More information here:
https://bugzilla.samba.org/show_bug.cgi?id=11077
https://securityblog.redhat.com/2015/02/23/samba-vulnerability-cve-2015-0240/
Index: Makefile
===================================================================
RCS file: /cvs/ports/net/samba/Makefile,v
retrieving revision 1.199
diff -u -p -r1.199 Makefile
--- Makefile 17 Feb 2015 22:08:36 -0000 1.199
+++ Makefile 23 Feb 2015 19:46:06 -0000
@@ -9,7 +9,7 @@ DISTNAME= samba-3.6.15
PKGNAME-main= ${DISTNAME}
FULLPKGNAME-docs= ${DISTNAME:S/-/-docs-/}
FULLPKGPATH-docs= net/samba,-docs
-REVISION-main= 13
+REVISION-main= 14
REVISION-docs= 1
SHARED_LIBS= smbclient 3.0 \
Index: patches/patch-libcli_auth_schannel_state_tdb_c
===================================================================
RCS file: patches/patch-libcli_auth_schannel_state_tdb_c
diff -N patches/patch-libcli_auth_schannel_state_tdb_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-libcli_auth_schannel_state_tdb_c 23 Feb 2015 19:46:06
-0000
@@ -0,0 +1,19 @@
+$OpenBSD$
+
+- CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon
+ server could lead to remote-code execution
+ https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
+
+--- libcli/auth/schannel_state_tdb.c.orig Wed May 8 10:16:26 2013
++++ libcli/auth/schannel_state_tdb.c Mon Feb 23 19:52:53 2015
+@@ -285,6 +285,10 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ct
+ NTSTATUS status;
+ int ret;
+
++ if (creds_out != NULL) {
++ *creds_out = NULL;
++ }
++
+ tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state");
+ if (!tmpctx) {
+ return NT_STATUS_NO_MEMORY;
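Review bot: The added `if (creds_out != NULL) { *creds_out = NULL; }` at the top of schannel_check_creds_state has no in-code comment saying why it must stay ahead of the first failure return. The reason is only in the patch header, which does not travel with the C source, so a later cleanup could move or drop the guard without noticing it is the CVE-2015-0240 hardening. I would add a comment above it such as `/* Clear the out-pointer before any early return so callers may TALLOC_FREE() it on failure. */`. The same comment belongs on the identical guard added to netr_creds_server_step_check in patch-source3_rpc_server_netlogon_srv_netlog_nt_c. The function body continues outside this hunk, so the later failure paths were not checked here.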
Index: patches/patch-source3_rpc_server_netlogon_srv_netlog_nt_c
===================================================================
RCS file:
/cvs/ports/net/samba/patches/patch-source3_rpc_server_netlogon_srv_netlog_nt_c,v
retrieving revision 1.1
diff -u -p -r1.1 patch-source3_rpc_server_netlogon_srv_netlog_nt_c
--- patches/patch-source3_rpc_server_netlogon_srv_netlog_nt_c 6 Feb 2014
04:33:25 -0000 1.1
+++ patches/patch-source3_rpc_server_netlogon_srv_netlog_nt_c 23 Feb 2015
19:46:06 -0000
@@ -1,10 +1,13 @@
$OpenBSD: patch-source3_rpc_server_netlogon_srv_netlog_nt_c,v 1.1 2014/02/06
04:33:25 brad Exp $
-DCE-RPC fragment length field is incorrectly checked.
-CVE-2013-4408
+- CVE-2013-4408: DCE-RPC fragment length field is incorrectly checked.
---- source3/rpc_server/netlogon/srv_netlog_nt.c.orig Wed May 8 04:16:26 2013
-+++ source3/rpc_server/netlogon/srv_netlog_nt.c Tue Jan 28 02:16:43 2014
+- CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon
+ server could lead to remote-code execution.
+ https://bugzilla.samba.org/show_bug.cgi?id=11077
+
+--- source3/rpc_server/netlogon/srv_netlog_nt.c.orig Wed May 8 10:16:26 2013
++++ source3/rpc_server/netlogon/srv_netlog_nt.c Mon Feb 23 19:51:23 2015
@@ -586,7 +586,7 @@ static NTSTATUS samr_find_machine_account(TALLOC_CTX *
status = NT_STATUS_NO_SUCH_USER;
goto out;
@@ -13,4 +16,40 @@ CVE-2013-4408
+ if (types.count != 1) {
status = NT_STATUS_INVALID_PARAMETER;
goto out;
+ }
+@@ -1070,6 +1070,10 @@ static NTSTATUS netr_creds_server_step_check(struct pi
+ NTSTATUS status;
+ bool schannel_global_required = (lp_server_schannel() == true) ?
true:false;
+
++ if (creds_out != NULL) {
++ *creds_out = NULL;
++ }
++
+ if (schannel_global_required) {
+ status = schannel_check_required(&p->auth,
+ computer_name,
+@@ -1205,7 +1209,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *
+ {
+ NTSTATUS status = NT_STATUS_OK;
+ int i;
+- struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+ DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
+
+@@ -1218,9 +1222,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *
+ unbecome_root();
+
+ if (!NT_STATUS_IS_OK(status)) {
++ const char *computer_name = "<unknown>";
++
++ if (creds != NULL && creds->computer_name != NULL) {
++ computer_name = creds->computer_name;
++ }
+ DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step
failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+- r->in.computer_name, creds->computer_name));
++ r->in.computer_name, computer_name));
+ TALLOC_FREE(creds);
+ return status;
}
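Review bot: Only `_netr_ServerPasswordSet` gets `creds = NULL` at its declaration, so any other function in srv_netlog_nt.c that passes `&creds` to netr_creds_server_step_check now relies solely on the callee's new entry-time `*creds_out = NULL`. Those callers are outside the hunks shown, so this needs confirming against the full file. If any of them declares `struct netlogon_creds_CredentialState *creds;` without an initialiser and frees or dereferences it on an error path, it should get the same one-line change, `struct netlogon_creds_CredentialState *creds = NULL;`. That keeps the pointer's safety local to each caller rather than dependent on the callee clearing it. The `"<unknown>"` fallback before the DEBUG call is the right shape for the failure path, since `creds` is NULL when the step check fails.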
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE