Ubuntu
samba package

samba-tool user password: uncaught exception when updating old password containing regular expression metacharacters

Bug #2002949 reported by Renaud Miel
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Ubuntu)
Fix Released
Undecided
Michał Małoszewski
Focal
Fix Released
Undecided
Michał Małoszewski
Jammy
Fix Released
Undecided
Michał Małoszewski
Kinetic
Won't Fix
Undecided
Unassigned
Lunar
Fix Released
Undecided
Michał Małoszewski

Bug Description

[Impact]

* Users of samba reported an issue on Focal, Jammy and Lunar while trying to update an old password containing regex metacharacters.

* This crash is caused by the fact, that 'opt_str' and 'secret_data' were not treated as literal characters in the regex pattern. The fix is to use the re.escape() function that will solve that issue.

[Test Plan]

We need to setup a VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server.

The first step is to create a dedicated virtual network for our tests.

The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "network1"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".

Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr0".

We need to setup a Samba AD DC server. Note that we have to use "-n virbr0" when creating the VM, otherwise it won't use our virtual network.

$ lxc launch ubuntu-daily:jammy test1 -n virbr0 --vm
where <release-version>=Focal, Jammy or Lunar depending on what release we test.

$ lxc shell test1

# apt update

# ip a

Make sure to grab this VM's IP address.

# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE test1 test1.test.lan
_EOF_

# reboot

$ lxc shell test1
# apt install -y samba winbind python3-setproctitle

# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1

# systemctl mask smbd.service nmbd.service winbind.service
# systemctl disable --now smbd.service nmbd.service winbind.service
# systemctl unmask samba-ad-dc.service
# systemctl enable --now samba-ad-dc.service

We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.

You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.

# systemctl disable --now systemd-resolved.service
# unlink /etc/resolv.conf
# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_

# reboot

This should be enough to configure Samba as an AD DC.

$ lxc shell test1

# smbpasswd -a ubuntu

You will be prompted for the password. Type in the one used in --password later on in the password change command.

# apt install smbclient
# smbclient -L <server_ip> -U ubuntu

Here for testing that, there is a need to set password age'ing to 0.
# samba-tool domain passwordsettings set --min-pwd-age=0

# samba-tool user password --username=ubuntu --password='123$?**(' --newpassword='1234bdt7q6q7'

Example of failed output:

ERROR(<class 're.error'>): uncaught exception - missing ), unterminated subpattern at position 8
  File "/usr/bin/samba-tool", line 44, in <module>
    retval = cmd._run("samba-tool", subcommand, *args)
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 153, in _run
    opts, args = parser.parse_args(list(argv))
  File "/usr/lib/python3.8/optparse.py", line 1387, in parse_args
    stop = self._process_args(largs, rargs, values)
  File "/usr/lib/python3.8/optparse.py", line 1427, in _process_args
    self._process_long_opt(rargs, values)
  File "/usr/lib/python3.8/optparse.py", line 1501, in _process_long_opt
    option.process(opt, value, values, self)
  File "/usr/lib/python3.8/optparse.py", line 784, in process
    return self.take_action(
  File "/usr/lib/python3.8/optparse.py", line 805, in take_action
    self.callback(self, opt, value, parser, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 250, in _set_password
    self._ensure_secure_proctitle(opt_str, arg, "password")
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 202, in _ensure_secure_proctitle
    pass_opt_re = re.compile(pass_opt_re_str)
  File "/usr/lib/python3.8/re.py", line 252, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.8/re.py", line 304, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.8/sre_compile.py", line 764, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.8/sre_parse.py", line 948, in parse
    p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib/python3.8/sre_parse.py", line 443, in _parse_sub
    itemsappend(_parse(source, state, verbose, nested + 1,
  File "/usr/lib/python3.8/sre_parse.py", line 836, in _parse
    raise source.error("missing ), unterminated subpattern",

Example of successful output:

No error like that is present.
Message: Changed password OK

smbclient -L <server_ip> -U ubuntu

Type in the password used in --newpassword in the password change command.

