The branch, v4-8-test has been updated
       via  03f60c3ab36 VERSION: Bump version up to 4.8.8.
       via  db08ec4c941 Merge tag 'samba-4.8.7' into v4-8-test
       via  cd870beb978 VERSION: Disable GIT_SNAPSHOT for the 4.8.7 release.
       via  de51a73e070 WHATSNEW: Add release notes for Samba 4.8.7.
       via  52aa2e14144 CVE-2018-16853 build: The Samba AD DC, when build with MIT Kerberos is experimental
       via  fff405ae28b CVE-2018-16851 ldap_server: Check ret before manipulating blob
       via  b904c680eed CVE-2018-16841 selftest: Check for mismatching principal in certificate compared with principal in AS-REQ
       via  da9eeee6fce CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
       via  86ddd703248 CVE-2018-14629 dns: CNAME loop prevention using counter
       via  623c3a99ef7 VERSION: Bump version up to 4.8.7...
      from  58c53ddef51 s3:smb2_sesssetup: check session_info security level before it gets talloc_move'd
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-8-test - Log ----------------------------------------------------------------- commit 03f60c3ab3662a8fde5dd457ece1faf638b7faa9 Author: Karolin Seeger <ksee...@samba.org> Date: Tue Nov 27 11:06:59 2018 +0100 VERSION: Bump version up to 4.8.8. Signed-off-by: Karolin Seeger <ksee...@samba.org> commit db08ec4c941d6d775d441260cd4e804bc7b4157a Merge: 58c53ddef51 cd870beb978 Author: Karolin Seeger <ksee...@samba.org> Date: Tue Nov 27 11:06:43 2018 +0100 Merge tag 'samba-4.8.7' into v4-8-test samba: tag release samba-4.8.7 ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 103 +++++++++++++++++++++++++++++- python/samba/tests/dns.py | 24 +++++++ selftest/knownfail.d/dns | 6 ++ source4/dns_server/dns_query.c | 6 ++ source4/kdc/db-glue.c | 6 +- source4/ldap_server/ldap_server.c | 4 +- testprogs/blackbox/test_pkinit_heimdal.sh | 8 +++ wscript | 17 +++++ 9 files changed, 168 insertions(+), 8 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 94bec4b98dd..57150635ca3 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=8 -SAMBA_VERSION_RELEASE=7 +SAMBA_VERSION_RELEASE=8 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index b93039803be..9f604b0d457 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,102 @@ + ============================= + Release Notes for Samba 4.8.7 + November 27, 2018 + ============================= + + +This is a security release in order to address the following defects: + +o CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD + Internal DNS server) +o CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT) +o CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server) +o CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos + configuration (unsupported)) + + +======= +Details +======= + +o CVE-2018-14629: + All versions of Samba from 4.0.0 onwards are vulnerable to infinite + query recursion caused by CNAME loops. Any dns record can be added via + ldap by an unprivileged user using the ldbadd tool, so this is a + security issue. + +o CVE-2018-16841: + When configured to accept smart-card authentication, Samba's KDC will call + talloc_free() twice on the same memory if the principal in a validly signed + certificate does not match the principal in the AS-REQ. + + This is only possible after authentication with a trusted certificate. + + talloc is robust against further corruption from a double-free with + talloc_free() and directly calls abort(), terminating the KDC process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16851: + During the processing of an LDAP search before Samba's AD DC returns + the LDAP entries to the client, the entries are cached in a single + memory object with a maximum size of 256MB. When this size is + reached, the Samba process providing the LDAP service will follow the + NULL pointer, terminating the process. + + There is no further vulnerability associated with this issue, merely a + denial of service. + +o CVE-2018-16853: + A user in a Samba AD domain can crash the KDC when Samba is built in the + non-default MIT Kerberos configuration. 
+ + With this advisory we clarify that the MIT Kerberos build of the Samba + AD DC is considered experimental. Therefore the Samba Team will not + issue security patches for this configuration. + +For more details and workarounds, please refer to the security advisories. + + +Changes since 4.8.6: +-------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 13628: CVE-2018-16841: heimdal: Fix segfault on PKINIT with + mis-matching principal. + * BUG 13678: CVE-2018-16853: build: The Samba AD DC, when build with MIT + Kerberos is experimental + +o Aaron Haslett <aaronhasl...@catalyst.net.nz> + * BUG 13600: CVE-2018-14629: dns: CNAME loop prevention using counter. + +o Garming Sam <garm...@catalyst.net.nz> + * BUG 13674: CVE-2018-16851: ldap_server: Check ret before manipulating blob. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + ============================= Release Notes for Samba 4.8.6 October 9, 2018 
@@ -63,8 +162,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================= Release Notes for Samba 4.8.5 diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py index 1b5b64da3a4..3390a3990c9 100644 --- a/python/samba/tests/dns.py +++ b/python/samba/tests/dns.py @@ -798,6 +798,30 @@ class TestComplexQueries(DNSTest): self.assertEquals(response.answers[1].name, name2) self.assertEquals(response.answers[1].rdata, name0) + def test_cname_loop(self): + cname1 = "cnamelooptestrec." + self.get_dns_domain() + cname2 = "cnamelooptestrec2." + self.get_dns_domain() + cname3 = "cnamelooptestrec3." + self.get_dns_domain() + self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME) + self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME) + self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME) + + p = self.make_name_packet(dns.DNS_OPCODE_QUERY) + questions = [] + + q = self.make_name_question(cname1, + dns.DNS_QTYPE_A, + dns.DNS_QCLASS_IN) + questions.append(q) + self.finish_name_packet(p, questions) + + (response, response_packet) =\ + self.dns_transaction_udp(p, host=self.server_ip) + + max_recursion_depth = 20 + self.assertEquals(len(response.answers), max_recursion_depth) + + class TestInvalidQueries(DNSTest): def setUp(self): super(TestInvalidQueries, self).setUp() diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns index cb3003240ea..8c79b3abe00 100644 --- a/selftest/knownfail.d/dns +++ b/selftest/knownfail.d/dns 
@@ -45,3 +45,9 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\) # The SOA override should not pass against the RODC, it must not overstamp samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\) + +# +# rodc and vampire_dc require signed dns updates, so the test setup +# fails, but the test does run on fl2003dc +^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\) +^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\) diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c index f1facc83125..07cde80a258 100644 --- a/source4/dns_server/dns_query.c +++ b/source4/dns_server/dns_query.c @@ -40,6 +40,7 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_DNS +#define MAX_Q_RECURSION_DEPTH 20 struct forwarder_string { const char *forwarder; @@ -419,6 +420,11 @@ static struct tevent_req *handle_dnsrpcrec_send( state->answers = answers; state->nsrecs = nsrecs; + if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) { + tevent_req_done(req); + return tevent_req_post(req, ev); + } + resolve_cname = ((rec->wType == DNS_TYPE_CNAME) && ((question->question_type == DNS_QTYPE_A) || (question->question_type == DNS_QTYPE_AAAA))); diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index 8ccc34cd665..519060a5641 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -2606,10 +2606,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context, * comparison */ if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) { talloc_free(mem_ctx); -#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */ - return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; -#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */ +#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH; +#else /* Heimdal (where this is an enum) */ + return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH; #endif } 
diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c index 5f7efe90bba..d754c4dae78 100644 --- a/source4/ldap_server/ldap_server.c +++ b/source4/ldap_server/ldap_server.c @@ -675,13 +675,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call) ret = data_blob_append(call, &blob, b.data, b.length); data_blob_free(&b); - talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet"); - if (!ret) { ldapsrv_terminate_connection(conn, "data_blob_append failed"); return; } + talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet"); + DLIST_REMOVE(call->replies, call->replies); } diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh index 0a13aa293e7..0912e0dbfe8 100755 --- a/testprogs/blackbox/test_pkinit_heimdal.sh +++ b/testprogs/blackbox/test_pkinit_heimdal.sh 
@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1` + +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1` + testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1` + +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1` + testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1` testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1` diff --git a/wscript b/wscript index 0985aa94867..ff628df37e7 100644 
--- a/wscript +++ b/wscript @@ -55,6 +55,14 @@ def set_options(opt): help='build Samba with system MIT Kerberos. ' + 'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config', action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False) + + opt.add_option('--with-experimental-mit-ad-dc', + help='Enable the experimental MIT Kerberos-backed AD DC. ' + + 'Note that security patches are not issued for this configuration', + action='store_true', + dest='with_experimental_mit_ad_dc', + default=False) + opt.add_option('--with-system-mitkdc', help=('Specify the path to the krb5kdc binary from MIT Kerberos'), type="string", @@ -194,7 +202,16 @@ def configure(conf): conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) if Options.options.with_system_mitkrb5: + if not Options.options.with_experimental_mit_ad_dc and \ + not Options.options.without_ad_dc: + raise Utils.WafError('The MIT Kerberos build of Samba as an AD DC ' + + 'is experimental. Therefore ' + '--with-system-mitkrb5 requires either ' + + '--with-experimental-mit-ad-dc or ' + + '--without-ad-dc') + conf.PROCESS_SEPARATE_RULE('system_mitkrb5') + if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5): conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1) -- Samba Shared Repository
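Review bot: The CVE-2018-16853 entry in the WHATSNEW hunk tells readers the MIT build is experimental and unsupported but never says how configure now behaves: the wscript change in this same release makes --with-system-mitkrb5 fail unless --with-experimental-mit-ad-dc or --without-ad-dc is also passed, which is precisely what a packager reading the notes needs to know, so add one sentence under "o CVE-2018-16853:" naming the new flag. Minor wording in the same hunk: "when build with MIT Kerberos is experimental" reads better as "when built with MIT Kerberos, is experimental", and "Any dns record can be added via ldap" should capitalise DNS and LDAP.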
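Review bot: In test_cname_loop the expected answer count is a local `max_recursion_depth = 20` that duplicates `#define MAX_Q_RECURSION_DEPTH 20` from source4/dns_server/dns_query.c with nothing tying the two together, so if the server constant is later tuned the test fails for the wrong reason or, worse, keeps passing against an unpatched binary that happens to stop at a different point. Suggest a comment pointing at the C define, and asserting what was actually cut off (every returned answer is a CNAME and the response rcode is still success) rather than the bare count, so the test documents the behaviour a client will observe.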
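Review bot: The guard in handle_dnsrpcrec_send caps talloc_array_length(*answers), i.e. the total number of answers accumulated so far, not the number of CNAME hops followed, so from these lines a name whose RRset legitimately holds 20 or more A/AAAA records would also be cut short at 20 and returned as a complete, successful answer. If that is acceptable it deserves a comment next to MAX_Q_RECURSION_DEPTH; otherwise count CNAME follow-ups in the request state instead of answers. Either way the loop case completes silently via tevent_req_done(); a DBG_WARNING naming the question and the last CNAME target would give operators a log line to alert on, since an unprivileged user creating such a loop (as the advisory describes) is itself worth noticing.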
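Review bot: The reordering is the whole fix, and the comment should say why: KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum member in Heimdal, so the old `#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH` never matched, the `#elif` for MIT did not either, and control fell off the end of samba_kdc_check_pkinit_ms_upn_match right after talloc_free(mem_ctx), which matches the double talloc_free() described in the release notes. Suggest "/* Heimdal: this is an enum, so it is invisible to the preprocessor */" so nobody restores the #ifdef, and this is a case for compiling at least the selftest builds with -Werror=return-type, which would have turned the missing return in a krb5_error_code function into a build failure instead of a KDC abort.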
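Review bot: Moving talloc_set_name_const() below the `if (!ret)` check is the right fix, since after a failed data_blob_append() blob.data is the NULL pointer the advisory refers to and naming it dereferenced it. Two follow-ups for the same series: nothing in this diff exercises the new ordering, so a regression test that drives a search result past the size at which data_blob_append() fails (the 256MB figure in WHATSNEW) would pin it, and the ldapsrv_terminate_connection(conn, "data_blob_append failed") path should log at a level an operator normally sees, because a client that can trigger it repeatedly is a cheap denial-of-service signal worth detecting.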
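Review bot: In the "wrong enterprise name specified 2" case the principal argument is `$SERVER$@$REALM`; unescaped, the shell expands `$@` to the script's positional parameters, so the test does not request `SERVER$@REALM` as written, and it differs from the parallel non-enterprise case, which uses `$SERVER@$REALM` with no trailing dollar. If the machine-account form is intended, write `${SERVER}\$@$REALM` (in both cases, for symmetry); if not, drop the extra `$`. Separately, testit_expect_failure passes on any non-zero exit, so a kinit that fails for an unrelated reason (malformed principal, missing ccache) still counts as a pass; these four new cases should check that the failure is the client-name-mismatch error, since that is the behaviour CVE-2018-16841 is about.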
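Review bot: The new configure guard lives under `if Options.options.with_system_mitkrb5:`, which is the right place, but the error message mixes implicit string literal concatenation ('Therefore ' '--with-system-mitkrb5 requires either ') with the `+` used on the surrounding lines; it works, yet it reads like a dropped operator, so use `+` throughout. More importantly, the help text promises that "security patches are not issued for this configuration" while nothing marks the resulting binary: consider turning --with-experimental-mit-ad-dc into a build-option define that shows up in `smbd -b` output, so an operator auditing a deployed DC can tell an experimental MIT build from a supported Heimdal one without re-reading the packager's configure line.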