Gentoo Archives: gentoo-hardened

From: Brian Kroth <bpkroth@××××.edu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Samba's borked
Date: Wed, 14 Mar 2007 02:37:32
Message-Id: 45F75F75.6040507@wisc.edu
In Reply to: [gentoo-hardened] Samba's borked by "Brian A. Davis"
1 Brian A. Davis wrote:
2 > emerge brought in 3.0.24. Now I'm hosed :(.
3 >
4 > Anyone else seeing this:
5 >
6 > smbd: stack smashing attack in function open_sockets_smbd()
7 >
8 > Thanks,
9 > Brian
10 >
11 >
12 >
13 >
14
15 No problems here. Did you file a bug with your emerge --info output and
16 whatnot? Here's some of my info just for comparison. No grsec policies
17 defined yet.
18
19
20 # emerge --info && emerge -pv samba
21 Portage 2.1.2-r9 (hardened/x86/2.6, gcc-3.4.6, glibc-2.3.6-r5,
22 2.6.17-hardened-r1 i686)
23 =================================================================
24 System uname: 2.6.17-hardened-r1 i686 Intel(R) Xeon(TM) CPU 3.00GHz
25 Gentoo Base System release 1.12.9
26 Timestamp of tree: Tue, 13 Mar 2007 06:00:01 +0000
27 distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632)
28 [enabled]
29 ccache version 2.4 [enabled]
30 dev-lang/python: 2.4.3-r4
31 dev-python/pycrypto: 2.0.1-r5
32 dev-util/ccache: 2.4-r6
33 sys-apps/sandbox: 1.2.17
34 sys-devel/autoconf: 2.13, 2.60
35 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
36 sys-devel/binutils: 2.16.1-r3
37 sys-devel/gcc-config: 1.3.14
38 sys-devel/libtool: 1.5.22
39 virtual/os-headers: 2.6.17-r2
40 ACCEPT_KEYWORDS="x86"
41 AUTOCLEAN="yes"
42 CBUILD="i686-pc-linux-gnu"
43 CFLAGS="-march=pentium4 -O2 -pipe -fforce-addr"
44 CHOST="i686-pc-linux-gnu"
45 CONFIG_PROTECT="/etc"
46 CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/hotplug /etc/hotplug.d
47 /etc/init.d /etc/revdep-rebuild /etc/terminfo /etc/udev"
48 CXXFLAGS="-march=pentium4 -O2 -pipe -fforce-addr"
49 DISTDIR="/usr/portage/distfiles"
50 FEATURES="autoconfig buildpkg ccache collision-protect distcc distlocks
51 metadata-transfer parallel-fetch sandbox sfperms strict userfetch"
52 GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo/
53 ftp://gentoo.chem.wisc.edu/gentoo/ http://gentoo.mirrors.tds.net/gentoo
54 ftp://gentoo.mirrors.tds.net/gentoo http://gentoo.osuosl.org/
55 ftp://distro.ibiblio.org/pub/linux/distributions/gentoo/
56 http://distro.ibiblio.org/pub/linux/distributions/gentoo/
57 http://distfiles.gentoo.org"
58 MAKEOPTS="-j5"
59 PKGDIR="/mnt/build/packages"
60 PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
61 --compress --force --whole-file --delete --delete-after --stats
62 --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
63 PORTAGE_TMPDIR="/var/tmp"
64 PORTDIR="/mnt/build/portage"
65 PORTDIR_OVERLAY="/mnt/build/portage-local"
66 SYNC="rsync://tux-mc.hslc.wisc.edu/gentoo-portage"
67 USE="acl acpi apache2 bash-completion berkdb bzip2 caps chroot cracklib
68 crypt erandom fam gmp gpm hardened jpeg lm_sensors logrotate maildir mmx
69 ncurses nls nptl pam pcre perl pic png python readline smp snmp sse sse2
70 ssl syslog tcpd threads vhosts x86 xattr xml xpm"
71 ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug
72 file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null
73 plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="mouse
74 keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk
75 hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU"
