[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via fd28e8aeb42 gpo: Correct name of files gpo from 47d79d7e7e4 s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success. https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit fd28e8aeb422fa99e3ea7f13a75ea93b76320b48 Author: David Mulder Date: Wed Apr 28 10:32:44 2021 -0600 gpo: Correct name of files gpo This is important, since having the incorrect name will prevent policies from removing correctly on an unapply, or when the policy is deleted from AD. Signed-off-by: David Mulder Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Apr 29 22:27:20 UTC 2021 on sn-devel-184 --- Summary of changes: python/samba/vgp_files_ext.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/python/samba/vgp_files_ext.py b/python/samba/vgp_files_ext.py index be1d8c95466..7e992275b16 100644 --- a/python/samba/vgp_files_ext.py +++ b/python/samba/vgp_files_ext.py @@ -60,7 +60,7 @@ def stat_from_mode(mode): class vgp_files_ext(gp_xml_ext): def __str__(self): -return 'VGP/Unix Settings/Sudo Rights' +return 'VGP/Unix Settings/Files' def process_group_policy(self, deleted_gpo_list, changed_gpo_list): for guid, settings in deleted_gpo_list: -- Samba Shared Repository
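Review bot: In `__str__` of `vgp_files_ext`, the corrected return value 'VGP/Unix Settings/Files' fixes the name going forward, but nothing in this change deals with settings that were applied while the class still reported 'VGP/Unix Settings/Sudo Rights'. Since the commit message says the name decides whether a policy is removed on unapply or deletion, please state whether files applied under the old name need a one-time cleanup, and add a test that asserts this extension's name so a copy-and-paste from another extension is caught.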
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 47d79d7e7e4 s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success. from 54343f50a62 winbindd: remove obsolete sequence_number from struct winbindd_methods https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 47d79d7e7e406f7dd204ded7c72cfed3e0761ad5 Author: Jeremy Allison Date: Thu Apr 29 09:50:30 2021 -0700 s3: smbd: SMB1 SMBsplwr doesn't send a reply packet on success. Missing call to set up req->outbuf means no reply is sent. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14696 Signed-off-by: Jeremy Allison Reviewed-by: Ralph Boehme Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Thu Apr 29 21:27:58 UTC 2021 on sn-devel-184 --- Summary of changes: source3/smbd/reply.c | 2 ++ 1 file changed, 2 insertions(+) Changeset truncated at 500 lines: diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index dcda32e8cc1..f7b0fe72f13 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -7059,6 +7059,8 @@ void reply_printwrite(struct smb_request *req) DEBUG(3, ("printwrite %s num=%d\n", fsp_fnum_dbg(fsp), numtowrite)); + reply_outbuf(req, 0, 0); + END_PROFILE(SMBsplwr); return; } -- Samba Shared Repository
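Review bot: The added `reply_outbuf(req, 0, 0);` on the success path of `reply_printwrite()` arrives without a test; the changeset touches only source3/smbd/reply.c. Please add a regression test that issues SMBsplwr and checks that a reply packet comes back, so the missing-reply case from bug 14696 is caught if this path is refactored again.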
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated
  via  54343f50a62 winbindd: remove obsolete sequence_number from struct winbindd_methods
  via  27c53355b26 winbindd: remove obsolete sequence_number() from winbindd_reconnect.c
  via  7524e6e7b55 winbindd: remove obsolete sequence_number() from winbindd_reconnect_ads.c
  via  255a63abb57 s3:winbindd: Remove unused rpc_sequence_number()
  via  f3c603766be s3:winbindd: Remove obsolete sequence_number callback from ads backend
  via  2d8093946dc s3:winbindd: Remove obsolete sequence_number callback from samr backend
  via  371bc987668 s3:winbindd: Remove obsolete sequence_number callback from msrpc backend
  via  edad81c85c9 s3:winbindd: Do not call backends sequence number code
  via  9b2c17e57af s3:winbindd: Simplfy sequence number caching
 from  75ad84167f5 CVE-2021-20254 passdb: Simplify sids_to_unixids()

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -

commit 54343f50a62309967647a21d5d5a4003401fc12b
Author: Ralph Boehme
Date: Tue Apr 27 16:03:29 2021 +0200

    winbindd: remove obsolete sequence_number from struct winbindd_methods

    Signed-off-by: Ralph Boehme
    Reviewed-by: Andreas Schneider
    Autobuild-User(master): Andreas Schneider
    Autobuild-Date(master): Thu Apr 29 15:49:16 UTC 2021 on sn-devel-184

commit 27c53355b26cc0dff08d657e1315d52659833d1c
Author: Ralph Boehme
Date: Tue Apr 27 16:02:32 2021 +0200

    winbindd: remove obsolete sequence_number() from winbindd_reconnect.c

    Signed-off-by: Ralph Boehme
    Reviewed-by: Andreas Schneider

commit 7524e6e7b553fc82f7edb3b59566de5860d4d0e6
Author: Ralph Boehme
Date: Tue Apr 27 16:01:45 2021 +0200

    winbindd: remove obsolete sequence_number() from winbindd_reconnect_ads.c

    Signed-off-by: Ralph Boehme
    Reviewed-by: Andreas Schneider

commit 255a63abb57bfb1228024f698779d2210027277c
Author: Andreas Schneider
Date: Mon Apr 26 14:03:38 2021 +0200

    s3:winbindd: Remove unused rpc_sequence_number()

    Signed-off-by: Andreas Schneider
    Reviewed-by: Ralph Boehme

commit f3c603766bee2973aff0224bfab56901bab22c38
Author: Andreas Schneider
Date: Mon Apr 26 13:54:30 2021 +0200

    s3:winbindd: Remove obsolete sequence_number callback from ads backend

    Signed-off-by: Andreas Schneider
    Reviewed-by: Ralph Boehme

commit 2d8093946dc1a06f10676480e7ed3969d712170c
Author: Andreas Schneider
Date: Mon Apr 26 13:53:09 2021 +0200

    s3:winbindd: Remove obsolete sequence_number callback from samr backend

    Signed-off-by: Andreas Schneider
    Reviewed-by: Ralph Boehme

commit 371bc987668463dc9693283921f400258112a744
Author: Andreas Schneider
Date: Mon Apr 26 13:52:14 2021 +0200

    s3:winbindd: Remove obsolete sequence_number callback from msrpc backend

    Signed-off-by: Andreas Schneider
    Reviewed-by: Ralph Boehme

commit edad81c85c9d726e2b08779ba9cd7729cdbf
Author: Andreas Schneider
Date: Mon Apr 26 14:01:39 2021 +0200

    s3:winbindd: Do not call backends sequence number code

    This is not needed anymore.

    Signed-off-by: Andreas Schneider
    Reviewed-by: Ralph Boehme

commit 9b2c17e57afffafc010e99b41c33dc8858bab95b
Author: Andreas Schneider
Date: Fri Apr 23 14:16:02 2021 +0200

    s3:winbindd: Simplfy sequence number caching

    The sequence number is used to detect if the cache is still valid. It
    expires when the `winbind cache time` is over. After that time we want
    to fetch new information from a DC to make sure we are up to date.

    If a DC goes down and we recreate the connection, we want to expire the
    caches sooner. So we reset the sequence number and the next call should
    refill the caches.

    Using the current time as the sequence number is more reliable, as the
    sequence number of two DCs could in theory be equal. All we have to do
    is to make sure we reset it after we reconnect to a DC.

    Previously the sequence number check was based on the AD database
    change sequence number. Now this is based on a current time value which
    gets reset after a successful (re)connect.

    Pair-Programmed-With: Stefan Metzmacher
    Signed-off-by: Andreas Schneider
    Signed-off-by: Stefan Metzmacher
    Reviewed-by: Ralph Boehme

---

Summary of changes:
 source3/winbindd/winbindd.h | 3 -
 source3/winbindd/winbindd_ads.c | 49 --
 source3/winbindd/winbindd_cache.c | 127 +---
 source3/winbindd/winbindd_cm.c | 4 +
 source3/winbindd/winbindd_msrpc.c | 156 --
 source3/winbindd/winbindd_reconnect.c | 14 ---
 source3/winbindd/winbindd_reconnect_ads.c | 15 ---
 source3/winbindd/winbindd_rpc.c | 59 ---
[SCM] Samba Shared Repository - branch master updated
The branch, master has been updated via 75ad84167f5 CVE-2021-20254 passdb: Simplify sids_to_unixids() from 757c49f6dc5 s3:winbind: For 'security = ADS' require realm/workgroup to be set https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log - commit 75ad84167f5d2379557ec078d17c9a1c244402fc Author: Volker Lendecke Date: Sat Feb 20 15:50:12 2021 +0100 CVE-2021-20254 passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED Add comments to explain the use of the three lookup loops. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14571 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison Autobuild-User(master): Karolin Seeger Autobuild-Date(master): Thu Apr 29 09:55:51 UTC 2021 on sn-devel-184 --- Summary of changes: source3/passdb/lookup_sid.c | 123 1 file changed, 101 insertions(+), 22 deletions(-) Changeset truncated at 500 lines: diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index cf80a300189..0e01467b3cb 100644 --- a/source3/passdb/lookup_sid.c +++ b/source3/passdb/lookup_sid.c @@ -29,6 +29,7 @@ #include "../libcli/security/security.h" #include "lib/winbind_util.h" #include "../librpc/gen_ndr/idmap.h" +#include "lib/util/bitmap.h" static bool lookup_unix_user_name(const char *name, struct dom_sid *sid) { @@ -1266,7 +1267,9 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, { struct wbcDomainSid *wbc_sids = NULL; struct wbcUnixId *wbc_ids = NULL; + struct bitmap *found = NULL; uint32_t i, num_not_cached; + uint32_t wbc_ids_size = 0; wbcErr err; bool ret = false; 
@@ -1274,6 +1277,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, if (wbc_sids == NULL) { return false; } + found = bitmap_talloc(wbc_sids, num_sids); + if (found == NULL) { + goto fail; + } + + /* +* We go through the requested SID array three times. +* First time to look for global_sid_Unix_Users +* and global_sid_Unix_Groups SIDS, and to look +* for mappings cached in the idmap_cache. +* +* Use bitmap_set() to mark an ids[] array entry as +* being mapped. +*/ num_not_cached = 0; @@ -1285,17 +1302,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, [i], )) { ids[i].type = ID_TYPE_UID; ids[i].id = rid; + bitmap_set(found, i); continue; } if (sid_peek_check_rid(_sid_Unix_Groups, [i], )) { ids[i].type = ID_TYPE_GID; ids[i].id = rid; + bitmap_set(found, i); continue; } if (idmap_cache_find_sid2unixid([i], [i], ) && !expired) { + bitmap_set(found, i); continue; } ids[i].type = ID_TYPE_NOT_SPECIFIED; @@ -1306,62 +1326,121 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, if (num_not_cached == 0) { goto done; } - wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, num_not_cached); + + /* +* For the ones that we couldn't map in the loop above, query winbindd +* via wbcSidsToUnixIds(). +*/ + + wbc_ids_size = num_not_cached; + wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, wbc_ids_size); if (wbc_ids == NULL) { goto fail; } - for (i=0; i id is a union anyway */ - ids[i].type = (enum id_type)wbc_ids[num_not_cached].type; - ids[i].id = wbc_ids[num_not_cached].id.gid; - break; - } - num_not_cached += 1; + if (bitmap_query(found, i)) { + continue; + } + + SMB_ASSERT(num_not_cached < wbc_ids_size); + + switch (wbc_ids[num_not_cached].type) { + case WBC_ID_TYPE_UID: + ids[i].type = ID_TYPE_UID; + ids[i].id = wbc_ids[num_not_cached].id.uid; + bitmap_set(found, i); + break; + case WBC_ID_TYPE_GID: + ids[i].type =
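Review bot: The new `SMB_ASSERT(num_not_cached < wbc_ids_size);` in the third loop turns an index past the end of `wbc_ids` into a deliberate abort, but the changeset touches only source3/passdb/lookup_sid.c, so nothing exercises the path that used to overrun. Please add a test that calls sids_to_unixids() with a mix of cached, uncached and negatively cached SIDs and checks that every ids[] entry receives its own answer. Minor: "SIDS" in the new block comment should read "SIDs".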
[SCM] Samba Shared Repository - branch v4-12-test updated
The branch, v4-12-test has been updated via a0531b507d1 VERSION: Bump version up to 4.12.16. via 5ab7bbd30bd Merge tag 'samba-4.12.15' into v4-12-test via 703c6301013 VERSION: Disable GIT_SNAPSHOT for the 4.12.15 release. via 05214a24860 WHATSNEW: Add release notes for Samba 4.12.15. via 6a6a33274c0 CVE-2021-20254 passdb: Simplify sids_to_unixids() via 80c8c8552ed VERSION: Enable GIT_SNAPSHOT. via 70a4b0269e9 VERSION: Bump version up to 4.12.15... from deb7b32b437 VERSION: Bump version up to 4.12.15... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-test - Log - commit a0531b507d1087ef1e1242d707c5d02d455a3177 Author: Karolin Seeger Date: Thu Apr 29 11:13:50 2021 +0200 VERSION: Bump version up to 4.12.16. Signed-off-by: Karolin Seeger commit 5ab7bbd30bd8cdd4510c07b37577f6c4d78ee187 Merge: deb7b32b437 703c6301013 Author: Karolin Seeger Date: Thu Apr 29 11:12:26 2021 +0200 Merge tag 'samba-4.12.15' into v4-12-test samba: tag release samba-4.12.15 --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 68 - source3/passdb/lookup_sid.c | 140 +--- 3 files changed, 185 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 1f011252804..8c7f01c0903 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=12 -SAMBA_VERSION_RELEASE=15 +SAMBA_VERSION_RELEASE=16 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f3c64a7050c..d77b074f2a7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,68 @@ + === + Release Notes for Samba 4.12.15 + April 29, 2021 + === + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +=== +Details +=== + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. + + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.12.14 +- + +o Volker Lendecke + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +== + + +Release notes for older releases follow: + + + === Release Notes for Samba 4.12.14 March 24, 2021 @@ -55,8 +120,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- === diff --git a/source3/passdb/lookup_sid.c
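The flaw described in the release notes above, and the fix's "Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED", as an added example that is a simplified model and not Samba's code: when "type is still NOT_SPECIFIED" doubles as "needs a backend answer", a negative cache entry consumes a backend slot that was never allocated for it. All names here (`map_ids`, `cache_slot`, the sample data) are assumptions, and reads past the backend array are counted rather than performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum id_type { ID_TYPE_NOT_SPECIFIED = 0, ID_TYPE_UID, ID_TYPE_GID };
struct unixid { uint32_t id; enum id_type type; };

/* Hypothetical stand-in for the idmap cache: slot i describes request i. */
enum cache_state { CACHE_MISS, CACHE_POSITIVE, CACHE_NEGATIVE };
struct cache_slot { enum cache_state state; struct unixid val; };

struct outcome {
	size_t backend_size; /* answers requested from the backend */
	size_t consumed;     /* answers the final loop tried to read */
	size_t oob_reads;    /* reads that would land past the array */
};

#define N_MAX 16
#define N_SIDS 5

/* Constructed sample: one positive hit, two misses, two negative entries. */
static const struct cache_slot sample_cache[N_SIDS] = {
	{ CACHE_POSITIVE, { 500, ID_TYPE_UID } },
	{ CACHE_MISS,     { 0, ID_TYPE_NOT_SPECIFIED } },
	{ CACHE_NEGATIVE, { 0, ID_TYPE_NOT_SPECIFIED } },
	{ CACHE_MISS,     { 0, ID_TYPE_NOT_SPECIFIED } },
	{ CACHE_NEGATIVE, { 0, ID_TYPE_NOT_SPECIFIED } },
};

/*
 * decoupled == false: the final loop decides "needs an answer" from the
 *                     type field (the coupled, flawed pattern).
 * decoupled == true:  the final loop uses a separate found[] record,
 *                     as the fix does with its bitmap.
 */
static struct outcome map_ids(const struct cache_slot *cache, size_t n,
			      struct unixid *ids, bool decoupled)
{
	struct outcome out = { 0, 0, 0 };
	bool found[N_MAX] = { false };
	struct unixid backend[N_MAX];
	size_t i, k;

	if (n > N_MAX) {
		return out;
	}

	/* Pass 1: take whatever the cache knows, count real misses. */
	for (i = 0; i < n; i++) {
		if (cache[i].state != CACHE_MISS) {
			ids[i] = cache[i].val; /* negative: type stays NOT_SPECIFIED */
			found[i] = true;
			continue;
		}
		ids[i].type = ID_TYPE_NOT_SPECIFIED;
		ids[i].id = 0;
		out.backend_size++;
	}

	/* Pass 2: the backend returns exactly one answer per miss. */
	for (k = 0; k < out.backend_size; k++) {
		backend[k].type = ID_TYPE_GID;
		backend[k].id = 2000 + (uint32_t)k;
	}

	/* Pass 3: hand the answers back to the entries that asked. */
	k = 0;
	for (i = 0; i < n; i++) {
		bool needs = decoupled ? !found[i]
				       : (ids[i].type == ID_TYPE_NOT_SPECIFIED);
		if (!needs) {
			continue;
		}
		if (k >= out.backend_size) {
			out.oob_reads++; /* model only: count, do not read */
			k++;
			continue;
		}
		ids[i] = backend[k++];
	}
	out.consumed = k;
	return out;
}

int main(void)
{
	struct unixid ids[N_SIDS];
	struct outcome o;

	o = map_ids(sample_cache, N_SIDS, ids, false);
	printf("coupled:   size=%zu consumed=%zu oob=%zu ids[2].id=%u\n",
	       o.backend_size, o.consumed, o.oob_reads, (unsigned)ids[2].id);

	o = map_ids(sample_cache, N_SIDS, ids, true);
	printf("decoupled: size=%zu consumed=%zu oob=%zu ids[2].id=%u\n",
	       o.backend_size, o.consumed, o.oob_reads, (unsigned)ids[2].id);
	return 0;
}
```

In the coupled run the entry at index 2 also receives the answer that belonged to index 3, so the model shows a wrong mapping before it shows the overrun.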
[SCM] Samba Shared Repository - branch v4-13-test updated
The branch, v4-13-test has been updated via 4484b030c0d VERSION: Bump version up to 4.13.9. via 5e9cd05325e Merge tag 'samba-4.13.8' into v4-13-test via 058aaad5f4a WHATSNEW: Add release notes for Samba 4.13.8. via 32c511d439b CVE-2021-20254 passdb: Simplify sids_to_unixids() via 2f7500d3927 VERSION: Bump version up to 4.13.8... from 2022e490d5e s3-iremotewinspool: set the per-request memory context https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log - commit 4484b030c0dc20285950da1b65d3cfad6393464d Author: Karolin Seeger Date: Thu Apr 29 11:11:31 2021 +0200 VERSION: Bump version up to 4.13.9. Signed-off-by: Karolin Seeger commit 5e9cd05325ea0220426cef1fe8990c1f303a0867 Merge: 2022e490d5e 058aaad5f4a Author: Karolin Seeger Date: Thu Apr 29 11:11:10 2021 +0200 Merge tag 'samba-4.13.8' into v4-13-test samba: tag release samba-4.13.8 commit 058aaad5f4a2399dc0c11b42a6650c251957f24d Author: Karolin Seeger Date: Mon Apr 26 12:45:26 2021 +0200 WHATSNEW: Add release notes for Samba 4.13.8. Signed-off-by: Karolin Seeger commit 32c511d439b23d880133b8d9d32274eba3952a88 Author: Volker Lendecke Date: Sat Feb 20 15:50:12 2021 +0100 CVE-2021-20254 passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (backported from patch from master) [backport by npo...@samba.org as master commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 and 58e9b6ad62c81cdf11d704859a227cb2902b creates conflicts due to rename of WBC_ID_TYPE_* -> ID_TYPE_*] --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 68 +++- source3/passdb/lookup_sid.c | 123 3 files changed, 168 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index ae39d7d1aac..b151df5266d 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=13 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7df21d367c1..6fe057c5b40 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,68 @@ + == + Release Notes for Samba 4.13.8 + April 29, 2021 + == + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +=== +Details +=== + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. + + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.13.7 + + +o Volker Lendecke + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + +
[SCM] Samba Shared Repository - branch v4-14-test updated
The branch, v4-14-test has been updated via c650f7738bf VERSION: Bump version up to 4.14.5. via 73195193503 Merge tag 'samba-4.14.4' into v4-14-test via e29fc62e1d6 VERSION: Disable GIT_SNAPSHOT for the 4.14.4 release. via 45f106c1218 WHATSNEW: Add release notes for Samba 4.14.4. via 55b8f31679b CVE-2021-20254 passdb: Simplify sids_to_unixids() via 77aa340ad8c VERSION: Bump version up to 4.14.4... from a8b9ea7e1aa VERSION: Bump version up to 4.14.4... https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test - Log - commit c650f7738bf12b8375a07bfc395686f6bf4d02ad Author: Karolin Seeger Date: Thu Apr 29 11:09:46 2021 +0200 VERSION: Bump version up to 4.14.5. Signed-off-by: Karolin Seeger commit 7319519350329db148959c6e4532aab390a2140f Merge: a8b9ea7e1aa e29fc62e1d6 Author: Karolin Seeger Date: Thu Apr 29 11:09:10 2021 +0200 Merge tag 'samba-4.14.4' into v4-14-test samba: tag release samba-4.14.4 --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 68 +++- source3/passdb/lookup_sid.c | 123 3 files changed, 168 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 23737d21667..94094eb0afb 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=14 -SAMBA_VERSION_RELEASE=4 +SAMBA_VERSION_RELEASE=5 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 71eff9a756c..8fa0ee3caf1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,68 @@ + == + Release Notes for Samba 4.14.4 + April 29, 2021 + == + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +=== +Details +=== + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. + + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.14.3 + + +o Volker Lendecke + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +== + + +Release notes for older releases follow: + + + == Release Notes for Samba 4.14.3 April 20, 2021 @@ -67,8 +132,7 @@ database (https://bugzilla.samba.org/). == -Release notes for older releases follow: - +-- == diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c index cf80a300189..0e01467b3cb 100644 ---
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via 8309630 CVE-2021-20254.html: ö -> from c84ca93 NEWS[4.14.4]: Samba 4.14.4, 4.13.8 and 4.12.15 Available for Download https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit 830963018dde9c16921921789ab4ae2b7b974fa3 Author: Karolin Seeger Date: Thu Apr 29 10:55:36 2021 +0200 CVE-2021-20254.html: ö -> Signed-off-by: Karolin Seeger --- Summary of changes: security/CVE-2021-20254.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Changeset truncated at 500 lines: diff --git a/security/CVE-2021-20254.html b/security/CVE-2021-20254.html index bf96419..1f766d8 100644 --- a/security/CVE-2021-20254.html +++ b/security/CVE-2021-20254.html @@ -40,7 +40,7 @@ cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. Most commonly this flaw caused the calling code to crash, but an alert -user (Peter Eriksson, IT Department, Linköping University) found this +user (Peter Eriksson, IT Department, Linkping University) found this flaw by noticing an unprivileged user was able to delete a file within a network share that they should have been disallowed access to. -- Samba Website Repository
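Review bot: The `+` line reads "Linkping University", so as shown the replacement drops the letter instead of re-encoding it. If the intent was an HTML character reference for "ö", please confirm that the committed file contains it and that the page renders "Linköping"; the commit subject "ö -> " has the same gap on its right-hand side.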
[SCM] Samba Website Repository - branch master updated
The branch, master has been updated via c84ca93 NEWS[4.14.4]: Samba 4.14.4, 4.13.8 and 4.12.15 Available for Download from 470c809 fix Lightspeed address https://git.samba.org/?p=samba-web.git;a=shortlog;h=master - Log - commit c84ca93f6eb37183b210b042486fd88a3fb6e97b Author: Karolin Seeger Date: Mon Apr 26 11:21:29 2021 +0200 NEWS[4.14.4]: Samba 4.14.4, 4.13.8 and 4.12.15 Available for Download Signed-off-by: Karolin Seeger --- Summary of changes: history/header_history.html | 3 + history/samba-4.12.15.html | 63 history/samba-4.13.8.html| 63 history/samba-4.14.4.html| 63 history/security.html| 19 + posted_news/20210429-080831.4.14.4.body.html | 22 ++ posted_news/20210429-080831.4.14.4.headline.html | 4 + security/CVE-2021-20254.html | 96 8 files changed, 333 insertions(+) create mode 100644 history/samba-4.12.15.html create mode 100644 history/samba-4.13.8.html create mode 100644 history/samba-4.14.4.html create mode 100644 posted_news/20210429-080831.4.14.4.body.html create mode 100644 posted_news/20210429-080831.4.14.4.headline.html create mode 100644 security/CVE-2021-20254.html Changeset truncated at 500 lines: diff --git a/history/header_history.html b/history/header_history.html index e7bf5c2..73047a3 100755 --- a/history/header_history.html +++ b/history/header_history.html @@ -9,10 +9,12 @@ Release Notes + samba-4.14.4 samba-4.14.3 samba-4.14.2 samba-4.14.1 samba-4.14.0 + samba-4.13.8 samba-4.13.7 samba-4.13.6 samba-4.13.5 @@ -21,6 +23,7 @@ samba-4.13.2 samba-4.13.1 samba-4.13.0 + samba-4.12.15 samba-4.12.14 samba-4.12.13 samba-4.12.12 diff --git a/history/samba-4.12.15.html b/history/samba-4.12.15.html new file mode 100644 index 000..907c80f --- /dev/null +++ b/history/samba-4.12.15.html 
@@ -0,0 +1,63 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xhtml;> + +Samba 4.12.15 - Release Notes + + +Samba 4.12.15 Available for Download + +https://download.samba.org/pub/samba/stable/samba-4.12.15.tar.gz;>Samba 4.12.15 (gzipped) +https://download.samba.org/pub/samba/stable/samba-4.12.15.tar.asc;>Signature + + +https://download.samba.org/pub/samba/patches/samba-4.12.14-4.12.15.diffs.gz;>Patch (gzipped) against Samba 4.12.14 +https://download.samba.org/pub/samba/patches/samba-4.12.14-4.12.15.diffs.asc;>Signature + + + + === + Release Notes for Samba 4.12.15 + April 29, 2021 + === + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +=== +Details +=== + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linkping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. + + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.12.14 +- + +o Volker Lendecke v...@samba.org + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + + + + + 
diff --git a/history/samba-4.13.8.html b/history/samba-4.13.8.html new file mode 100644 index 000..59c8ef3 --- /dev/null +++ b/history/samba-4.13.8.html @@ -0,0 +1,63 @@ +http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd;> +http://www.w3.org/1999/xh
[SCM] Samba Shared Repository - branch v4-12-stable updated
The branch, v4-12-stable has been updated via 703c6301013 VERSION: Disable GIT_SNAPSHOT for the 4.12.15 release. via 05214a24860 WHATSNEW: Add release notes for Samba 4.12.15. via 6a6a33274c0 CVE-2021-20254 passdb: Simplify sids_to_unixids() via 80c8c8552ed VERSION: Enable GIT_SNAPSHOT. via 70a4b0269e9 VERSION: Bump version up to 4.12.15... from 94c36535bfd WHATSNEW: Add release notes for Samba 4.12.14. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-12-stable - Log - commit 703c6301013f78e80882abfe8375d6a45a176b7f Author: Karolin Seeger Date: Mon Apr 26 13:38:31 2021 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.12.15 release. BUG 14571: CVE-2021-20254: Buffer overrun in sids_to_unixids(). Signed-off-by: Karolin Seeger commit 05214a2486061a3bf6c06a70a2016a2994bb37e3 Author: Karolin Seeger Date: Mon Apr 26 13:37:22 2021 +0200 WHATSNEW: Add release notes for Samba 4.12.15. Signed-off-by: Karolin Seeger commit 6a6a33274c0829bb48c280f65c06213a185bee81 Author: Volker Lendecke Date: Sat Feb 20 15:50:12 2021 +0100 CVE-2021-20254 passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571 
Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (backported from patch from master) [backport by npo...@samba.org as master commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 and 58e9b6ad62c81cdf11d704859a227cb2902b creates conflicts due to rename of WBC_ID_TYPE_* -> ID_TYPE_*] [backport by j...@samba.org to work around a compiler bug showing this error on gcc 5.6 -> 6.x, seen on Debian 9 and Ubuntu 16.04 under -O3: ../../source3/passdb/lookup_sid.c:1246:6: error: assuming pointer wraparound does not occur when comparing P +- C1 with P +- C2 [-Werror=strict-overflow]] commit 80c8c8552ed7522fadad7a861fda6594b47d02fa Author: Karolin Seeger Date: Mon Apr 26 13:20:37 2021 +0200 VERSION: Enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 70a4b0269e9573560d319591813f4e5ee4513fa2 Author: Stefan Metzmacher Date: Wed Mar 24 11:32:11 2021 +0100 VERSION: Bump version up to 4.12.15... GIT_SNAPSHOT is already 'yes'. Signed-off-by: Stefan Metzmacher (cherry picked from commit deb7b32b4372625211a4d6ba26e3d00223e903ca) --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 68 - source3/passdb/lookup_sid.c | 140 +--- 3 files changed, 185 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index b3cc915133d..01596d8c954 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=12 -SAMBA_VERSION_RELEASE=14 +SAMBA_VERSION_RELEASE=15 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index f3c64a7050c..d77b074f2a7 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,68 @@ + === + Release Notes for Samba 4.12.15 + April 29, 2021 + === + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +=== +Details +=== + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. + + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.12.14 +- + +o Volker
[SCM] Samba Shared Repository - annotated tag samba-4.12.15 created
The annotated tag, samba-4.12.15 has been created at d744541db986a2e6cdcbc2a9cb13edd64b0d025a (tag) tagging 703c6301013f78e80882abfe8375d6a45a176b7f (commit) replaces samba-4.12.14 tagged by Karolin Seeger on Mon Apr 26 13:42:29 2021 +0200 - Log - samba: tag release samba-4.12.15 Karolin Seeger (4): WHATSNEW: Add release notes for Samba 4.12.14. VERSION: Enable GIT_SNAPSHOT. WHATSNEW: Add release notes for Samba 4.12.15. VERSION: Disable GIT_SNAPSHOT for the 4.12.15 release. Stefan Metzmacher (1): VERSION: Bump version up to 4.12.15... Volker Lendecke (1): CVE-2021-20254 passdb: Simplify sids_to_unixids() --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-13-stable updated
The branch, v4-13-stable has been updated via 692d5287eaf VERSION: Disable GIT_SNAPSHOT for the 4.13.8 release. via dc853e700d4 WHATSNEW: Add release notes for Samba 4.13.8. via 39d9e71cfcf CVE-2021-20254 passdb: Simplify sids_to_unixids() via a44be607c9d VERSION: Enable GIT_SNAPSHOT. via 2f7500d3927 VERSION: Bump version up to 4.13.8... from bf1d38a7a16 WHATSNEW: Add release notes for Samba 4.13.7. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-stable - Log - commit 692d5287eaf0559777b8aeeef11e62549da06068 Author: Karolin Seeger Date: Mon Apr 26 13:09:58 2021 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.13.8 release. BUG 14571: CVE-2021-20254: Buffer overrun in sids_to_unixids(). Signed-off-by: Karolin Seeger commit dc853e700d4bb1d6faf4d2d8aac180d458d76c8b Author: Karolin Seeger Date: Mon Apr 26 12:45:26 2021 +0200 WHATSNEW: Add release notes for Samba 4.13.8. Signed-off-by: Karolin Seeger commit 39d9e71cfcff17395ba26c076e2dc5fe0ddc1d65 Author: Volker Lendecke Date: Sat Feb 20 15:50:12 2021 +0100 CVE-2021-20254 passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED Bug: https://bugzilla.samba.org/show_bug.cgi?id=14571 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (backported from patch from master) [backport by npo...@samba.org as master commit 493f5d6b078e0b0f80d1ef25043e2834cb4fcb87 and 58e9b6ad62c81cdf11d704859a227cb2902b creates conflicts due to rename of WBC_ID_TYPE_* -> ID_TYPE_*] commit a44be607c9d6dca5052e82d12d487e90376e2d28 Author: Karolin Seeger Date: Mon Apr 26 13:08:23 2021 +0200 VERSION: Enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger commit 2f7500d3927812bab01680e26bf1b49224e6bd2a Author: Stefan Metzmacher Date: Wed Mar 24 11:52:22 2021 +0100 VERSION: Bump version up to 4.13.8... GIT_SNAPSHOT is already 'yes'. 
Signed-off-by: Stefan Metzmacher (cherry picked from commit 5677103fe7b49ed7738d5df5e5231473c673e08c) --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 68 +++- source3/passdb/lookup_sid.c | 123 3 files changed, 168 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 9f3a9e91308..030268366fc 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=13 -SAMBA_VERSION_RELEASE=7 +SAMBA_VERSION_RELEASE=8 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 7df21d367c1..6fe057c5b40 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,68 @@ + == + Release Notes for Samba 4.13.8 + April 29, 2021 + == + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +=== +Details +=== + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. + + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.13.7 + + +o Volker Lendecke + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. +
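Review bot: The Changes entry "BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids()" does not match the Details text, which describes the code reading "data beyond the end of the array". "Buffer overrun" is usually read as a write past the end of a buffer; if the defect is the out-of-bounds read that Details describes, suggest wording the entry as "Fix out-of-bounds read in sids_to_unixids()" so that anyone triaging from the one-line summary rates it correctly. Details should also name sids_to_unixids() so the two sections can be matched without going through the bug number.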
[SCM] Samba Shared Repository - annotated tag samba-4.13.8 created
The annotated tag, samba-4.13.8 has been created at 69f2c1b0e1cb59656fb33a965d4756a3cb3bd6ab (tag) tagging 058aaad5f4a2399dc0c11b42a6650c251957f24d (commit) replaces samba-4.13.7 tagged by Karolin Seeger on Mon Apr 26 13:03:23 2021 +0200 - Log - samba: tag release samba-4.13.8 Karolin Seeger (1): WHATSNEW: Add release notes for Samba 4.13.8. Stefan Metzmacher (1): VERSION: Bump version up to 4.13.8... Volker Lendecke (1): CVE-2021-20254 passdb: Simplify sids_to_unixids() --- -- Samba Shared Repository
[SCM] Samba Shared Repository - branch v4-14-stable updated
The branch, v4-14-stable has been updated via e29fc62e1d6 VERSION: Disable GIT_SNAPSHOT for the 4.14.4 release. via 45f106c1218 WHATSNEW: Add release notes for Samba 4.14.4. via 55b8f31679b CVE-2021-20254 passdb: Simplify sids_to_unixids() via 77aa340ad8c VERSION: Bump version up to 4.14.4... from def81d0a59d VERSION: Disable GIT_SNAPSHOT for the 4.14.3 release. https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-stable - Log - commit e29fc62e1d60a1add177fca059d0d67dcf6a1866 Author: Karolin Seeger Date: Mon Apr 26 10:26:38 2021 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.14.4 release. BUG 14571: CVE-2021-20254: Buffer overrun in sids_to_unixids(). Signed-off-by: Karolin Seeger commit 45f106c121814c0166fe7f9905b55c05a67dbda0 Author: Karolin Seeger Date: Mon Apr 26 10:26:10 2021 +0200 WHATSNEW: Add release notes for Samba 4.14.4. Signed-off-by: Karolin Seeger commit 55b8f31679b57545d7808cae8527663d770b10bc Author: Volker Lendecke Date: Sat Feb 20 15:50:12 2021 +0100 CVE-2021-20254 passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED Add comments to explain the use of the three lookup loops. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14571 Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison (cherry-picked from commit for master) commit 77aa340ad8c22a1f3ea43c90fbcedf5a424de56b Author: Karolin Seeger Date: Mon Apr 19 09:57:25 2021 +0200 VERSION: Bump version up to 4.14.4... and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger (cherry picked from commit a8b9ea7e1aa4f526bd73baee45f0a3483c95381a) --- Summary of changes: VERSION | 2 +- WHATSNEW.txt| 68 +++- source3/passdb/lookup_sid.c | 123 3 files changed, 168 insertions(+), 25 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index fbdb45a2349..4b9426fa79b 100644 --- a/VERSION +++ b/VERSION 
@@ -25,7 +25,7 @@ SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=14 -SAMBA_VERSION_RELEASE=3 +SAMBA_VERSION_RELEASE=4 # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 71eff9a756c..8fa0ee3caf1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,68 @@ + == + Release Notes for Samba 4.14.4 + April 29, 2021 + == + + +This is a security release in order to address the following defect: + +o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries + in the Samba file server process token. + + +=== +Details +=== + +o CVE-2021-20254: + The Samba smbd file server must map Windows group identities (SIDs) into unix + group ids (gids). The code that performs this had a flaw that could allow it + to read data beyond the end of the array in the case where a negative cache + entry had been added to the mapping cache. This could cause the calling code + to return those values into the process token that stores the group + membership for a user. + + Most commonly this flaw caused the calling code to crash, but an alert user + (Peter Eriksson, IT Department, Linköping University) found this flaw by + noticing an unprivileged user was able to delete a file within a network + share that they should have been disallowed access to. + + Analysis of the code paths has not allowed us to discover a way for a + remote user to be able to trigger this flaw reproducibly or on demand, + but this CVE has been issued out of an abundance of caution. + + +Changes since 4.14.3 + + +o Volker Lendecke + * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids(). + + +### +Reporting bugs & Development Discussion +### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + +
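Review bot: The last Details paragraph ("this CVE has been issued out of an abundance of caution") reads as if no security impact had been observed, yet the paragraph before it reports an unprivileged user deleting a file in a share they should have been denied access to. Suggest separating the two statements: first say plainly that out-of-range values in the process token's group list can lead to wrong access decisions, as was observed, then say that no way to trigger the flaw reproducibly or on demand has been found. As written, a reader skimming for severity will take away only the "abundance of caution" sentence.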
[SCM] Samba Shared Repository - annotated tag samba-4.14.4 created
The annotated tag, samba-4.14.4 has been created at deeab6c9742780a4fcc8b73700625472f38248be (tag) tagging e29fc62e1d60a1add177fca059d0d67dcf6a1866 (commit) replaces samba-4.14.3 tagged by Karolin Seeger on Mon Apr 26 11:20:40 2021 +0200 - Log - samba: tag release samba-4.14.4 Karolin Seeger (3): VERSION: Bump version up to 4.14.4... WHATSNEW: Add release notes for Samba 4.14.4. VERSION: Disable GIT_SNAPSHOT for the 4.14.4 release. Volker Lendecke (1): CVE-2021-20254 passdb: Simplify sids_to_unixids() --- -- Samba Shared Repository