Bug#813406: marked as done (ctdb, raw sockets and CVE-2015-8543)

[Debian Bug Tracking System]

Your message dated Thu, 04 Feb 2016 15:41:12 +0000
with message-id <e1arm1w-0005uz...@franck.debian.org>
and subject line Bug#813406: fixed in samba 2:4.3.3+dfsg-2
has caused the Debian Bug report #813406,
regarding ctdb, raw sockets and CVE-2015-8543
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
813406: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=813406
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: ctdb
Severity: grave
Tags: patch,upstream

Hi!

The kernel upgrade for CVE-2015-8543 showed a bug in CTDB that leads to a
broken cluster:
  | s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
htons(IPPROTO_RAW) leads to 0xff00 which causes "-1 EINVAL (Invalid
argument)" because of CVE-2015-8543.
The fix for the issue is quite simple: remove IPPROTO_RAW; to make the fix
more consistent with what was used before, use IPPROTO_IP (which is 0).

Error messages related to this bug are:
  | We are still serving a public IP 'x.x.x.x' that we should not be serving. 
Removing it
  | common/system_common.c:89 failed to open raw socket (Invalid argument)
  | Could not find which interface the ip address is hosted on. can not release 
it
and 
  | common/system_linux.c:344 failed to open raw socket (Invalid argument)
As a result, IP addresses cannot be released and multiple nodes in the
cluster serve the same address, which obviously does not work.

Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=11705 and mailing
list conversation: 
https://lists.samba.org/archive/samba/2016-January/197389.html

-- Adi

--- a/common/system_common.c    2016-01-19 15:20:37.437683526 +0100
+++ b/common/system_common.c    2016-01-19 15:20:50.417683526 +0100
@@ -83,7 +83,7 @@
        struct ifconf ifc;
        char *ptr;

-       s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+       s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
        if (s == -1) {
                DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
                         strerror(errno)));
--- a/common/system_linux.c     2016-01-19 16:06:53.021491231 +0100
+++ b/common/system_linux.c     2016-01-19 16:07:05.817491231 +0100
@@ -338,7 +338,7 @@
                ip4pkt.tcp.check    = tcp_checksum((uint16_t *)&ip4pkt.tcp, sizeof(ip4pkt.tcp), &ip4pkt.ip);

                /* open a raw socket to send this segment from */
-               s = socket(AF_INET, SOCK_RAW, htons(IPPROTO_RAW));
+               s = socket(AF_INET, SOCK_RAW, IPPROTO_IP);
                if (s == -1) {
                        DEBUG(DEBUG_CRIT,(__location__ " failed to open raw socket (%s)\n",
                                 strerror(errno)));

