Bug 12438 (CVE-2019-14833) - CVE-2019-14833 [SECURITY] Accent with "check password script"
Summary: CVE-2019-14833 [SECURITY] Accent with "check password script"
Status: RESOLVED FIXED
Alias: CVE-2019-14833
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.5.1
Hardware: x64 Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14162
  Show dependency treegraph
 
Reported: 2016-11-19 16:14 UTC by Simon Fonteneau
Modified: 2021-03-25 20:02 UTC (History)
4 users (show)

See Also:


Attachments
patch for master (v1) (5.55 KB, patch)
2019-09-18 23:57 UTC, Andrew Bartlett
bbaumbach: review+
metze: review+
Details
CVE-2019-14833 advisory (2.21 KB, text/plain)
2019-09-30 11:56 UTC, Björn Baumbach
metze: review+
bbaumbach: review+
Details
backported patch for 4.11 (5.53 KB, patch)
2019-09-30 14:23 UTC, Björn Baumbach
metze: review+
bbaumbach: review+
bbaumbach: ci-passed+
Details
backported patch for 4.10 (5.73 KB, patch)
2019-10-02 11:53 UTC, Björn Baumbach
metze: review+
bbaumbach: review+
bbaumbach: ci-passed+
Details
backported patch for 4.9 (5.69 KB, patch)
2019-10-14 07:57 UTC, Björn Baumbach
metze: review+
bbaumbach: review+
bbaumbach: ci-passed+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Fonteneau 2016-11-19 16:14:19 UTC
I want to report a bug with the check_script_password function.
The function does not behave normally when an accent is in the password.

In this case, characters disappear.

exemple, password : ééèè

Gives in script : éé
Comment 1 Andrew Bartlett 2019-09-06 19:00:17 UTC
Sorry for the delay picking this up. 

Björn Baumbach realised this is a security issue so we will be getting a CVE for it.
Comment 2 Andrew Bartlett 2019-09-18 23:57:13 UTC
Created attachment 15477 [details]
patch for master (v1)

This patch addresses the issue, renames a confusing variable and modifies our test to show the issue is found and fixed.
Comment 3 Björn Baumbach 2019-09-30 11:56:25 UTC
Created attachment 15502 [details]
CVE-2019-14833 advisory
Comment 4 Björn Baumbach 2019-09-30 12:49:36 UTC
Thanks to Andrew and Garming for the CVSSv3 calculation. I've added this to the advisory.

https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N&version=3.1
Comment 5 Björn Baumbach 2019-09-30 14:23:07 UTC
Created attachment 15503 [details]
backported patch for 4.11
Comment 6 Björn Baumbach 2019-10-02 11:53:56 UTC
Created attachment 15506 [details]
backported patch for 4.10
Comment 7 Björn Baumbach 2019-10-14 07:57:09 UTC
Created attachment 15531 [details]
backported patch for 4.9
Comment 8 Björn Baumbach 2019-10-16 11:03:10 UTC
Comment on attachment 15502 [details]
CVE-2019-14833 advisory

Correct release version numbers are missing, but the text is complete.
Comment 9 Andrew Bartlett 2019-10-16 17:49:01 UTC
(In reply to Björn Baumbach from comment #8)
It is up to Karolin to set a date but it looks like the soonest possible
will be 4.9.15, 4.10.10 and 4.11.2.
Comment 10 Karolin Seeger 2019-10-17 07:22:03 UTC
Planned release date: Tuesday, October 29
Opening bug report for vendors.
Comment 11 Karolin Seeger 2019-10-29 10:06:18 UTC
Samba 4.11.2, 4.10.10 and 4.9.15 have been released to address this defect.
Comment 12 Karolin Seeger 2019-10-29 10:15:43 UTC
Pushed to v4-{11,10,9}-test.
Pushed to autobuild-master.
Comment 13 Karolin Seeger 2019-10-30 09:45:46 UTC
(In reply to Karolin Seeger from comment #12)
Pushed to master.
Closing out bug report.

Thanks!
Comment 14 Andrew Bartlett 2019-11-03 21:43:12 UTC
Removing embargo, all important details here are in the advisory and this was a public bug to start with. 

Removing vendor alias now this is public.  If you (as a vendor) wish to still track this, please CC individually.