c07c1f645dfdd373657f'
'5697da77590ec092cc8a883bae06093c'
'a4bbfa39fee95bba2e7ad6b535fae7e6'
'96f82c38f3f540b53f3e5144900acf17'
'f2f2e348acd1ccb566e95fa8a561b828'
'e15ab37115101cf3a8d110f0c1f8e29e')I think a security task force should be initiated (I know discussions existed, but I don't know what were the consequences), so that important packages (like those providing services) could be updated in a timely manner. This is a minor issue as I stated earlier, but it could be worse. Those interested, let's initiate a discussion with the developers of important packages and try to get some things working. People (mostly trusted users) who can generate early packages are welcome, so that they can provide early versions of unvulnerable packages.
In love I believe and in Linux I trust
Offline
I believe security issues should be submitted as high/critical bug reports.
Offline
Submitting them as bug reports only will create too much fuss. The developers might be overwhelmed at some point and cannot provide packages in a timely manner. But if a member of the security task force sees earlier the vulnerability announce, it would modify the PKGBUILD with the required patch, or the new version. After that, he'll compile the package to see if it compiles fine and submit the PKGBUILD to the developer or a trusted user, who can create an early patched version of the package. This is how I see the things going. Please correct me if I'm wrong.
P.S.: An advice on the bug report site tells you "REPEAT: Do NOT report bugs for outdated packages!". I think this makes it more clear that this kind of problems should be treated in some other way(s), tdy.
Last edited by ckristi (2009-01-07 21:28:09)
In love I believe and in Linux I trust
Offline
Please submit a bug report to make sure the maintainer know that it's a security update. . Security updates are different than simple regular update.
Offline
Aye, aye. ![]()
In love I believe and in Linux I trust
Offline
In love I believe and in Linux I trust
Offline
P.S.: An advice on the bug report site tells you "REPEAT: Do NOT report bugs for outdated packages!".
To clarify: that warning on the bugtracker is to prevent users posting bugs for packages simply because a new upstream release is available. We have the out-of-date flag on archlinux.org/packages for that. Security issues should definitely be filed as bugs, and will be treated with the highest priority.
Offline
I understand what you're saying. The only thing that kept me from filing it as a bug report was the fact that it's not triggered in a default installation of samba. But it's good to know for the future. Thanks for letting me know.
Oh, and sorry for the confusion... my mistake.
Last edited by ckristi (2009-01-08 23:23:46)
In love I believe and in Linux I trust
Offline
No problem - it's great that we have users who have the enthusiasm to dig into stuff like this.
One other point - the Arch approach will always be to use the latest stable upstream release, so in this case, we won't patch 3.2.6 - we will upgrade to 3.2.7.
Offline
No problem with me with 3.2.7. I just used the backwards compatible patch to break things as little as possible on my fileserver, until a tested package appears in the repository.
Thanks for understanding and support.
In love I believe and in Linux I trust
Offline
Sounds great about the bug tracker. But what is arch doing about these?
http://dev.archlinux.org/~hugo/sheriff/
and on my system these are the actual packages installed in regards to the list/link above:
dbus
faad2
imlib2
jasper
libsndfile
libtiff
libvorbis
libwmf
libxml2
libxslt
lynx
mplayer
openssl
php
ruby
unzip
vorbis-tools
Please don't take this as a negative because I love arch and all the work the devs put into this great distro. I know its easy to say well we will just upgrade to the next version but it seems there are a few packages that dont have a newer version and just patches by upstream are provided. Things like mplayer, unzip just to name a few.... Any thoughts?
Offline
I don't know about other packages, but I believe when I checked the PKGBUILD for PHP, that the security fix was included in 5.2.7.
Check http://repos.archlinux.org/viewvc.cgi/p … iew=markup for more info.
And don't get me wrong, I am a little bit concerned about the way vulnerabilities are treated in Arch, 'cause my home server is running this distro.
And I really would think we should start some serious discussions about this security issues and the way they should be treated. I know the developers are doing their best and I'm not going to put fingers at all. They should be helped in maintaining packages for important services. We'll benefit from it and their tasks would be easier.
In love I believe and in Linux I trust
Offline
I don't know about other packages, but I believe when I checked the PKGBUILD for PHP, that the security fix was included in 5.2.7.
Check http://repos.archlinux.org/viewvc.cgi/p … iew=markup for more info.
And don't get me wrong, I am a little bit concerned about the way vulnerabilities are treated in Arch, 'cause my home server is running this distro.
And I really would think we should start some serious discussions about this security issues and the way they should be treated. I know the developers are doing their best and I'm not going to put fingers at all. They should be helped in maintaining packages for important services. We'll benefit from it and their tasks would be easier.
Why don't you start a wiki page tracking the latest vulnerabilities disclosed on various security mailing lists which are not fixed in arch. This will make it much easier for the devs.
This thing has been already discussed multiple times and already a wiki page exists for Arch Security Team but it seems nobody followed up with that.
Offline