[SCM] Samba Shared Repository - branch v4-2-test updated

Karolin Seeger kseeger at samba.org
Wed Dec 16 11:33:39 UTC 2015


The branch, v4-2-test has been updated
       via  b73894c VERSION: Bump version up to 4.2.8...
       via  f51d78c Merge tag 'samba-4.2.7' into v4-2-test
       via  b8077d8 Fix bug #11394 - Crash: Bad talloc magic value - access after free
       via  add4fe9 VERSION: Disable git snapshots for the 4.2.7 release.
       via  e59d852 WHATSNEW: Add release notes for Samba 4.2.7.
       via  2483d66 CVE-2015-8467: samdb: Match MS15-096 behaviour for userAccountControl
       via  41e1e8b CVE-2015-5296: libcli/smb: make sure we require signing when we demand encryption on a session
       via  3e8f112 CVE-2015-5296: s3:libsmb: force signing when requiring encryption in SMBC_server_internal()
       via  05d09fb CVE-2015-5296: s3:libsmb: force signing when requiring encryption in do_connect()
       via  1d8efe6 CVE-2015-5299: s3-shadow-copy2: fix missing access check on snapdir
       via  79e5023 CVE-2015-5252: s3: smbd: Fix symlink verification (file access outside the share).
       via  6dc18a6 ldb: bump version of the required system ldb to 1.1.24
       via  aa68bd3 CVE-2015-5330: ldb_dn_explode: copy strings by length, not terminators
       via  75b3ce6 CVE-2015-5330: next_codepoint_handle_ext: don't short-circuit UTF16 low bytes
       via  9c06833 CVE-2015-5330: strupper_talloc_n_handle(): properly count characters
       via  405170b CVE-2015-5330: Fix handling of unicode near string endings
       via  06f2d95 CVE-2015-5330: ldb_dn_escape_value: use known string length, not strlen()
       via  813ecea CVE-2015-5330: ldb_dn: simplify and fix ldb_dn_escape_internal()
       via  3c68b50 CVE-2015-3223: lib: ldb: Use memmem binary search, not strstr text search.
       via  9c7e988 CVE-2015-3223: lib: ldb: Cope with canonicalise_fn returning string "", length 0.
      from  5f9d311 VERSION: Bump version up to 4.2.7...

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test


- Log -----------------------------------------------------------------
commit b73894cdbd657ba7ea776bdbe40105488deb14c5
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Dec 16 12:32:20 2015 +0100

    VERSION: Bump version up to 4.2.8...
    
    and re-enable git snapshots.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit f51d78c717334f5e802c04f51a89171fac150fc6
Merge: b8077d8 add4fe9
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Dec 16 12:31:26 2015 +0100

    Merge tag 'samba-4.2.7' into v4-2-test
    
    samba: tag release samba-4.2.7

commit b8077d861f4fd04f1d5c4187b8bf0166e2d8ae29
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Dec 11 12:00:51 2015 +0100

