[SCM] Samba Shared Repository - branch v4-8-test updated

Karolin Seeger kseeger at samba.org
Tue Nov 27 10:07:26 UTC 2018


The branch, v4-8-test has been updated
       via  03f60c3ab36 VERSION: Bump version up to 4.8.8.
       via  db08ec4c941 Merge tag 'samba-4.8.7' into v4-8-test
       via  cd870beb978 VERSION: Disable GIT_SNAPSHOT for the 4.8.7 release.
       via  de51a73e070 WHATSNEW: Add release notes for Samba 4.8.7.
       via  52aa2e14144 CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental
       via  fff405ae28b CVE-2018-16851 ldap_server: Check ret before manipulating blob
       via  b904c680eed CVE-2018-16841 selftest: Check for mismatching principal in certficate compared with principal in AS-REQ
       via  da9eeee6fce CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
       via  86ddd703248 CVE-2018-14629 dns: CNAME loop prevention using counter
       via  623c3a99ef7 VERSION: Bump version up to 4.8.7...
      from  58c53ddef51 s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test


- Log -----------------------------------------------------------------
commit 03f60c3ab3662a8fde5dd457ece1faf638b7faa9
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Nov 27 11:06:59 2018 +0100

    VERSION: Bump version up to 4.8.8.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit db08ec4c941d6d775d441260cd4e804bc7b4157a
Merge: 58c53ddef51 cd870beb978
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue Nov 27 11:06:43 2018 +0100

    Merge tag 'samba-4.8.7' into v4-8-test
    
    samba: tag release samba-4.8.7

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                   |   2 +-
 WHATSNEW.txt                              | 103 +++++++++++++++++++++++++++++-
 python/samba/tests/dns.py                 |  24 +++++++
 selftest/knownfail.d/dns                  |   6 ++
 source4/dns_server/dns_query.c            |   6 ++
 source4/kdc/db-glue.c                     |   6 +-
 source4/ldap_server/ldap_server.c         |   4 +-
 testprogs/blackbox/test_pkinit_heimdal.sh |   8 +++
 wscript                                   |  17 +++++
 9 files changed, 168 insertions(+), 8 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 94bec4b98dd..57150635ca3 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=8
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b93039803be..9f604b0d457 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,102 @@
+                   =============================
+                   Release Notes for Samba 4.8.7
+                         November 27, 2018
+                   =============================
+
+
+This is a security release in order to address the following defects:
+
+o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
+                   Internal DNS server)
+o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
+o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
+o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
+                   configuration (unsupported))
+
+
+=======
+Details
+=======
+
+o  CVE-2018-14629:
+   All versions of Samba from 4.0.0 onwards are vulnerable to infinite
+   query recursion caused by CNAME loops. Any dns record can be added via
+   ldap by an unprivileged user using the ldbadd tool, so this is a
+   security issue.
+
+o  CVE-2018-16841:
+   When configured to accept smart-card authentication, Samba's KDC will call
+   talloc_free() twice on the same memory if the principal in a validly signed
+   certificate does not match the principal in the AS-REQ.
+
+   This is only possible after authentication with a trusted certificate.
+
+   talloc is robust against further corruption from a double-free with
+   talloc_free() and directly calls abort(), terminating the KDC process.
+
+   There is no further vulnerability associated with this issue, merely a
+   denial of service.
+
+o  CVE-2018-16851:
+   During the processing of an LDAP search before Samba's AD DC returns
+   the LDAP entries to the client, the entries are cached in a single
+   memory object with a maximum size of 256MB.  When this size is
+   reached, the Samba process providing the LDAP service will follow the
+   NULL pointer, terminating the process.
+
+   There is no further vulnerability associated with this issue, merely a
+   denial of service.
+
+o  CVE-2018-16853:
+   A user in a Samba AD domain can crash the KDC when Samba is built in the
+   non-default MIT Kerberos configuration.
+
+   With this advisory we clarify that the MIT Kerberos build of the Samba
+   AD DC is considered experimental.  Therefore the Samba Team will not
+   issue security patches for this configuration.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.8.6:
+--------------------
+
+o  Andrew Bartlett <abartlet at samba.org>
+   * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with
+     mis-matching principal.
+   * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT
+     Kerberos is experimental
+
+o  Aaron Haslett <aaronhaslett at catalyst.net.nz>
+   * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter.
+
+o  Garming Sam <garming at catalyst.net.nz>
+   * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 4.8.6
                            October 9, 2018
@@ -63,8 +162,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.8.5
diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
index 1b5b64da3a4..3390a3990c9 100644
--- a/python/samba/tests/dns.py
+++ b/python/samba/tests/dns.py
@@ -798,6 +798,30 @@ class TestComplexQueries(DNSTest):
         self.assertEquals(response.answers[1].name, name2)
         self.assertEquals(response.answers[1].rdata, name0)
 
+    def test_cname_loop(self):
+        cname1 = "cnamelooptestrec." + self.get_dns_domain()
+        cname2 = "cnamelooptestrec2." + self.get_dns_domain()
+        cname3 = "cnamelooptestrec3." + self.get_dns_domain()
+        self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
+        self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME)
+
+        p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
+        questions = []
+
+        q = self.make_name_question(cname1,
+                                    dns.DNS_QTYPE_A,
+                                    dns.DNS_QCLASS_IN)
+        questions.append(q)
+        self.finish_name_packet(p, questions)
+
+        (response, response_packet) =\
+            self.dns_transaction_udp(p, host=self.server_ip)
+
+        max_recursion_depth = 20
+        self.assertEquals(len(response.answers), max_recursion_depth)
+
+
 class TestInvalidQueries(DNSTest):
     def setUp(self):
         super(TestInvalidQueries, self).setUp()
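Review bot: "max_recursion_depth = 20" in test_cname_loop duplicates MAX_Q_RECURSION_DEPTH from source4/dns_server/dns_query.c with no cross-reference, so a later change to the server constant would break this test without saying why; add a comment naming the C define next to the literal. The test also creates three mutually looping CNAME records and never removes them, so unless DNSTest's tearDown cleans the zone they stay behind for later tests in the same domain; delete them at the end of the test. Minor: the assertion only checks len(response.answers), so it would also pass on 20 unrelated records; checking that every answer name is one of cname1, cname2, cname3 would make the test tighter.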
diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
index cb3003240ea..8c79b3abe00 100644
--- a/selftest/knownfail.d/dns
+++ b/selftest/knownfail.d/dns
@@ -45,3 +45,9 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
 
 # The SOA override should not pass against the RODC, it must not overstamp
 samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
+
+#
+# rodc and vampire_dc require signed dns updates, so the test setup
+# fails, but the test does run on fl2003dc
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
index f1facc83125..07cde80a258 100644
--- a/source4/dns_server/dns_query.c
+++ b/source4/dns_server/dns_query.c
@@ -40,6 +40,7 @@
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_DNS
+#define MAX_Q_RECURSION_DEPTH 20
 
 struct forwarder_string {
 	const char *forwarder;
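Review bot: MAX_Q_RECURSION_DEPTH is added without a comment saying what it bounds; a one-line note that it caps the number of records accumulated while chasing a CNAME chain (and that python/samba/tests/dns.py asserts on the same value) would save the next reader a trip through handle_dnsrpcrec_send.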
@@ -419,6 +420,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
 	state->answers = answers;
 	state->nsrecs = nsrecs;
 
+	if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
+		tevent_req_done(req);
+		return tevent_req_post(req, ev);
+	}
+
 	resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
 			 ((question->question_type == DNS_QTYPE_A) ||
 			  (question->question_type == DNS_QTYPE_AAAA)));
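Review bot: the guard measures talloc_array_length(*answers), i.e. every record already collected, not the number of CNAME hops, so a name whose RRset legitimately holds 20 or more records would be cut short by the same check; if that is not intended, track the CNAME chase depth in state separately from the answer count. The loop case also finishes via tevent_req_done with no diagnostic, so an operator sees only a truncated answer; a DBG_WARNING naming the queried name when the cap is hit would make CNAME loops visible in the logs instead of silent.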
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8ccc34cd665..519060a5641 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -2606,10 +2606,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
 	 * comparison */
 	if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
 		talloc_free(mem_ctx);
-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
-		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
 		return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
+#else /* Heimdal (where this is an enum) */
+		return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
 #endif
 	}
 
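Review bot: the reason the old "#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */" was wrong deserves a comment here or in the commit message: Heimdal defines that name as an enumerator rather than a macro, so the #ifdef was false, neither branch was compiled into Heimdal builds, and a mismatched principal fell through the if block with no error return. Making the MIT macro the only preprocessor test and Heimdal the #else, as done here, is the right fix; spelling out that the #else is reached precisely because the preprocessor cannot see an enum will stop someone "tidying" it back into a symmetric #ifdef/#elif later.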
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
index 5f7efe90bba..d754c4dae78 100644
--- a/source4/ldap_server/ldap_server.c
+++ b/source4/ldap_server/ldap_server.c
@@ -675,13 +675,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
 		ret = data_blob_append(call, &blob, b.data, b.length);
 		data_blob_free(&b);
 
-		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
-
 		if (!ret) {
 			ldapsrv_terminate_connection(conn, "data_blob_append failed");
 			return;
 		}
 
+		talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+
 		DLIST_REMOVE(call->replies, call->replies);
 	}
 
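Review bot: the move is correct: when data_blob_append fails, blob.data is not a talloc chunk that can be named, so calling talloc_set_name_const before the "!ret" check dereferenced an invalid pointer; a one-line comment above the check saying the name must only be set after a successful append would keep the ordering from being reverted.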
diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
index 0a13aa293e7..0912e0dbfe8 100755
--- a/testprogs/blackbox/test_pkinit_heimdal.sh
+++ b/testprogs/blackbox/test_pkinit_heimdal.sh
@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque
 testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
 
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
+
+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
+
 testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
 
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
+
+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
+
 testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
 testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R  || failed=`expr $failed + 1`
 test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
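Review bot: the second "wrong enterprise name specified" case uses "$SERVER$@$REALM" where the non-enterprise case above uses "$SERVER@$REALM"; the extra "$" turns "$@" into the shell's positional-parameter expansion, so with no positional parameters the principal becomes "${SERVER}${REALM}" with no "@" at all, and the test then expects failure for a malformed name rather than for the server principal it meant to test. Drop the stray "$".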
diff --git a/wscript b/wscript
index 0985aa94867..ff628df37e7 100644
--- a/wscript
+++ b/wscript
@@ -55,6 +55,14 @@ def set_options(opt):
                    help='build Samba with system MIT Kerberos. ' +
                         'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config',
                    action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False)
+
+    opt.add_option('--with-experimental-mit-ad-dc',
+                   help='Enable the experimental MIT Kerberos-backed AD DC.  ' +
+                   'Note that security patches are not issued for this configuration',
+                   action='store_true',
+                   dest='with_experimental_mit_ad_dc',
+                   default=False)
+
     opt.add_option('--with-system-mitkdc',
                    help=('Specify the path to the krb5kdc binary from MIT Kerberos'),
                    type="string",
@@ -194,7 +202,16 @@ def configure(conf):
         conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
 
     if Options.options.with_system_mitkrb5:
+        if not Options.options.with_experimental_mit_ad_dc and \
+           not Options.options.without_ad_dc:
+            raise Utils.WafError('The MIT Kerberos build of Samba as an AD DC ' +
+                                 'is experimental. Therefore '
+                                 '--with-system-mitkrb5 requires either ' +
+                                 '--with-experimental-mit-ad-dc or ' +
+                                 '--without-ad-dc')
+
         conf.PROCESS_SEPARATE_RULE('system_mitkrb5')
+
     if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5):
         conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
 
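Review bot: the WafError message mixes "+" concatenation with implicit adjacent-literal concatenation ("'Therefore ' '--with-system-mitkrb5 requires either ' +"); it works, but the missing "+" after 'Therefore ' looks accidental, so use one style throughout. The condition "not with_experimental_mit_ad_dc and not without_ad_dc" also reads more clearly as "not (a or b)", matching the "if not (Options.options.without_ad_dc or ...)" form used two lines below.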


-- 
Samba Shared Repository
