[SCM] Samba Shared Repository - branch v4-8-stable updated
Karolin Seeger
kseeger at samba.org
Tue Aug 14 07:46:38 UTC 2018
The branch, v4-8-stable has been updated
via 626c489 VERSION: Disable GIT_SNAPSHOT for the Samba 4.8.4 release.
via 032a6a4 WHATSNEW: Add release notes for Samba 4.8.4.
via 43aba6b CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
via 5ad366e ldb: Release LDB 1.3.5 for CVE-2018-1140
via 47bf6f6 CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
via ebc3a1a CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
via a36db4f CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
via 7331723 CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
via 95c95a4 CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
via a5245e4 CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
via 6993f39 CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
via f0bd8cc CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
via 5fb35b7 CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
via 3454eae CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
via c775bd8 selftest/tests.py: remove always-needed, never-set with_cmocka flag
via a915e23 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
via 9891df4 CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
via 1575ba4 CVE-2018-10919 acl_read: Flip the logic in the dirsync check
via f9fa4e5 CVE-2018-10919 acl_read: Small refactor to aclread_callback()
via 6e35ae3 CVE-2018-10919 acl_read: Split access_mask logic out into helper function
via 7016bfd CVE-2018-10919 tests: test ldap searches for non-existent attributes.
via a90cb03 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
via 03dba18 CVE-2018-10919 tests: Add test case for object visibility with limited rights
via 77421f3 CVE-2018-10919 tests: Add tests for guessing confidential attributes
via a81f32e CVE-2018-10919 security: Add more comments to the object-specific access checks
via bbb72cf CVE-2018-10919 security: Move object-specific access checks into separate function
via 87aa836 CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
via 5923c3c CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
via 677fad5 CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
via 4954a6d VERSION: Bump version up to 4.8.4...
from a62c2f3 VERSION: Disable GIT_SNAPSHOT for the 4.8.3 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-stable
- Log -----------------------------------------------------------------
commit 626c489c2c879aef8b82efe9f7e832cca0183f4d
Author: Karolin Seeger <kseeger at samba.org>
Date: Sat Aug 11 08:16:26 2018 +0200
VERSION: Disable GIT_SNAPSHOT for the Samba 4.8.4 release.
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
server.)
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 032a6a4689d77034dc8827c8764c2f913e47b56c
Author: Karolin Seeger <kseeger at samba.org>
Date: Sat Aug 11 08:13:09 2018 +0200
WHATSNEW: Add release notes for Samba 4.8.4.
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o CVE-2018-10858 (Insufficient input validation on client directory
listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
server.)
Signed-off-by: Karolin Seeger <kseeger at samba.org>
commit 43aba6bd8e32fd03bd1cbb6c0304f0e75f8ab9c1
Author: Kai Blin <kai at samba.org>
Date: Fri Jun 8 18:20:16 2018 +0200
CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466
Signed-off-by: Kai Blin <kai at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 5ad366eb3db510d7e2dd54a7a796180416dea315
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 6 13:53:19 2018 +1200
ldb: Release LDB 1.3.5 for CVE-2018-1140
* Security fix for CVE-2018-1140 (NULL pointer de-reference, bug 13374)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
commit 47bf6f6e411668b62ad6dfd9c01f19ad8e3a6829
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 15:25:58 2018 +1200
CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit ebc3a1a137f0182d5c0b2b60d65578864b441e54
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 15:23:53 2018 +1200
CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search
This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which
would otherwise fail.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit a36db4fceb3235047f190f6d23841394b17aafec
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 15:20:26 2018 +1200
CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use
ldb_dn_from_ldb_val() does not validate this untrusted input, so a later
call to ldb_dn_get_casefold() can fail if the input is not valid.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit 7331723918018a40904ab7339b051e7ebb136a6e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon May 21 14:50:50 2018 +1200
CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit 95c95a4a99a41e175784319259f646f3deffcfe9
Author: Andrej Gessel <Andrej.Gessel at janztec.com>
Date: Fri Apr 6 18:18:33 2018 +0200
CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()
Signed-off-by: Andrej Gessel <Andrej.Gessel at janztec.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
commit a5245e464d710ecb41c759d04ae1c762fbd8d2e9
Author: Günther Deschner <gd at samba.org>
Date: Tue Mar 13 16:56:20 2018 +0100
CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.
