Bug 245475 - net/samba41, net/samba411: Update to latest versions (security releases)
Summary: net/samba41, net/samba411: Update to latest versions (security releases)
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Timur I. Bakeyev
URL: https://bugs.freebsd.org/bugzilla/sho...
Keywords: needs-patch, needs-qa, security
Depends on: 247529
Blocks:
  Show dependency treegraph
 
Reported: 2020-04-09 13:53 UTC by Vladimir Druzenko
Modified: 2020-09-23 03:34 UTC (History)
6 users (show)

See Also:
koobs: maintainer-feedback? (timur)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-09 13:53:13 UTC
07 April 2020
Samba 4.12.1 Available for Download
This is the first stable release of the Samba 4.12 release series.
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2020-04-28 16:26:28 UTC
4.12.2 with fixed 2 CVEs:
o CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
o CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
Comment 2 Timur I. Bakeyev freebsd_committer freebsd_triage 2020-04-29 21:09:54 UTC
(In reply to VVD from comment #0)

Thanks for the reminder. I'm working on it, but as usual - it's time and money issue...
Comment 3 Mikhail Teterin freebsd_committer freebsd_triage 2020-05-05 13:48:28 UTC
Hi, Timur! Would've been nice to be able to build against the base Heimdal too...
Comment 5 Kubilay Kocak freebsd_committer freebsd_triage 2020-07-03 02:23:52 UTC
What is the full set of port origins affected? Currently there are only net/samba410 and net/samba411 in the tree
Comment 6 commit-hook freebsd_committer freebsd_triage 2020-07-05 00:27:36 UTC
A commit references this bug:

Author: timur
Date: Sun Jul  5 00:27:30 UTC 2020
New revision: 541243
URL: https://svnweb.freebsd.org/changeset/ports/541243

Log:
  Update Samba ports to close recent CVEs.

  PR:		245475
  Security:	CVE-2020-10730
  		CVE-2020-10745
  		CVE-2020-10760
  		CVE-2020-14303

Changes:
  head/net/samba410/Makefile
  head/net/samba410/distinfo
  head/net/samba410/files/patch-lib_util_util__paths.c
  head/net/samba410/files/patch-lib_util_wscript__build
  head/net/samba410/files/patch-source3_modules_vfs__zfsacl.c
  head/net/samba410/pkg-plist
  head/net/samba411/Makefile
  head/net/samba411/distinfo
  head/net/samba411/files/patch-lib_util_util__paths.c
  head/net/samba411/files/patch-lib_util_wscript__build
  head/net/samba411/files/patch-source3_modules_vfs__zfsacl.c
  head/net/samba411/pkg-plist
Comment 7 Vladimir Druzenko freebsd_committer freebsd_triage 2020-07-05 00:44:58 UTC
(In reply to commit-hook from comment #6)
But what about 4.12.5?
Comment 8 Vladimir Druzenko freebsd_committer freebsd_triage 2020-07-05 02:13:59 UTC
(In reply to commit-hook from comment #6)
smbclient without options coredumped:

Reading symbols from /usr/local/bin/smbclient...
(No debugging symbols found in /usr/local/bin/smbclient)
(gdb) run
Starting program: /usr/local/bin/smbclient 

Program received signal SIGSEGV, Segmentation fault.
0x000000080282a584 in ?? () from /lib/libc.so.7
(gdb) bt
#0  0x000000080282a584 in ?? () from /lib/libc.so.7
#1  0x0000000802831be5 in vasprintf_l () from /lib/libc.so.7
#2  0x000000080209b4b4 in POPT_fprintf () from /usr/local/lib/libpopt.so.0
#3  0x00000008020996bd in ?? () from /usr/local/lib/libpopt.so.0
#4  0x0000000802099c4e in poptPrintUsage () from /usr/local/lib/libpopt.so.0
#5  0x0000000001035de1 in main ()

12.1 amd64, samba 4.11.11, popt-1.18 just rebuilded.
Comment 9 Vladimir Druzenko freebsd_committer freebsd_triage 2020-07-05 02:15:52 UTC
(In reply to VVD from comment #8)
With samba 4.11.8 smbclient without options coredumps too.
Comment 10 Vladimir Druzenko freebsd_committer freebsd_triage 2020-07-05 02:47:54 UTC
Build samba with: make -DWITH_DEBUG
Reading symbols from smbclient...
(gdb) run
Starting program: /usr/local/bin/smbclient 

