[SCM] Samba Shared Repository - branch v4-3-stable updated

Karolin Seeger kseeger at samba.org
Tue Mar 8 12:50:44 UTC 2016


The branch, v4-3-stable has been updated
       via  c7a93d7 VERSION: Disable git snapshots for the 4.3.6 release.
       via  d6bd81e WHATSNEW: Add release notes for Samba 4.3.6.
       via  b428ecb CVE-2016-0771: tests/dns: Remove dependencies on env variables
       via  7a11d99 CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
       via  0dea999 CVE-2016-0771: tests: rename test getopt to get_opt
       via  ad5e885 CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
       via  2b4c7db CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
       via  eb46848 CVE-2016-0771: tests/dns: modify tests to check via RPC
       via  63103d1 CVE-2016-0771: tests/dns: Add some more test cases for TXT records
       via  3bca5fc CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
       via  4011a52 CVE-2016-0771: tests/dns: restore formerly segfaulting test
       via  9f7a2a1 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
       via  51ac36e CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
       via  18faca0 CVE-2016-0771: tests/dns: prepare script for further testing
       via  3196b9e CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
       via  1c69840 CVE-2016-0771: dns.idl: make use of dnsp_hinfo
       via  df431a3 CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
       via  7693d68 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
       via  efaf509 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
       via  7ee8a4c CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
       via  c68280d CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
       via  ceb6dcc CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
       via  444ba8f CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
       via  25963b1 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
       via  63ae57f CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
       via  062876f CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
       via  e27f9a4 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
       via  2907193 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
       via  0be03f1 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
       via  774e210 CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
       via  fa1c482 CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
       via  76f6cf5 CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
       via  c23f677 VERSION: Bump version up to 4.3.6...
      from  8a42885 VERSION: Disable git snapshots for the 4.3.5 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-stable


- Log -----------------------------------------------------------------
commit c7a93d73a64be116d52aea0972e9a47c3234c73c
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 24 12:28:14 2016 +0100

    VERSION: Disable git snapshots for the 4.3.6 release.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit d6bd81ecdb638d1761edd815eb108d77ac6ad55e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 24 12:27:27 2016 +0100

    WHATSNEW: Add release notes for Samba 4.3.6.
    
    CVE-2015-7560 Getting and setting Windows ACLs on symlinks can change
    permissions on link target.
    CVE-2016-0771: Read of uninitialized memory DNS TXT handling
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit b428ecb28cfef407a91d0048a3769f8421fa252a
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:28:54 2016 +1300

    CVE-2016-0771: tests/dns: Remove dependencies on env variables
    
    Now that it is invoked as a normal script, there should be less of them.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7a11d9990af8aa87c16fb593cc181468962984fd
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:03:56 2016 +1300

    CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
    
    This makes it easier to invoke, particularly against Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0dea999de7eb30db1162e467e93daa15839696ca
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 22 11:35:03 2016 +1300

    CVE-2016-0771: tests: rename test getopt to get_opt
    
    This avoids any conflicts in this directory with the original toplevel
    getopt.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ad5e885c2b0f58888237b409076113d4b06686db
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:54:58 2016 +1300

    CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
    
    Make sure that TXT entries stored via RPC come out the same in DNS.
    
    This has one caveat in that adding over RPC in Windows eats slashes,
    and so fails there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2b4c7dbc15465911be35a1bdb1f10e396118fb1c
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:36:43 2016 +1300

    CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
    
    While using a charset is not entirely logical, it allows testing of non
    UTF-8 data (like inserting 0xFF into the TXT string).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit eb4684895c347bfb6675e11ef8bf2e737db71657
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 27 17:41:44 2016 +1300

    CVE-2016-0771: tests/dns: modify tests to check via RPC
    
    This checks that TXT records added over DNS, look the same over RPC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 63103d1035ad8857e1cbb932a51f8c36dcdf9f34
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Jan 18 12:39:46 2016 +1300

    CVE-2016-0771: tests/dns: Add some more test cases for TXT records
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3bca5fcee8d8847297d96795054c2c0696419846
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 10:25:44 2016 +1300

    CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
    
    Both Samba and Windows returned NXRRSET
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4011a52e1645ef00c21ba27a0204de08b7ec2108
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Dec 15 17:22:32 2015 +1300

    CVE-2016-0771: tests/dns: restore formerly segfaulting test
    
    This was on the client side, due to a strlen(NULL) on the previously
    DOS-encoded TXT field. With a new IDL structure, this segfault no longer exists.
    Note that both Samba and Windows return NXRRSET instead of FORMERR.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9f7a2a1fef9735a15163b73e13f38e1666601666
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 17:08:18 2016 +1300

    CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 51ac36e014cfbf5f7d0efdb65490d66e6edc3d6f
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 15:43:55 2016 +1300

    CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
    
    Two requests with identical parameters which are poorly formatted, can
    non-deterministically return FORMERR or simply fail to give a response.
    
    Setting the timeout to a number allows Windows to succeed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 18faca0c946d51370e973726cc929c00814fc9f7
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 16:58:40 2016 +1300

    CVE-2016-0771: tests/dns: prepare script for further testing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3196b9e51252f6e59768cebc71d707c596ffb82f
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 6 14:12:35 2016 +1300

    CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1c69840ef5e50e8f05be1b615c52cbe4cc309c96
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: dns.idl: make use of dnsp_hinfo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit df431a39e4781cf84d119cfbf52aacf29e1dd802
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
    
    From RFC 1035:
    
        3.3.14. TXT RDATA format
    
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            /                   TXT-DATA                    /
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    
        where:
    
        TXT-DATA        One or more <character-string>s.
    
        TXT RRs are used to hold descriptive text.  The semantics of the text
        depends on the domain where it is found.
    
    Each record contains an array of strings instead of just one string.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7693d683b5fa3ee3e311f4ad21a0237b0d61e3ca
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit efaf50945f9d6bcb21b4e55568e84e085d9b525f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
    
    RPC_NDR_DNSSERVER is the client interface; NDR_DNSP contains just
    marshalling helpers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7ee8a4c0fd61b9be6cbac59cff06b7b92d2b78e8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c68280d930d658b40085d442004284ef73d288f0
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 14:26:35 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit ceb6dcc5df067354c5617b32d9c2ed860c0805e8
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 12:58:34 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 444ba8f42003622fb64e9c0ae2e2deda158a1c2a
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:02:52 2016 -0800

    CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 25963b1be1e46e4f4d9eb0121c6db808fdfa7032
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:17:24 2016 -0800

    CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 63ae57f412c5d1b6de20062cfc7c94dabdcae021
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:33:48 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 062876f6dd9db6ce573a69f644571b75eb894efb
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:29:38 2016 -0800

    CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit e27f9a419420ed49190fc5ca44e984a021d8de15
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:05:48 2016 -0800

    CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 2907193961139c5398c95815aaa4c501af35a507
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:24:36 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 0be03f1b14f8da5d6657f660c5c4853fe3dfc0c5
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:22:12 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 774e210f891023bbd76aba14545b0e5eb0cc1512
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:52:50 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit fa1c482083cc1b0f124490bd40ad79dd7e94de2c
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:38:28 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 76f6cf5bbfc1eececa3c76f492372fd66f5fa7ed
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:18:12 2016 -0800

    CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit c23f6775c1b0310db03ae6d8ef45fa4b6e2a3e3e
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Feb 22 10:33:44 2016 +0100

    VERSION: Bump version up to 4.3.6...
    
    and re-enable git snapshots.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 150d1f6bde7140665185167310e685c4228e1b2d)

-----------------------------------------------------------------------
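
The TXT RDATA layout quoted from RFC 1035 in commit df431a3 above, as an added example (not Samba code and not part of the original message): a bounds-checked parser that splits RDATA into its length-prefixed character-strings. The names txt_rdata_parse, struct txt_record and TXT_MAX_STRINGS are assumptions made for the example, and rejecting empty RDATA is this example's reading of "One or more".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative limit chosen for this example, not taken from Samba. */
#define TXT_MAX_STRINGS 16

/*
 * One <character-string>: a length octet followed by that many bytes.
 * data points into the caller's RDATA buffer and is NOT NUL-terminated,
 * so bytes such as 0x00 or 0xFF inside a string are preserved and no
 * strlen() is ever applied to wire data.
 */
struct txt_string {
	const uint8_t *data;
	uint8_t len;
};

struct txt_record {
	size_t count;
	struct txt_string str[TXT_MAX_STRINGS];
};

/*
 * Split TXT RDATA into its character-strings.
 * Returns 0 on success. Returns -1 (and leaves out->count at 0) if RDATA
 * is empty, if a length octet claims more bytes than RDATA has left, or
 * if there are more than TXT_MAX_STRINGS strings.
 */
int txt_rdata_parse(const uint8_t *rdata, size_t rdlength,
		    struct txt_record *out)
{
	size_t off = 0;

	out->count = 0;
	if (rdata == NULL || rdlength == 0) {
		return -1;
	}
	while (off < rdlength) {
		uint8_t len = rdata[off];
		off++;
		/* Bound every string by the record's RDATA length. */
		if (len > rdlength - off) {
			out->count = 0;
			return -1;
		}
		if (out->count == TXT_MAX_STRINGS) {
			out->count = 0;
			return -1;
		}
		out->str[out->count].data = rdata + off;
		out->str[out->count].len = len;
		out->count++;
		off += len;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample RDATA: "abc", then the two bytes 0x00 0xFF. */
	static const uint8_t good[] = { 3, 'a', 'b', 'c', 2, 0x00, 0xFF };
	/* Constructed malformed RDATA: length octet 5, only 2 bytes follow. */
	static const uint8_t bad[] = { 5, 'a', 'b' };
	struct txt_record rec;
	size_t i;

	if (txt_rdata_parse(good, sizeof(good), &rec) == 0) {
		for (i = 0; i < rec.count; i++) {
			printf("string %zu: %u bytes\n", i,
			       (unsigned)rec.str[i].len);
		}
	}
	printf("truncated record: %d\n",
	       txt_rdata_parse(bad, sizeof(bad), &rec));
	return 0;
}
```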

Summary of changes:
 VERSION                                      |   2 +-
 WHATSNEW.txt                                 |  87 +++-
 librpc/idl/dns.idl                           |  18 +-
 librpc/idl/dnsp.idl                          |   4 +-
 librpc/idl/dnsserver.idl                     |   2 +-
 librpc/ndr/ndr_dns.c                         |  27 ++
 librpc/ndr/ndr_dnsp.c                        |  24 +
 librpc/ndr/ndr_dnsp.h                        |   4 +
 librpc/wscript_build                         |  20 +-
 python/samba/tests/dns.py                    | 640 ++++++++++++++++++++-------
 python/samba/tests/{getopt.py => get_opt.py} |   0
 selftest/knownfail                           |   2 +
 selftest/tests.py                            |   2 +-
 source3/client/client.c                      |   2 +-
 source3/libsmb/clifile.c                     | 130 +++++-
 source3/libsmb/proto.h                       |  17 +-
 source3/selftest/tests.py                    |   2 +-
 source3/smbd/nttrans.c                       |  13 +
 source3/smbd/trans2.c                        |  68 ++-
 source3/torture/torture.c                    | 376 ++++++++++++++++
 source4/dns_server/dns_query.c               |  15 +-
 source4/dns_server/dns_update.c              |  31 +-
 source4/librpc/wscript_build                 |   4 +-
 source4/selftest/tests.py                    |   3 +-
 24 files changed, 1232 insertions(+), 261 deletions(-)
 rename python/samba/tests/{getopt.py => get_opt.py} (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 1bdc118..2dec4b2 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=5
+SAMBA_VERSION_RELEASE=6
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index add8af0..a47ede4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,87 @@
                    =============================
+                   Release Notes for Samba 4.3.6
+                           March 8, 2016
+                   =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o  CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
+o  CVE-2016-0771 (Out-of-bounds read in internal DNS server)
+
+=======
+Details
+=======
+
+o  CVE-2015-7560:
+   All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
+   a malicious client overwriting the ownership of ACLs using symlinks.
+
+   An authenticated malicious client can use SMB1 UNIX extensions to
+   create a symlink to a file or directory, and then use non-UNIX SMB1
+   calls to overwrite the contents of the ACL on the file or directory
+   linked to.
+
+o  CVE-2016-0771:
+   All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
+   an AD DC and choose to run the internal DNS server, are vulnerable to an
+   out-of-bounds read issue during DNS TXT record handling caused by users
+   with permission to modify DNS records.
+
+   A malicious client can upload a specially constructed DNS TXT record,
+   resulting in a remote denial-of-service attack. As long as the affected
+   TXT record remains undisturbed in the Samba database, a targeted DNS
+   query may continue to trigger this exploit.
+
+   While unlikely, the out-of-bounds read may bypass safety checks and
+   allow leakage of memory from the server in the form of a DNS TXT reply.
+
+   By default only authenticated accounts can upload DNS records,
+   as "allow dns updates = secure only" is the default.
+   Any other value would allow anonymous clients to trigger this
+   bug, which is a much higher risk.
+
+
+Changes since 4.3.5:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
+     change permissions on link target.
+
+o  Garming Sam <garming at catalyst.net.nz>
+   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+     handling.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+     handling.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Older release notes to follow:
+------------------------------
+
+                   =============================
                    Release Notes for Samba 4.3.5
                          February 23, 2016
                    =============================
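Review bot: The CVE-2016-0771 summary line near the top of the new notes calls the issue "Out-of-bounds read in internal DNS server", but the two entries under "Changes since 4.3.5" call it "Read of uninitialized memory DNS TXT handling"; use one description throughout so readers matching the notes against the advisory are not left guessing. In the Details text, "when deployed as an AD DC and choose to run the internal DNS server" needs a subject for "choose" (for example "and configured to run the internal DNS server"), and "overwriting the ownership of ACLs" in the CVE-2015-7560 paragraph would read more clearly if it matched the next paragraph, which says the contents of the ACL are overwritten.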
@@ -82,8 +165,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Older release notes to follow:
-------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.3.4
diff --git a/librpc/idl/dns.idl b/librpc/idl/dns.idl
index d247e0e..5435fcf 100644
--- a/librpc/idl/dns.idl
+++ b/librpc/idl/dns.idl
@@ -8,7 +8,7 @@
    encoding if it doesn't work out
 */
 
-import "misc.idl";
+import "misc.idl", "dnsp.idl";
 [
 	helper("librpc/ndr/ndr_dns.h"),
 	helpstring("DNS records"),
@@ -152,20 +152,12 @@ interface dns
 	} dns_soa_record;
 
 	typedef [public] struct {
-		[value(strlen(cpu))] uint8 cpu_length;
-		[charset(DOS)] uint8 cpu[cpu_length];
-		[value(strlen(os))] uint8 os_length;
-		[charset(DOS)] uint8 os[os_length];
-	} dns_hinfo_record;
-
-	typedef [public] struct {
 		uint16     preference;
 		dns_string exchange;
 	} dns_mx_record;
 
-	typedef [public] struct {
-		[value(strlen(txt))] uint8 length;
-		[charset(DOS)] uint8 txt[length];
+	typedef [public,nopull] struct {
+		dnsp_string_list txt;
 	} dns_txt_record;
 
 	typedef [public] struct {
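Review bot: Missing documentation on the new dns_txt_record: [public,nopull] suppresses the generated pull, so the only parser is the hand-written ndr_pull_dns_txt_record() added to librpc/ndr/ndr_dns.c in this changeset. A comment above the typedef should name that function and state that the string list is bounded by the enclosing record's RDATA length. The removed dns_hinfo_record used the same [value(strlen(...))] plus [charset(DOS)] pattern as the old TXT definition, and saying so in the IDL would explain why it is replaced by dnsp_hinfo rather than kept.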
@@ -232,7 +224,7 @@ interface dns
 		[case(DNS_QTYPE_CNAME)] dns_string       cname_record;
 		[case(DNS_QTYPE_SOA)]   dns_soa_record   soa_record;
 		[case(DNS_QTYPE_PTR)]   dns_string       ptr_record;
-		[case(DNS_QTYPE_HINFO)] dns_hinfo_record  hinfo_record;
+		[case(DNS_QTYPE_HINFO)] dnsp_hinfo       hinfo_record;
 		[case(DNS_QTYPE_MX)]    dns_mx_record    mx_record;
 		[case(DNS_QTYPE_TXT)]	dns_txt_record   txt_record;
 		[case(DNS_QTYPE_RP)]	dns_rp_record    rp_record;
@@ -270,7 +262,7 @@ interface dns
         /*
 	   this is a convenience hook for ndrdump
 	*/
-	void decode_dns_name_packet(
+	[nopython] void decode_dns_name_packet(
 				    [in] dns_name_packet packet
 				   );
 }
diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
index 4c49001..d705cfc 100644
--- a/librpc/idl/dnsp.idl
+++ b/librpc/idl/dnsp.idl
@@ -263,11 +263,11 @@ interface dnsp
 	/*
 	  these are convenience hooks for ndrdump
 	 */
-	void decode_DnssrvRpcRecord(
+	[nopython] void decode_DnssrvRpcRecord(
 		[in] dnsp_DnssrvRpcRecord blob
 		);
 
-	void decode_DnsProperty(
+	[nopython] void decode_DnsProperty(
 		[in] dnsp_DnsProperty blob
 		);
 }
diff --git a/librpc/idl/dnsserver.idl b/librpc/idl/dnsserver.idl
index ca9c371..c7742e7 100644
--- a/librpc/idl/dnsserver.idl
+++ b/librpc/idl/dnsserver.idl
@@ -73,7 +73,7 @@ import "misc.idl", "dnsp.idl";
 
 	typedef [public,gensize] struct {
 		[value(strlen(str))] uint8 len;
-		[charset(UTF8)] uint8 str[len];
+		[charset(UNIX)] uint8 str[len];
 	}
 	DNS_RPC_NAME;
 
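Review bot: The context line "[value(strlen(str))] uint8 len;" directly above the changed line is left as it was, so DNS_RPC_NAME still derives its length from strlen(): a value with an embedded NUL is cut short, and len is a uint8, so anything longer than 255 bytes cannot be represented. The commit message justifies charset(UNIX) by wanting to insert bytes such as 0xFF into TXT strings; please add a comment stating which byte values are expected to survive this struct. The struct is named DNS_RPC_NAME rather than anything TXT-specific, so also say whether the charset change is meant to apply to every user of it.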
diff --git a/librpc/ndr/ndr_dns.c b/librpc/ndr/ndr_dns.c
index 0b9e3b0..065d992 100644
--- a/librpc/ndr/ndr_dns.c
+++ b/librpc/ndr/ndr_dns.c
@@ -30,6 +30,7 @@
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_dns.h"
 #include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_dnsp.h"
 #include "system/locale.h"
 #include "lib/util/util_net.h"
 
@@ -230,6 +231,29 @@ _PUBLIC_ enum ndr_err_code ndr_push_dns_string(struct ndr_push *ndr,
 	return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
 }
 
+_PUBLIC_ enum ndr_err_code ndr_pull_dns_txt_record(struct ndr_pull *ndr, int ndr_flags, struct dns_txt_record *r)
+{
+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+	if (ndr_flags & NDR_SCALARS) {
+		enum ndr_err_code ndr_err;
+		uint32_t data_size = ndr->data_size;
+		uint32_t record_size = 0;
+		ndr_err = ndr_token_retrieve(&ndr->array_size_list, r,
+					     &record_size);
+		if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+			NDR_PULL_NEED_BYTES(ndr, record_size);
+			ndr->data_size = ndr->offset + record_size;
+		}
+		NDR_CHECK(ndr_pull_align(ndr, 1));
+		NDR_CHECK(ndr_pull_dnsp_string_list(ndr, NDR_SCALARS, &r->txt));
+		NDR_CHECK(ndr_pull_trailer_align(ndr, 1));
+		ndr->data_size = data_size;
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+	}
+	return NDR_ERR_SUCCESS;
+}
+
 _PUBLIC_ enum ndr_err_code ndr_push_dns_res_rec(struct ndr_push *ndr,
 						int ndr_flags,
 						const struct dns_res_rec *r)
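Review bot: In ndr_pull_dns_txt_record(), ndr->data_size is narrowed to ndr->offset + record_size and restored only on the last line of the NDR_SCALARS branch, so any NDR_CHECK() that fails in between returns with the pull context still clamped; restore data_size before propagating the error, or document that the context must not be reused after a failed pull. Two further points: the key passed to ndr_token_retrieve() is r, while the length is stored in ndr_pull_dns_res_rec() under &r->rdata, which only matches if the TXT record sits at the same address as rdata, as a union member would, and that coupling needs a comment; and when no token is found the function silently parses up to the end of the whole buffer, which should be either commented as intentional or treated as an error. The empty "if (ndr_flags & NDR_BUFFERS)" block can be dropped.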
@@ -302,6 +326,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dns_res_rec(struct ndr_pull *ndr,
 		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length));
 		_saved_offset1 = ndr->offset;
 		if (r->length > 0) {
+			NDR_CHECK(ndr_token_store(ndr, &ndr->array_size_list,
+						  &r->rdata,
+						  r->length));
 			NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->rdata,
 							    r->rr_type));
 			NDR_CHECK(ndr_pull_dns_rdata(ndr, NDR_SCALARS,
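Review bot: The added ndr_token_store() call reuses ndr->array_size_list to carry r->length, and does so for every record type with a non-zero length, although in this changeset only the TXT pull retrieves it. Add a comment here naming ndr_pull_dns_txt_record() as the consumer and explaining that the token is the RDATA bound for the string list, so a later reader does not take it for a real array size or remove it as unused.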
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 46141c1..3cb96f9 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -222,3 +222,27 @@ enum ndr_err_code ndr_push_dnsp_string_list(struct ndr_push *ndr, int ndr_flags,
 	}
 	return NDR_ERR_SUCCESS;
 }
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+					    const struct dnsp_string_list *src,
+					    struct dnsp_string_list *dst)
+{
+	size_t i;
+
+	dst->count = 0;
+	dst->str = talloc_zero_array(mem_ctx, const char *, src->count);
+	if (dst->str == NULL) {
+		return NDR_ERR_ALLOC;
+	}
+
+	for (i = 0; i < src->count; i++) {
+		dst->str[i] = talloc_strdup(dst->str, src->str[i]);
+		if (dst->str[i] == NULL) {
+			TALLOC_FREE(dst->str);
+			return NDR_ERR_ALLOC;
+		}
+	}
+
+	dst->count = src->count;
+	return NDR_ERR_SUCCESS;
+}
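Review bot: In the copy loop, a NULL src->str[i] makes talloc_strdup() return NULL, so ndr_dnsp_string_list_copy() reports NDR_ERR_ALLOC for what is really bad input; check for NULL entries explicitly and return a distinct error, or state in a comment that callers guarantee non-NULL strings. The function also lacks a doc comment: it should say that dst->str is allocated on mem_ctx, that each string is a talloc child of dst->str, and that on failure dst is left with count 0 and str NULL.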
diff --git a/librpc/ndr/ndr_dnsp.h b/librpc/ndr/ndr_dnsp.h
index 67f952c..0d56633 100644
--- a/librpc/ndr/ndr_dnsp.h
+++ b/librpc/ndr/ndr_dnsp.h
@@ -27,3 +27,7 @@ void ndr_print_dnsp_string(struct ndr_print *ndr, const char *name,
 				  const char *dns_string);
 enum ndr_err_code ndr_pull_dnsp_string(struct ndr_pull *ndr, int ndr_flags, const char **string);
 enum ndr_err_code ndr_push_dnsp_string(struct ndr_push *ndr, int ndr_flags, const char *string);
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+					    const struct dnsp_string_list *src,
+					    struct dnsp_string_list *dst);
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 1594e72..d376bec 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -27,12 +27,12 @@ bld.SAMBA_SUBSYSTEM('NDR_NAMED_PIPE_AUTH',
 
 bld.SAMBA_SUBSYSTEM('NDR_DNSSERVER',
     source='gen_ndr/ndr_dnsserver.c ndr/ndr_dnsserver.c',
-    public_deps='ndr'
+    public_deps='ndr NDR_DNSP'
     )
 
 bld.SAMBA_SUBSYSTEM('NDR_DNS',
     source='gen_ndr/ndr_dns.c ndr/ndr_dns.c',
-    public_deps='ndr'
+    public_deps='ndr NDR_DNSP'
     )
 
 bld.SAMBA_SUBSYSTEM('NDR_DSBACKUP',
@@ -371,7 +371,7 @@ bld.SAMBA_LIBRARY('ndr-standard',
     pc_files='ndr_standard.pc',
     deps='''NDR_SECURITY NDR_LSA NDR_SAMR NDR_NETLOGON NDR_EVENTLOG NDR_DFS
     NDR_NTSVCS NDR_SVCCTL NDR_INITSHUTDOWN NDR_WKSSVC NDR_SRVSVC NDR_WINREG
-    NDR_ECHO security NDR_DNS NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
+    NDR_ECHO security NDR_DNS NDR_DNSP NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
     NDR_SERVER_ID NDR_NOTIFY''',
     public_deps='ndr',
     public_headers='gen_ndr/samr.h gen_ndr/ndr_samr.h gen_ndr/lsa.h gen_ndr/netlogon.h gen_ndr/atsvc.h gen_ndr/ndr_atsvc.h gen_ndr/ndr_svcctl.h gen_ndr/svcctl.h',
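Review bot: adding NDR_DNSP to the deps of ndr-standard changes the exported symbol set of a library that ships a pc file and public headers, while a later hunk drops NDR_DNSP from the private ndr-samba library. Nothing in this hunk adjusts a library version or ABI file, so confirm that the ABI check for ndr-standard still passes and that moving these symbols between the two libraries does not break already-built consumers.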
@@ -453,11 +453,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_AUDIOSRV',
     public_deps='NDR_AUDIOSRV dcerpc-binding'
     )
 
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNS',
-    source='gen_ndr/ndr_dns_c.c',
-    public_deps='dcerpc-binding NDR_DNS'
-    )
-
 bld.SAMBA_SUBSYSTEM('RPC_NDR_ECHO',
     source='gen_ndr/ndr_echo_c.c',
     public_deps='dcerpc-binding NDR_ECHO'
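Review bot: removing the RPC_NDR_DNS subsystem here (and RPC_NDR_DNSP in the following hunk) is only safe if no other wscript_build still lists either name in its deps; this diff updates dcerpc-samba but shows no other consumers. Grep the tree for both names before merging to confirm nothing still links against the generated ndr_dns_c.c and ndr_dnsp_c.c client stubs.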
@@ -640,11 +635,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_BACKUPKEY',
     public_deps='dcerpc-binding NDR_BACKUPKEY'
     )
 
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSP',
-    source='gen_ndr/ndr_dnsp_c.c',
-    public_deps='dcerpc-binding NDR_DNSP'
-    )
-
 bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSSERVER',
     source='gen_ndr/ndr_dnsserver_c.c',
     public_deps='dcerpc-binding ndr-standard'
@@ -679,7 +669,7 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_MDSSVC',
 bld.SAMBA_LIBRARY('ndr-samba',
     source=[],
     deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_SCHANNEL NDR_MGMT
-    NDR_DNSP NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
+    NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
     NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''',
     private_library=True,
     grouping_library=True
@@ -691,7 +681,7 @@ bld.SAMBA_LIBRARY('dcerpc-samba',
     deps='''RPC_NDR_LSA RPC_NDR_SAMR RPC_NDR_NETLOGON RPC_NDR_EVENTLOG
     RPC_NDR_DFS RPC_NDR_NTSVCS RPC_NDR_SVCCTL RPC_NDR_INITSHUTDOWN
     RPC_NDR_WKSSVC RPC_NDR_SRVSVC RPC_NDR_WINREG RPC_NDR_ECHO RPC_NDR_EPMAPPER
-    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNS''',
+    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNSSERVER''',
     public_deps='ndr-standard',
     private_library=True,
     grouping_library=True
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index 04ac356..e0739d0 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -16,18 +16,67 @@
 #
 
 import os
+import sys
 import struct
 import random
 import socket
 import samba.ndr as ndr
-import samba.dcerpc.dns as dns
 from samba import credentials, param
 from samba.tests import TestCase
-from samba.dcerpc import dnsp, dnsserver
-
+from samba.dcerpc import dns, dnsp, dnsserver
+from samba.netcmd.dns import TXTRecord, dns_record_match, data_to_dns_record
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+import samba.getopt as options
+import optparse
+
+parser = optparse.OptionParser("dns.py <server name> <server ip> [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
+
+# This timeout only has relevance when testing against Windows
+# Format errors tend to return patchy responses, so a timeout is needed.
+parser.add_option("--timeout", type="int", dest="timeout",
+                  help="Specify timeout for DNS requests")
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+opts, args = parser.parse_args()
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+timeout = opts.timeout
+
+if len(args) < 2:
+    parser.print_usage()
+    sys.exit(1)
+
+server_name = args[0]
+server_ip = args[1]
+creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
+
+def make_txt_record(records):
+    rdata_txt = dns.txt_record()
+    s_list = dnsp.string_list()
+    s_list.count = len(records)
+    s_list.str = records
+    rdata_txt.txt = s_list
+    return rdata_txt
 
 class DNSTest(TestCase):
 
+    def setUp(self):
+        global server, server_ip, lp, creds
+        super(DNSTest, self).setUp()
+        self.server = server_name
+        self.server_ip = server_ip
+        self.lp = lp
+        self.creds = creds
+
     def errstr(self, errcode):
         "Return a readable error code"
         string_codes = [
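Review bot: in setUp, the statement "global server, server_ip, lp, creds" names server, which is never defined at module level (the module variable is server_name), and the global statement is unnecessary anyway because the method only reads these names; drop the line. Separately, the option parsing and the sys.exit(1) on fewer than two arguments now run at import time, so anything that imports samba.tests.dns without the positional arguments terminates the process. A comment at the top of the file stating that the module is only meant to be run as a script would make that explicit.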
@@ -83,9 +132,10 @@ class DNSTest(TestCase):
 
     def get_dns_domain(self):
         "Helper to get dns domain"
-        return os.getenv('REALM', 'example.com').lower()
+        return self.creds.get_realm().lower()
 
-    def dns_transaction_udp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+    def dns_transaction_udp(self, packet, host=server_ip,
+                            dump=False, timeout=timeout):
         "send a DNS query and read the reply"
         s = None
         try:
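Review bot: get_dns_domain() loses its fallback. The old code defaulted to 'example.com' when REALM was unset, while self.creds.get_realm().lower() fails with an AttributeError if get_realm() returns None. Check the return value and fail the test with a clear message instead. Also note that host=server_ip and timeout=timeout are evaluated once, when the class body is executed, so they capture the module-level values parsed from the command line; that is the intended behaviour here but deserves a one-line comment.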
@@ -93,6 +143,7 @@ class DNSTest(TestCase):
             if dump:
                 print self.hexdump(send_packet)
             s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
+            s.settimeout(timeout)
             s.connect((host, 53))
             s.send(send_packet, 0)
             recv_packet = s.recv(2048, 0)
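Review bot: s.settimeout(timeout) only has an effect when --timeout is passed. The option is added without a default, so timeout is None and the socket stays blocking, which leaves s.recv(2048, 0) able to hang in exactly the Windows case the option's comment describes; consider giving the option a default value. When a timeout is set, recv can raise socket.timeout, so tests that expect a format error need to handle that exception explicitly rather than let it surface as an unrelated test error.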
@@ -103,7 +154,8 @@ class DNSTest(TestCase):
             if s is not None:
                 s.close()
 
-    def dns_transaction_tcp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+    def dns_transaction_tcp(self, packet, host=server_ip,
+                            dump=False, timeout=timeout):
         "send a DNS query and read the reply"
         s = None
         try:
@@ -111,6 +163,7 @@ class DNSTest(TestCase):
             if dump:
                 print self.hexdump(send_packet)
             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
+            s.settimeout(timeout)
             s.connect((host, 53))
             tcp_packet = struct.pack('!H', len(send_packet))
             tcp_packet += send_packet
@@ -123,6 +176,44 @@ class DNSTest(TestCase):
                 if s is not None:
                     s.close()
 
+    def make_txt_update(self, prefix, txt_array):
+        p = self.make_name_packet(dns.DNS_OPCODE_UPDATE)
+        updates = []
+
+        name = self.get_dns_domain()
+        u = self.make_name_question(name, dns.DNS_QTYPE_SOA, dns.DNS_QCLASS_IN)
+        updates.append(u)
+        self.finish_name_packet(p, updates)
+
+        updates = []
+        r = dns.res_rec()
+        r.name = "%s.%s" % (prefix, self.get_dns_domain())
+        r.rr_type = dns.DNS_QTYPE_TXT
+        r.rr_class = dns.DNS_QCLASS_IN
+        r.ttl = 900
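Review bot: make_txt_update has no docstring, unlike the neighbouring helpers (for example "send a DNS query and read the reply"), and the TTL is the bare literal 900. Add a one-line docstring saying what prefix and txt_array mean, and use a named constant or a comment for the TTL, so the helper is easier to reuse in the new TXT record tests.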


-- 
Samba Shared Repository