Found by Vivek Das <vdas at redhat.com> (Red Hat QE).
In order to demonstrate simply run:
smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 6993f39d20de0944c557336a99ac8e63551c808c
Author: Günther Deschner <gd at samba.org>
Date: Fri Mar 16 17:25:12 2018 +0100
CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.
Right now, this test will succeed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit f0bd8cc723d8f119f90367f6d0258ff250a6075c
Author: Günther Deschner <gd at samba.org>
Date: Wed Mar 14 15:35:01 2018 +0100
CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 5fb35b7f8e184879c3c8931e9af31befdc75aeac
Author: Günther Deschner <gd at samba.org>
Date: Wed Mar 14 15:36:05 2018 +0100
CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
CVE-2018-1139: Weak authentication protocol allowed.
Guenther
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 3454eae9d41b23f856b350d1aac88795f339bdc3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Jul 27 08:44:24 2018 +1200
CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit c775bd8b26ef91238cb69d055930d3434ed049a0
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Feb 22 11:54:45 2018 +1300
selftest/tests.py: remove always-needed, never-set with_cmocka flag
We have cmocka in third_party, so we are never without it.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)
commit a915e23addbb37c199d6dbde6c6283642e742841
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Wed Aug 1 13:51:42 2018 +1200
CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
The acl_read.c code contains a special case to allow dirsync to
work-around having insufficient access rights. We had a concern that
the dirsync module could leak sensitive information for deleted objects.
This patch adds a test-case to prove whether or not this is happening.
The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it
hangs around for deleted objcts. Because the attributes now persist
across test case runs, I've used a different attribute to normal.
(Technically, the dirsync search expressions are now specific enough
that the regular attribute could be used, but it would make things
quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are
now more complicated. Currently dirsync adds an extra-filter to the
'!' searches to exclude deleted objects, i.e. samaccountname matches
the test-objects AND the object is not deleted. We now extend this to
include deleted objects with lastKnownParent equal to the test OU.
The search expression matches either case so that we can use the same
expression throughout the test (regardless of whether the object is
deleted yet or not).
This test proves that the dirsync corner-case does not actually leak
sensitive information on Samba. This is due to a bug in the dirsync
code - when the buggy line is removed, this new test promptly fails.
Test also passes against Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit 9891df452e53b5e7b52ef6a0ce40b7b64aee28bf
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 15:42:36 2018 +1200
CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
A user that doesn't have access to view an attribute can still guess the
attribute's value via repeated LDAP searches. This affects confidential
attributes, as well as ACLs applied to an object/attribute to deny
access.
Currently the code will hide objects if the attribute filter contains an
attribute they are not authorized to see. However, the code still
returns objects as results if confidential attribute is in the search
expression itself, but not in the attribute filter.
To fix this problem we have to check the access rights on the attributes
in the search-tree, as well as the attributes returned in the message.
Points of note:
- I've preserved the existing dirsync logic (the dirsync module code
suppresses the result as long as the replPropertyMetaData attribute is
removed). However, there doesn't appear to be any test that highlights
that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit
searches like 'objectClass=*', even though we don't have Read Property
access rights for the objectClass attribute. The logic that Windows
uses does not appear to be clearly documented, so I've made a best
guess that seems to mirror Windows behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit 1575ba4234a7fbb0d2cc7b23e361c4e753939a6b
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jul 30 16:00:15 2018 +1200
CVE-2018-10919 acl_read: Flip the logic in the dirsync check
This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit f9fa4e5c9325c68e97f51ac76855b1d92a4f1cba
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Jul 26 12:20:49 2018 +1200
CVE-2018-10919 acl_read: Small refactor to aclread_callback()
Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit 6e35ae37611590cbebabf30c173071f1ee9b9766
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 13:52:24 2018 +1200
CVE-2018-10919 acl_read: Split access_mask logic out into helper function
So we can re-use the same logic laster for checking the search-ops.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit 7016bfd31abc16b6d190ec9b6c9be4b0fb1d3a69
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Aug 3 15:51:28 2018 +1200
CVE-2018-10919 tests: test ldap searches for non-existent attributes.
