Bug 13552 (CVE-2018-10918) - [SECURITY] [CVE-2018-10918] - DsCrackNames on a user without an SPN can trigger NULL-pointer de-reference
Status: RESOLVED FIXED
Alias: CVE-2018-10918
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.8.0
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 12842 13509
Reported: 2018-07-29 23:07 UTC by Andrew Bartlett
Modified: 2018-08-24 09:40 UTC
CC List: 6 users

See Also:


Attachments
patch for master (3.26 KB, patch) - 2018-07-30 02:51 UTC, Andrew Bartlett - gary: review+
proposed CVE text (needs CVE) (1.59 KB, text/plain) - 2018-07-30 02:51 UTC, Andrew Bartlett - gary: review+
patch for master (1.59 KB, patch) - 2018-07-30 03:07 UTC, Andrew Bartlett - no flags
patch for master (3.31 KB, patch) - 2018-07-30 03:07 UTC, Andrew Bartlett - gary: review+
CVE text updated with CVE number. (1.63 KB, text/plain) - 2018-08-07 23:45 UTC, Jeremy Allison - gary: review+, abartlet: review+

Comment 1 Andrew Bartlett 2018-07-30 02:51:03 UTC
Created attachment 14359
patch for master
Comment 2 Andrew Bartlett 2018-07-30 02:51:30 UTC
Created attachment 14360
proposed CVE text (needs CVE)
Comment 3 Andrew Bartlett 2018-07-30 02:54:00 UTC
Can I (urgently) get a CVE for this.  Our next security release needs to be locked in on 1 August and I would like this included.

Thanks!
Comment 4 Andrew Bartlett 2018-07-30 03:07:16 UTC
Created attachment 14361
patch for master
Comment 5 Andrew Bartlett 2018-07-30 03:07:50 UTC
Created attachment 14362
patch for master
Comment 6 Andrew Bartlett 2018-07-30 04:08:50 UTC
The master patch applies to 4.7 and 4.8 also.
Comment 7 Jeremy Allison 2018-07-31 20:16:27 UTC
CVE number requested from secalert@redhat.com.
Comment 8 Jeremy Allison 2018-08-01 16:14:52 UTC
CVE-2018-10918 assigned by Red Hat product security.
Comment 11 Nagendra.V.S 2018-08-07 13:11:44 UTC
The CVE text still contains the placeholder (XXXX) in the CVE id:

CVE-2018-XXXX
Comment 12 Jeremy Allison 2018-08-07 23:45:21 UTC
Created attachment 14401
CVE text updated with CVE number.
Comment 13 Karolin Seeger 2018-08-14 08:45:34 UTC
Samba 4.8.4, 4.9.7 and 4.6.16 have been released in order to address these defects.
Comment 14 Karolin Seeger 2018-08-14 08:59:25 UTC
(In reply to Karolin Seeger from comment #13)
Meant 4.7.9 of course, and 4.6.16 is not affected by this issue.
Comment 15 Karolin Seeger 2018-08-14 10:11:02 UTC
Pushed to autobuild-v4-9-test and autobuild-master.
Comment 16 Andrew Bartlett 2018-08-14 22:20:29 UTC
Opening up bug. Redacted original description.

My elaboration was:

Likely due to elements being NULL here:

case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
	/* a user with no servicePrincipalName returns no elements, so
	 * result->elements is NULL and elements[0] dereferences it */
	if (result->elements[0].num_values > 1) {
		info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
		return WERR_OK;
	}
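To illustrate the failure mode and the guard that prevents it, here is an added example (not Samba's code and not the patch attached to this bug): constructed stand-ins for the search result, with a checked version of the servicePrincipalName branch quoted above that returns a not-found status instead of indexing a NULL elements array. Struct names, the status enum and the sample results are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the search result that DsCrackNames inspects.
 * Field names follow ldb_message (num_elements, elements, num_values), but
 * these types and the status enum are defined here for the example only. */
struct attr_element {
	const char *name;
	unsigned int num_values;
};

struct search_result {
	unsigned int num_elements;      /* 0 when no requested attribute is set */
	struct attr_element *elements;  /* NULL in that case: the trigger for the bug */
};

enum crack_status { CRACK_OK, CRACK_NOT_FOUND, CRACK_NOT_UNIQUE };

/* Checked form of the servicePrincipalName branch. The quoted code read
 * result->elements[0] unconditionally; a user with no SPN comes back with
 * no elements, so that read dereferenced NULL. Testing the element count
 * first turns the crash into an ordinary not-found result. */
static enum crack_status spn_crack_status(const struct search_result *result)
{
	if (result == NULL || result->num_elements == 0 || result->elements == NULL) {
		return CRACK_NOT_FOUND;
	}
	if (result->elements[0].num_values > 1) {
		return CRACK_NOT_UNIQUE;
	}
	return CRACK_OK;
}

/* Three constructed lookups: a user with no SPN, one SPN, and two SPNs. */
static struct attr_element one_spn  = { "servicePrincipalName", 1 };
static struct attr_element two_spns = { "servicePrincipalName", 2 };
static struct search_result no_spn_user  = { 0, NULL };
static struct search_result one_spn_user = { 1, &one_spn };
static struct search_result two_spn_user = { 1, &two_spns };

int main(void)
{
	printf("no SPN:   status %d (NOT_FOUND is %d)\n", spn_crack_status(&no_spn_user), CRACK_NOT_FOUND);
	printf("one SPN:  status %d (OK is %d)\n", spn_crack_status(&one_spn_user), CRACK_OK);
	printf("two SPNs: status %d (NOT_UNIQUE is %d)\n", spn_crack_status(&two_spn_user), CRACK_NOT_UNIQUE);
	return 0;
}
```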
Comment 17 Karolin Seeger 2018-08-24 09:40:42 UTC
Pushed to both branches.
Closing out bug report.

Thanks!