You are not logged in.

#1 2009-01-07 16:45:21

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

samba 3.2.6 patch for security issue

I know the security issue is hard to trigger, but I created a new PKGBUILD for samba 3.2.6 containing the patch.

Excerpt from the patch commentary:

commit 288fa94ac7cfdf7457b5098c33fc840bed3d5410
Author:     Michael Adam <obnox@samba.org>
AuthorDate: Thu Dec 18 18:01:55 2008 +0100
Commit:     Karolin Seeger <kseeger@samba.org>
CommitDate: Fri Dec 19 08:30:23 2008 +0100

    smbd: prevent access to root filesystem when connecting with empty service name
    
    This only applies to a setup with "registry shares = yes"
    
    Michael

And here's the PKGBUILD:

# $Id: PKGBUILD 22200 2008-12-22 22:24:26Z tpowa $
# Maintainer: judd <jvinet@zeroflux.org>
pkgname=samba
pkgver=3.2.6
# We use the 'A' to fake out pacman's version comparators.  Samba chooses
# to append 'a','b',etc to their subsequent releases, which pamcan
# misconstrues as alpha, beta, etc.  Bad samba!
_realver=3.2.6
pkgrel=2.1
pkgdesc="Tools to access a server's filespace and printers via SMB"
arch=(i686 x86_64)
url="http://www.samba.org"
license=('GPL3')
backup=(etc/logrotate.d/samba etc/pam.d/samba etc/samba/smb.conf etc/xinetd.d/swat etc/conf.d/samba)
depends=('db>=4.7' 'popt' 'libcups' 'acl' 'libldap' 'smbclient=3.2.6' 'libcap' 'heimdal>=1.2-1' 'pam' 'fam' 'gnutls>=2.4.1' 'tdb=3.2.6')
options=(!makeflags)
source=(http://us1.samba.org/samba/ftp/stable/${pkgname}-${_realver}.tar.gz \
        no-clients.patch samba samba.logrotate swat.xinetd samba.pam samba.conf.d \
    ftp://us1.samba.org/pub/samba/patches/security/samba-3.2.6-CVE-2009-0022.patch)

build() {
  cd ${srcdir}/${pkgname}-${_realver}/source
  patch -Np2 -i ${srcdir}/no-clients.patch || return 1
  patch -Np2 -i ${srcdir}/samba-3.2.6-CVE-2009-0022.patch || return 1

  ./configure --prefix=/usr --with-configdir=/etc/samba \
              --with-lockdir=/var/cache/samba \
              --with-piddir=/var/run/samba \
              --with-fhs --with-pam --with-ads --with-acl-support \
              --without-cifsmount --without-libsmbclient \
              --with-syslog --with-pam_smbpass \
              --localstatedir=/var --disable-dnssd --libdir=/usr/lib/samba
  make || return 1
  mkdir -p ${pkgdir}/var/log/samba
  mkdir -p ${pkgdir}/etc/samba/private
  chmod 700 ${pkgdir}/etc/samba/private
  make DESTDIR=$startdir/pkg install
  chmod 644 ${pkgdir}/usr/include/*.h
  rm -rf ${pkgdir}/usr/var
  (cd script; cp installbin.sh i; cat i | sed 's/\/sbin\///' > installbin.sh)
  install -D -m755 ../../samba ${pkgdir}/etc/rc.d/samba
  install -D -m644 ../../samba.conf.d ${pkgdir}/etc/conf.d/samba
  mkdir -p ${pkgdir}/etc/samba
  cat ../examples/smb.conf.default | \
    sed 's|log file = .*$|log file = /var/log/samba/log.%m|g' >${pkgdir}/etc/samba/smb.conf.default
  install -D -m644 ../../samba.logrotate ${pkgdir}/etc/logrotate.d/samba
  install -D -m644 ../../swat.xinetd ${pkgdir}/etc/xinetd.d/swat
  install -D -m644 ../../samba.pam ${pkgdir}/etc/pam.d/samba
  # symlink libs
  for i in ${pkgdir}/usr/lib/samba/libsmbshare*; do
    ln -sf samba/$(basename $i) ${pkgdir}/usr/lib/$(basename $i)
  done
  # spool directory
  install -d -m1777 ${pkgdir}/var/spool/samba
  sed -i 's|/usr/spool/samba|/var/spool/samba|g' ${pkgdir}/etc/samba/smb.conf.default
  # fix logrotate
  sed -i -e 's|log.%m|%m.log|g' ${pkgdir}/etc/samba/smb.conf.default
  # nsswitch libraries
  install -D -m755 nsswitch/libnss_wins.so ${pkgdir}/lib/libnss_wins.so
  ln -s libnss_wins.so ${pkgdir}/lib/libnss_wins.so.2
  install -D -m755 nsswitch/libnss_winbind.so ${pkgdir}/lib/libnss_winbind.so
  install -D -m755 bin/pam_winbind.so ${pkgdir}/lib/security/pam_winbind.so
  # remove conflict files of smbclient and tdb
  for man in libsmbclient smbspool \
      umount.cifs mount.cifs net; do
    rm -f ${pkgdir}/usr/share/man/man8/${man}.8
  done
  for i in libnetapi* libtdb* libtalloc* libwbclient*; do
      rm -f ${pkgdir}/usr/lib/samba/$i
  done
  rm -f ${pkgdir}/usr/bin/tdbbackup
  rm -f ${pkgdir}/usr/include/{tdb.h,talloc.h,netapi.h}
  for man in rpcclient smbcacls smbclient smbcquotas \
      smbtree smbtar nmblookup smbget; do
    rm -f ${pkgdir}/usr/share/man/man1/${man}.1
  done
  rm -f ${pkgdir}/usr/share/man/man7/libsmbclient.7

