===========================================================
== Subject:     Use after free during DNS zone scavenging
==              in Samba AD DC
==
== CVE ID#:     CVE-2019-19344
==
== Versions:    Samba 4.9 and later versions
==
== Summary:     During DNS zone scavenging (of expired dynamic
==              entries) there is a read of memory after it has
==              been freed.
===========================================================

===========
Description
===========

Samba 4.9 introduced an off-by-default feature to tombstone
dynamically created DNS records that had reached their expiry
time. This feature is controlled by the smb.conf option:

  dns zone scavenging = yes

There is a use-after-free issue in this code, essentially due to a
call to realloc() while other local variables still point at the
original buffer.

The use is a read, but under quite unlikely conditions (due to NDR
validation unpacking the buffer) the memory read might be saved back
into the DB.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases
to correct the defect. Samba administrators are advised to upgrade
to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The code in question is not run in the default configuration, so the
workaround is simply to not set:

  dns zone scavenging = yes

=======
Credits
=======

Originally reported by Christian Naumer.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
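The bug class named in the Description (a local pointer into a buffer that realloc() then moves) is illustrated below with an added C example that is not Samba's code: a hypothetical record table (struct table, table_append, scavenge are all constructed names) is grown with realloc() from inside a scavenge loop, and the loop keeps only an index across the growing call, re-deriving the record pointer afterwards instead of reading through a stale one.

```c
#include <limits.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record table standing in for a zone's dynamic records;
   not Samba's structures. */
struct rec { char name[32]; long expiry; int tombstoned; };
struct table { struct rec *items; size_t count, cap; };

/* Append one record, growing the array with realloc(). After a successful
   realloc() every pointer into the old buffer is dangling, so callers may
   keep only indices across this call and must re-derive pointers after it. */
int table_append(struct table *t, const char *name, long expiry)
{
    if (t->count == t->cap) {
        size_t ncap = t->cap ? t->cap * 2 : 2;
        struct rec *n = realloc(t->items, ncap * sizeof *n);
        if (n == NULL)
            return -1;
        t->items = n;           /* old buffer is gone from here on */
        t->cap = ncap;
    }
    struct rec *r = &t->items[t->count++];
    memset(r, 0, sizeof *r);
    strncpy(r->name, name, sizeof r->name - 1);
    r->expiry = expiry;
    return 0;
}

/* Tombstone every record whose expiry is <= now. For each one, a constructed
   bookkeeping entry is appended to the same table, which may realloc() it.
   Unsafe variant of this loop: take `struct rec *r = &t->items[i];` before
   table_append() and read r afterwards; that is the use-after-free pattern.
   Returns the number tombstoned, or -1 on allocation failure. */
int scavenge(struct table *t, long now)
{
    int done = 0;
    size_t n = t->count;        /* snapshot: do not scan entries added below */
    for (size_t i = 0; i < n; i++) {
        if (t->items[i].tombstoned || t->items[i].expiry > now)
            continue;
        if (table_append(t, "tombstone-marker", LONG_MAX) < 0)
            return -1;
        struct rec *r = &t->items[i];   /* re-derived after the possible move */
        r->tombstoned = 1;
        done++;
    }
    return done;
}

void table_free(struct table *t) { free(t->items); t->items = NULL; t->count = t->cap = 0; }
```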