07 April 2020 Samba 4.12.1 Available for Download This is the first stable release of the Samba 4.12 release series.
4.12.2 with fixed 2 CVEs: o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
(In reply to VVD from comment #0) Thanks for the reminder. I'm working on it, but as usual - it's time and money issue...
Hi, Timur! Would've been nice to be able to build against the base Heimdal too...
A lot of CVEs in all samba versions: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247725 https://www.samba.org/samba/history/samba-4.12.4.html https://www.samba.org/samba/history/samba-4.12.5.html
What is the full set of port origins affected? Currently there are only net/samba410 and net/samba411 in the tree
A commit references this bug: Author: timur Date: Sun Jul 5 00:27:30 UTC 2020 New revision: 541243 URL: https://svnweb.freebsd.org/changeset/ports/541243 Log: Update Samba ports to close recent CVEs. PR: 245475 Security: CVE-2020-10730 CVE-2020-10745 CVE-2020-10760 CVE-2020-14303 Changes: head/net/samba410/Makefile head/net/samba410/distinfo head/net/samba410/files/patch-lib_util_util__paths.c head/net/samba410/files/patch-lib_util_wscript__build head/net/samba410/files/patch-source3_modules_vfs__zfsacl.c head/net/samba410/pkg-plist head/net/samba411/Makefile head/net/samba411/distinfo head/net/samba411/files/patch-lib_util_util__paths.c head/net/samba411/files/patch-lib_util_wscript__build head/net/samba411/files/patch-source3_modules_vfs__zfsacl.c head/net/samba411/pkg-plist
(In reply to commit-hook from comment #6) But what about 4.12.5?
(In reply to commit-hook from comment #6) smbclient without options coredumped: Reading symbols from /usr/local/bin/smbclient... (No debugging symbols found in /usr/local/bin/smbclient) (gdb) run Starting program: /usr/local/bin/smbclient Program received signal SIGSEGV, Segmentation fault. 0x000000080282a584 in ?? () from /lib/libc.so.7 (gdb) bt #0 0x000000080282a584 in ?? () from /lib/libc.so.7 #1 0x0000000802831be5 in vasprintf_l () from /lib/libc.so.7 #2 0x000000080209b4b4 in POPT_fprintf () from /usr/local/lib/libpopt.so.0 #3 0x00000008020996bd in ?? () from /usr/local/lib/libpopt.so.0 #4 0x0000000802099c4e in poptPrintUsage () from /usr/local/lib/libpopt.so.0 #5 0x0000000001035de1 in main () 12.1 amd64, samba 4.11.11, popt-1.18 just rebuilded.
(In reply to VVD from comment #8) With samba 4.11.8 smbclient without options coredumps too.
Build samba with: make -DWITH_DEBUG Reading symbols from smbclient... (gdb) run Starting program: /usr/local/bin/smbclient Program received signal SIGSEGV, Segmentation fault. 0x0000000802fb8584 in ?? () from /lib/libc.so.7 (gdb) bt -full #0 0x0000000802fb8584 in ?? () from /lib/libc.so.7 No symbol table info available. #1 0x0000000802fbfbe5 in vasprintf_l () from /lib/libc.so.7 No symbol table info available. #2 0x00000008028294b4 in POPT_fprintf () from /usr/local/lib/libpopt.so.0 No symbol table info available. #3 0x00000008028276bd in ?? () from /usr/local/lib/libpopt.so.0 No symbol table info available. #4 0x0000000802827c4e in poptPrintUsage () from /usr/local/lib/libpopt.so.0 No symbol table info available. #5 0x0000000001035985 in main (argc=1, argv=0x7fffffffea50) at ../../source3/client/client.c:6664 new_name_resolve_order = 0x0 const_argv = 0x7fffffffea50 base_directory = 0x0 opt = -1 query_host = 0x0 message = false pc = 0x803de8000 p = 0x0 rc = 0 tar_opt = false service_opt = false tar_ctx = 0x1052b18 <tar_ctx> long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x80282a030 <poptHelpOptions>, val = 0, descrip = 0x102e551 "Help options:", argDescrip = 0x0}, {longName = 0x1029ab5 "name-resolve", shortName = 82 'R', argInfo = 1, arg = 0x1055058 <main.new_name_resolve_order>, val = 82, descrip = 0x1029ac2 "Use these name resolution services only", argDescrip = 0x102fb14 "NAME-RESOLVE-ORDER"}, { longName = 0x102ad45 "message", shortName = 77 'M', argInfo = 1, arg = 0x0, val = 77, descrip = 0x102f53a "Send message", argDescrip = 0x102b366 "HOST"}, {longName = 0x102f843 "ip-address", shortName = 73 'I', argInfo = 1, arg = 0x0, val = 73, descrip = 0x102a469 "Use this IP to connect to", argDescrip = 0x102a792 "IP"}, {longName = 0x102c85d "stderr", shortName = 69 'E', argInfo = 0, arg = 0x0, val = 69, descrip = 0x102bfdb "Write