You will be able to log in without any issues.

[Where problems could occur]

* There might be regression in the future related to handling credentials and authentication options.

---------------------------------original report--------------------------

1) The release of Ubuntu I am using:
$ lsb_release -rd
Description: Ubuntu 22.04.1 LTS
Release: 22.04

2) The version of the package I am using
apt-cache policy python3-samba
$ apt-cache policy python3-samba
python3-samba:
  Installed: 2:4.15.9+dfsg-0ubuntu0.2
  Candidate: 2:4.15.9+dfsg-0ubuntu0.3
  Version table:
     2:4.15.9+dfsg-0ubuntu0.3 500
        500 http://jp.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
 *** 2:4.15.9+dfsg-0ubuntu0.2 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.5~dfsg-0ubuntu5 500
        500 http://jp.archive.ubuntu.com/ubuntu jammy/main amd64 Packages

3) What you expected to happen
I expected the old password to be updated with the provided new password

4) What happened instead
The old password was not updated and the error shown below occurred.

Furthermore, from the final error message:
source.error("missing ), unterminated subpattern"
one can infer that the non-updated old password includes a ( character.

It looks like this is because in:

file: getopt.py,
function: _ensure_secure_proctitle(self, opt_str, secret_data, data_type="password")
line 201: pass_opt_re_str = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (opt_str, secret_data)

the old password passed through argument secret_data is used as-is
to form a regular expression, instead of being properly escaped.

Suggested fix:
pass_opt_re_str = "(.*[ ]+)(%s[= ]%s)([ ]*.*)" % (re.escape(opt_str), re.escape(secret_data))

ERROR(): uncaught exception - missing ), unterminated subpattern at position 8
  File "/usr/bin/samba-tool", line 44, in
    retval = cmd._run("samba-tool", subcommand, *args)
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 153, in _run
    opts, args = parser.parse_args(list(argv))
  File "/usr/lib/python3.10/optparse.py", line 1387, in parse_args
    stop = self._process_args(largs, rargs, values)
  File "/usr/lib/python3.10/optparse.py", line 1427, in _process_args
    self._process_long_opt(rargs, values)
  File "/usr/lib/python3.10/optparse.py", line 1501, in _process_long_opt
    option.process(opt, value, values, self)
  File "/usr/lib/python3.10/optparse.py", line 784, in process
    return self.take_action(
  File "/usr/lib/python3.10/optparse.py", line 805, in take_action
    self.callback(self, opt, value, parser, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 250, in _set_password
    self._ensure_secure_proctitle(opt_str, arg, "password")
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 202, in _ensure_secure_proctitle
    pass_opt_re = re.compile(pass_opt_re_str)
  File "/usr/lib/python3.10/re.py", line 251, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.10/re.py", line 303, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.10/sre_compile.py", line 788, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.10/sre_parse.py", line 955, in parse
    p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib/python3.10/sre_parse.py", line 444, in _parse_sub
    itemsappend(_parse(source, state, verbose, nested + 1,
  File "/usr/lib/python3.10/sre_parse.py", line 843, in _parse
    raise source.error("missing ), unterminated subpattern",

