Mandriva issued the advisory for CVE-2011-2724 (also reported in Bug 2950) on October 11: http://lists.mandriva.com/security-announce/2011-10/msg00023.php

Mandriva issued the advisory for CVE-2011-2522 and CVE-2011-2694 (not previously reported here) on July 27: http://lists.mandriva.com/security-announce/2011-07/msg00010.php
*** Bug 2950 has been marked as a duplicate of this bug. ***
CC: (none) => boklm
CC: (none) => bgmilne, bgmilne
CC: (none) => ennael1
CC: (none) => thierry.vignaud
Assignee: bugsquad => bgmilne
patches added and rpm pushed in the BS
CC: (none) => dmorganec
Assignee: bgmilne => qa-bugs
The following 3 packages are going to be installed:
- samba-client-3.5.8-1.1.mga1.x86_64
- samba-common-3.5.8-1.1.mga1.x86_64
- samba-server-3.5.8-1.1.mga1.x86_64

Testing x86_64 using the same procedure as bug 2950 but with x86_64 as host - OK

Also for samba-client:

# findsmb3
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
---------------------------------------------------------------------
Domain=[MGAGROUP] OS=[Unix] Server=[Samba 3.5.8]
Domain=[MGAGROUP] OS=[Unix] Server=[Samba 3.5.8]
192.168.1.21 MGA [ MGAGROUP ]

$ findsmb3
IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
---------------------------------------------------------------------
192.168.1.21 unknown nis name
192.168.1.60 unknown nis name

$ smbprint3 --help
/usr/bin/smbprint3: eval: line 64: syntax error near unexpected token `('
/usr/bin/smbprint3: eval: line 64: `Usage: cat [OPTION]... [FILE]...
Concatenate FILE(s), or standard input, to standard output.

  -A, --show-all           equivalent to -vET
  -b, --number-nonblank    number nonempty output lines, overrides -n
  -e                       equivalent to -vE
  -E, --show-ends          display $ at end of each line
  -n, --number             number all output lines
  -s, --squeeze-blank      suppress repeated empty output lines
  -t                       equivalent to -vT
  -T, --show-tabs          display TAB characters as ^I
  -u                       (ignored)
  -v, --show-nonprinting   use ^ and M- notation, except for LFD and TAB
      --help     display this help and exit
      --version  output version information and exit

With no FILE, or when FILE is -, read standard input.

Examples:
  cat f - g  Output f's contents, then standard input, then g's contents.
  cat        Copy standard input to standard output.

Report cat bugs to bug-coreutils@gnu.org
GNU coreutils home page: <http://www.gnu.org/software/coreutils/>
General help using GNU software: <http://www.gnu.org/gethelp/>
For complete documentation, run: info coreutils 'cat invocation''

Something wrong there. Looking for more info I found an old Mandriva bug against cooker (12217) which was closed as old in 2007. I'm guessing it is still relevant.
$ nmblookup MGA
querying MGA on 192.168.2.255
192.168.1.21 MEGA<00>

$ smbget3 -u=testuser -p=testpass smb://192.168.1.60/testshare/17.png
params.c:OpenConfFile() - Unable to open configuration file "/home/testuser/.smb/smb.conf": No such file or directory
params.c:OpenConfFile() - Unable to open configuration file "/home/testuser/.smb/smb.conf.append": No such file or directory
Using workgroup MGAGROUP, user testuser
smb://192.168.2.60/testshare/17.png
Downloaded 51.13kb in 1 seconds
Hardware: i586 => All
Testing that should be done to verify basic functionality of software affected by the CVEs:

CVE-2011-2724: Mount with mount.cifs, and verify that file access works correctly
CVE-2011-2522: Verify basic functionality in samba-swat
CVE-2011-2694: Verify password change functionality in samba-swat works

Testing other unrelated features in the software should focus on the common use cases (unrelated to mount.cifs that was already tested):
- nmblookup
- smbpasswd
- smbclient (enumerate shares, access a share)
- printing via CUPS to an SMB printer (which uses smbspool3, via /usr/lib*/cups/backend/smb3)
- administration of user accounts with pdbedit
- Use of 'net' tool (advanced)
- NTLM authentication with freeradius, apache, squid with ntlm_auth (advanced)

findsmb, smbget etc. are more esoteric uses, and need not be tested unless all the above has been tested.

I can try and find time to assist in writing more test cases, but I would prefer if there were at least some kind of framework to provide some level of automation.
As there are no public proofs of concept, we will await your custom POC code. Meanwhile, functionality testing shows no regressions but does highlight an unresolved bug dating back to at least 2007. I trust in light of the thoroughness expected of us that this will now be addressed ;)
Tested the srpm samba-client-3.5.8-1.1.mga1 on Mageia release 1 (Official) for x86_64, and for me it seems OK, nothing to report. Except that this bug 1903 is not resolved with this update.
CC: (none) => geiger.david68210
CC: thierry.vignaud => (none)
Bug #1903 is unrelated to the actual SMB/CIFS software in question, it is about the default firewall rules and SMB netbios name lookups/broadcasts. If you disable the firewall on both machines, you should see that everything works. There are other possible enhancements I need to verify, but nothing is going to change this behaviour for Mageia 1, except possibly an update to drakx-net.
(In reply to comment #6)
> Tested the srpm samba-client-3.5.8-1.1.mga1 on Mageia release 1 (Official) for
> x86_64 ,and for me it's seems Ok ,nothing to report.
>
> Except with the exception that this bug 1903 is not resolved with this update.

Well, there's news: since the srpm update package shorewall-4.4.19.1-3.1.mga1.src.rpm in Core_Updates_Testing everything is back to normal, the bug 1903 seems to be resolved.
Testing complete on i586 using an xp vb guest to access host samba server, using smbclient to access the vb guest shares, and http://localhost:901 to test swat.

Could someone from the sysadmin team push the srpm samba-3.5.8-1.1.mga1.src.rpm from Core Updates Testing to Core Updates.

Advisory:

This security update for samba addresses three security issues.

CVE-2011-2724 - The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs in Samba 3.5.10 and earlier does not properly verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. NOTE: this vulnerability exists because of an incorrect fix for CVE-2010-0547

CVE-2011-2522 - Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove user accounts, as demonstrated by certain start, stop, and restart parameters to the status program.

CVE-2011-2694 - Cross-site scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page).

https://bugs.mageia.org/show_bug.cgi?id=3980
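The CVE-2011-2724 entry in the advisory above describes the failure mode in general terms: an mtab record is one whitespace-separated line per mount, so a device name or mountpoint that contains whitespace or a newline can corrupt the table when written unescaped. The following C code is an added illustration of the kind of field validation a setuid mount helper needs before writing such a record; it is not Samba's mount.cifs code, not the Mageia patch, and the character policy (reject control characters, space and backslash) is an assumption chosen for this example rather than the upstream fix.

```c
/* Added example, not Samba's or Mageia's code: validate the two
 * user-controlled strings a mount helper writes into /etc/mtab.
 * Fields are whitespace-separated and records are newline-terminated,
 * so either character inside a field breaks the table layout. The
 * policy below (reject space, control characters, DEL and the backslash
 * that mtab uses as an escape prefix) is an assumption for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on a field; chosen for this example, not from mount.cifs. */
#define MTAB_FIELD_MAX 4096

/* Return true when s may be written verbatim as one mtab field. */
bool mtab_field_ok(const char *s)
{
    if (s == NULL || *s == '\0')
        return false;
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (i >= MTAB_FIELD_MAX)
            return false;            /* unreasonably long, refuse */
        unsigned char c = (unsigned char)s[i];
        /* c < 0x20 covers tab, newline and carriage return. */
        if (c == ' ' || c == '\\' || c < 0x20 || c == 0x7f)
            return false;
    }
    return true;
}

/* Build one mtab record into out. Returns the number of characters
 * written, or -1 if a field fails validation or out is too small. */
int format_mtab_line(char *out, size_t outlen, const char *dev,
                     const char *mnt, const char *fstype, const char *opts)
{
    if (!mtab_field_ok(dev) || !mtab_field_ok(mnt))
        return -1;
    int n = snprintf(out, outlen, "%s %s %s %s 0 0\n", dev, mnt, fstype, opts);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

int main(void)
{
    char line[256];
    /* Constructed sample: a mountpoint carrying an embedded newline and a
     * second, fake record. A naive writer would emit two mtab entries. */
    const char *crafted = "/mnt/share\n//other/share /tmp cifs rw 0 0";

    printf("crafted mountpoint accepted: %s\n",
           mtab_field_ok(crafted) ? "yes" : "no");
    if (format_mtab_line(line, sizeof line, "//srv/share", "/mnt/share",
                         "cifs", "rw") > 0)
        fputs(line, stdout);
    return 0;
}
```

The point of routing every write through `format_mtab_line` is that the check cannot be bypassed by a caller that forgot it, and that the record is produced by one `snprintf` whose width is bounded. Rejecting the backslash is deliberately conservative: mtab readers interpret `\040`-style escapes, so a helper that wants to support spaces in paths should escape them on output rather than let the raw byte through.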
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
update pushed.
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
CC: boklm => (none)