Program received signal SIGSEGV, Segmentation fault.
0x0000000802fb8584 in ?? () from /lib/libc.so.7
(gdb) bt -full
#0  0x0000000802fb8584 in ?? () from /lib/libc.so.7
No symbol table info available.
#1  0x0000000802fbfbe5 in vasprintf_l () from /lib/libc.so.7
No symbol table info available.
#2  0x00000008028294b4 in POPT_fprintf () from /usr/local/lib/libpopt.so.0
No symbol table info available.
#3  0x00000008028276bd in ?? () from /usr/local/lib/libpopt.so.0
No symbol table info available.
#4  0x0000000802827c4e in poptPrintUsage () from /usr/local/lib/libpopt.so.0
No symbol table info available.
#5  0x0000000001035985 in main (argc=1, argv=0x7fffffffea50) at ../../source3/client/client.c:6664
        new_name_resolve_order = 0x0
        const_argv = 0x7fffffffea50
        base_directory = 0x0
        opt = -1
        query_host = 0x0
        message = false
        pc = 0x803de8000
        p = 0x0
        rc = 0
        tar_opt = false
        service_opt = false
        tar_ctx = 0x1052b18 <tar_ctx>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x80282a030 <poptHelpOptions>, val = 0, 
            descrip = 0x102e551 "Help options:", argDescrip = 0x0}, {longName = 0x1029ab5 "name-resolve", shortName = 82 'R', 
            argInfo = 1, arg = 0x1055058 <main.new_name_resolve_order>, val = 82, 
            descrip = 0x1029ac2 "Use these name resolution services only", argDescrip = 0x102fb14 "NAME-RESOLVE-ORDER"}, {
            longName = 0x102ad45 "message", shortName = 77 'M', argInfo = 1, arg = 0x0, val = 77, 
            descrip = 0x102f53a "Send message", argDescrip = 0x102b366 "HOST"}, {longName = 0x102f843 "ip-address", 
            shortName = 73 'I', argInfo = 1, arg = 0x0, val = 73, descrip = 0x102a469 "Use this IP to connect to", 
            argDescrip = 0x102a792 "IP"}, {longName = 0x102c85d "stderr", shortName = 69 'E', argInfo = 0, arg = 0x0, 
            val = 69, descrip = 0x102bfdb "Write messages to stderr instead of stdout", argDescrip = 0x0}, {
            longName = 0x102a202 "list", shortName = 76 'L', argInfo = 1, arg = 0x0, val = 76, 
            descrip = 0x102d94b "Get a list of shares available on a host", argDescrip = 0x102b366 "HOST"}, {
            longName = 0x102c864 "max-protocol", shortName = 109 'm', argInfo = 1, arg = 0x0, val = 109, 
            descrip = 0x1029aea "Set the max protocol level", argDescrip = 0x102c2f4 "LEVEL"}, {longName = 0x102c006 "tar", 
            shortName = 84 'T', argInfo = 1, arg = 0x0, val = 84, descrip = 0x102b6d7 "Command line tar", 
            argDescrip = 0x102a483 "<c|x>IXFqgbNan"}, {longName = 0x102cf1e "directory", shortName = 68 'D', argInfo = 1, 
            arg = 0x0, val = 68, descrip = 0x102e975 "Start from directory", argDescrip = 0x1029e84 "DIR"}, {
            longName = 0x102f547 "command", shortName = 99 'c', argInfo = 1, arg = 0x1055060 <cmdstr>, val = 99, 
            descrip = 0x1029e88 "Execute semicolon separated commands", argDescrip = 0x0}, {
            longName = 0x102c00a "send-buffer", shortName = 98 'b', argInfo = 2, arg = 0x1055054 <io_bufsize>, val = 98, 
            descrip = 0x102c871 "Changes the transmit/send buffer", argDescrip = 0x102d5b9 "BYTES"}, {
            longName = 0x102b6e8 "timeout", shortName = 116 't', argInfo = 2, arg = 0x1052024 <io_timeout>, val = 98, 
            descrip = 0x102b0c3 "Changes the per-operation timeout", argDescrip = 0x102e206 "SECONDS"}, {
            longName = 0x102a795 "port", shortName = 112 'p', argInfo = 2, arg = 0x1055068 <port>, val = 112, 
            descrip = 0x102f54f "Port to connect to", argDescrip = 0x102df0c "PORT"}, {longName = 0x102ebe6 "grepable", 
--Type <RET> for more, q to quit, c to continue without paging--
            shortName = 103 'g', argInfo = 0, arg = 0x0, val = 103, descrip = 0x102b36b "Produce grepable output", 
            argDescrip = 0x0}, {longName = 0x102cf28 "quiet", shortName = 113 'q', argInfo = 0, arg = 0x0, val = 113, 
            descrip = 0x102cf2e "Suppress help message", argDescrip = 0x0}, {longName = 0x102fb27 "browse", 
            shortName = 66 'B', argInfo = 0, arg = 0x0, val = 66, descrip = 0x102a79a "Browse SMB servers using DNS", 
            argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x801a37140 <popt_common_samba>, 
            val = 0, descrip = 0x102f562 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', 
            argInfo = 4, arg = 0x801a37020 <popt_common_connection>, val = 0, descrip = 0x1029ead "Connection options:", 
            argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, 
            arg = 0x80109c020 <popt_common_credentials>, val = 0, descrip = 0x102f328 "Authentication options:", 
            argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, 
            argDescrip = 0x0}}
        frame = 0x803d71320