signature.asc
Description: Digital signature

--- End Message ---

--- Begin Message ---

Source: samba
Source-Version: 2:4.3.3+dfsg-2

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 813...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sath...@debian.org> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 04 Feb 2016 13:25:01 +0100
Source: samba
Binary: samba samba-libs samba-common samba-common-bin smbclient 
samba-testsuite registry-tools libparse-pidl-perl samba-dev python-samba 
samba-dsdb-modules samba-vfs-modules libsmbclient libsmbclient-dev winbind 
libpam-winbind libnss-winbind samba-dbg libwbclient0 libwbclient-dev ctdb
Architecture: source amd64 all
Version: 2:4.3.3+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Samba Maintainers <pkg-samba-ma...@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sath...@debian.org>
Description:
 ctdb       - clustered database to store temporary data
 libnss-winbind - Samba nameservice integration plugins
 libpam-winbind - Windows domain authentication integration plugin
 libparse-pidl-perl - IDL compiler written in Perl
 libsmbclient - shared library for communication with SMB/CIFS servers
 libsmbclient-dev - development files for libsmbclient
 libwbclient-dev - Samba winbind client library - development files
 libwbclient0 - Samba winbind client library
 python-samba - Python bindings for Samba
 registry-tools - tools for viewing and manipulating the Windows registry
 samba      - SMB/CIFS file, print, and login server for Unix
 samba-common - common files used by both the Samba server and client
 samba-common-bin - Samba common files used by both the server and the client
 samba-dbg  - Samba debugging symbols
 samba-dev  - tools for extending Samba
 samba-dsdb-modules - Samba Directory Services Database
 samba-libs - Samba core libraries
 samba-testsuite - test suite from Samba
 samba-vfs-modules - Samba Virtual FileSystem plugins
 smbclient  - command-line SMB/CIFS clients for Unix
 winbind    - service to resolve user and group information from Windows NT ser
Closes: 813406
Changes:
 samba (2:4.3.3+dfsg-2) unstable; urgency=medium
 .
   [ Jelmer Vernooij ]
   * Add dependency on libtevent-dev in samba-dev.
 .
   [ Mathieu Parent ]
   * Fix CTDB behavior since CVE-2015-8543 (Closes: #813406)
Checksums-Sha1:
 e6147bfd2c97446b648b01df29678b7155c0eb89 3963 samba_4.3.3+dfsg-2.dsc
 840f83d4074ba36d3157b9303ee81b0a14051526 223316 
samba_4.3.3+dfsg-2.debian.tar.xz
 4389989d749ffea8308b81005ff5ea1349744c93 520670 ctdb_4.3.3+dfsg-2_amd64.deb
 6330ad42da9b9b958942408e98f6d69359589742 103122 
libnss-winbind_4.3.3+dfsg-2_amd64.deb
 30cbc55a6067de838af2d1223757a0aa6b4ff2a5 119102 
libpam-winbind_4.3.3+dfsg-2_amd64.deb
 a53c4a2f06e002404bd0358edfaaf655307220b3 182330 
libparse-pidl-perl_4.3.3+dfsg-2_amd64.deb
 d60970af4b52cc1c371ef85f1fffa7109cdd0492 131684 
libsmbclient-dev_4.3.3+dfsg-2_amd64.deb
 d8d4a1211ca881f0230ec2d742e3aa620e8eee49 143590 
libsmbclient_4.3.3+dfsg-2_amd64.deb
 30d10e03da3f1d3f6b02c4cefad3e3bfa0ba4279 103180 
libwbclient-dev_4.3.3+dfsg-2_amd64.deb
 759669113ca3b33000bef89a5784eb23cc86bdb4 117190 
libwbclient0_4.3.3+dfsg-2_amd64.deb
 a8793e64672f8415f94bbf94b4c8af2cde5465aa 1149134 
python-samba_4.3.3+dfsg-2_amd64.deb