See original description

Related branches

~ahasenack/ubuntu/+source/samba:mantic-samba-merge-3
git-ubuntu bot: Approve
Bryce Harrington (community): Approve
Canonical Server Reporter: Pending requested
Diff: 3480 lines (+3080/-8)
6 files modified
debian/changelog (+2558/-0)
debian/control (+8/-6)
debian/rules (+1/-1)
debian/tests/control (+4/-0)
debian/tests/samba-ad-dc-provisioning-internal-dns (+398/-0)
debian/tests/util (+111/-1)
~michal-maloszewski99/ubuntu/+source/samba:samba-tool-usrpassword-focal-fix
git-ubuntu bot: Approve
Simon Quigley (community): Approve
Canonical Server Reporter: Pending requested
Diff: 57 lines (+35/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/issue-when-updating-old-passwd-containing-regex-metachars.patch (+25/-0)
debian/patches/series (+1/-0)
~michal-maloszewski99/ubuntu/+source/samba:samba-tool-usrpassword-jammy-fix
git-ubuntu bot: Approve
Simon Quigley (community): Approve
Canonical Server Reporter: Pending requested
Diff: 57 lines (+35/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/issue-when-updating-old-passwd-containing-regex-metachars.patch (+25/-0)
debian/patches/series (+1/-0)
~michal-maloszewski99/ubuntu/+source/samba:samba-tool-usrpassword-lunar-fix
git-ubuntu bot: Approve
Simon Quigley (community): Approve
Canonical Server Reporter: Pending requested
Diff: 57 lines (+35/-0)
3 files modified
debian/changelog (+9/-0)
debian/patches/issue-when-updating-old-passwd-containing-regex-metachars.patch (+25/-0)
debian/patches/series (+1/-0)
~michal-maloszewski99/ubuntu/+source/samba:samba-tool-password-mantic
git-ubuntu bot: Approve
Andreas Hasenack: Approve
Canonical Server Reporter: Pending requested
Canonical Server Reporter: Pending requested
Diff: 741 lines (+683/-0)
9 files modified
debian/changelog (+15/-0)
debian/patches/lib-cmdline-Also-burn-the-password2-parameter-if-giv.patch (+41/-0)
debian/patches/lib-cmdline-Also-redact-newpassword-in-samba_cmdline.patch (+31/-0)
debian/patches/lib-cmdline-Return-if-the-commandline-was-redacted-i.patch (+69/-0)
debian/patches/python-Add-glue.burn_commandline-method.patch (+116/-0)
debian/patches/python-Move-PyList_AsStringList-to-common-code-so-we.patch (+158/-0)
debian/patches/python-Remove-const-from-PyList_AsStringList.patch (+82/-0)
debian/patches/samba-tool-Use-samba.glue.get_burnt_cmdline-rather-t.patch (+164/-0)
debian/patches/series (+7/-0)
Renaud Miel (r-miel)
description: updated
Seth Arnold (seth-arnold)
information type: Private Security → Public
Changed in samba (Ubuntu):
status: New → Confirmed
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Hello Renaud, thanks for the report; the samba team is working this on:

https://bugzilla.samba.org/show_bug.cgi?id=15289
https://gitlab.com/samba-team/samba/-/merge_requests/2902

Thanks

Revision history for this message
Renaud Miel (r-miel) wrote :

Hello Seth,

Thank you for having forwarded this report to the samba team.

Michał Małoszewski (michal-maloszewski99)
Changed in samba (Ubuntu):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Michał Małoszewski (michal-maloszewski99)
Changed in samba (Ubuntu):
status: Confirmed → In Progress
Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote (last edit ):

Hi Renaud Miel,

I see from your description that this issue affects Jammy.

First, before backporting the fix, I need to check if the issue is present in the current devel release, and if so, fix it there first.

As getopt.py suggests - it is.

I am willing to take care of that bug, but I do not want to fix it blindly; therefore, I would like you to provide me with the exact steps to reproduce the issue (including Samba AD DC configuration because it may vary depending on the situation). It will be helpful for me to continue with the SRU later, after the current devel is fixed.

Is that something you can help me with?

Revision history for this message
Renaud Miel (r-miel) wrote :

Hi Michal,

I can reproduce the issue by running the command shown below in P.S.,
where:
* bash shell variables username, current_password, new_password and ipaddress have been set to their correct values
* the current password of user "$username" ends with a '(' character.

Does this help ?

