Jeremie Courreges-Anglas <j...@wxcvbn.org> writes:

> Hi,
>
> I committed an update to samba-4.5.2 on -current earlier today.  Below
> there's a diff to update to samba-4.5.3, a security update.
>
> o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
>    Overflow Remote Code Execution Vulnerability).
> o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
>    trusted realms).
> o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
>    elevation).
>
>   https://www.samba.org/samba/history/samba-4.5.3.html

Committed.

[...]

> For -stable I plan to cook a diff later today / tomorrow, an update to
> 4.4.8 (since -stable is currently at 4.4.5).

Since moving to samba-4.4.8 would imply the removal of a shared library
used by other ports, let's backport the security fixes to samba-4.4.5
instead.

Build tests welcome.  ok?


Index: Makefile
===================================================================
RCS file: /d/cvs/ports/net/samba/Makefile,v
retrieving revision 1.227
diff -u -p -r1.227 Makefile
--- Makefile    8 Jul 2016 18:39:50 -0000       1.227
+++ Makefile    21 Dec 2016 13:24:24 -0000
@@ -15,6 +15,7 @@ PKGNAME-tevent =      tevent-${TEVENT_V}
 PKGNAME-util =         samba-util-${VERSION}
 PKGNAME-docs =         samba-docs-${VERSION}
 
+REVISION-main =                0
 REVISION-ldb =         0
 REVISION-tevent =      0
 
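Review bot: REVISION-main = 0 is the right bump for this diff, since all four added patch files touch sources built into the main samba package (auth/kerberos, source3/librpc/crypto, source4/auth/gensec, source4/scripting) and nothing in the ldb or tevent subpackages changes, so leaving REVISION-ldb and REVISION-tevent at 0 is correct.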
Index: patches/patch-auth_kerberos_kerberos_pac_c
===================================================================
RCS file: patches/patch-auth_kerberos_kerberos_pac_c
diff -N patches/patch-auth_kerberos_kerberos_pac_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-auth_kerberos_kerberos_pac_c  21 Dec 2016 13:22:23 -0000
@@ -0,0 +1,50 @@
+$OpenBSD$
+
+commit ce31a69a32d2bd6975006e428afe4584f6b7bc43
+Author: Stefan Metzmacher <me...@samba.org>
+Date:   Tue Nov 22 17:08:46 2016 +0100
+
+    CVE-2016-2126: auth/kerberos: only allow known checksum types in 
check_pac_checksum()
+
+    aes based checksums can only be checked with the
+    corresponding aes based keytype.
+
+    Otherwise we may trigger an undefined code path
+    deep in the kerberos libraries, which can leed to
+    segmentation faults.
+
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
+
+    Signed-off-by: Stefan Metzmacher <me...@samba.org>
+
+--- auth/kerberos/kerberos_pac.c.orig  Wed Dec 21 12:14:39 2016
++++ auth/kerberos/kerberos_pac.c       Wed Dec 21 14:20:55 2016
+@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+       krb5_boolean checksum_valid = false;
+       krb5_data input;
+ 
++      switch (sig->type) {
++      case CKSUMTYPE_HMAC_MD5:
++              /* ignores the key type */
++              break;
++      case CKSUMTYPE_HMAC_SHA1_96_AES_256:
++              if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) 
{
++                      return EINVAL;
++              }
++              /* ok */
++              break;
++      case CKSUMTYPE_HMAC_SHA1_96_AES_128:
++              if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) 
{
++                      return EINVAL;
++              }
++              /* ok */
++              break;
++      default:
++              DEBUG(2,("check_pac_checksum: Checksum Type %d is not 
supported\n",
++                      (int)sig->type));
++              return EINVAL;
++      }
++
+ #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+       cksum.cksumtype = (krb5_cksumtype)sig->type;
+       cksum.checksum.length   = sig->signature.length;
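Review bot: rejected PAC checksums are only reported through the DEBUG(2, ...) call in the new default branch, so an operator has to run at log level 2 or higher to see that a PAC was refused; worth a mention for anyone debugging logon failures after the update. Functionally the hunk does what the commit message says: the switch returns EINVAL before the checksum reaches the Heimdal/MIT code whenever sig->type is unknown or, for CKSUMTYPE_HMAC_SHA1_96_AES_256 / _AES_128, does not match the enctype of keyblock, and only CKSUMTYPE_HMAC_MD5 is accepted regardless of key type. The "leed" typo is in the verbatim upstream commit message and can stay.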
Index: patches/patch-source3_librpc_crypto_gse_c
===================================================================
RCS file: patches/patch-source3_librpc_crypto_gse_c
diff -N patches/patch-source3_librpc_crypto_gse_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-source3_librpc_crypto_gse_c   21 Dec 2016 13:23:12 -0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+commit 07ef0f6ce0fb9d9735710ab79c2ee91d7a72a974
+Author: Stefan Metzmacher <me...@samba.org>
+Date:   Wed Nov 23 11:42:59 2016 +0100
+
+    CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
+
+    We should only use GSS_C_DELEG_POLICY_FLAG in order to let
+    the KDC decide if we should send delegated credentials to
+    a remote server.
+
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+    Signed-off-by: Stefan Metzmacher <me...@samba.org>
+    Reviewed-by: Alexander Bokovoy <a...@samba.org>
+    Reviewed-by: Simo Sorce <i...@samba.org>
+
+--- source3/librpc/crypto/gse.c.orig   Wed Dec 21 12:14:43 2016
++++ source3/librpc/crypto/gse.c        Wed Dec 21 14:20:55 2016
+@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+       memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+ 
+       gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
+-                              GSS_C_DELEG_FLAG |
+                               GSS_C_DELEG_POLICY_FLAG |
+                               GSS_C_REPLAY_FLAG |
+                               GSS_C_SEQUENCE_FLAG;
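Review bot: unlike the source4 gensec_gssapi change, this path has no setting to consult: gse_context_init() assigns gss_want_flags directly, so after removing GSS_C_DELEG_FLAG there is no local way to re-enable unconditional delegation here, which should be fine given the CVE but is worth knowing when comparing behaviour between the two code paths. With only GSS_C_DELEG_POLICY_FLAG left, credentials are forwarded only when the KDC marks the target service as trusted for delegation (the ok-as-delegate ticket flag), which is the intended fix for CVE-2016-2125.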
Index: patches/patch-source4_auth_gensec_gensec_gssapi_c
===================================================================
RCS file: patches/patch-source4_auth_gensec_gensec_gssapi_c
diff -N patches/patch-source4_auth_gensec_gensec_gssapi_c
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-source4_auth_gensec_gensec_gssapi_c   21 Dec 2016 13:22:48 
-0000
@@ -0,0 +1,29 @@
+$OpenBSD$
+
+commit 58586ceae7fe628453e6bffdc463d4309ced15fb
+Author: Stefan Metzmacher <me...@samba.org>
+Date:   Wed Nov 23 11:44:22 2016 +0100
+
+    CVE-2016-2125: s4:gensec_gssapi: don't use GSS_C_DELEG_FLAG by default
+
+    This disabled the usage of GSS_C_DELEG_FLAG by default, as
+    GSS_C_DELEG_POLICY_FLAG is still used by default we let the
+    KDC decide if we should send delegated credentials to a remote server.
+
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+    Signed-off-by: Stefan Metzmacher <me...@samba.org>
+    Reviewed-by: Alexander Bokovoy <a...@samba.org>
+    Reviewed-by: Simo Sorce <i...@samba.org>
+
+--- source4/auth/gensec/gensec_gssapi.c.orig   Wed Dec 21 12:14:45 2016
++++ source4/auth/gensec/gensec_gssapi.c        Wed Dec 21 14:20:55 2016
+@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_secu
+       if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", 
"mutual", true)) {
+               gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
+       }
+-      if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", 
"delegation", true)) {
++      if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", 
"delegation", false)) {
+               gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
+       }
+       if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", 
"replay", true)) {
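Review bot: the default of the "delegation" setting flips from true to false, so any deployment that relied on unconstrained delegation through the source4 gensec path loses it silently after this update; since the gensec_setting_bool() lookup is kept, it can be restored by setting gensec_gssapi:delegation = yes in smb.conf, and a line saying so in the commit message or pkg/README would save users a surprise. Also note that the long if-lines in this hunk were wrapped by the mail client (the "mutual", true)) { and "delegation", ...)) { fragments sit on their own lines), so the diff as pasted here will not apply cleanly and should be taken from the original file rather than the mail.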
Index: patches/patch-source4_scripting_bin_nsupdate-gss
===================================================================
RCS file: patches/patch-source4_scripting_bin_nsupdate-gss
diff -N patches/patch-source4_scripting_bin_nsupdate-gss
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-source4_scripting_bin_nsupdate-gss    21 Dec 2016 13:23:33 
-0000
@@ -0,0 +1,28 @@
+$OpenBSD$
+
+commit 0f1b36b7d5514f8d16c60ebcd5c59753113b4334
+Author: Stefan Metzmacher <me...@samba.org>
+Date:   Wed Nov 23 11:41:10 2016 +0100
+
+    CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG in nsupdate-gss
+
+    This is just an example script that's not directly used by samba,
+    but we should avoid sending delegated credentials to dns servers.
+
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+    Signed-off-by: Stefan Metzmacher <me...@samba.org>
+    Reviewed-by: Alexander Bokovoy <a...@samba.org>
+    Reviewed-by: Simo Sorce <i...@samba.org>
+
+--- source4/scripting/bin/nsupdate-gss.orig    Wed Dec 21 12:14:47 2016
++++ source4/scripting/bin/nsupdate-gss Wed Dec 21 14:20:55 2016
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+     my $flags = 
+       GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
+       GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
+-      GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++      GSS_C_INTEG_FLAG;
+ 
+ 
+     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
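Review bot: negotiate_tkey() now requests replay, mutual, sequence, confidentiality and integrity protection but no delegation, which matches the C-side changes; as the commit message says, this script is only an example that Samba itself does not call, so this is a consistency fix rather than a runtime one and is fine to carry. The trailing whitespace after "my $flags =" and on the two following flag lines is upstream's and can be left as is.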


-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE