[SCM] Samba Shared Repository - branch v4-3-test updated
Karolin Seeger
kseeger at samba.org
Mon Dec 19 13:18:03 UTC 2016
The branch, v4-3-test has been updated
via 1667b47 VERSION: Disable git snapshots for the 4.3.13 release.
via 0fedf24 WHATSNEW: Add release notes for Samba 4.3.13.
via b5cc9bd CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
via e2c7a9f CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
via 08bff1a CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
via 205ec58 CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
via bf86df5 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
from e24f2f5 WHATSNEW: Bump version up 4.3.13...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-test
- Log -----------------------------------------------------------------
commit 1667b4711f554c899033e25465ffeef212256c8b
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 12:10:12 2016 +0100
VERSION: Disable git snapshots for the 4.3.13 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
Autobuild-User(v4-3-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-3-test): Mon Dec 19 14:17:29 CET 2016 on sn-devel-104
commit 0fedf2442171b4f349be8ac6cdf3dc624d5267ac
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 12:09:25 2016 +0100
WHATSNEW: Add release notes for Samba 4.3.13.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit b5cc9bd4b2bec4bfe26c554a50551d8fd9bb9f6e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 22 17:08:46 2016 +0100
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit e2c7a9f328ee0ef7111aaa0c4abd1fa12bc959fa
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:44:22 2016 +0100
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit 08bff1a588c487cc06d71944f75655c2a1e91c87
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:42:59 2016 +0100
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit 205ec587d5ce361ff8967fe8feda8d973e8b8730
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:41:10 2016 +0100
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit bf86df5b921492d8c0f61e269af3887d3051caf4
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 5 21:22:46 2016 +0100
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl at samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 86 ++++++++++++++++++++++++++++++++++++-
auth/kerberos/kerberos_pac.c | 22 ++++++++++
librpc/ndr/ndr_dnsp.c | 9 ++++
source3/librpc/crypto/gse.c | 1 -
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
7 files changed, 118 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 6ab305f..12f3297 100644
--- a/VERSION
+++ b/VERSION
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" #
########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
+SAMBA_VERSION_IS_GIT_SNAPSHOT=no
########################################################
# This is for specifying a release nickname #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b03de04..310b599 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,86 @@
==============================
+ Release Notes for Samba 4.3.13
+ December 19, 2016
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+ Overflow Remote Code Execution Vulnerability).
+o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+ trusted realms).
+o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+ elevation).
+
+=======
+Details
+=======
+
+o CVE-2016-2123:
+ The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+ leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+ parses data from the Samba Active Directory ldb database. Any user
+ who can write to the dnsRecord attribute over LDAP can trigger this
+ memory corruption.
+
+ By default, all authenticated LDAP users can write to the dnsRecord
+ attribute on new DNS objects. This makes the defect a remote privilege
+ escalation.
+
+o CVE-2016-2125
+ Samba client code always requests a forwardable ticket
+ when using Kerberos authentication. This means the
+ target server, which must be in the current or trusted
+ domain/realm, is given a valid general purpose Kerberos
+ "Ticket Granting Ticket" (TGT), which can be used to
+ fully impersonate the authenticated user or service.
+
+o CVE-2016-2126
+ A remote, authenticated, attacker can cause the winbindd process
+ to crash using a legitimate Kerberos ticket due to incorrect
+ handling of the arcfour-hmac-md5 PAC checksum.
+
+ A local service with access to the winbindd privileged pipe can
+ cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.3.12:
+---------------------
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+ * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+ check_pac_checksum().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 4.3.12
November 3, 2016
==============================
@@ -106,8 +188,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.3.11
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 3cb96f9..0541261 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
uint8_t sublen, newlen;
NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
newlen = total_len + sublen;
+ if (newlen < total_len) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
if (i != count-1) {
+ if (newlen == UINT8_MAX) {
+ return ndr_pull_error(
+ ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
newlen++; /* for the '.' */
}
ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index f1ebe19..9c9f55d 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a12447a..8823771 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -113,7 +113,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
--
Samba Shared Repository
More information about the samba-cvs
mailing list