P.S.: step to reproduce the issue:

$ samba-tool user password --username="$username" --password="$current_password" --newpassword="$new_password" --ipaddress="$ipaddress"
ERROR(<class 're.error'>): uncaught exception - missing ), unterminated subpattern at position 8
  File "/bin/samba-tool", line 44, in <module>
    retval = cmd._run("samba-tool", subcommand, *args)
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 153, in _run
    opts, args = parser.parse_args(list(argv))
  File "/usr/lib/python3.10/optparse.py", line 1387, in parse_args
    stop = self._process_args(largs, rargs, values)
  File "/usr/lib/python3.10/optparse.py", line 1427, in _process_args
    self._process_long_opt(rargs, values)
  File "/usr/lib/python3.10/optparse.py", line 1501, in _process_long_opt
    option.process(opt, value, values, self)
  File "/usr/lib/python3.10/optparse.py", line 784, in process
    return self.take_action(
  File "/usr/lib/python3.10/optparse.py", line 805, in take_action
    self.callback(self, opt, value, parser, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 251, in _set_password
    self._ensure_secure_proctitle(opt_str, arg, "password")
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 203, in _ensure_secure_proctitle
    pass_opt_re = re.compile(pass_opt_re_str)
  File "/usr/lib/python3.10/re.py", line 251, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.10/re.py", line 303, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.10/sre_compile.py", line 788, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.10/sre_parse.py", line 955, in parse
    p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib/python3.10/sre_parse.py", line 444, in _parse_sub
    itemsappend(_parse(source, state, verbose, nested + 1,
  File "/usr/lib/python3.10/sre_parse.py", line 843, in _parse
    raise source.error("missing ), unterminated subpattern",

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote (last edit ):

Hi,

Thank you for your response.
It helps a bit more, but: did you set up Samba as an Active Directory Domain Controller?

It is important in that case to give an example (what I expected):

1. I have installed samba ->  apt install samba
2. Then I changed something in my conf file -> what I changed is: ...
3. Then I typed in: " $ samba-tool user password --username="$username" --password="$current_password" --newpassword="$new_password" --ipaddress="$ipaddress" "

etc.

The problem occurred.

If you could help me with something like that, it would be excellent :)

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

To re-write my comment above in a bit more professional way, the SRU process requires an easy to follow test case be documented with the bug, to allow it to be easily validated. You can see an example of what we're looking for from the [Test Case] in this bug report:

  https://bugs.launchpad.net/ubuntu/+source/apache2/+bug/1988224

And again - if you could help me with something like that, it would be excellent :)

Best Regards,
Michal

Revision history for this message
Renaud Miel (r-miel) wrote :

I believe you don't need a working setup of Samba
configured as an Active Directory Domain Controller
to reproduce the issue, because the error occurs
at command line arguments parse time.

Please follow this test case to reproduce the bug.

[Test Case]
1. Install the package owning the file samba-tool
$ sudo apt install samba-common-bin

2. Run the following command
$ samba-tool user password --username=Michal --password='123&!(' --newpassword=1234bdt7q6q7wq

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

I tried to reproduce the issue with the steps you provided.

$ sudo apt install samba-common-bin
$ samba-tool user password --username=Michal --password='123&!(' --newpassword=1234bdt7q6q7wq

The error message is a bit different:

WARNING: Using password on command line is insecure. Please install the setproctitle python module.
ERROR: Failed to change password : (-1073741772, "Connection to SAMR pipe of PDC of domain 'WORKGROUP' failed: NT_STATUS_OBJECT_NAME_NOT_FOUND")

And it does not depend on the metacharacters.
The same error message occurred when I did get rid of the metacharacters.

root@mantic-samba-tool:~# samba-tool user password --username=Michal --password='123' --newpassword=1234bdt7q6q7wq
WARNING: Using password on command line is insecure. Please install the setproctitle python module.
ERROR: Failed to change password : (-1073741772, "Connection to SAMR pipe of PDC of domain 'WORKGROUP' failed: NT_STATUS_OBJECT_NAME_NOT_FOUND")

Revision history for this message
Renaud Miel (r-miel) wrote :

Thank you for your trial.
Apologies, I forgot that I also installed the setproctitle python module,
as recommended by the WARNING message.
Here is the updated bug reproduction procedure.