 d948d48ded3b3c23180f5a94f758f1e8e72c961c 118968 
registry-tools_4.3.3+dfsg-2_amd64.deb
 9925e0d2c45f307a0debde7b759c1322ae1944b9 594008 
samba-common-bin_4.3.3+dfsg-2_amd64.deb
 799036bbdff108bf4f7773a6930d8922cc71ecdb 159002 
samba-common_4.3.3+dfsg-2_all.deb
 9d64cb1c8c920317ef5b41cc8e9a0fa53ce93ed6 33964926 
samba-dbg_4.3.3+dfsg-2_amd64.deb
 bdea843aed0f4564987b33643b8b441b347dbe54 369426 
samba-dev_4.3.3+dfsg-2_amd64.deb
 c0d3364b438eb20a7d5a19353f00941a30e16431 306210 
samba-dsdb-modules_4.3.3+dfsg-2_amd64.deb
 e9ca5ce52406bd98716ecd2dc2571ce967dbbc22 5295060 
samba-libs_4.3.3+dfsg-2_amd64.deb
 5962ebb3b0b0922ec47fa73bce32e972c17c79d0 1705386 
samba-testsuite_4.3.3+dfsg-2_amd64.deb
 d034a6815fd43560fd1693a0144645bece5adb37 344598 
samba-vfs-modules_4.3.3+dfsg-2_amd64.deb
 c5afdfdebc8decf41de0021e83b846871d8461f5 994074 samba_4.3.3+dfsg-2_amd64.deb
 cc111797ee91fe5d4e6e80a6e11207bd88400cf2 392222 
smbclient_4.3.3+dfsg-2_amd64.deb
 475d5e8aeab9c0c3e955d1efb237f19490b56561 500352 winbind_4.3.3+dfsg-2_amd64.deb
Checksums-Sha256:
 d8ba583a035e3547aa2082241cb6fb8e7db4e2a5060cf2abdda867da9328379a 3963 
samba_4.3.3+dfsg-2.dsc
 98770b60752653eae51708d8cd6c4ba2de1c8c183c7e3aacb103887301fa7f9a 223316 
samba_4.3.3+dfsg-2.debian.tar.xz
 83bf8a39f1b2953ab143990c105a3ff732dfc5108db54e64a9fb4df170ad3759 520670 
ctdb_4.3.3+dfsg-2_amd64.deb
 1374eea7189afff17ca7fc0d5f3efcd2ef35f635de23f956743ed8808171057b 103122 
libnss-winbind_4.3.3+dfsg-2_amd64.deb
 49e4fc8c7a0d94b6ba6fa8fe37e683ed572275e4a03d145c3cc04551bc6ca8dd 119102 
libpam-winbind_4.3.3+dfsg-2_amd64.deb
 f42904aff46776349d956182786a24ad7ee95b7a0572d5af70e1b589f9d34590 182330 
libparse-pidl-perl_4.3.3+dfsg-2_amd64.deb
 0495494e780292642de33228356775477cc5de8ceee96c7def2ab534c676dd0b 131684 
libsmbclient-dev_4.3.3+dfsg-2_amd64.deb
 4578246335a1ee064168baa69844cca65680ba7c151ce63272caa879a933dfc1 143590 
libsmbclient_4.3.3+dfsg-2_amd64.deb
 203b0e50b17a250e01e604d6d1023059368b626a5ce3809f76e210f609078c33 103180 
libwbclient-dev_4.3.3+dfsg-2_amd64.deb
 f57f8244c8f88b3e2a803bb9014e66efbc2fba7617a6614edeb62edf55ef5c2f 117190 
libwbclient0_4.3.3+dfsg-2_amd64.deb
 7980dc999ddca5928b09676f1b83d3bf7b23ba0012e4211895a96e33bd22a607 1149134 
python-samba_4.3.3+dfsg-2_amd64.deb
 c85a3a75127bd1d667cb2982f4b99f0ab563039f57c075c6af6fe48ce451584d 118968 
registry-tools_4.3.3+dfsg-2_amd64.deb
 b86bbaaa93bca777e4d80885f3f08df6c6e8209129458adc56e872c5d8b5f9ac 594008 
samba-common-bin_4.3.3+dfsg-2_amd64.deb
 a3447e88b7adb0994cc29fdfcc6410fa41f1db40936303fd8a4683e51dfb7640 159002 
samba-common_4.3.3+dfsg-2_all.deb
 dd3db25141236f257c150dbed4f2fd0a756a629bfc2c88ce9f0b3c919612f43c 33964926 
samba-dbg_4.3.3+dfsg-2_amd64.deb
 49f5b1d35b8d2439e3c3eddbecac523ca51732a067b8299fffcfd63738bfb8ff 369426 
samba-dev_4.3.3+dfsg-2_amd64.deb
 0e86804d5abda1dbd8e9c8b8893822f91eb037b5da79432ae849daf370836906 306210 
samba-dsdb-modules_4.3.3+dfsg-2_amd64.deb
 954a18065ce3faf77615418f333161a91c7b0ad29a3bfcc8d5aa33b38328b7f4 5295060 
samba-libs_4.3.3+dfsg-2_amd64.deb
 b1e489912f922403028268583dff70c18187555966d2070b83c6eeb135e7e662 1705386 
samba-testsuite_4.3.3+dfsg-2_amd64.deb
 abd3cf7b0381f8377263272cef7f78883eae90dac0211f7e2ae9f7a4c2a98978 344598 
samba-vfs-modules_4.3.3+dfsg-2_amd64.deb