    Fix bug #11394 - Crash: Bad talloc magic value - access after free

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                 |   2 +-
 WHATSNEW.txt                            | 151 ++++++++++++++++++++++-
 lib/dbwrap/dbwrap_rbt.c                 | 208 +++++++++++++++++++-------------
 lib/ldb/common/ldb_dn.c                 |  67 +++++-----
 lib/ldb/common/ldb_match.c              |  33 ++++-
 lib/ldb/wscript                         |   5 +-
 lib/util/charset/charset.h              |   9 +-
 lib/util/charset/codepoints.c           |  29 +++--
 lib/util/charset/util_str.c             |   3 +-
 lib/util/charset/util_unistr.c          |   6 +-
 libcli/smb/smbXcli_base.c               |  11 ++
 script/autobuild.py                     |   2 +-
 source3/libsmb/clidfs.c                 |   7 +-
 source3/libsmb/libsmb_server.c          |  15 ++-
 source3/modules/vfs_shadow_copy2.c      |  45 +++++++
 source3/smbd/vfs.c                      |  13 +-
 source3/torture/torture.c               |  39 ++++++
 source4/dsdb/samdb/ldb_modules/samldb.c |  24 +++-
 18 files changed, 516 insertions(+), 153 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 9195002..8268fb6 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a13c837..055f03f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,151 @@
                    =============================
+                   Release Notes for Samba 4.2.7
+                         December 16, 2015
+                   =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o  CVE-2015-3223 (Denial of service in Samba Active Directory
+		  server)
+o  CVE-2015-5252 (Insufficient symlink verification in smbd)
+o  CVE-2015-5299 (Missing access control check in shadow copy
+		  code)
+o  CVE-2015-5296 (Samba client requesting encryption vulnerable
+		  to downgrade attack)
+o  CVE-2015-8467 (Denial of service attack against Windows
+		  Active Directory server)
+o  CVE-2015-5330 (Remote memory read in Samba LDAP server)
+
+Please note that if building against a system libldb, the required
+version has been bumped to ldb-1.1.24.  This is needed to ensure
+we build against a system ldb library that contains the fixes
+for CVE-2015-5330 and CVE-2015-3223.
+
+=======
+Details
+=======
+
+o  CVE-2015-3223:
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+   ldb versions up to 1.1.23 inclusive) are vulnerable to
+   a denial of service attack in the samba daemon LDAP server.
+
+   A malicious client can send packets that cause the LDAP server in the
+   samba daemon process to become unresponsive, preventing the server
+   from servicing any other requests.
+
+   This flaw is not exploitable beyond causing the code to loop expending
+   CPU resources.
+
+o  CVE-2015-5252:
+   All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
+   a bug in symlink verification, which under certain circumstances could
+   allow client access to files outside the exported share path.
+
+   If a Samba share is configured with a path that shares a common path
+   prefix with another directory on the file system, the smbd daemon may
+   allow the client to follow a symlink pointing to a file or directory
+   in that other directory, even if the share parameter "wide links" is
+   set to "no" (the default).
+
+o  CVE-2015-5299:
+   All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
+   a missing access control check in the vfs_shadow_copy2 module. When
+   looking for the shadow copy directory under the share path the current
+   accessing user should have DIRECTORY_LIST access rights in order to
+   view the current snapshots.
+
+   This was not being checked in the affected versions of Samba.
+
+o  CVE-2015-5296:
+   Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
+   signing is negotiated when creating an encrypted client connection to
+   a server.
+
+   Without this a man-in-the-middle attack could downgrade the connection
+   and connect using the supplied credentials as an unsigned, unencrypted
+   connection.
+
+o  CVE-2015-8467:
+   Samba, operating as an AD DC, is sometimes operated in a domain with a
+   mix of Samba and Windows Active Directory Domain Controllers.
+
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
+   an AD DC in the same domain with Windows DCs, could be used to
+   override the protection against the MS15-096 / CVE-2015-2535 security
+   issue in Windows.
+
+   Prior to MS16-096 it was possible to bypass the quota of machine
+   accounts a non-administrative user could create.  Pure Samba domains
+   are not impacted, as Samba does not implement the
+   SeMachineAccountPrivilege functionality to allow non-administrator
+   users to create new computer objects.
+
+o  CVE-2015-5330:
+   All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+   ldb versions up to 1.1.23 inclusive) are vulnerable to
+   a remote memory read attack in the samba daemon LDAP server.
+
+   A malicious client can send packets that cause the LDAP server in the
+   samba daemon process to return heap memory beyond the length of the
+   requested value.
+
+   This memory may contain data that the client should not be allowed to
+   see, allowing compromise of the server.
+
+   The memory may either be returned to the client in an error string, or
+   stored in the database by a suitabily privileged user.  If untrusted
+   users can create objects in your database, please confirm that all DN
+   and name attributes are reasonable.
+
+
+Changes since 4.2.6:
+--------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
+     userAccountControl.
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
+   * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
+     access outside the share).
+   * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
+     snapdir.
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
+     smb encryption on the client side.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.2.6
                          December 08, 2015
                    =============================
@@ -80,10 +227,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
 
-======================================================================
 
                    =============================
                    Release Notes for Samba 4.2.5
diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c
index 3f97086..a9cc641 100644
--- a/lib/dbwrap/dbwrap_rbt.c
+++ b/lib/dbwrap/dbwrap_rbt.c
@@ -22,11 +22,15 @@
 #include "dbwrap/dbwrap_private.h"
 #include "dbwrap/dbwrap_rbt.h"
 #include "../lib/util/rbtree.h"
+#include "../lib/util/dlinklist.h"
 
 #define DBWRAP_RBT_ALIGN(_size_) (((_size_)+15)&~15)
 
 struct db_rbt_ctx {
 	struct rb_root tree;
+	struct db_rbt_node *nodes;
+	size_t traverse_read;
+	struct db_rbt_node **traverse_nextp;
 };
 
 struct db_rbt_rec {
@@ -38,13 +42,7 @@ struct db_rbt_rec {
 struct db_rbt_node {
 	struct rb_node rb_node;
 	size_t keysize, valuesize;
-
-	/*
-	 * key and value are appended implicitly, "data" is only here as a
-	 * target for offsetof()
-	 */
-
-	char data[1];
+	struct db_rbt_node *prev, *next;
 };
 
 /*
@@ -83,12 +81,43 @@ static int db_rbt_compare(TDB_DATA a, TDB_DATA b)
 static void db_rbt_parse_node(struct db_rbt_node *node,
 			      TDB_DATA *key, TDB_DATA *value)
 {
-	key->dptr = ((uint8_t *)node) + offsetof(struct db_rbt_node, data);
+	size_t key_offset, value_offset;
+
+	key_offset = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node));
+	key->dptr = ((uint8_t *)node) + key_offset;
 	key->dsize = node->keysize;
-	value->dptr = key->dptr + node->keysize;
+
+	value_offset = DBWRAP_RBT_ALIGN(node->keysize);
+	value->dptr = key->dptr + value_offset;
 	value->dsize = node->valuesize;
 }
 
+static ssize_t db_rbt_reclen(size_t keylen, size_t valuelen)
+{
+	size_t len, tmp;
+
+	len = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node));
+
+	tmp = DBWRAP_RBT_ALIGN(keylen);
+	if (tmp < keylen) {
+		goto overflow;
+	}
+
+	len += tmp;
+	if (len < tmp) {
+		goto overflow;
+	}
+
+	len += valuelen;
+	if (len < valuelen) {
+		goto overflow;
+	}
+
+	return len;
+overflow:
+	return -1;
+}
+
 static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
 {
 	struct db_rbt_ctx *db_ctx = talloc_get_type_abort(
@@ -97,10 +126,16 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
 	struct db_rbt_node *node;
 
 	struct rb_node ** p;
-	struct rb_node * parent;
+	struct rb_node *parent = NULL;
+	struct db_rbt_node *parent_node = NULL;
 
+	ssize_t reclen;
 	TDB_DATA this_key, this_val;
 
+	if (db_ctx->traverse_read > 0) {
+		return NT_STATUS_MEDIA_WRITE_PROTECTED;
+	}
+
 	if (rec_priv->node != NULL) {
 
 		/*
@@ -123,21 +158,30 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
 		}
 	}
 
-	node = (struct db_rbt_node *)talloc_size(db_ctx,
-		offsetof(struct db_rbt_node, data) + rec->key.dsize
-		+ data.dsize);
+	reclen = db_rbt_reclen(rec->key.dsize, data.dsize);
+	if (reclen == -1) {
+		return NT_STATUS_INSUFFICIENT_RESOURCES;
+	}
 
+	node = talloc_zero_size(db_ctx, reclen);
 	if (node == NULL) {
 		return NT_STATUS_NO_MEMORY;
 	}
 
 	if (rec_priv->node != NULL) {
+		if (db_ctx->traverse_nextp != NULL) {
+			if (*db_ctx->traverse_nextp == rec_priv->node) {
+				*db_ctx->traverse_nextp = node;
+			}
+		}
+
 		/*
 		 * We need to delete the key from the tree and start fresh,
 		 * there's not enough space in the existing record
 		 */
 
 		rb_erase(&rec_priv->node->rb_node, &db_ctx->tree);
+		DLIST_REMOVE(db_ctx->nodes, rec_priv->node);
 
 		/*
 		 * Keep the existing node around for a while: If the record
@@ -145,8 +189,6 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
 		 */
 	}
 
-	ZERO_STRUCT(node->rb_node);
-
 	node->keysize = rec->key.dsize;
 	node->valuesize = data.dsize;
 
@@ -166,10 +208,11 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
 		TDB_DATA search_key, search_val;
 		int res;
 
-		parent = (*p);
-
 		r = db_rbt2node(*p);
 
+		parent = (*p);
+		parent_node = r;
+
 		db_rbt_parse_node(r, &search_key, &search_val);
 
 		res = db_rbt_compare(this_key, search_key);
@@ -186,6 +229,7 @@ static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
 	}
 
 	rb_link_node(&node->rb_node, parent, p);
+	DLIST_ADD_AFTER(db_ctx->nodes, node, parent_node);
 	rb_insert_color(&node->rb_node, &db_ctx->tree);
 
 	return NT_STATUS_OK;
@@ -197,26 +241,27 @@ static NTSTATUS db_rbt_delete(struct db_record *rec)
 		rec->db->private_data, struct db_rbt_ctx);
 	struct db_rbt_rec *rec_priv = (struct db_rbt_rec *)rec->private_data;
 
+	if (db_ctx->traverse_read > 0) {
+		return NT_STATUS_MEDIA_WRITE_PROTECTED;
+	}
+
 	if (rec_priv->node == NULL) {
 		return NT_STATUS_OK;
 	}
 
