Applying patch for Samba version 4.1.17


 
# 1  
Old 06-15-2017
Applying patch for Samba version 4.1.17

The version of Samba in our billing server is 4.1.17-Debian.
I have been reminded by our management to implement the patch for Samba on this server.

However, I am not sure how to implement the patch. I have browsed some websites for the correct patch to implement for Samba 4.1.17, and the patch recommended is the patch to address the vulnerability "Unexpected code execution in smbd".

There is no patch specifically for Samba version 4.1.17, however there is one for 4.1.16, and the patch is the same as for 4.1.17, which is to address the "Unexpected code execution in smbd" vulnerability.

When I click on the patch link, I am redirected to a page that displays this :

Code:
From cc4100701bec64cda6fae6a5650c2114f3862579 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 28 Jan 2015 14:47:31 -0800
Subject: [PATCH 1/2] CVE-2015-0240: s3: netlogon: Ensure we don't call
 talloc_free on an uninitialized pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index c903ae8..cab635f 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1101,6 +1101,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
 	struct loadparm_context *lp_ctx;
 
+	if (creds_out != NULL) {
+		*creds_out = NULL;
+	}
+
 	if (schannel_global_required) {
 		status = schannel_check_required(&p->auth,
 						 computer_name,
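Review bot: the new assignment *creds_out = NULL at the top of netr_creds_server_step_check carries no comment saying why it is there. The subject line ties it to callers running talloc_free on the out-pointer after a failed call, so a one-line comment stating that *creds_out must be defined on every return path would stop a later cleanup from dropping it as redundant. The creds_out != NULL guard also implies callers may pass NULL; if that is supported, say so in the function's header comment.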
@@ -1258,7 +1262,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
 {
 	NTSTATUS status = NT_STATUS_OK;
 	int i;
-	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_CredentialState *creds = NULL;
 
 	DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
 
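Review bot: with creds initialised to NULL at its declaration in _netr_ServerPasswordSet, a failed step check leaves it NULL instead of undefined, which makes the free on the error path safe but turns any creds-> access on that path into a NULL dereference. Patch 2/2 in this same file handles that for the DEBUG call, so the two patches should be applied together and not picked individually.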
-- 
2.3.0


From 57c186ee4deda5e75d3588fa0252d9817492bb1f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 16 Feb 2015 10:59:23 +0100
Subject: [PATCH 2/2] s3-netlogon: Make sure we do not deference a NULL
 pointer.

This is an additional patch for CVE-2015-0240.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index cab635f..2ba3278 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1275,9 +1275,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
 	unbecome_root();
 
 	if (!NT_STATUS_IS_OK(status)) {
+		const char *computer_name = "<unknown>";
+
+		if (creds != NULL && creds->computer_name != NULL) {
+			computer_name = creds->computer_name;
+		}
 		DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
 			"request from client %s machine account %s\n",
-			r->in.computer_name, creds->computer_name));
+			r->in.computer_name, computer_name));
 		TALLOC_FREE(creds);
 		return status;
 	}
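Review bot: in the DEBUG call, creds->computer_name now gets a NULL fallback but r->in.computer_name is still passed to %s unchecked. If that request field can be absent it should get the same "<unknown>" fallback; if it cannot, a short comment saying so would explain the asymmetry. A comment on the new block noting that creds can be NULL here because the step check failed would also help the next reader.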
-- 
2.3.0

Please provide some guide/steps on how to implement this patch on the server?
# 2  
Old 06-15-2017
patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions.

You apply the patch file using patch command:

The patch command takes a patch file as the input and applies the change to one or more original file(s), producing new patched versions.

Code:
patch -p[num] < patchfile
patch [options] originalfile patchfile

Suggest you review the man page here: man patch
# 3  
Old 07-19-2017
Thanks for the information.

However, to apply a patch file, the patch filename has to have a '.patch' extension. E.g. something like this:

Code:
patch -p0 < $HOME/Desktop/gui_track_filter.patch

Do I just put the patch code above in a file and rename it to "Something.patch"?
# 4  
Old 07-21-2017
I just did some research on how patches are applied in Debian, and they suggest downloading the main package; in this case it is "Samba".
Then cd into the downloaded directory, and run

Code:
# ls debian/patches

to see all available patches. This is because to install a new patch like what I want, then all the other patches have to be installed also. However, when I do the same, there is no "debian/patches" folder in the Samba directory.

Does this mean that there are no other patches for Samba, and I can just go ahead and install the patch above?
# 5  
Old 07-21-2017
You have to build from source to apply a patch. So it's not enough to merely install samba, you have to do so using the source package, if available.
# 6  
Old 08-02-2017
According to the patch guide, the patch has to be installed, then only build samba from source. However, when I apply the patch, this is the error I receive:

Code:
root@TestVM:/home/aigini/samba-4.6.6# patch -p1 < samba-4.1.16-CVE-2015-0240.patch
patching file source3/rpc_server/netlogon/srv_netlog_nt.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
Hunk #1 succeeded at 1113 (offset 12 lines).
Hunk #2 FAILED at 1258.
1 out of 2 hunks FAILED -- saving rejects to file source3/rpc_server/netlogon/srv_netlog_nt.c.rej
patching file source3/rpc_server/netlogon/srv_netlog_nt.c
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 1275.
1 out of 1 hunk FAILED -- saving rejects to file source3/rpc_server/netlogon/srv_netlog_nt.c.rej
root@TestVM:/home/aigini/samba-4.6.6#

What does the error mean, and how do I resolve this error?

Also, if I were to re-build samba from source, what will happen to the current samba which is installed on the server? Will it cause any problems/crash?

---------- Post updated at 01:33 PM ---------- Previous update was at 11:56 AM ----------

I tried changing the option for -p to 0 instead of 1 :

Code:
patch -p0 < samba-4.1.16-CVE-2015-0240.patch

This is the output I get :

Code:
root@TestVM:/home/aigini# patch -p0 < samba-4.1.16-CVE-2015-0240.patch
can't find file to patch at input line 19
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|From cc4100701bec64cda6fae6a5650c2114f3862579 Mon Sep 17 00:00:00 2001
|From: Jeremy Allison <jra@samba.org>
|Date: Wed, 28 Jan 2015 14:47:31 -0800
|Subject: [PATCH 1/2] CVE-2015-0240: s3: netlogon: Ensure we don't call
| talloc_free on an uninitialized pointer.
|
|Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
|
|Signed-off-by: Jeremy Allison <jra@samba.org>
|Reviewed-by: Stefan Metzmacher <metze@samba.org>
|---
| source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
| 1 file changed, 5 insertions(+), 1 deletion(-)
|
|diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|index c903ae8..cab635f 100644
|--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
--------------------------
File to patch:

What do I do next? Is the option I use for patching correct?
# 7  
Old 08-02-2017
"hunk failed", "reverse patched", etc, means you're trying to put the patch on the wrong version of samba.
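
What the "Reversed (or previously applied) patch detected" and "Hunk FAILED" messages in post #6 distinguish, as an added example that is not part of any post in this thread: a shell function (hypothetical name classify_patch) that uses GNU patch's --dry-run to report whether a patch applies, is already present in the tree, or was made for a different version. The demo.c trees and fix.patch are constructed stand-ins, not Samba source.

```shell
#!/bin/sh
# Added example: classify how a patch relates to a source tree without
# changing the tree. classify_patch and make_demo are illustrative names.

# Usage: classify_patch SRC_DIR PATCH_FILE [STRIP_LEVEL]
# Prints one of: applies | already-applied | mismatch
classify_patch() {
    src=$1; pf=$2; strip=${3:-1}
    # --force: never prompt and never guess at reversal; --dry-run: write nothing.
    if patch -d "$src" -p"$strip" --force --dry-run < "$pf" >/dev/null 2>&1; then
        echo applies
    elif patch -d "$src" -p"$strip" --force --reverse --dry-run < "$pf" >/dev/null 2>&1; then
        echo already-applied   # the change is already in this tree
    else
        echo mismatch          # the patch was made against other source
    fi
}

# Build three constructed trees (unpatched, patched, diverged) and one patch.
make_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/old" "$demo/fixed" "$demo/diverged"
    printf '%s\n' 'int step(void)' '{' '    int i;' \
        '    struct state *creds;' '    return 0;' '}' > "$demo/old/demo.c"
    sed 's/\*creds;/*creds = NULL;/' "$demo/old/demo.c" > "$demo/fixed/demo.c"
    sed 's/\*creds;/*session_creds;/' "$demo/old/demo.c" > "$demo/diverged/demo.c"
    cat > "$demo/fix.patch" <<'EOF'
--- a/demo.c
+++ b/demo.c
@@ -1,6 +1,6 @@
 int step(void)
 {
     int i;
-    struct state *creds;
+    struct state *creds = NULL;
     return 0;
 }
EOF
    echo "$demo"
}

demo=$(make_demo)
for tree in old fixed diverged; do
    printf '%-9s %s\n' "$tree" "$(classify_patch "$demo/$tree" "$demo/fix.patch")"
done
rm -rf "$demo"
```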