4.173. samba3x

Updated samba3x packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links associated with each description below.
Samba is a suite of programs used by machines to share files, printers, and other information.

Security Fixes

CVE-2011-2694
A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session.
CVE-2011-2522
It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user.
CVE-2011-2724
It was found that the fix for CVE-2010-0547, provided by the Samba rebase in RHBA-2011:0054, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set.
CVE-2011-1678
It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs.

Note

mount.cifs from the samba3x packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs.
Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522.
Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
Updated samba3x packages that fix several bugs and provide multiple enhancements are now available for Red Hat Enterprise Linux 5.
Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

Note

The samba3x package has been upgraded to upstream version 3.5.10, which provides a number of bug fixes and enhancements over the previous version. In particular, this upgrade includes improvements to ntlm_auth for dealing with wrong passwords and repeated authentication attempts. As a result ntlm_auth now operates reliably, including with older Domain Controllers. (BZ#719369, BZ#593825, BZ#713466)

Bug Fixes

BZ#716182
If plain text passwords were used by setting encrypt passwords = no in /etc/samba/smb.conf, Samba clients running on the Windows XP or Windows Server 2003 operating system may not have been able to access Samba shares after installing Microsoft Security Bulletin MS11-043. This update corrects this bug, allowing such clients to use plain-text passwords to access Samba shares.
BZ#719852
Samba failed to verify Kerberos authentication of an SMB Session Setup from a Windows Vista or Windows Server 2008 Common Internet File System(CIFS) client when the Kerberos ticket size was greater than 16 KB. Consequently, if the connecting account was a member of more than 500 security groups, and the domain was configured to create tickets greater than 12Kb, authentication failed. The following error message was logged:
Failed to verify incoming ticket with error NT_STATUS_LOGON_FAILURE!
An upstream patch has been applied and Samba can now use Kerberos authentication for Windows Vista or Windows Server 2008 CIFS clients in the scenario described.
BZ#725875
Previously, in certain environments with many users, the pam_winbind module stopped operating. As a result, failures occurred when users attempted to log in. With this update, the bug has been fixed so that pam_winbind now works as expected in the scenario described.
BZ#735165
The group ID (GID) of ServerName\None was incremented every time the Identity Mapping (IDMAP) cache expired. Given enough time the GID would eventually reach the top of the range specified by the idmap gid directive in the smb.conf file. Consequently, new allocation of GIDs would not be possible and a group would no longer resolve properly. This update includes an upstream fix and the cache expiry no longer causes GIDs to increment.
BZ#736375
The Name Service Switch daemon winbind produces excessive debug output messages when attempting to register an already-registered IDMAP module. Previously, the messages were set to debug level 0. Consequently, the messages could not be filtered by lowering the log level parameter in smb.conf. With this update, a patch has been applied to increase the debug level of the messages to 5. As a result, the debug messages can now be filtered by setting the smb.conf log level parameter.
BZ#743467
If Linux clients used the CIFS client in the kernel to mount a Samba share, the force create mode parameter was not honored properly. As a result, files created on a mounted Samba share did not properly follow the umask parameter, and files with undesired permissions were created. With this update, the bug has been fixed and files are now created with the correct permissions.
BZ#743895
Due to a regression in Samba, Windows Internet Explorer 9 running on Windows 7 could not download files to a Samba share. Consequently, some Windows 7 users could not make use of Samba shares. This update includes upstream improvements to Samba to address this bug. As a result, Windows 7 users can now save files on Samba shares using Internet Explorer 9.
BZ#747153
Previously, the man pages for certain Samba components did not document that primary group membership is not calculated based on the gidNumber LDAP attribute if Windows Services for UNIX (SFU) are enabled, or if the standard RFC 2307 LDAP attributes in the Active Directory (AD) are used. Instead, Winbind uses the primaryGroupID LDAP attribute. With this update, the man pages have been updated accordingly to reflect the aforementioned limitation.
BZ#748515
Previously, extracting files from a ZIP archive failed on the Distributed File System (DFS) shares if the following symlinks = yes parameter was not set. This bug has been fixed in this update so that extracting files from a ZIP archive now works as expected.
BZ#753828
If winbind was joined to the domain with idmap_ad specified as the backend, enumerating users was enabled, and most of the users had UIDs, then when calling getent passwd for a user who had no UID, the enumeration stopped and the following error was displayed:
NT_STATUS_NONE_MAPPED
This update implements an upstream patch to correct the problem. As a result, if a user cannot be mapped, winbind no longer stops but continues enumerating users in the scenario described.
BZ#754154
Previously, the winbindd-locator tool could not correctly find a Domain Controller (DC) using Samba and DNS SRV records when outside the networks that are known to AD and are mapped to AD sites. Consequently, when a host was a member of a Windows Server 2008 R2 domain, and the host was in a network that was not mapped to any known site of the AD, the host could not locate a DC and an error message in the following format was logged:
ads_dns_lookup_srv: Failed to resolve _ldap._tcp.._sites.dc._msdcs.AD.EXAMPLE.COM
With this update a patch has been applied and winbindd-locator can now locate a DC in the scenario described.
BZ#755346
The smbclient tool sometimes failed to return the expected exit status code; it returned 0 instead of 1. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status.
BZ#766497
Previously, the Winbind IDMAP interface cache did not expire as specified in the smb.conf file. Consequently, the positive and negative entries in the cache would not expire until the opposite type of query was made. This update contains a backported fix for the problem. As a result, the idmap cache time and idmap negative cache time directives now work as expected.
BZ#771375
Previously, the net(8) man page did not document the -k option for using Kerberos authentication. Consequently, users were not aware how to use Kerberos authentication with the net utility. This update adds the missing documentation to the man page.
Users of samba3x should upgrade to these updated packages, which fix these bugs and add these enhancements.