[SCM] Samba Shared Repository - branch v4-2-stable updated
Karolin Seeger
kseeger at samba.org
Tue Mar 8 12:52:56 UTC 2016
The branch, v4-2-stable has been updated
via c0aa427 VERSION: Disable git snapshots for the 4.2.9 release.
via c3eeba3 WHATSNEW: Add release notes for Samba 4.2.9.
via 981cbe1 CVE-2016-0771: tests/dns: Remove dependencies on env variables
via 4dfa41d CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
via 409ec58 CVE-2016-0771: tests: rename test getopt to get_opt
via 93662cf CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
via b9c595f CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
via 43de2c0 CVE-2016-0771: tests/dns: modify tests to check via RPC
via 18a1a7c CVE-2016-0771: tests/dns: Add some more test cases for TXT records
via 1cae991 CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
via ffe5757 CVE-2016-0771: tests/dns: restore formerly segfaulting test
via 9f1f669 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
via 5462a4c CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
via 356cc26 CVE-2016-0771: tests/dns: prepare script for further testing
via d076289 CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
via 9c50144 CVE-2016-0771: dns.idl: make use of dnsp_hinfo
via 50972cc CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
via 69a4def CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
via 192a619 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
via 8070e38 CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
via 6296447 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
via db00d27 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
via 6122a71 CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
via 10e5700 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
via 5923745 CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
via e77fb42 CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
via ef5f235 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
via 3898806 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
via cb5b446 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
via 478ed76 CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
via cc73ba9 CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
via e20deaf CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
via 0549f6e VERSION: Bump version up to 4.2.9...
from ba74960 VERSION: Disable git snapshots for the 4.2.8 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-stable
- Log -----------------------------------------------------------------
commit c0aa42785d6b942b58a167da80f5e64385beff02
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Feb 24 12:23:53 2016 +0100
VERSION: Disable git snapshots for the 4.2.9 release.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit c3eeba393fb92e006597fffb09720ce33be5795b
Author: Karolin Seeger <kseeger at samba.org>
Date: Wed Feb 24 12:22:26 2016 +0100
WHATSNEW: Add release notes for Samba 4.2.9.
CVE-2015-7560 Getting and setting Windows ACLs on symlinks can change
permissions on link target.
CVE-2016-0771: Read of uninitialized memory DNS TXT handling
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 981cbe1e9be9de8d9775ba1fc9a53b2f719472d6
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Jan 29 17:28:54 2016 +1300
CVE-2016-0771: tests/dns: Remove dependencies on env variables
Now that it is invoked as a normal script, there should be less of them.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4dfa41df9a87cb4793de3e9cd36d9b38f215d7cb
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Jan 29 17:03:56 2016 +1300
CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
This makes it easier to invoke, particularly against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 409ec584519b4ef45e28a7078ea2d234f6164081
Author: Garming Sam <garming at catalyst.net.nz>
Date: Fri Jan 22 11:35:03 2016 +1300
CVE-2016-0771: tests: rename test getopt to get_opt
This avoids any conflicts in this directory with the original toplevel
getopt.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 93662cf283a8eaf84b67646f80f92847e073209a
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Jan 28 12:54:58 2016 +1300
CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
Make sure that TXT entries stored via RPC come out the same in DNS.
This has one caveat in that adding over RPC in Windows eats slashes,
and so fails there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b9c595feff54d415aadfcce4a5bfc982ff10ce14
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Jan 28 12:36:43 2016 +1300
CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
While using a charset is not entirely logical, it allows testing of non
UTF-8 data (like inserting 0xFF into the TXT string).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 43de2c0ddfe81617c927750438c02407b47e5cb5
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Jan 27 17:41:44 2016 +1300
CVE-2016-0771: tests/dns: modify tests to check via RPC
This checks that TXT records added over DNS, look the same over RPC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 18a1a7c4a14cdf0960635f152bcdbafbdba739e5
Author: Garming Sam <garming at catalyst.net.nz>
Date: Mon Jan 18 12:39:46 2016 +1300
CVE-2016-0771: tests/dns: Add some more test cases for TXT records
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1cae991b029ec6e0ce4d18c1b3299889e23230b1
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Jan 21 10:25:44 2016 +1300
CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
Both Samba and Windows returned NXRRSET
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ffe575725bb5b921b63810c629f93dd71178ce93
Author: Garming Sam <garming at catalyst.net.nz>
Date: Tue Dec 15 17:22:32 2015 +1300
CVE-2016-0771: tests/dns: restore formerly segfaulting test
This was on the client side, due to a strlen(NULL) on the previously
DOS-encoded TXT field. With a new IDL structure, this segfault no longer exists.
Note that both Samba and Windows return NXRRSET instead of FORMERR.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9f1f669aa49dd9de80f18e97d2a28e094810ef97
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Jan 21 17:08:18 2016 +1300
CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5462a4c4b449eb373062ebaa9e91619db6fd305f
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Jan 21 15:43:55 2016 +1300
CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
Two requests with identical parameters which are poorly formatted, can
non-deterministically return FORMERR or simply fail to give a response.
Setting the timeout to a number allows Windows to succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 356cc2613394b76bae9c0eb9615323cb7426f474
Author: Garming Sam <garming at catalyst.net.nz>
Date: Thu Jan 21 16:58:40 2016 +1300
CVE-2016-0771: tests/dns: prepare script for further testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d0762899de57590a155d6058f2be560f98f5c3b9
Author: Garming Sam <garming at catalyst.net.nz>
Date: Wed Jan 6 14:12:35 2016 +1300
CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9c5014414693a4759c86e4cc55a89515da2b6a9f
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 11:36:47 2015 +0200
CVE-2016-0771: dns.idl: make use of dnsp_hinfo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 50972cc8f53045b38e58760c4c7b6c77fd7d2d5c
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 11:36:47 2015 +0200
CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
From RFC 1035:
3.3.14. TXT RDATA format
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
/ TXT-DATA /
+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
where:
TXT-DATA One or more <character-string>s.
TXT RRs are used to hold descriptive text. The semantics of the text
depends on the domain where it is found.
Each record contains an array of strings instead of just one string.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 69a4defe3e56030cc63b1e9b29c24f047c287bbf
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 11:36:47 2015 +0200
CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 192a619b9a261e644fa66718731e733469a42d32
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 11:36:47 2015 +0200
CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
RPC_NDR_DNSSERVER is the client interface NDR_DNSP contains just
marshalling helpers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8070e388a7218a9caf3f341201ecbc3a047ced5b
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Aug 7 11:36:47 2015 +0200
CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 62964476950500b13dcc14ae6d028044fec4de18
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jan 7 14:26:35 2016 -0800
CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit db00d27d3baac815b12917e5fa29791c1e76a040
Author: Jeremy Allison <jra at samba.org>
Date: Thu Jan 7 12:58:34 2016 -0800
CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 6122a717b49a80674b370b334c5c437d6e0cb564
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jan 6 17:02:52 2016 -0800
CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 10e570043cd777690d1b040ac0280f91acb0668f
Author: Jeremy Allison <jra at samba.org>
Date: Wed Jan 6 17:17:24 2016 -0800
CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 592374557dca8bc95fd37f9a2c1eee2cc5d97e18
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 11:33:48 2016 -0800
CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit e77fb42e9cafb438a1dcc73d6dd4b0bf9f032b3a
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 11:29:38 2016 -0800
CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit ef5f235be01d37d42d9114c4cc2a8d1562623f64
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 11:05:48 2016 -0800
CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 3898806f26e668ee531a684afb4adc4af821ca5d
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 11:24:36 2016 -0800
CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit cb5b4460f401da1359759b29799141bfe2c6adc1
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 11:22:12 2016 -0800
CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 478ed76b8e1e12bba41f0de09ae5ba0201f748fa
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 10:52:50 2016 -0800
CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit cc73ba984b4e30fd7c826337bd865f0e747b68d9
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 10:38:28 2016 -0800
CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit e20deafd55197e1a94b6990929f52de483d590c5
Author: Jeremy Allison <jra at samba.org>
Date: Tue Jan 5 11:18:12 2016 -0800
CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
commit 0549f6e48a8118c7394f34499f216351725ea435
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Feb 1 12:13:45 2016 +0100
VERSION: Bump version up to 4.2.9...
and re-enable git snapshots.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit de7ad5d66a757e5b2c1e05ba0d0fe94990430dc2)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 87 +++-
librpc/idl/dns.idl | 18 +-
librpc/idl/dnsp.idl | 4 +-
librpc/idl/dnsserver.idl | 2 +-
librpc/ndr/ndr_dns.c | 27 ++
librpc/ndr/ndr_dnsp.c | 24 ++
librpc/ndr/ndr_dnsp.h | 4 +
librpc/wscript_build | 20 +-
python/samba/tests/dns.py | 620 +++++++++++++++++++++------
python/samba/tests/{getopt.py => get_opt.py} | 0
selftest/knownfail | 2 +
selftest/tests.py | 2 +-
source3/client/client.c | 2 +-
source3/libsmb/clifile.c | 130 +++++-
source3/libsmb/proto.h | 17 +-
source3/selftest/tests.py | 2 +-
source3/smbd/nttrans.c | 13 +
source3/smbd/trans2.c | 68 ++-
source3/torture/torture.c | 377 ++++++++++++++++
source4/dns_server/dns_query.c | 15 +-
source4/dns_server/dns_update.c | 31 +-
source4/librpc/wscript_build | 4 +-
source4/selftest/tests.py | 3 +-
24 files changed, 1233 insertions(+), 241 deletions(-)
rename python/samba/tests/{getopt.py => get_opt.py} (100%)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 7b35079..9c7df70 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ae15c36..f03be3a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,87 @@
=============================
+ Release Notes for Samba 4.2.9
+ March 8, 2016
+ =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
+o CVE-2016-0771 (Out-of-bounds read in internal DNS server)
+
+=======
+Details
+=======
+
+o CVE-2015-7560:
+ All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
+ a malicious client overwriting the ownership of ACLs using symlinks.
+
+ An authenticated malicious client can use SMB1 UNIX extensions to
+ create a symlink to a file or directory, and then use non-UNIX SMB1
+ calls to overwrite the contents of the ACL on the file or directory
+ linked to.
+
+o CVE-2016-0771:
+ All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
+ an AD DC and choose to run the internal DNS server, are vulnerable to an
+ out-of-bounds read issue during DNS TXT record handling caused by users
+ with permission to modify DNS records.
+
+ A malicious client can upload a specially constructed DNS TXT record,
+ resulting in a remote denial-of-service attack. As long as the affected
+ TXT record remains undisturbed in the Samba database, a targeted DNS
+ query may continue to trigger this exploit.
+
+ While unlikely, the out-of-bounds read may bypass safety checks and
+ allow leakage of memory from the server in the form of a DNS TXT reply.
+
+ By default only authenticated accounts can upload DNS records,
+ as "allow dns updates = secure only" is the default.
+ Any other value would allow anonymous clients to trigger this
+ bug, which is a much higher risk.
+
+
+Changes since 4.2.8:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
+ change permissions on link target.
+
+o Garming Sam <garming at catalyst.net.nz>
+ * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+ handling.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+ handling.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.2.8
February 2, 2016
=============================
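Review bot: CVE-2016-0771 is described two ways in these release notes: the summary line says "Out-of-bounds read in internal DNS server" while both entries in the "Changes since 4.2.8" list say "Read of uninitialized memory DNS TXT handling". Use one description throughout so the changelog can be matched against the advisory. In the details, "when deployed as an AD DC and choose to run the internal DNS server" does not parse ("and configured to run" would), and "overwriting the ownership of ACLs" under CVE-2015-7560 disagrees with the next paragraph, which says it is the contents of the ACL that get overwritten.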
@@ -67,8 +150,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.2.7
diff --git a/librpc/idl/dns.idl b/librpc/idl/dns.idl
index d247e0e..5435fcf 100644
--- a/librpc/idl/dns.idl
+++ b/librpc/idl/dns.idl
@@ -8,7 +8,7 @@
encoding if it doesn't work out
*/
-import "misc.idl";
+import "misc.idl", "dnsp.idl";
[
helper("librpc/ndr/ndr_dns.h"),
helpstring("DNS records"),
@@ -152,20 +152,12 @@ interface dns
} dns_soa_record;
typedef [public] struct {
- [value(strlen(cpu))] uint8 cpu_length;
- [charset(DOS)] uint8 cpu[cpu_length];
- [value(strlen(os))] uint8 os_length;
- [charset(DOS)] uint8 os[os_length];
- } dns_hinfo_record;
-
- typedef [public] struct {
uint16 preference;
dns_string exchange;
} dns_mx_record;
- typedef [public] struct {
- [value(strlen(txt))] uint8 length;
- [charset(DOS)] uint8 txt[length];
+ typedef [public,nopull] struct {
+ dnsp_string_list txt;
} dns_txt_record;
typedef [public] struct {
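Review bot: dns_txt_record is now declared [public,nopull], but nothing in the IDL says where the pull function lives or why it is hand-written. Add a short comment above the typedef pointing at ndr_pull_dns_txt_record() in librpc/ndr/ndr_dns.c and stating that the string list has to be bounded by the enclosing record's length, which is what that function does by narrowing ndr->data_size.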
@@ -232,7 +224,7 @@ interface dns
[case(DNS_QTYPE_CNAME)] dns_string cname_record;
[case(DNS_QTYPE_SOA)] dns_soa_record soa_record;
[case(DNS_QTYPE_PTR)] dns_string ptr_record;
- [case(DNS_QTYPE_HINFO)] dns_hinfo_record hinfo_record;
+ [case(DNS_QTYPE_HINFO)] dnsp_hinfo hinfo_record;
[case(DNS_QTYPE_MX)] dns_mx_record mx_record;
[case(DNS_QTYPE_TXT)] dns_txt_record txt_record;
[case(DNS_QTYPE_RP)] dns_rp_record rp_record;
@@ -270,7 +262,7 @@ interface dns
/*
this is a convenience hook for ndrdump
*/
- void decode_dns_name_packet(
+ [nopython] void decode_dns_name_packet(
[in] dns_name_packet packet
);
}
diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
index 4c49001..d705cfc 100644
--- a/librpc/idl/dnsp.idl
+++ b/librpc/idl/dnsp.idl
@@ -263,11 +263,11 @@ interface dnsp
/*
these are convenience hooks for ndrdump
*/
- void decode_DnssrvRpcRecord(
+ [nopython] void decode_DnssrvRpcRecord(
[in] dnsp_DnssrvRpcRecord blob
);
- void decode_DnsProperty(
+ [nopython] void decode_DnsProperty(
[in] dnsp_DnsProperty blob
);
}
diff --git a/librpc/idl/dnsserver.idl b/librpc/idl/dnsserver.idl
index ca9c371..c7742e7 100644
--- a/librpc/idl/dnsserver.idl
+++ b/librpc/idl/dnsserver.idl
@@ -73,7 +73,7 @@ import "misc.idl", "dnsp.idl";
typedef [public,gensize] struct {
[value(strlen(str))] uint8 len;
- [charset(UTF8)] uint8 str[len];
+ [charset(UNIX)] uint8 str[len];
}
DNS_RPC_NAME;
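Review bot: The charset change on str[len] applies to every DNS_RPC_NAME carried over the RPC interface, not only to TXT data, and the IDL gives no reason for choosing UNIX. The commit message itself calls using a charset "not entirely logical"; record next to the field that the point is to let non UTF-8 bytes such as 0xFF through, and say whether the other users of DNS_RPC_NAME are expected to see a behaviour change.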
diff --git a/librpc/ndr/ndr_dns.c b/librpc/ndr/ndr_dns.c
index 0b9e3b0..065d992 100644
--- a/librpc/ndr/ndr_dns.c
+++ b/librpc/ndr/ndr_dns.c
@@ -30,6 +30,7 @@
#include "includes.h"
#include "librpc/gen_ndr/ndr_dns.h"
#include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_dnsp.h"
#include "system/locale.h"
#include "lib/util/util_net.h"
@@ -230,6 +231,29 @@ _PUBLIC_ enum ndr_err_code ndr_push_dns_string(struct ndr_push *ndr,
return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
}
+_PUBLIC_ enum ndr_err_code ndr_pull_dns_txt_record(struct ndr_pull *ndr, int ndr_flags, struct dns_txt_record *r)
+{
+ NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+ if (ndr_flags & NDR_SCALARS) {
+ enum ndr_err_code ndr_err;
+ uint32_t data_size = ndr->data_size;
+ uint32_t record_size = 0;
+ ndr_err = ndr_token_retrieve(&ndr->array_size_list, r,
+ &record_size);
+ if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ NDR_PULL_NEED_BYTES(ndr, record_size);
+ ndr->data_size = ndr->offset + record_size;
+ }
+ NDR_CHECK(ndr_pull_align(ndr, 1));
+ NDR_CHECK(ndr_pull_dnsp_string_list(ndr, NDR_SCALARS, &r->txt));
+ NDR_CHECK(ndr_pull_trailer_align(ndr, 1));
+ ndr->data_size = data_size;
+ }
+ if (ndr_flags & NDR_BUFFERS) {
+ }
+ return NDR_ERR_SUCCESS;
+}
+
_PUBLIC_ enum ndr_err_code ndr_push_dns_res_rec(struct ndr_push *ndr,
int ndr_flags,
const struct dns_res_rec *r)
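Review bot: In ndr_pull_dns_txt_record() the saved data_size is restored only on the success path: the three NDR_CHECK() calls that follow ndr->data_size = ndr->offset + record_size return early on error and leave the pull context truncated. Capture the result of ndr_pull_dnsp_string_list(), restore ndr->data_size, and only then return the error, or state in a comment that callers must discard the context on failure. When ndr_token_retrieve() does not succeed, the function silently parses against the whole remaining buffer, which deserves a comment saying when that is expected; the empty if (ndr_flags & NDR_BUFFERS) block can be dropped.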
@@ -302,6 +326,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dns_res_rec(struct ndr_pull *ndr,
NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length));
_saved_offset1 = ndr->offset;
if (r->length > 0) {
+ NDR_CHECK(ndr_token_store(ndr, &ndr->array_size_list,
+ &r->rdata,
+ r->length));
NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->rdata,
r->rr_type));
NDR_CHECK(ndr_pull_dns_rdata(ndr, NDR_SCALARS,
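Review bot: The record length is stored under the key &r->rdata, while ndr_pull_dns_txt_record() looks it up with its own r pointer, so the lookup only matches because txt_record is a member of the rdata union and shares its address. That coupling is invisible at both sites; add a comment here naming the consumer. The store also runs for every record type with r->length > 0 although only the TXT pull reads it, so consider restricting it to r->rr_type == DNS_QTYPE_TXT.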
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index fcb623a..82b5fb5 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -225,3 +225,27 @@ enum ndr_err_code ndr_push_dnsp_string_list(struct ndr_push *ndr, int ndr_flags,
}
return NDR_ERR_SUCCESS;
}
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+ const struct dnsp_string_list *src,
+ struct dnsp_string_list *dst)
+{
+ size_t i;
+
+ dst->count = 0;
+ dst->str = talloc_zero_array(mem_ctx, const char *, src->count);
+ if (dst->str == NULL) {
+ return NDR_ERR_ALLOC;
+ }
+
+ for (i = 0; i < src->count; i++) {
+ dst->str[i] = talloc_strdup(dst->str, src->str[i]);
+ if (dst->str[i] == NULL) {
+ TALLOC_FREE(dst->str);
+ return NDR_ERR_ALLOC;
+ }
+ }
+
+ dst->count = src->count;
+ return NDR_ERR_SUCCESS;
+}
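Review bot: In the copy loop a NULL src->str[i] makes talloc_strdup() return NULL, which this function then reports as NDR_ERR_ALLOC even though no allocation failed. Since this series mentions an earlier strlen(NULL) crash on a TXT field, decide explicitly how a NULL entry is handled (reject it with a distinct error, or copy it through as NULL) and document that in a comment above the function. The same comment should say that the copied strings are talloc children of dst->str, so freeing dst->str releases them.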
diff --git a/librpc/ndr/ndr_dnsp.h b/librpc/ndr/ndr_dnsp.h
index 67f952c..0d56633 100644
--- a/librpc/ndr/ndr_dnsp.h
+++ b/librpc/ndr/ndr_dnsp.h
@@ -27,3 +27,7 @@ void ndr_print_dnsp_string(struct ndr_print *ndr, const char *name,
const char *dns_string);
enum ndr_err_code ndr_pull_dnsp_string(struct ndr_pull *ndr, int ndr_flags, const char **string);
enum ndr_err_code ndr_push_dnsp_string(struct ndr_push *ndr, int ndr_flags, const char *string);
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+ const struct dnsp_string_list *src,
+ struct dnsp_string_list *dst);
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 6f744eb..0b137db 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -27,12 +27,12 @@ bld.SAMBA_SUBSYSTEM('NDR_NAMED_PIPE_AUTH',
bld.SAMBA_SUBSYSTEM('NDR_DNSSERVER',
source='gen_ndr/ndr_dnsserver.c ndr/ndr_dnsserver.c',
- public_deps='ndr'
+ public_deps='ndr NDR_DNSP'
)
bld.SAMBA_SUBSYSTEM('NDR_DNS',
source='gen_ndr/ndr_dns.c ndr/ndr_dns.c',
- public_deps='ndr'
+ public_deps='ndr NDR_DNSP'
)
bld.SAMBA_SUBSYSTEM('NDR_DSBACKUP',
@@ -341,7 +341,7 @@ bld.SAMBA_LIBRARY('ndr-standard',
pc_files='ndr_standard.pc',
deps='''NDR_SECURITY NDR_LSA NDR_SAMR NDR_NETLOGON NDR_EVENTLOG NDR_DFS
NDR_NTSVCS NDR_SVCCTL NDR_INITSHUTDOWN NDR_WKSSVC NDR_SRVSVC NDR_WINREG
- NDR_ECHO security NDR_DNS NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
+ NDR_ECHO security NDR_DNS NDR_DNSP NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
NDR_SERVER_ID NDR_NOTIFY''',
public_deps='ndr',
public_headers='gen_ndr/samr.h gen_ndr/ndr_samr.h gen_ndr/lsa.h gen_ndr/netlogon.h gen_ndr/atsvc.h gen_ndr/ndr_atsvc.h gen_ndr/ndr_svcctl.h gen_ndr/svcctl.h',
@@ -418,11 +418,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_AUDIOSRV',
public_deps='NDR_AUDIOSRV dcerpc-binding'
)
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNS',
- source='gen_ndr/ndr_dns_c.c',
- public_deps='dcerpc-binding NDR_DNS'
- )
-
bld.SAMBA_SUBSYSTEM('RPC_NDR_ECHO',
source='gen_ndr/ndr_echo_c.c',
public_deps='dcerpc-binding NDR_ECHO'
@@ -605,11 +600,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_BACKUPKEY',
public_deps='dcerpc-binding NDR_BACKUPKEY'
)
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSP',
- source='gen_ndr/ndr_dnsp_c.c',
- public_deps='dcerpc-binding NDR_DNSP'
- )
-
bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSSERVER',
source='gen_ndr/ndr_dnsserver_c.c',
public_deps='dcerpc-binding ndr-standard'
@@ -634,7 +624,7 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_WITNESS',
bld.SAMBA_LIBRARY('ndr-samba',
source=[],
deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_SCHANNEL NDR_MGMT
- NDR_DNSP NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
+ NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_OPEN_FILES NDR_SMBXSRV''',
private_library=True,
grouping_library=True
@@ -646,7 +636,7 @@ bld.SAMBA_LIBRARY('dcerpc-samba',
deps='''RPC_NDR_LSA RPC_NDR_SAMR RPC_NDR_NETLOGON RPC_NDR_EVENTLOG
RPC_NDR_DFS RPC_NDR_NTSVCS RPC_NDR_SVCCTL RPC_NDR_INITSHUTDOWN
RPC_NDR_WKSSVC RPC_NDR_SRVSVC RPC_NDR_WINREG RPC_NDR_ECHO RPC_NDR_EPMAPPER
- RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNS''',
+ RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNSSERVER''',
public_deps='ndr-standard',
private_library=True,
grouping_library=True
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index f93e13f..f7f56a3 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -16,18 +16,69 @@
#
import os
+import sys
import struct
import random
import socket
import samba.ndr as ndr
-import samba.dcerpc.dns as dns
+from samba import credentials, param
from samba.tests import TestCase
+from samba.dcerpc import dns, dnsp, dnsserver
+from samba.netcmd.dns import TXTRecord, dns_record_match, data_to_dns_record
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+import samba.getopt as options
+import optparse
+
+parser = optparse.OptionParser("dns.py <server name> <server ip> [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
+# This timeout only has relevance when testing against Windows
+# Format errors tend to return patchy responses, so a timeout is needed.
+parser.add_option("--timeout", type="int", dest="timeout",
+ help="Specify timeout for DNS requests")
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+opts, args = parser.parse_args()
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+timeout = opts.timeout
+
+if len(args) < 2:
+ parser.print_usage()
+ sys.exit(1)
+
+server_name = args[0]
+server_ip = args[1]
+creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
+
+def make_txt_record(records):
+ rdata_txt = dns.txt_record()
+ s_list = dnsp.string_list()
+ s_list.count = len(records)
+ s_list.str = records
+ rdata_txt.txt = s_list
+ return rdata_txt
class DNSTest(TestCase):
+ def setUp(self):
+ global server, server_ip, lp, creds
+ super(DNSTest, self).setUp()
+ self.server = server_name
+ self.server_ip = server_ip
+ self.lp = lp
+ self.creds = creds
+
def errstr(self, errcode):
"Return a readable error code"
string_codes = [
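Review bot: setUp() declares global server, but the module-level variable assigned from args[0] is server_name, so that name refers to nothing; the global statement is also unnecessary because all four values are only read. Drop the line. Separately, parser.parse_args() and sys.exit(1) run at import time, so the module cannot be imported without two positional arguments; moving the option handling under a main guard would keep the test class importable.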
@@ -83,9 +134,10 @@ class DNSTest(TestCase):
def get_dns_domain(self):
"Helper to get dns domain"
- return os.getenv('REALM', 'example.com').lower()
+ return self.creds.get_realm().lower()
- def dns_transaction_udp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+ def dns_transaction_udp(self, packet, host=server_ip,
+ dump=False, timeout=timeout):
"send a DNS query and read the reply"
s = None
try:
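Review bot: host=server_ip and timeout=timeout are evaluated once, when the method is defined, so dns_transaction_udp() ignores the self.server_ip that setUp() stores on the instance. Default both parameters to None and fall back to self.server_ip and the module timeout inside the body; the same signature appears on dns_transaction_tcp().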
@@ -93,6 +145,7 @@ class DNSTest(TestCase):
if dump:
print self.hexdump(send_packet)
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
+ s.settimeout(timeout)
s.connect((host, 53))
s.send(send_packet, 0)
recv_packet = s.recv(2048, 0)
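Review bot: s.settimeout(timeout) receives None whenever --timeout is not given, because the option is declared without a default, which leaves the socket fully blocking. The commit message says a numeric timeout is what lets the run against Windows succeed; either give the option a default or state in its help text that omitting it means no timeout.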
@@ -103,7 +156,8 @@ class DNSTest(TestCase):
if s is not None:
s.close()
- def dns_transaction_tcp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+ def dns_transaction_tcp(self, packet, host=server_ip,
+ dump=False, timeout=timeout):
"send a DNS query and read the reply"
s = None
try:
@@ -111,6 +165,7 @@ class DNSTest(TestCase):
if dump:
print self.hexdump(send_packet)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
+ s.settimeout(timeout)
s.connect((host, 53))
tcp_packet = struct.pack('!H', len(send_packet))
tcp_packet += send_packet
@@ -133,6 +188,47 @@ class DNSTest(TestCase):
N+=length
return result
+ def make_txt_update(self, prefix, txt_array):
+ p = self.make_name_packet(dns.DNS_OPCODE_UPDATE)
+ updates = []
+
+ name = self.get_dns_domain()
+ u = self.make_name_question(name, dns.DNS_QTYPE_SOA, dns.DNS_QCLASS_IN)
+ updates.append(u)
+ self.finish_name_packet(p, updates)
+
+ updates = []
+ r = dns.res_rec()
+ r.name = "%s.%s" % (prefix, self.get_dns_domain())
+ r.rr_type = dns.DNS_QTYPE_TXT
+ r.rr_class = dns.DNS_QCLASS_IN
+ r.ttl = 900
--
Samba Shared Repository