It is perfectly legal to search LDAP for an attribute that is not part
of the schema. That part of the query should simply not match.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
commit a90cb03e19e06eeb32536d02c111bdb0bc3d927d
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 13:01:00 2018 +1200
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.
What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.
Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.
One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit 03dba18bc99f5e37821bfde9c138b012e730d4c7
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Tue Jul 31 14:14:20 2018 +1200
CVE-2018-10919 tests: Add test case for object visibility with limited rights
Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
attribute=*) searches compared to Windows.
All the acl.py tests are based on objectClass=* searches, where Windows
will happily tell a user about objects they have List Contents rights,
but not Read Property rights for. However, if you change the attribute
being searched for, suddenly the objects are no longer visible on
Windows (whereas they are on Samba).
This is a problem, because Samba can tell you about which objects have
confidential attributes, which in itself could be disclosive.
This patch adds a acl.py test-case that highlights this behaviour. The
test passes against Windows but fails against Samba.
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit 77421f33f853aed254ed67a6541f86e4070c4128
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Mon Jul 9 15:57:59 2018 +1200
CVE-2018-10919 tests: Add tests for guessing confidential attributes
Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.
The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the
user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-
access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls
These tests all pass when run against a Windows Dc and all fail against
a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit a81f32e73026c02491983a3136834c3c72d1d03f
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Fri Jul 20 13:13:50 2018 +1200
CVE-2018-10919 security: Add more comments to the object-specific access checks
Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit bbb72cfc343a2da135402536739ad4fbb5ee5c1c
Author: Tim Beale <timbeale at catalyst.net.nz>
Date: Thu Jul 19 16:03:36 2018 +1200
CVE-2018-10919 security: Move object-specific access checks into separate function
Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.
This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
commit 87aa836153e6fb48ea05d3fd98b8e05c527daf72
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Jul 30 14:00:18 2018 +1200
CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user
This regression was introduced in Samba 4.7 by bug 12842 and in
master git commit eb2e77970e41c1cb62c041877565e939c78ff52d.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552
CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
commit 5923c3ccfc11462b841db9e015a33e5f96459e47
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jun 15 15:08:17 2018 -0700
CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 677fad5e51ab1f9782f2d7a8fa3c708a2d2bd4a0
Author: Jeremy Allison <jra at samba.org>
Date: Fri Jun 15 15:07:17 2018 -0700
CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453
CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
commit 4954a6da82e13459b0756f1b29c8a9b417bcca8d
Author: Karolin Seeger <kseeger at samba.org>
Date: Mon Jun 25 22:13:45 2018 +0200
VERSION: Bump version up to 4.8.4...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 1df7f93b6ede803ec01424c48d2f1f3526c9818c)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 94 +-
lib/ldb/ABI/{ldb-1.3.4.sigs => ldb-1.3.5.sigs} | 0
...b-util.py3-1.3.4.sigs => pyldb-util-1.3.5.sigs} | 0
...il.py3-1.3.4.sigs => pyldb-util.py3-1.3.5.sigs} | 0
lib/ldb/ldb_sqlite3/ldb_sqlite3.c | 3 +
lib/ldb/ldb_tdb/ldb_index.c | 18 +
lib/ldb/ldb_tdb/ldb_search.c | 16 +
lib/ldb/ldb_tdb/ldb_tdb.c | 27 +-
lib/ldb/tests/python/api.py | 156 +++
lib/ldb/wscript | 2 +-
libcli/auth/ntlm_check.c | 10 +-
libcli/auth/tests/ntlm_check.c | 413 ++++++++
libcli/auth/wscript_build | 13 +
libcli/security/access_check.c | 110 ++-
python/samba/tests/dns_invalid.py | 87 ++
selftest/knownfail | 3 +-
selftest/tests.py | 20 +-
source3/libsmb/libsmb_dir.c | 57 +-
source3/libsmb/libsmb_path.c | 9 +-
source3/selftest/tests.py | 2 +-
source3/utils/ntlm_auth.c | 6 +-
source4/dsdb/samdb/cracknames.c | 8 +-
source4/dsdb/samdb/ldb_modules/acl_read.c | 331 ++++++-
source4/dsdb/tests/python/acl.py | 68 ++
source4/dsdb/tests/python/confidential_attr.py | 1025 ++++++++++++++++++++
source4/dsdb/tests/python/ldap.py | 9 +
source4/selftest/tests.py | 6 +
source4/torture/drs/python/cracknames.py | 38 +
29 files changed, 2438 insertions(+), 95 deletions(-)
copy lib/ldb/ABI/{ldb-1.3.4.sigs => ldb-1.3.5.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util.py3-1.3.4.sigs => pyldb-util-1.3.5.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util.py3-1.3.4.sigs => pyldb-util.py3-1.3.5.sigs} (100%)
create mode 100644 libcli/auth/tests/ntlm_check.c
create mode 100644 python/samba/tests/dns_invalid.py
create mode 100755 source4/dsdb/tests/python/confidential_attr.py
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index f9e02e8..fd52ff2 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=8
-SAMBA_VERSION_RELEASE=3
+SAMBA_VERSION_RELEASE=4
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 5c2d922..d092972 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,94 @@
=============================
+ Release Notes for Samba 4.8.4
+ August 14, 2018
+ =============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2018-1139 (Weak authentication protocol allowed.)
