[SCM] Samba Shared Repository - branch v4-2-stable updated

Karolin Seeger kseeger at samba.org
Tue Mar 8 12:52:56 UTC 2016


The branch, v4-2-stable has been updated
       via  c0aa427 VERSION: Disable git snapshots for the 4.2.9 release.
       via  c3eeba3 WHATSNEW: Add release notes for Samba 4.2.9.
       via  981cbe1 CVE-2016-0771: tests/dns: Remove dependencies on env variables
       via  4dfa41d CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
       via  409ec58 CVE-2016-0771: tests: rename test getopt to get_opt
       via  93662cf CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
       via  b9c595f CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
       via  43de2c0 CVE-2016-0771: tests/dns: modify tests to check via RPC
       via  18a1a7c CVE-2016-0771: tests/dns: Add some more test cases for TXT records
       via  1cae991 CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
       via  ffe5757 CVE-2016-0771: tests/dns: restore formerly segfaulting test
       via  9f1f669 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
       via  5462a4c CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
       via  356cc26 CVE-2016-0771: tests/dns: prepare script for further testing
       via  d076289 CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
       via  9c50144 CVE-2016-0771: dns.idl: make use of dnsp_hinfo
       via  50972cc CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
       via  69a4def CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
       via  192a619 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
       via  8070e38 CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
       via  6296447 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
       via  db00d27 CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
       via  6122a71 CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
       via  10e5700 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
       via  5923745 CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
       via  e77fb42 CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
       via  ef5f235 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
       via  3898806 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
       via  cb5b446 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
       via  478ed76 CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
       via  cc73ba9 CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
       via  e20deaf CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
       via  0549f6e VERSION: Bump version up to 4.2.9...
      from  ba74960 VERSION: Disable git snapshots for the 4.2.8 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-stable


- Log -----------------------------------------------------------------
commit c0aa42785d6b942b58a167da80f5e64385beff02
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 24 12:23:53 2016 +0100

    VERSION: Disable git snapshots for the 4.2.9 release.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit c3eeba393fb92e006597fffb09720ce33be5795b
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 24 12:22:26 2016 +0100

    WHATSNEW: Add release notes for Samba 4.2.9.
    
    CVE-2015-7560 Getting and setting Windows ACLs on symlinks can change
    permissions on link target.
    CVE-2016-0771: Read of uninitialized memory DNS TXT handling
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 981cbe1e9be9de8d9775ba1fc9a53b2f719472d6
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:28:54 2016 +1300

    CVE-2016-0771: tests/dns: Remove dependencies on env variables
    
    Now that it is invoked as a normal script, there should be less of them.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4dfa41df9a87cb4793de3e9cd36d9b38f215d7cb
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:03:56 2016 +1300

    CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
    
    This makes it easier to invoke, particularly against Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 409ec584519b4ef45e28a7078ea2d234f6164081
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 22 11:35:03 2016 +1300

    CVE-2016-0771: tests: rename test getopt to get_opt
    
    This avoids any conflicts in this directory with the original toplevel
    getopt.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 93662cf283a8eaf84b67646f80f92847e073209a
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:54:58 2016 +1300

    CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
    
    Make sure that TXT entries stored via RPC come out the same in DNS.
    
    This has one caveat in that adding over RPC in Windows eats slashes,
    and so fails there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b9c595feff54d415aadfcce4a5bfc982ff10ce14
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:36:43 2016 +1300

    CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
    
    While using a charset is not entirely logical, it allows testing of non
    UTF-8 data (like inserting 0xFF into the TXT string).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 43de2c0ddfe81617c927750438c02407b47e5cb5
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 27 17:41:44 2016 +1300

    CVE-2016-0771: tests/dns: modify tests to check via RPC
    
    This checks that TXT records added over DNS, look the same over RPC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 18a1a7c4a14cdf0960635f152bcdbafbdba739e5
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Jan 18 12:39:46 2016 +1300

    CVE-2016-0771: tests/dns: Add some more test cases for TXT records
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1cae991b029ec6e0ce4d18c1b3299889e23230b1
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 10:25:44 2016 +1300

    CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
    
    Both Samba and Windows returned NXRRSET
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ffe575725bb5b921b63810c629f93dd71178ce93
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Dec 15 17:22:32 2015 +1300

    CVE-2016-0771: tests/dns: restore formerly segfaulting test
    
    This was on the client side, due to a strlen(NULL) on the previously
    DOS-encoded TXT field. With a new IDL structure, this segfault no longer exists.
    Note that both Samba and Windows return NXRRSET instead of FORMERR.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9f1f669aa49dd9de80f18e97d2a28e094810ef97
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 17:08:18 2016 +1300

    CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5462a4c4b449eb373062ebaa9e91619db6fd305f
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 15:43:55 2016 +1300

    CVE-2016-0771: tests/dns: FORMERR can simply timeout against Windows
    
    Two requests with identical parameters which are poorly formatted, can
    non-deterministically return FORMERR or simply fail to give a response.
    
    Setting the timeout to a number allows Windows to succeed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 356cc2613394b76bae9c0eb9615323cb7426f474
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 16:58:40 2016 +1300

    CVE-2016-0771: tests/dns: prepare script for further testing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d0762899de57590a155d6058f2be560f98f5c3b9
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 6 14:12:35 2016 +1300

    CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9c5014414693a4759c86e4cc55a89515da2b6a9f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: dns.idl: make use of dnsp_hinfo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 50972cc8f53045b38e58760c4c7b6c77fd7d2d5c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
    
    From RFC 1035:
    
        3.3.14. TXT RDATA format
    
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            /                   TXT-DATA                    /
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    
        where:
    
        TXT-DATA        One or more <character-string>s.
    
        TXT RRs are used to hold descriptive text.  The semantics of the text
        depends on the domain where it is found.
    
    Each record contains an array of strings instead of just one string.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 69a4defe3e56030cc63b1e9b29c24f047c287bbf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 192a619b9a261e644fa66718731e733469a42d32
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
    
    RPC_NDR_DNSSERVER is the client interface; NDR_DNSP contains just
    marshalling helpers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8070e388a7218a9caf3f341201ecbc3a047ced5b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 62964476950500b13dcc14ae6d028044fec4de18
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 14:26:35 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit db00d27d3baac815b12917e5fa29791c1e76a040
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 12:58:34 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 6122a717b49a80674b370b334c5c437d6e0cb564
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:02:52 2016 -0800

    CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 10e570043cd777690d1b040ac0280f91acb0668f
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:17:24 2016 -0800

    CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 592374557dca8bc95fd37f9a2c1eee2cc5d97e18
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:33:48 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit e77fb42e9cafb438a1dcc73d6dd4b0bf9f032b3a
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:29:38 2016 -0800

    CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit ef5f235be01d37d42d9114c4cc2a8d1562623f64
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:05:48 2016 -0800

    CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 3898806f26e668ee531a684afb4adc4af821ca5d
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:24:36 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit cb5b4460f401da1359759b29799141bfe2c6adc1
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:22:12 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 478ed76b8e1e12bba41f0de09ae5ba0201f748fa
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:52:50 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit cc73ba984b4e30fd7c826337bd865f0e747b68d9
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:38:28 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit e20deafd55197e1a94b6990929f52de483d590c5
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:18:12 2016 -0800

    CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Volker Lendecke <vl at samba.org>

commit 0549f6e48a8118c7394f34499f216351725ea435
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Feb 1 12:13:45 2016 +0100

    VERSION: Bump version up to 4.2.9...
    
    and re-enable git snapshots.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit de7ad5d66a757e5b2c1e05ba0d0fe94990430dc2)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                      |   2 +-
 WHATSNEW.txt                                 |  87 +++-
 librpc/idl/dns.idl                           |  18 +-
 librpc/idl/dnsp.idl                          |   4 +-
 librpc/idl/dnsserver.idl                     |   2 +-
 librpc/ndr/ndr_dns.c                         |  27 ++
 librpc/ndr/ndr_dnsp.c                        |  24 ++
 librpc/ndr/ndr_dnsp.h                        |   4 +
 librpc/wscript_build                         |  20 +-
 python/samba/tests/dns.py                    | 620 +++++++++++++++++++++------
 python/samba/tests/{getopt.py => get_opt.py} |   0
 selftest/knownfail                           |   2 +
 selftest/tests.py                            |   2 +-
 source3/client/client.c                      |   2 +-
 source3/libsmb/clifile.c                     | 130 +++++-
 source3/libsmb/proto.h                       |  17 +-
 source3/selftest/tests.py                    |   2 +-
 source3/smbd/nttrans.c                       |  13 +
 source3/smbd/trans2.c                        |  68 ++-
 source3/torture/torture.c                    | 377 ++++++++++++++++
 source4/dns_server/dns_query.c               |  15 +-
 source4/dns_server/dns_update.c              |  31 +-
 source4/librpc/wscript_build                 |   4 +-
 source4/selftest/tests.py                    |   3 +-
 24 files changed, 1233 insertions(+), 241 deletions(-)
 rename python/samba/tests/{getopt.py => get_opt.py} (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 7b35079..9c7df70 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ae15c36..f03be3a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,87 @@
                    =============================
+                   Release Notes for Samba 4.2.9
+                           March 8, 2016
+                   =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o  CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
+o  CVE-2016-0771 (Out-of-bounds read in internal DNS server)
+
+=======
+Details
+=======
+
+o  CVE-2015-7560:
+   All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
+   a malicious client overwriting the ownership of ACLs using symlinks.
+
+   An authenticated malicious client can use SMB1 UNIX extensions to
+   create a symlink to a file or directory, and then use non-UNIX SMB1
+   calls to overwrite the contents of the ACL on the file or directory
+   linked to.
+
+o  CVE-2016-0771:
+   All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
+   an AD DC and choose to run the internal DNS server, are vulnerable to an
+   out-of-bounds read issue during DNS TXT record handling caused by users
+   with permission to modify DNS records.
+
+   A malicious client can upload a specially constructed DNS TXT record,
+   resulting in a remote denial-of-service attack. As long as the affected
+   TXT record remains undisturbed in the Samba database, a targeted DNS
+   query may continue to trigger this exploit.
+
+   While unlikely, the out-of-bounds read may bypass safety checks and
+   allow leakage of memory from the server in the form of a DNS TXT reply.
+
+   By default only authenticated accounts can upload DNS records,
+   as "allow dns updates = secure only" is the default.
+   Any other value would allow anonymous clients to trigger this
+   bug, which is a much higher risk.
+
+
+Changes since 4.2.8:
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
+     change permissions on link target.
+
+o  Garming Sam <garming at catalyst.net.nz>
+   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+     handling.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+     handling.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.2.8
                           February 2, 2016
                    =============================
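Review bot: The CVE-2016-0771 entry is described three different ways in this one hunk: "Out-of-bounds read in internal DNS server" in the CVE list, "out-of-bounds read issue during DNS TXT record handling" under Details, and "Read of uninitialized memory DNS TXT handling" under "Changes since 4.2.8". Suggest settling on one description so an administrator matching these notes against the advisory sees a single name. The clause "when deployed as an AD DC and choose to run the internal DNS server" is also ungrammatical; "when deployed as an AD DC with the internal DNS server enabled" reads cleanly. In the CVE-2015-7560 entry, "overwriting the ownership of ACLs" does not match the next paragraph, which talks about overwriting the contents of the ACL.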
@@ -67,8 +150,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.2.7
diff --git a/librpc/idl/dns.idl b/librpc/idl/dns.idl
index d247e0e..5435fcf 100644
--- a/librpc/idl/dns.idl
+++ b/librpc/idl/dns.idl
@@ -8,7 +8,7 @@
    encoding if it doesn't work out
 */
 
-import "misc.idl";
+import "misc.idl", "dnsp.idl";
 [
 	helper("librpc/ndr/ndr_dns.h"),
 	helpstring("DNS records"),
@@ -152,20 +152,12 @@ interface dns
 	} dns_soa_record;
 
 	typedef [public] struct {
-		[value(strlen(cpu))] uint8 cpu_length;
-		[charset(DOS)] uint8 cpu[cpu_length];
-		[value(strlen(os))] uint8 os_length;
-		[charset(DOS)] uint8 os[os_length];
-	} dns_hinfo_record;
-
-	typedef [public] struct {
 		uint16     preference;
 		dns_string exchange;
 	} dns_mx_record;
 
-	typedef [public] struct {
-		[value(strlen(txt))] uint8 length;
-		[charset(DOS)] uint8 txt[length];
+	typedef [public,nopull] struct {
+		dnsp_string_list txt;
 	} dns_txt_record;
 
 	typedef [public] struct {
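Review bot: dns_txt_record is now marked [public,nopull], so decoding depends entirely on a hand-written pull function, yet nothing in the IDL says where that function lives or why the generated one is unsuitable. Suggest a comment above the typedef pointing at ndr_pull_dns_txt_record() in librpc/ndr/ndr_dns.c and noting that the record bound comes from the enclosing resource record rather than from a length field in the struct. The removed dns_hinfo_record used the same [value(strlen(...))] with [charset(DOS)] pattern as the old TXT struct, but the commit message for the HINFO change gives no reason; one line saying whether it had the same problem or is changed for consistency would help anyone backporting.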
@@ -232,7 +224,7 @@ interface dns
 		[case(DNS_QTYPE_CNAME)] dns_string       cname_record;
 		[case(DNS_QTYPE_SOA)]   dns_soa_record   soa_record;
 		[case(DNS_QTYPE_PTR)]   dns_string       ptr_record;
-		[case(DNS_QTYPE_HINFO)] dns_hinfo_record  hinfo_record;
+		[case(DNS_QTYPE_HINFO)] dnsp_hinfo       hinfo_record;
 		[case(DNS_QTYPE_MX)]    dns_mx_record    mx_record;
 		[case(DNS_QTYPE_TXT)]	dns_txt_record   txt_record;
 		[case(DNS_QTYPE_RP)]	dns_rp_record    rp_record;
@@ -270,7 +262,7 @@ interface dns
         /*
 	   this is a convenience hook for ndrdump
 	*/
-	void decode_dns_name_packet(
+	[nopython] void decode_dns_name_packet(
 				    [in] dns_name_packet packet
 				   );
 }
diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
index 4c49001..d705cfc 100644
--- a/librpc/idl/dnsp.idl
+++ b/librpc/idl/dnsp.idl
@@ -263,11 +263,11 @@ interface dnsp
 	/*
 	  these are convenience hooks for ndrdump
 	 */
-	void decode_DnssrvRpcRecord(
+	[nopython] void decode_DnssrvRpcRecord(
 		[in] dnsp_DnssrvRpcRecord blob
 		);
 
-	void decode_DnsProperty(
+	[nopython] void decode_DnsProperty(
 		[in] dnsp_DnsProperty blob
 		);
 }
diff --git a/librpc/idl/dnsserver.idl b/librpc/idl/dnsserver.idl
index ca9c371..c7742e7 100644
--- a/librpc/idl/dnsserver.idl
+++ b/librpc/idl/dnsserver.idl
@@ -73,7 +73,7 @@ import "misc.idl", "dnsp.idl";
 
 	typedef [public,gensize] struct {
 		[value(strlen(str))] uint8 len;
-		[charset(UTF8)] uint8 str[len];
+		[charset(UNIX)] uint8 str[len];
 	}
 	DNS_RPC_NAME;
 
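Review bot: DNS_RPC_NAME keeps "[value(strlen(str))] uint8 len", the same computed-length pattern this series removes from dns_txt_record in dns.idl: strlen() is applied to str on push and the result is narrowed to a uint8. Switching the charset from UTF8 to UNIX does not change that, so an unset str or one longer than 255 bytes still needs to be ruled out by the callers or documented here. A comment giving the reason for charset(UNIX) would also help, since the commit message ties it to non-UTF-8 bytes in TXT data while the struct name is not TXT-specific.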
diff --git a/librpc/ndr/ndr_dns.c b/librpc/ndr/ndr_dns.c
index 0b9e3b0..065d992 100644
--- a/librpc/ndr/ndr_dns.c
+++ b/librpc/ndr/ndr_dns.c
@@ -30,6 +30,7 @@
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_dns.h"
 #include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_dnsp.h"
 #include "system/locale.h"
 #include "lib/util/util_net.h"
 
@@ -230,6 +231,29 @@ _PUBLIC_ enum ndr_err_code ndr_push_dns_string(struct ndr_push *ndr,
 	return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
 }
 
+_PUBLIC_ enum ndr_err_code ndr_pull_dns_txt_record(struct ndr_pull *ndr, int ndr_flags, struct dns_txt_record *r)
+{
+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+	if (ndr_flags & NDR_SCALARS) {
+		enum ndr_err_code ndr_err;
+		uint32_t data_size = ndr->data_size;
+		uint32_t record_size = 0;
+		ndr_err = ndr_token_retrieve(&ndr->array_size_list, r,
+					     &record_size);
+		if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+			NDR_PULL_NEED_BYTES(ndr, record_size);
+			ndr->data_size = ndr->offset + record_size;
+		}
+		NDR_CHECK(ndr_pull_align(ndr, 1));
+		NDR_CHECK(ndr_pull_dnsp_string_list(ndr, NDR_SCALARS, &r->txt));
+		NDR_CHECK(ndr_pull_trailer_align(ndr, 1));
+		ndr->data_size = data_size;
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+	}
+	return NDR_ERR_SUCCESS;
+}
+
 _PUBLIC_ enum ndr_err_code ndr_push_dns_res_rec(struct ndr_push *ndr,
 						int ndr_flags,
 						const struct dns_res_rec *r)
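Review bot: ndr_pull_dns_txt_record() narrows ndr->data_size to ndr->offset + record_size and restores it only on the success path; each NDR_CHECK() between the two assignments returns early on error and leaves the pull context clamped to the record length. Suggest capturing the result of ndr_pull_dnsp_string_list(), resetting ndr->data_size = data_size, and only then propagating the error, so a caller that keeps using the same ndr sees the original bound. Separately, when ndr_token_retrieve() does not succeed the string list is parsed against the whole remaining buffer with no per-record limit; for a fix to an out-of-bounds read that fallback deserves a comment stating when it is expected to happen. The empty "if (ndr_flags & NDR_BUFFERS)" block could carry a comment or be dropped.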
@@ -302,6 +326,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dns_res_rec(struct ndr_pull *ndr,
 		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length));
 		_saved_offset1 = ndr->offset;
 		if (r->length > 0) {
+			NDR_CHECK(ndr_token_store(ndr, &ndr->array_size_list,
+						  &r->rdata,
+						  r->length));
 			NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->rdata,
 							    r->rr_type));
 			NDR_CHECK(ndr_pull_dns_rdata(ndr, NDR_SCALARS,
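Review bot: The length is stored under the key &r->rdata here, while ndr_pull_dns_txt_record() looks it up with its own r pointer; the lookup matches only because the TXT record is a member of the rdata union and therefore shares its address. A short comment at the ndr_token_store() call saying so would keep a later refactor of the union or of the pull function from silently removing the bound. The token is also stored for every record type with r->length > 0, although only the TXT pull reads it in the visible part of this patch; worth stating whether that is intentional.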
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index fcb623a..82b5fb5 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -225,3 +225,27 @@ enum ndr_err_code ndr_push_dnsp_string_list(struct ndr_push *ndr, int ndr_flags,
 	}
 	return NDR_ERR_SUCCESS;
 }
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+					    const struct dnsp_string_list *src,
+					    struct dnsp_string_list *dst)
+{
+	size_t i;
+
+	dst->count = 0;
+	dst->str = talloc_zero_array(mem_ctx, const char *, src->count);
+	if (dst->str == NULL) {
+		return NDR_ERR_ALLOC;
+	}
+
+	for (i = 0; i < src->count; i++) {
+		dst->str[i] = talloc_strdup(dst->str, src->str[i]);
+		if (dst->str[i] == NULL) {
+			TALLOC_FREE(dst->str);
+			return NDR_ERR_ALLOC;
+		}
+	}
+
+	dst->count = src->count;
+	return NDR_ERR_SUCCESS;
+}
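Review bot: In the copy loop, talloc_strdup(dst->str, src->str[i]) returns NULL when src->str[i] is itself NULL, so a source list with an empty slot is reported as NDR_ERR_ALLOC rather than as bad input. Suggest testing src->str[i] == NULL before the strdup and returning a distinct error, or documenting that every entry must be non-NULL. The function also has no comment on ownership and failure state: the copied strings are talloc children of dst->str, which hangs off mem_ctx, and on failure dst->str is freed with dst->count left at 0.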
diff --git a/librpc/ndr/ndr_dnsp.h b/librpc/ndr/ndr_dnsp.h
index 67f952c..0d56633 100644
--- a/librpc/ndr/ndr_dnsp.h
+++ b/librpc/ndr/ndr_dnsp.h
@@ -27,3 +27,7 @@ void ndr_print_dnsp_string(struct ndr_print *ndr, const char *name,
 				  const char *dns_string);
 enum ndr_err_code ndr_pull_dnsp_string(struct ndr_pull *ndr, int ndr_flags, const char **string);
 enum ndr_err_code ndr_push_dnsp_string(struct ndr_push *ndr, int ndr_flags, const char *string);
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+					    const struct dnsp_string_list *src,
+					    struct dnsp_string_list *dst);
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 6f744eb..0b137db 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -27,12 +27,12 @@ bld.SAMBA_SUBSYSTEM('NDR_NAMED_PIPE_AUTH',
 
 bld.SAMBA_SUBSYSTEM('NDR_DNSSERVER',
     source='gen_ndr/ndr_dnsserver.c ndr/ndr_dnsserver.c',
-    public_deps='ndr'
+    public_deps='ndr NDR_DNSP'
     )
 
 bld.SAMBA_SUBSYSTEM('NDR_DNS',
     source='gen_ndr/ndr_dns.c ndr/ndr_dns.c',
-    public_deps='ndr'
+    public_deps='ndr NDR_DNSP'
     )
 
 bld.SAMBA_SUBSYSTEM('NDR_DSBACKUP',
@@ -341,7 +341,7 @@ bld.SAMBA_LIBRARY('ndr-standard',
     pc_files='ndr_standard.pc',
     deps='''NDR_SECURITY NDR_LSA NDR_SAMR NDR_NETLOGON NDR_EVENTLOG NDR_DFS
     NDR_NTSVCS NDR_SVCCTL NDR_INITSHUTDOWN NDR_WKSSVC NDR_SRVSVC NDR_WINREG
-    NDR_ECHO security NDR_DNS NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
+    NDR_ECHO security NDR_DNS NDR_DNSP NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
     NDR_SERVER_ID NDR_NOTIFY''',
     public_deps='ndr',
     public_headers='gen_ndr/samr.h gen_ndr/ndr_samr.h gen_ndr/lsa.h gen_ndr/netlogon.h gen_ndr/atsvc.h gen_ndr/ndr_atsvc.h gen_ndr/ndr_svcctl.h gen_ndr/svcctl.h',
@@ -418,11 +418,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_AUDIOSRV',
     public_deps='NDR_AUDIOSRV dcerpc-binding'
     )
 
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNS',
-    source='gen_ndr/ndr_dns_c.c',
-    public_deps='dcerpc-binding NDR_DNS'
-    )
-
 bld.SAMBA_SUBSYSTEM('RPC_NDR_ECHO',
     source='gen_ndr/ndr_echo_c.c',
     public_deps='dcerpc-binding NDR_ECHO'
@@ -605,11 +600,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_BACKUPKEY',
     public_deps='dcerpc-binding NDR_BACKUPKEY'
     )
 
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSP',
-    source='gen_ndr/ndr_dnsp_c.c',
-    public_deps='dcerpc-binding NDR_DNSP'
-    )
-
 bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSSERVER',
     source='gen_ndr/ndr_dnsserver_c.c',
     public_deps='dcerpc-binding ndr-standard'
@@ -634,7 +624,7 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_WITNESS',
 bld.SAMBA_LIBRARY('ndr-samba',
     source=[],
     deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_SCHANNEL NDR_MGMT
-    NDR_DNSP NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
+    NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
     NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_OPEN_FILES NDR_SMBXSRV''',
     private_library=True,
     grouping_library=True
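Review bot: in the deps of 'ndr-samba', NDR_DNSP is replaced by NDR_DNSSERVER, while earlier in this patch NDR_DNSSERVER gains public_deps='ndr NDR_DNSP' and NDR_DNSP is added to 'ndr-standard'. The visible definition of 'ndr-samba' lists no dependency on 'ndr-standard', so it is not clear from the patch how NDR_DNSP is resolved for this library. Please confirm the link order works for a private grouping library and say in the commit message why NDR_DNSP moved between the two.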
@@ -646,7 +636,7 @@ bld.SAMBA_LIBRARY('dcerpc-samba',
     deps='''RPC_NDR_LSA RPC_NDR_SAMR RPC_NDR_NETLOGON RPC_NDR_EVENTLOG
     RPC_NDR_DFS RPC_NDR_NTSVCS RPC_NDR_SVCCTL RPC_NDR_INITSHUTDOWN
     RPC_NDR_WKSSVC RPC_NDR_SRVSVC RPC_NDR_WINREG RPC_NDR_ECHO RPC_NDR_EPMAPPER
-    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNS''',
+    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNSSERVER''',
     public_deps='ndr-standard',
     private_library=True,
     grouping_library=True
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index f93e13f..f7f56a3 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -16,18 +16,69 @@
 #
 
 import os
+import sys
 import struct
 import random
 import socket
 import samba.ndr as ndr
-import samba.dcerpc.dns as dns
+from samba import credentials, param
 from samba.tests import TestCase
+from samba.dcerpc import dns, dnsp, dnsserver
+from samba.netcmd.dns import TXTRecord, dns_record_match, data_to_dns_record
+from samba.tests.subunitrun import SubunitOptions, TestProgram
+import samba.getopt as options
+import optparse
+
+parser = optparse.OptionParser("dns.py <server name> <server ip> [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
 
 FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
 
+# This timeout only has relevance when testing against Windows
+# Format errors tend to return patchy responses, so a timeout is needed.
+parser.add_option("--timeout", type="int", dest="timeout",
+                  help="Specify timeout for DNS requests")
+
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+subunitopts = SubunitOptions(parser)
+parser.add_option_group(subunitopts)
+
+opts, args = parser.parse_args()
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+timeout = opts.timeout
+
+if len(args) < 2:
+    parser.print_usage()
+    sys.exit(1)
+
+server_name = args[0]
+server_ip = args[1]
+creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
+
+def make_txt_record(records):
+    rdata_txt = dns.txt_record()
+    s_list = dnsp.string_list()
+    s_list.count = len(records)
+    s_list.str = records
+    rdata_txt.txt = s_list
+    return rdata_txt
 
 class DNSTest(TestCase):
 
+    def setUp(self):
+        global server, server_ip, lp, creds
+        super(DNSTest, self).setUp()
+        self.server = server_name
+        self.server_ip = server_ip
+        self.lp = lp
+        self.creds = creds
+
     def errstr(self, errcode):
         "Return a readable error code"
         string_codes = [
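Review bot: in setUp(), the line "global server, server_ip, lp, creds" names server, but the module-level variable assigned above is server_name; the statement is also unnecessary because setUp() only reads these names, so it can be dropped. Separately, parser.parse_args() and the sys.exit(1) on len(args) < 2 now run at import time, so this module can only be loaded as a script with both positional arguments; a comment near the parser setup saying so would help anyone who tries to import it from a test loader.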
@@ -83,9 +134,10 @@ class DNSTest(TestCase):
 
     def get_dns_domain(self):
         "Helper to get dns domain"
-        return os.getenv('REALM', 'example.com').lower()
+        return self.creds.get_realm().lower()
 
-    def dns_transaction_udp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+    def dns_transaction_udp(self, packet, host=server_ip,
+                            dump=False, timeout=timeout):
         "send a DNS query and read the reply"
         s = None
         try:
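Review bot: the new defaults host=server_ip and timeout=timeout are bound once, when the method is defined, to the module-level values. Since --timeout is declared without a default, timeout is None unless the option is passed, and s.settimeout(None) leaves the socket blocking. Given the comment earlier in the patch that format errors against Windows may never get a reply, consider giving --timeout a sensible default so a run without the option cannot hang in recv(). The same applies to dns_transaction_tcp below.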
@@ -93,6 +145,7 @@ class DNSTest(TestCase):
             if dump:
                 print self.hexdump(send_packet)
             s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, 0)
+            s.settimeout(timeout)
             s.connect((host, 53))
             s.send(send_packet, 0)
             recv_packet = s.recv(2048, 0)
@@ -103,7 +156,8 @@ class DNSTest(TestCase):
             if s is not None:
                 s.close()
 
-    def dns_transaction_tcp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+    def dns_transaction_tcp(self, packet, host=server_ip,
+                            dump=False, timeout=timeout):
         "send a DNS query and read the reply"
         s = None
         try:
@@ -111,6 +165,7 @@ class DNSTest(TestCase):
             if dump:
                 print self.hexdump(send_packet)
             s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
+            s.settimeout(timeout)
             s.connect((host, 53))
             tcp_packet = struct.pack('!H', len(send_packet))
             tcp_packet += send_packet
@@ -133,6 +188,47 @@ class DNSTest(TestCase):
            N+=length
         return result
 
+    def make_txt_update(self, prefix, txt_array):
+        p = self.make_name_packet(dns.DNS_OPCODE_UPDATE)
+        updates = []
+
+        name = self.get_dns_domain()
+        u = self.make_name_question(name, dns.DNS_QTYPE_SOA, dns.DNS_QCLASS_IN)
+        updates.append(u)
+        self.finish_name_packet(p, updates)
+
+        updates = []
+        r = dns.res_rec()
+        r.name = "%s.%s" % (prefix, self.get_dns_domain())
+        r.rr_type = dns.DNS_QTYPE_TXT
+        r.rr_class = dns.DNS_QCLASS_IN
+        r.ttl = 900


-- 
Samba Shared Repository


