4.173. samba3x
Updated samba3x packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Samba is a suite of programs used by machines to share files, printers, and other information.
Security Fixes
- CVE-2011-2694
- A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session.
- CVE-2011-2522
- It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user.
- CVE-2011-2724
- It was found that the fix for CVE-2010-0547, provided by the Samba rebase in RHBA-2011:0054, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set.
- CVE-2011-1678
- It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs.
Note
mount.cifs from the samba3x packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs.
Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522.
Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
Updated samba3x packages that fix several bugs and provide multiple enhancements are now available for Red Hat Enterprise Linux 5.
Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.
Note
The samba3x package has been upgraded to upstream version 3.5.10, which provides a number of bug fixes and enhancements over the previous version. In particular, this upgrade includes improvements to ntlm_auth for dealing with wrong passwords and repeated authentication attempts. As a result ntlm_auth now operates reliably, including with older Domain Controllers. (BZ#719369, BZ#593825, BZ#713466)
Bug Fixes
- BZ#716182
- If plain text passwords were used by setting
encrypt passwords = no
in/etc/samba/smb.conf
, Samba clients running on the Windows XP or Windows Server 2003 operating system may not have been able to access Samba shares after installing Microsoft Security Bulletin MS11-043. This update corrects this bug, allowing such clients to use plain-text passwords to access Samba shares. - BZ#719852
- Samba failed to verify Kerberos authentication of an SMB Session Setup from a Windows Vista or Windows Server 2008 Common Internet File System(CIFS) client when the Kerberos ticket size was greater than 16 KB. Consequently, if the connecting account was a member of more than 500 security groups, and the domain was configured to create tickets greater than 12Kb, authentication failed. The following error message was logged:
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
An upstream patch has been applied and Samba can now use Kerberos authentication for Windows Vista or Windows Server 2008 CIFS clients in the scenario described. - BZ#725875
- Previously, in certain environments with many users, the pam_winbind module stopped operating. As a result, failures occurred when users attempted to log in. With this update, the bug has been fixed so that pam_winbind now works as expected in the scenario described.
- BZ#735165
- The group ID (GID) of
ServerName\None
was incremented every time the Identity Mapping (IDMAP) cache expired. Given enough time the GID would eventually reach the top of the range specified by theidmap gid
directive in thesmb.conf
file. Consequently, new allocation of GIDs would not be possible and a group would no longer resolve properly. This update includes an upstream fix and the cache expiry no longer causes GIDs to increment. - BZ#736375
- The Name Service Switch daemon
winbind
produces excessive debug output messages when attempting to register an already-registered IDMAP module. Previously, the messages were set to debug level0
. Consequently, the messages could not be filtered by lowering thelog level
parameter insmb.conf
. With this update, a patch has been applied to increase the debug level of the messages to5
. As a result, the debug messages can now be filtered by setting thesmb.conf
log level
parameter. - BZ#743467
- If Linux clients used the CIFS client in the kernel to mount a Samba share, the
force create mode
parameter was not honored properly. As a result, files created on a mounted Samba share did not properly follow theumask
parameter, and files with undesired permissions were created. With this update, the bug has been fixed and files are now created with the correct permissions. - BZ#743895
- Due to a regression in Samba, Windows Internet Explorer 9 running on Windows 7 could not download files to a Samba share. Consequently, some Windows 7 users could not make use of Samba shares. This update includes upstream improvements to Samba to address this bug. As a result, Windows 7 users can now save files on Samba shares using Internet Explorer 9.
- BZ#747153
- Previously, the man pages for certain Samba components did not document that primary group membership is not calculated based on the
gidNumber
LDAP attribute if Windows Services for UNIX (SFU) are enabled, or if the standard RFC 2307 LDAP attributes in the Active Directory (AD) are used. Instead, Winbind uses theprimaryGroupID
LDAP attribute. With this update, the man pages have been updated accordingly to reflect the aforementioned limitation. - BZ#748515
- Previously, extracting files from a ZIP archive failed on the Distributed File System (DFS) shares if the following
symlinks = yes
parameter was not set. This bug has been fixed in this update so that extracting files from a ZIP archive now works as expected. - BZ#753828
- If winbind was joined to the domain with
idmap_ad
specified as the backend, enumerating users was enabled, and most of the users had UIDs, then when callinggetent passwd
for a user who had no UID, the enumeration stopped and the following error was displayed:NT_STATUS_NONE_MAPPED
This update implements an upstream patch to correct the problem. As a result, if a user cannot be mapped, winbind no longer stops but continues enumerating users in the scenario described. - BZ#754154
- Previously, the winbindd-locator tool could not correctly find a Domain Controller (DC) using Samba and DNS SRV records when outside the networks that are known to AD and are mapped to AD sites. Consequently, when a host was a member of a Windows Server 2008 R2 domain, and the host was in a network that was not mapped to any known site of the AD, the host could not locate a DC and an error message in the following format was logged:
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM
With this update a patch has been applied and winbindd-locator can now locate a DC in the scenario described. - BZ#755346
- The smbclient tool sometimes failed to return the expected exit status code; it returned
0
instead of1
. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status. - BZ#766497
- Previously, the Winbind IDMAP interface cache did not expire as specified in the
smb.conf
file. Consequently, the positive and negative entries in the cache would not expire until the opposite type of query was made. This update contains a backported fix for the problem. As a result, theidmap cache time
andidmap negative cache time
directives now work as expected. - BZ#771375
- Previously, the net(8) man page did not document the
-k
option for using Kerberos authentication. Consequently, users were not aware how to use Kerberos authentication with the net utility. This update adds the missing documentation to the man page.
Users of samba3x should upgrade to these updated packages, which fix these bugs and add these enhancements.