+o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
+o CVE-2018-10858 (Insufficient input validation on client directory
+ listing in libsmbclient.)
+o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
+o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
+ server.)
+
+
+=======
+Details
+=======
+
+o CVE-2018-1139:
+ Vulnerability that allows authentication via NTLMv1 even if disabled.
+
+o CVE-2018-1140:
+ Missing null pointer checks may crash the Samba AD DC, both over
+ DNS and LDAP.
+
+o CVE-2018-10858:
+ A malicious server could return a directory entry that could corrupt
+ libsmbclient memory.
+
+o CVE-2018-10918:
+ Missing null pointer checks may crash the Samba AD DC, over the
+ authenticated DRSUAPI RPC service.
+
+o CVE-2018-10919:
+ Missing access control checks allow discovery of confidential attribute
+ values via authenticated LDAP search expressions.
+
+
+Changes since 4.8.3:
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 13453: CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against
+ returns from malicious servers.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 13374: CVE-2018-1140: ldbsearch '(distinguishedName=abc)' and DNS query
+ with escapes crashes, ldb: Release LDB 1.3.5 for CVE-2018-1140
+ * BUG 13552: CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when
+ not servicePrincipalName is set on a user.
+
+o Tim Beale <timbeale at catalyst.net.nz>
+ * BUG 13434: CVE-2018-10919: acl_read: Fix unauthorized attribute access via
+ searches.
+
+o Günther Deschner <gd at samba.org>
+ * BUG 13360: CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it
+ is disabled via "ntlm auth".
+
+o Andrej Gessel <Andrej.Gessel at janztec.com>
+ * BUG 13374: CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in
+ ltdb_index_dn_attr().
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.8.3
June 26, 2018
=============================
@@ -84,8 +174,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.8.2
diff --git a/lib/ldb/ABI/ldb-1.3.4.sigs b/lib/ldb/ABI/ldb-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-1.3.4.sigs
copy to lib/ldb/ABI/ldb-1.3.5.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs b/lib/ldb/ABI/pyldb-util-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
copy to lib/ldb/ABI/pyldb-util-1.3.5.sigs
diff --git a/lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs b/lib/ldb/ABI/pyldb-util.py3-1.3.5.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util.py3-1.3.4.sigs
copy to lib/ldb/ABI/pyldb-util.py3-1.3.5.sigs
diff --git a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
index f94dc99..0f5abf8 100644
--- a/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
+++ b/lib/ldb/ldb_sqlite3/ldb_sqlite3.c
@@ -323,6 +323,9 @@ static char *parsetree_to_sql(struct ldb_module *module,
const char *cdn = ldb_dn_get_casefold(
ldb_dn_new(mem_ctx, ldb,
(const char *)value.data));
+ if (cdn == NULL) {
+ return NULL;
+ }
return lsqlite3_tprintf(mem_ctx,
"SELECT eid FROM ldb_entry "
diff --git a/lib/ldb/ldb_tdb/ldb_index.c b/lib/ldb/ldb_tdb/ldb_index.c
index 40baeea..429c8f5 100644
--- a/lib/ldb/ldb_tdb/ldb_index.c
+++ b/lib/ldb/ldb_tdb/ldb_index.c
@@ -970,6 +970,7 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
return LDB_SUCCESS;
}
if (ldb_attr_dn(tree->u.equality.attr) == 0) {
+ bool valid_dn = false;
struct ldb_dn *dn
= ldb_dn_from_ldb_val(list,
ldb_module_get_ctx(module),
@@ -981,6 +982,14 @@ static int ltdb_index_dn_leaf(struct ldb_module *module,
return LDB_SUCCESS;
}
+ valid_dn = ldb_dn_validate(dn);
+ if (valid_dn == false) {
+ /* If we can't parse it, no match */
+ list->dn = NULL;
+ list->count = 0;
+ return LDB_SUCCESS;
+ }
+
/*
* Re-use the same code we use for a SCOPE_BASE
* search
@@ -1405,6 +1414,15 @@ static int ltdb_index_dn_attr(struct ldb_module *module,
/* work out the index key from the parent DN */
val.data = (uint8_t *)((uintptr_t)ldb_dn_get_casefold(dn));
+ if (val.data == NULL) {
+ const char *dn_str = ldb_dn_get_linearized(dn);
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ __location__
+ ": Failed to get casefold DN "
+ "from: %s",
+ dn_str);
+ return LDB_ERR_OPERATIONS_ERROR;
+ }
val.length = strlen((char *)val.data);
key = ltdb_index_key(ldb, ltdb, attr, &val, NULL);
if (!key) {
diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c
index 0289086..d14be0f 100644
--- a/lib/ldb/ldb_tdb/ldb_search.c
+++ b/lib/ldb/ldb_tdb/ldb_search.c
@@ -295,6 +295,14 @@ int ltdb_search_dn1(struct ldb_module *module, struct ldb_dn *dn, struct ldb_mes
};
TALLOC_CTX *tdb_key_ctx = NULL;
+ bool valid_dn = ldb_dn_validate(dn);
+ if (valid_dn == false) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid Base DN: %s",
+ ldb_dn_get_linearized(dn));
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
if (ltdb->cache->GUID_index_attribute == NULL) {
tdb_key_ctx = talloc_new(msg);
if (!tdb_key_ctx) {
@@ -803,6 +811,14 @@ int ltdb_search(struct ltdb_context *ctx)
ldb_dn_get_linearized(req->op.search.base));
}
+ } else if (ldb_dn_validate(req->op.search.base) == false) {
+
+ /* We don't want invalid base DNs here */
+ ldb_asprintf_errstring(ldb,
+ "Invalid Base DN: %s",
+ ldb_dn_get_linearized(req->op.search.base));
+ ret = LDB_ERR_INVALID_DN_SYNTAX;
+
} else {
/* If we are not checking the base DN life is easy */
ret = LDB_SUCCESS;
diff --git a/lib/ldb/ldb_tdb/ldb_tdb.c b/lib/ldb/ldb_tdb/ldb_tdb.c
index 7014276..c7bf865 100644
--- a/lib/ldb/ldb_tdb/ldb_tdb.c
+++ b/lib/ldb/ldb_tdb/ldb_tdb.c
@@ -515,6 +515,16 @@ static int ltdb_add_internal(struct ldb_module *module,
struct ldb_context *ldb = ldb_module_get_ctx(module);
int ret = LDB_SUCCESS;
unsigned int i;
+ bool valid_dn = false;
+
+ /* Check the new DN is reasonable */
+ valid_dn = ldb_dn_validate(msg->dn);
+ if (valid_dn == false) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid DN in ADD: %s",
+ ldb_dn_get_linearized(msg->dn));
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
for (i=0;i<msg->num_elements;i++) {
struct ldb_message_element *el = &msg->elements[i];
@@ -1292,6 +1302,7 @@ static int ltdb_rename(struct ltdb_context *ctx)
int ret = LDB_SUCCESS;
TDB_DATA tdb_key, tdb_key_old;
struct ldb_dn *db_dn;
+ bool valid_dn = false;
ldb_request_set_state(req, LDB_ASYNC_PENDING);
@@ -1304,10 +1315,24 @@ static int ltdb_rename(struct ltdb_context *ctx)
return LDB_ERR_OPERATIONS_ERROR;
}
+ /* Check the new DN is reasonable */
+ valid_dn = ldb_dn_validate(req->op.rename.newdn);
+ if (valid_dn == false) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid New DN: %s",
+ ldb_dn_get_linearized(req->op.rename.newdn));
+ return LDB_ERR_INVALID_DN_SYNTAX;
+ }
+
/* we need to fetch the old record to re-add under the new name */
ret = ltdb_search_dn1(module, req->op.rename.olddn, msg,
LDB_UNPACK_DATA_FLAG_NO_DATA_ALLOC);
- if (ret != LDB_SUCCESS) {
+ if (ret == LDB_ERR_INVALID_DN_SYNTAX) {
