2016-05-22 15:39:58 |
Rafael David Tinoco |
bug |
|
|
added bug |
2016-05-22 15:40:05 |
Rafael David Tinoco |
samba (Ubuntu): status |
New |
Confirmed |
|
2016-05-22 15:40:26 |
Rafael David Tinoco |
samba (Ubuntu): assignee |
|
Rafael David Tinoco (inaddy) |
|
2016-05-22 15:40:32 |
Rafael David Tinoco |
samba (Ubuntu): importance |
Undecided |
High |
|
2016-05-22 15:41:56 |
Rafael David Tinoco |
description |
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
"""
$ sudo apt-get --only-upgrade install samba
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
libhdb9-heimdal libkdc2-heimdal libntdb1 python-ntdb
Use 'apt-get autoremove' to remove them.
The following extra packages will be installed:
libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
python-ldb python-samba python-tdb samba-common samba-common-bin
samba-dsdb-modules samba-libs samba-vfs-modules winbind
Suggested packages:
bind9 bind9utils ldb-tools smbldap-tools heimdal-clients
The following packages will be upgraded:
libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
python-ldb python-samba python-tdb samba samba-common samba-common-bin
samba-dsdb-modules samba-libs samba-vfs-modules winbind
16 upgraded, 0 newly installed, 0 to remove and 219 not upgraded.
Need to get 8,877 kB of archives.
After this operation, 5,632 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-ldb amd64 1:1.1.24-0ubuntu0.14.04.1 [29.2 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-tdb amd64 1.3.8-0ubuntu0.14.04.1 [10.8 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtdb1 amd64 1.3.8-0ubuntu0.14.04.1 [38.3 kB]
Get:4 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtevent0 amd64 0.9.28-0ubuntu0.14.04.1 [26.2 kB]
Get:5 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-dsdb-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [219 kB]
Get:6 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libnss-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [12.6 kB]
Get:7 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libpam-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [28.2 kB]
Get:8 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [411 kB]
Get:9 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libwbclient0 amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [30.8 kB]
Get:10 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [903 kB]
Get:11 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common-bin amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [508 kB]
Get:12 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common all 2:4.3.9+dfsg-0ubuntu0.14.04.1 [82.9 kB]
Get:13 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [1,068 kB]
Get:14 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-vfs-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [259 kB]
Get:15 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-libs amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [5,144 kB]
Get:16 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libldb1 amd64 1:1.1.24-0ubuntu0.14.04.1 [107 kB]
Fetched 8,877 kB in 14s (594 kB/s)
Preconfiguring packages ...
(Reading database ... 115393 files and directories currently installed.)
Preparing to unpack .../python-ldb_1%3a1.1.24-0ubuntu0.14.04.1_amd64.deb ...
Unpacking python-ldb (1:1.1.24-0ubuntu0.14.04.1) over (1:1.1.16-1ubuntu0.1) ...
Preparing to unpack .../python-tdb_1.3.8-0ubuntu0.14.04.1_amd64.deb ...
Unpacking python-tdb (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ...
Preparing to unpack .../libtdb1_1.3.8-0ubuntu0.14.04.1_amd64.deb ...
Unpacking libtdb1:amd64 (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ...
Preparing to unpack .../libtevent0_0.9.28-0ubuntu0.14.04.1_amd64.deb ...
Unpacking libtevent0:amd64 (0.9.28-0ubuntu0.14.04.1) over (0.9.19-1) ...
Preparing to unpack .../samba-dsdb-modules_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ...
Unpacking samba-dsdb-modules (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ...
Preparing to unpack .../libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ...
Unpacking libnss-winbind:amd64 (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ...
dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
subprocess dpkg-deb --control returned error exit status 2
dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
dpkg: error processing archive /var/cache/apt/archives/winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
subprocess dpkg-deb --control returned error exit status 2
dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
dpkg: error processing archive /var/cache/apt/archives/libwbclient0_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
subprocess dpkg-deb --control returned error exit status 2
dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
"""
Leading into an unusable system.
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
"""
"""
Leading into an unusable system in the following state:
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
|
2016-05-22 15:42:34 |
Rafael David Tinoco |
description |
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
"""
"""
Leading into an unusable system in the following state:
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
|
2016-05-22 15:49:12 |
Rafael David Tinoco |
bug |
|
|
added subscriber Marc Deslauriers |
2016-05-22 15:49:30 |
Rafael David Tinoco |
nominated for series |
|
Ubuntu Trusty |
|
2016-05-22 15:49:30 |
Rafael David Tinoco |
nominated for series |
|
Ubuntu Precise |
|
2016-05-22 21:30:23 |
Dominique Poulain |
bug |
|
|
added subscriber Dominique Poulain |
2016-05-24 19:43:32 |
Rafael David Tinoco |
nominated for series |
|
Ubuntu Wily |
|
2016-05-24 19:43:43 |
Rafael David Tinoco |
nominated for series |
|
Ubuntu Yakkety |
|
2016-05-24 19:43:43 |
Rafael David Tinoco |
nominated for series |
|
Ubuntu Xenial |
|
2016-05-25 02:26:28 |
Rafael David Tinoco |
attachment added |
|
trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669815/+files/trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff |
|
2016-05-25 02:27:18 |
Rafael David Tinoco |
attachment added |
|
wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669816/+files/wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff |
|
2016-05-25 02:27:32 |
Rafael David Tinoco |
attachment added |
|
xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669817/+files/xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff |
|
2016-05-25 02:27:44 |
Rafael David Tinoco |
attachment added |
|
yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669818/+files/yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff |
|
2016-05-25 02:31:32 |
Rafael David Tinoco |
description |
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
[Impact]
* Upgrading samba when using winbind as NSS can lead to loosing OS.
* Probable not noticed if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
* Comment #1 (to upgrade samba)
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
|
2016-05-25 02:34:48 |
Rafael David Tinoco |
bug |
|
|
added subscriber Ubuntu Security Sponsors Team |
2016-05-25 02:34:56 |
Rafael David Tinoco |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2016-05-25 02:35:07 |
Rafael David Tinoco |
tags |
|
sts |
|
2016-05-25 02:36:04 |
Rafael David Tinoco |
description |
[Impact]
* Upgrading samba when using winbind as NSS can lead to loosing OS.
* Probable not noticed if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
* Comment #1 (to upgrade samba)
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
* Comment #1 (to upgrade samba)
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
|
2016-05-27 19:19:00 |
Rafael David Tinoco |
samba (Ubuntu): status |
Confirmed |
In Progress |
|
2016-06-06 19:55:38 |
Mathew Hodson |
tags |
sts |
patch sts |
|
2016-06-17 16:18:32 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2016-06-19 15:12:47 |
Marc Deslauriers |
removed subscriber Ubuntu Security Sponsors Team |
|
|
|
2016-06-19 15:13:01 |
Marc Deslauriers |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2016-07-07 01:14:58 |
Michael Hudson-Doyle |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2016-07-08 07:23:08 |
Louis Bouchard |
samba (Ubuntu): assignee |
Rafael David Tinoco (inaddy) |
Louis Bouchard (louis-bouchard) |
|
2016-08-02 14:24:35 |
Eric Desrochers |
bug watch added |
|
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287 |
|
2016-08-05 20:28:33 |
Eric Desrochers |
bug |
|
|
added subscriber Eric Desrochers |
2016-10-17 14:11:52 |
Jorge Niedbalski |
description |
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
* Comment #1 (to upgrade samba)
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
7.1) sudo restart smbd
7.2) sudo restart nmbd
7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
7) sudo apt-get install samba winbind libnss-winbind libpam-winbind
While installing, you will see things similar to this :
> Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
> dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (-
> -unpack):
> subprocess dpkg-deb --control returned error exit status 2
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
|
2016-10-17 14:12:08 |
Jorge Niedbalski |
samba (Ubuntu): assignee |
Louis Bouchard (louis-bouchard) |
Jorge Niedbalski (niedbalski) |
|
2016-10-17 14:29:17 |
Louis Bouchard |
bug task added |
|
samba (Ubuntu Precise) |
|
2016-10-17 14:29:27 |
Louis Bouchard |
bug task added |
|
samba (Ubuntu Trusty) |
|
2016-10-17 14:29:45 |
Louis Bouchard |
bug task added |
|
samba (Ubuntu Xenial) |
|
2016-10-17 14:29:52 |
Louis Bouchard |
bug task added |
|
samba (Ubuntu Yakkety) |
|
2016-10-17 14:41:48 |
Dariusz Gadomski |
bug |
|
|
added subscriber Dariusz Gadomski |
2016-10-17 18:22:53 |
Jorge Niedbalski |
attachment added |
|
Trusty Patch https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4762628/+files/fix-1584485-trusty.debdiff |
|
2016-10-17 18:26:08 |
Jorge Niedbalski |
samba (Ubuntu Trusty): status |
New |
In Progress |
|
2016-10-17 18:26:11 |
Jorge Niedbalski |
samba (Ubuntu Trusty): importance |
Undecided |
High |
|
2016-10-17 18:26:15 |
Jorge Niedbalski |
samba (Ubuntu Trusty): assignee |
|
Jorge Niedbalski (niedbalski) |
|
2016-10-18 15:36:04 |
Jorge Niedbalski |
bug task deleted |
samba (Ubuntu Precise) |
|
|
2016-10-18 15:36:15 |
Jorge Niedbalski |
samba (Ubuntu Xenial): status |
New |
In Progress |
|
2016-10-18 15:36:35 |
Jorge Niedbalski |
samba (Ubuntu Xenial): importance |
Undecided |
High |
|
2016-10-18 15:36:38 |
Jorge Niedbalski |
samba (Ubuntu Xenial): assignee |
|
Jorge Niedbalski (niedbalski) |
|
2016-10-18 15:40:33 |
Jorge Niedbalski |
attachment added |
|
Yakkety Patch for 1584485 https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4763305/+files/fix-1584485-yakkety.debdiff |
|
2016-10-18 15:49:26 |
Jorge Niedbalski |
attachment added |
|
Xenial Patch for 1584485 https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4763313/+files/fix-1584485-xenial.debdiff |
|
2016-10-18 15:51:46 |
Jorge Niedbalski |
attachment removed |
trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669815/+files/trusty_samba_4.3.9+dfsg-0ubuntu0.14.04.2.debdiff |
|
|
2016-10-18 15:52:00 |
Jorge Niedbalski |
attachment removed |
wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669816/+files/wily_samba_4.3.9+dfsg-0ubuntu0.15.10.2.debdiff |
|
|
2016-10-18 15:52:13 |
Jorge Niedbalski |
attachment removed |
xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669817/+files/xenial_samba_4.3.9+dfsg-0ubuntu0.16.04.2.debdiff |
|
|
2016-10-18 15:52:25 |
Jorge Niedbalski |
attachment removed |
yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4669818/+files/yakkety_samba_4.3.8+dfsg-0ubuntu2.debdiff |
|
|
2016-10-25 14:30:35 |
Martin Pitt |
bug task added |
|
samba (Debian) |
|
2016-10-26 06:24:51 |
Bug Watch Updater |
samba (Debian): status |
Unknown |
New |
|
2016-11-05 05:41:39 |
Launchpad Janitor |
samba (Ubuntu): status |
In Progress |
Fix Released |
|
2016-11-09 22:26:50 |
Martin Pitt |
samba (Ubuntu Yakkety): status |
In Progress |
Fix Committed |
|
2016-11-09 22:26:52 |
Martin Pitt |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2016-11-09 22:26:55 |
Martin Pitt |
bug |
|
|
added subscriber SRU Verification |
2016-11-09 22:26:58 |
Martin Pitt |
tags |
patch sts |
patch sts verification-needed |
|
2016-11-10 10:40:44 |
Martin Pitt |
samba (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2016-11-10 11:02:27 |
Martin Pitt |
samba (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2016-11-10 19:29:36 |
Jorge Niedbalski |
tags |
patch sts verification-needed |
patch sts verification-done-trusty verification-needed |
|
2016-11-23 13:47:17 |
Launchpad Janitor |
samba (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2016-11-24 12:41:25 |
Ian Gordon |
bug |
|
|
added subscriber Ian Gordon |
2016-11-24 15:06:36 |
Martin Pitt |
samba (Ubuntu Trusty): status |
Fix Released |
In Progress |
|
2016-11-24 15:06:53 |
Martin Pitt |
tags |
patch sts verification-done-trusty verification-needed |
patch sts verification-failed verification-needed |
|
2016-11-24 15:07:00 |
Martin Pitt |
tags |
patch sts verification-failed verification-needed |
patch sts verification-failed |
|
2016-11-24 15:38:01 |
Robert Euhus |
bug |
|
|
added subscriber Robert Euhus |
2016-11-25 12:55:47 |
Robie Basak |
description |
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case]
1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
7.1) sudo restart smbd
7.2) sudo restart nmbd
7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
7) sudo apt-get install samba winbind libnss-winbind libpam-winbind
While installing, you will see things similar to this :
> Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
> dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (-
> -unpack):
> subprocess dpkg-deb --control returned error exit status 2
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
[Impact]
* Upgrading samba when using winbind as NSS service can break OS.
* Probably not triggered if "compat" is BEFORE "winbind" in nsswitch.conf.
* Huge impact due to big version different between winbind and libraries.
[Test Case 1]
Verify that the regression reported in bug 1644428 has not recurred.
[Test Case 2]
1) Start an ubuntu Trusty container
2) cp /etc/apt/sources.list /etc/apt/sources.list.back
3) Disable the trusty-updates and trusty-security archives in /etc/apt/sources.list
4) sudo apt-get update
5) sudo apt-get install samba winbind libnss-winbind libpam-winbind
6) Set /etc/nsswitch.conf to : passwd: winbind compat
7) Restart the services
7.1) sudo restart smbd
7.2) sudo restart nmbd
7.3) sudo restart winbind
8) cp /etc/apt/sources.list.back /etc/apt/sources.list
9) sudo apt-get update
7) sudo apt-get install samba winbind libnss-winbind libpam-winbind
While installing, you will see things similar to this :
> Unpacking libnss-winbind:amd64 (2:4.3.11+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2) ...
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
> dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.11+dfsg-0ubuntu0.14.04.1_amd64.deb (-
> -unpack):
> subprocess dpkg-deb --control returned error exit status 2
> dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
[Regression Potential]
* "preinst" and "postrm" maintainer scripts are acting only in "upgrade"
* uninstalling packages and reinstalling would bypass this change
[Other Info]
* Original Bug Description:
It was brought to my attention that, because of latest security fixes for samba:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
when library symbols changed, a samba upgrade MAY jeopardize an entire Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service (specially if used before compat mechanism).
----
How to reproduce easily:
$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat
(winbind is usually used after compat, in this case it was used before)
to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
$ sudo apt-get update
and FINALLY:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1
Leading into an unusable system in the following state:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2
## state
Workaround:
DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with "pam-auth-update") before ANY attempt of upgrading samba to latest version. |
|
2016-11-25 14:56:04 |
Robert Euhus |
attachment added |
|
Samba/Winbind config file /etc/samba/smb.conf https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783042/+files/smb.conf |
|
2016-11-25 14:57:58 |
Robert Euhus |
attachment added |
|
/etc/security/pam_winbind.conf https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783043/+files/pam_winbind.conf |
|
2016-11-25 14:58:47 |
Robert Euhus |
attachment added |
|
/etc/pam.d/common-auth https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783044/+files/common-auth |
|
2016-11-25 14:59:09 |
Robert Euhus |
attachment added |
|
/etc/pam.d/common-account https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783045/+files/common-account |
|
2016-11-25 14:59:37 |
Robert Euhus |
attachment added |
|
/etc/pam.d/common-session https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783046/+files/common-session |
|
2016-11-25 15:00:30 |
Robert Euhus |
attachment added |
|
/etc/pam.d/common-password https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783048/+files/common-password |
|
2016-11-25 15:01:15 |
Robert Euhus |
attachment added |
|
/etc/nsswitch.conf https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783062/+files/nsswitch.conf |
|
2016-11-25 15:30:51 |
Robert Euhus |
attachment added |
|
/var/log/auth.log https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783092/+files/auth.log |
|
2016-11-25 15:31:39 |
Robert Euhus |
attachment added |
|
/var/log/samba/log.winbindd https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783093/+files/log.winbindd |
|
2016-11-25 15:32:07 |
Robert Euhus |
attachment added |
|
/var/log/samba/log.wb-MYAD https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4783094/+files/log.wb-MYAD |
|
2016-12-19 16:48:51 |
Launchpad Janitor |
samba (Ubuntu Trusty): status |
In Progress |
Fix Released |
|
2016-12-19 16:48:51 |
Launchpad Janitor |
cve linked |
|
2016-2123 |
|
2016-12-19 16:48:51 |
Launchpad Janitor |
cve linked |
|
2016-2125 |
|
2016-12-19 16:48:51 |
Launchpad Janitor |
cve linked |
|
2016-2126 |
|
2017-06-14 08:10:46 |
Mathieu Parent |
bug |
|
|
added subscriber Mathieu Parent |
2017-07-13 14:09:53 |
Andreas Hasenack |
attachment added |
|
fix-1584485-take2.patch https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+attachment/4914111/+files/fix-1584485-take2.patch |
|
2017-07-13 14:14:40 |
Andreas Hasenack |
samba (Ubuntu): status |
Fix Released |
Triaged |
|
2017-07-13 14:16:30 |
Andreas Hasenack |
samba (Ubuntu): status |
Triaged |
Incomplete |
|
2017-07-13 14:16:38 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2019-05-18 16:56:35 |
Rafael David Tinoco |
removed subscriber Rafael David Tinoco |
|
|
|
2022-10-23 19:58:20 |
Andrew Bartlett |
bug watch added |
|
https://bugzilla.samba.org/show_bug.cgi?id=14780 |
|
2022-10-24 11:49:40 |
Bug Watch Updater |
samba (Debian): status |
New |
Fix Released |
|
2022-11-01 10:48:19 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Bionic |
|
2022-11-01 10:48:19 |
Lucas Kanashiro |
bug task added |
|
samba (Ubuntu Bionic) |
|
2022-11-01 10:48:19 |
Lucas Kanashiro |
nominated for series |
|
Ubuntu Focal |
|
2022-11-01 10:48:19 |
Lucas Kanashiro |
bug task added |
|
samba (Ubuntu Focal) |
|
2022-11-01 10:48:41 |
Lucas Kanashiro |
samba (Ubuntu): status |
Incomplete |
Fix Released |
|
2022-11-01 10:48:45 |
Lucas Kanashiro |
samba (Ubuntu Bionic): status |
New |
Triaged |
|
2022-11-01 10:48:48 |
Lucas Kanashiro |
samba (Ubuntu Focal): status |
New |
Triaged |
|
2022-11-01 10:49:58 |
Lucas Kanashiro |
bug |
|
|
added subscriber Ubuntu Server |