[SCM] Samba Shared Repository - branch v4-5-test updated

Stefan Metzmacher metze at samba.org
Tue Dec 20 07:46:02 UTC 2016


The branch, v4-5-test has been updated
       via  9f718c5 VERSION: Bump version up to 4.5.4
       via  59738fd Merge tag 'samba-4.5.3' into v4-5-test
       via  3da5d75 VERSION: Disable git snapshots for the 4.5.3 release.
       via  b036f71 WHATSNEW: Add release notes for Samba 4.5.3.
       via  913b555 CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
       via  8c31d69 CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
       via  ff8a94c CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
       via  f609b3c CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
       via  c455677 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
       via  609d100 VERSION: Bump version up to 4.5.3...
      from  80185ce s3: ntlm_auth: Don't corrupt the output stream with debug messages.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test


- Log -----------------------------------------------------------------
commit 9f718c5121ff398b463f8e7a0a68af155656dcbc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 20 08:44:27 2016 +0100

    VERSION: Bump version up to 4.5.4
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 59738fd2de30aca77334d72f82dbbcb1c6663f86
Merge: 80185ce 3da5d75
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 20 08:41:11 2016 +0100

    Merge tag 'samba-4.5.3' into v4-5-test
    
    samba: tag release samba-4.5.3

-----------------------------------------------------------------------

Summary of changes:
 VERSION                             |  2 +-
 WHATSNEW.txt                        | 86 ++++++++++++++++++++++++++++++++++++-
 auth/kerberos/kerberos_pac.c        | 22 ++++++++++
 librpc/ndr/ndr_dnsp.c               |  9 ++++
 source3/librpc/crypto/gse.c         |  1 -
 source4/auth/gensec/gensec_gssapi.c |  2 +-
 source4/scripting/bin/nsupdate-gss  |  2 +-
 7 files changed, 118 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index c02ce06..7941f31 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6d7d5d9..63a0e9e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,86 @@
                    =============================
+                   Release Notes for Samba 4.5.3
+                          December 19, 2016
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+   Overflow Remote Code Execution Vulnerability).
+o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+   trusted realms).
+o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+   elevation).
+
+=======
+Details
+=======
+
+o  CVE-2016-2123:
+   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+   parses data from the Samba Active Directory ldb database.  Any user
+   who can write to the dnsRecord attribute over LDAP can trigger this
+   memory corruption.
+
+   By default, all authenticated LDAP users can write to the dnsRecord
+   attribute on new DNS objects. This makes the defect a remote privilege
+   escalation.
+
+o  CVE-2016-2125
+   Samba client code always requests a forwardable ticket
+   when using Kerberos authentication. This means the
+   target server, which must be in the current or trusted
+   domain/realm, is given a valid general purpose Kerberos
+   "Ticket Granting Ticket" (TGT), which can be used to
+   fully impersonate the authenticated user or service.
+
+o  CVE-2016-2126
+   A remote, authenticated, attacker can cause the winbindd process
+   to crash using a legitimate Kerberos ticket due to incorrect
+   handling of the arcfour-hmac-md5 PAC checksum.
+
+   A local service with access to the winbindd privileged pipe can
+   cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.5.2:
+--------------------
+
+o  Volker Lendecke <vl at samba.org>
+   * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+   * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+     check_pac_checksum().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.5.2
                           December 07, 2016
                    =============================
@@ -93,8 +175,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.5.1
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 	krb5_boolean checksum_valid = false;
 	krb5_data input;
 
+	switch (sig->type) {
+	case CKSUMTYPE_HMAC_MD5:
+		/* ignores the key type */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	default:
+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+			(int)sig->type));
+		return EINVAL;
+	}
+
 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
 	cksum.checksum.length	= sig->signature.length;
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index ff77bc7..974ff5e 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
 		uint8_t sublen, newlen;
 		NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
 		newlen = total_len + sublen;
+		if (newlen < total_len) {
+			return ndr_pull_error(ndr, NDR_ERR_RANGE,
+					      "Failed to pull dnsp_name");
+		}
 		if (i != count-1) {
+			if (newlen == UINT8_MAX) {
+				return ndr_pull_error(
+					ndr, NDR_ERR_RANGE,
+					"Failed to pull dnsp_name");
+			}
 			newlen++; /* for the '.' */
 		}
 		ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..c4c4bbc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
 
 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
-				GSS_C_DELEG_FLAG |
 				GSS_C_DELEG_POLICY_FLAG |
 				GSS_C_REPLAY_FLAG |
 				GSS_C_SEQUENCE_FLAG;
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
 	}
-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
 	}
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
     my $flags = 
 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+	GSS_C_INTEG_FLAG;
 
 
     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,


-- 
Samba Shared Repository



More information about the samba-cvs mailing list