[SCM] Samba Shared Repository - branch v4-4-stable updated
Karolin Seeger
kseeger at samba.org
Mon Dec 19 09:11:42 UTC 2016
The branch, v4-4-stable has been updated
via bb02ee9 VERSION: Disable GIT_SNAPSHOTS for the 4.4.8 release.
via 51a750c WHATSNEW: Add release notes for Samba 4.4.8.
via ce31a69 CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
via 58586ce CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
via 07ef0f6 CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
via 0f1b36b CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
via 4aa6b11 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
via 8f02f43 VERSION: Bump version up to 4.4.8...
from b2d2088 VERSION: Disable git snapshots for the 4.4.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-stable
- Log -----------------------------------------------------------------
commit bb02ee99eadd74bf471d1fff9a2be24d1ba2a52d
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 10:59:57 2016 +0100
VERSION: Disable GIT_SNAPSHOTS for the 4.4.8 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 51a750cdd7d0f5cb194b9dcefe037c54571b7175
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 10:59:27 2016 +0100
WHATSNEW: Add release notes for Samba 4.4.8.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit ce31a69a32d2bd6975006e428afe4584f6b7bc43
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 22 17:08:46 2016 +0100
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 58586ceae7fe628453e6bffdc463d4309ced15fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:44:22 2016 +0100
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit 07ef0f6ce0fb9d9735710ab79c2ee91d7a72a974
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:42:59 2016 +0100
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit 0f1b36b7d5514f8d16c60ebcd5c59753113b4334
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:41:10 2016 +0100
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit 4aa6b11d64a0a8133ef39a7e626f289f769e9415
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 5 21:22:46 2016 +0100
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl at samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
commit 8f02f43279b9fbd34d24929dece92ddba978c4f1
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Oct 25 12:39:39 2016 +0200
VERSION: Bump version up to 4.4.8...
and re-enable git snapshots.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit d6a814c770d5888e5340a5a677c5324c2fe734f8)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 86 ++++++++++++++++++++++++++++++++++++-
auth/kerberos/kerberos_pac.c | 22 ++++++++++
librpc/ndr/ndr_dnsp.c | 9 ++++
source3/librpc/crypto/gse.c | 1 -
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
7 files changed, 118 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 0770a98..51e5478 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=4
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7268196..1fee16b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,86 @@
=============================
+ Release Notes for Samba 4.4.8
+ December 19, 2016
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+ Overflow Remote Code Execution Vulnerability).
+o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+ trusted realms).
+o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+ elevation).
+
+=======
+Details
+=======
+
+o CVE-2016-2123:
+ The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+ leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+ parses data from the Samba Active Directory ldb database. Any user
+ who can write to the dnsRecord attribute over LDAP can trigger this
+ memory corruption.
+
+ By default, all authenticated LDAP users can write to the dnsRecord
+ attribute on new DNS objects. This makes the defect a remote privilege
+ escalation.
+
+o CVE-2016-2125
+ Samba client code always requests a forwardable ticket
+ when using Kerberos authentication. This means the
+ target server, which must be in the current or trusted
+ domain/realm, is given a valid general purpose Kerberos
+ "Ticket Granting Ticket" (TGT), which can be used to
+ fully impersonate the authenticated user or service.
+
+o CVE-2016-2126
+ A remote, authenticated, attacker can cause the winbindd process
+ to crash using a legitimate Kerberos ticket due to incorrect
+ handling of the arcfour-hmac-md5 PAC checksum.
+
+ A local service with access to the winbindd privileged pipe can
+ cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.4.7:
+--------------------
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+ * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+ check_pac_checksum().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.4.7
October 26, 2016
=============================
@@ -96,8 +178,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.4.6
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 3cb96f9..0541261 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
uint8_t sublen, newlen;
NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
newlen = total_len + sublen;
+ if (newlen < total_len) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
if (i != count-1) {
+ if (newlen == UINT8_MAX) {
+ return ndr_pull_error(
+ ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
newlen++; /* for the '.' */
}
ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..c4c4bbc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
--
Samba Shared Repository
More information about the samba-cvs
mailing list