+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
+ "Invalid Old DN: %s",
+ ldb_dn_get_linearized(req->op.rename.newdn));
+ return ret;
+ } else if (ret != LDB_SUCCESS) {
/* not finding the old record is an error */
return ret;
}
diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py
index a62b241..48fac88 100755
--- a/lib/ldb/tests/python/api.py
+++ b/lib/ldb/tests/python/api.py
@@ -401,6 +401,19 @@ class SimpleLdb(LdbBaseTest):
finally:
l.delete(ldb.Dn(l, "dc=bar"))
+ def test_rename_bad_string_dns(self):
+ l = ldb.Ldb(self.url(), flags=self.flags())
+ m = ldb.Message()
+ m.dn = ldb.Dn(l, "dc=foo8")
+ m["bla"] = b"bla"
+ m["objectUUID"] = b"0123456789abcdef"
+ self.assertEqual(len(l.search()), 0)
+ l.add(m)
+ self.assertEqual(len(l.search()), 1)
+ self.assertRaises(ldb.LdbError,lambda: l.rename("dcXfoo8", "dc=bar"))
+ self.assertRaises(ldb.LdbError,lambda: l.rename("dc=foo8", "dcXbar"))
+ l.delete(ldb.Dn(l, "dc=foo8"))
+
def test_empty_dn(self):
l = ldb.Ldb(self.url(), flags=self.flags())
self.assertEqual(0, len(l.search()))
@@ -1143,6 +1156,110 @@ class SearchTests(LdbBaseTest):
# At some point we should fix this, but it isn't trivial
self.assertEqual(len(res11), 1)
+ def test_distinguishedName_filter_one(self):
+ """Testing that a distinguishedName= filter succeeds
+ when the scope is SCOPE_ONELEVEL.
+
+ This should be made more consistent, but for now lock in
+ the behaviour
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_ONELEVEL,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+ self.assertEqual(len(res11), 1)
+
+ def test_distinguishedName_filter_subtree(self):
+ """Testing that a distinguishedName= filter succeeds
+ when the scope is SCOPE_SUBTREE"""
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_SUBTREE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+ self.assertEqual(len(res11), 1)
+
+ def test_distinguishedName_filter_base(self):
+ """Testing that (incorrectly) a distinguishedName= filter works
+ when the scope is SCOPE_BASE"""
+
+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_BASE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DC=ORG)")
+
+ # At some point we should fix this, but it isn't trivial
+ self.assertEqual(len(res11), 1)
+
+ def test_bad_dn_filter_base(self):
+ """Testing that a dn= filter on an invalid DN works
+ when the scope is SCOPE_BASE but
+ returns zero results"""
+
+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_BASE,
+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+
+ # At some point we should fix this, but it isn't trivial
+ self.assertEqual(len(res11), 0)
+
+
+ def test_bad_dn_filter_one(self):
+ """Testing that a dn= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_ONELEVEL search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_ONELEVEL,
+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
+ def test_bad_dn_filter_subtree(self):
+ """Testing that a dn= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_SUBTREE search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_SUBTREE,
+ expression="(dn=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
+ def test_bad_distinguishedName_filter_base(self):
+ """Testing that a distinguishedName= filter on an invalid DN works
+ when the scope is SCOPE_BASE but
+ returns zero results"""
+
+ res11 = self.l.search(base="OU=OU1,DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_BASE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+
