The branch, v4-0-test has been updated
       via  1a13242 VERSION: Bump version up to 4.0.26.
       via  31b74e8 VERSION: Disable git snapshots for the 3.0.25 release.
       via  bad8f6d WHATSNEW: Add release notes for Samba 3.0.25.
       via  1d573da auth: Make sure that creds_out is initialized with NULL.
       via  9d5417d s3-netlogon: Make sure we do not deference a NULL pointer.
       via  43feed1 CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer.
      from  0d5069f s3: smbclient: Allinfo leaves the file handle open.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-0-test

- Log -----------------------------------------------------------------
commit 1a13242bc488dad82b0ae5a232933df4936ecff2
Author: Karolin Seeger <ksee...@samba.org>
Date:   Mon Feb 23 14:39:52 2015 +0100

    VERSION: Bump version up to 4.0.26.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 31b74e8602b1d80b56425bf7d6ab94cf2dd316a3
Author: Karolin Seeger <ksee...@samba.org>
Date:   Sun Feb 22 14:24:55 2015 +0100

    VERSION: Disable git snapshots for the 3.0.25 release.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077
    CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server
    could lead to security vulnerability.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit bad8f6dc6fa6a8c597c92f77e08a7e77b30fdb23
Author: Karolin Seeger <ksee...@samba.org>
Date:   Sat Feb 21 21:29:36 2015 +0100

    WHATSNEW: Add release notes for Samba 3.0.25.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077
    CVE-2015-0240: talloc free on uninitialized stack pointer in netlogon server
    could lead to security vulnerability.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 1d573daf6c9811d963c8c0b832ffa134a175fddc
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Feb 16 10:56:03 2015 +0100

    auth: Make sure that creds_out is initialized with NULL.

    This is an additional patch for CVE-2015-0240.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32

    Pair-Programmed-With: Michael Adam <ob...@samba.org>
    Pair-Programmed-With: Andreas Schneider <a...@samba.org>
    Signed-off-by: Michael Adam <ob...@samba.org>
Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> commit 9d5417d09fb9fcbc0f0f86a00b728d88781dd3a4 Author: Andreas Schneider <a...@samba.org> Date: Mon Feb 16 10:59:23 2015 +0100 s3-netlogon: Make sure we do not deference a NULL pointer. This is an additional patch for CVE-2015-0240. BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32 Pair-Programmed-With: Michael Adam <ob...@samba.org> Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Michael Adam <ob...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Volker Lendecke <v...@samba.org> commit 43feed106993cbe28b38a101332934b35820a506 Author: Jeremy Allison <j...@samba.org> Date: Wed Jan 28 14:47:31 2015 -0800 CVE-2015-0240: s3: netlogon: Ensure we don't call talloc_free on an uninitialized pointer. Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077 Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 4 +- WHATSNEW.txt | 60 ++++++++++++++++++++++++++++- libcli/auth/schannel_state_tdb.c | 4 ++ source3/rpc_server/netlogon/srv_netlog_nt.c | 13 ++++++- 4 files changed, 75 insertions(+), 6 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 705c416..db42d5f 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=0 -SAMBA_VERSION_RELEASE=25 +SAMBA_VERSION_RELEASE=26 ######################################################## # If a official release has a serious bug # 
@@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE= # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # -> "3.0.0-SVN-build-199" # ######################################################## -SAMBA_VERSION_IS_GIT_SNAPSHOT=yes +SAMBA_VERSION_IS_GIT_SNAPSHOT=no ######################################################## # This is for specifying a release nickname # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 777997f..80d9c95 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,4 +1,60 @@ ============================== + Release Notes for Samba 4.0.25 + February 23, 2015 + ============================== + + +This is a security release in order to address CVE-2015-0240 (Unexpected +code execution in smbd). + +o CVE-2015-0240: + All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an + unexpected code execution vulnerability in the smbd file server + daemon. + + A malicious client could send packets that may set up the stack in + such a way that the freeing of memory in a subsequent anonymous + netlogon packet could allow execution of arbitrary code. This code + would execute with root privileges. + + +Changes since 4.0.24: +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 11077: CVE-2015-0240: talloc free on uninitialized stack pointer + in netlogon server could lead to security vulnerability. + + +o Andreas Schneider <a...@samba.org> + * BUG 11077: CVE-2015-0240: s3-netlogon: Make sure we do not deference + a NULL pointer./auth: Make sure that creds_out is initialized with NULL. + + +###################################################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.0 product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + + ============================== Release Notes for Samba 4.0.24 January 15, 2015 ============================== @@ -44,8 +100,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.0.23 diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c index 6abb69b..d8d5f84 100644 --- a/libcli/auth/schannel_state_tdb.c +++ b/libcli/auth/schannel_state_tdb.c @@ -286,6 +286,10 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx, NTSTATUS status; int ret; + if (creds_out != NULL) { + *creds_out = NULL; + } + tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state"); if (!tmpctx) { return NT_STATUS_NO_MEMORY; diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index deba47b..701d299 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1101,6 +1101,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, bool schannel_global_required = (lp_server_schannel() == true) ? true:false; struct loadparm_context *lp_ctx; + if (creds_out != NULL) { + *creds_out = NULL; + } + if (schannel_global_required) { status = schannel_check_required(&p->auth, computer_name, @@ -1258,7 +1262,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, { NTSTATUS status = NT_STATUS_OK; int i; - struct netlogon_creds_CredentialState *creds; + struct netlogon_creds_CredentialState *creds = NULL; DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__)); 
@@ -1271,9 +1275,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p, unbecome_root(); if (!NT_STATUS_IS_OK(status)) { + const char *computer_name = "<unknown>"; + + if (creds != NULL && creds->computer_name != NULL) { + computer_name = creds->computer_name; + } DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", - r->in.computer_name, creds->computer_name)); + r->in.computer_name, computer_name)); TALLOC_FREE(creds); return status; } -- Samba Shared Repository
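
Review bot: in VERSION, the hunk at @@ -99,7 leaves SAMBA_VERSION_IS_GIT_SNAPSHOT=no while the hunk at @@ -25,7 has already moved SAMBA_VERSION_RELEASE to 26, so in this combined diff the branch head identifies itself as a final 4.0.26 rather than a snapshot. If v4-0-test is meant to return to development after the release, the version bump should also set SAMBA_VERSION_IS_GIT_SNAPSHOT=yes; otherwise builds taken from the branch cannot be told apart by version string from a later real 4.0.26, which matters when deciding from a version banner whether a host carries the CVE-2015-0240 fix.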
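
Review bot: in the WHATSNEW.txt hunk at @@ -1,4, the Andreas Schneider entry reads "Make sure we do not deference a NULL pointer./auth: Make sure that creds_out is initialized with NULL.", which has "deference" for "dereference" and runs two commit subjects together with a slash. Release notes are what administrators read to judge the fix, so split this into two bullet lines under BUG 11077 and correct the spelling. The affected range ("3.5.0 to 4.2.0rc4") and the root-privilege impact are stated clearly and should stay as they are.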
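
Review bot: in libcli/auth/schannel_state_tdb.c at @@ -286,6, the new store to *creds_out is correctly placed ahead of the talloc_named() failure return, but the contract it creates is not documented anywhere in the hunk. Add a sentence to the function comment of schannel_check_creds_state() saying that *creds_out is set to NULL on entry and stays NULL on every error return, so callers may free it unconditionally. The creds_out != NULL guard also implies the out parameter is optional; if that is intended, say so in the same comment.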
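
Review bot: in source3/rpc_server/netlogon/srv_netlog_nt.c at @@ -1101,6, the *creds_out = NULL store in netr_creds_server_step_check() repeats the one added to schannel_check_creds_state() with no comment explaining why both are needed. A one-line comment would keep a later cleanup from removing it as redundant: the store has to come before the schannel_global_required branch that follows, because any return taken there happens before the lower-level function gets a chance to clear the pointer. It is also worth confirming that every other caller of this helper that frees its creds on the error path gets the same local "= NULL" initializer that _netr_ServerPasswordSet receives at @@ -1258,7, so the fix does not rely on the callee alone.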
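
Review bot: in source3/rpc_server/netlogon/srv_netlog_nt.c at @@ -1271,9, the error-path DEBUG call now guards creds->computer_name but still passes r->in.computer_name to %s with no NULL check. That value comes from the client request, so if the marshalling layer can leave it NULL the log statement has the same class of problem this hunk is fixing for creds. Either apply the same "<unknown>" fallback to r->in.computer_name or add a comment stating why it is guaranteed non-NULL at this point. The creds != NULL && creds->computer_name != NULL test followed by TALLOC_FREE(creds) is fine as written, since creds is now NULL-initialized at declaration.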