Bug 4643 - Patch for CVE-2007-2447 broke the use of ;
Status: RESOLVED WONTFIX
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.25
Hardware: Other Linux
: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
 
Reported: 2007-05-21 07:25 UTC by Arno
Modified: 2007-05-22 06:58 UTC

Description Arno 2007-05-21 07:25:40 UTC
After some debugging I discovered that a strange problem I experienced was caused by the patched code added in Samba 3.0.25 for CVE-2007-2447 (Remote Command Injection Vulnerability). It is now no longer possible to use the ";" character in options like "preexec = " & "postexec =" causing the use of i.e. (in my case) "root preexec = mkdir -p /home/software/Recycle; chown root:admins /home/software/.Recycle" to be executed as "root preexec = mkdir -p /home/software/Recycle chown root:admins /home/software/.Recycle" (The semicolon disappears!).

As far as I can see now, it also breaks the use of (in my case) "passwd program = /usr/bin/passwd %u; /usr/local/lib/yp_make.sh"

This new unexpected behaviour can possibly break a lot of setups (that's why I've set the priority to major)! I think the easiest solution is to add the ";" to #define INCLUDE_LIST "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabdefghijklmnopqrstuvwxyz_/ \t.,"
Comment 1 Gerald (Jerry) Carter (dead mail address) 2007-05-21 07:53:34 UTC
Sorry.  We cannot add ';' to the list as this was part of the exploit.  
You will have to wrap the commands in a single script and refer to that 
from smb.conf.
Comment 2 Arno 2007-05-22 01:09:45 UTC
But shouldn't "/etc/init.d/samba start" or testparm at least generate a warning that characters were used that are not allowed, instead of silently replacing them with spaces, which in my case caused my whole filesystem to be polluted with chmod, chown etc. (because the first statement was mkdir)?
Comment 3 Gerald (Jerry) Carter (dead mail address) 2007-05-22 06:58:34 UTC
(In reply to comment #2)
> But shouldn't "/etc/init.d/samba start" or testparm at least 
> generate a warning that characters were used that are not allowed, 

Sure.  I would love to have this patch.  Historically, testparm 
makes no judgment on string values in smb.conf.  Please send any 
patches you may have in diff -u format to samba-technical@samba.org 
as an attachment.  Thanks.
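
The warning asked for in comment 2 can be approximated outside Samba with a small smb.conf check. This is an added example, not part of the bug report and not Samba code: it assumes only the ";" character and only the options named in the report are affected, models the removal as replacement by a space as described in comment 2, and runs on a constructed configuration built from the values quoted above.

```python
import shlex

# Options named in the report; the report does not say whether others are affected.
COMMAND_OPTIONS = {"preexec", "postexec", "root preexec", "passwd program"}
STRIPPED = ";"  # the only character the report confirms is removed

# Constructed smb.conf fragment; "path" and the postexec script are made up.
SAMPLE_CONF = """\
[global]
   passwd program = /usr/bin/passwd %u; /usr/local/lib/yp_make.sh
; a comment line
[software]
   path = /home/software
   root preexec = mkdir -p /home/software/Recycle; chown root:admins /home/software/.Recycle
   postexec = /usr/local/bin/cleanup.sh
"""


def lint(conf_text):
    """Return (line_no, section, option, argv_after_stripping) for each hit."""
    findings, section = [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # smb.conf comments start with # or ;
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        name, sep, value = line.partition("=")
        option = " ".join(name.lower().split())  # normalise case and spacing
        if not sep or option not in COMMAND_OPTIONS or STRIPPED not in value:
            continue
        # Model of comment 2: the character becomes a space, so two commands
        # collapse into one command that receives the rest as arguments.
        effective = value.replace(STRIPPED, " ")
        findings.append((line_no, section, option, shlex.split(effective)))
    return findings


if __name__ == "__main__":
    for line_no, section, option, argv in lint(SAMPLE_CONF):
        print(f"line {line_no} [{section}] {option}: ';' is dropped, runs as {argv}")
```

Each finding is a candidate for the workaround from comment 1: move the commands into a single script and point the option at that script.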