  rm -f ${pkgdir}/usr/include/libsmbclient.h
}
md5sums=('0cd27c7afbb8211616eea4010f32271c'
         'a676f0dde2c434aeb5125376b8797a64'
         'e93533fa2296c07c1f645dfdd373657f'
         '5697da77590ec092cc8a883bae06093c'
         'a4bbfa39fee95bba2e7ad6b535fae7e6'
         '96f82c38f3f540b53f3e5144900acf17'
         'f2f2e348acd1ccb566e95fa8a561b828'
     'e15ab37115101cf3a8d110f0c1f8e29e')

I think a security task force should be initiated (I know discussions existed, but I don't know what were the consequences), so that important packages (like those providing services) could be updated in a timely manner. This is a minor issue as I stated earlier, but it could be worse. Those interested, let's initiate a discussion with the developers of important packages and try to get some things working. People (mostly trusted users) who can generate early packages are welcome, so that they can provide early versions of unvulnerable packages.


In love I believe and in Linux I trust

Offline

#2 2009-01-07 17:31:07

tdy
Member
From: Sacremende
Registered: 2008-12-14
Posts: 440

Re: samba 3.2.6 patch for security issue

I believe security issues should be submitted as high/critical bug reports.

Offline

#3 2009-01-07 18:08:03

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: samba 3.2.6 patch for security issue

Submitting them as bug reports only will create too much fuss. The developers might be overwhelmed at some point and cannot provide packages in a timely manner. But if a member of the security task force sees earlier the vulnerability announce, it would modify the PKGBUILD with the required patch, or the new version. After that, he'll compile the package to see if it compiles fine and submit the PKGBUILD to the developer or a trusted user, who can create an early patched version of the package. This is how I see the things going. Please correct me if I'm wrong.

P.S.: An advice on the bug report site tells you "REPEAT: Do NOT report bugs for outdated packages!". I think this makes it more clear that this kind of problems should be treated in some other way(s), tdy.

Last edited by ckristi (2009-01-07 21:28:09)


In love I believe and in Linux I trust

Offline

#4 2009-01-08 22:32:02

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: samba 3.2.6 patch for security issue

Please submit a bug report to make sure the maintainer know that it's a security update. . Security updates are different than simple regular update.

Offline

#5 2009-01-08 23:00:55

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: samba 3.2.6 patch for security issue

Aye, aye. smile


In love I believe and in Linux I trust

Offline

#6 2009-01-08 23:13:44

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: samba 3.2.6 patch for security issue


In love I believe and in Linux I trust

Offline

#7 2009-01-08 23:19:21

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: samba 3.2.6 patch for security issue

ckristi wrote:

P.S.: An advice on the bug report site tells you "REPEAT: Do NOT report bugs for outdated packages!".

