The branch, v4-2-test has been updated
via b73894c VERSION: Bump version up to 4.2.8...
via f51d78c Merge tag 'samba-4.2.7' into v4-2-test
via b8077d8 Fix bug #11394 - Crash: Bad talloc magic value - access
after free
via add4fe9 VERSION: Disable git snapshots for the 4.2.7 release.
via e59d852 WHATSNEW: Add release notes for Samba 4.2.7.
via 2483d66 CVE-2015-8467: samdb: Match MS15-096 behaviour for
userAccountControl
via 41e1e8b CVE-2015-5296: libcli/smb: make sure we require signing
when we demand encryption on a session
via 3e8f112 CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in SMBC_server_internal()
via 05d09fb CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in do_connect()
via 1d8efe6 CVE-2015-5299: s3-shadow-copy2: fix missing access check on
snapdir
via 79e5023 CVE-2015-5252: s3: smbd: Fix symlink verification (file
access outside the share).
via 6dc18a6 ldb: bump version of the required system ldb to 1.1.24
via aa68bd3 CVE-2015-5330: ldb_dn_explode: copy strings by length, not
terminators
via 75b3ce6 CVE-2015-5330: next_codepoint_handle_ext: don't
short-circuit UTF16 low bytes
via 9c06833 CVE-2015-5330: strupper_talloc_n_handle(): properly count
characters
via 405170b CVE-2015-5330: Fix handling of unicode near string endings
via 06f2d95 CVE-2015-5330: ldb_dn_escape_value: use known string
length, not strlen()
via 813ecea CVE-2015-5330: ldb_dn: simplify and fix
ldb_dn_escape_internal()
via 3c68b50 CVE-2015-3223: lib: ldb: Use memmem binary search, not
strstr text search.
via 9c7e988 CVE-2015-3223: lib: ldb: Cope with canonicalise_fn
returning string "", length 0.
from 5f9d311 VERSION: Bump version up to 4.2.7...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-2-test
- Log -----------------------------------------------------------------
commit b73894cdbd657ba7ea776bdbe40105488deb14c5
Author: Karolin Seeger <[email protected]>
Date: Wed Dec 16 12:32:20 2015 +0100
VERSION: Bump version up to 4.2.8...
and re-enable git snapshots.
Signed-off-by: Karolin Seeger <[email protected]>
commit f51d78c717334f5e802c04f51a89171fac150fc6
Merge: b8077d8 add4fe9
Author: Karolin Seeger <[email protected]>
Date: Wed Dec 16 12:31:26 2015 +0100
Merge tag 'samba-4.2.7' into v4-2-test
samba: tag release samba-4.2.7
commit b8077d861f4fd04f1d5c4187b8bf0166e2d8ae29
Author: Karolin Seeger <[email protected]>
Date: Fri Dec 11 12:00:51 2015 +0100
Fix bug #11394 - Crash: Bad talloc magic value - access after free
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 151 ++++++++++++++++++++++-
lib/dbwrap/dbwrap_rbt.c | 208 +++++++++++++++++++-------------
lib/ldb/common/ldb_dn.c | 67 +++++-----
lib/ldb/common/ldb_match.c | 33 ++++-
lib/ldb/wscript | 5 +-
lib/util/charset/charset.h | 9 +-
lib/util/charset/codepoints.c | 29 +++--
lib/util/charset/util_str.c | 3 +-
lib/util/charset/util_unistr.c | 6 +-
libcli/smb/smbXcli_base.c | 11 ++
script/autobuild.py | 2 +-
source3/libsmb/clidfs.c | 7 +-
source3/libsmb/libsmb_server.c | 15 ++-
source3/modules/vfs_shadow_copy2.c | 45 +++++++
source3/smbd/vfs.c | 13 +-
source3/torture/torture.c | 39 ++++++
source4/dsdb/samdb/ldb_modules/samldb.c | 24 +++-
18 files changed, 516 insertions(+), 153 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 9195002..8268fb6 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=2
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index a13c837..055f03f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,151 @@
=============================
+ Release Notes for Samba 4.2.7
+ December 16, 2015
+ =============================
+
+
+This is a security release in order to address the following CVEs:
+
+o CVE-2015-3223 (Denial of service in Samba Active Directory
+ server)
+o CVE-2015-5252 (Insufficient symlink verification in smbd)
+o CVE-2015-5299 (Missing access control check in shadow copy
+ code)
+o CVE-2015-5296 (Samba client requesting encryption vulnerable
+ to downgrade attack)
+o CVE-2015-8467 (Denial of service attack against Windows
+ Active Directory server)
+o CVE-2015-5330 (Remote memory read in Samba LDAP server)
+
+Please note that if building against a system libldb, the required
+version has been bumped to ldb-1.1.24. This is needed to ensure
+we build against a system ldb library that contains the fixes
+for CVE-2015-5330 and CVE-2015-3223.