 d38732854faa6ecca42df9060ca11c7279839cf0c0ab1c1e59aeabf92b44778b 994074 
samba_4.3.3+dfsg-2_amd64.deb
 ccc68d1413c00910b3deefb1c16c67aacfba8b22f54e5ff3d003ac61ac73b77d 392222 
smbclient_4.3.3+dfsg-2_amd64.deb
 69315c6f8257bab18f42be16b72861b1e4a6c11d6aff57efe2168623bc898cea 500352 
winbind_4.3.3+dfsg-2_amd64.deb
Files:
 dc3d2033927a907aa6cbd499852c2abc 3963 net optional samba_4.3.3+dfsg-2.dsc
 584e961320dc1675f1a05ffde61b150e 223316 net optional 
samba_4.3.3+dfsg-2.debian.tar.xz
 358295362d8a4c4d3bfab1e7ef04ccdf 520670 net optional 
ctdb_4.3.3+dfsg-2_amd64.deb
 e34f73f9902a2a0b81df6fd425243de0 103122 net optional 
libnss-winbind_4.3.3+dfsg-2_amd64.deb
 6ad18f6a5e10a4bccc7604f8e263ad2e 119102 net optional 
libpam-winbind_4.3.3+dfsg-2_amd64.deb
 568fe6bc1a4792e772aec875c545b84a 182330 perl optional 
libparse-pidl-perl_4.3.3+dfsg-2_amd64.deb
 e0728223efd9bb72f79377ee748ebc84 131684 libdevel extra 
libsmbclient-dev_4.3.3+dfsg-2_amd64.deb
 51aa82fece92103798fc71e4627ed9fd 143590 libs optional 
libsmbclient_4.3.3+dfsg-2_amd64.deb
 87021789c4a5b3c15aa02e4827daea9e 103180 libdevel optional 
libwbclient-dev_4.3.3+dfsg-2_amd64.deb
 ea17d185cef3074af54b2f614a8a5195 117190 libs optional 
libwbclient0_4.3.3+dfsg-2_amd64.deb
 b8d46935aa701ccd1244640ca5179020 1149134 python optional 
python-samba_4.3.3+dfsg-2_amd64.deb
 984664a52d884f4534c11367e4c630eb 118968 net optional 
registry-tools_4.3.3+dfsg-2_amd64.deb
 e7be756ca702006101e44807d119bdb5 594008 net optional 
samba-common-bin_4.3.3+dfsg-2_amd64.deb
 ed2443558b0dc234d28f1e0777c9a320 159002 net optional 
samba-common_4.3.3+dfsg-2_all.deb
 22fa80b57a14357efa728fc141473b79 33964926 debug extra 
samba-dbg_4.3.3+dfsg-2_amd64.deb
 d1fa735e8b411cd4e3beef6f3f8a4ac8 369426 devel optional 
samba-dev_4.3.3+dfsg-2_amd64.deb
 c269cb47741d650408f800fab24cbc12 306210 libs optional 
samba-dsdb-modules_4.3.3+dfsg-2_amd64.deb
 a3219898d01e8517555725f4b2038e0a 5295060 libs optional 
samba-libs_4.3.3+dfsg-2_amd64.deb
 ac4a3d50a7d4f7fad0166f7072d6fc40 1705386 net optional 
samba-testsuite_4.3.3+dfsg-2_amd64.deb
 00ad2424adde13e00a7587f6913de88f 344598 net optional 
samba-vfs-modules_4.3.3+dfsg-2_amd64.deb
 4a64c48af9585d225521a9f47bea80a9 994074 net optional 
samba_4.3.3+dfsg-2_amd64.deb
 9bf359a48ff2a99bb079765e01645ebc 392222 net optional 
smbclient_4.3.3+dfsg-2_amd64.deb
 9d16580f88cc0f66a4d4fe46a375fd93 500352 net optional 
winbind_4.3.3+dfsg-2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJWs2ZeAAoJEK4DmARmaB+lv7IP/i9Bsf9svVtm1BTty24wnKdE
HWcunOEyY3ydSLHavOgKxiz1Hm/CkVzvpTG9V/qeMAsgcbOnDawaBKuEQ2j0cMQL
tMm+M21RjyIXurDqgap44/m+BAd12QZREOQF3HdVVCvIKR+59lKz9mZfPvL6jF3+
3moBrxWCNkkZnTrjO6U2LIipxzuRyMvW3A224RkS4tL5xEhuPM7qOIk/B+PsFRho
4SRNw5UBCFrm14Tc0ktk0d7DubvK0C9hoH68KnzPB1IIC5ZDGGJ+1v68N0y5W6Gh
vcx5KJFcr7Xc7cBaUCab5QLw4z+i/DjKtmF+P1lgakkhdPMWdi1LqzCSia8jR++f
eALpXgQ7HRKkuwj0iezFZuE6Eif/6fNjOU+njn+vgQ8eJV3yHMksFmT2tamMke/8
Bes0/g4XErhPvZScKP/IrBpF0+gFZbVpV4HFpbWjBKmytxA3NwWk6aVOcfKPcVWM
yo7Dav8RG1yuyvN3f941skpbmmvlnjmXCEs+o4XdR2KmLxmr/Fs4DVqMqqxo+LyO
xik2ODaHsaivP6bELb7cMOptYqMknpznO8k0nNZ+Sr5cCYTXexXbUMRkiqE+cht9
itwatPR9542pIV4AcV81K2bbhuBvBBFei7wMfM073zkotOkLUgrBcfCWwGaCAKd5
uQjrZ4L4qmN4nmLIH00L
=zhEP
-----END PGP SIGNATURE-----

--- End Message ---