
Re: Serious security hole in Samba



> >OK, apparently in your case gcc was able to link the final binary.
> >On my system, gcc wasn't able to do so, and probably rightly so.
> 
> Why is it right to have a failed link in your system and a successful one in
> mine? I don't want to be rude, I just want to know.

My argument is: your linked binary is not "successful". It linked, but
it _may_ segfault (and is actually quite likely to do so, in strange
places).

> >I don't know what it was, but I suspect it had to do with my system
> >being very recent-unstable. On a pure bo system, I was able to create
> >a libc5 binary, but on my system I couldn't create the libc5 binary 
> >either.
> 
> I don't think things are stable enough these days to do both libc5 and
> libc6 development in the same machine. I might be wrong, of course.

I've been doing fine with everything else. But the libraries _have_
to be explicitly linked against some version of libc, and at the
moment libpam isn't, so that's probably where it goes wrong.

$ ldd ./libpam*.so.*.*
./libpam.so.0.56:
        statically linked
./libpam_misc.so.0.56:
        statically linked

Every other library or library-dev that samba uses. Quite a few.

> >Note that you _do_ have "hidden" libc5 dependencies, as libpam depends
> >on libc5. Only not explicit, so ldd doesn't notice (and ld.so doesn't
> >notice, you only may notice after a while with segfaults or whatever).
> 
> Sounds reasonable.

This is what I mean by an "unsuccessful" binary: OK, there is a binary,
but it's not quite right.

> >Yeah, a lot of programmes appear to run fine this way. But that really
> >must be just luck, and I also know programmes that fail in very
> >mysterious ways. I wouldn't want debian's security fix-release of
> >samba to be one of those.
> 
> What is worse: a program that "might" seg. fault or a program with a
> security hole that allows any user to gain full root access? I choose the
> program that might seg. fault.
> 
> The facts I see are: 1) building a Samba libc5 package is trivial, 2) a new
> Samba package that takes care of the security hole is mandatory and 3) a
> Samba libc6 package may not be stable.
Ah, here's my take:
  1 building a libc5 package is _not_ trivial on my system. (it is trivial
    on a pure bo system, but not on mine. I don't know why, but that's
    just what I noticed).
  2 Yes, it's mandatory.
  3 A samba libc6 package should be just as stable as a libc5 one.
    But then I mean a _right_ libc6 package, linked against a libc6
    libpam, (and all the other lib* should be libc6 too). 

> My question is: what should be
> uploaded to hamm? This libc5 version (an exception has to be made)? Or
> perhaps the possibly broken libc6 version?

The libc5 version, until libpam etc are compiled for libc6.

Notice that, although by just daily work the samba binary you've got
may seem to work nicely, it may well be easy to find segfaults in
your samba package by just looking at the source, and finding places
where libc5/libc6 variable sizes mismatch. After you've found such a
place, it may also be easy to exploit this hole. So, I'd consider
a mixed libc6/libc5 binary insecure.

> >... This must be because my libc5/libc6
> >libraries are somewhat more recent than yours, and have more explicit
> >libc dependencies. (I upgraded my unstable system only last friday).
> 
> I have just checked on ftp.debian.org for newest versions of libc5 and
> libc6. I have the latest versions installed in my system. Same for -dev.
> Is there anything else I should check?

Every other library or library-dev that samba uses. Quite a few.

> >But the mixed libc5/libc6 samba you have really cannot be thought
> >of as "truly" stable (OK, it appears to work, but given that there
> >is such a big opportunity for segfaults, I wouldn't think it's any
> >safer than what we had before).
> 
> OK that's fine but if a package compiled against libc6 is not released how
> are you going to find out if it is broken or what is broken? I think the
> package should be released so users can test it and provide feedback.

As I say above, I do want the libc6 package released. But not one
that is linked against both libc5 and libc6 libraries. Take over
or upgrade libpam* (and the other libraries) first, and then release
a samba package linked against libc6.

> Anyway, what seems to be missing for a complete libc6 Samba package is a
> libc6 libpam package. Do you know if the maintainer of this package is
> releasing a libc6 version soon?


$ dpkg -s libpam0|grep Maintainer
Maintainer: Klee Dienes <klee@debian.org>
$ dpkg -s samba|grep Maintainer
Maintainer: Klee Dienes <klee@debian.org>

Does that say enough? (that's all I know, though).


(and, from another email):

> Hi Joost,
> 
> so will you take it?

I never intended to take samba. I asked last saturday on debian-private
if anybody was working on it, and the only response I got was
"please, go ahead with your non-maintainer release" (and a suggestion
on what else to fix). So, that's what I did. But please, the package
is yours!

-- 
joost witteveen, joostje@debian.org
#!/usr/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
#what's this? see http://www.dcs.ex.ac.uk/~aba/rsa/
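The dependency check the thread argues for, as an added example that is not part of the original mail: run ldd on the binary and again on each library it resolves, flag libraries that report "statically linked" (their libc is invisible, as with libpam above), and report whether the whole set pulls in libc5, libc6 or both. The SAMPLE_* ldd output is constructed for illustration, not captured from a real system.

```shell
#!/bin/sh
# Constructed ldd-style output (not from a real system) used to exercise the checker.
SAMPLE_MIXED='        libpam.so.0 => /lib/libpam.so.0 (0x40010000)
        libc.so.6 => /lib/libc.so.6 (0x40020000)
        libc.so.5 => /lib/libc.so.5 (0x40100000)'
SAMPLE_HIDDEN='        statically linked'

# Classify ldd output read from stdin: static, libc5, libc6, mixed or none.
# "static" is the case from the thread: the library hides which libc it needs.
libc_class() {
    have5=0; have6=0; static=0
    while IFS= read -r line; do
        case "$line" in
            *'statically linked'*) static=1 ;;
            *libc.so.5*) have5=1 ;;
            *libc.so.6*) have6=1 ;;
        esac
    done
    if [ "$have5" -eq 1 ] && [ "$have6" -eq 1 ]; then echo mixed
    elif [ "$have5" -eq 1 ]; then echo libc5
    elif [ "$have6" -eq 1 ]; then echo libc6
    elif [ "$static" -eq 1 ]; then echo static
    else echo none
    fi
}

# Combine the class of a binary with the class of one of its libraries.
merge_class() {
    case "$1:$2" in
        mixed:*|*:mixed|libc5:libc6|libc6:libc5) echo mixed ;;
        libc5:*|*:libc5) echo libc5 ;;
        libc6:*|*:libc6) echo libc6 ;;
        static:*|*:static) echo static ;;
        *) echo none ;;
    esac
}

# Run ldd on a binary and on each library it resolves; warn about libraries whose
# own libc dependency is invisible and print the combined class for the binary.
check_binary() {
    total=$(ldd "$1" 2>/dev/null | libc_class)
    for lib in $(ldd "$1" 2>/dev/null | sed -n 's/.*=> *\(\/[^ ]*\).*/\1/p'); do
        case "$lib" in */libc.so.*) continue ;; esac   # libc itself is the target
        c=$(ldd "$lib" 2>/dev/null | libc_class)
        [ "$c" = static ] && echo "warning: $lib hides its libc dependency" >&2
        total=$(merge_class "$total" "$c")
    done
    echo "$total"
}

if [ $# -gt 0 ]; then check_binary "$1"; fi
```

Usage: `sh check.sh /usr/sbin/smbd`; a result of `mixed`, or any warning line, is the situation the mail calls insecure.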