76 Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL,
77 LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
78 PORTAGE_RSYNC_EXTRA_OPTS
79
80
81 These are the packages that would be merged, in order:
82
83 Calculating dependencies... done!
84 [ebuild R ] net-fs/samba-3.0.24 USE="acl caps%* fam pam python
85 readline syslog -async -automount -cups -doc -examples -kerberos -ldap
86 -oav -quotas (-selinux) -swat -winbind" LINGUAS="-ja -pl" 0 kB
87
88 Total: 1 package (1 reinstall), Size of downloads: 0 kB
89
90
91
92 # grep -i 'sec\|pax' /usr/src/linux/.config
93
94 CONFIG_SECCOMP=y
95 CONFIG_EXT2_FS_SECURITY=y
96 CONFIG_EXT3_FS_SECURITY=y
97 CONFIG_REISERFS_FS_SECURITY=y
98 CONFIG_XFS_SECURITY=y
99 # CONFIG_RPCSEC_GSS_KRB5 is not set
100 # CONFIG_RPCSEC_GSS_SPKM3 is not set
101 # Security options
102 # PaX
103 CONFIG_PAX=y
104 # PaX Control
105 # CONFIG_PAX_SOFTMODE is not set
106 CONFIG_PAX_EI_PAX=y
107 CONFIG_PAX_PT_PAX_FLAGS=y
108 CONFIG_PAX_NO_ACL_FLAGS=y
109 # CONFIG_PAX_HAVE_ACL_FLAGS is not set
110 # CONFIG_PAX_HOOK_ACL_FLAGS is not set
111 CONFIG_PAX_NOEXEC=y
112 # CONFIG_PAX_PAGEEXEC is not set
113 CONFIG_PAX_SEGMEXEC=y
114 CONFIG_PAX_EMUTRAMP=y
115 CONFIG_PAX_MPROTECT=y
116 # CONFIG_PAX_NOELFRELOCS is not set
117 # CONFIG_PAX_KERNEXEC is not set
118 CONFIG_PAX_ASLR=y
119 CONFIG_PAX_RANDKSTACK=y
120 CONFIG_PAX_RANDUSTACK=y
121 CONFIG_PAX_RANDMMAP=y
122 CONFIG_PAX_NOVSYSCALL=y
123 # CONFIG_PAX_MEMORY_SANITIZE is not set
124 # CONFIG_PAX_MEMORY_UDEREF is not set
125 # Grsecurity
126 CONFIG_GRKERNSEC=y
127 # CONFIG_GRKERNSEC_LOW is not set
128 # CONFIG_GRKERNSEC_MEDIUM is not set
129 # CONFIG_GRKERNSEC_HIGH is not set
130 CONFIG_GRKERNSEC_CUSTOM=y
131 CONFIG_GRKERNSEC_KMEM=y
132 CONFIG_GRKERNSEC_IO=y
133 CONFIG_GRKERNSEC_PROC_MEMMAP=y
134 CONFIG_GRKERNSEC_BRUTE=y
135 CONFIG_GRKERNSEC_MODSTOP=y
136 CONFIG_GRKERNSEC_HIDESYM=y
137 CONFIG_GRKERNSEC_ACL_HIDEKERN=y
138 CONFIG_GRKERNSEC_ACL_MAXTRIES=3
139 CONFIG_GRKERNSEC_ACL_TIMEOUT=30
140 CONFIG_GRKERNSEC_PROC=y
141 CONFIG_GRKERNSEC_PROC_USER=y
142 CONFIG_GRKERNSEC_PROC_ADD=y
143 CONFIG_GRKERNSEC_LINK=y
144 CONFIG_GRKERNSEC_FIFO=y
145 CONFIG_GRKERNSEC_CHROOT=y
146 CONFIG_GRKERNSEC_CHROOT_MOUNT=y
147 CONFIG_GRKERNSEC_CHROOT_DOUBLE=y
148 CONFIG_GRKERNSEC_CHROOT_PIVOT=y
149 CONFIG_GRKERNSEC_CHROOT_CHDIR=y
150 CONFIG_GRKERNSEC_CHROOT_CHMOD=y
151 CONFIG_GRKERNSEC_CHROOT_FCHDIR=y
152 CONFIG_GRKERNSEC_CHROOT_MKNOD=y
153 CONFIG_GRKERNSEC_CHROOT_SHMAT=y
154 CONFIG_GRKERNSEC_CHROOT_UNIX=y
155 CONFIG_GRKERNSEC_CHROOT_FINDTASK=y
156 CONFIG_GRKERNSEC_CHROOT_NICE=y
157 CONFIG_GRKERNSEC_CHROOT_SYSCTL=y
158 CONFIG_GRKERNSEC_CHROOT_CAPS=y
159 CONFIG_GRKERNSEC_AUDIT_GROUP=y
160 CONFIG_GRKERNSEC_AUDIT_GID=10005
161 CONFIG_GRKERNSEC_EXECLOG=y
162 CONFIG_GRKERNSEC_RESLOG=y
163 CONFIG_GRKERNSEC_CHROOT_EXECLOG=y
164 CONFIG_GRKERNSEC_AUDIT_CHDIR=y
165 CONFIG_GRKERNSEC_AUDIT_MOUNT=y
166 CONFIG_GRKERNSEC_AUDIT_IPC=y
167 CONFIG_GRKERNSEC_SIGNAL=y
168 CONFIG_GRKERNSEC_FORKFAIL=y
169 CONFIG_GRKERNSEC_TIME=y
170 CONFIG_GRKERNSEC_PROC_IPADDR=y
171 # CONFIG_GRKERNSEC_AUDIT_TEXTREL is not set
172 CONFIG_GRKERNSEC_EXECVE=y
173 CONFIG_GRKERNSEC_SHM=y
174 CONFIG_GRKERNSEC_DMESG=y
175 CONFIG_GRKERNSEC_RANDPID=y
176 CONFIG_GRKERNSEC_TPE=y
177 CONFIG_GRKERNSEC_TPE_ALL=y
178 # CONFIG_GRKERNSEC_TPE_INVERT is not set
179 CONFIG_GRKERNSEC_TPE_GID=10006
180 CONFIG_GRKERNSEC_RANDNET=y
181 CONFIG_GRKERNSEC_SOCKET=y
182 CONFIG_GRKERNSEC_SOCKET_ALL=y
183 CONFIG_GRKERNSEC_SOCKET_ALL_GID=10004
184 CONFIG_GRKERNSEC_SOCKET_CLIENT=y
185 CONFIG_GRKERNSEC_SOCKET_CLIENT_GID=10003
186 CONFIG_GRKERNSEC_SOCKET_SERVER=y
187 CONFIG_GRKERNSEC_SOCKET_SERVER_GID=10002
188 CONFIG_GRKERNSEC_SYSCTL=y
189 # CONFIG_GRKERNSEC_SYSCTL_ON is not set
190 CONFIG_GRKERNSEC_FLOODTIME=5
191 CONFIG_GRKERNSEC_FLOODBURST=5
192 CONFIG_SECURITY=y
193 # CONFIG_SECURITY_NETWORK is not set
194 CONFIG_SECURITY_CAPABILITIES=y
195 # CONFIG_SECURITY_ROOTPLUG is not set
196 # CONFIG_SECURITY_SECLVL is not set
197 --
198 gentoo-hardened@g.o mailing list