+
+=======
+Details
+=======
+
+o CVE-2015-3223:
+ All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+ ldb versions up to 1.1.23 inclusive) are vulnerable to
+ a denial of service attack in the samba daemon LDAP server.
+
+ A malicious client can send packets that cause the LDAP server in the
+ samba daemon process to become unresponsive, preventing the server
+ from servicing any other requests.
+
+ This flaw is not exploitable beyond causing the code to loop expending
+ CPU resources.
+
+o CVE-2015-5252:
+ All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to
+ a bug in symlink verification, which under certain circumstances could
+ allow client access to files outside the exported share path.
+
+ If a Samba share is configured with a path that shares a common path
+ prefix with another directory on the file system, the smbd daemon may
+ allow the client to follow a symlink pointing to a file or directory
+ in that other directory, even if the share parameter "wide links" is
+ set to "no" (the default).
+
+o CVE-2015-5299:
+ All versions of Samba from 3.2.0 to 4.3.2 inclusive are vulnerable to
+ a missing access control check in the vfs_shadow_copy2 module. When
+ looking for the shadow copy directory under the share path the current
+ accessing user should have DIRECTORY_LIST access rights in order to
+ view the current snapshots.
+
+ This was not being checked in the affected versions of Samba.
+
+o CVE-2015-5296:
+ Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
+ signing is negotiated when creating an encrypted client connection to
+ a server.
+
+ Without this a man-in-the-middle attack could downgrade the connection
+ and connect using the supplied credentials as an unsigned, unencrypted
+ connection.
+
+o CVE-2015-8467:
+ Samba, operating as an AD DC, is sometimes operated in a domain with a
+ mix of Samba and Windows Active Directory Domain Controllers.
+
+ All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
+ an AD DC in the same domain with Windows DCs, could be used to
+ override the protection against the MS15-096 / CVE-2015-2535 security
+ issue in Windows.
+
+ Prior to MS16-096 it was possible to bypass the quota of machine
+ accounts a non-administrative user could create. Pure Samba domains
+ are not impacted, as Samba does not implement the
+ SeMachineAccountPrivilege functionality to allow non-administrator
+ users to create new computer objects.
+
+o CVE-2015-5330:
+ All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all
+ ldb versions up to 1.1.23 inclusive) are vulnerable to
+ a remote memory read attack in the samba daemon LDAP server.
+
+ A malicious client can send packets that cause the LDAP server in the
+ samba daemon process to return heap memory beyond the length of the
+ requested value.
+
+ This memory may contain data that the client should not be allowed to
+ see, allowing compromise of the server.
+
+ The memory may either be returned to the client in an error string, or
+ stored in the database by a suitabily privileged user. If untrusted
+ users can create objects in your database, please confirm that all DN
+ and name attributes are reasonable.
+
+
+Changes since 4.2.6:
+--------------------
+
+o Andrew Bartlett <[email protected]>
+ * BUG 11552: CVE-2015-8467: samdb: Match MS15-096 behaviour for
+ userAccountControl.
+
+o Jeremy Allison <[email protected]>
+ * BUG 11325: CVE-2015-3223: Fix LDAP \00 search expression attack DoS.
+ * BUG 11395: CVE-2015-5252: Fix insufficient symlink verification (file
+ access outside the share).
+ * BUG 11529: CVE-2015-5299: s3-shadow-copy2: Fix missing access check on
+ snapdir.
+
+o Douglas Bagnall <[email protected]>
+ * BUG 11599: CVE-2015-5330: Fix remote read memory exploit in LDB.