messages to stderr instead of stdout", argDescrip = 0x0}, { longName = 0x102a202 "list", shortName = 76 'L', argInfo = 1, arg = 0x0, val = 76, descrip = 0x102d94b "Get a list of shares available on a host", argDescrip = 0x102b366 "HOST"}, { longName = 0x102c864 "max-protocol", shortName = 109 'm', argInfo = 1, arg = 0x0, val = 109, descrip = 0x1029aea "Set the max protocol level", argDescrip = 0x102c2f4 "LEVEL"}, {longName = 0x102c006 "tar", shortName = 84 'T', argInfo = 1, arg = 0x0, val = 84, descrip = 0x102b6d7 "Command line tar", argDescrip = 0x102a483 "<c|x>IXFqgbNan"}, {longName = 0x102cf1e "directory", shortName = 68 'D', argInfo = 1, arg = 0x0, val = 68, descrip = 0x102e975 "Start from directory", argDescrip = 0x1029e84 "DIR"}, { longName = 0x102f547 "command", shortName = 99 'c', argInfo = 1, arg = 0x1055060 <cmdstr>, val = 99, descrip = 0x1029e88 "Execute semicolon separated commands", argDescrip = 0x0}, { longName = 0x102c00a "send-buffer", shortName = 98 'b', argInfo = 2, arg = 0x1055054 <io_bufsize>, val = 98, descrip = 0x102c871 "Changes the transmit/send buffer", argDescrip = 0x102d5b9 "BYTES"}, { longName = 0x102b6e8 "timeout", shortName = 116 't', argInfo = 2, arg = 0x1052024 <io_timeout>, val = 98, descrip = 0x102b0c3 "Changes the per-operation timeout", argDescrip = 0x102e206 "SECONDS"}, { longName = 0x102a795 "port", shortName = 112 'p', argInfo = 2, arg = 0x1055068 <port>, val = 112, descrip = 0x102f54f "Port to connect to", argDescrip = 0x102df0c "PORT"}, {longName = 0x102ebe6 "grepable", --Type <RET> for more, q to quit, c to continue without paging-- shortName = 103 'g', argInfo = 0, arg = 0x0, val = 103, descrip = 0x102b36b "Produce grepable output", argDescrip = 0x0}, {longName = 0x102cf28 "quiet", shortName = 113 'q', argInfo = 0, arg = 0x0, val = 113, descrip = 0x102cf2e "Suppress help message", argDescrip = 0x0}, {longName = 0x102fb27 "browse", shortName = 66 'B', argInfo = 0, arg = 0x0, val = 66, descrip = 0x102a79a "Browse SMB servers using DNS", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x801a37140 <popt_common_samba>, val = 0, descrip = 0x102f562 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x801a37020 <popt_common_connection>, val = 0, descrip = 0x1029ead "Connection options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x80109c020 <popt_common_credentials>, val = 0, descrip = 0x102f328 "Authentication options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}} frame = 0x803d71320 source3/client/client.c:6664 (call of function poptPrintUsage): if (!tar_to_process(tar_ctx) && !query_host && !service && !message) { poptPrintUsage(pc, stderr, 0); exit(1); }
Build popt with debug: Reading symbols from smbclient... (gdb) run Starting program: /usr/local/bin/smbclient Program received signal SIGSEGV, Segmentation fault. 0x0000000802fbc584 in ?? () from /lib/libc.so.7 (gdb) bt -full #0 0x0000000802fbc584 in ?? () from /lib/libc.so.7 No symbol table info available. #1 0x0000000802fc3be5 in vasprintf_l () from /lib/libc.so.7 No symbol table info available. #2 0x000000080282d50f in POPT_fprintf (stream=0x80302fa20, format=0x444a008 <error: Cannot access memory at address 0x444a008>) at poptint.c:146 b = 0x0 ob = 0x0 rc = 8 ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffe420, reg_save_area = 0x7fffffffe310}} #3 0x000000080282a014 in showHelpIntro (con=0x803dec000, fp=0x80302fa20) at popthelp.c:616 len = 6 #4 0x000000080282a82f in poptPrintUsage (con=0x803dec000, fp=0x80302fa20, flags=0) at popthelp.c:863 columns = 0x803da6090 done_buf = {nopts = 1, maxopts = 64, opts = 0x803de2200} done = 0x7fffffffe4b8 #5 0x0000000001035985 in main (argc=1, argv=0x7fffffffea50) at ../../source3/client/client.c:6664 new_name_resolve_order = 0x0 const_argv = 0x7fffffffea50 base_directory = 0x0 opt = -1 query_host = 0x0 message = false pc = 0x803dec000 p = 0x0 rc = 0 tar_opt = false service_opt = false tar_ctx = 0x1052b18 <tar_ctx> long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x80282e040 <poptHelpOptions>, val = 0, descrip = 0x102e551 "Help options:", argDescrip = 0x0}, {longName = 0x1029ab5 "name-resolve", shortName = 82 'R', argInfo = 1, arg = 0x1055058 <main.new_name_resolve_order>, val = 82, descrip = 0x1029ac2 "Use these name resolution services only", argDescrip = 0x102fb14 "NAME-RESOLVE-ORDER"}, { longName = 0x102ad45 "message", shortName = 77 'M', argInfo = 1, arg = 0x0, val = 77, descrip = 0x102f53a "Send message", argDescrip = 0x102b366 "HOST"}, {longName = 0x102f843 "ip-address", shortName = 73 'I', argInfo = 1, arg = 0x0, val = 73, descrip = 0x102a469 "Use this IP to connect to", argDescrip = 0x102a792 "IP"}, {longName = 0x102c85d "stderr", shortName = 69 'E', argInfo = 0, arg = 0x0, val = 69, descrip = 0x102bfdb "Write messages to stderr instead of stdout", argDescrip = 0x0}, { longName = 0x102a202 "list", shortName = 76 'L', argInfo = 1, arg = 0x0, val = 76, descrip = 0x102d94b "Get a list of shares available on a host", argDescrip = 0x102b366 "HOST"}, { longName = 0x102c864 "max-protocol", shortName = 109 'm', argInfo = 1, arg = 0x0, val = 109, descrip = 0x1029aea "Set the max protocol level", argDescrip = 0x102c2f4 "LEVEL"}, {longName = 0x102c006 "tar", shortName = 84 'T', argInfo = 1, arg = 0x0, val = 84, descrip = 0x102b6d7 "Command line tar", argDescrip = 0x102a483 "<c|x>IXFqgbNan"}, {longName = 0x102cf1e "directory", shortName = 68 'D', argInfo = 1, arg = 0x0, val = 68, descrip = 0x102e975 "Start from directory", argDescrip = 0x1029e84 "DIR"}, { longName = 0x102f547 "command", shortName = 99 'c', argInfo = 1, arg = 0x1055060 <cmdstr>, val = 99, descrip = 0x1029e88 "Execute semicolon separated commands", argDescrip = 0x0}, { longName = 0x102c00a "send-buffer", shortName = 98 'b', argInfo = 2, arg = 0x1055054 <io_bufsize>, val = 98, descrip = 0x102c871 "Changes the transmit/send buffer", argDescrip = 0x102d5b9 "BYTES"}, { longName = 0x102b6e8 "timeout", shortName = 116 't', argInfo = 2, arg = 0x1052024 <io_timeout>, val = 98, descrip = 0x102b0c3 "Changes the per-operation timeout", argDescrip = 0x102e206 "SECONDS"}, { longName = 0x102a795 "port", shortName = 112 'p', argInfo = 2, arg = 0x1055068 <port>, val = 112, descrip = 0x102f54f "Port to connect to", argDescrip = 0x102df0c "PORT"}, {longName = 0x102ebe6 "grepable", shortName = 103 'g', argInfo = 0, arg = 0x0, val = 103, descrip = 0x102b36b "Produce grepable output", argDescrip = 0x0}, {longName = 0x102cf28 "quiet", shortName = 113 'q', argInfo = 0, arg = 0x0, val = 113, descrip = 0x102cf2e "Suppress help message", argDescrip = 0x0}, {longName = 0x102fb27 "browse", shortName = 66 'B', argInfo = 0, arg = 0x0, val = 66, descrip = 0x102a79a "Browse SMB servers using DNS", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x801a37140 <popt_common_samba>, val = 0, descrip = 0x102f562 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x801a37020 <popt_common_connection>, val = 0, descrip = 0x1029ead "Connection options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x80109c020 <popt_common_credentials>, val = 0, descrip = 0x102f328 "Authentication options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0}} frame = 0x803d75320 ============================================================================== devel/popt was just updated: https://svnweb.freebsd.org/ports?view=revision&revision=540843 ============================================================================== popt 1.18 poptint.c:146 (call vasprintf): int POPT_fprintf (FILE * stream, const char * format, ...) { char * b = NULL, * ob = NULL; int rc; va_list ap; #if defined(HAVE_VASPRINTF) va_start(ap, format); if ((rc = vasprintf(&b, format, ap)) < 0) b = NULL; va_end(ap); #else ============================================================================== Same place at popt 1.16: int POPT_fprintf (FILE * stream, const char * format, ...) { char * b = NULL, * ob = NULL; int rc; va_list ap; #if defined(HAVE_VASPRINTF) && !defined(__LCLINT__) va_start(ap, format); if ((rc = vasprintf(&b, format, ap)) < 0) b = NULL; va_end(ap); #else ============================================================================== In both versions ifdef is true, but smbclient work fine with 1.16 only. So, bug is in devel/popt 1.18.
> devel/popt: Update to 1.18 and add test target > This broke runtime of a couple of ports. https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247529#c2
https://svnweb.freebsd.org/changeset/ports/541348 is in head now. I'm holding https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247529 open until it is MFH'd into 2020Q3.