Re: Samba Root CVE-2012-1182 - Possibly countered with hardening@compiletime ?

To: debian-security@lists.debian.org
Subject: Re: Samba Root CVE-2012-1182 - Possibly countered with hardening@compiletime ?
From: Michael Gilbert <michael.s.gilbert@gmail.com>
Date: Tue, 17 Apr 2012 12:51:27 -0400
Message-id: <[🔎] CANTw=MPC0FNfb3KbfhW2xHXvMatjZDhUhfcfA2P6+DotXi6DrQ@mail.gmail.com>
In-reply-to: <[🔎] CAGT+gWw1VrxtpqXy=JeST_qByY74KG+7T+rap0=FnKH+rn+vvQ@mail.gmail.com>
References: <[🔎] CAGT+gWw1VrxtpqXy=JeST_qByY74KG+7T+rap0=FnKH+rn+vvQ@mail.gmail.com>

On Tue, Apr 17, 2012 at 6:15 AM, Crusty Saint wrote:
> Hi,
>
> Regarding https://www.samba.org/samba/security/CVE-2012-1182
>
> I'm currently step-by-step looking into compiling my own debs and
> recompiling existing once ( ignoring that optimisations are often
> overrated ) What i'm most interested in though is the
> hardening@compile-time of packages. Even if this means generic
> protection. Thinking some is better then none. For this i've, so far,
> used hardening-wrapper and hardening-includes packages. Though i'm not
> sure if i'm even using hardening-includes correctly at this time i
> dare to present a question.
>
> Part of the description of the CVE reads :
>
> "The flaw caused checks on the variable containing the length of an
> allocated array to be done independently from the checks on the
> variable used to allocate the memory for that array.  As both these
> variables are controlled by the connecting client it makes it possible
> for a specially crafted RPC call to cause the server to execute
> arbitrary code."
>
>
> Would recompiling with a DEB_BUILD_HARDENING=1 and corresponding
> configuration as below in /etc/hardening-wrapper.conf have mitigated
> against this particular exploit vector ? Though part of the attack
> depends on logic i assume the 'specially crafted RPC call' could've
> been mitigated against.

I don't really have an answer since I have not personally studied this
issue, but anyone that may have interest in any particularr security
issue can made use of the informative debian security tracker as a
spring board for their own research.

For example, if I wanted to better understand this issue, I would
start at [0], which would eventually lead me to [1], which includes
patches that samba applied.  I could then study those to see if
hardening made a difference.

> *glops* My /etc/hardening-wrapper.conf looks like
>
> DEB_BUILD_HARDENING=1
> DEB_BUILD_HARDENING_DEBUG=0
> DEB_BUILD_HARDENING_STACKPROTECTOR=1
> DEB_BUILD_HARDENING_RELRO=1
> DEB_BUILD_HARDENING_FORTIFY=1
> DEB_BUILD_HARDENING_PIE=1
> DEB_BUILD_HARDENING_FORMAT=1

It's quite a bit easier now.  You can set debian/compat to 9 in the
source package, and hardening will be done automagically (you may also
want to set "export DEB_BUILT_MAINT_OPTIONS=hardening=+all" in
debian/rules to get all hardening enabled).

Best wishes,
Mike

[0] http://security-tracker.debian.org/tracker/CVE-2012-1182
[1] https://bugzilla.samba.org/show_bug.cgi?id=8815

Reply to:

References:
- Samba Root CVE-2012-1182 - Possibly countered with hardening@compiletime ?
  - From: Crusty Saint <saintcrusty@gmail.com>

Prev by Date: Re: security fix prevent Gajim to be run
Next by Date: MySQL Local Crash Vulnerability
Previous by thread: Samba Root CVE-2012-1182 - Possibly countered with hardening@compiletime ?
Next by thread: security fix prevent Gajim to be run
Index(es):
- Date
- Thread