The branch, v4-5-stable has been updated
via f333815 VERSION: Disable GIT_SNAPSHOT for the 4.5.15 release.
via d7526d6 WHATSNEW: Add release notes for Samba 4.5.15.
via c1a22e5 s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
via 007f5b5 s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
via bd200ea python: use communicate to fix Popen deadlock
via c28d922 blackbox tests: method to check specific exit codes
via 21811ac VERSION: Bump version up to 4.5.15...
from f261c9a VERSION: Disable GIT_SNAPSHOTS for the 4.5.14 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-5-stable
- Log -----------------------------------------------------------------
commit f333815481d8f5354f605751b627379ed3b8ae6e
Author: Karolin Seeger <ksee...@samba.org>
Date: Fri Nov 17 11:29:01 2017 +0100
VERSION: Disable GIT_SNAPSHOT for the 4.5.15 release.
Signed-off-by: Karolin Seeger <ksee...@samba.org>
commit d7526d66f5412c3421a95e716183eea7c7f50d14
Author: Karolin Seeger <ksee...@samba.org>
Date: Fri Nov 17 11:28:17 2017 +0100
WHATSNEW: Add release notes for Samba 4.5.15.
Signed-off-by: Karolin Seeger <ksee...@samba.org>
commit c1a22e59f87783d88dfbaeeb132b89be166b2754
Author: Jeremy Allison <j...@samba.org>
Date: Wed Sep 20 11:04:50 2017 -0700
s3: smbd: Chain code can return uninitialized memory when talloc buffer is
grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <j...@samba.org>
commit 007f5b54d76bf69f441cc277b7f41f478e258aab
Author: Jeremy Allison <j...@samba.org>
Date: Tue Sep 19 16:11:33 2017 -0700
s3: smbd: Fix SMB1 use-after-free crash bug. CVE-2017-14746
When setting up the chain, always use 'next->' variables
not the 'req->' one.
Bug discovered by 连一汉 <lianyi...@360.cn>
CVE-2017-14746
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13041
Signed-off-by: Jeremy Allison <j...@samba.org>
commit bd200ea5d2fb7e3948fae8fbeb114de557a14313
Author: Joe Guo <j...@catalyst.net.nz>
Date: Fri Sep 15 16:13:26 2017 +1200
python: use communicate to fix Popen deadlock
`Popen.wait()` will deadlock when using stdout=PIPE and/or stderr=PIPE and
the
child process generates large output to a pipe such that it blocks waiting
for
the OS pipe buffer to accept more data. Use communicate() to avoid that.
Signed-off-by: Joe Guo <j...@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
Autobuild-Date(master): Thu Oct 19 09:27:16 CEST 2017 on sn-devel-144
(cherry picked from commit 5dc773a5b00834c7a53130a73a48f49048bd55e8)
Autobuild-User(v4-5-test): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(v4-5-test): Tue Nov 14 14:35:22 CET 2017 on sn-devel-144
commit c28d92278842b5b29f954996c6e45d61cd5c35a8
Author: Gary Lockyer <g...@catalyst.net.nz>
Date: Wed Aug 16 13:52:25 2017 +1200
blackbox tests: method to check specific exit codes
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
(cherry picked from commit 74ebcf6dfc84b6aab6838fa99e12808eb6b913d9)
commit 21811ac6882ccb8def448f80a03b699cae81a251
Author: Karolin Seeger <ksee...@samba.org>
Date: Wed Sep 20 13:03:53 2017 +0200
VERSION: Bump version up to 4.5.15...
and re-enable GIT_SNAPSHOTS.
Signed-off-by: Karolin Seeger <ksee...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 75 ++++++++++++++++++++++++++++++++++++++++--
python/samba/tests/__init__.py | 25 ++++++++++----
source3/smbd/process.c | 7 ++--
source3/smbd/reply.c | 5 +++
source3/smbd/srvstr.c | 14 ++++++++
6 files changed, 115 insertions(+), 13 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 7d102b0..d874810 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=5
-SAMBA_VERSION_RELEASE=14
+SAMBA_VERSION_RELEASE=15
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ea845c3..b245e30 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,75 @@
==============================
+ Release Notes for Samba 4.5.15
+ November 21, 2017
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2017-14746 (Use-after-free vulnerability.)
+o CVE-2017-15275 (Server heap memory information leak.)
