Jeremie Courreges-Anglas <j...@wxcvbn.org> writes: > Hi, > > I committed an update to samba-4.5.2 on -current earlier today. Below > there's a diff to update to samba-4.5.3, a security update. > > o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer > Overflow Remote Code Execution Vulnerability). > o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in > trusted realms). > o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege > elevation). > > https://www.samba.org/samba/history/samba-4.5.3.html
Committed. [...] > For -stable I plan to cook a diff later today / tomorrow, an update to > 4.4.8 (since -stable is currently at 4.4.5). Since moving to samba-4.4.8 would imply the removal of a shared library used by other ports, let's backport the security fixes to samba-4.4.5 instead. Build tests welcome. ok?
Index: Makefile
===================================================================
RCS file: /d/cvs/ports/net/samba/Makefile,v
retrieving revision 1.227
diff -u -p -r1.227 Makefile
--- Makefile 8 Jul 2016 18:39:50 -0000 1.227
+++ Makefile 21 Dec 2016 13:24:24 -0000
@@ -15,6 +15,7 @@ PKGNAME-tevent = tevent-${TEVENT_V}
 PKGNAME-util = samba-util-${VERSION}
 PKGNAME-docs = samba-docs-${VERSION}
+REVISION-main = 0
 REVISION-ldb = 0
 REVISION-tevent = 0
Index: patches/patch-auth_kerberos_kerberos_pac_c
===================================================================
RCS file: patches/patch-auth_kerberos_kerberos_pac_c
diff -N patches/patch-auth_kerberos_kerberos_pac_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-auth_kerberos_kerberos_pac_c 21 Dec 2016 13:22:23 -0000
@@ -0,0 +1,50 @@
+$OpenBSD$
+
+commit ce31a69a32d2bd6975006e428afe4584f6b7bc43
+Author: Stefan Metzmacher <me...@samba.org>
+Date: Tue Nov 22 17:08:46 2016 +0100
+
+ CVE-2016-2126: auth/kerberos: only allow known checksum types in check_pac_checksum()
+
+ aes based checksums can only be checked with the
+ corresponding aes based keytype.
+
+ Otherwise we may trigger an undefined code path
+ deep in the kerberos libraries, which can leed to
+ segmentation faults.
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
+
+ 
Signed-off-by: Stefan Metzmacher <me...@samba.org>
+
+--- auth/kerberos/kerberos_pac.c.orig Wed Dec 21 12:14:39 2016
++++ auth/kerberos/kerberos_pac.c Wed Dec 21 14:20:55 2016
+@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+ krb5_boolean checksum_valid = false;
+ krb5_data input;
+
++ switch (sig->type) {
++ case CKSUMTYPE_HMAC_MD5:
++ /* ignores the key type */
++ break;
++ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
++ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
++ return EINVAL;
++ }
++ /* ok */
++ break;
++ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
++ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
++ return EINVAL;
++ }
++ /* ok */
++ break;
++ default:
++ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
++ (int)sig->type));
++ return EINVAL;
++ }
++
+ #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+ cksum.cksumtype = (krb5_cksumtype)sig->type;
+ cksum.checksum.length = sig->signature.length;
Index: patches/patch-source3_librpc_crypto_gse_c
===================================================================
RCS file: patches/patch-source3_librpc_crypto_gse_c
diff -N patches/patch-source3_librpc_crypto_gse_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-source3_librpc_crypto_gse_c 21 Dec 2016 13:23:12 -0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+commit 07ef0f6ce0fb9d9735710ab79c2ee91d7a72a974
+Author: Stefan Metzmacher <me...@samba.org>
+Date: Wed Nov 23 11:42:59 2016 +0100
+
+ CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
+
+ We should only use GSS_C_DELEG_POLICY_FLAG in order to let
+ the KDC decide if we should send delegated credentials to
+ a remote server.
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+ 
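Review bot: The two AES branches of the new switch in check_pac_checksum() return EINVAL silently while only the default branch logs, yet a checksum-type/key-type mismatch is exactly the event an operator or incident responder would want to find in the log; add `DEBUG(2,("check_pac_checksum: Checksum Type %d does not match key type %d\n", (int)sig->type, (int)KRB5_KEY_TYPE(keyblock)));` before each `return EINVAL;`. The `CKSUMTYPE_HMAC_MD5` case carries only `/* ignores the key type */`, which reads like an omission; expand it to state why no key-type check is needed for that checksum type (presumably because the HMAC-MD5 path does not depend on the enctype the way the AES checksums do — confirm before committing the wording). Separately, of the three CVEs named in the thread only CVE-2016-2125 and CVE-2016-2126 have patch files in this diff; if CVE-2016-2123 (ndr_pull_dnsp_name) affects 4.4.5, its fix is still missing — confirm against the advisory. check_pac_checksum() begins and ends outside the hunk.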
Signed-off-by: Stefan Metzmacher <me...@samba.org>
+ Reviewed-by: Alexander Bokovoy <a...@samba.org>
+ Reviewed-by: Simo Sorce <i...@samba.org>
+
+--- source3/librpc/crypto/gse.c.orig Wed Dec 21 12:14:43 2016
++++ source3/librpc/crypto/gse.c Wed Dec 21 14:20:55 2016
+@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+
+ gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
+- GSS_C_DELEG_FLAG |
+ GSS_C_DELEG_POLICY_FLAG |
+ GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG;
Index: patches/patch-source4_auth_gensec_gensec_gssapi_c
===================================================================
RCS file: patches/patch-source4_auth_gensec_gensec_gssapi_c
diff -N patches/patch-source4_auth_gensec_gensec_gssapi_c
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-source4_auth_gensec_gensec_gssapi_c 21 Dec 2016 13:22:48 -0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+commit 58586ceae7fe628453e6bffdc463d4309ced15fb
+Author: Stefan Metzmacher <me...@samba.org>
+Date: Wed Nov 23 11:44:22 2016 +0100
+
+ CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
+
+ This disabled the usage of GSS_C_DELEG_FLAG by default, as
+ GSS_C_DELEG_POLICY_FLAG is still used by default we let the
+ KDC decide if we should send delegated credentials to a remote server.
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+ 
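Review bot: Dropping GSS_C_DELEG_FLAG from gse_ctx->gss_want_flags in gse_context_init() leaves no trace of why it is absent, and a later "cleanup" could add it back as a supposedly missing flag; put a comment above the assignment: `/* Do not add GSS_C_DELEG_FLAG: it forwards the client's credentials to every server unconditionally (CVE-2016-2125). GSS_C_DELEG_POLICY_FLAG leaves that decision to the KDC. */`. GSS_C_DELEG_POLICY_FLAG is a library extension (MIT/Heimdal) rather than a base RFC 2744 flag, so the fix depends on the Kerberos library honouring it; whether the build checks for its availability is not visible in this hunk. gse_context_init() begins and ends outside the hunk.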
Signed-off-by: Stefan Metzmacher <me...@samba.org>
+ Reviewed-by: Alexander Bokovoy <a...@samba.org>
+ Reviewed-by: Simo Sorce <i...@samba.org>
+
+--- source4/auth/gensec/gensec_gssapi.c.orig Wed Dec 21 12:14:45 2016
++++ source4/auth/gensec/gensec_gssapi.c Wed Dec 21 14:20:55 2016
+@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_secu
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
+ gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
+ }
+- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
++ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
+ gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
+ }
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
Index: patches/patch-source4_scripting_bin_nsupdate-gss
===================================================================
RCS file: patches/patch-source4_scripting_bin_nsupdate-gss
diff -N patches/patch-source4_scripting_bin_nsupdate-gss
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-source4_scripting_bin_nsupdate-gss 21 Dec 2016 13:23:33 -0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+commit 0f1b36b7d5514f8d16c60ebcd5c59753113b4334
+Author: Stefan Metzmacher <me...@samba.org>
+Date: Wed Nov 23 11:41:10 2016 +0100
+
+ CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
+
+ This is just an example script that's not directly used by samba,
+ but we should avoid sending delegated credentials to dns servers.
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+ 
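Review bot: Flipping the default of the `gensec_gssapi:delegation` setting to false in gensec_gssapi_start() still leaves a one-line smb.conf change that re-enables unconditional GSS_C_DELEG_FLAG, and nothing at this line tells the reader what turning it on means; add above the `if`: `/* Off by default since CVE-2016-2125: GSS_C_DELEG_FLAG forwards our credentials to any server we authenticate to; delegation is normally left to the KDC via GSS_C_DELEG_POLICY_FLAG. */`. The commit message says GSS_C_DELEG_POLICY_FLAG is still requested by default, but that setting is outside this hunk, so the claim cannot be checked here. gensec_gssapi_start() begins and ends outside the hunk.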
Signed-off-by: Stefan Metzmacher <me...@samba.org>
+ Reviewed-by: Alexander Bokovoy <a...@samba.org>
+ Reviewed-by: Simo Sorce <i...@samba.org>
+
+--- source4/scripting/bin/nsupdate-gss.orig Wed Dec 21 12:14:47 2016
++++ source4/scripting/bin/nsupdate-gss Wed Dec 21 14:20:55 2016
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+ my $flags =
+ GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
+- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++ GSS_C_INTEG_FLAG;
+
+
+ $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
-- jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
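Review bot: The rewritten `$flags` list in negotiate_tkey() drops GSS_C_DELEG_FLAG without a comment, and an example script is precisely where a later reader will copy a flag list from; add `# No GSS_C_DELEG_FLAG: never forward our credentials to a DNS server (CVE-2016-2125).` above `my $flags =`. negotiate_tkey() continues past the end of the hunk.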