[Test Case]
1. Install the package owning the file samba-tool
$ sudo apt install samba-common-bin

2. Install the setproctitle python module
$ sudo apt install python3-setproctitle

3. Run the following command
$ samba-tool user password --username=Michal --password='123&!(' --newpassword=1234bdt7q6q7wq

4. If you cannot reproduce the issue, install the following versions of above packages,
   and retry 3.

Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==========================-=========================-============-=========================================================
ii python3-setproctitle:amd64 1.2.2-2build1 amd64 Setproctitle implementation for Python 3
ii samba-common-bin 2:4.15.13+dfsg-0ubuntu1.1 amd64 Samba common files used by both the server and the client

You can check the version of your installation of above packages by running:

$ dpkg-query --list samba-common-bin python3-setproctitle

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

Thank you!

I could reproduce the issue :)
Now I will take care of that and fix it!

Michał Małoszewski (michal-maloszewski99)
tags: added: server-todo
Michał Małoszewski (michal-maloszewski99)
Changed in samba (Ubuntu Jammy):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in samba (Ubuntu Focal):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in samba (Ubuntu Lunar):
assignee: nobody → Michał Małoszewski (michal-maloszewski99)
Changed in samba (Ubuntu Focal):
status: New → Confirmed
Changed in samba (Ubuntu Jammy):
status: New → Confirmed
Changed in samba (Ubuntu Kinetic):
status: New → Won't Fix
Changed in samba (Ubuntu Lunar):
status: New → Confirmed
Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

The issue also affects Focal, Jammy, Lunar, and Kinetic - but Kinetic reaches EOSS in July 2023 - 2 days left; therefore, I marked it as Won't Fix.

P.S. IMO this does not count as a CVE.

Revision history for this message
Andrew Bartlett (abartlet) wrote :

I've been working on this today and we have a better fix here:

https://gitlab.com/samba-team/samba/-/merge_requests/2902

So this should be fixed soon, hopefully for 4.19 (and backports will be possible regardless)

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

Thank you so much, Andrew, it really helps. I am working on adding that change to the current devel and from there I will backport it if appropriate. First, the mantic must have those changes.

Revision history for this message
Andrew Bartlett (abartlet) wrote :

The patch is now in master as the backport to 4.18 is on the bug.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.18.5+dfsg-1ubuntu2

---------------
samba (2:4.18.5+dfsg-1ubuntu2) mantic; urgency=medium

  * Add changes to fix uncaught exception when updating old password
    containing regex metacharacters by simplifying samba-tool password
    redaction (LP: #2002949).
    - d/p/lib-cmdline-Return-if-the-commandline-was-redacted-i.patch
    - d/p/lib-cmdline-Also-redact-newpassword-in-samba_cmdline.patch
    - d/p/lib-cmdline-Also-burn-the-password2-parameter-if-giv.patch
    - d/p/samba-tool-Use-samba.glue.get_burnt_cmdline-rather-t.patch
    - d/p/python-Add-glue.burn_commandline-method.patch
    - d/p/python-Move-PyList_AsStringList-to-common-code-so-we.patch
    - d/p/python-Remove-const-from-PyList_AsStringList.patch

