Bug 21743

Summary: samba new security issues CVE-2017-1215[01] and CVE-2017-12163
Product: Mageia Reporter: Zombie Ryushu <zombie_ryushu>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: bgmilne, davidwhodgins, geiger.david68210, jim, luigiwalser, marja11, sysadmin-bugs
Version: 5Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: https://www.samba.org/samba/history/samba-4.6.8.html
Whiteboard: MGA5-64-OK MGA5-32-OK
Source RPM: samba-4.6.7-1.mga7 CVE:
Status comment:
Bug Depends on: 22030    
Bug Blocks:    

Description Zombie Ryushu 2017-09-20 10:56:54 CEST 
DThis is a security release in order to address the following defects:

o  CVE-2017-12150 (SMB1/2/3 connections may not require signing where they
   should)
o  CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
o  CVE-2017-12163 (Server memory information leak over SMB1)


=======
Details
=======

o  CVE-2017-12150:
   A man in the middle attack may hijack client connections.

o  CVE-2017-12151:
   A man in the middle attack can read and may alter confidential
   documents transferred via a client connection, which are reached
   via DFS redirect when the original connection used SMB3.

o  CVE-2017-12163:
   Client with write access to a share can cause server memory contents to be
   written into a file or printer.

For more details and workarounds, please see the security advisories:

   o https://www.samba.org/samba/security/CVE-2017-12150.html
   o https://www.samba.org/samba/security/CVE-2017-12151.html
   o https://www.samba.org/samba/security/CVE-2017-12163.html
Comment 1 Marja Van Waes 2017-09-20 11:56:49 CEST 
Is only Cauldron affected?

Assigning to neoclust, because, IINM, he's pushed samba more often recently than bmilne. CC'ing the latter, though.

@ bmilne

Sorry if I should have assigned to you. If so: please grab this bug :-)

Source RPM: samba => samba-4.6.7-1.mga7
Assignee: bugsquad => mageia
CC: (none) => bgmilne, geiger.david68210, marja11

Marja Van Waes 2017-09-20 11:57:24 CEST

Summary: [UPDATE REQUEST] samba 4.6.8 CVE-2017-12150: => [UPDATE REQUEST] samba 4.6.8 CVE-2017-1215[01], CVE-2017-12163

Comment 2 David Walser 2017-09-20 13:01:57 CEST 
The upstream announcements were made today (September 20):
https://www.samba.org/samba/latest_news.html#4.6.8

Mageia 5 and Mageia 6 are also affected, but CVE-2017-12151 doesn't affect mga5.

Summary: [UPDATE REQUEST] samba 4.6.8 CVE-2017-1215[01], CVE-2017-12163 => samba new security issues CVE-2017-1215[01] and CVE-2017-12163
Whiteboard: (none) => MGA6TOO, MGA5TOO
CC: (none) => luigiwalser

Comment 3 David Walser 2017-09-21 03:56:41 CEST 
samba-4.6.8-1.mga7 uploaded for Cauldron.  4.6.8 checked into Mageia 6 SVN.  Hopefully Ubuntu or someone provides backported patches for Samba 3.5.x soon.

Version: Cauldron => 6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Comment 4 David Walser 2017-09-21 23:46:16 CEST 
Ubuntu has issued an advisory for this today (September 21):
https://usn.ubuntu.com/usn/usn-3426-1/

I'm not sure if they're still going to update 12.04LTS, but if so that'll be done separately.
Comment 5 David Walser 2017-11-03 16:59:12 CET 
Ubuntu has issued an advisory for this on November 2:
https://usn.ubuntu.com/usn/usn-3426-2/

This has the patches I've been waiting for for Mageia 5.
David Walser 2017-11-22 17:58:43 CET

Depends on: (none) => 22030

José Jorge 2017-11-22 18:03:16 CET

Depends on: 22030 => (none)

Comment 6 David Walser 2017-11-22 18:07:21 CET 
(In reply to David Walser from comment #5)
> Ubuntu has issued an advisory for this on November 2:
> https://usn.ubuntu.com/usn/usn-3426-2/
> 
> This has the patches I've been waiting for for Mageia 5.

Oh lovely, the source for this update has disappeared from Ubuntu's site.
David Walser 2017-11-22 18:08:05 CET

Depends on: (none) => 22030

Comment 7 David Walser 2017-11-22 18:14:09 CET 
The CVE-2017-15275 part of the latest security patch for 4.5.14:
https://www.samba.org/samba/ftp/patches/security/samba-4.5.14-security-2017-11-21.patch

applies fine to 3.6.25.  Unfortunately it's not the case with the CVE-2017-12150 and CVE-2017-12163 portions of the 4.4.15 patch with those fixes, so we need that Ubuntu source.
José Jorge 2017-11-22 18:22:51 CET

Depends on: 22030 => (none)

Comment 8 David Walser 2017-11-22 19:44:45 CET 
Ubuntu has issued an advisory for this on November 21:
https://usn.ubuntu.com/usn/usn-3486-2/

The link to the source still fails.

