Applying patch for Samba version 4.1.17

The version of Samba in our billing server is 4.1.17-Debian.
I have been reminded by our management to implement the patch for Samba on this server.

However, I am not sure how to implement the patch. I have browsed some websites for the correct patch to implement for Samba 4.1.17, and the patch recommended is the patch to address the vulnerability "Unexpected code execution in smbd".

There is no patch specifically for Samba version 4.1.17, however there is one for 4.1.16, and the patch is the same as for 4.1.17, which is to address the "Unexpected code execution in smbd" vulnerability.

When I click on the patch link, I am redirected to a page that displays this:

From cc4100701bec64cda6fae6a5650c2114f3862579 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 28 Jan 2015 14:47:31 -0800
Subject: [PATCH 1/2] CVE-2015-0240: s3: netlogon: Ensure we don't call
 talloc_free on an uninitialized pointer.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index c903ae8..cab635f 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1101,6 +1101,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
 	struct loadparm_context *lp_ctx;
 
+	if (creds_out != NULL) {
+		*creds_out = NULL;
+	}
+
 	if (schannel_global_required) {
 		status = schannel_check_required(&p->auth,
 						 computer_name,
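Review bot: The reset of *creds_out at the top of netr_creds_server_step_check sets up an output contract that nothing in the hunk documents. A short comment above the new block, stating that *creds_out is NULL on every failure return, would tell callers they may free the result unconditionally. It would also discourage anyone from later adding an early return above this point.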
@@ -1258,7 +1262,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
 {
 	NTSTATUS status = NT_STATUS_OK;
 	int i;
-	struct netlogon_creds_CredentialState *creds;
+	struct netlogon_creds_CredentialState *creds = NULL;
 
 	DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
 
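Review bot: Initialising creds to NULL at its declaration covers _netr_ServerPasswordSet only, and no other caller of netr_creds_server_step_check is touched in the visible lines. It is worth confirming that every other function that declares a local struct netlogon_creds_CredentialState pointer and frees it on the error path also starts it at NULL, so the fix does not rest solely on the callee-side reset in the previous hunk.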
-- 
2.3.0


From 57c186ee4deda5e75d3588fa0252d9817492bb1f Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 16 Feb 2015 10:59:23 +0100
Subject: [PATCH 2/2] s3-netlogon: Make sure we do not deference a NULL
 pointer.

This is an additional patch for CVE-2015-0240.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32

Pair-Programmed-With: Michael Adam <obnox@samba.org>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index cab635f..2ba3278 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1275,9 +1275,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
 	unbecome_root();
 
 	if (!NT_STATUS_IS_OK(status)) {
+		const char *computer_name = "<unknown>";
+
+		if (creds != NULL && creds->computer_name != NULL) {
+			computer_name = creds->computer_name;
+		}
 		DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
 			"request from client %s machine account %s\n",
-			r->in.computer_name, creds->computer_name));
+			r->in.computer_name, computer_name));
 		TALLOC_FREE(creds);
 		return status;
 	}
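Review bot: In the DEBUG call, creds->computer_name now goes through a NULL-checked local, but r->in.computer_name is still passed to %s unchecked. If that client-supplied field can be NULL on this path, it needs the same fallback. The new local would also read better with a more specific name than computer_name (for example creds_computer_name), since the same statement already prints r->in.computer_name.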
-- 
2.3.0

Please provide some guide/steps on how to implement this patch on the server?

patch takes a patch file containing a difference listing produced by the diff program and applies those differences to one or more original files, producing patched versions.

You apply the patch file using patch command:

The patch command takes a patch file as the input and applies the change to one or more original file(s), producing new patched versions.

patch -p[num] < patchfile
patch [options] originalfile patchfile 

Suggest you review the man page here: man patch

Thanks for the information.

However, to apply a patch file, the patch filename has to have a '.patch' extension. E.g. something like this:

patch -p0 < $HOME/Desktop/gui_track_filter.patch

Do I just put the patch code above in a file and rename it to "Something.patch"?

I just did some research on how patches are applied in Debian, and they suggest downloading the main package; in this case it is "Samba".
Then cd into the downloaded directory, and run

# ls debian/patches

to see all available patches. This is because to install a new patch like what I want, then all the other patches have to be installed also. However, when I do the same, there is no "debian/patches" folder in the Samba directory.

Does this mean that there are no other patches for Samba, and I can just go ahead and install the patch above?

You have to build from source to apply a patch. So it's not enough to merely install samba, you have to do so using the source package, if available.

According to the patch guide, the patch has to be installed, then only build samba from source. However, when I apply the patch, this is the error I receive:

root@TestVM:/home/aigini/samba-4.6.6# patch -p1 < samba-4.1.16-CVE-2015-0240.patch
patching file source3/rpc_server/netlogon/srv_netlog_nt.c
Reversed (or previously applied) patch detected!  Assume -R? [n] y
Hunk #1 succeeded at 1113 (offset 12 lines).
Hunk #2 FAILED at 1258.
1 out of 2 hunks FAILED -- saving rejects to file source3/rpc_server/netlogon/srv_netlog_nt.c.rej
patching file source3/rpc_server/netlogon/srv_netlog_nt.c
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 1275.
1 out of 1 hunk FAILED -- saving rejects to file source3/rpc_server/netlogon/srv_netlog_nt.c.rej
root@TestVM:/home/aigini/samba-4.6.6#

What does the error mean, and how do I resolve this error?

Also, if I were to re-build samba from source, what will happen to the current samba which is installed on the server? Will it cause any problems/crash?

---------- Post updated at 01:33 PM ---------- Previous update was at 11:56 AM ----------

I tried changing the option for -p to 0 instead of 1:

patch -p0 < samba-4.1.16-CVE-2015-0240.patch

This is the output I get:

root@TestVM:/home/aigini# patch -p0 < samba-4.1.16-CVE-2015-0240.patch
can't find file to patch at input line 19
Perhaps you used the wrong -p or --strip option?
The text leading up to this was:
--------------------------
|From cc4100701bec64cda6fae6a5650c2114f3862579 Mon Sep 17 00:00:00 2001
|From: Jeremy Allison <jra@samba.org>
|Date: Wed, 28 Jan 2015 14:47:31 -0800
|Subject: [PATCH 1/2] CVE-2015-0240: s3: netlogon: Ensure we don't call
| talloc_free on an uninitialized pointer.
|
|Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
|
|Signed-off-by: Jeremy Allison <jra@samba.org>
|Reviewed-by: Stefan Metzmacher <metze@samba.org>
|---
| source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
| 1 file changed, 5 insertions(+), 1 deletion(-)
|
|diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
|index c903ae8..cab635f 100644
|--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
|+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
--------------------------
File to patch:

What do I do next? Is the option I use for patching correct?

"hunk failed", "reverse patched", etc, means you're trying to put the patch on the wrong version of samba.

Means that the patch that I am trying to implement (4.1.16) won't work for the version of Samba in the server (4.1.17).

However, there is no patch specifically for 4.1.17 Samba version.

See the release note here.

It seems that 4.1.7 is a security release for this.

See also note on 'workaround'.

I read from the link you gave to implement the workaround for the security release for samba version 4.1.17.

Thank you for the suggestion.

And since there is no patch specifically for this version, is it a good idea to just upgrade samba itself?

If 4.1.7 contains a fix for the problem (which is what the release note says) that you are worried about, then unless you have other concerns and/or samba has other vulnerabilities, I suggest that if it's not broken, don't try and fix it. You don't know whether an upgrade will break something else.

Look and see what patches have been issued for 4.1.7 and why. Apply the patches for anything that you're concerned about.

Upgrade to a newer version if that offers new functionality that you could use.

If 4.1.7 has the fix, and you have 4.1.17, you already have it.

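The "Reversed (or previously applied) patch detected" and "Hunk FAILED" results seen earlier in the thread can be checked for in advance, without touching the source tree. The following is an added example, not part of the original thread. It assumes GNU patch, and the function names patch_state and make_demo, the file src/netlog.c and its contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (assumes GNU patch). Classify a patch against a source tree
# using dry runs only, so nothing in the tree is modified.
# Usage: patch_state <tree-dir> <patch-file> [strip-level]
patch_state() {
    tree=$1; pfile=$2; strip=${3:-1}
    # Forward dry run: -N refuses patches that look already applied,
    # -f suppresses the interactive "Assume -R?" question.
    if patch -d "$tree" -p"$strip" --dry-run -N -f < "$pfile" >/dev/null 2>&1; then
        echo applicable
    # Reverse dry run succeeds only if the tree already contains the change.
    elif patch -d "$tree" -p"$strip" --dry-run -R -f < "$pfile" >/dev/null 2>&1; then
        echo already-applied
    else
        # Neither direction fits: the patch was made for different source.
        echo mismatch
    fi
}

# Build three constructed trees and a patch (old -> fixed) under directory $1.
make_demo() {
    root=$1
    mkdir -p "$root/old/src" "$root/fixed/src" "$root/diverged/src"
    printf '%s\n' 'int set_password(void)' '{' '    int status = 0;' \
        '    struct creds *creds;' '    return status;' '}' \
        > "$root/old/src/netlog.c"
    # "fixed" initialises the pointer, mirroring the kind of change in the thread.
    sed 's/\*creds;/*creds = NULL;/' "$root/old/src/netlog.c" \
        > "$root/fixed/src/netlog.c"
    # "diverged" has the line rewritten so neither side of the hunk matches.
    sed 's/\*creds;/*state;/' "$root/old/src/netlog.c" \
        > "$root/diverged/src/netlog.c"
    # diff exits 1 when the files differ, which is expected here.
    (cd "$root" && diff -u old/src/netlog.c fixed/src/netlog.c > fix.patch) || true
}

# Run the three constructed cases and print one result per tree.
demo=$(mktemp -d)
make_demo "$demo"
for t in old fixed diverged; do
    printf '%-9s %s\n' "$t" "$(patch_state "$demo/$t" "$demo/fix.patch")"
done
rm -rf "$demo"
```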