 -- Michal Maloszewski <email address hidden> Fri, 28 Jul 2023 00:55:03 +0200

Changed in samba (Ubuntu):
status: In Progress → Fix Released
Michał Małoszewski (michal-maloszewski99)
description: updated
Michał Małoszewski (michal-maloszewski99)
description: updated
Michał Małoszewski (michal-maloszewski99)
description: updated
description: updated
Michał Małoszewski (michal-maloszewski99)
Changed in samba (Ubuntu Focal):
status: Confirmed → In Progress
Changed in samba (Ubuntu Jammy):
status: Confirmed → In Progress
Changed in samba (Ubuntu Lunar):
status: Confirmed → In Progress
Michał Małoszewski (michal-maloszewski99)
description: updated
Michał Małoszewski (michal-maloszewski99)
description: updated
Michał Małoszewski (michal-maloszewski99)
description: updated
Andreas Hasenack (ahasenack)
Changed in samba (Ubuntu Lunar):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-lunar
Michał Małoszewski (michal-maloszewski99)
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote : Please test proposed package

Hello Renaud, or anyone else affected,

Accepted samba into lunar-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.17.7+dfsg-1ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-lunar to verification-done-lunar. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-lunar. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Michał Małoszewski (michal-maloszewski99)
description: updated
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hello Renaud, or anyone else affected,

Accepted samba into jammy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-jammy to verification-done-jammy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-jammy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in samba (Ubuntu Jammy):
status: In Progress → Fix Committed
tags: added: verification-needed-jammy
Changed in samba (Ubuntu Focal):
status: In Progress → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Hello Renaud, or anyone else affected,

Accepted samba into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/samba/2:4.15.13+dfsg-0ubuntu0.20.04.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Michał Małoszewski (michal-maloszewski99)
description: updated
description: updated
description: updated
Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (samba/2:4.17.7+dfsg-1ubuntu2.2)

All autopkgtests for the newly accepted samba (2:4.17.7+dfsg-1ubuntu2.2) for lunar have finished running.
The following regressions have been reported in tests triggered by the package:

freeradius/3.2.1+dfsg-1 (amd64)
gvfs/1.50.4-1 (arm64, s390x)
libsoup3/3.4.0-1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/lunar/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (samba/2:4.15.13+dfsg-0ubuntu1.4)

All autopkgtests for the newly accepted samba (2:4.15.13+dfsg-0ubuntu1.4) for jammy have finished running.
The following regressions have been reported in tests triggered by the package:

gvfs/1.48.2-0ubuntu1 (amd64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/jammy/update_excuses.html#samba

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote (last edit ):
Download full text (3.9 KiB)

Fix works, 2:4.15.13+dfsg-0ubuntu0.20.04.5 fixes the bug in Focal; 2:4.15.13+dfsg-0ubuntu1.4 fixes the bug in Jammy; 2:4.17.7+dfsg-1ubuntu2.2 fixes the bug in Lunar

Jammy:

I've setup a VM running a Samba Active Directory Domain Controller, followed the [Test Plan] section listed above in the Bug Description and inside that container I typed in:

$ apt policy samba

The output:

samba:
  Installed: 2:4.15.13+dfsg-0ubuntu1.3
  Candidate: 2:4.15.13+dfsg-0ubuntu1.3
  Version table:
 *** 2:4.15.13+dfsg-0ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2:4.15.13+dfsg-0ubuntu1.2 500
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     2:4.15.5~dfsg-0ubuntu5 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

I've noticed that nothing has changed there, so the problem still existed, because as we could see in the output, the package version was not the one where the fix is.

Result:

