[SCM] Samba Shared Repository - branch v4-9-stable updated

Karolin Seeger kseeger at samba.org
Wed Jun 19 06:41:30 UTC 2019


The branch, v4-9-stable has been updated
       via  e6e7c8cada4 VERSION: Disable GIT_SNAPSHOT for the 4.9.9 release
       via  c0712976700 WHATSNEW: Add release notes for Samba 4.9.9
       via  c2423655657 CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
       via  09818693ac2 CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
       via  a26bed6da5c VERSION: Re-enable GIT_SNAPSHOT.
       via  a402c1e10ef VERSION: Bump version up to 4.9.9.
      from  9dfd4419b50 VERSION: Disable GIT_SNAPSHOT for the 4.9.8 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-stable


- Log -----------------------------------------------------------------
commit e6e7c8cada481f79fb899e372fa2f34d35e14637
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jun 13 11:59:07 2019 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.9.9 release
    
    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit c07129767006e89014b01105d5aca6b3043b5596
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jun 13 11:57:35 2019 +0200

    WHATSNEW: Add release notes for Samba 4.9.9
    
    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit c2423655657f3074c80ae06f0b6806fc71c8bb41
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed May 22 13:23:25 2019 +1200

    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
    
    We still want to return DOES_NOT_EXIST when request_filter is not 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 09818693ac251a15df39433ed529b882883cdd44
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date:   Wed May 22 12:58:01 2019 +1200

    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
    
    We still want to return DOES_NOT_EXIST when request_filter is not 0.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
    
    Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a26bed6da5c1813b14a2c4a5d77359d76eb2f4b3
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jun 13 11:16:26 2019 +0200

    VERSION: Re-enable GIT_SNAPSHOT.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit a402c1e10ef4e1007250a5d622e6bfde56cd5291
Author: Karolin Seeger <kseeger at samba.org>
Date:   Tue May 14 08:23:03 2019 +0200

    VERSION: Bump version up to 4.9.9.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>
    (cherry picked from commit a9f7f1f7433b1f1c18ebf0d88fc57ae270f2711f)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |  2 +-
 WHATSNEW.txt                                    | 57 ++++++++++++++++++++++++-
 python/samba/tests/dcerpc/dnsserver.py          | 51 ++++++++++++++++++++++
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 14 +++++-
 4 files changed, 119 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 1833b6c24d0..62d75c7cb9a 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=9
-SAMBA_VERSION_RELEASE=8
+SAMBA_VERSION_RELEASE=9
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b0191a14442..a053735f6e9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,56 @@
+                   =============================
+                   Release Notes for Samba 4.9.9
+                            June 19, 2019
+                   =============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server       
+                  (dnsserver))
+
+=======
+Details
+=======
+
+o  CVE-2019-12435:                                                              
+   An authenticated user can crash the Samba AD DC's RPC server process via a   
+   NULL pointer dereference.
+
+For more details and workarounds, please refer to the security advisory.
+
+
+Changes since 4.9.8:
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 13922: CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found
+     in DnssrvOperation2.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 4.9.8
                             May 14, 2019
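Review bot: The "Changes since 4.9.8" entry names only DnssrvOperation2, but this changeset applies the same fix to DnssrvOperation as well (both functions are patched in source4/rpc_server/dnsserver/dcerpc_dnsserver.c), so the entry should list both calls. In the same entry "NULL deference" should read "NULL dereference", and the two "CVE-2019-12435" bullet lines and the first line of the Details text end in trailing whitespace that should be stripped.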
@@ -49,8 +102,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.9.7
diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py
index 53e1abde042..7264a290ef2 100644
--- a/python/samba/tests/dcerpc/dnsserver.py
+++ b/python/samba/tests/dcerpc/dnsserver.py
@@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security
 from samba.tests import RpcInterfaceTestCase, env_get_var_value
 from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord
 from samba import sd_utils, descriptor
+from samba import WERRORError, werror
 
 class DnsserverTests(RpcInterfaceTestCase):
 
@@ -707,6 +708,56 @@ class DnsserverTests(RpcInterfaceTestCase):
                                                 'ServerInfo')
         self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid)
 
+
+    # This test is to confirm that we do not support multizone operations,
+    # which are designated by a non-zero dwContext value (the 3rd argument
+    # to DnssrvOperation).
+    def test_operation_invalid(self):
+        non_zone = 'a-zone-that-does-not-exist'
+        typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
+        name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
+        name_and_param.pszNodeName = 'AllowUpdate'
+        name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
+        try:
+            res = self.conn.DnssrvOperation(self.server,
+                                            non_zone,
+                                            1,
+                                            'ResetDwordProperty',
+                                            typeid,
+                                            name_and_param)
+        except WERRORError as e:
+            if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
+                return
+
+        # We should always encounter a DOES_NOT_EXIST error.
+        self.fail()
+
+    # This test is to confirm that we do not support multizone operations,
+    # which are designated by a non-zero dwContext value (the 5th argument
+    # to DnssrvOperation2).
+    def test_operation2_invalid(self):
+        client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
+        non_zone = 'a-zone-that-does-not-exist'
+        typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
+        name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
+        name_and_param.pszNodeName = 'AllowUpdate'
+        name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
+        try:
+            res = self.conn.DnssrvOperation2(client_version,
+                                             0,
+                                             self.server,
+                                             non_zone,
+                                             1,
+                                             'ResetDwordProperty',
+                                             typeid,
+                                             name_and_param)
+        except WERRORError as e:
+            if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
+                return
+
+        # We should always encounter a DOES_NOT_EXIST error.
+        self.fail()
+
     def test_operation2(self):
         client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
         rev_zone = '1.168.192.in-addr.arpa'
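Review bot: In test_operation_invalid and test_operation2_invalid, a WERRORError carrying any code other than WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST falls out of the except block into a bare self.fail(), so the test report loses the code the server actually returned. Pass a message to self.fail() that includes e.args[0], or use assertRaises(WERRORError) as a context manager and compare the captured exception's args[0]. The res assignment is never read and can be dropped, the two tests build an identical name_and_param and could share a helper, and there is a stray extra blank line before the first added comment.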
diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
index b42d7c549d1..353754f9261 100644
--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
@@ -1955,7 +1955,12 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_
 						&r->in.pData);
 	} else {
 		z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
-		if (z == NULL && request_filter == 0) {
+		/*
+		 * In the case that request_filter is not 0 and z is NULL,
+		 * the request is for a multizone operation, which we do not
+		 * yet support, so just error on NULL zone name.
+		 */
+		if (z == NULL) {
 			return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
 		}
 
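Review bot: The new comment in dcesrv_DnssrvOperation ends with "so just error on NULL zone name", but the condition tests z, the result of dnsserver_find_zone(), not the name passed in r->in.pszZone. Reword it to say the call fails whenever the zone lookup returns NULL, so the comment matches the check. It would also help to state in the comment that WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST is the intended return code for the unsupported multizone case, since only the commit message says so.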
@@ -2162,7 +2167,12 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC
 						&r->in.pData);
 	} else {
 		z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
-		if (z == NULL && request_filter == 0) {
+		/*
+		 * In the case that request_filter is not 0 and z is NULL,
+		 * the request is for a multizone operation, which we do not
+		 * yet support, so just error on NULL zone name.
+		 */
+		if (z == NULL) {
 			return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
 		}
 
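Review bot: The check and comment added to dcesrv_DnssrvOperation2 are a verbatim copy of the ones added to dcesrv_DnssrvOperation, and the condition being replaced was identical in both places. Consider moving the dnsserver_find_zone() call and the z == NULL test into one static helper that both entry points call, so a later change to the lookup cannot fix one path and miss the other.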


-- 
Samba Shared Repository