+	if (db_ctx->traverse_nextp != NULL) {
+		if (*db_ctx->traverse_nextp == rec_priv->node) {
+			*db_ctx->traverse_nextp = rec_priv->node->next;
+		}
+	}
+
 	rb_erase(&rec_priv->node->rb_node, &db_ctx->tree);
+	DLIST_REMOVE(db_ctx->nodes, rec_priv->node);
 	TALLOC_FREE(rec_priv->node);
 
 	return NT_STATUS_OK;
 }
 
-static NTSTATUS db_rbt_store_deny(struct db_record *rec, TDB_DATA data, int flag)
-{
-	return NT_STATUS_MEDIA_WRITE_PROTECTED;
-}
-
-static NTSTATUS db_rbt_delete_deny(struct db_record *rec)
-{
-	return NT_STATUS_MEDIA_WRITE_PROTECTED;
-}
-
 struct db_rbt_search_result {
 	TDB_DATA key;
 	TDB_DATA val;
@@ -358,75 +403,65 @@ static NTSTATUS db_rbt_parse_record(struct db_context *db, TDB_DATA key,
 }
 
 static int db_rbt_traverse_internal(struct db_context *db,
-				    struct rb_node *n,
 				    int (*f)(struct db_record *db,
 					     void *private_data),
 				    void *private_data, uint32_t* count,
 				    bool rw)
 {
-	struct rb_node *rb_right;
-	struct rb_node *rb_left;
-	struct db_record rec;
-	struct db_rbt_rec rec_priv;
+	struct db_rbt_ctx *ctx = talloc_get_type_abort(
+		db->private_data, struct db_rbt_ctx);
+	struct db_rbt_node *cur = NULL;
+	struct db_rbt_node *next = NULL;
 	int ret;
 
-	if (n == NULL) {
-		return 0;
-	}
-
-	rb_left = n->rb_left;
-	rb_right = n->rb_right;
-
-	ret = db_rbt_traverse_internal(db, rb_left, f, private_data, count, rw);
-	if (ret != 0) {
-		return ret;
-	}
+	for (cur = ctx->nodes; cur != NULL; cur = next) {
+		struct db_record rec;
+		struct db_rbt_rec rec_priv;
 
-	rec_priv.node = db_rbt2node(n);
-	/* n might be altered by the callback function */
-	n = NULL;
+		rec_priv.node = cur;
+		next = rec_priv.node->next;
 
-	ZERO_STRUCT(rec);
-	rec.db = db;
-	rec.private_data = &rec_priv;
-	if (rw) {
+		ZERO_STRUCT(rec);
+		rec.db = db;
+		rec.private_data = &rec_priv;
 		rec.store = db_rbt_store;
 		rec.delete_rec = db_rbt_delete;
-	} else {
-		rec.store = db_rbt_store_deny;
-		rec.delete_rec = db_rbt_delete_deny;
-	}
-	db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value);
-
-	ret = f(&rec, private_data);
-	(*count) ++;
-	if (ret != 0) {
-		return ret;
-	}
+		db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value);
 
-	if (rec_priv.node != NULL) {
-		/*
-		 * If the current record is still there
-		 * we should take the current rb_right.
-		 */
-		rb_right = rec_priv.node->rb_node.rb_right;
+		if (rw) {
+			ctx->traverse_nextp = &next;
+		}
+		ret = f(&rec, private_data);
+		(*count) ++;
+		if (rw) {
+			ctx->traverse_nextp = NULL;
+		}
+		if (ret != 0) {
+			return ret;
+		}
+		if (rec_priv.node != NULL) {
+			next = rec_priv.node->next;
+		}
 	}
 
-	return db_rbt_traverse_internal(db, rb_right, f, private_data, count, rw);
+	return 0;
 }
 
-static int db_rbt_traverse(struct db_context *db,
-			   int (*f)(struct db_record *db,
-				    void *private_data),
-			   void *private_data)
+static int db_rbt_traverse_read(struct db_context *db,
+				int (*f)(struct db_record *db,
+					 void *private_data),
+				void *private_data)
 {
 	struct db_rbt_ctx *ctx = talloc_get_type_abort(
 		db->private_data, struct db_rbt_ctx);
 	uint32_t count = 0;
+	int ret;
 
-	int ret = db_rbt_traverse_internal(db, ctx->tree.rb_node,
-					   f, private_data, &count,
-					   true /* rw */);
+	ctx->traverse_read++;
+	ret = db_rbt_traverse_internal(db,
+				       f, private_data, &count,
+				       false /* rw */);
+	ctx->traverse_read--;
 	if (ret != 0) {
 		return -1;
 	}
@@ -436,18 +471,27 @@ static int db_rbt_traverse(struct db_context *db,
 	return count;
 }


-- 
Samba Shared Repository



More information about the samba-cvs mailing list