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 11536: CVE-2015-5296: Add man in the middle protection when forcing
+ smb encryption on the client side.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ =============================
Release Notes for Samba 4.2.6
December 08, 2015
=============================
@@ -80,10 +227,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
-======================================================================
=============================
Release Notes for Samba 4.2.5
diff --git a/lib/dbwrap/dbwrap_rbt.c b/lib/dbwrap/dbwrap_rbt.c
index 3f97086..a9cc641 100644
--- a/lib/dbwrap/dbwrap_rbt.c
+++ b/lib/dbwrap/dbwrap_rbt.c
@@ -22,11 +22,15 @@
#include "dbwrap/dbwrap_private.h"
#include "dbwrap/dbwrap_rbt.h"
#include "../lib/util/rbtree.h"
+#include "../lib/util/dlinklist.h"
#define DBWRAP_RBT_ALIGN(_size_) (((_size_)+15)&~15)
struct db_rbt_ctx {
struct rb_root tree;
+ struct db_rbt_node *nodes;
+ size_t traverse_read;
+ struct db_rbt_node **traverse_nextp;
};
struct db_rbt_rec {
@@ -38,13 +42,7 @@ struct db_rbt_rec {
struct db_rbt_node {
struct rb_node rb_node;
size_t keysize, valuesize;
-
- /*
- * key and value are appended implicitly, "data" is only here as a
- * target for offsetof()
- */
-
- char data[1];
+ struct db_rbt_node *prev, *next;
};
/*
@@ -83,12 +81,43 @@ static int db_rbt_compare(TDB_DATA a, TDB_DATA b)
static void db_rbt_parse_node(struct db_rbt_node *node,
TDB_DATA *key, TDB_DATA *value)
{
- key->dptr = ((uint8_t *)node) + offsetof(struct db_rbt_node, data);
+ size_t key_offset, value_offset;
+
+ key_offset = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node));
+ key->dptr = ((uint8_t *)node) + key_offset;
key->dsize = node->keysize;
- value->dptr = key->dptr + node->keysize;
+
+ value_offset = DBWRAP_RBT_ALIGN(node->keysize);
+ value->dptr = key->dptr + value_offset;
value->dsize = node->valuesize;
}
+static ssize_t db_rbt_reclen(size_t keylen, size_t valuelen)
+{
+ size_t len, tmp;
+
+ len = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node));
+
+ tmp = DBWRAP_RBT_ALIGN(keylen);
+ if (tmp < keylen) {
+ goto overflow;
+ }
+
+ len += tmp;
+ if (len < tmp) {
+ goto overflow;
+ }
+
+ len += valuelen;
+ if (len < valuelen) {
+ goto overflow;
+ }
+
+ return len;
+overflow:
+ return -1;
+}
+
static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
{
struct db_rbt_ctx *db_ctx = talloc_get_type_abort(
@@ -97,10 +126,16 @@ static NTSTATUS db_rbt_store(struct db_record *rec,
TDB_DATA data, int flag)
struct db_rbt_node *node;
struct rb_node ** p;
- struct rb_node * parent;
+ struct rb_node *parent = NULL;
+ struct db_rbt_node *parent_node = NULL;
+ ssize_t reclen;
TDB_DATA this_key, this_val;
+ if (db_ctx->traverse_read > 0) {
+ return NT_STATUS_MEDIA_WRITE_PROTECTED;
+ }
+
if (rec_priv->node != NULL) {
/*
@@ -123,21 +158,30 @@ static NTSTATUS db_rbt_store(struct db_record *rec,
TDB_DATA data, int flag)
}
}
- node = (struct db_rbt_node *)talloc_size(db_ctx,
- offsetof(struct db_rbt_node, data) + rec->key.dsize
- + data.dsize);
+ reclen = db_rbt_reclen(rec->key.dsize, data.dsize);
+ if (reclen == -1) {
+ return NT_STATUS_INSUFFICIENT_RESOURCES;
+ }
+ node = talloc_zero_size(db_ctx, reclen);
if (node == NULL) {
return NT_STATUS_NO_MEMORY;
}
if (rec_priv->node != NULL) {
+ if (db_ctx->traverse_nextp != NULL) {
+ if (*db_ctx->traverse_nextp == rec_priv->node) {
+ *db_ctx->traverse_nextp = node;
+ }
+ }
+
/*
* We need to delete the key from the tree and start fresh,
* there's not enough space in the existing record
*/
rb_erase(&rec_priv->node->rb_node, &db_ctx->tree);
+ DLIST_REMOVE(db_ctx->nodes, rec_priv->node);
/*
* Keep the existing node around for a while: If the record
@@ -145,8 +189,6 @@ static NTSTATUS db_rbt_store(struct db_record *rec,
TDB_DATA data, int flag)
*/
}
- ZERO_STRUCT(node->rb_node);
-
node->keysize = rec->key.dsize;
node->valuesize = data.dsize;
@@ -166,10 +208,11 @@ static NTSTATUS db_rbt_store(struct db_record *rec,
TDB_DATA data, int flag)
TDB_DATA search_key, search_val;
int res;
- parent = (*p);
-
r = db_rbt2node(*p);
+ parent = (*p);
+ parent_node = r;
+
db_rbt_parse_node(r, &search_key, &search_val);
res = db_rbt_compare(this_key, search_key);
@@ -186,6 +229,7 @@ static NTSTATUS db_rbt_store(struct db_record *rec,
TDB_DATA data, int flag)
}
rb_link_node(&node->rb_node, parent, p);
+ DLIST_ADD_AFTER(db_ctx->nodes, node, parent_node);
rb_insert_color(&node->rb_node, &db_ctx->tree);
return NT_STATUS_OK;
@@ -197,26 +241,27 @@ static NTSTATUS db_rbt_delete(struct db_record *rec)
rec->db->private_data, struct db_rbt_ctx);
struct db_rbt_rec *rec_priv = (struct db_rbt_rec *)rec->private_data;
+ if (db_ctx->traverse_read > 0) {
+ return NT_STATUS_MEDIA_WRITE_PROTECTED;
+ }
+
if (rec_priv->node == NULL) {
return NT_STATUS_OK;
}
+ if (db_ctx->traverse_nextp != NULL) {
+ if (*db_ctx->traverse_nextp == rec_priv->node) {
+ *db_ctx->traverse_nextp = rec_priv->node->next;
+ }
+ }
+
rb_erase(&rec_priv->node->rb_node, &db_ctx->tree);
+ DLIST_REMOVE(db_ctx->nodes, rec_priv->node);
TALLOC_FREE(rec_priv->node);
return NT_STATUS_OK;
}
-static NTSTATUS db_rbt_store_deny(struct db_record *rec, TDB_DATA data, int
flag)
-{
- return NT_STATUS_MEDIA_WRITE_PROTECTED;
-}
-
-static NTSTATUS db_rbt_delete_deny(struct db_record *rec)
-{
- return NT_STATUS_MEDIA_WRITE_PROTECTED;
-}
-
struct db_rbt_search_result {
TDB_DATA key;
TDB_DATA val;
@@ -358,75 +403,65 @@ static NTSTATUS db_rbt_parse_record(struct db_context
*db, TDB_DATA key,
}
static int db_rbt_traverse_internal(struct db_context *db,
- struct rb_node *n,
int (*f)(struct db_record *db,
void *private_data),
void *private_data, uint32_t* count,
bool rw)
{
- struct rb_node *rb_right;
- struct rb_node *rb_left;
- struct db_record rec;
- struct db_rbt_rec rec_priv;
+ struct db_rbt_ctx *ctx = talloc_get_type_abort(
+ db->private_data, struct db_rbt_ctx);
+ struct db_rbt_node *cur = NULL;
+ struct db_rbt_node *next = NULL;
int ret;
- if (n == NULL) {
- return 0;
- }
-
- rb_left = n->rb_left;
- rb_right = n->rb_right;
-
- ret = db_rbt_traverse_internal(db, rb_left, f, private_data, count, rw);
- if (ret != 0) {
- return ret;
- }
+ for (cur = ctx->nodes; cur != NULL; cur = next) {
+ struct db_record rec;
+ struct db_rbt_rec rec_priv;
- rec_priv.node = db_rbt2node(n);
- /* n might be altered by the callback function */
- n = NULL;
+ rec_priv.node = cur;
+ next = rec_priv.node->next;
- ZERO_STRUCT(rec);
- rec.db = db;
- rec.private_data = &rec_priv;
- if (rw) {
+ ZERO_STRUCT(rec);
+ rec.db = db;
+ rec.private_data = &rec_priv;
rec.store = db_rbt_store;
rec.delete_rec = db_rbt_delete;
- } else {
- rec.store = db_rbt_store_deny;
- rec.delete_rec = db_rbt_delete_deny;
- }
- db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value);
-
- ret = f(&rec, private_data);
- (*count) ++;
- if (ret != 0) {
- return ret;
- }
+ db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value);
- if (rec_priv.node != NULL) {
- /*
- * If the current record is still there
- * we should take the current rb_right.
- */
- rb_right = rec_priv.node->rb_node.rb_right;
+ if (rw) {
+ ctx->traverse_nextp = &next;
+ }
+ ret = f(&rec, private_data);
+ (*count) ++;
+ if (rw) {
+ ctx->traverse_nextp = NULL;
+ }
+ if (ret != 0) {
+ return ret;
+ }
+ if (rec_priv.node != NULL) {
+ next = rec_priv.node->next;
+ }
}
- return db_rbt_traverse_internal(db, rb_right, f, private_data, count,
rw);
+ return 0;
}
-static int db_rbt_traverse(struct db_context *db,
- int (*f)(struct db_record *db,
- void *private_data),
- void *private_data)
+static int db_rbt_traverse_read(struct db_context *db,
+ int (*f)(struct db_record *db,
+ void *private_data),
+ void *private_data)
{
struct db_rbt_ctx *ctx = talloc_get_type_abort(
db->private_data, struct db_rbt_ctx);
uint32_t count = 0;
+ int ret;
- int ret = db_rbt_traverse_internal(db, ctx->tree.rb_node,
- f, private_data, &count,
- true /* rw */);
+ ctx->traverse_read++;
+ ret = db_rbt_traverse_internal(db,
+ f, private_data, &count,
+ false /* rw */);
+ ctx->traverse_read--;
if (ret != 0) {
return -1;
}
@@ -436,18 +471,27 @@ static int db_rbt_traverse(struct db_context *db,
return count;
}
--
Samba Shared Repository
