smbd crashed on startup with newest libtevent

Bug #1639962 reported by fate on 2016-11-07
This bug affects 17 people
Affects: samba | Status: Unknown | Importance: Unknown
Affects: samba (Ubuntu) | Importance: Critical | Assigned to: Nish Aravamudan

Bug Description

Current Ubuntu samba package (Version 4.4.5-Ubuntu) is affected by samba bug 12283
( https://bugzilla.samba.org/show_bug.cgi?id=12283 )

Seems to be fixed in samba 4.4.7

lsb_release:
Description: Ubuntu Zesty Zapus (development branch)
Release: 17.04
Codename: zesty

apt-cache policy samba
samba:
  Installed: 2:4.4.5+dfsg-2ubuntu6

Installed libtevent: 0.9.31

expected: samba start
what happened: smbd core dump


fate (warpman-gmx) wrote :

Also downgrading tevent via: dpkg -i libtevent0_0.9.28-1_amd64.deb also fixes it

Joshua Powers (powersj) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Was able to reproduce in a zesty lxd:

Nov 09 17:05:31 zesty systemd[1]: Started Samba SMB Daemon.
Nov 09 17:05:31 zesty systemd[1]: smbd.service: Failed to reset devices.list: Operation not permitted
Nov 09 17:05:31 zesty systemd[1]: smbd.service: Failed to set invocation ID on control group /system.slice/smbd.service, ignoring: Operation not permitted
Nov 09 17:05:31 zesty systemd[1]: smbd.service: Main process exited, code=dumped, status=6/ABRT
Nov 09 17:05:31 zesty systemd[1]: smbd.service: Unit entered failed state.
Nov 09 17:05:31 zesty systemd[1]: smbd.service: Failed with result 'core-dump'.

I'll add this to our bug work for the current release.

tags: added: server-next
Changed in samba (Ubuntu):
status: New → Incomplete
status: Incomplete → Triaged
importance: Undecided → High
importance: High → Critical

Nazar Mokrynskyi (nazar-pc) wrote :

I confirm the bug and workaround with downgrading to libtevent0

Adding 17.04 milestone to not accidentally slip into the release as this is Crit as Joshua already tagged it.

Changed in samba (Ubuntu):
milestone: none → ubuntu-17.04

dino99 (9d9) wrote :

With samba 2:4.4.6+dfsg-2 and libtevent0 0.9.31-1, the problem does not
occur anymore.

4.4.7 is also published; please sync asap as actual zz crash on each cold boot

http://metadata.ftp-master.debian.org/changelogs/main/s/samba/samba_4.4.7+dfsg-1_changelog

I see:
Nov 30 12:02:43 corrado-zesty2 systemd[1]: Starting Samba SMB Daemon...
Nov 30 12:02:43 corrado-zesty2 systemd[1]: smbd.service: Supervising process 8007 which is not our child. We'll most likely not notice when it exits.
Nov 30 12:02:43 corrado-zesty2 systemd[1768]: Starting Notification regarding a crash report...
Nov 30 12:02:43 corrado-zesty2 update-notifier-crash[8016]: smbd
Nov 30 12:02:43 corrado-zesty2 system-crash-no[8023]: GtkDialog mapped without a transient parent. This is discouraged.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Started Samba SMB Daemon.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Reloading.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: apt-daily.timer: Adding 11h 26min 43.202586s random time.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Reloading.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: apt-daily.timer: Adding 21min 19.329188s random time.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: smbd.service: Main process exited, code=dumped, status=6/ABRT
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Starting Samba NMB Daemon...
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Started Samba NMB Daemon.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Reloading.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: apt-daily.timer: Adding 5h 41min 38.092533s random time.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: smbd.service: Unit entered failed state.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: smbd.service: Failed with result 'core-dump'.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Reloading.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: apt-daily.timer: Adding 5h 55min 24.324242s random time.
Nov 30 12:02:45 corrado-zesty2 systemd[1]: Reloading.
Nov 30 12:02:45 corrado-zesty2 systemd[1]: apt-daily.timer: Adding 13min 1.967499s random time.
Nov 30 12:02:45 corrado-zesty2 systemd[1]: nmbd.service: Main process exited, code=dumped, status=6/ABRT
Nov 30 12:02:45 corrado-zesty2 systemd[1]: nmbd.service: Unit entered failed state.
Nov 30 12:02:45 corrado-zesty2 systemd[1]: nmbd.service: Failed with result 'core-dump'.
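
The journal excerpts in this thread identify the failure by the systemd line "Main process exited, code=dumped, status=6/ABRT", meaning the main process was terminated by signal 6 (SIGABRT) and dumped core. The following is an added example, not part of the original report or of Samba or Ubuntu tooling: it scans journal text for services whose main process dumped core. The function name find_core_dumps and the example.service line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: journal lines copied from the reports in this thread,
# plus one made-up clean exit (example.service) to show what is ignored.
SAMPLE_JOURNAL = """\
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Started Samba SMB Daemon.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: apt-daily.timer: Adding 21min 19.329188s random time.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: smbd.service: Main process exited, code=dumped, status=6/ABRT
Nov 30 12:02:44 corrado-zesty2 systemd[1]: Started Samba NMB Daemon.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: smbd.service: Unit entered failed state.
Nov 30 12:02:44 corrado-zesty2 systemd[1]: smbd.service: Failed with result 'core-dump'.
Nov 30 12:02:45 corrado-zesty2 systemd[1]: nmbd.service: Main process exited, code=dumped, status=6/ABRT
Nov 30 12:02:45 corrado-zesty2 systemd[1]: nmbd.service: Failed with result 'core-dump'.
Nov 30 12:02:45 corrado-zesty2 systemd[1]: example.service: Main process exited, code=exited, status=0/SUCCESS
"""

# <timestamp> <host> systemd[PID]: <unit>: Main process exited, code=<code>, status=<n>/<NAME>
EXIT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) systemd\[\d+\]: "
    r"(?P<unit>\S+\.service): Main process exited, "
    r"code=(?P<code>\w+), status=(?P<num>\d+)/(?P<name>\S+)$"
)


def find_core_dumps(journal_text):
    """Return {unit: [(timestamp, host, signal_name), ...]} for every
    service whose main process exited with code=dumped."""
    dumps = defaultdict(list)
    for line in journal_text.splitlines():
        m = EXIT_RE.match(line.strip())
        # code=exited and code=killed are other exit kinds; only a core
        # dump (code=dumped) is reported here.
        if m and m.group("code") == "dumped":
            dumps[m.group("unit")].append(
                (m.group("ts"), m.group("host"), m.group("name"))
            )
    return dict(dumps)


if __name__ == "__main__":
    for unit, events in sorted(find_core_dumps(SAMPLE_JOURNAL).items()):
        for ts, host, sig in events:
            print(f"{host} {ts} {unit} dumped core on SIG{sig}")
```
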

Nish Aravamudan (nacc) wrote :

We will merge samba at some point this release.

Changed in samba (Ubuntu):
assignee: nobody → Nish Aravamudan (nacc)

works fine on yakkety: samba (2:4.4.5+dfsg-2ubuntu5.2) yakkety

USD Importer (usd-importer-bot) wrote :

I have the samba merge ready to go, but we're blocked on needing a new merge of ldb.

@corradoventu: I'm confused that you say yakkety works fine.

The only difference between 2:4.4.5+dfsg-2ubuntu7 (zesty) and 2:4.4.5+dfsg-2ubuntu5.2 (yakkety) [note the same upstream base] is libpam-winbind and libnss-winbind being statically linked and winbindd compiled statically.

Reading the Debian bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=840382), it seems like yakkety works only because of the older libtevent.

So, since libtevent was updated in zesty, we need to update samba accordingly.

Nish Aravamudan (nacc) wrote :

Err, apologies for the confusing user above! My own fault for managing two accounts from the same system. Rest assured, that was actually me (nacc) and I will follow-up on it.

fate (warpman-gmx) wrote :

Thanks for the effort here!

Just out of curiosity, what version are you merging?

Samba is currently at 4.5.4 right?

Hoping it will help, I add nmbd crash

... and smbd crash

Nish Aravamudan (nacc) wrote :

Sorry for the delay! Yes, it will be 4.5.4 based.

-Nish

tags: added: zesty

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.5.4+dfsg-1ubuntu1

---------------
samba (2:4.5.4+dfsg-1ubuntu1) zesty; urgency=medium

  * Merge from Debian unstable (LP: #1659707, LP: #1639962). Remaining
    changes:
    + debian/VERSION.patch: Update vendor string to "Ubuntu".
    + debian/smb.conf;
      - Add "(Samba, Ubuntu)" to server string.
      - Comment out the default [homes] share, and add a comment about "valid users = %s"
         to show users how to restrict access to \\server\username to only username.
    + debian/samba-common.config:
      - Do not change priority to high if dhclient3 is installed.
    + Add apport hook:
      - Created debian/source_samba.py.
      - debian/rules, debia/samb-common-bin.install: install hook.
    + d/p/krb_zero_cursor.patch - apply proposed-upstream fix for
      pam_winbind krb5_ccache_type=FILE failure (LP #1310919)
    + debian/patches/winbind_trusted_domains.patch: make sure domain members
      can talk to trusted domains DCs.
      [ update patch based upon upstream discussion ]
    + d/p/fix-1584485.patch: Make libnss-winbind and libpam-winbind
      to be statically linked fixes LP #1584485.
    + d/rules: Compile winbindd/winbindd statically.
  * Drop:
    - Delete debian/.gitignore
    [ Previously undocumented ]
    - debian/patches/git_smbclient_cpu.patch:
      + backport upstream patch to fix smbclient users hanging/eating cpu on
        trying to contact a machine which is not there (lp #1572260)
    [ Fixed upstream ]
    - SECURITY UPDATE: remote code execution via heap overflow in NDR parsing
      + debian/patches/CVE-2016-2123.patch: check lengths in
        librpc/ndr/ndr_dnsp.c.
      + CVE-2016-2123
    [ Fixed in Debian ]
    - SECURITY UPDATE: unconditional privilege delegation to Kerberos servers
      + debian/patches/CVE-2016-2125.patch: don't use GSS_C_DELEG_FLAG in
        source4/scripting/bin/nsupdate-gss, source3/librpc/crypto/gse.c,
        source4/auth/gensec/gensec_gssapi.c.
      + CVE-2016-2125
    [ Fixed in Debian ]
    - SECURITY UPDATE: privilege elevation in Kerberos PAC validation
      + debian/patches/CVE-2016-2126.patch: only allow known checksum types
        in auth/kerberos/kerberos_pac.c.
      + CVE-2016-2126
    [ Fixed in Debian ]

 -- Nishanth Aravamudan <email address hidden> Thu, 26 Jan 2017 17:20:15 -0800

Changed in samba (Ubuntu):
status: Triaged → Fix Released

Installed: works fine; this solved also the problem in my Bug #1646096
Thanks
