[SCM] Samba Shared Repository - branch v4-5-stable updated
Karolin Seeger
kseeger at samba.org
Mon Dec 19 09:11:47 UTC 2016
The branch, v4-5-stable has been updated
via 3da5d75 VERSION: Disable git snapshots for the 4.5.3 release.
via b036f71 WHATSNEW: Add release notes for Samba 4.5.3.
via 913b555 CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
via 8c31d69 CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
via ff8a94c CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
via f609b3c CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
via c455677 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
via 609d100 VERSION: Bump version up to 4.5.3...
from 6ead525 VERSION: Disable git snapshots for the 4.5.2 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable
- Log -----------------------------------------------------------------
commit 3da5d752a987ec1e60d7e773dfe44d38a91d8776
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 10:36:38 2016 +0100
VERSION: Disable git snapshots for the 4.5.3 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit b036f719e883e3d1daf52038ba816412083baa3d
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 10:35:04 2016 +0100
WHATSNEW: Add release notes for Samba 4.5.3.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 913b5553bed688e9ae471de8b7d895c17f3ac6ab
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 22 17:08:46 2016 +0100
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can lead to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 8c31d69461cb54cb7f5d7b04fda2e52718d9990d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:44:22 2016 +0100
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
This disables the usage of GSS_C_DELEG_FLAG by default. As
GSS_C_DELEG_POLICY_FLAG is still used by default, we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit ff8a94caab2b9705ef393791140380ad70291e12
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:42:59 2016 +0100
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit f609b3cda4b6b349ec7090ff6aa1dafe31ba495d
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:41:10 2016 +0100
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit c455677d43fbda512f0178a244c90591de481d51
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 5 21:22:46 2016 +0100
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl at samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
commit 609d1000444cc06c7bfcafb5d155ce4f3bfc07c5
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 2 10:36:42 2016 +0100
VERSION: Bump version up to 4.5.3...
and re-enable git snapshots.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit d869ba094a6fdeeb14c88b176d914e6756d89c52)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 86 ++++++++++++++++++++++++++++++++++++-
auth/kerberos/kerberos_pac.c | 22 ++++++++++
librpc/ndr/ndr_dnsp.c | 9 ++++
source3/librpc/crypto/gse.c | 1 -
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
7 files changed, 118 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index d93f1ff..1d7d6a2 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=2
+SAMBA_VERSION_RELEASE=3
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6d7d5d9..63a0e9e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,86 @@
=============================
+ Release Notes for Samba 4.5.3
+ December 19, 2016
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+ Overflow Remote Code Execution Vulnerability).
+o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+ trusted realms).
+o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+ elevation).
+
+=======
+Details
+=======
+
+o CVE-2016-2123:
+ The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+ leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+ parses data from the Samba Active Directory ldb database. Any user
+ who can write to the dnsRecord attribute over LDAP can trigger this
+ memory corruption.
+
+ By default, all authenticated LDAP users can write to the dnsRecord
+ attribute on new DNS objects. This makes the defect a remote privilege
+ escalation.
+
+o CVE-2016-2125
+ Samba client code always requests a forwardable ticket
+ when using Kerberos authentication. This means the
+ target server, which must be in the current or trusted
+ domain/realm, is given a valid general purpose Kerberos
+ "Ticket Granting Ticket" (TGT), which can be used to
+ fully impersonate the authenticated user or service.
+
+o CVE-2016-2126
+ A remote, authenticated, attacker can cause the winbindd process
+ to crash using a legitimate Kerberos ticket due to incorrect
+ handling of the arcfour-hmac-md5 PAC checksum.
+
+ A local service with access to the winbindd privileged pipe can
+ cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.5.2:
+--------------------
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+ * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+ check_pac_checksum().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.5.2
December 07, 2016
=============================
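Review bot: the three CVE headings in the Details section are inconsistent: "o CVE-2016-2123:" carries a trailing colon while "o CVE-2016-2125" and "o CVE-2016-2126" do not; pick one form for all three. The CVE-2016-2125 entry would also be more useful to administrators if it said what changed in this release (delegation is no longer requested unconditionally and is now left to the KDC's policy, per the commit messages), not only what the defect was.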
@@ -93,8 +175,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.5.1
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
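Review bot: the two AES branches return `EINVAL` silently when `KRB5_KEY_TYPE(keyblock)` does not match the checksum type, while the `default` branch logs at DEBUG level 2; a PAC rejected by the new pairing check leaves no diagnostic, which will make the CVE-2016-2126 hardening hard to troubleshoot. Suggest a DEBUG line in both `return EINVAL;` branches naming `sig->type` and the key type. The `CKSUMTYPE_HMAC_MD5` case deliberately skips the key-type check ("ignores the key type"); a short comment stating why that is safe for this checksum type would help future readers.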
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index ff77bc7..974ff5e 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
uint8_t sublen, newlen;
NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
newlen = total_len + sublen;
+ if (newlen < total_len) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
if (i != count-1) {
+ if (newlen == UINT8_MAX) {
+ return ndr_pull_error(
+ ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
newlen++; /* for the '.' */
}
ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
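Review bot: the `newlen < total_len` test only detects the wrap because `sublen` and `newlen` are `uint8_t` (and `total_len` presumably too; its declaration is outside the hunk), so the promoted `int` sum is truncated on assignment; that is correct here but deserves a comment such as `/* uint8_t wrap check */`, since widening any of those types later would silently disable the check. The second guard, `newlen == UINT8_MAX` before `newlen++`, closes the remaining one-byte wrap for the '.' separator, so together they bound `newlen`, and hence the `talloc_realloc` size, to 255 bytes, which is what stops the attacker-controlled overwrite described for CVE-2016-2123.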
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..c4c4bbc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
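Review bot: dropping `GSS_C_DELEG_FLAG` here is unconditional, whereas the gensec_gssapi change in the same series keeps a "delegation" setting that can turn it back on; there is no equivalent knob for the s3 GSE path. That is probably intended (delegation is left entirely to `GSS_C_DELEG_POLICY_FLAG` and the KDC), but the asymmetry should be called out in the CVE-2016-2125 release note so administrators know which code paths can still be opted back in.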
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
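Review bot: flipping the default of the `"gensec_gssapi"` / `"delegation"` setting from `true` to `false` is the behavioural change for CVE-2016-2125, but the WHATSNEW hunk in this changeset does not mention that the setting still exists or that delegation now depends on the KDC's policy via `GSS_C_DELEG_POLICY_FLAG` (per the commit message). A sentence in the release notes telling administrators how to restore the previous behaviour, and that doing so hands a forwardable TGT to every target server again, would avoid surprises after upgrade.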
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
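Review bot: unlike gse.c, no `GSS_C_DELEG_POLICY_FLAG` is added in place of the removed `GSS_C_DELEG_FLAG`, so the script no longer delegates at all, even to a server the KDC marks as trusted for delegation; that matches the commit message's intent of never sending delegated credentials to DNS servers, but a one-line comment above `my $flags =` saying so would stop someone "fixing" it later.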
--
Samba Shared Repository