[SCM] Samba Shared Repository - branch v4-1-stable updated

Karolin Seeger kseeger at samba.org
Tue Mar 8 12:54:51 UTC 2016


The branch, v4-1-stable has been updated
       via  fd69161 VERSION: Disable git snapshots for the 4.1.23 release.
       via  8b05063 WHATSNEW: Add release notes for Samba 4.0.23.
       via  f548984 CVE-2016-0771: tests/dns: Remove dependencies on env variables
       via  600af99 CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
       via  feadfc4 CVE-2016-0771: tests: rename test getopt to get_opt
       via  c7598f1 CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
       via  74fc257 CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
       via  1a97ee3 CVE-2016-0771: tests/dns: modify tests to check via RPC
       via  006551d CVE-2016-0771: tests/dns: Add some more test cases for TXT records
       via  6395b6c CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
       via  83d94cb CVE-2016-0771: tests/dns: restore formerly segfaulting test
       via  a76db39 CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
       via  a03e3fa CVE-2016-0771: tests/dns: prepare script for further testing
       via  ede159b CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
       via  24c5af7 CVE-2016-0771: dns.idl: make use of dnsp_hinfo
       via  79f2cf1 CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
       via  4c40108 CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
       via  b003b71 CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
       via  757e25a CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
       via  5b5fcbf CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
       via  2a7b77b CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
       via  72f4892 CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
       via  09514d7 CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
       via  e1825c8 CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
       via  63a27a3 CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
       via  39aaef0 CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
       via  e387562 CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
       via  c4fade4 CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
       via  9e6620b CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
       via  7f893ff CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
       via  24f3cb0 CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
       via  eba93d6 VERSION: Bump version up to 4.1.23...
      from  cd89c83 VERSION: Disable git snapshots for the 4.1.22 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-1-stable


- Log -----------------------------------------------------------------
commit fd69161868b5aa4d644488cc4e8069ba40266576
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 24 12:19:51 2016 +0100

    VERSION: Disable git snapshots for the 4.1.23 release.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 8b0506340901b22a0b2647b0ad7ed15bd4427cdc
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Feb 24 12:18:19 2016 +0100

    WHATSNEW: Add release notes for Samba 4.0.23.
    
    CVE-2015-7560 Getting and setting Windows ACLs on symlinks can change
    permissions on link target.
    CVE-2016-0771: Read of uninitialized memory DNS TXT handling
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit f548984208aba1fa7237c3b4b072cd9dfbd950b3
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:28:54 2016 +1300

    CVE-2016-0771: tests/dns: Remove dependencies on env variables
    
    Now that it is invoked as a normal script, there should be less of them.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 600af999a418d605705c00708cd9f744fc533a33
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 29 17:03:56 2016 +1300

    CVE-2016-0771: tests/dns: change samba.tests.dns from being a unittest
    
    This makes it easier to invoke, particularly against Windows.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit feadfc41a1f1223d59c8c0e9427d6a8bdb9a5e94
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Fri Jan 22 11:35:03 2016 +1300

    CVE-2016-0771: tests: rename test getopt to get_opt
    
    This avoids any conflicts in this directory with the original toplevel
    getopt.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c7598f11a4b3f42e28f1d35ab2d17ddb85aa1d0a
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:54:58 2016 +1300

    CVE-2016-0771: tests/dns: RPC => DNS roundtrip test
    
    Make sure that TXT entries stored via RPC come out the same in DNS.
    
    This has one caveat in that adding over RPC in Windows eats slashes,
    and so fails there.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 74fc257badc81bf63c1f3174a6eb3bf0067e07bf
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 28 12:36:43 2016 +1300

    CVE-2016-0771: dnsserver: don't force UTF-8 for TXT
    
    While using a charset is not entirely logical, it allows testing of non
    UTF-8 data (like inserting 0xFF into the TXT string).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1a97ee31a8702ed7b06d0b07355615e314d29106
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 27 17:41:44 2016 +1300

    CVE-2016-0771: tests/dns: modify tests to check via RPC
    
    This checks that TXT records added over DNS look the same over RPC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 006551db9d9a3feeadb0ebd31c1d91c766533827
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Mon Jan 18 12:39:46 2016 +1300

    CVE-2016-0771: tests/dns: Add some more test cases for TXT records
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6395b6c578c78813266c9aa4ae3c0db49bb830ec
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 10:25:44 2016 +1300

    CVE-2016-0771: tests/dns: Correct error code for formerly unrun test
    
    Both Samba and Windows returned NXRRSET
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 83d94cbaceaae0bc305330dc827f31368c8e3191
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Tue Dec 15 17:22:32 2015 +1300

    CVE-2016-0771: tests/dns: restore formerly segfaulting test
    
    This was on the client side, due to a strlen(NULL) on the previously
    DOS-encoded TXT field. With a new IDL structure, this segfault no longer exists.
    Note that both Samba and Windows return NXRRSET instead of FORMERR.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a76db395d06c762a5f5527944215752865af1e54
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 17:08:18 2016 +1300

    CVE-2016-0771: tests/dns: Add a comment regarding odd Windows behaviour
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a03e3fa362755405ea5a07f59c1f58f080f63f06
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Thu Jan 21 16:58:40 2016 +1300

    CVE-2016-0771: tests/dns: prepare script for further testing
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ede159bcdf127e3281eb9391fe1260352780025a
Author: Garming Sam <garming at catalyst.net.nz>
Date:   Wed Jan 6 14:12:35 2016 +1300

    CVE-2016-0771: tests/dns: Modify dns tests to match new IDL
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 24c5af7dde1ce5ff7a83d35a7da729008e5cede9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: dns.idl: make use of dnsp_hinfo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 79f2cf166f1eb5c001c2c3124c0cbd2e4fbcba22
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:dns_server: fix idl for dns_txt_record
    
    From RFC 1035:
    
        3.3.14. TXT RDATA format
    
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
            /                   TXT-DATA                    /
            +--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+--+
    
        where:
    
        TXT-DATA        One or more <character-string>s.
    
        TXT RRs are used to hold descriptive text.  The semantics of the text
        depends on the domain where it is found.
    
    Each record contains an array of strings instead of just one string.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 4c40108da8ea319e566e324ac7ea10f61b263d69
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add ndr_dnsp_string_list_copy() helper function
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b003b71c11a13ff6229a166d38966a22e38b02b2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: librpc: add RPC_NDR_DNSSERVER to dcerpc-samba library
    
    RPC_NDR_DNSSERVER is the client interface; NDR_DNSP contains just
    marshalling helpers.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 757e25a542eee265e60f6c9482b14b3aa3cf2e59
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Aug 7 11:36:47 2015 +0200

    CVE-2016-0771: s4:librpc: python_dns and python_dcerpc_dnsp doesn't require client bindings
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11686
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11128
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Garming Sam <garming at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5b5fcbf8a535c196b38a1c4028f43770d5938dcf
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 14:26:35 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-EA test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 2a7b77b4704ab17a8576eeda9f194e6f4693f1e5
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Jan 7 12:58:34 2016 -0800

    CVE-2015-7560: s3: torture3: Add new POSIX-SYMLINK-ACL test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 72f4892c0b4cbf96042232781c837845eb178a10
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:02:52 2016 -0800

    CVE-2015-7560: s3: libsmb: Add SMB1-only POSIX cli_posix_setacl() functions. Needed for tests.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 09514d750d6fd59306bab80fb9ddeb1abe9d0b57
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Jan 6 17:17:24 2016 -0800

    CVE-2015-7560: s3: libsmb: Rename cli_posix_getfaclXX() functions to cli_posix_getacl() as they operate on pathnames.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit e1825c8138135226fbf9ca685edd4b44aac40220
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:33:48 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set EA's on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 63a27a313a44ff8f3a37dcb695ad437fb847dfa0
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:29:38 2016 -0800

    CVE-2015-7560: s3: smbd: Silently return no EA's available on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 39aaef0dcb14d3d2299021c66cacfac51cddf7fd
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:05:48 2016 -0800

    CVE-2015-7560: s3: smbd: Set return values early, allows removal of code duplication.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit e3875621cec2b0a301be976331ade51baa087b68
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:24:36 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit c4fade47263c72dd3d36005109e29887cf56210d
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:22:12 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set a POSIX ACL on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 9e6620b22f3d20b4f05f38ea2a16c7f8ec6ea1b7
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:52:50 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to set an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 7f893ff4e635fd42ab5d02b0ef3504b899f79d04
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 10:38:28 2016 -0800

    CVE-2015-7560: s3: smbd: Refuse to get an ACL from a POSIX file handle on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit 24f3cb04abc4db573adc1f2d69d7539a0233d673
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Jan 5 11:18:12 2016 -0800

    CVE-2015-7560: s3: smbd: Add refuse_symlink() function that can be used to prevent operations on a symlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11648
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Michael Adam <obnox at samba.org>

commit eba93d6c0b0de1770266bfa14c419864777c7887
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Dec 16 12:29:36 2015 +0100

    VERSION: Bump version up to 4.1.23...
    
    and re-enable git snapshots.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit 08cff9ca228a3d7714768eb5727201895cd1dd41)

-----------------------------------------------------------------------
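
The TXT RDATA layout quoted from RFC 1035 in commit 79f2cf1 above (one or more length-prefixed character-strings inside a record of RDLENGTH bytes), as an added example that is not Samba's code and is not part of this push. The type and function names (txt_slice, txt_rdata_split, txt_rdata_pack) and the sample bytes are constructed for illustration; the split is bounded by the record length, not by whatever follows the record in the packet.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; these are not Samba's types. */
struct txt_slice {
	const uint8_t *data; /* points into the caller's RDATA buffer */
	uint8_t len;         /* 0..255, taken from the length octet */
};

enum {
	TXT_ERR_EMPTY = -1,     /* RDATA holds no <character-string> at all */
	TXT_ERR_TRUNCATED = -2, /* a length octet points past RDLENGTH */
	TXT_ERR_TOO_MANY = -3   /* more strings than the caller has room for */
};

/* Split rdata[0..rdlength) into character-strings.
 * Returns the number of strings, or a negative TXT_ERR_* value. */
int txt_rdata_split(const uint8_t *rdata, size_t rdlength,
		    struct txt_slice *out, size_t out_cap)
{
	size_t off = 0;
	size_t n = 0;

	if (rdata == NULL || rdlength == 0) {
		return TXT_ERR_EMPTY; /* RFC 1035: "One or more" strings */
	}
	while (off < rdlength) {
		uint8_t len = rdata[off++];
		/* Bound by the record, even if the packet has more bytes. */
		if (len > rdlength - off) {
			return TXT_ERR_TRUNCATED;
		}
		if (n == out_cap) {
			return TXT_ERR_TOO_MANY;
		}
		out[n].data = rdata + off;
		out[n].len = len;
		n++;
		off += len;
	}
	return (int)n;
}

/* Inverse of txt_rdata_split(): returns bytes written, or -1 if the
 * list is empty or does not fit into buf. */
long txt_rdata_pack(const struct txt_slice *in, size_t count,
		    uint8_t *buf, size_t cap)
{
	size_t off = 0;
	size_t i;

	if (count == 0) {
		return -1;
	}
	for (i = 0; i < count; i++) {
		if (cap - off < (size_t)in[i].len + 1) {
			return -1;
		}
		buf[off++] = in[i].len;
		if (in[i].len > 0) {
			memcpy(buf + off, in[i].data, in[i].len);
		}
		off += in[i].len;
	}
	return (long)off;
}

/* Constructed sample: "hello", "a\xffb" (non UTF-8 byte), "" */
static const uint8_t SAMPLE_OK[] = { 5,'h','e','l','l','o', 3,'a',0xFF,'b', 0 };
/* Constructed sample: RDLENGTH is 4, but the length octet claims 5;
 * the last two bytes stand for data that follows the record. */
static const uint8_t SAMPLE_SPILL[] = { 5,'h','e','l', 'l','o' };

/* Returns 1 if split followed by pack reproduces SAMPLE_OK byte for byte. */
int demo_roundtrip(void)
{
	struct txt_slice s[8];
	uint8_t buf[sizeof(SAMPLE_OK)];
	int n = txt_rdata_split(SAMPLE_OK, sizeof(SAMPLE_OK), s, 8);

	if (n < 0) {
		return 0;
	}
	return txt_rdata_pack(s, (size_t)n, buf, sizeof(buf)) == (long)sizeof(buf)
	       && memcmp(buf, SAMPLE_OK, sizeof(buf)) == 0;
}

int main(void)
{
	struct txt_slice s[8];

	printf("ok record:    %d strings\n",
	       txt_rdata_split(SAMPLE_OK, sizeof(SAMPLE_OK), s, 8));
	printf("spill record: %d\n", txt_rdata_split(SAMPLE_SPILL, 4, s, 8));
	printf("roundtrip:    %d\n", demo_roundtrip());
	return 0;
}
```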

Summary of changes:
 VERSION                                      |   2 +-
 WHATSNEW.txt                                 |  87 +++-
 librpc/idl/dns.idl                           |  18 +-
 librpc/idl/dnsp.idl                          |   4 +-
 librpc/idl/dnsserver.idl                     |   2 +-
 librpc/ndr/ndr_dns.c                         |  27 ++
 librpc/ndr/ndr_dnsp.c                        |  24 ++
 librpc/ndr/ndr_dnsp.h                        |   4 +
 librpc/wscript_build                         |  20 +-
 python/samba/tests/dns.py                    | 577 +++++++++++++++++++++------
 python/samba/tests/{getopt.py => get_opt.py} |   0
 selftest/knownfail                           |   2 +
 selftest/tests.py                            |   2 +-
 source3/client/client.c                      |   2 +-
 source3/libsmb/clifile.c                     | 130 +++++-
 source3/libsmb/proto.h                       |  17 +-
 source3/selftest/tests.py                    |   2 +-
 source3/smbd/nttrans.c                       |  13 +
 source3/smbd/trans2.c                        |  68 +++-
 source3/torture/torture.c                    | 376 +++++++++++++++++
 source4/dns_server/dns_query.c               |  15 +-
 source4/dns_server/dns_update.c              |  31 +-
 source4/librpc/wscript_build                 |   4 +-
 source4/selftest/tests.py                    |   3 +-
 24 files changed, 1198 insertions(+), 232 deletions(-)
 rename python/samba/tests/{getopt.py => get_opt.py} (100%)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 873257e..c203c1e 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=1
-SAMBA_VERSION_RELEASE=22
+SAMBA_VERSION_RELEASE=23
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 2cd1a20..dc94dd4 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,87 @@
                    ==============================
+                   Release Notes for Samba 4.1.23
+                           March 8, 2015
+                   ==============================
+
+
+This is a security release in order to address the following CVEs:
+
+o  CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
+o  CVE-2016-0771 (Out-of-bounds read in internal DNS server)
+
+=======
+Details
+=======
+
+o  CVE-2015-7560:
+   All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
+   a malicious client overwriting the ownership of ACLs using symlinks.
+
+   An authenticated malicious client can use SMB1 UNIX extensions to
+   create a symlink to a file or directory, and then use non-UNIX SMB1
+   calls to overwrite the contents of the ACL on the file or directory
+   linked to.
+
+o  CVE-2016-0771:
+   All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
+   an AD DC and choose to run the internal DNS server, are vulnerable to an
+   out-of-bounds read issue during DNS TXT record handling caused by users
+   with permission to modify DNS records.
+
+   A malicious client can upload a specially constructed DNS TXT record,
+   resulting in a remote denial-of-service attack. As long as the affected
+   TXT record remains undisturbed in the Samba database, a targeted DNS
+   query may continue to trigger this exploit.
+
+   While unlikely, the out-of-bounds read may bypass safety checks and
+   allow leakage of memory from the server in the form of a DNS TXT reply.
+
+   By default only authenticated accounts can upload DNS records,
+   as "allow dns updates = secure only" is the default.
+   Any other value would allow anonymous clients to trigger this
+   bug, which is a much higher risk.
+
+
+Changes since 4.1.22:
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 11648: CVE-2015-7560: Getting and setting Windows ACLs on symlinks can
+     change permissions on link target.
+
+o  Garming Sam <garming at catalyst.net.nz>
+   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+     handling.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUGs 11128, 11686: CVE-2016-0771: Read of uninitialized memory DNS TXT
+     handling.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 4.1.22
                           December 16, 2015
                    ==============================
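Review bot: the added header dates this release "March 8, 2015", but the 4.1.22 notes directly below it are dated December 16, 2015, so the year looks wrong and should presumably be 2016. The two descriptions of CVE-2016-0771 also disagree: the summary and Details sections call it an out-of-bounds read, while both "Changes since 4.1.22" entries call it "Read of uninitialized memory DNS TXT handling"; one wording should be used throughout. In the Details text, "when deployed as an AD DC and choose to run the internal DNS server" does not parse and could read "when deployed as an AD DC running the internal DNS server".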
@@ -153,8 +236,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.1.21
diff --git a/librpc/idl/dns.idl b/librpc/idl/dns.idl
index d247e0e..5435fcf 100644
--- a/librpc/idl/dns.idl
+++ b/librpc/idl/dns.idl
@@ -8,7 +8,7 @@
    encoding if it doesn't work out
 */
 
-import "misc.idl";
+import "misc.idl", "dnsp.idl";
 [
 	helper("librpc/ndr/ndr_dns.h"),
 	helpstring("DNS records"),
@@ -152,20 +152,12 @@ interface dns
 	} dns_soa_record;
 
 	typedef [public] struct {
-		[value(strlen(cpu))] uint8 cpu_length;
-		[charset(DOS)] uint8 cpu[cpu_length];
-		[value(strlen(os))] uint8 os_length;
-		[charset(DOS)] uint8 os[os_length];
-	} dns_hinfo_record;
-
-	typedef [public] struct {
 		uint16     preference;
 		dns_string exchange;
 	} dns_mx_record;
 
-	typedef [public] struct {
-		[value(strlen(txt))] uint8 length;
-		[charset(DOS)] uint8 txt[length];
+	typedef [public,nopull] struct {
+		dnsp_string_list txt;
 	} dns_txt_record;
 
 	typedef [public] struct {
@@ -232,7 +224,7 @@ interface dns
 		[case(DNS_QTYPE_CNAME)] dns_string       cname_record;
 		[case(DNS_QTYPE_SOA)]   dns_soa_record   soa_record;
 		[case(DNS_QTYPE_PTR)]   dns_string       ptr_record;
-		[case(DNS_QTYPE_HINFO)] dns_hinfo_record  hinfo_record;
+		[case(DNS_QTYPE_HINFO)] dnsp_hinfo       hinfo_record;
 		[case(DNS_QTYPE_MX)]    dns_mx_record    mx_record;
 		[case(DNS_QTYPE_TXT)]	dns_txt_record   txt_record;
 		[case(DNS_QTYPE_RP)]	dns_rp_record    rp_record;
@@ -270,7 +262,7 @@ interface dns
         /*
 	   this is a convenience hook for ndrdump
 	*/
-	void decode_dns_name_packet(
+	[nopython] void decode_dns_name_packet(
 				    [in] dns_name_packet packet
 				   );
 }
diff --git a/librpc/idl/dnsp.idl b/librpc/idl/dnsp.idl
index 4c49001..d705cfc 100644
--- a/librpc/idl/dnsp.idl
+++ b/librpc/idl/dnsp.idl
@@ -263,11 +263,11 @@ interface dnsp
 	/*
 	  these are convenience hooks for ndrdump
 	 */
-	void decode_DnssrvRpcRecord(
+	[nopython] void decode_DnssrvRpcRecord(
 		[in] dnsp_DnssrvRpcRecord blob
 		);
 
-	void decode_DnsProperty(
+	[nopython] void decode_DnsProperty(
 		[in] dnsp_DnsProperty blob
 		);
 }
diff --git a/librpc/idl/dnsserver.idl b/librpc/idl/dnsserver.idl
index 506d72e..d567ec9 100644
--- a/librpc/idl/dnsserver.idl
+++ b/librpc/idl/dnsserver.idl
@@ -73,7 +73,7 @@ import "misc.idl", "dnsp.idl";
 
 	typedef [public,gensize] struct {
 		[value(strlen(str))] uint8 len;
-		[charset(UTF8)] uint8 str[len];
+		[charset(UNIX)] uint8 str[len];
 	}
 	DNS_RPC_NAME;
 
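Review bot: the switch from `[charset(UTF8)]` to `[charset(UNIX)]` on `str` applies to every DNS_RPC_NAME, not only to TXT data, and the IDL carries no comment explaining it; the reason given in the commit message (testing non UTF-8 bytes such as 0xFF) belongs next to the field. The unchanged line `[value(strlen(str))] uint8 len;` keeps the strlen-into-uint8 pattern that the dns.idl part of this series removes, so it is worth confirming that `str` can be neither NULL nor longer than 255 bytes when this struct is pushed.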
diff --git a/librpc/ndr/ndr_dns.c b/librpc/ndr/ndr_dns.c
index 0b9e3b0..065d992 100644
--- a/librpc/ndr/ndr_dns.c
+++ b/librpc/ndr/ndr_dns.c
@@ -30,6 +30,7 @@
 #include "includes.h"
 #include "librpc/gen_ndr/ndr_dns.h"
 #include "librpc/gen_ndr/ndr_misc.h"
+#include "librpc/gen_ndr/ndr_dnsp.h"
 #include "system/locale.h"
 #include "lib/util/util_net.h"
 
@@ -230,6 +231,29 @@ _PUBLIC_ enum ndr_err_code ndr_push_dns_string(struct ndr_push *ndr,
 	return ndr_push_bytes(ndr, (const uint8_t *)"", 1);
 }
 
+_PUBLIC_ enum ndr_err_code ndr_pull_dns_txt_record(struct ndr_pull *ndr, int ndr_flags, struct dns_txt_record *r)
+{
+	NDR_PULL_CHECK_FLAGS(ndr, ndr_flags);
+	if (ndr_flags & NDR_SCALARS) {
+		enum ndr_err_code ndr_err;
+		uint32_t data_size = ndr->data_size;
+		uint32_t record_size = 0;
+		ndr_err = ndr_token_retrieve(&ndr->array_size_list, r,
+					     &record_size);
+		if (NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+			NDR_PULL_NEED_BYTES(ndr, record_size);
+			ndr->data_size = ndr->offset + record_size;
+		}
+		NDR_CHECK(ndr_pull_align(ndr, 1));
+		NDR_CHECK(ndr_pull_dnsp_string_list(ndr, NDR_SCALARS, &r->txt));
+		NDR_CHECK(ndr_pull_trailer_align(ndr, 1));
+		ndr->data_size = data_size;
+	}
+	if (ndr_flags & NDR_BUFFERS) {
+	}
+	return NDR_ERR_SUCCESS;
+}
+
 _PUBLIC_ enum ndr_err_code ndr_push_dns_res_rec(struct ndr_push *ndr,
 						int ndr_flags,
 						const struct dns_res_rec *r)
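Review bot: in ndr_pull_dns_txt_record() the three NDR_CHECK() calls after `ndr->data_size = ndr->offset + record_size;` return on failure, so the saved `data_size` is not restored on the error path and the pull context is left with the narrowed size. Capturing the result of ndr_pull_dnsp_string_list(), restoring `ndr->data_size`, and only then checking the result would keep the context consistent. Separately, when ndr_token_retrieve() does not succeed the function carries on with no record bound at all; if a TXT record is never expected without a stored size, that case should return an error instead. The empty `if (ndr_flags & NDR_BUFFERS) { }` block can be dropped.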
@@ -302,6 +326,9 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dns_res_rec(struct ndr_pull *ndr,
 		NDR_CHECK(ndr_pull_uint16(ndr, NDR_SCALARS, &r->length));
 		_saved_offset1 = ndr->offset;
 		if (r->length > 0) {
+			NDR_CHECK(ndr_token_store(ndr, &ndr->array_size_list,
+						  &r->rdata,
+						  r->length));
 			NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->rdata,
 							    r->rr_type));
 			NDR_CHECK(ndr_pull_dns_rdata(ndr, NDR_SCALARS,
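Review bot: the size token is stored under the key `&r->rdata`, while ndr_pull_dns_txt_record() looks it up with its own `r`; the two only match because every member of the rdata union shares the union's address, which deserves a comment at the ndr_token_store() call. The token is also stored for every record with `r->length > 0` whatever the rr_type, and nothing in the visible lines removes it after ndr_pull_dns_rdata() returns, so array_size_list gains one entry per resource record in the packet. Consider storing it only for DNS_QTYPE_TXT or dropping it once the rdata has been pulled.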
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index fcb623a..82b5fb5 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -225,3 +225,27 @@ enum ndr_err_code ndr_push_dnsp_string_list(struct ndr_push *ndr, int ndr_flags,
 	}
 	return NDR_ERR_SUCCESS;
 }
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+					    const struct dnsp_string_list *src,
+					    struct dnsp_string_list *dst)
+{
+	size_t i;
+
+	dst->count = 0;
+	dst->str = talloc_zero_array(mem_ctx, const char *, src->count);
+	if (dst->str == NULL) {
+		return NDR_ERR_ALLOC;
+	}
+
+	for (i = 0; i < src->count; i++) {
+		dst->str[i] = talloc_strdup(dst->str, src->str[i]);
+		if (dst->str[i] == NULL) {
+			TALLOC_FREE(dst->str);
+			return NDR_ERR_ALLOC;
+		}
+	}
+
+	dst->count = src->count;
+	return NDR_ERR_SUCCESS;
+}
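Review bot: in the copy loop, `talloc_strdup(dst->str, src->str[i])` returns NULL when `src->str[i]` is NULL, and that is then reported as NDR_ERR_ALLOC, which misdescribes a malformed source list as an out-of-memory condition. Either check `src->str[i] == NULL` explicitly and return a distinct error, or document that NULL entries are not allowed. The function also has no comment on ownership: the strings are allocated as children of `dst->str`, so freeing that array frees them, and the caller should be told so.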
diff --git a/librpc/ndr/ndr_dnsp.h b/librpc/ndr/ndr_dnsp.h
index 67f952c..0d56633 100644
--- a/librpc/ndr/ndr_dnsp.h
+++ b/librpc/ndr/ndr_dnsp.h
@@ -27,3 +27,7 @@ void ndr_print_dnsp_string(struct ndr_print *ndr, const char *name,
 				  const char *dns_string);
 enum ndr_err_code ndr_pull_dnsp_string(struct ndr_pull *ndr, int ndr_flags, const char **string);
 enum ndr_err_code ndr_push_dnsp_string(struct ndr_push *ndr, int ndr_flags, const char *string);
+
+enum ndr_err_code ndr_dnsp_string_list_copy(TALLOC_CTX *mem_ctx,
+					    const struct dnsp_string_list *src,
+					    struct dnsp_string_list *dst);
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 2017a29..30820d2 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -27,12 +27,12 @@ bld.SAMBA_SUBSYSTEM('NDR_NAMED_PIPE_AUTH',
 
 bld.SAMBA_SUBSYSTEM('NDR_DNSSERVER',
     source='gen_ndr/ndr_dnsserver.c ndr/ndr_dnsserver.c',
-    public_deps='ndr'
+    public_deps='ndr NDR_DNSP'
     )
 
 bld.SAMBA_SUBSYSTEM('NDR_DNS',
     source='gen_ndr/ndr_dns.c ndr/ndr_dns.c',
-    public_deps='ndr'
+    public_deps='ndr NDR_DNSP'
     )
 
 bld.SAMBA_SUBSYSTEM('NDR_DSBACKUP',
@@ -336,7 +336,7 @@ bld.SAMBA_LIBRARY('ndr-standard',
     pc_files='ndr_standard.pc',
     deps='''NDR_SECURITY NDR_LSA NDR_SAMR NDR_NETLOGON NDR_EVENTLOG NDR_DFS
     NDR_NTSVCS NDR_SVCCTL NDR_INITSHUTDOWN NDR_WKSSVC NDR_SRVSVC NDR_WINREG
-    NDR_ECHO security NDR_DNS NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
+    NDR_ECHO security NDR_DNS NDR_DNSP NDR_ATSVC NDR_SPOOLSS NDR_DSSETUP
     NDR_SERVER_ID NDR_NOTIFY''',
     public_deps='ndr',
     public_headers='gen_ndr/samr.h gen_ndr/ndr_samr.h gen_ndr/lsa.h gen_ndr/netlogon.h gen_ndr/atsvc.h gen_ndr/ndr_atsvc.h gen_ndr/ndr_svcctl.h gen_ndr/svcctl.h',
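Review bot: adding NDR_DNSP to the deps of ndr-standard moves the dnsp marshalling code into a library that ships a pkg-config file and public headers, while a later hunk takes it out of ndr-samba, which is marked private_library=True. For a stable-branch security release it is worth checking whether this changes the exported symbols of ndr-standard and whether the commit message should mention it.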
@@ -407,11 +407,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_AUDIOSRV',
     public_deps='NDR_AUDIOSRV dcerpc-binding'
     )
 
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNS',
-    source='gen_ndr/ndr_dns_c.c',
-    public_deps='dcerpc-binding NDR_DNS'
-    )
-
 bld.SAMBA_SUBSYSTEM('RPC_NDR_ECHO',
     source='gen_ndr/ndr_echo_c.c',
     public_deps='dcerpc-binding NDR_ECHO'
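Review bot: removing the RPC_NDR_DNS subsystem breaks any target that still names it in deps, and the same applies to RPC_NDR_DNSP removed in the next hunk. This patch only shows dcerpc-samba being switched to RPC_NDR_DNSSERVER; please confirm no other wscript_build still references either name.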
@@ -594,11 +589,6 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_BACKUPKEY',
     public_deps='dcerpc-binding NDR_BACKUPKEY'
     )
 
-bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSP',
-    source='gen_ndr/ndr_dnsp_c.c',
-    public_deps='dcerpc-binding NDR_DNSP'
-    )
-
 bld.SAMBA_SUBSYSTEM('RPC_NDR_DNSSERVER',
     source='gen_ndr/ndr_dnsserver_c.c',
     public_deps='dcerpc-binding ndr-standard'
@@ -618,7 +608,7 @@ bld.SAMBA_SUBSYSTEM('RPC_NDR_FSRVP',
 bld.SAMBA_LIBRARY('ndr-samba',
     source=[],
     deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_SCHANNEL NDR_MGMT
-    NDR_DNSP NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
+    NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
     NDR_NTPRINTING NDR_FSRVP NDR_OPEN_FILES NDR_SMBXSRV''',
     private_library=True,
     grouping_library=True
@@ -630,7 +620,7 @@ bld.SAMBA_LIBRARY('dcerpc-samba',
     deps='''RPC_NDR_LSA RPC_NDR_SAMR RPC_NDR_NETLOGON RPC_NDR_EVENTLOG
     RPC_NDR_DFS RPC_NDR_NTSVCS RPC_NDR_SVCCTL RPC_NDR_INITSHUTDOWN
     RPC_NDR_WKSSVC RPC_NDR_SRVSVC RPC_NDR_WINREG RPC_NDR_ECHO RPC_NDR_EPMAPPER
-    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNS''',
+    RPC_NDR_ATSVC RPC_NDR_SPOOLSS RPC_NDR_DNSSERVER''',
     public_deps='ndr-standard',
     private_library=True,
     grouping_library=True
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index 2983de3..75b5b7f 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -16,18 +16,67 @@
 #
 
 import os
+import sys
 import struct
 import random
+
+sys.path.insert(0, "bin/python")
+import samba
+samba.ensure_external_module("testtools", "testtools")
+samba.ensure_external_module("subunit", "subunit/python")
+from subunit.run import SubunitTestRunner
+import unittest
+
 from samba import socket
 import samba.ndr as ndr
-import samba.dcerpc.dns as dns
+from samba import credentials, param
 from samba.tests import TestCase
+from samba.dcerpc import dns, dnsp, dnsserver
+from samba.netcmd.dns import TXTRecord, dns_record_match, data_to_dns_record
+import samba.getopt as options
+import optparse
+
+parser = optparse.OptionParser("dns.py <server name> <server ip> [options]")
+sambaopts = options.SambaOptions(parser)
+parser.add_option_group(sambaopts)
 
 FILTER=''.join([(len(repr(chr(x)))==3) and chr(x) or '.' for x in range(256)])
 
+# use command line creds if available
+credopts = options.CredentialsOptions(parser)
+parser.add_option_group(credopts)
+
+opts, args = parser.parse_args()
+
+lp = sambaopts.get_loadparm()
+creds = credopts.get_credentials(lp)
+
+if len(args) < 2:
+    parser.print_usage()
+    sys.exit(1)
+
+server_name = args[0]
+server_ip = args[1]
+creds.set_krb_forwardable(credentials.NO_KRB_FORWARDABLE)
+
+def make_txt_record(records):
+    rdata_txt = dns.txt_record()
+    s_list = dnsp.string_list()
+    s_list.count = len(records)
+    s_list.str = records
+    rdata_txt.txt = s_list
+    return rdata_txt
 
 class DNSTest(TestCase):
 
+    def setUp(self):
+        global server, server_ip, lp, creds
+        super(DNSTest, self).setUp()
+        self.server = server_name
+        self.server_ip = server_ip
+        self.lp = lp
+        self.creds = creds
+
     def errstr(self, errcode):
         "Return a readable error code"
         string_codes = [
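Review bot: option parsing and sys.exit(1) now run at module import time, so anything that imports samba.tests.dns without two positional arguments (test discovery, pydoc, another test module) exits the interpreter. Move the parser, parse_args() and the len(args) check under a main guard or into a function, and avoid the cwd-relative sys.path.insert(0, "bin/python"). In setUp, "global server, server_ip, lp, creds" names a variable "server" that is never defined (the module-level name is server_name), and the global statement is unnecessary for names that are only read.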
@@ -83,9 +132,10 @@ class DNSTest(TestCase):
 
     def get_dns_domain(self):
         "Helper to get dns domain"
-        return os.getenv('REALM', 'example.com').lower()
+        return self.creds.get_realm().lower()
 
-    def dns_transaction_udp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+    def dns_transaction_udp(self, packet, host=server_ip,
+                            dump=False):
         "send a DNS query and read the reply"
         s = None
         try:
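Review bot: the default host=server_ip in dns_transaction_udp is bound once at definition time to the module-level variable, so the self.server_ip assigned in setUp is never used by this method; prefer host=None with a fallback to self.server_ip in the body (the same applies to dns_transaction_tcp in the next hunk). Separately, get_dns_domain loses its 'example.com' fallback: if the credentials carry no realm, the .lower() call has nothing to act on, so either assert that a realm is set in setUp or keep a default.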
@@ -103,7 +153,8 @@ class DNSTest(TestCase):
             if s is not None:
                 s.close()
 
-    def dns_transaction_tcp(self, packet, host=os.getenv('SERVER_IP'), dump=False):
+    def dns_transaction_tcp(self, packet, host=server_ip,
+                            dump=False):
         "send a DNS query and read the reply"
         s = None
         try:
@@ -133,6 +184,47 @@ class DNSTest(TestCase):
            N+=length
         return result
 
+    def make_txt_update(self, prefix, txt_array):
+        p = self.make_name_packet(dns.DNS_OPCODE_UPDATE)
+        updates = []
+
+        name = self.get_dns_domain()
+        u = self.make_name_question(name, dns.DNS_QTYPE_SOA, dns.DNS_QCLASS_IN)
+        updates.append(u)
+        self.finish_name_packet(p, updates)
+
+        updates = []
+        r = dns.res_rec()
+        r.name = "%s.%s" % (prefix, self.get_dns_domain())
+        r.rr_type = dns.DNS_QTYPE_TXT
+        r.rr_class = dns.DNS_QCLASS_IN
+        r.ttl = 900
+        r.length = 0xffff
+        rdata = make_txt_record(txt_array)
+        r.rdata = rdata
+        updates.append(r)
+        p.nscount = len(updates)
+        p.nsrecs = updates
+
+        return p
+
+    def check_query_txt(self, prefix, txt_array):
+        name = "%s.%s" % (prefix, self.get_dns_domain())
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(name, dns.DNS_QTYPE_TXT, dns.DNS_QCLASS_IN)
+        questions.append(q)
+
+        self.finish_name_packet(p, questions)
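Review bot: in make_txt_update, r.length = 0xffff is an unexplained magic value; add a comment saying whether it is a placeholder recomputed when the packet is packed or a deliberately wrong length, since these tests cover TXT record parsing for CVE-2016-0771. The list named updates is also reused for the zone question and then for the update records, which reads as one collection; separate names would help. Both new helpers lack the one-line docstrings the neighbouring methods have.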


-- 
Samba Shared Repository


