[SCM] Samba Shared Repository - branch v4-4-test updated
Karolin Seeger
kseeger at samba.org
Mon Dec 19 13:33:02 UTC 2016
The branch, v4-4-test has been updated
via 2a69018 VERSION: Disable GIT_SNAPSHOTS for the 4.4.8 release.
via 2b9cb93 WHATSNEW: Add release notes for Samba 4.4.8.
via 5ed800f CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
via 6362514 CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
via 1da911b CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
via ac3ce22 CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
via 4b095f1 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
from 42d2d38 s3: ntlm_auth: Don't corrupt the output stream with debug messages.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test
- Log -----------------------------------------------------------------
commit 2a69018eca849af03f8ebec1b52de175aa9177d8
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 10:59:57 2016 +0100
VERSION: Disable GIT_SNAPSHOTS for the 4.4.8 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
Autobuild-User(v4-4-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-4-test): Mon Dec 19 14:32:43 CET 2016 on sn-devel-144
commit 2b9cb935ccb1fa894e2106a4fbc662f43d6a2cbc
Author: Karolin Seeger <kseeger at samba.org>
Date: Fri Dec 9 10:59:27 2016 +0100
WHATSNEW: Add release notes for Samba 4.4.8.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 5ed800f4c4d709acdeb21efa3a3c303cc75b912e
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Nov 22 17:08:46 2016 +0100
CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 6362514cb8a698e6678b09f6d0bc7c564c0685e4
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:44:22 2016 +0100
CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit 1da911bf29c0c712670a445943292bfb98107ffc
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:42:59 2016 +0100
CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit ac3ce22fe960b9b6c6368a0b5bf95a1ae0180ae7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Nov 23 11:41:10 2016 +0100
CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Simo Sorce <idra at samba.org>
commit 4b095f105db846158b227a7bdd3ddc91e14a5b59
Author: Volker Lendecke <vl at samba.org>
Date: Sat Nov 5 21:22:46 2016 +0100
CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl at samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 86 ++++++++++++++++++++++++++++++++++++-
auth/kerberos/kerberos_pac.c | 22 ++++++++++
librpc/ndr/ndr_dnsp.c | 9 ++++
source3/librpc/crypto/gse.c | 1 -
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
7 files changed, 118 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index b31b515..51e5478 100644
--- a/VERSION
+++ b/VERSION
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" #
########################################################
-SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
+SAMBA_VERSION_IS_GIT_SNAPSHOT=no
########################################################
# This is for specifying a release nickname #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 7268196..1fee16b 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,86 @@
=============================
+ Release Notes for Samba 4.4.8
+ December 19, 2016
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+ Overflow Remote Code Execution Vulnerability).
+o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+ trusted realms).
+o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+ elevation).
+
+=======
+Details
+=======
+
+o CVE-2016-2123:
+ The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+ leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+ parses data from the Samba Active Directory ldb database. Any user
+ who can write to the dnsRecord attribute over LDAP can trigger this
+ memory corruption.
+
+ By default, all authenticated LDAP users can write to the dnsRecord
+ attribute on new DNS objects. This makes the defect a remote privilege
+ escalation.
+
+o CVE-2016-2125
+ Samba client code always requests a forwardable ticket
+ when using Kerberos authentication. This means the
+ target server, which must be in the current or trusted
+ domain/realm, is given a valid general purpose Kerberos
+ "Ticket Granting Ticket" (TGT), which can be used to
+ fully impersonate the authenticated user or service.
+
+o CVE-2016-2126
+ A remote, authenticated, attacker can cause the winbindd process
+ to crash using a legitimate Kerberos ticket due to incorrect
+ handling of the arcfour-hmac-md5 PAC checksum.
+
+ A local service with access to the winbindd privileged pipe can
+ cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.4.7:
+--------------------
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+ * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+ check_pac_checksum().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.4.7
October 26, 2016
=============================
@@ -96,8 +178,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.4.6
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 3cb96f9..0541261 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
uint8_t sublen, newlen;
NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
newlen = total_len + sublen;
+ if (newlen < total_len) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
if (i != count-1) {
+ if (newlen == UINT8_MAX) {
+ return ndr_pull_error(
+ ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
newlen++; /* for the '.' */
}
ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..c4c4bbc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
--
Samba Shared Repository
More information about the samba-cvs
mailing list