source3/client/client.c:6664 (call of function poptPrintUsage):
        if (!tar_to_process(tar_ctx) && !query_host && !service && !message) {
                poptPrintUsage(pc, stderr, 0);
                exit(1);
        }
Comment 11 Vladimir Druzenko freebsd_committer freebsd_triage 2020-07-05 03:36:06 UTC
Build popt with debug:

Reading symbols from smbclient...
(gdb) run
Starting program: /usr/local/bin/smbclient 

Program received signal SIGSEGV, Segmentation fault.
0x0000000802fbc584 in ?? () from /lib/libc.so.7
(gdb) bt -full
#0  0x0000000802fbc584 in ?? () from /lib/libc.so.7
No symbol table info available.
#1  0x0000000802fc3be5 in vasprintf_l () from /lib/libc.so.7
No symbol table info available.
#2  0x000000080282d50f in POPT_fprintf (stream=0x80302fa20, 
    format=0x444a008 <error: Cannot access memory at address 0x444a008>) at poptint.c:146
        b = 0x0
        ob = 0x0
        rc = 8
        ap = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffe420, reg_save_area = 0x7fffffffe310}}
#3  0x000000080282a014 in showHelpIntro (con=0x803dec000, fp=0x80302fa20) at popthelp.c:616
        len = 6
#4  0x000000080282a82f in poptPrintUsage (con=0x803dec000, fp=0x80302fa20, flags=0) at popthelp.c:863
        columns = 0x803da6090
        done_buf = {nopts = 1, maxopts = 64, opts = 0x803de2200}
        done = 0x7fffffffe4b8
#5  0x0000000001035985 in main (argc=1, argv=0x7fffffffea50) at ../../source3/client/client.c:6664
        new_name_resolve_order = 0x0
        const_argv = 0x7fffffffea50
        base_directory = 0x0
        opt = -1
        query_host = 0x0
        message = false
        pc = 0x803dec000
        p = 0x0
        rc = 0
        tar_opt = false
        service_opt = false
        tar_ctx = 0x1052b18 <tar_ctx>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x80282e040 <poptHelpOptions>, val = 0, 
            descrip = 0x102e551 "Help options:", argDescrip = 0x0}, {longName = 0x1029ab5 "name-resolve", shortName = 82 'R', 
            argInfo = 1, arg = 0x1055058 <main.new_name_resolve_order>, val = 82, 
            descrip = 0x1029ac2 "Use these name resolution services only", argDescrip = 0x102fb14 "NAME-RESOLVE-ORDER"}, {
            longName = 0x102ad45 "message", shortName = 77 'M', argInfo = 1, arg = 0x0, val = 77, 
            descrip = 0x102f53a "Send message", argDescrip = 0x102b366 "HOST"}, {longName = 0x102f843 "ip-address", 
            shortName = 73 'I', argInfo = 1, arg = 0x0, val = 73, descrip = 0x102a469 "Use this IP to connect to", 
            argDescrip = 0x102a792 "IP"}, {longName = 0x102c85d "stderr", shortName = 69 'E', argInfo = 0, arg = 0x0, 
            val = 69, descrip = 0x102bfdb "Write messages to stderr instead of stdout", argDescrip = 0x0}, {
            longName = 0x102a202 "list", shortName = 76 'L', argInfo = 1, arg = 0x0, val = 76, 
            descrip = 0x102d94b "Get a list of shares available on a host", argDescrip = 0x102b366 "HOST"}, {
            longName = 0x102c864 "max-protocol", shortName = 109 'm', argInfo = 1, arg = 0x0, val = 109, 
            descrip = 0x1029aea "Set the max protocol level", argDescrip = 0x102c2f4 "LEVEL"}, {longName = 0x102c006 "tar", 
            shortName = 84 'T', argInfo = 1, arg = 0x0, val = 84, descrip = 0x102b6d7 "Command line tar", 
            argDescrip = 0x102a483 "<c|x>IXFqgbNan"}, {longName = 0x102cf1e "directory", shortName = 68 'D', argInfo = 1, 
            arg = 0x0, val = 68, descrip = 0x102e975 "Start from directory", argDescrip = 0x1029e84 "DIR"}, {
            longName = 0x102f547 "command", shortName = 99 'c', argInfo = 1, arg = 0x1055060 <cmdstr>, val = 99, 