Depends on: (none) => 22030

Comment 9 David Walser 2017-12-29 19:34:46 CET 
I got patches from CVE-2017-12150 and CVE-2017-12163 from Debian.  Build submitted and will be available eventually.

Advisory:
========================

Updated samba packages fix security vulnerabilities:

Stefan Metzmacher discovered that Samba incorrectly enforced SMB signing in
certain situations. A remote attacker could use this issue to perform a man
in the middle attack. (CVE-2017-12150)

Yihan Lian and Zhibin Hu discovered that Samba incorrectly handled memory
when SMB1 is being used. A remote attacker could possibly use this issue to
obtain server memory contents. (CVE-2017-12163)

Volker Lendecke discovered that Samba incorrectly cleared memory when
returning data to a client. A remote attacker could possibly use this issue
to obtain sensitive information. (CVE-2017-15275)

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12163
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15275
https://www.samba.org/samba/security/CVE-2017-12150.html
https://www.samba.org/samba/security/CVE-2017-12163.html
https://www.samba.org/samba/security/CVE-2017-15275.html
https://usn.ubuntu.com/usn/usn-3426-2/
https://usn.ubuntu.com/usn/usn-3486-2/
========================

Updated packages in core/updates_testing:
========================
samba-server-3.6.25-2.8.mga5
samba-client-3.6.25-2.8.mga5
samba-common-3.6.25-2.8.mga5
samba-doc-3.6.25-2.8.mga5
samba-swat-3.6.25-2.8.mga5
samba-winbind-3.6.25-2.8.mga5
nss_wins-3.6.25-2.8.mga5
libsmbclient0-3.6.25-2.8.mga5
libsmbclient0-devel-3.6.25-2.8.mga5
libsmbclient0-static-devel-3.6.25-2.8.mga5
libnetapi0-3.6.25-2.8.mga5
libnetapi-devel-3.6.25-2.8.mga5
libsmbsharemodes0-3.6.25-2.8.mga5
libsmbsharemodes-devel-3.6.25-2.8.mga5
libwbclient0-3.6.25-2.8.mga5
libwbclient-devel-3.6.25-2.8.mga5
samba-virusfilter-clamav-3.6.25-2.8.mga5
samba-virusfilter-fsecure-3.6.25-2.8.mga5
samba-virusfilter-sophos-3.6.25-2.8.mga5
samba-domainjoin-gui-3.6.25-2.8.mga5

from samba-3.6.25-2.8.mga5.src.rpm

Version: 6 => 5
Whiteboard: MGA5TOO => (none)
Assignee: mageia => qa-bugs

Dave Hodgins 2018-01-01 07:35:58 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 10 James Kerr 2018-01-02 11:56:39 CET 
on mga5-64

packages installed cleanly:
- lib64smbclient0-3.6.25-2.8.mga5.x86_64
- samba-client-3.6.25-2.8.mga5.x86_64
- samba-common-3.6.25-2.8.mga5.x86_64
- samba-server-3.6.25-2.8.mga5.x86_64

smbtree continues to list all available shares on the LAN

can access share on this system from an mga6 system and from another mga5 system

can access shares on an mga6 system and on another mga5 system from this system

OK for mga5-64

Whiteboard: (none) => MGA5-64-OK
CC: (none) => jim

Comment 11 James Kerr 2018-01-02 12:21:43 CET 
on mga5-32 (in a vbox VM)

packages installed cleanly:
- libsmbclient0-3.6.25-2.8.mga5.i586
- samba-client-3.6.25-2.8.mga5.i586
- samba-common-3.6.25-2.8.mga5.i586
- samba-server-3.6.25-2.8.mga5.i586

smbtree continues to list available shares

can access shares on an mga6 system and on another mga5 system from this system

can access a share on this system from an mga6 system and from another mga5 system

OK for mga5-32

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 12 James Kerr 2018-01-02 12:25:45 CET 
This update is now validated and can be pushed to updates

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 13 James Kerr 2018-01-02 12:35:02 CET 
Why is this bug marked as depending on bug#22030 which is for mga6?
Comment 14 David Walser 2018-01-02 13:03:11 CET 
(In reply to James Kerr from comment #13)
> Why is this bug marked as depending on bug#22030 which is for mga6?

Because it fixes some of the same issues and we don't do that in older releases before newer ones.  Both updates need to be tested and they should be released together, just as if they would if I had kept them in the same bug.
Comment 15 Mageia Robot 2018-01-02 17:26:28 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0022.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED