Bug#1001068: samba: Missing upstream commit 0a546be0 on bullseye, bookworm and sid (part of CVE-2020-25717)

[Jörg Behrmann]

Package: samba
Version: 2:4.13.13+dfsg-1~deb11u2
Severity: important
X-Debbugs-Cc: te...@security.debian.org

The upstream samba commit 0a546be0 is included in the buster security release
2:4.9.5+dfsg-5+deb10u2 via the patch file bug-14901-v4-9.patch, but is missing
in the bullseye security release 2:4.13.13+dfsg-1~deb11u2.

Pleae apply that patch in bullseye as well, so that the idmap_nss fallback via
SID mapping works.

-- Package-specific info:
* /etc/samba/smb.conf present, but not attached
* /var/lib/samba/dhcp.conf not present

-- System Information:
Debian Release: 11.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-8-amd64 (SMP w/48 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages samba depends on:
ii adduser 3.118
ii dpkg 1.20.9
ii init-system-helpers 1.60
ii libbsd0 0.11.3-1
ii libc6 2.31-13+deb11u2
ii libgnutls30 3.7.1-5
ii libldb2 2:2.2.3-2~deb11u1
ii libpam-modules 1.4.0-9+deb11u1
ii libpam-runtime 1.4.0-9+deb11u1
ii libpopt0 1.18-2
ii libpython3.9 3.9.2-1
ii libtalloc2 2.3.1-2+b1
ii libtasn1-6 4.16.0-2
ii libtdb1 1.4.3-1+b1
ii libtevent0 0.10.2-1
ii libwbclient0 2:4.13.13+dfsg-1~deb11u2
ii lsb-base 11.1.0
ii procps 2:3.3.17-5
ii python3 3.9.2-3
ii python3-dnspython 2.0.0-1
ii python3-samba 2:4.13.13+dfsg-1~deb11u2
ii samba-common 2:4.13.13+dfsg-1~deb11u2
ii samba-common-bin 2:4.13.13+dfsg-1~deb11u2
ii samba-libs 2:4.13.13+dfsg-1~deb11u2
ii tdb-tools 1.4.3-1+b1

Versions of packages samba recommends:
ii attr 1:2.4.48-6
ii logrotate 3.18.0-2
ii python3-markdown 3.3.4-1
pn samba-dsdb-modules <none>
pn samba-vfs-modules <none>

Versions of packages samba suggests:
pn bind9 <none>
pn bind9utils <none>
pn ctdb <none>
pn ldb-tools <none>
pn ntp | chrony <none>
pn smbldap-tools <none>
pn ufw <none>
ii winbind 2:4.13.13+dfsg-1~deb11u2

-- no debconf information

[Salvatore Bonaccorso]

On Fri, Dec 03, 2021 at 03:44:02PM +0100, Jörg Behrmann wrote:
> Package: samba
> Version: 2:4.13.13+dfsg-1~deb11u2
> Severity: important
> X-Debbugs-Cc: te...@security.debian.org
>
> The upstream samba commit 0a546be0 is included in the buster security release
> 2:4.9.5+dfsg-5+deb10u2 via the patch file bug-14901-v4-9.patch, but is missing
> in the bullseye security release 2:4.13.13+dfsg-1~deb11u2.
>
> Pleae apply that patch in bullseye as well, so that the idmap_nss fallback via
> SID mapping works.

It would be sensible indeed to apply
https://bugzilla.samba.org/show_bug.cgi?id=14901#c9 as well for
bullseye to not regress in this case.

Can you push such a change to bullseye-pu (not via security) given the
point release window for uploads is closing on next weekend?

https://lists.debian.org/795fc739fd9f27e75975ecf...@adam-barratt.org.uk

Regards,
Salvatore

[Paul Gevers]

Dear all,

On Fri, 03 Dec 2021 15:44:02 +0100 =?utf-8?q?J=C3=B6rg_Behrmann?=
<behr...@physik.fu-berlin.de> wrote:
> The upstream samba commit 0a546be0 is included in the buster security release
> 2:4.9.5+dfsg-5+deb10u2 via the patch file bug-14901-v4-9.patch, but is missing
> in the bullseye security release 2:4.13.13+dfsg-1~deb11u2.

This bug shows up in the list of RC bugs for bookworm, because according
to the fixed versions, it still applies to unstable and testing. I
*assume* this has been fixed in the mean time in unstable. It would be
great if somebody could confirm that, ideally with the appropriate
"Control: -1 fixed ....." line at the start of the mail.

Paul