To clarify: that warning on the bugtracker is to prevent users posting bugs for packages simply because a new upstream release is available. We have the out-of-date flag on archlinux.org/packages for that. Security issues should definitely be filed as bugs, and will be treated with the highest priority.

Offline

#8 2009-01-08 23:22:21

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: samba 3.2.6 patch for security issue

I understand what you're saying. The only thing that kept me from filing it as a bug report was the fact that it's not triggered in a default installation of samba. But it's good to know for the future. Thanks for letting me know.

Oh, and sorry for the confusion... my mistake.

Last edited by ckristi (2009-01-08 23:23:46)


In love I believe and in Linux I trust

Offline

#9 2009-01-08 23:27:22

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: samba 3.2.6 patch for security issue

No problem - it's great that we have users who have the enthusiasm to dig into stuff like this.

One other point - the Arch approach will always be to use the latest stable upstream release, so in this case, we won't patch 3.2.6 - we will upgrade to 3.2.7.

Offline

#10 2009-01-08 23:32:08

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: samba 3.2.6 patch for security issue

No problem with me with 3.2.7. I just used the backwards compatible patch to break things as little as possible on my fileserver, until a tested package appears in the repository.

Thanks for understanding and support.


In love I believe and in Linux I trust

Offline

#11 2009-01-09 01:36:11

BKJ
Member
Registered: 2008-09-19
Posts: 71

Re: samba 3.2.6 patch for security issue

Sounds great about the bug tracker.  But what is arch doing about these? 

http://dev.archlinux.org/~hugo/sheriff/

and on my system these are the actual packages installed in regards to the list/link above:

dbus
faad2
imlib2
jasper
libsndfile
libtiff
libvorbis
libwmf
libxml2
libxslt
lynx
mplayer
openssl
php
ruby
unzip
vorbis-tools

Please don't take this as a negative because I love arch and all the work the devs put into this great distro. I know its easy to say well we will just upgrade to the next version but it seems there are a few packages that dont have a newer version and just patches by upstream are provided.   Things like mplayer, unzip just to name a few....  Any thoughts?

Offline

#12 2009-01-09 06:53:51

ckristi
Member
From: Bucharest, Romania
Registered: 2006-11-21
Posts: 225

Re: samba 3.2.6 patch for security issue

I don't know about other packages, but I believe when I checked the PKGBUILD for PHP, that the security fix was included in 5.2.7.
Check http://repos.archlinux.org/viewvc.cgi/p … iew=markup for more info.
And don't get me wrong, I am a little bit concerned about the way vulnerabilities are treated in Arch, 'cause my home server is running this distro.
And I really would think we should start some serious discussions about this security issues and the way they should be treated. I know the developers are doing their best and I'm not going to put fingers at all. They should be helped in maintaining packages for important services. We'll benefit from it and their tasks would be easier.


In love I believe and in Linux I trust

Offline

#13 2009-01-09 07:55:56

u_no_hu
Member
Registered: 2008-06-15
Posts: 453

Re: samba 3.2.6 patch for security issue

ckristi wrote:

I don't know about other packages, but I believe when I checked the PKGBUILD for PHP, that the security fix was included in 5.2.7.
Check http://repos.archlinux.org/viewvc.cgi/p … iew=markup for more info.
And don't get me wrong, I am a little bit concerned about the way vulnerabilities are treated in Arch, 'cause my home server is running this distro.
And I really would think we should start some serious discussions about this security issues and the way they should be treated. I know the developers are doing their best and I'm not going to put fingers at all. They should be helped in maintaining packages for important services. We'll benefit from it and their tasks would be easier.

Why don't you start a wiki page tracking the latest vulnerabilities disclosed on various security mailing lists which are not fixed in arch. This will make it much easier for the devs.

This thing has been already discussed multiple times and already a wiki page exists for Arch Security Team but it seems nobody followed up with that.

http://wiki.archlinux.org/index.php/Security_Task_Force


Don't be a HELP VAMPIRE. Please search before you ask.

Subscribe to The Arch Daily News.

Offline

Board footer

Powered by FluxBB