+
+
+=======
+Details
+=======
+
+o CVE-2017-14746:
+ All versions of Samba from 4.0.0 onwards are vulnerable to a use after
+ free vulnerability, where a malicious SMB1 request can be used to
+ control the contents of heap memory via a deallocated heap pointer. It
+ is possible this may be used to compromise the SMB server.
+
+o CVE-2017-15275:
+ All versions of Samba from 3.6.0 onwards are vulnerable to a heap
+ memory information leak, where server allocated heap memory may be
+ returned to the client without being cleared.
+
+ There is no known vulnerability associated with this error, but
+ uncleared heap memory may contain previously used data that may help
+ an attacker compromise the server via other methods. Uncleared heap
+ memory may potentially contain password hashes or other high-value
+ data.
+
+For more details and workarounds, please see the security advisories:
+
+ o https://www.samba.org/samba/security/CVE-2017-14746.html
+ o https://www.samba.org/samba/security/CVE-2017-15275.html
+
+
+Changes since 4.5.14:
+---------------------
+
+o Jeremy Allison <j...@samba.org>
+ * BUG 13041: CVE-2017-14746: s3: smbd: Fix SMB1 use-after-free crash bug.
+ * BUG 13077: CVE-2017-15275: s3: smbd: Chain code can return uninitialized
+ memory when talloc buffer is grown.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 4.5.14
September 20, 2017
==============================
@@ -69,8 +140,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
==============================
Release Notes for Samba 4.5.13
diff --git a/python/samba/tests/__init__.py b/python/samba/tests/__init__.py
index 1c5f678..6960c0c 100644
--- a/python/samba/tests/__init__.py
+++ b/python/samba/tests/__init__.py
@@ -790,19 +790,30 @@ class BlackboxTestCase(TestCaseInTempDir):
return line
def check_run(self, line):
+ self.check_exit_code(line, 0)
+
+ def check_exit_code(self, line, expected):
line = self._make_cmdline(line)
- p = subprocess.Popen(line, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True)
- retcode = p.wait()
- if retcode:
- raise BlackboxProcessError(retcode, line, p.stdout.read(),
p.stderr.read())
+ p = subprocess.Popen(line,
+ stdout=subprocess.PIPE,
+ stderr=subprocess.PIPE,
+ shell=True)
+ stdoutdata, stderrdata = p.communicate()
+ retcode = p.returncode
+ if retcode != expected:
+ raise BlackboxProcessError(retcode,
+ line,
+ stdoutdata,
+ stderrdata)
def check_output(self, line):
line = self._make_cmdline(line)
p = subprocess.Popen(line, stdout=subprocess.PIPE,
stderr=subprocess.PIPE, shell=True, close_fds=True)
- retcode = p.wait()
+ stdoutdata, stderrdata = p.communicate()
+ retcode = p.returncode
if retcode:
- raise BlackboxProcessError(retcode, line, p.stdout.read(),
p.stderr.read())
- return p.stdout.read()
+ raise BlackboxProcessError(retcode, line, stdoutdata, stderrdata)
+ return stdoutdata
def connect_samdb(samdb_url, lp=None, session_info=None, credentials=None,
diff --git a/source3/smbd/process.c b/source3/smbd/process.c
index 656f1c0..2641894 100644
--- a/source3/smbd/process.c
+++ b/source3/smbd/process.c
@@ -1854,12 +1854,13 @@ void smb_request_done(struct smb_request *req)
next->vuid = SVAL(req->outbuf, smb_uid);
next->tid = SVAL(req->outbuf, smb_tid);
- status = smb1srv_tcon_lookup(req->xconn, req->tid,
+ status = smb1srv_tcon_lookup(req->xconn, next->tid,
now, &tcon);
+
if (NT_STATUS_IS_OK(status)) {
- req->conn = tcon->compat;
+ next->conn = tcon->compat;
} else {
- req->conn = NULL;
+ next->conn = NULL;
}
next->chain_fsp = req->chain_fsp;
next->inbuf = req->inbuf;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index a40ff81..26918b6 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -921,6 +921,11 @@ void reply_tcon_and_X(struct smb_request *req)
}
TALLOC_FREE(tcon);
+ /*
+ * This tree id is gone. Make sure we can't re-use it
+ * by accident.
+ */
+ req->tid = 0;
}
if ((passlen > MAX_PASS_LEN) || (passlen >= req->buflen)) {
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba..c2d70b3 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char
*str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
--
Samba Shared Repository
