[SCM] Samba Shared Repository - branch v4-5-test updated
Stefan Metzmacher
metze at samba.org
Tue Dec 20 07:46:02 UTC 2016
The branch, v4-5-test has been updated
via 9f718c5 VERSION: Bump version up to 4.5.4
via 59738fd Merge tag 'samba-4.5.3' into v4-5-test
via 3da5d75 VERSION: Disable git snapshots for the 4.5.3 release.
via b036f71 WHATSNEW: Add release notes for Samba 4.5.3.
via 913b555 CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
via 8c31d69 CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
via ff8a94c CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
via f609b3c CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
via c455677 CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
via 609d100 VERSION: Bump version up to 4.5.3...
from 80185ce s3: ntlm_auth: Don't corrupt the output stream with debug messages.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-test
- Log -----------------------------------------------------------------
commit 9f718c5121ff398b463f8e7a0a68af155656dcbc
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 20 08:44:27 2016 +0100
VERSION: Bump version up to 4.5.4
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 59738fd2de30aca77334d72f82dbbcb1c6663f86
Merge: 80185ce 3da5d75
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Dec 20 08:41:11 2016 +0100
Merge tag 'samba-4.5.3' into v4-5-test
samba: tag release samba-4.5.3
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 86 ++++++++++++++++++++++++++++++++++++-
auth/kerberos/kerberos_pac.c | 22 ++++++++++
librpc/ndr/ndr_dnsp.c | 9 ++++
source3/librpc/crypto/gse.c | 1 -
source4/auth/gensec/gensec_gssapi.c | 2 +-
source4/scripting/bin/nsupdate-gss | 2 +-
7 files changed, 118 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index c02ce06..7941f31 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 6d7d5d9..63a0e9e 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,86 @@
=============================
+ Release Notes for Samba 4.5.3
+ December 19, 2016
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
+ Overflow Remote Code Execution Vulnerability).
+o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
+ trusted realms).
+o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
+ elevation).
+
+=======
+Details
+=======
+
+o CVE-2016-2123:
+ The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
+ leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
+ parses data from the Samba Active Directory ldb database. Any user
+ who can write to the dnsRecord attribute over LDAP can trigger this
+ memory corruption.
+
+ By default, all authenticated LDAP users can write to the dnsRecord
+ attribute on new DNS objects. This makes the defect a remote privilege
+ escalation.
+
+o CVE-2016-2125
+ Samba client code always requests a forwardable ticket
+ when using Kerberos authentication. This means the
+ target server, which must be in the current or trusted
+ domain/realm, is given a valid general purpose Kerberos
+ "Ticket Granting Ticket" (TGT), which can be used to
+ fully impersonate the authenticated user or service.
+
+o CVE-2016-2126
+ A remote, authenticated, attacker can cause the winbindd process
+ to crash using a legitimate Kerberos ticket due to incorrect
+ handling of the arcfour-hmac-md5 PAC checksum.
+
+ A local service with access to the winbindd privileged pipe can
+ cause winbindd to cache elevated access permissions.
+
+
+Changes since 4.5.2:
+--------------------
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
+ * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
+ check_pac_checksum().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.5.2
December 07, 2016
=============================
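Review bot: The CVE-2016-2125 entry (the "Samba client code always requests a forwardable ticket" paragraph) describes the defect but says nothing about what the fix changes for administrators: the gensec_gssapi.c hunk below only flips the default of the "delegation" setting to false, and the gse.c hunk keeps GSS_C_DELEG_POLICY_FLAG, so the KDC can still authorise delegation to services it marks OK-AS-DELEGATE. A sentence in the release notes naming the option and stating that delegation can still be re-enabled (and that policy-based delegation remains on for the source3 GSE code) would save users from assuming delegation is now impossible. The CVE-2016-2126 entry should likewise say that the fix rejects PAC checksum types other than HMAC-MD5 and the two AES-HMAC-SHA1 types, since that is visible in the kerberos_pac.c hunk and is the behaviour a deployment with other enctypes will notice.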
@@ -93,8 +175,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.5.1
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
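Review bot: The CKSUMTYPE_HMAC_MD5 arm accepts the checksum with a keyblock of any type (the "ignores the key type" comment records this) while the two AES arms require the matching enctype; given that the release note ties CVE-2016-2126 to arcfour-hmac-md5 handling, the arm either needs a comment explaining why HMAC-MD5 is deliberately exempt from the key-type check or an explicit check that keyblock is an arcfour-hmac key, for symmetry with the AES cases. The default arm and the two mismatch returns all hand back EINVAL, so a caller cannot tell an unknown checksum type from a type/key mismatch; logging in the mismatch branches too (as the default arm does at DEBUG(2)) would at least leave a trace when a legitimate ticket is rejected after this change.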
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index ff77bc7..974ff5e 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
uint8_t sublen, newlen;
NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
newlen = total_len + sublen;
+ if (newlen < total_len) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
if (i != count-1) {
+ if (newlen == UINT8_MAX) {
+ return ndr_pull_error(
+ ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
newlen++; /* for the '.' */
}
ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
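Review bot: The two range checks depend on both total_len and sublen being uint8_t so that "newlen = total_len + sublen" truncates and "newlen < total_len" detects the wrap; the declaration of total_len is outside the hunk, and a reader cannot confirm the assumption from the visible lines. Computing the sum in a wider type (for example a size_t) and comparing it once against UINT8_MAX, with the extra 1 for the '.' folded in, would make the intent explicit and replace the two separate checks with one. The two error paths also use the identical message "Failed to pull dnsp_name"; distinguishing "length overflow" from "no room for separator" would help when debugging a rejected dnsRecord.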
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..c4c4bbc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
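Review bot: GSS_C_DELEG_POLICY_FLAG is still set here after GSS_C_DELEG_FLAG is dropped, so this path will still forward credentials to any service the KDC marks OK-AS-DELEGATE, and unlike the source4 gensec_gssapi path there is no setting to turn that off; the commit message ("avoid using GSS_C_DELEG_FLAG") should say so explicitly, and a comment above gss_want_flags noting that delegation is now policy-controlled would prevent the next reader from re-adding the flag.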
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
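Review bot: Only the default of the "delegation" setting changes here, so an existing configuration that sets it explicitly keeps its old behaviour; the changed default should be documented where the gensec_gssapi options are described (assuming the usual parametric-option form "gensec_gssapi:delegation = true" in smb.conf), together with a note that the "mutual" and "replay" settings in the surrounding lines keep their default of true.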
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
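Review bot: GSS_C_DELEG_FLAG is removed without adding GSS_C_DELEG_POLICY_FLAG, which differs from the gse.c hunk in the same changeset that keeps the policy flag; if the difference is intentional (a DNS TKEY negotiation has no need for delegated credentials), a one-line comment above "my $flags" saying so would stop the two call sites from drifting further apart.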
--
Samba Shared Repository