[Bug 1584485] [NEW] Upgrading samba to latest security fixes together with winbind in nsswitch.conf can harm entire OS

Rafael David Tinoco rafael.tinoco at canonical.com
Sun May 22 15:39:58 UTC 2016 

Public bug reported:

It was brought to my attention that, because of latest security fixes
for samba:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

when library symbols changed, a samba upgrade MAY jeopardize an entire
Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
(specially if used before compat mechanism).

----

How to reproduce easily:

$ cat /etc/nsswitch.conf
passwd: winbind compat
shadow: compat
group: winbind compat

(winbind is usually used after compat, in this case it was used before)

to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:

$ sudo apt-get update

and FINALLY:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1

Leading into an unusable system in the following state:

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2

## state

Workaround:

DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
"pam-auth-update") before ANY attempt of upgrading samba to latest
version.

** Affects: samba (Ubuntu)
     Importance: High
     Assignee: Rafael David Tinoco (inaddy)
         Status: Confirmed

** Changed in: samba (Ubuntu)
       Status: New => Confirmed

** Changed in: samba (Ubuntu)
     Assignee: (unassigned) => Rafael David Tinoco (inaddy)

** Changed in: samba (Ubuntu)
   Importance: Undecided => High

** Description changed:

  It was brought to my attention that, because of latest security fixes
  for samba:
  
  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739
  
  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium
  
  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).
  
  ----
  
  How to reproduce easily:
  
  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
- group: winbind compat 
+ group: winbind compat
  
  (winbind is usually used after compat, in this case it was used before)
  
  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do a:
  
  $ sudo apt-get update
  
  and FINALLY:
  
  """
- $  sudo apt-get --only-upgrade install samba
- Reading package lists... Done
- Building dependency tree
- Reading state information... Done
- The following packages were automatically installed and are no longer required:
-   libhdb9-heimdal libkdc2-heimdal libntdb1 python-ntdb
- Use 'apt-get autoremove' to remove them.
- The following extra packages will be installed:
-   libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
-   python-ldb python-samba python-tdb samba-common samba-common-bin
-   samba-dsdb-modules samba-libs samba-vfs-modules winbind
- Suggested packages:
-   bind9 bind9utils ldb-tools smbldap-tools heimdal-clients
- The following packages will be upgraded:
-   libldb1 libnss-winbind libpam-winbind libtdb1 libtevent0 libwbclient0
-   python-ldb python-samba python-tdb samba samba-common samba-common-bin
-   samba-dsdb-modules samba-libs samba-vfs-modules winbind
- 16 upgraded, 0 newly installed, 0 to remove and 219 not upgraded.
- Need to get 8,877 kB of archives.
- After this operation, 5,632 kB of additional disk space will be used.
- Do you want to continue? [Y/n] y
- Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-ldb amd64 1:1.1.24-0ubuntu0.14.04.1 [29.2 kB]
- Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-tdb amd64 1.3.8-0ubuntu0.14.04.1 [10.8 kB]
- Get:3 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtdb1 amd64 1.3.8-0ubuntu0.14.04.1 [38.3 kB]
- Get:4 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libtevent0 amd64 0.9.28-0ubuntu0.14.04.1 [26.2 kB]
- Get:5 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-dsdb-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [219 kB]
- Get:6 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libnss-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [12.6 kB]
- Get:7 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/universe libpam-winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [28.2 kB]
- Get:8 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main winbind amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [411 kB]
- Get:9 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libwbclient0 amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [30.8 kB]
- Get:10 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [903 kB]
- Get:11 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common-bin amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [508 kB]
- Get:12 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-common all 2:4.3.9+dfsg-0ubuntu0.14.04.1 [82.9 kB]
- Get:13 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main python-samba amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [1,068 kB]
- Get:14 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-vfs-modules amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [259 kB]
- Get:15 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main samba-libs amd64 2:4.3.9+dfsg-0ubuntu0.14.04.1 [5,144 kB]
- Get:16 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main libldb1 amd64 1:1.1.24-0ubuntu0.14.04.1 [107 kB]
- Fetched 8,877 kB in 14s (594 kB/s)
- Preconfiguring packages ...
- (Reading database ... 115393 files and directories currently installed.)
- Preparing to unpack .../python-ldb_1%3a1.1.24-0ubuntu0.14.04.1_amd64.deb ...
- Unpacking python-ldb (1:1.1.24-0ubuntu0.14.04.1) over (1:1.1.16-1ubuntu0.1) ...
- Preparing to unpack .../python-tdb_1.3.8-0ubuntu0.14.04.1_amd64.deb ...
- Unpacking python-tdb (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ...
- Preparing to unpack .../libtdb1_1.3.8-0ubuntu0.14.04.1_amd64.deb ...
- Unpacking libtdb1:amd64 (1.3.8-0ubuntu0.14.04.1) over (1.2.12-1) ...
- Preparing to unpack .../libtevent0_0.9.28-0ubuntu0.14.04.1_amd64.deb ...
- Unpacking libtevent0:amd64 (0.9.28-0ubuntu0.14.04.1) over (0.9.19-1) ...
- Preparing to unpack .../samba-dsdb-modules_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ...
- Unpacking samba-dsdb-modules (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ...
- Preparing to unpack .../libnss-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb ...
- Unpacking libnss-winbind:amd64 (2:4.3.9+dfsg-0ubuntu0.14.04.1) over (2:4.1.6+dfsg-1ubuntu2.14.04.13) ...
- dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
- dpkg: error processing archive /var/cache/apt/archives/libpam-winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
-  subprocess dpkg-deb --control returned error exit status 2
- dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
- dpkg: error processing archive /var/cache/apt/archives/winbind_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
-  subprocess dpkg-deb --control returned error exit status 2
- dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
- dpkg: error processing archive /var/cache/apt/archives/libwbclient0_2%3a4.3.9+dfsg-0ubuntu0.14.04.1_amd64.deb (--unpack):
-  subprocess dpkg-deb --control returned error exit status 2
- dpkg-deb: error: subprocess tar was killed by signal (Segmentation fault), core dumped
+ 
  """
  