            descrip = 0x1029e88 "Execute semicolon separated commands", argDescrip = 0x0}, {
            longName = 0x102c00a "send-buffer", shortName = 98 'b', argInfo = 2, arg = 0x1055054 <io_bufsize>, val = 98, 
            descrip = 0x102c871 "Changes the transmit/send buffer", argDescrip = 0x102d5b9 "BYTES"}, {
            longName = 0x102b6e8 "timeout", shortName = 116 't', argInfo = 2, arg = 0x1052024 <io_timeout>, val = 98, 
            descrip = 0x102b0c3 "Changes the per-operation timeout", argDescrip = 0x102e206 "SECONDS"}, {
            longName = 0x102a795 "port", shortName = 112 'p', argInfo = 2, arg = 0x1055068 <port>, val = 112, 
            descrip = 0x102f54f "Port to connect to", argDescrip = 0x102df0c "PORT"}, {longName = 0x102ebe6 "grepable", 
            shortName = 103 'g', argInfo = 0, arg = 0x0, val = 103, descrip = 0x102b36b "Produce grepable output", 
            argDescrip = 0x0}, {longName = 0x102cf28 "quiet", shortName = 113 'q', argInfo = 0, arg = 0x0, val = 113, 
            descrip = 0x102cf2e "Suppress help message", argDescrip = 0x0}, {longName = 0x102fb27 "browse", 
            shortName = 66 'B', argInfo = 0, arg = 0x0, val = 66, descrip = 0x102a79a "Browse SMB servers using DNS", 
            argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x801a37140 <popt_common_samba>, 
            val = 0, descrip = 0x102f562 "Common samba options:", argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', 
            argInfo = 4, arg = 0x801a37020 <popt_common_connection>, val = 0, descrip = 0x1029ead "Connection options:", 
            argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 4, 
            arg = 0x80109c020 <popt_common_credentials>, val = 0, descrip = 0x102f328 "Authentication options:", 
            argDescrip = 0x0}, {longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, 
            argDescrip = 0x0}}
        frame = 0x803d75320
==============================================================================
devel/popt was just updated: https://svnweb.freebsd.org/ports?view=revision&revision=540843
==============================================================================
popt 1.18 poptint.c:146 (call vasprintf):
int
POPT_fprintf (FILE * stream, const char * format, ...)
{
    char * b = NULL, * ob = NULL;
    int rc;
    va_list ap;
#if defined(HAVE_VASPRINTF)
    va_start(ap, format);
    if ((rc = vasprintf(&b, format, ap)) < 0)
        b = NULL;
    va_end(ap);
#else
==============================================================================
Same place at popt 1.16:
int
POPT_fprintf (FILE * stream, const char * format, ...)
{
    char * b = NULL, * ob = NULL;
    int rc;
    va_list ap;
            
#if defined(HAVE_VASPRINTF) && !defined(__LCLINT__)
    va_start(ap, format);
    if ((rc = vasprintf(&b, format, ap)) < 0)
        b = NULL;
    va_end(ap);
#else
==============================================================================
In both versions ifdef is true, but smbclient work fine with 1.16 only.
So, bug is in devel/popt 1.18.
Comment 12 Vladimir Druzenko freebsd_committer freebsd_triage 2020-07-05 03:52:38 UTC
> devel/popt: Update to 1.18 and add test target
> This broke runtime of a couple of ports.
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247529#c2
Comment 13 Josh Paetzel freebsd_committer freebsd_triage 2020-07-06 14:49:54 UTC
https://svnweb.freebsd.org/changeset/ports/541348 is in head now.  I'm holding https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=247529 open until it is MFH'd into 2020Q3.