+ # At some point we should fix this, but it isn't trivial
+ self.assertEqual(len(res11), 0)
+
+
+ def test_bad_distinguishedName_filter_one(self):
+ """Testing that a distinguishedName= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_ONELEVEL search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_ONELEVEL,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
+ def test_bad_distinguishedName_filter_subtree(self):
+ """Testing that a distinguishedName= filter succeeds but returns zero
+ results when the DN is not valid on a SCOPE_SUBTREE search
+
+ """
+
+ res11 = self.l.search(base="DC=SAMBA,DC=ORG",
+ scope=ldb.SCOPE_SUBTREE,
+ expression="(distinguishedName=OU=OU1,DC=SAMBA,DCXXXX)")
+ self.assertEqual(len(res11), 0)
+
class IndexedSearchTests(SearchTests):
"""Test searches using the index, to ensure the index doesn't
@@ -1291,6 +1408,17 @@ class AddModifyTests(LdbBaseTest):
enum = err.args[0]
self.assertEqual(enum, ldb.ERR_ENTRY_ALREADY_EXISTS)
+ def test_add_bad(self):
+ try:
+ self.l.add({"dn": "BAD,DC=SAMBA,DC=ORG",
+ "name": b"Admins",
+ "x": "z", "y": "a",
+ "objectUUID": b"0123456789abcde1"})
+ self.fail("Should have failed adding entry with invalid DN")
+ except ldb.LdbError as err:
+ enum = err.args[0]
+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
def test_add_del_add(self):
self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
"name": b"Admins",
@@ -1372,6 +1500,34 @@ class AddModifyTests(LdbBaseTest):
enum = err.args[0]
self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
+ def test_move_bad(self):
+ self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+ "name": b"Admins",
+ "x": "z", "y": "a",
+ "objectUUID": b"0123456789abcde2"})
+
+ try:
+ self.l.rename("OUXDUP,DC=SAMBA,DC=ORG",
+ "OU=DUP2,DC=SAMBA,DC=ORG")
+ self.fail("Should have failed on invalid DN")
+ except ldb.LdbError as err:
+ enum = err.args[0]
+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
+ def test_move_bad2(self):
+ self.l.add({"dn": "OU=DUP2,DC=SAMBA,DC=ORG",
+ "name": b"Admins",
+ "x": "z", "y": "a",
+ "objectUUID": b"0123456789abcde2"})
+
+ try:
+ self.l.rename("OU=DUP,DC=SAMBA,DC=ORG",
+ "OUXDUP2,DC=SAMBA,DC=ORG")
+ self.fail("Should have failed on missing")
+ except ldb.LdbError as err:
+ enum = err.args[0]
+ self.assertEqual(enum, ldb.ERR_INVALID_DN_SYNTAX)
+
def test_move_fail_move_add(self):
self.l.add({"dn": "OU=DUP,DC=SAMBA,DC=ORG",
"name": b"Admins",
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index 2477885..5b7f364 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'ldb'
-VERSION = '1.3.4'
+VERSION = '1.3.5'
blddir = 'bin'
diff --git a/libcli/auth/ntlm_check.c b/libcli/auth/ntlm_check.c
index 3b02adc..b68e9c8 100644
--- a/libcli/auth/ntlm_check.c
+++ b/libcli/auth/ntlm_check.c
@@ -224,7 +224,7 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
const struct samr_Password *stored_nt)
{
if (stored_nt == NULL) {
- DEBUG(3,("ntlm_password_check: NO NT password stored for user %s.\n",
+ DEBUG(3,("hash_password_check: NO NT password stored for user %s.\n",
username));
}
@@ -232,14 +232,14 @@ NTSTATUS hash_password_check(TALLOC_CTX *mem_ctx,
if (memcmp(client_nt->hash, stored_nt->hash, sizeof(stored_nt->hash)) == 0) {
return NT_STATUS_OK;
} else {
- DEBUG(3,("ntlm_password_check: Interactive logon: NT password check failed for user %s\n",
--
Samba Shared Repository
More information about the samba-cvs
mailing list