- Leading into an unusable system.
+ Leading into an unusable system in the following state:
+ 
+ ## state
+ 
  
  Workaround:
  
  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d with
  "pam-auth-update") before ANY attempt of upgrading samba to latest
  version.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1584485

Title:
  Upgrading samba to latest security fixes together with winbind in
  nsswitch.conf can harm entire OS

Status in samba package in Ubuntu:
  Confirmed

Bug description:
  It was brought to my attention that, because of latest security fixes
  for samba:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1577739

  samba (2:4.3.9+dfsg-0ubuntu0.14.04.1) trusty-security; urgency=medium
  samba (2:4.3.8+dfsg-0ubuntu0.14.04.2) trusty-security; urgency=medium
  samba (2:4.1.6+dfsg-1ubuntu2.14.04.13) trusty-security; urgency=medium

  when library symbols changed, a samba upgrade MAY jeopardize an entire
  Ubuntu OS installation IF /etc/nsswitch.conf uses winbind as a service
  (specially if used before compat mechanism).

  ----

  How to reproduce easily:

  $ cat /etc/nsswitch.conf
  passwd: winbind compat
  shadow: compat
  group: winbind compat

  (winbind is usually used after compat, in this case it was used
  before)

  to have samba version "4.1.6+dfsg-1ubuntu2.14.04.13" installed and do
  a:

  $ sudo apt-get update

  and FINALLY:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/1

  Leading into an unusable system in the following state:

  https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/2

  ## state

  Workaround:

  DO REMOVE winbind from /etc/nsswitch.conf (and possibly from pam.d
  with "pam-auth-update") before ANY attempt of upgrading samba to
  latest version.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/+subscriptions

More information about the foundations-bugs mailing list