[SCM] Samba Shared Repository - branch v4-6-stable updated

Karolin Seeger kseeger at samba.org
Tue Nov 21 08:06:13 UTC 2017


The branch, v4-6-stable has been updated
       via  4878a25 VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release
       via  a3a3053 WHATSNEW: Add release notes for Samba 4.6.11.
       via  3a6b1ba s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
       via  3ef34e9 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
       via  8d7602d VERSION: Re-enable GIT_SNAPSHOT.
       via  1cd9157 VERSION: Bump version up to 4.6.11...
      from  a56f9ed VERSION: Disable GIT_SNAPSHOT for the 4.6.10 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable


- Log -----------------------------------------------------------------
commit 4878a25aea72c0bbd43344ab68d72f88406aacb4
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 20 11:13:55 2017 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit a3a30536fb31c2f48be448cd5b59f7a740855b5d
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 20 11:10:36 2017 +0100

    WHATSNEW: Add release notes for Samba 4.6.11.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 3a6b1baeb84ada35745109a11dacab328a1d6a5b
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Sep 20 11:04:50 2017 -0700

    s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
    
    Ensure we zero out unused grown area.
    
    CVE-2017-15275
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 3ef34e983d79746d47c5a894d5325e1a8618dc7a
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Sep 19 16:11:33 2017 -0700

    s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
    
    When setting up the chain, always use 'next->' variables
    not the 'req->' one.
    
    Bug discovered by 连一汉 <lianyihan at 360.cn>
    
    CVE-2017-14746
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 8d7602dd0defb30dce6b0c4ac5adc67ba936b84b
Author: Karolin Seeger <kseeger at samba.org>
Date:   Mon Nov 20 11:09:57 2017 +0100

    VERSION: Re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 1cd91577aed6c9952cd2d88905ba1173e679df05
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Nov 14 13:01:58 2017 +0100

    VERSION: Bump version up to 4.6.11...
    
    and re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit b196d0efcfaad6ea42ed0873b430ff3d416dd731)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                |  2 +-
 WHATSNEW.txt           | 75 ++++++++++++++++++++++++++++++++++++++++++++++++--
 source3/smbd/process.c |  7 +++--
 source3/smbd/reply.c   |  5 ++++
 source3/smbd/srvstr.c  | 14 ++++++++++
 5 files changed, 97 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 4ccbdb5..c0e85a2 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 375d340..8199d91 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,75 @@
                    ==============================
+                   Release Notes for Samba 4.6.11
+                          November 21, 2017
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2017-14746 (Use-after-free vulnerability.)
+o  CVE-2017-15275 (Server heap memory information leak.)
+
+
+=======
+Details
+=======
+
+o  CVE-2017-14746:
+   All versions of Samba from 4.0.0 onwards are vulnerable to a use after
+   free vulnerability, where a malicious SMB1 request can be used to
+   control the contents of heap memory via a deallocated heap pointer. It
+   is possible this may be used to compromise the SMB server.
+
+o  CVE-2017-15275:
+   All versions of Samba from 3.6.0 onwards are vulnerable to a heap
+   memory information leak, where server allocated heap memory may be
+   returned to the client without being cleared.
+
+   There is no known vulnerability associated with this error, but
+   uncleared heap memory may contain previously used data that may help
+   an attacker compromise the server via other methods. Uncleared heap
+   memory may potentially contain password hashes or other high-value
+   data.
+
+For more details and workarounds, please see the security advisories:
+
+   o https://www.samba.org/samba/security/CVE-2017-14746.html
+   o https://www.samba.org/samba/security/CVE-2017-15275.html
+
+
+Changes since 4.6.10:
+---------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
+   * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized
+     memory when talloc buffer is grown.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   ==============================
                    Release Notes for Samba 4.6.10
                           November 15, 2017
                    =============================
@@ -66,8 +137,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.6.9
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 656f1c0..2641894 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1854,12 +1854,13 @@ void smb_request_done(struct smb_request *req)
 
 		next->vuid = SVAL(req->outbuf, smb_uid);
 		next->tid  = SVAL(req->outbuf, smb_tid);
-		status = smb1srv_tcon_lookup(req->xconn, req->tid,
+		status = smb1srv_tcon_lookup(req->xconn, next->tid,
 					     now, &tcon);
+
 		if (NT_STATUS_IS_OK(status)) {
-			req->conn = tcon->compat;
+			next->conn = tcon->compat;
 		} else {
-			req->conn = NULL;
+			next->conn = NULL;
 		}
 		next->chain_fsp = req->chain_fsp;
 		next->inbuf = req->inbuf;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index a40ff81..26918b6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -921,6 +921,11 @@ void reply_tcon_and_X(struct smb_request *req)
 		}
 
 		TALLOC_FREE(tcon);
+		/*
+		 * This tree id is gone. Make sure we can't re-use it
+		 * by accident.
+		 */
+		req->tid = 0;
 	}
 
 	if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba..c2d70b3 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
 		DEBUG(0, ("srvstr_push failed\n"));
 		return -1;
 	}
+
+	/*
+	 * Ensure we clear out the extra data we have
+	 * grown the buffer by, but not written to.
+	 */
+	if (buf_size + result < buf_size) {
+		return -1;
+	}
+	if (grow_size < result) {
+		return -1;
+	}
+
+	memset(tmp + buf_size + result, '\0', grow_size - result);
+
 	set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
 
 	*outbuf = tmp;


-- 
Samba Shared Repository



More information about the samba-cvs mailing list