[SCM] Samba Shared Repository - branch v4-9-test updated

Karolin Seeger kseeger at samba.org
Wed Jun 19 07:08:25 UTC 2019


The branch, v4-9-test has been updated
       via  414261f3785 VERSION: Bump version up to 4.9.10.
       via  01f22365af9 Merge tag 'samba-4.9.9' into v4-9-test
       via  e6e7c8cada4 VERSION: Disable GIT_SNAPSHOT for the 4.9.9 release
       via  c0712976700 WHATSNEW: Add release notes for Samba 4.9.9
       via  c2423655657 CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
       via  09818693ac2 CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
       via  a26bed6da5c VERSION: Re-enable GIT_SNAPSHOT.
       via  a402c1e10ef VERSION: Bump version up to 4.9.9.
      from  8b1dfd9b172 vfs_fruit: change trigger points of AppleDouble conversion

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-9-test


- Log -----------------------------------------------------------------
commit 414261f37851c61e41967b882436adf2e62a072b
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Jun 19 09:07:50 2019 +0200

    VERSION: Bump version up to 4.9.10.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 01f22365af9c1070579efcf24703d5387303722c
Merge: 8b1dfd9b172 e6e7c8cada4
Author: Karolin Seeger <kseeger at samba.org>
Date:   Wed Jun 19 09:07:05 2019 +0200

    Merge tag 'samba-4.9.9' into v4-9-test
    
    samba: tag release samba-4.9.9

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |  2 +-
 WHATSNEW.txt                                    | 57 ++++++++++++++++++++++++-
 python/samba/tests/dcerpc/dnsserver.py          | 51 ++++++++++++++++++++++
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 14 +++++-
 4 files changed, 119 insertions(+), 5 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 7471561058a..d851624cade 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=9
-SAMBA_VERSION_RELEASE=9
+SAMBA_VERSION_RELEASE=10
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index b0191a14442..a053735f6e9 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,56 @@
+                   =============================
+                   Release Notes for Samba 4.9.9
+                            June 19, 2019
+                   =============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server       
+                  (dnsserver))
+
+=======
+Details
+=======
+
+o  CVE-2019-12435:                                                              
+   An authenticated user can crash the Samba AD DC's RPC server process via a   
+   NULL pointer dereference.
+
+For more details and workarounds, please refer to the security advisory.
+
+
+Changes since 4.9.8:
+--------------------
+
+o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+   * BUG 13922: CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found
+     in DnssrvOperation2.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    =============================
                    Release Notes for Samba 4.9.8
                             May 14, 2019
@@ -49,8 +102,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.9.7
diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py
index 53e1abde042..7264a290ef2 100644
--- a/python/samba/tests/dcerpc/dnsserver.py
+++ b/python/samba/tests/dcerpc/dnsserver.py
@@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security
 from samba.tests import RpcInterfaceTestCase, env_get_var_value
 from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord
 from samba import sd_utils, descriptor
+from samba import WERRORError, werror
 
 class DnsserverTests(RpcInterfaceTestCase):
 
@@ -707,6 +708,56 @@ class DnsserverTests(RpcInterfaceTestCase):
                                                 'ServerInfo')
         self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid)
 
+
+    # This test is to confirm that we do not support multizone operations,
+    # which are designated by a non-zero dwContext value (the 3rd argument
+    # to DnssrvOperation).
+    def test_operation_invalid(self):
+        non_zone = 'a-zone-that-does-not-exist'
+        typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
+        name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
+        name_and_param.pszNodeName = 'AllowUpdate'
+        name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
+        try:
+            res = self.conn.DnssrvOperation(self.server,
+                                            non_zone,
+                                            1,
+                                            'ResetDwordProperty',
+                                            typeid,
+                                            name_and_param)
+        except WERRORError as e:
+            if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
+                return
+
+        # We should always encounter a DOES_NOT_EXIST error.
+        self.fail()
+
+    # This test is to confirm that we do not support multizone operations,
+    # which are designated by a non-zero dwContext value (the 5th argument
+    # to DnssrvOperation2).
+    def test_operation2_invalid(self):
+        client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
+        non_zone = 'a-zone-that-does-not-exist'
+        typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
+        name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
+        name_and_param.pszNodeName = 'AllowUpdate'
+        name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
+        try:
+            res = self.conn.DnssrvOperation2(client_version,
+                                             0,
+                                             self.server,
+                                             non_zone,
+                                             1,
+                                             'ResetDwordProperty',
+                                             typeid,
+                                             name_and_param)
+        except WERRORError as e:
+            if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
+                return
+
+        # We should always encounter a DOES_NOT_EXIST error.
+        self.fail()
+
     def test_operation2(self):
         client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
         rev_zone = '1.168.192.in-addr.arpa'
diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
index b42d7c549d1..353754f9261 100644
--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
@@ -1955,7 +1955,12 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_
 						&r->in.pData);
 	} else {
 		z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
-		if (z == NULL && request_filter == 0) {
+		/*
+		 * In the case that request_filter is not 0 and z is NULL,
+		 * the request is for a multizone operation, which we do not
+		 * yet support, so just error on NULL zone name.
+		 */
+		if (z == NULL) {
 			return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
 		}
 
@@ -2162,7 +2167,12 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC
 						&r->in.pData);
 	} else {
 		z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
-		if (z == NULL && request_filter == 0) {
+		/*
+		 * In the case that request_filter is not 0 and z is NULL,
+		 * the request is for a multizone operation, which we do not
+		 * yet support, so just error on NULL zone name.
+		 */
+		if (z == NULL) {
 			return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
 		}
 


-- 
Samba Shared Repository



More information about the samba-cvs mailing list