[Lunar FFE]: Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases

Bug #2014052 reported by Marc Deslauriers
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| samba (Ubuntu) | Fix Released | High | Andreas Hasenack | |
| Focal | In Progress | Undecided | Marc Deslauriers | |
| Jammy | In Progress | Undecided | Marc Deslauriers | |
| Kinetic | In Progress | Undecided | Marc Deslauriers | |
| Lunar | Fix Released | High | Andreas Hasenack | |

Bug Description

Samba has released updates on 2023-03-29 that fix CVE-2023-0225, CVE-2023-0922 and CVE-2023-0614.

We should update Lunar to 4.17.7 as it only contains bug fixes since 4.17.5.

Release notes are here:

https://www.samba.org/samba/history/samba-4.17.6.html
https://www.samba.org/samba/history/samba-4.17.7.html

CVE-2023-0225: https://bugzilla.samba.org/show_bug.cgi?id=15276
CVE-2023-0922: https://bugzilla.samba.org/show_bug.cgi?id=15315
CVE-2023-0614: https://bugzilla.samba.org/show_bug.cgi?id=15270 (276 kB patch)

## PPA with a lunar update: https://launchpad.net/~ahasenack/+archive/ubuntu/lunar-samba-4177-merge/

## DEP8 results with above PPA

Recent updates to the samba package in lunar added more DEP8 test coverage, namely:
- Active Directory Domain Controller provisioning
- server join tests using an lxd container. These are done using adcli/sssd, and winbind.

What's definitely lacking in these tests is interoperability with actual Windows machines.

$ lp-test-ppa -l -r lunar ppa:ahasenack/lunar-samba-4177-merge -u
Tests for PPA lunar-samba-4177-merge: https://launchpad.net/~ahasenack/+archive/ubuntu/lunar-samba-4177-merge
---- ---- ---- ----
Release: lunar
Sources:
  SRC: samba @ 2:4.17.7+dfsg-1ubuntu1~ppa1 - Published
Triggers on published Sources:
Using Release Packages ♻️
  http://autopkgtest.ubuntu.com/request.cgi?release=lunar&package=samba&ppa=ahasenack/lunar-samba-4177-merge&arch=amd64&trigger=samba/2%3A4.17.7%2Bdfsg-1ubuntu1~ppa1
  http://autopkgtest.ubuntu.com/request.cgi?release=lunar&package=samba&ppa=ahasenack/lunar-samba-4177-merge&arch=s390x&trigger=samba/2%3A4.17.7%2Bdfsg-1ubuntu1~ppa1
  http://autopkgtest.ubuntu.com/request.cgi?release=lunar&package=samba&ppa=ahasenack/lunar-samba-4177-merge&arch=ppc64el&trigger=samba/2%3A4.17.7%2Bdfsg-1ubuntu1~ppa1
  http://autopkgtest.ubuntu.com/request.cgi?release=lunar&package=samba&ppa=ahasenack/lunar-samba-4177-merge&arch=arm64&trigger=samba/2%3A4.17.7%2Bdfsg-1ubuntu1~ppa1
  http://autopkgtest.ubuntu.com/request.cgi?release=lunar&package=samba&ppa=ahasenack/lunar-samba-4177-merge&arch=armhf&trigger=samba/2%3A4.17.7%2Bdfsg-1ubuntu1~ppa1
  http://autopkgtest.ubuntu.com/request.cgi?release=lunar&package=samba&ppa=ahasenack/lunar-samba-4177-merge&arch=riscv64&trigger=samba/2%3A4.17.7%2Bdfsg-1ubuntu1~ppa1

(...)

Results: (from http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/?format=plain)
  samba @ amd64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/amd64/s/samba/20230331_174545_44c99@/log.gz
    31.03.23 17:45:45 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  sssd @ amd64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/amd64/s/sssd/20230331_165534_492f7@/log.gz
    31.03.23 16:55:34 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  samba @ arm64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/arm64/s/samba/20230331_182212_a1240@/log.gz
    31.03.23 18:22:12 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  sssd @ arm64:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/arm64/s/sssd/20230331_170544_f64b1@/log.gz
    31.03.23 17:05:44 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  samba @ armhf:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/armhf/s/samba/20230331_165310_a1240@/log.gz
    31.03.23 16:53:10 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  sssd @ armhf:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/armhf/s/sssd/20230331_165759_62e4f@/log.gz
    31.03.23 16:57:59 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  samba @ ppc64el:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/ppc64el/s/samba/20230331_190345_0edba@/log.gz
    31.03.23 19:03:45 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  sssd @ ppc64el:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/ppc64el/s/sssd/20230331_182600_d9745@/log.gz
    31.03.23 18:26:00 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  samba @ s390x:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/s390x/s/samba/20230331_181255_11351@/log.gz
    31.03.23 18:12:55 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
  sssd @ s390x:
    http://autopkgtest.ubuntu.com/results/autopkgtest-lunar-ahasenack-lunar-samba-4177-merge/lunar/s390x/s/sssd/20230331_175403_929c5@/log.gz
    31.03.23 17:54:03 ✅ Triggers: samba/2:4.17.7+dfsg-1ubuntu1~ppa1
Running: (none)
Waiting: (none)

## DIFF
debdiff attached, or:

git ubuntu clone samba
cd samba
git ubuntu remote add ahasenack
git diff pkg/import/2%4.17.5+dfsg-2ubuntu3 ahasenack/lunar-samba-4177-merge

## REMARKS

DEP8 tests of samba and sssd (the latter, without a rebuild: it's sssd from the lunar archive) are green.

There are symbol additions to libldb2, which is getting bumped. In fact, the CVEs fixed in 4.17.7 are all about LDB.

The only non-samba reverse-dep of libldb2 is sssd. If this is accepted, maybe we should rebuild it just to be safe.

$ git diff pkg/import/2%4.17.5+dfsg-2ubuntu3 ahasenack/lunar-samba-4177-merge -- debian/*.symbols*
diff --git a/debian/libldb2.symbols b/debian/libldb2.symbols
index 45054de99c4..f042df4c639 100644
--- a/debian/libldb2.symbols
+++ b/debian/libldb2.symbols
@@ -78,6 +78,7 @@ libldb.so.2 #PACKAGE# #MINVER#
  LDB_2.5.0@LDB_2.5.0 2:2.5.0
  LDB_2.6.0@LDB_2.6.0 2:2.6.0
  LDB_2.6.1@LDB_2.6.1 2:2.6.1
+ LDB_2.6.2@LDB_2.6.2 2:2.6.2
  ldb_check_critical_controls@LDB_0.9.22 0.9.22
  ldb_controls_except_specified@LDB_0.9.22 0.9.22
  ldb_control_to_string@LDB_1.0.2 1.0.2~git20110403
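Review bot: the new LDB_2.6.2 version node is introduced here with minimum package version 2:2.6.2; every symbol added under that node in the later hunks should carry the same 2:2.6.2 minver, since that is the value dpkg-shlibdeps turns into the `libldb2 (>= 2:2.6.2)` dependency for anything that starts using the new functions. Worth a quick grep over the added lines before upload to confirm none slipped in with an older minver.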
@@ -167,6 +168,7 @@ libldb.so.2 #PACKAGE# #MINVER#
  ldb_extended@LDB_0.9.10 0.9.21
  ldb_extended_default_callback@LDB_0.9.10 0.9.21
  ldb_filter_attrs@LDB_2.0.1 2:2.0.1
+ ldb_filter_attrs_in_place@LDB_2.6.2 2:2.6.2
  ldb_filter_from_tree@LDB_0.9.10 0.9.21
  ldb_get_config_basedn@LDB_0.9.10 0.9.21
  ldb_get_create_perms@LDB_0.9.10 0.9.21
@@ -206,6 +208,7 @@ libldb.so.2 #PACKAGE# #MINVER#
  ldb_match_msg@LDB_0.9.10 0.9.21
  ldb_match_msg_error@LDB_0.9.15 0.9.21
  ldb_match_msg_objectclass@LDB_0.9.10 0.9.21
+ ldb_match_scope@LDB_2.6.2 2:2.6.2
  ldb_mod_register_control@LDB_0.9.10 0.9.21
  ldb_modify@LDB_0.9.10 0.9.21
  ldb_modify_default_callback@LDB_0.9.12 0.9.21
@@ -230,6 +233,7 @@ libldb.so.2 #PACKAGE# #MINVER#
  ldb_modules_list_from_string@LDB_0.9.10 0.9.21
  ldb_modules_load@LDB_0.9.18 0.9.21
  ldb_msg_add@LDB_0.9.10 0.9.21
+ ldb_msg_add_distinguished_name@LDB_2.6.2 2:2.6.2
  ldb_msg_add_empty@LDB_0.9.10 0.9.21
  ldb_msg_add_fmt@LDB_0.9.10 0.9.21
  ldb_msg_add_linearized_dn@LDB_0.9.10 0.9.21
@@ -255,6 +259,9 @@ libldb.so.2 #PACKAGE# #MINVER#
  ldb_msg_element_compare@LDB_0.9.10 0.9.21
  ldb_msg_element_compare_name@LDB_0.9.10 0.9.21
  ldb_msg_element_equal_ordered@LDB_1.1.6 1:1.1.6
+ ldb_msg_element_is_inaccessible@LDB_2.6.2 2:2.6.2
+ ldb_msg_element_mark_inaccessible@LDB_2.6.2 2:2.6.2
+ ldb_msg_elements_take_ownership@LDB_2.6.2 2:2.6.2
  ldb_msg_find_attr_as_bool@LDB_0.9.10 0.9.21
  ldb_msg_find_attr_as_dn@LDB_0.9.10 0.9.21
  ldb_msg_find_attr_as_double@LDB_0.9.10 0.9.21
@@ -272,8 +279,10 @@ libldb.so.2 #PACKAGE# #MINVER#
  ldb_msg_normalize@LDB_0.9.15 0.9.21
  ldb_msg_remove_attr@LDB_0.9.10 0.9.21
  ldb_msg_remove_element@LDB_0.9.10 0.9.21
+ ldb_msg_remove_inaccessible@LDB_2.6.2 2:2.6.2
  ldb_msg_rename_attr@LDB_0.9.10 0.9.21
  ldb_msg_sanity_check@LDB_0.9.10 0.9.21
+ ldb_msg_shrink_to_fit@LDB_2.6.2 2:2.6.2
  ldb_msg_sort_elements@LDB_0.9.10 0.9.21
  ldb_next_del_trans@LDB_0.9.10 0.9.21
  ldb_next_end_trans@LDB_0.9.10 0.9.21
@@ -294,12 +303,14 @@ libldb.so.2 #PACKAGE# #MINVER#
  ldb_parse_tree@LDB_0.9.10 0.9.21
  ldb_parse_tree_attr_replace@LDB_0.9.10 0.9.21
  ldb_parse_tree_copy_shallow@LDB_0.9.10 0.9.21
+ ldb_parse_tree_get_attr@LDB_2.6.2 2:2.6.2
  ldb_parse_tree_walk@LDB_1.1.2 1.1.2~
  ldb_qsort@LDB_0.9.10 0.9.21
  ldb_register_backend@LDB_0.9.10 0.9.21
  ldb_register_extended_match_rule@LDB_1.1.19 1:1.1.20
  ldb_register_hook@LDB_0.9.18 0.9.21
  ldb_register_module@LDB_0.9.10 0.9.21
+ ldb_register_redact_callback@LDB_2.6.2 2:2.6.2
  ldb_rename@LDB_0.9.10 0.9.21
  ldb_reply_add_control@LDB_0.9.10 0.9.21
  ldb_reply_get_control@LDB_0.9.10 0.9.21
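Review bot: across all libldb2.symbols hunks the change is purely additive (ldb_filter_attrs_in_place, ldb_match_scope, ldb_msg_add_distinguished_name, the ldb_msg_*inaccessible* helpers, ldb_msg_elements_take_ownership, ldb_msg_shrink_to_fit, ldb_parse_tree_get_attr, ldb_register_redact_callback) with no `-` lines, so this is an ABI extension rather than a break and no SONAME or package rename is needed. The remark in the description about rebuilding sssd still applies: a reverse-dependency only picks up the tightened `>= 2:2.6.2` relation when it is itself rebuilt, so a no-change rebuild is the way to make the archive metadata reflect the new library.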
diff --git a/debian/python3-ldb.symbols.in b/debian/python3-ldb.symbols.in
index df81fbd55f3..da17a512468 100755
--- a/debian/python3-ldb.symbols.in
+++ b/debian/python3-ldb.symbols.in
@@ -61,6 +61,7 @@
  PYLDB_UTIL_2.5.0@PYLDB_UTIL_2.5.0 2:2.5.0
  PYLDB_UTIL_2.6.0@PYLDB_UTIL_2.6.0 2:2.6.0
  PYLDB_UTIL_2.6.1@PYLDB_UTIL_2.6.1 2:2.6.1
+ PYLDB_UTIL_2.6.2@PYLDB_UTIL_2.6.2 2:2.6.2
  pyldb_Dn_FromDn@PYLDB_UTIL_1.1.2 2:2.0.7
  pyldb_Object_AsDn@PYLDB_UTIL_1.1.2 2:2.0.7
  pyldb_check_type@PYLDB_UTIL_2.1.0 2:2.1.0

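The remarks above check the symbols diff by eye. As an added example (not code from the bug report or from the samba/ldb packaging), here is a small parser for unified diffs of dpkg `.symbols` files that separates new version nodes from new symbols, flags any removed symbol as an ABI break, and collects the minimum package versions the additions carry. The embedded sample is a constructed excerpt of the libldb2.symbols hunks quoted in the description plus a hypothetical `libexample1.symbols` that drops a symbol, so both outcomes are exercised.

```python
"""Classify changes in a dpkg .symbols diff: new version nodes, added
symbols, removed symbols and the minimum package version each addition
carries. Added example; not code from the bug report or the ldb packaging."""
import re
from collections import defaultdict

# One .symbols entry: "<symbol>@<version node> <minimum package version>".
SYMBOL_RE = re.compile(r"^(?P<name>[^@\s]+)@(?P<node>\S+)\s+(?P<minver>\S+)")

# Constructed sample: an excerpt of the libldb2.symbols hunks from the bug
# description, plus a hypothetical libexample1.symbols that removes a symbol.
SAMPLE_DIFF = """\
diff --git a/debian/libldb2.symbols b/debian/libldb2.symbols
--- a/debian/libldb2.symbols
+++ b/debian/libldb2.symbols
@@ -78,6 +78,7 @@ libldb.so.2 #PACKAGE# #MINVER#
  LDB_2.6.1@LDB_2.6.1 2:2.6.1
+ LDB_2.6.2@LDB_2.6.2 2:2.6.2
  ldb_check_critical_controls@LDB_0.9.22 0.9.22
@@ -167,6 +168,7 @@ libldb.so.2 #PACKAGE# #MINVER#
  ldb_filter_attrs@LDB_2.0.1 2:2.0.1
+ ldb_filter_attrs_in_place@LDB_2.6.2 2:2.6.2
  ldb_filter_from_tree@LDB_0.9.10 0.9.21
@@ -294,12 +303,14 @@ libldb.so.2 #PACKAGE# #MINVER#
+ ldb_parse_tree_get_attr@LDB_2.6.2 2:2.6.2
+ ldb_register_redact_callback@LDB_2.6.2 2:2.6.2
  ldb_rename@LDB_0.9.10 0.9.21
diff --git a/debian/libexample1.symbols b/debian/libexample1.symbols
--- a/debian/libexample1.symbols
+++ b/debian/libexample1.symbols
@@ -1,4 +1,3 @@ libexample.so.1 #PACKAGE# #MINVER#
  example_init@Base 1.0
- example_old_fn@Base 1.0
  example_run@Base 1.0
"""


def parse_symbols_diff(diff_text):
    """Return {path: {"added": [(name, node, minver)], "removed": [...]}}."""
    changes = defaultdict(lambda: {"added": [], "removed": []})
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            # New-side file header; strip the "b/" prefix git adds.
            path = line[4:].strip()
            path = path[2:] if path.startswith("b/") else path
            continue
        if line.startswith(("--- ", "@@", "diff ", "index ")):
            continue
        if path is None or not line or line[0] not in "+-":
            continue  # context line or something outside a file section
        m = SYMBOL_RE.match(line[1:].strip())
        if not m:
            continue  # e.g. "#MISSING:" annotations; not symbol entries
        bucket = "added" if line[0] == "+" else "removed"
        changes[path][bucket].append((m["name"], m["node"], m["minver"]))
    return dict(changes)


def abi_report(changes):
    """Summarise each file and give a verdict: unchanged, additions or abi-break."""
    report = {}
    for path, ch in changes.items():
        # A version node is an entry whose symbol name equals its node name.
        nodes = sorted({n for n, node, _ in ch["added"] if n == node})
        added = sorted(n for n, node, _ in ch["added"] if n != node)
        removed = sorted(n for n, _, _ in ch["removed"])
        minvers = sorted({v for _, _, v in ch["added"]})
        # Dropped symbols break anything linked against them (SONAME bump
        # territory); additions only tighten the >= version that
        # dpkg-shlibdeps computes for consumers of the new symbols.
        if removed:
            verdict = "abi-break"
        elif added or nodes:
            verdict = "additions"
        else:
            verdict = "unchanged"
        report[path] = {
            "new_version_nodes": nodes,
            "added_symbols": added,
            "removed_symbols": removed,
            "min_versions": minvers,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for path, info in abi_report(parse_symbols_diff(SAMPLE_DIFF)).items():
        print(path)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

Feed it the output of the `git diff ... -- debian/*.symbols*` command from the description (via stdin or a file) to get the same classification for the real debdiff; a single `min_versions` entry equal to the new upstream version is the expected shape for a clean additive bump.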
Changed in samba (Ubuntu Focal):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Jammy):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Kinetic):
status: New → In Progress
assignee: nobody → Marc Deslauriers (mdeslaur)
description: updated
Andreas Hasenack (ahasenack) wrote :

debdiff

You can also see it in git, with something like:

git ubuntu clone samba
cd samba
git ubuntu remote add ahasenack
git diff pkg/import/2%4.17.5+dfsg-2ubuntu3 ahasenack/lunar-samba-4177-merge

or your preferred workflow/cmdline options.

Andreas Hasenack (ahasenack) wrote :

aham

description: updated
Changed in samba (Ubuntu Lunar):
status: New → In Progress
assignee: nobody → Andreas Hasenack (ahasenack)
importance: Undecided → High
description: updated
description: updated
description: updated
description: updated
description: updated
summary: - Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases
+ FFE: Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases
summary: - FFE: Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases
+ [Lunar FFE]: Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases
description: updated
description: updated
Graham Inggs (ginggs) wrote :

FFe granted, please go ahead for Lunar.

Changed in samba (Ubuntu Lunar):
status: In Progress → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.17.7+dfsg-1ubuntu1

---------------
samba (2:4.17.7+dfsg-1ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable (LP: #2014052). Remaining changes:
    - debian/control: Ubuntu i386 binary compatibility:
      + drop ceph support
      + enable the liburing vfs module, except on i386 where liburing is
        not available
      + build-depend on libglusterfs-dev only on !i386 arches
    - d/t/control, d/t/util,d/t/samba-ad-dc-provisioning-internal-dns:
      samba AD DC provisioning and domain join tests with internal DNS
      (LP #1977746, LP #2011745)

 -- Andreas Hasenack <email address hidden> Fri, 31 Mar 2023 15:26:11 -0300

Changed in samba (Ubuntu Lunar):
status: Triaged → Fix Released