Security: Samba CVEs were missed by Vomit, and an uprev is needed
Issue description
Vomit missed several CVEs for samba (this is being tracked by b/113281976). Consequently I filed this bug to track up-rev-ing the Samba package from 4.8.0 to 4.8.4 or later. These CVEs apply to 4.8.0 and are fixed in 4.8.4:
https://nvd.nist.gov/vuln/detail/CVE-2018-10919
https://nvd.nist.gov/vuln/detail/CVE-2018-10918
https://nvd.nist.gov/vuln/detail/CVE-2018-10858 <- Arbitrary code execution.
https://nvd.nist.gov/vuln/detail/CVE-2018-1140
https://nvd.nist.gov/vuln/detail/CVE-2018-1139
,
Aug 28
It's not really practical for us to do an uprev a few days before the branch point.
I already have the patches for backporting these 2 from jra@ (Samba maintainer), but I was out on vacation. The backport patches will be sent for review today.
CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
is disabled via "ntlm auth"
CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
returns from malicious servers.
,
Aug 28
So we are gonna merge patches to 69 and 68?
,
Aug 28
I think merging the patches back to 69 and 68 is a good idea (especially for CVE-2018-10858).
,
Aug 28
NOTE also that CVE-2018-1139 probably doesn't affect us since we already enforce SMB2; however, we are going to patch it anyway since it's not a big patch.

These 3 only affect servers/domain controllers (+jra@ to confirm), so they do not apply to our implementation. We are only running client portions of the Samba code.
CVE-2018-10918
CVE-2018-10919
CVE-2018-1140

We don't even build the domain controller code. See the USE flag mask below (-addc), which means we build with --without-ad-dc:
https://cs.corp.google.com/chromeos_public/src/third_party/chromiumos-overlay/profiles/targets/chromeos/package.use?sq=package:chromeos_public&dr&g=0&l=61

We don't run any of the ldap server code, so those 3 shouldn't apply to us. Additionally I have this CL (not sure why this didn't land before) that just excludes all the ldap binaries, so the LDAP server code wouldn't even be on the device:
https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/431568
,
Aug 28
,
Aug 28
rsorokin@ ljusten@ - Can you confirm that Chromad never calls any ldap binaries? I don't remember if that is why I didn't end up landing the CL above. If you do, which ones? I can probably make the mask a little less aggressive to explicitly filter the server-only binaries.
,
Aug 28
We only call kinit, klist, kpasswd, net, smbclient
,
Aug 28
,
Aug 29
I created a CL specifically for 10918 - https://chromium-review.googlesource.com/c/chromiumos/overlays/chromiumos-overlay/+/1194660 - since that's probably the only one we want to merge. The patch I have for 1139 doesn't apply cleanly, so I need to spend a little time on that. However, it shouldn't apply to us since we already require SMB2+.
,
Aug 29
Also note the typo in #10 - I said 10918 but I meant 10858.

Also, just in case it matters in terms of when/where to patch for *10858*: the samba code is behind a flag before 70 for the SMB shares feature, and it also requires active user activity to mount a share. This code path could also be reached on Chromad devices for the last several versions; however, the system controls the paths, in the sense that there is no way to control which URLs are reached directly. On Chromad I'm pretty sure that this code path would only be hit by downloading Active Directory GPOs (i.e. policy) at a fixed path on the domain controller. However, this does happen automatically, so an evil domain controller could exploit this. There are currently fairly few users of Chromad.
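The applicability reasoning in the two comments above (client-only build, SMB2+ enforced, 10858 reachable from any server the client talks to) can be written down as a small triage check. The following is an added example, not code from the bug thread, from Samba or from Chrome OS; the smb.conf text is constructed for the example, the option names (`client min protocol`, `ntlm auth`) are real Samba options, and the "fixed in 4.8.4" boundary is taken from the bug description.

```python
"""Triage helper: which of the five CVEs from the thread apply to a given
Samba client build?  Added example; not part of the original bug thread."""
import configparser
import re

# Versions older than this carry the unfixed code (4.8.0 affected, 4.8.4 fixed).
FIXED_VERSION = (4, 8, 4)

# Protocol names accepted by "client min protocol", oldest to newest.
# Anything at or above SMB2_02 keeps SMB1 (NT1 and older) off the wire.
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24", "SMB2",
                  "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11", "SMB3"]

# Constructed sample config (assumption for the example, not a real device config).
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    client min protocol = SMB2
    ; ntlm auth left at its default (ntlmv2-only), so NTLMv1 is off
"""


def parse_version(text):
    """Extract (major, minor, patch) from strings such as 'Version 4.8.0'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(text, fixed=FIXED_VERSION):
    """True when the build predates the release that carries the fixes."""
    return parse_version(text) < fixed


def load_global(conf_text):
    """Return the [global] section of an smb.conf as a dict (keys lowercased).
    smb.conf is INI-style, so configparser handles it; ';' and '#' are comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("global"):
        return {}
    return {k.strip().lower(): v.strip() for k, v in cp.items("global")}


def smb1_disabled(glob):
    """True when 'client min protocol' is SMB2 or newer.
    Samba 4.8 defaulted to CORE, i.e. SMB1 allowed unless configured otherwise."""
    proto = glob.get("client min protocol", "CORE").upper()
    if proto not in PROTOCOL_ORDER:
        raise ValueError("unknown protocol name %r" % proto)
    return PROTOCOL_ORDER.index(proto) >= PROTOCOL_ORDER.index("SMB2_02")


def ntlmv1_disabled(glob):
    """True unless 'ntlm auth' explicitly re-enables NTLMv1 (yes/true/1/on)."""
    return glob.get("ntlm auth", "ntlmv2-only").lower() not in ("yes", "true", "1", "on")


def triage(version_text, conf_text, ad_dc_built=False):
    """Map each CVE from the thread to whether this build is exposed.

    ad_dc_built=False models the Chrome OS build (--without-ad-dc), where the
    three server/domain-controller CVEs cannot apply.
    """
    affected = version_affected(version_text)
    glob = load_global(conf_text)
    return {
        # Client side (smbc_readdir_internal): exposed to any malicious server
        # the client enumerates, regardless of configuration.
        "CVE-2018-10858": affected,
        # NTLMv1 over SMB1: needs vulnerable code AND SMB1 AND NTLMv1 allowed.
        "CVE-2018-1139": affected and not smb1_disabled(glob) and not ntlmv1_disabled(glob),
        # Server / AD DC only.
        "CVE-2018-10918": affected and ad_dc_built,
        "CVE-2018-10919": affected and ad_dc_built,
        "CVE-2018-1140": affected and ad_dc_built,
    }


if __name__ == "__main__":
    for cve, exposed in sorted(triage("Version 4.8.0", SAMPLE_SMB_CONF).items()):
        print("%-15s %s" % (cve, "EXPOSED" if exposed else "not applicable"))
```

With the sample config and version 4.8.0, only CVE-2018-10858 comes back exposed, which is the conclusion the thread reached; flipping `client min protocol` to NT1 and setting `ntlm auth = yes` also exposes CVE-2018-1139.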
,
Aug 30
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/07d4f3fb73cfab00379609c781f866ecc358b5e9

commit 07d4f3fb73cfab00379609c781f866ecc358b5e9
Author: Zentaro Kavanagh <zentaro@chromium.org>
Date: Thu Aug 30 21:41:55 2018

net-fs/samba: Add patch to harden smbc_readdir_internal

- Patch from upstream Samba

BUG=chromium:878130
TEST=emerges

Change-Id: Ie0c21a128c9d436895ebe72a106e7afb90629799
Reviewed-on: https://chromium-review.googlesource.com/1194660
Commit-Ready: Zentaro Kavanagh <zentaro@chromium.org>
Tested-by: Zentaro Kavanagh <zentaro@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>

[modify] https://crrev.com/07d4f3fb73cfab00379609c781f866ecc358b5e9/net-fs/samba/samba-4.8.0.ebuild
[rename] https://crrev.com/07d4f3fb73cfab00379609c781f866ecc358b5e9/net-fs/samba/samba-4.8.0-r9.ebuild
[add] https://crrev.com/07d4f3fb73cfab00379609c781f866ecc358b5e9/net-fs/samba/files/samba-4.8.0-CVE-2018-10858.patch
,
Sep 5
,
Sep 8
,
Sep 8
This bug requires manual review: Request affecting a post-stable build Please contact the milestone owner if you have questions. Owners: amineer@(Android), kariahda@(iOS), cindyb@(ChromeOS), govind@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 11
Merge approved, M69.
,
Sep 14
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 14
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/8587f2df1ffbbe39d50a5d42b8778e01a064e515

commit 8587f2df1ffbbe39d50a5d42b8778e01a064e515
Author: Zentaro Kavanagh <zentaro@chromium.org>
Date: Fri Sep 14 22:35:51 2018

net-fs/samba: Add patch to harden smbc_readdir_internal

- Patch from upstream Samba

BUG=chromium:878130
TEST=emerges

Change-Id: Ie0c21a128c9d436895ebe72a106e7afb90629799
Reviewed-on: https://chromium-review.googlesource.com/1194660
Commit-Ready: Zentaro Kavanagh <zentaro@chromium.org>
Tested-by: Zentaro Kavanagh <zentaro@chromium.org>
Reviewed-by: Allen Webb <allenwebb@google.com>
Reviewed-by: Mike Frysinger <vapier@chromium.org>
(cherry picked from commit 07d4f3fb73cfab00379609c781f866ecc358b5e9)
Reviewed-on: https://chromium-review.googlesource.com/1227434
Reviewed-by: Zentaro Kavanagh <zentaro@chromium.org>
Commit-Queue: Zentaro Kavanagh <zentaro@chromium.org>

[modify] https://crrev.com/8587f2df1ffbbe39d50a5d42b8778e01a064e515/net-fs/samba/samba-4.8.0.ebuild
[add] https://crrev.com/8587f2df1ffbbe39d50a5d42b8778e01a064e515/net-fs/samba/samba-4.8.0-r9.ebuild
[add] https://crrev.com/8587f2df1ffbbe39d50a5d42b8778e01a064e515/net-fs/samba/files/samba-4.8.0-CVE-2018-10858.patch
,
Sep 17
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Sep 17
,
Oct 4
I filed crbug.com/892289 for the uprev; the immediate issues have already been fixed.
,
Oct 5
,
Oct 17
,
Dec 5
,
Jan 11
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot