Bug 24061 - samba new security issues CVE-2018-14629, CVE-2018-16841, CVE-2018-16851
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA6-64-OK MGA6-32-OK
Keywords: advisory, validated_update
Reported: 2018-12-25 20:52 CET by David Walser
Modified: 2019-01-05 19:31 CET

Source RPM: samba-4.6.16-1.mga6.src.rpm

Description David Walser 2018-12-25 20:52:17 CET
Upstream has issued advisories:
https://www.samba.org/samba/security/CVE-2018-14629.html
https://www.samba.org/samba/security/CVE-2018-16841.html
https://www.samba.org/samba/security/CVE-2018-16851.html

It sounds like the first two issues might actually be in ldb and talloc.
Comment 1 David Walser 2018-12-26 01:42:08 CET
Debian has issued an advisory for this on November 27:
https://www.debian.org/security/2018/dsa-4345
Comment 2 Marja Van Waes 2018-12-26 07:50:04 CET
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => bgmilne

Comment 3 Buchan Milne 2018-12-30 23:31:15 CET
The security issues announced on 2018-11-28 are:

CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD Internal DNS server),
CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT),
CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server),
CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers), (only affects 4.9.x)
CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos configuration (unsupported)) and
CVE-2018-16857 (Bad password count in AD DC not always effective). (only affects 4.9.x).

4.6.x is EOL as of 2018-09-13:

series  git branch  status                         started     maintenance  security    discontinued (EOL)
4.10    master      next upcoming release series
4.9     v4-9-test   current stable release series  2018-09-13
4.8     v4-8-test   maintenance mode               2018-03-13  2018-09-13
4.7     v4-7-test   security fixes only            2017-09-21  2018-03-13   2018-09-13
4.6     v4-6-test   discontinued (EOL)             2017-03-07  2017-09-21   2018-03-13  2018-09-13

It looks like our best option here is to upgrade to 4.7.12 (which fixes all of the above issues except the ones specific to 4.9.x).

I have submitted builds of the following to updates_testing for 6:
tdb 1.3.14
talloc 2.1.11
tevent 0.9.36
ldb 1.2.3 (bundles a newer version of cmocka than is available, requires 1.1.1, 6 has 1.0.1)
samba 4.7.12 (also bundles cmocka 1.1.1, though I didn't enable this myself)

SRPMS required:
tdb-1.3.14-1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347250 )
talloc-2.1.11-1.1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347251 )
tevent-0.9.36-1.1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347252 ) 
ldb-1.2.3-1.mga6 ( http://svnweb.mageia.org/packages?view=revision&revision=1347277 )
samba-4.7.12-1.mga6.src.rpm (still building on the build system, but built fine locally on mga6) ( http://svnweb.mageia.org/packages?view=revision&revision=1347278 )

I have done minimal testing (e.g. smbclient 4.7.12 can browse and connect to 4.6.x server, and to a 4.7.12 server) and it works for those tests.

CC: (none) => bgmilne
Assignee: bgmilne => qa-bugs
Status: NEW => ASSIGNED

Comment 4 David Walser 2018-12-30 23:50:10 CET
Thanks.  Is there a reason we can't just update cmocka too?
Comment 5 Buchan Milne 2018-12-31 07:24:14 CET
> Is there a reason we can't just update cmocka too?

I have submitted cmocka too. In the ldb case ( http://svnweb.mageia.org/packages/updates/6/ldb/current/SPECS/ldb.spec?r1=1347277&r2=1347359&pathrev=1347359 , not submitted ), building with this installed doesn't change which binaries are shipped, cmocka is only used as a build tool when bundled.

In the case of samba, building with cmocka >= 1.1.1 avoids shipping %{_libdir}/samba/libcmocka-samba4.so

Submitted as: samba-4.7.12-1.1.mga6.src.rpm (still building)


(I am AFK for the next week)
Comment 6 David Walser 2018-12-31 17:51:55 CET
Advisory:
========================

Updated ldb, talloc, and samba packages fix security vulnerabilities:

Florian Stuelpner discovered that Samba is vulnerable to infinite query
recursion caused by CNAME loops, resulting in denial of service
(CVE-2018-14629).

Alex MacCuish discovered that a user with a valid certificate or smart card
can crash the Samba AD DC's KDC when configured to accept smart-card
authentication (CVE-2018-16841).

Garming Sam of the Samba Team and Catalyst discovered a NULL pointer
dereference vulnerability in the Samba AD DC LDAP server allowing a user able
to read more than 256MB of LDAP entries to crash the Samba AD DC's LDAP server
(CVE-2018-16851).

Samba has been updated to version 4.7.12 of the 4.7.x stable branch, and the
tdb, talloc, tevent, ldb, and cmocka packages have also been updated.

The sssd package has also been rebuilt against the updated ldb.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16851
https://www.samba.org/samba/security/CVE-2018-14629.html
https://www.samba.org/samba/security/CVE-2018-16841.html
https://www.samba.org/samba/security/CVE-2018-16851.html
https://www.samba.org/samba/history/samba-4.7.0.html
https://www.samba.org/samba/history/samba-4.7.1.html
https://www.samba.org/samba/history/samba-4.7.2.html
https://www.samba.org/samba/history/samba-4.7.3.html
https://www.samba.org/samba/history/samba-4.7.4.html
https://www.samba.org/samba/history/samba-4.7.5.html
https://www.samba.org/samba/history/samba-4.7.6.html
https://www.samba.org/samba/history/samba-4.7.7.html
https://www.samba.org/samba/history/samba-4.7.8.html
https://www.samba.org/samba/history/samba-4.7.9.html
https://www.samba.org/samba/history/samba-4.7.10.html
https://www.samba.org/samba/history/samba-4.7.11.html
https://www.samba.org/samba/history/samba-4.7.12.html
https://www.debian.org/security/2018/dsa-4345
========================

Updated packages in core/updates_testing:
========================
libtdb1-1.3.14-1.mga6
tdb-utils-1.3.14-1.mga6
libtdb-devel-1.3.14-1.mga6
python-tdb-1.3.14-1.mga6
libtalloc2-2.1.11-1.1.mga6
libtalloc-devel-2.1.11-1.1.mga6
python-talloc-2.1.11-1.1.mga6
libpytalloc-util2-2.1.11-1.1.mga6
libpytalloc-util-devel-2.1.11-1.1.mga6
libtevent0-0.9.36-1.1.mga6
libtevent-devel-0.9.36-1.1.mga6
python-tevent-0.9.36-1.1.mga6
libldb1-1.2.3-1.mga6
ldb-utils-1.2.3-1.mga6
libldb-devel-1.2.3-1.mga6
python-ldb-1.2.3-1.mga6
libpyldb-util1-1.2.3-1.mga6
libpyldb-util-devel-1.2.3-1.mga6
libcmocka0-1.1.3-1.mga6
libcmocka0-static-devel-1.1.3-1.mga6
libcmocka-devel-1.1.3-1.mga6
sssd-1.13.4-9.3.mga6
sssd-common-1.13.4-9.3.mga6
sssd-client-1.13.4-9.3.mga6
libsss_sudo-1.13.4-9.3.mga6
libsss_autofs-1.13.4-9.3.mga6
sssd-tools-1.13.4-9.3.mga6
python-sssdconfig-1.13.4-9.3.mga6
python3-sssdconfig-1.13.4-9.3.mga6
python-sss-1.13.4-9.3.mga6
python3-sss-1.13.4-9.3.mga6
python-sss-murmur-1.13.4-9.3.mga6
python3-sss-murmur-1.13.4-9.3.mga6
sssd-ldap-1.13.4-9.3.mga6
sssd-krb5-common-1.13.4-9.3.mga6
sssd-krb5-1.13.4-9.3.mga6
sssd-common-pac-1.13.4-9.3.mga6
sssd-ipa-1.13.4-9.3.mga6
sssd-ad-1.13.4-9.3.mga6
sssd-proxy-1.13.4-9.3.mga6
libsss_idmap-1.13.4-9.3.mga6
libsss_idmap-devel-1.13.4-9.3.mga6
libipa_hbac-1.13.4-9.3.mga6
libipa_hbac-devel-1.13.4-9.3.mga6
python-libipa_hbac-1.13.4-9.3.mga6
python3-libipa_hbac-1.13.4-9.3.mga6
libsss_nss_idmap-1.13.4-9.3.mga6
libsss_nss_idmap-devel-1.13.4-9.3.mga6
python-libsss_nss_idmap-1.13.4-9.3.mga6
python3-libsss_nss_idmap-1.13.4-9.3.mga6
sssd-dbus-1.13.4-9.3.mga6
libsss_simpleifp-1.13.4-9.3.mga6
libsss_simpleifp-devel-1.13.4-9.3.mga6
sssd-libwbclient-1.13.4-9.3.mga6
sssd-libwbclient-devel-1.13.4-9.3.mga6
samba-4.7.12-1.1.mga6
samba-client-4.7.12-1.1.mga6
samba-common-4.7.12-1.1.mga6
samba-dc-4.7.12-1.1.mga6
libsamba-dc0-4.7.12-1.1.mga6
libkdc-samba4_2-4.7.12-1.1.mga6
libsamba-devel-4.7.12-1.1.mga6
samba-krb5-printing-4.7.12-1.1.mga6
libsamba1-4.7.12-1.1.mga6
libsmbclient0-4.7.12-1.1.mga6
libsmbclient-devel-4.7.12-1.1.mga6
libwbclient0-4.7.12-1.1.mga6
libwbclient-devel-4.7.12-1.1.mga6
python-samba-4.7.12-1.1.mga6
samba-pidl-4.7.12-1.1.mga6
samba-test-4.7.12-1.1.mga6
libsamba-test0-4.7.12-1.1.mga6
samba-winbind-4.7.12-1.1.mga6
samba-winbind-clients-4.7.12-1.1.mga6
samba-winbind-krb5-locator-4.7.12-1.1.mga6
samba-winbind-modules-4.7.12-1.1.mga6
ctdb-4.7.12-1.1.mga6
ctdb-tests-4.7.12-1.1.mga6

from SRPMS:
tdb-1.3.14-1.mga6.src.rpm
talloc-2.1.11-1.1.mga6.src.rpm
tevent-0.9.36-1.1.mga6.src.rpm
ldb-1.2.3-1.mga6.src.rpm
cmocka-1.1.3-1.mga6.src.rpm
sssd-1.13.4-9.3.mga6.src.rpm
samba-4.7.12-1.1.mga6.src.rpm
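
A check for hosts still carrying pre-advisory builds, as an added example (not part of the bug report or of Mageia's tooling): it reads `rpm -qa --qf '%{SOURCERPM}\n'` output and compares each source package against the fixed SRPM versions listed in the advisory above. The version comparison is a simplified rpmvercmp that ignores epochs and tildes, and the sample input is constructed.

```python
import re

# Fixed (version, release) per source package, from the advisory's SRPMS list.
FIXED = {
    "tdb": ("1.3.14", "1.mga6"), "talloc": ("2.1.11", "1.1.mga6"),
    "tevent": ("0.9.36", "1.1.mga6"), "ldb": ("1.2.3", "1.mga6"),
    "cmocka": ("1.1.3", "1.mga6"), "sssd": ("1.13.4", "9.3.mga6"),
    "samba": ("4.7.12", "1.1.mga6"),
}

def rpmvercmp(a, b):
    """Simplified rpmvercmp (assumption: no epoch, no '~'): -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def outdated(sourcerpm_lines):
    """Return sorted (source, installed version-release) pairs older than the fix."""
    found = set()
    for line in sourcerpm_lines:
        stem = line.strip()
        if not stem.endswith(".src.rpm"):
            continue                        # e.g. "(none)" for gpg-pubkey entries
        parts = stem[:-len(".src.rpm")].rsplit("-", 2)
        if len(parts) != 3 or parts[0] not in FIXED:
            continue
        name, ver, rel = parts
        fver, frel = FIXED[name]
        if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
            found.add((name, f"{ver}-{rel}"))
    return sorted(found)

# Constructed sample of `rpm -qa --qf '%{SOURCERPM}\n'` output on a partly updated host.
SAMPLE = """samba-4.6.16-1.mga6.src.rpm
samba-4.6.16-1.mga6.src.rpm
ldb-1.2.3-1.mga6.src.rpm
talloc-2.1.11-1.mga6.src.rpm
tevent-0.9.36-1.1.mga6.src.rpm
(none)
glibc-2.22-29.mga6.src.rpm""".splitlines()

if __name__ == "__main__":
    for name, evr in outdated(SAMPLE):
        print(f"{name}: installed {evr}, fixed in {'-'.join(FIXED[name])}")
```
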
Comment 7 James Kerr 2019-01-03 10:14:08 CET
on mga6-64

packages installed cleanly:
- lib64kdc-samba4_2-4.7.12-1.1.mga6.x86_64
- lib64ldb1-1.2.3-1.mga6.x86_64
- lib64pytalloc-util2-2.1.11-1.1.mga6.x86_64
- lib64samba-dc0-4.7.12-1.1.mga6.x86_64
- lib64samba1-4.7.12-1.1.mga6.x86_64
- lib64smbclient0-4.7.12-1.1.mga6.x86_64
- lib64talloc2-2.1.11-1.1.mga6.x86_64
- lib64tdb1-1.3.14-1.mga6.x86_64
- lib64tevent0-0.9.36-1.1.mga6.x86_64
- lib64wbclient0-4.7.12-1.1.mga6.x86_64
- samba-4.7.12-1.1.mga6.x86_64
- samba-client-4.7.12-1.1.mga6.x86_64
- samba-common-4.7.12-1.1.mga6.x86_64

I can read/write to a share on 4.6.16 from 4.7.12
I can read/write to a share on 4.7.12 from 4.7.12
I can read/write to a share on 4.7.12 from 4.6.16

OK for mga6.64

CC: (none) => jim
Whiteboard: (none) => MGA6-64-OK

Comment 8 James Kerr 2019-01-03 11:13:59 CET
on mga6-32

packages installed cleanly:
- libkdc-samba4_2-4.7.12-1.1.mga6.i586
- libldb1-1.2.3-1.mga6.i586
- libpytalloc-util2-2.1.11-1.1.mga6.i586
- libsamba-dc0-4.7.12-1.1.mga6.i586
- libsamba1-4.7.12-1.1.mga6.i586
- libsmbclient0-4.7.12-1.1.mga6.i586
- libtalloc2-2.1.11-1.1.mga6.i586
- libtdb1-1.3.14-1.mga6.i586
- libtevent0-0.9.36-1.1.mga6.i586
- libwbclient0-4.7.12-1.1.mga6.i586
- samba-4.7.12-1.1.mga6.i586
- samba-client-4.7.12-1.1.mga6.i586
- samba-common-4.7.12-1.1.mga6.i586

I can read/write to/from shares on 4.6.16 and 4.7.12

I can read/write to/from shares on Windows 7.

OK for mga6-32

Whiteboard: MGA6-64-OK => MGA6-64-OK MGA6-32-OK

Comment 9 Lewis Smith 2019-01-03 20:42:52 CET
@James
Many thanks for these tests, which are taxing. It is a big help that you do them.

Advisory from comment 6. Validating (you could have).

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 10 Mageia Robot 2019-01-05 19:31:54 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0011.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