ERROR(<class 're.error'>): uncaught exception - missing ), unterminated subpattern at position 8
  File "/usr/bin/samba-tool", line 44, in <module>
    retval = cmd._run("samba-tool", subcommand, *args)
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 235, in _run
    return self.subcommands[subcommand]._run(
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 153, in _run
    opts, args = parser.parse_args(list(argv))
  File "/usr/lib/python3.8/optparse.py", line 1387, in parse_args
    stop = self._process_args(largs, rargs, values)
  File "/usr/lib/python3.8/optparse.py", line 1427, in _process_args
    self._process_long_opt(rargs, values)
  File "/usr/lib/python3.8/optparse.py", line 1501, in _process_long_opt
    option.process(opt, value, values, self)
  File "/usr/lib/python3.8/optparse.py", line 784, in process
    return self.take_action(
  File "/usr/lib/python3.8/optparse.py", line 805, in take_action
    self.callback(self, opt, value, parser, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 250, in _set_password
    self._ensure_secure_proctitle(opt_str, arg, "password")
  File "/usr/lib/python3/dist-packages/samba/getopt.py", line 202, in _ensure_secure_proctitle
    pass_opt_re = re.compile(pass_opt_re_str)
  File "/usr/lib/python3.8/re.py", line 252, in compile
    return _compile(pattern, flags)
  File "/usr/lib/python3.8/re.py", line 304, in _compile
    p = sre_compile.compile(pattern, flags)
  File "/usr/lib/python3.8/sre_compile.py", line 764, in compile
    p = sre_parse.parse(p, flags)
  File "/usr/lib/python3.8/sre_parse.py", line 948, in parse
    p = _parse_sub(source, state, flags & SRE_FLAG_VERBOSE, 0)
  File "/usr/lib/python3.8/sre_parse.py", line 443, in _parse_sub
    itemsappend(_parse(source, state, verbose, nested + 1,
  File "/usr/lib/python3.8/sre_parse.py", line 836, in _parse
    raise source.error("missing ), unterminated subpattern",

Then I've upgraded samba using:
$ apt install samba=2:4.15.13...

Read more...

tags: added: verification-done verification-done-focal verification-done-jammy verification-done-lunar
removed: verification-needed verification-needed-focal verification-needed-jammy verification-needed-lunar
Revision history for this message
Michał Małoszewski (michal-maloszewski99) wrote :

Btw, Forgot to mention but all tests are green now.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.17.7+dfsg-1ubuntu2.2

---------------
samba (2:4.17.7+dfsg-1ubuntu2.2) lunar; urgency=medium

  * d/p/issue-when-updating-old-passwd-containing-regex-metachars.patch:
    Add changes to fix uncaught exception when updating old password
    containing regex metacharacters by simplifying samba-tool password
    redaction (LP: #2002949).

samba (2:4.17.7+dfsg-1ubuntu2.1) lunar; urgency=medium

  * d/control: adjust breaks/replaces for file move that Debian did in
    4.16.6+dfsg-5, and Ubuntu only did in 4.17.7+dfsg-1ubuntu1, to avoid
    file conflict in a dist-upgrade from earlier Ubuntu releases, like
    Kinetic (LP: #2024663)

 -- Michal Maloszewski <email address hidden> Sun, 20 Aug 2023 13:57:29 +0200

Changed in samba (Ubuntu Lunar):
status: Fix Committed → Fix Released
Revision history for this message
Robie Basak (racb) wrote : Update Released

The verification of the Stable Release Update for samba has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.15.13+dfsg-0ubuntu1.4

---------------
samba (2:4.15.13+dfsg-0ubuntu1.4) jammy; urgency=medium

  * d/p/issue-when-updating-old-passwd-containing-regex-metachars.patch:
    Add changes to fix uncaught exception when updating old password
    containing regex metacharacters by simplifying samba-tool password
    redaction (LP: #2002949).

 -- Michal Maloszewski <email address hidden> Fri, 18 Aug 2023 15:53:14 +0200

Changed in samba (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.15.13+dfsg-0ubuntu0.20.04.5

---------------
samba (2:4.15.13+dfsg-0ubuntu0.20.04.5) focal; urgency=medium

  * d/p/issue-when-updating-old-passwd-containing-regex-metachars.patch:
    Add changes to fix uncaught exception when updating old password
    containing regex metacharacters by simplifying samba-tool password
    redaction (LP: #2002949).

 -- Michal Maloszewski <email address hidden> Fri, 18 Aug 2023 22:56:58 +0200

Changed in samba (Ubuntu Focal):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.