Bug 219514

Summary: net/samba{35+}: Security vulnerability: CVE-2017-7494 (RCE)
Product: Ports & Packages
Reporter: Kubilay Kocak <koobs>
Component: Individual Port(s)
Assignee: Timur I. Bakeyev <timur>
Status: Closed Overcome By Events
Severity: Affects Many People
CC: brnrd, emaste, koobs, ports-secteam, timur
Priority: Normal
Keywords: security
Version: Latest
Flags: koobs: maintainer-feedback? (timur)
       koobs: merge-quarterly?
Hardware: Any
OS: Any
URL: https://www.samba.org/samba/security/CVE-2017-7494.html
Attachments:
  svn diff for net/samba46 (flags: none)
  svn diff for net/samba4[23] (flags: brnrd: maintainer-approval?)

Description Kubilay Kocak freebsd_committer freebsd_triage 2017-05-25 00:57:56 UTC
All versions of Samba from 3.5.0 onwards are vulnerable to a remote
code execution vulnerability, allowing a malicious client to upload a
shared library to a writable share, and then cause the server to load
and execute it.

Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/
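The affected and fixed versions quoted above can be turned into a mechanical check. The script below is an added example, not code from this bug or from the Samba project: it classifies a pkg(8) version string against the fixed releases named above (4.6.4, 4.5.10, 4.4.14), treats every branch without a listed fix (3.x, 4.2, 4.3) as unpatched, and strips the PORTREVISION/PORTEPOCH suffixes pkg(8) appends. The `check_installed_samba` wrapper and the `samba4*` package glob are assumptions about how the packages are named on the host.

```shell
#!/bin/sh
# Added example, not code from this bug or from the Samba project.
# Classifies a Samba package version against the fixed releases the
# advisory names (4.6.4, 4.5.10, 4.4.14). Everything from 3.5.0 on is
# affected, and the 4.2/4.3 ports were deprecated rather than patched, so
# any branch without a listed fix is treated as unpatched.

# First fixed release of the branch $1 belongs to, or "none".
# Assumption: only the branches fixed in ports r441602 are listed; extend
# the case when newer branches ship.
samba_fixed_for_branch() {
    case "$1" in
        4.6.*) echo 4.6.4 ;;
        4.5.*) echo 4.5.10 ;;
        4.4.*) echo 4.4.14 ;;
        *)     echo none ;;
    esac
}

# version_lt A B: exit 0 if dotted-numeric version A is strictly lower than B.
# Missing components count as 0, so "4.6" < "4.6.4".
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=""; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=""; else b=${b#*.}; fi
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1
}

# samba_vulnerable PKGVERSION: exit 0 if the version is affected by
# CVE-2017-7494. Accepts pkg(8) version strings such as "4.6.3_1,1":
# PORTEPOCH (",1") and PORTREVISION ("_1") are stripped first.
samba_vulnerable() {
    v=$1
    v=${v%%,*}
    v=${v%%_*}
    if version_lt "$v" 3.5.0; then
        return 1            # predates the vulnerable code
    fi
    fixed=$(samba_fixed_for_branch "$v")
    if [ "$fixed" = none ]; then
        return 0            # no fixed release on this branch
    fi
    version_lt "$v" "$fixed"
}

# Report every installed samba4* package. Assumes pkg(8) is available
# (FreeBSD host); this is the call you would make on the host and is
# not run by the demo below.
check_installed_samba() {
    pkg query -g '%n %v' 'samba4*' | while read -r name ver; do
        if samba_vulnerable "$ver"; then
            echo "$name-$ver: affected by CVE-2017-7494"
        else
            echo "$name-$ver: not affected"
        fi
    done
}

# Constructed sample versions for an offline run.
for ver in 3.4.9 3.6.25 4.3.13_2 4.4.13 4.4.14 4.5.9,1 4.6.3_1 4.6.4; do
    if samba_vulnerable "$ver"; then
        echo "samba $ver: affected"
    else
        echo "samba $ver: not affected"
    fi
done
```

On a FreeBSD host the authoritative check is `pkg audit`, which matches the VuXML entry 6f4d96c0-4062-11e7-b291-b499baebfeaf created for this issue; the function above is for cases where the vulnerability database is stale or the version string comes from somewhere other than the local pkg database (an inventory export, a jail's package list).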
Comment 1 Bernard Spil freebsd_committer freebsd_triage 2017-05-25 10:06:27 UTC
Created attachment 182878 [details]
svn diff for net/samba46

Created the vuxml entry yesterday.
fwiw... Simply updating to 4.6.4 in ports worked for me.
https://brnrd.eu/poudriere/data/110libre-default/2017-05-24_11h36m05s/logs/samba46-4.6.4.log

net/samba46: Security update to 4.6.4

 - Upstream security update

PR: 219514
MFH: 2017Q2
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
Security: CVE-2017-7494
Comment 2 Timur I. Bakeyev freebsd_committer freebsd_triage 2017-05-25 11:14:43 UTC
(In reply to Bernard Spil from comment #1)

Hi, Bernard!

I'm not certain what I should do regarding this ticket...

Author: timur
Date: Wed May 24 14:53:46 2017
New Revision: 441602
URL: https://svnweb.freebsd.org/changeset/ports/441602

Log:
  Urgent upgrade of the Samba 4.[4-6] ports to address RCE in the Samba code (CVE-2017-7494). All versions starting from 3.5+ are affected.

  Security:     CVE-2017-7494
Comment 3 Bernard Spil freebsd_committer freebsd_triage 2017-05-25 11:44:36 UTC
(In reply to Timur I. Bakeyev from comment #2)

Hi Timur, as you've updated the 4.4, 4.5 and 4.6 ports we need to figure out what to do with the older ports. These should be marked deprecated.
Comment 4 Bernard Spil freebsd_committer freebsd_triage 2017-05-25 11:59:47 UTC
Created attachment 182879 [details]
svn diff for net/samba4[23]

net/samba43: Mark 4.2, 4.3 deprecated

 - Mark net/samba42, 43 deprecated
 - Update conflicts (assume all future conflict)

PR: 219514
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
Comment 5 Bernard Spil freebsd_committer freebsd_triage 2017-05-25 12:00:40 UTC
Shoot! Missed MFH: 2017Q2

net/samba43: Mark 4.2, 4.3 deprecated

 - Mark net/samba42, 43 deprecated
 - Update conflicts (assume all future conflict)

PR: 219514
MFH: 2017Q2
Security: 6f4d96c0-4062-11e7-b291-b499baebfeaf
Comment 6 Timur I. Bakeyev freebsd_committer freebsd_triage 2017-05-25 12:30:52 UTC
(In reply to Bernard Spil from comment #4)

I'm all for the deprecation of the 4.2 and 4.3 ports. So, go for it!
Comment 7 commit-hook freebsd_committer freebsd_triage 2017-05-25 12:37:36 UTC
A commit references this bug:

Author: brnrd
Date: Thu May 25 12:36:49 UTC 2017
New revision: 441680
URL: https://svnweb.freebsd.org/changeset/ports/441680

Log:
  net/samba43: Mark 4.2 and 4.3 deprecated

   - Add deprecation date and message
   - Update/simplify conflicts

  PR:		219514
  Approved by:	timur (maintainer)
  MFH:		2017Q2
  Security:	6f4d96c0-4062-11e7-b291-b499baebfeaf

Changes:
  head/net/samba42/Makefile
  head/net/samba43/Makefile
Comment 8 Kubilay Kocak freebsd_committer freebsd_triage 2017-05-26 03:16:07 UTC
base r441602 requires MFH to 2016Q2
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-05-26 03:16:38 UTC
Uh, ports r441602 rather.
Comment 10 commit-hook freebsd_committer freebsd_triage 2017-05-30 13:19:30 UTC
A commit references this bug:

Author: feld
Date: Tue May 30 13:18:38 UTC 2017
New revision: 442060
URL: https://svnweb.freebsd.org/changeset/ports/442060

Log:
  MFH: r441602

  Urgent upgrade of the Samba 4.[4-6] ports to address RCE in the Samba code (CVE-2017-7494). All versions starting from 3.5+ are affected.

  Security:	CVE-2017-7494

  Approved by:	ports-secteam (with hat)
  PR:	219514

Changes:
_U  branches/2017Q2/
  branches/2017Q2/net/samba44/Makefile
  branches/2017Q2/net/samba44/distinfo
  branches/2017Q2/net/samba45/Makefile
  branches/2017Q2/net/samba45/distinfo
  branches/2017Q2/net/samba46/Makefile
  branches/2017Q2/net/samba46/distinfo
  branches/2017Q2/net/samba46/files/patch-source3__librpc__crypto__gse.c
  branches/2017Q2/net/samba46/pkg-plist
Comment 11 commit-hook freebsd_committer freebsd_triage 2017-05-30 13:20:33 UTC
A commit references this bug:

Author: feld
Date: Tue May 30 13:20:14 UTC 2017
New revision: 442061
URL: https://svnweb.freebsd.org/changeset/ports/442061

Log:
  MFH: r441680

  net/samba43: Mark 4.2 and 4.3 deprecated

   - Add deprecation date and message
   - Update/simplify conflicts

  PR:		219514
  Approved by:	timur (maintainer)
  Security:	6f4d96c0-4062-11e7-b291-b499baebfeaf

  Approved by:	ports-secteam (with hat)

Changes:
_U  branches/2017Q2/
  branches/2017Q2/net/samba42/Makefile
  branches/2017Q2/net/samba43/Makefile