[SCM] Samba Shared Repository - branch v4-6-stable updated
Karolin Seeger
kseeger at samba.org
Tue Nov 21 08:06:13 UTC 2017
The branch, v4-6-stable has been updated
via 4878a25 VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release
via a3a3053 WHATSNEW: Add release notes for Samba 4.6.11.
via 3a6b1ba s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
via 3ef34e9 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
via 8d7602d VERSION: Re-enable GIT_SNAPSHOT.
via 1cd9157 VERSION: Bump version up to 4.6.11...
from a56f9ed VERSION: Disable GIT_SNAPSHOT for the 4.6.10 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-6-stable
- Log -----------------------------------------------------------------
commit 4878a25aea72c0bbd43344ab68d72f88406aacb4
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Nov 20 11:13:55 2017 +0100
VERSION: Disable GIT_SNAPSHOT for the 4.6.11 release
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit a3a30536fb31c2f48be448cd5b59f7a740855b5d
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Nov 20 11:10:36 2017 +0100
WHATSNEW: Add release notes for Samba 4.6.11.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 3a6b1baeb84ada35745109a11dacab328a1d6a5b
Author: Jeremy Allison <jra at samba.org>
Date: Wed Sep 20 11:04:50 2017 -0700
s3: smbd: Chain code can return uninitialized memory when talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 3ef34e983d79746d47c5a894d5325e1a8618dc7a
Author: Jeremy Allison <jra at samba.org>
Date: Tue Sep 19 16:11:33 2017 -0700
s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
When setting up the chain, always use 'next->' variables
not the 'req->' one.
Bug discovered by 连一汉 <lianyihan at 360.cn>
CVE-2017-14746
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
Signed-off-by: Jeremy Allison <jra at samba.org>
commit 8d7602dd0defb30dce6b0c4ac5adc67ba936b84b
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Nov 20 11:09:57 2017 +0100
VERSION: Re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 1cd91577aed6c9952cd2d88905ba1173e679df05
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue Nov 14 13:01:58 2017 +0100
VERSION: Bump version up to 4.6.11...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit b196d0efcfaad6ea42ed0873b430ff3d416dd731)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 75 ++++++++++++++++++++++++++++++++++++++++++++++++--
source3/smbd/process.c | 7 +++--
source3/smbd/reply.c | 5 ++++
source3/smbd/srvstr.c | 14 ++++++++++
5 files changed, 97 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 4ccbdb5..c0e85a2 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=6
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 375d340..8199d91 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,75 @@
==============================
+ Release Notes for Samba 4.6.11
+ November 21, 2017
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2017-14746 (Use-after-free vulnerability.)
+o CVE-2017-15275 (Server heap memory information leak.)
+
+
+=======
+Details
+=======
+
+o CVE-2017-14746:
+ All versions of Samba from 4.0.0 onwards are vulnerable to a use after
+ free vulnerability, where a malicious SMB1 request can be used to
+ control the contents of heap memory via a deallocated heap pointer. It
+ is possible this may be used to compromise the SMB server.
+
+o CVE-2017-15275:
+ All versions of Samba from 3.6.0 onwards are vulnerable to a heap
+ memory information leak, where server allocated heap memory may be
+ returned to the client without being cleared.
+
+ There is no known vulnerability associated with this error, but
+ uncleared heap memory may contain previously used data that may help
+ an attacker compromise the server via other methods. Uncleared heap
+ memory may potentially contain password hashes or other high-value
+ data.
+
+For more details and workarounds, please see the security advisories:
+
+ o https://www.samba.org/samba/security/CVE-2017-14746.html
+ o https://www.samba.org/samba/security/CVE-2017-15275.html
+
+
+Changes since 4.6.10:
+---------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
+ * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized
+ memory when talloc buffer is grown.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 4.6.10
November 15, 2017
=============================
@@ -66,8 +137,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.6.9
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 656f1c0..2641894 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1854,12 +1854,13 @@ void smb_request_done(struct smb_request *req)
next->vuid = SVAL(req->outbuf, smb_uid);
next->tid = SVAL(req->outbuf, smb_tid);
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
now, &tcon);
+
if (NT_STATUS_IS_OK(status)) {
- req->conn = tcon->compat;
+ next->conn = tcon->compat;
} else {
- req->conn = NULL;
+ next->conn = NULL;
}
next->chain_fsp = req->chain_fsp;
next->inbuf = req->inbuf;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index a40ff81..26918b6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -921,6 +921,11 @@ void reply_tcon_and_X(struct smb_request *req)
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba..c2d70b3 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
--
Samba Shared Repository
More information about the samba-cvs
mailing list