The Samba-Bugzilla – Attachment 14621 Details for
Bug 13663
[SECURITY] Upcoming 2018 AD Security release
[patch]
combined patch for 4.7 (v8)
2018-11-v4-7-CVEs.patch (text/plain), 11.31 KB, created by
Andrew Bartlett
on 2018-11-07 03:59:48 UTC
Description:
combined patch for 4.7 (v8)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2018-11-07 03:59:48 UTC
Size:
11.31 KB
patch
obsolete
>From d3b52c8a1866a63a54497da9931fa606b77d089a Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 6 Nov 2018 13:32:05 +1300
>Subject: [PATCH 1/5] CVE-2018-16853 build: The Samba AD DC, when build with
> MIT Kerberos is experimental
>
>This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>---
> wscript | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
>diff --git a/wscript b/wscript
>index 542a60cf819..c9a4de4982b 100644
>--- a/wscript
>+++ b/wscript
>@@ -52,6 +52,14 @@ def set_options(opt):
> help='build Samba with system MIT Kerberos. ' +
> 'You may specify list of paths where Kerberos is installed (e.g. /usr/local /usr/kerberos) to search krb5-config',
> action='callback', callback=system_mitkrb5_callback, dest='with_system_mitkrb5', default=False)
>+
>+ opt.add_option('--with-experimental-mit-ad-dc',
>+ help='Enable the experimental MIT Kerberos-backed AD DC. ' +
>+ 'Note that security patches are not issued for this configuration',
>+ action='store_true',
>+ dest='with_experimental_mit_ad_dc',
>+ default=False)
>+
> opt.add_option('--with-system-mitkdc',
> help=('Specify the path to the krb5kdc binary from MIT Kerberos'),
> type="string",
>@@ -165,7 +173,16 @@ def configure(conf):
> conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
>
> if Options.options.with_system_mitkrb5:
>+ if not Options.options.with_experimental_mit_ad_dc and \
>+ not Options.options.without_ad_dc:
>+ raise Utils.WafError('The MIT Kerberos build of Samba as an AD DC ' +
>+ 'is experimental. Therefore '
>+ '--with-system-mitkrb5 requires either ' +
>+ '--with-experimental-mit-ad-dc or ' +
>+ '--without-ad-dc')
>+
> conf.PROCESS_SEPARATE_RULE('system_mitkrb5')
>+
> if not (Options.options.without_ad_dc or Options.options.with_system_mitkrb5):
> conf.DEFINE('AD_DC_BUILD_IS_ENABLED', 1)
>
>--
>2.11.0
>
>
>From 66e4fadb1363f52afc0620fa21bc82a609aa8237 Mon Sep 17 00:00:00 2001
>From: Garming Sam <garming@catalyst.net.nz>
>Date: Mon, 5 Nov 2018 16:18:18 +1300
>Subject: [PATCH 2/5] CVE-2018-16851 ldap_server: Check ret before manipulating
> blob
>
>In the case of hitting the talloc ~256MB limit, this causes a crash in
>the server.
>
>Note that you would actually need to load >256MB of data into the LDAP.
>Although there is some generated/hidden data which would help you reach that
>limit (descriptors and RMD blobs).
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
>
>Signed-off-by: Garming Sam <garming@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>---
> source4/ldap_server/ldap_server.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
>diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
>index d9f24e0817c..e5e9688ed98 100644
>--- a/source4/ldap_server/ldap_server.c
>+++ b/source4/ldap_server/ldap_server.c
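Review bot: The new `raise Utils.WafError(...)` message mixes `+` concatenation with implicit adjacent-literal concatenation: the `+` is missing after `'is experimental. Therefore '`. Python joins adjacent string literals, so the resulting message is still one string, but the line reads like a dropped operator and a later editor who "completes" it with a comma would silently turn the rest of the message into a second positional argument. Make the style uniform, `'is experimental. Therefore ' +`, or drop the `+` on every line and rely on adjacent literals throughout. The `--with-experimental-mit-ad-dc` option this check reads is defined in the earlier hunk of this file.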
>@@ -669,13 +669,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
> ret = data_blob_append(call, &blob, b.data, b.length);
> data_blob_free(&b);
>
>- talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
>-
> if (!ret) {
> ldapsrv_terminate_connection(conn, "data_blob_append failed");
> return;
> }
>
>+ talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
>+
> DLIST_REMOVE(call->replies, call->replies);
> }
>
>--
>2.11.0
>
>
>From e50ac271a4a5279d13e0791f1dfc78288d101ab6 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 23 Oct 2018 17:33:46 +1300
>Subject: [PATCH 3/5] CVE-2018-16841 heimdal: Fix segfault on PKINIT with
> mis-matching principal
>
>In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
>mem_ctx.
>
>This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
>MIT KDC effort.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>---
> source4/kdc/db-glue.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
>diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
>index 9ac5a1d38f0..4d7ac333fcc 100644
>--- a/source4/kdc/db-glue.c
>+++ b/source4/kdc/db-glue.c
>@@ -2578,10 +2578,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
> * comparison */
> if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
> talloc_free(mem_ctx);
>-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
>- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
>-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
>+#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
> return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
>+#else /* Heimdal (where this is an enum) */
>+ return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
> #endif
> }
>
>--
>2.11.0
>
>
>From d7e1e127138621c732e4e8e3440eb9c66f1df111 Mon Sep 17 00:00:00 2001
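Review bot: Nothing at the moved `talloc_set_name_const` line records why it has to stay below the `if (!ret)` check, so a later tidy-up could move it back next to the `data_blob_append` call and reintroduce exactly the crash this commit fixes. A one-line comment above it would pin the ordering: `/* CVE-2018-16851: blob.data is only safe to touch once data_blob_append succeeded */`. Whether `blob.data` can still be NULL after a successful append of a zero-length `b` is not visible here; if the encoder can ever hand back an empty blob, the call would also need a NULL guard. ldapsrv_call_writev_start begins and ends outside the hunk.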
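Review bot: The `#else` branch in `samba_kdc_check_pkinit_ms_upn_match` is now the fallback for every build where the MIT macro is absent, not just Heimdal, and its comment does not say why the obvious `#ifdef` form cannot be used. Spell it out so nobody "simplifies" it back to the form that produced the double free described in the commit message: `#else /* Heimdal: KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enumerator, so #ifdef can never see it */`. On a library defining neither name this branch would now fail to compile at the `return`, which is preferable to the old behaviour of falling out of the block after `talloc_free(mem_ctx)`. The function continues outside the hunk.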
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Wed, 24 Oct 2018 15:41:28 +1300
>Subject: [PATCH 4/5] CVE-2018-16841 selftest: Check for mismatching principal
> in certficate compared with principal in AS-REQ
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
>---
> testprogs/blackbox/test_pkinit_heimdal.sh | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
>diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
>index 0a13aa293e7..0912e0dbfe8 100755
>--- a/testprogs/blackbox/test_pkinit_heimdal.sh
>+++ b/testprogs/blackbox/test_pkinit_heimdal.sh
>@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque
> testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
> test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
>
>+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
>+
>+testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
>+
> testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
> testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
> test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
>
>+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
>+
>+testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
>+
> testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
> testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
> test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
>--
>2.11.0
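Review bot: The last added `testit_expect_failure` line passes `$SERVER$@$REALM`, which the shell expands as `$SERVER`, then `$@` (the script's positional parameters), then `$REALM`; the matching non-enterprise case earlier in this hunk uses `$SERVER@$REALM`. kinit therefore receives `<server><realm>` (or the script's arguments spliced in as extra words) rather than `<server>@<realm>`, so the case fails for the wrong reason — a malformed name — and does not exercise the enterprise-name mismatch its label claims. Change it to `--enterprise $SERVER@$REALM`. Expected-failure cases are worth a second look precisely because any typo makes them "pass".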
>
>
>From e67e9d75fd5244818e3256467c199ad2cc6e5292 Mon Sep 17 00:00:00 2001
>From: Aaron Haslett <aaronhaslett@catalyst.net.nz>
>Date: Tue, 23 Oct 2018 17:25:51 +1300
>Subject: [PATCH 5/5] CVE-2018-14629 dns: CNAME loop prevention using counter
>
>Count number of answers generated by internal DNS query routine and stop at
>20 to match Microsoft's loop prevention mechanism.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
>
>Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
>Reviewed-by: Andrew Bartlett <abartlet@samba.org>
>Reviewed-by: Garming Sam <garming@catalyst.net.nz>
>---
> python/samba/tests/dns.py | 24 ++++++++++++++++++++++++
> selftest/knownfail.d/dns | 6 ++++++
> source4/dns_server/dns_query.c | 6 ++++++
> 3 files changed, 36 insertions(+)
>
>diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
>index 1b5b64da3a4..3390a3990c9 100644
>--- a/python/samba/tests/dns.py
>+++ b/python/samba/tests/dns.py
>@@ -798,6 +798,30 @@ class TestComplexQueries(DNSTest):
> self.assertEquals(response.answers[1].name, name2)
> self.assertEquals(response.answers[1].rdata, name0)
>
>+ def test_cname_loop(self):
>+ cname1 = "cnamelooptestrec." + self.get_dns_domain()
>+ cname2 = "cnamelooptestrec2." + self.get_dns_domain()
>+ cname3 = "cnamelooptestrec3." + self.get_dns_domain()
>+ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
>+ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
>+ self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME)
>+
>+ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
>+ questions = []
>+
>+ q = self.make_name_question(cname1,
>+ dns.DNS_QTYPE_A,
>+ dns.DNS_QCLASS_IN)
>+ questions.append(q)
>+ self.finish_name_packet(p, questions)
>+
>+ (response, response_packet) =\
>+ self.dns_transaction_udp(p, host=self.server_ip)
>+
>+ max_recursion_depth = 20
>+ self.assertEquals(len(response.answers), max_recursion_depth)
>+
>+
> class TestInvalidQueries(DNSTest):
> def setUp(self):
> super(TestInvalidQueries, self).setUp()
>diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
>index cb3003240ea..8c79b3abe00 100644
>--- a/selftest/knownfail.d/dns
>+++ b/selftest/knownfail.d/dns
>@@ -45,3 +45,9 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
>
> # The SOA override should not pass against the RODC, it must not overstamp
> samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
>+
>+#
>+# rodc and vampire_dc require signed dns updates, so the test setup
>+# fails, but the test does run on fl2003dc
>+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
>+^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
>diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
>index e8de304c8bb..fafadb6ac6f 100644
>--- a/source4/dns_server/dns_query.c
>+++ b/source4/dns_server/dns_query.c
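Review bot: `test_cname_loop` creates three CNAME records with `make_dns_update` and never removes them, so after it has run the loop `cnamelooptestrec.` → `cnamelooptestrec2.` → `cnamelooptestrec3.` → back stays in the zone for every later test in the same environment; unless `DNSTest.tearDown` cleans up (not visible here), add matching deletions at the end of the test. The expected count `max_recursion_depth = 20` repeats the server-side limit by value, so a comment such as `# must match MAX_Q_RECURSION_DEPTH in source4/dns_server/dns_query.c` would keep the two in step, and an assertion that every returned answer is a CNAME would show the test is observing loop cut-off rather than some other 20-record response. `assertEquals` is the deprecated alias of `assertEqual`, though the surrounding context lines use it too.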
>@@ -40,6 +40,7 @@
>
> #undef DBGC_CLASS
> #define DBGC_CLASS DBGC_DNS
>+#define MAX_Q_RECURSION_DEPTH 20
>
> struct forwarder_string {
> const char *forwarder;
>@@ -470,6 +471,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
> state->answers = answers;
> state->nsrecs = nsrecs;
>
>+ if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
>+ tevent_req_done(req);
>+ return tevent_req_post(req, ev);
>+ }
>+
> resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
> ((question->question_type == DNS_QTYPE_A) ||
> (question->question_type == DNS_QTYPE_AAAA)));
>--
>2.11.0
>
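Review bot: The new guard in `handle_dnsrpcrec_send` counts every entry already in `*answers`, not the depth of CNAME chasing, so if this function is entered once per record (its name and the `rec->wType` test suggest so, but the callers are outside the hunk) a name that legitimately owns 20 or more records of the queried type would also stop being answered here. If that is the case, the cap belongs on the `resolve_cname` path only, or `state` should carry a counter that increments per CNAME hop instead of using `talloc_array_length(*answers)`. The macro in the first hunk also deserves a comment tying the value to its origin, `/* Windows DNS stops following CNAME chains after 20 answers; match it to bound loops (CVE-2018-14629) */`. Since `tevent_req_done` reports success here, a debug-level log line at the cut-off would make a looping zone visible in the logs instead of silently returning a truncated answer set.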
Flags:
abartlet
:
review?
(
gary
)
dbagnall
:
review+
abartlet
:
review+