[Bug 215475] net/samba44 has applicable CVE's. Successfully built a samba-4.4.8
bugzilla-noreply at freebsd.org
Wed Dec 21 19:50:32 UTC 2016
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215475
Bug ID: 215475
Summary: net/samba44 has applicable CVE's. Successfully built a
samba-4.4.8
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Many People
Priority: ---
Component: Individual Port(s)
Assignee: timur at FreeBSD.org
Reporter: dewayne at heuristicsystems.com.au
Flags: maintainer-feedback?(timur at FreeBSD.org)
Timur,
Unfortunately Samba has a few CVEs that are applicable.
Would you please review.
1. CVE 2123 - Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow
Remote Code Execution Vulnerability. "Any user
who can write to the dnsRecord attribute over LDAP can trigger this
memory corruption." seems applicable. Perhaps another reason to NOT use the
internal dns ;). Applicable to all Samba4*
2. CVE 2125 - Unconditional privilege delegation to Kerberos servers in trusted
realms, does apply to net/samba44
https://www.samba.org/samba/security/CVE-2016-2126.html. Applicable to
Samba36 and all Samba4*
3. CVE 2126 As the port contains samba-4.4.5_1 then the second part of
https://www.samba.org/samba/security/CVE-2016-2126.html doesn't apply. However
the first part may? Applicable to all Samba4*
I've managed to build Samba 4.4.5_1 and Samba 4.4.8 on a FreeBSD 11.0 Stable
amd64 and i386 platform. Unfortunately I needed to:
- add USE_GCC= 5 to the samba44/Makefile,
- tweak (removed a few files from) pkg-plist and
- removed a patch file (patch-source4__dns_server__dns_crypto.c). I spent 30
mins reviewing the updated code, it looks like the FreeBSD patch has been
incorporated, but I'm not sure about buffer_len in gensec_sign_packet.
Unfortunately (perhaps) we don't use the internal DNS, so I'm unable to test.
Unfortunately this was done over a few days and I suspect that a patch-kit may
be misleading.
For others, Timur is occasionally on the samba tech list, and often defers
updating the ports because something is doubtful (hackish) or a work-around
patch is needed (& requires testing). So as frustrating as this may be, I've
found that Timur always acts in the interests of the FreeBSD-SAMBA community.
(So to patch/update 4.4.8 or wait for 4.4.9 on Jan 4/5?) :)
PS I used lang/gcc5 (gcc 5.4.0) in preference to lang/gcc (which is 4.9)
because there is a base/gcc that uses gcc 5.4 - so I've assumed that this is
the future direction for the base system(s)?