Regression in USN 544-1 causes nmbd crash after update

Bug #163042 reported by Rod Roark on 2007-11-16
Affects          Status        Importance  Assigned to        Milestone
samba            Fix Released  Critical
samba (Ubuntu)                 Critical    Jamie Strandboge
Dapper                         Critical    Jamie Strandboge
Edgy                           Critical    Jamie Strandboge

Bug Description

A security update deployed with USN 544-1 caused a regression which may prevent the Samba service from starting in some configurations. The symptom of this regression is a segmentation fault when the nmbd daemon starts. If you are affected by the regression, available workarounds include:

 * Revert to the old version of the samba package, using the following command: sudo apt-get install samba=3.0.26a-1ubuntu2

 * Modify clients to use the cifs filesystem (e.g. in /etc/fstab) in place of the deprecated smbfs filesystem

The security issue fixed is not believed to be serious (denial of service only), and so it is recommended that users do not install the update at this time due to the risk of regression. Further downloads of the affected files from the security archive have been disabled for this reason.

The security team is preparing a new update to fix the regression, and more information will be posted here when it is available.

Thomas.Plant (thomas-plant) wrote :

I'm having exactly the same problem since the upgrade this morning.

Greetings.

Martijn vdS (martijn) wrote :

I'm seeing this as well.

Changed in samba:
status: New → Confirmed
glance (glance-acc) wrote :

Same problem here.

Downgrade keeps stuff running.

Valentijn Sessink (valentijn) wrote :

samba 3.0.22-1ubuntu3.4 breaks things, 3.0.22-1ubuntu3.3 is OK.
samba-3.0.22 /source/lib/charcnv.c is where the panic comes from:
      /* No longer allow a length of -1 */
      if (dest_len == (size_t)-1) {
              dest_len = sizeof(pstring);
              smb_panic("push_ascii - dest_len == -1");
      }

Changed in samba:
importance: Undecided → High
Changed in samba:
assignee: nobody → jamie-strandboge
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

Confirmed on Dapper and Edgy. Feisty and Gutsy ok.

Martin Pitt (pitti) wrote :

We will make the current dapper-security binaries inaccessible for the time being, so that we prevent more people from getting the faulty upgrade. Apologies!

Changed in samba:
importance: High → Critical

Here's my workaround (from the mail list) -- Just back out the latest fix and forbid its install until the
next version comes along.

On Edgy:
# aptitude remove samba=3.0.22-1ubuntu4.3
# aptitude install samba=3.0.22-1ubuntu4.2
# aptitude forbid-version samba=3.0.22-1ubuntu4.3

On Dapper:
# aptitude remove samba=3.0.22-1ubuntu3.4
# aptitude install samba=3.0.22-1ubuntu3.3
# aptitude forbid-version samba=3.0.22-1ubuntu3.4

Changed in samba:
status: Triaged → In Progress
Kees Cook (kees) on 2007-11-16
Changed in samba:
assignee: nobody → jamie-strandboge
importance: Undecided → Critical
status: New → In Progress
assignee: nobody → jamie-strandboge
importance: Undecided → Critical
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :

Turns out that upstream's fix for CVE-2007-4572 was incomplete and Feisty and Gutsy are also affected. As such, feisty and gutsy packages have been disabled. I have also linked to the upstream bug report. Updated packages without this patch will be provided for all releases. CVE-2007-4572 is a DoS but believed to not be exploitable.

When a proper fix is found, updated packages will be provided.

Benjamin Heil (benjamin-heil) wrote :

I have this issue also with Ubuntu Gutsy. When upgrading to 3.0.26a-1ubuntu2.1 I cannot access network shares I've included in fstab on the client. After doing a downgrade to 3.0.26a-1ubuntu2 it works again.

samba.log:

[2007/11/16 18:56:46, 1] smbd/service.c:make_connection_snum(1033)
  192.168.178.24 (192.168.178.24) connect to service BHeil initially as user bheil (uid=1000, gid=1000) (pid 12173)
[2007/11/16 18:56:47, 0] lib/util.c:smb_panic(1632)
  PANIC (pid 12173): push_ascii - dest_len == -1
[2007/11/16 18:56:47, 0] lib/util.c:log_stack_trace(1736)
  BACKTRACE: 14 stack frames:
   #0 /usr/sbin/smbd(log_stack_trace+0x2d) [0x828b1bd]
   #1 /usr/sbin/smbd(smb_panic+0x5d) [0x828b2ed]
   #2 /usr/sbin/smbd(push_ascii+0xf7) [0x8273b47]
   #3 /usr/sbin/smbd(push_string_fn+0x4c) [0x8273b9c]
   #4 /usr/sbin/smbd(srvstr_push_fn+0x54) [0x80fffd4]
   #5 /usr/sbin/smbd [0x80ea2e3]
   #6 /usr/sbin/smbd [0x80ebd95]
   #7 /usr/sbin/smbd(handle_trans2+0x237) [0x80ec5d7]
   #8 /usr/sbin/smbd(reply_trans2+0x6c4) [0x80f2d54]
   #9 /usr/sbin/smbd [0x810f6f0]
   #10 /usr/sbin/smbd(smbd_process+0x836) [0x8110ac6]
   #11 /usr/sbin/smbd(main+0xbdd) [0x836440d]
   #12 /lib/tls/i686/cmov/libc.so.6(__libc_start_main+0xe0) [0xb7b4c050]
   #13 /usr/sbin/smbd [0x8094061]
[2007/11/16 18:56:47, 0] lib/util.c:smb_panic(1637)
  smb_panic(): calling panic action [/usr/share/samba/panic-action 12173]
[2007/11/16 18:56:47, 0] lib/util.c:smb_panic(1645)
  smb_panic(): action returned status 0
[2007/11/16 18:56:47, 0] lib/fault.c:dump_core(181)
  dumping core in /var/log/samba/cores/smbd

This line is in /etc/fstab on the client machine:
//192.168.178.23/BHeil /media/homeserver/bheil smbfs credentials=/home/bheil/.smbcredentials,uid=1000,gid=1000 0 0

Accessing the share with "smb://192.168.178.23/BHeil" works in Dolphin (it's Kubuntu on the client), but not with the mounted directory:

bheil@bheil-pc:/media/homeserver/bheil$ ls
ls: lese Verzeichnis .: Input/output error

I also cannot install samba-dbg at the moment because the package is forbidden. Aptitude says:

Feh http://security.ubuntu.com gutsy-security/main samba-dbg 3.0.26a-1ubuntu2.1
  403 Forbidden
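
Added here as an illustration (not Samba's code, and not the fix that shipped in USN 544-2), this C model follows the check quoted from charcnv.c earlier in the thread and the smbd backtrace above: the same -1 length that the old code silently widened to a pstring now trips smb_panic(), so a single client request ends the process. The REJECT policy, which fails only the offending request and keeps the daemon running, is an assumption added for contrast.

```c
#include <stddef.h>
#include <string.h>

/* Added example, not Samba's code. It models the check quoted from
 * charcnv.c: a caller hands a push_ascii-style copy dest_len == (size_t)-1,
 * and the daemon either substitutes sizeof(pstring) for it (pre-patch),
 * calls smb_panic() (the USN 544-1 patch, seen in the backtrace above),
 * or fails just that request (an alternative assumed here for contrast). */
#define PSTRING_LEN 1024            /* sizeof(pstring) in Samba 3.0.x */

enum policy  { SUBSTITUTE, PANIC, REJECT };
enum outcome { COPIED, COPIED_UNCHECKED, DAEMON_DEAD, REQUEST_FAILED };

/* dest_cap is the real size of dest; the original code only saw dest_len. */
static enum outcome push_ascii_model(enum policy p, char *dest, size_t dest_cap,
                                     const char *src, size_t dest_len)
{
    enum outcome rc = COPIED;
    if (dest_len == (size_t)-1) {
        switch (p) {
        case SUBSTITUTE:            /* old: assume the caller passed a pstring */
            dest_len = PSTRING_LEN; /* bound is now unrelated to dest_cap */
            rc = COPIED_UNCHECKED;
            break;
        case PANIC:                 /* patched: smb_panic() ends the process */
            return DAEMON_DEAD;
        case REJECT:                /* fail this request, keep the daemon up */
            return REQUEST_FAILED;
        }
    }
    if (dest_len == 0 || dest_cap == 0) return REQUEST_FAILED;
    /* Clamp to the true capacity only so this example stays memory-safe;
     * the hazard of the substituted length is reported through rc. */
    if (dest_len > dest_cap) dest_len = dest_cap;
    size_t n = strlen(src);
    if (n >= dest_len) n = dest_len - 1;
    memcpy(dest, src, n);
    dest[n] = '\0';
    return rc;
}

/* Serve a batch of requests (constructed lengths); returns how many were
 * handled before the daemon died, i.e. all of them unless PANIC met a -1. */
static int serve(enum policy p, const size_t *lens, int count)
{
    char buf[64];
    for (int i = 0; i < count; i++)
        if (push_ascii_model(p, buf, sizeof buf, "BHeil", lens[i]) == DAEMON_DEAD)
            return i;
    return count;
}
```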

John Dong (jdong) wrote :

Please don't take this as a criticism/flame; I mean it with all respect and seriousness. How did a regression such as this happen on Dapper/Edgy? If I understand the report correctly, Samba refuses to even start up with the updated package, which should've been caught with even a basic install test, right? Is adequate QA going into these updates?

Steve Langasek (vorlon) wrote :

Benjamin, the smbfs kernel driver is considered deprecated by Samba upstream. We of course need to continue to support it for existing releases, and upstream is working on a fix to samba for this issue which will be made available as soon as possible, but as a workaround you might consider instead using the cifs filesystem type, which is not affected by this issue.

Benjamin Heil (benjamin-heil) wrote :

Thank you very much for this information, Steve. I didn't know that smbfs is deprecated. I will change my config to cifs tomorrow.

John Dong (jdong) wrote :

Disregard my comment #10. I've been informed that this regression only happens with specific setups and understand how it could've easily slipped past testing.

Update manager won't let me upgrade to Gutsy without these updates. Is there any way for me to upgrade without them, or do I have to wait?

Apparently these packages have not been blocked on mirrors. I just got them installed in Gutsy:

2007-11-16 21:17:28 upgrade samba-common 3.0.26a-1ubuntu2 3.0.26a-1ubuntu2.1
2007-11-16 21:17:28 status half-configured samba-common 3.0.26a-1ubuntu2
2007-11-16 21:17:28 status unpacked samba-common 3.0.26a-1ubuntu2

(time is UTC + 1)

sources.list:
deb ftp://ftp.tudelft.nl/pub/Linux/archive.ubuntu.com/ gutsy-security main restricted

Nico Burns (nico-burns) wrote :

Thank you!

I actually got it to work:

Currently installing,

Now let's hope I don't get the bug and get locked out.

Albert Damen (albrt) wrote :

Hmm, I didn't add my comment for the purpose of overriding the blocking. It was aimed at the people who may be able to block this upgrade on mirrors as well. Hopefully things won't break for you.

Nico Burns (nico-burns) wrote :

Oh dear. Well, it works well, and nothing has broken for me.

NoOp (glgxg) wrote :

It appears that the block has not reached the mirrors yet. On a test machine (7.10) that I can afford to break, I just now allowed update manager to proceed. Using 'kernel.mirrors.org' the update proceeded and downloaded without errors, or a 403 msg. Install completed & samba appears to still be working, but I've only performed a cursory network share test.

Now my next concern will be those machines for customers & relatives that I have set to automatically download & install security updates... Looks like it might be a long weekend. :-(

Nico Burns (nico-burns) wrote :

Yep.

Luckily I have none of them.

Serge (serge-de-souza) wrote :

Is a new release going to be pushed without the broken packages in it?

James Collins (james-collins) wrote :

This problem has also affected me on my Dapper LTS system when I updated my system this morning.

Glad to hear I'm not the only one having the problem.

James Collins (james-collins) wrote :

I downgraded to the previous version using:

sudo aptitude install samba=3.0.22-1ubuntu3.3

and now everything seems ok again.

EzNet (zeroezezero) wrote :

@ NoOp
I am on 7.10 currently and the block is in effect for http://security.ubuntu.com/ubuntu/pool/main/s/samba/* now - Hopefully some of those family members were not immediately able to update (powered off, for instance). :)

I don't know what time the block went into effect for 7.10, but it is currently 'forbidding' the update...

jm (jm-pppp) wrote :

I have the same problem on an LTS (PPC Mac mini).
Please save me!!

Subject: Segfault in Samba
Date: Sat, 17 Nov 2007 09:57:06 +0100 (CET)
From: <email address hidden> (root)

The Samba 'panic action' script, /usr/share/samba/panic-action,
was called for pid 8635 (/usr/sbin/nmbd).

Below is a backtrace for this process generated with gdb, which shows
the state of the program at the time the error occurred.

If the problem persists, you are encouraged to first install the
samba-dbg package which contains the debugging symbols for samba
binaries. Then, submit the provided information as a bug report to Ubuntu.
For information about the procedure for submitting bug reports, please
see http://www.ubuntulinux.org/support/bugs/document_view

(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 805426016 (LWP 8635)]
0x0fc4f3a0 in waitpid () from /lib/libc.so.6
#0 0x0fc4f3a0 in waitpid () from /lib/libc.so.6
#1 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#2 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#3 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#4 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#5 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#6 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#7 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#8 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#9 0x0fbf4a2c in strtold_l () from /lib/libc.so.6
#10 0x0fbf4a2c in strtold_l () from /lib/libc.so.6

Changed in samba:
status: Unknown → In Progress
Matt Zimmerman (mdz) on 2007-11-17
description: updated
description: updated
Changed in samba:
status: In Progress → Fix Released
status: In Progress → Fix Released
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Updated packages are now available for all releases. Please see http://www.ubuntu.com/usn/usn-544-2 for more information.

Rod Roark (rod) wrote :

Good work Jamie. Thanks for jumping on this so quickly and getting it resolved. I doubt a DoS vulnerability in Samba is a big deal anyway, as it should not be normal (among Samba users at least) to expose shares to the public Internet.

NoOp (glgxg) wrote :

Just to confirm: today's updates went in smoothly over the updates that I'd allowed on my test machine yesterday. Samba is working both ways again. Further, those machines that I had set for automatic security updates are all working as well. Thanks for the quick resolution & look forward to a re-release on a corrected CVE-2007-4572.

Ian, have you tried doing an "sudo apt-get update" first because I can see newer versions of some of those packages in the repo:-

http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbclient_3.0.26a-1ubuntu2.2_i386.deb for example supersedes http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbclient_3.0.26a-1ubuntu2.1_i386.deb that you tried to get.

Alan Pope wrote:
> Ian, have you tried doing an "sudo apt-get update" first because I can
> see newer versions of some of those packages in the repo:-
>
> http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbclient_3.0.26a-
> 1ubuntu2.2_i386.deb for example supersedes
> http://security.ubuntu.com/ubuntu/pool/main/s/samba/smbclient_3.0.26a-
> 1ubuntu2.1_i386.deb that you tried to get.

Yup, I tried that, but to no avail. However, after another day my
desktop updated itself happily and my laptop (which had thrown up the
errors) suddenly became happy. I expect it was just a propagation delay
through the download servers.

Changed in samba:
status: In Progress → Fix Released
Changed in samba:
importance: Unknown → Critical