Bug 28870

Summary: Samba new security issues: CVE-2020-27840 CVE-2021-20254 CVE-2021-20277
Product: Mageia Reporter: Nicolas Lécureuil <mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED DUPLICATE QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: bgmilne, ouaurelien
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA7TOO
Source RPM: samba-4.12.11-1.mga8.src.rpm CVE: CVE-2020-27840, CVE-2021-20254, CVE-2021-20277
Status comment:

Description Nicolas Lécureuil 2021-05-03 12:24:00 CEST 
A new version has just been pushed into mageia8 updates_testing.

src:
    - samba-4.12.15-1.mga8


Below  is the list of fixed CVEs:

o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
o CVE-2020-27840: Heap corruption via crafted DN strings.
o CVE-2021-20277: Out of bounds read in AD DC LDAP server.
o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
  in the Samba file server process token.
Comment 1 Thomas Backlund 2021-05-03 16:55:53 CEST 
Please do remember to atleast cc maintainer when touching their packages

CC: (none) => bgmilne

Comment 2 Nicolas Lécureuil 2021-05-03 17:38:21 CEST 
yes right. Won't forget
Aurelien Oudelet 2021-05-04 15:42:16 CEST

CC: (none) => ouaurelien
Summary: Samba security fixes => Samba new security issues: CVE-2020-27840 CVE-2021-20254 CVE-2021-20277
Component: RPM Packages => Security
CVE: (none) => CVE-2020-27840, CVE-2021-20254, CVE-2021-20277
QA Contact: (none) => security
Severity: normal => major
Version: 8 => Cauldron

Comment 3 Aurelien Oudelet 2021-05-04 15:43:10 CEST 
Cauldron fixed.
Correcting SRPM.

Source RPM: (none) => samba-4.12.11-1.mga8.src.rpm
Version: Cauldron => 8

Comment 4 Aurelien Oudelet 2021-05-04 15:54:07 CEST 
Advisory:
========================

Updated samba packages fix multiple vulnerabilities:

Heap corruption via crafted DN strings:
An anonymous attacker can crash the Samba AD DC LDAP server by sending
easily crafted DNs as part of a bind request. More serious heap corruption
is likely also possible (CVE-2020-27840).

Negative idmap cache entries can cause incorrect group entries in
the Samba file server process token: A coding error converting SIDs to gids could allow unexpected group entries in a process token.
This could allow unauthorized access to files (CVE-2021-20254).

Out of bounds read in AD DC LDAP server: User-controlled LDAP filter strings
against the AD DC LDAP server may crash the LDAP server (CVE-2021-20277).


references:
- https://www.samba.org/samba/history/security.html
- https://www.samba.org/samba/security/CVE-2020-27840.html
- https://www.samba.org/samba/security/CVE-2021-20254.html
- https://www.samba.org/samba/security/CVE-2021-20277.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27840
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20254
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20277
========================

Updated i586 packages in 8/core/updates_testing:
========================
ctdb-4.12.15-1.mga8.i586.rpm
ctdb-tests-4.12.15-1.mga8.i586.rpm
libheimntlm-samba4_1-4.12.15-1.mga8.i586.rpm
libkdc-samba4_2-4.12.15-1.mga8.i586.rpm
libsamba-dc0-4.12.15-1.mga8.i586.rpm
libsamba-devel-4.12.15-1.mga8.i586.rpm
libsamba-test0-4.12.15-1.mga8.i586.rpm
libsamba1-4.12.15-1.mga8.i586.rpm
libsmbclient-devel-4.12.15-1.mga8.i586.rpm
libsmbclient0-4.12.15-1.mga8.i586.rpm
libwbclient-devel-4.12.15-1.mga8.i586.rpm
libwbclient0-4.12.15-1.mga8.i586.rpm
python3-samba-4.12.15-1.mga8.i586.rpm
samba-4.12.15-1.mga8.i586.rpm
samba-client-4.12.15-1.mga8.i586.rpm
samba-common-4.12.15-1.mga8.i586.rpm
samba-dc-4.12.15-1.mga8.i586.rpm
samba-krb5-printing-4.12.15-1.mga8.i586.rpm
samba-test-4.12.15-1.mga8.i586.rpm
samba-winbind-4.12.15-1.mga8.i586.rpm
samba-winbind-clients-4.12.15-1.mga8.i586.rpm
samba-winbind-krb5-locator-4.12.15-1.mga8.i586.rpm
samba-winbind-modules-4.12.15-1.mga8.i586.rpm


Updated x86_64 packages in 8/core/updates_testing:
========================
ctdb-4.12.15-1.mga8.x86_64.rpm
ctdb-tests-4.12.15-1.mga8.x86_64.rpm
lib64heimntlm-samba4_1-4.12.15-1.mga8.x86_64.rpm
lib64kdc-samba4_2-4.12.15-1.mga8.x86_64.rpm
lib64samba-dc0-4.12.15-1.mga8.x86_64.rpm
lib64samba-devel-4.12.15-1.mga8.x86_64.rpm
lib64samba-test0-4.12.15-1.mga8.x86_64.rpm
lib64samba1-4.12.15-1.mga8.x86_64.rpm
lib64smbclient-devel-4.12.15-1.mga8.x86_64.rpm
lib64smbclient0-4.12.15-1.mga8.x86_64.rpm
lib64wbclient-devel-4.12.15-1.mga8.x86_64.rpm
lib64wbclient0-4.12.15-1.mga8.x86_64.rpm
python3-samba-4.12.15-1.mga8.x86_64.rpm
samba-4.12.15-1.mga8.x86_64.rpm
samba-client-4.12.15-1.mga8.x86_64.rpm
samba-common-4.12.15-1.mga8.x86_64.rpm
samba-dc-4.12.15-1.mga8.x86_64.rpm
samba-krb5-printing-4.12.15-1.mga8.x86_64.rpm
samba-test-4.12.15-1.mga8.x86_64.rpm
samba-winbind-4.12.15-1.mga8.x86_64.rpm
samba-winbind-clients-4.12.15-1.mga8.x86_64.rpm
samba-winbind-krb5-locator-4.12.15-1.mga8.x86_64.rpm
samba-winbind-modules-4.12.15-1.mga8.x86_64.rpm

from SRPM:
========================
samba-4.12.15-1.mga8.src.rpm

Whiteboard: (none) => MGA7TOO

Comment 5 Aurelien Oudelet 2021-05-04 15:55:19 CEST 
Mageia 7 Update will follow.
Comment 6 David Walser 2021-05-04 16:00:17 CEST 
Please handle this in the original bug.  The sssd package still needs to be rebuilt as well.

*** This bug has been marked as a duplicate of bug 28686 ***

Resolution: (none) => DUPLICATE
Status: NEW => RESOLVED