Bug 13674 (CVE-2018-16851) - [SECURITY] CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server
Summary: [SECURITY] CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server
Status: RESOLVED FIXED
Alias: CVE-2018-16851
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 13663
Reported: 2018-11-05 02:45 UTC by Garming Sam
Modified: 2018-11-29 07:51 UTC (History)
CC: 7 users

See Also:


Attachments
patch for master (1.28 KB, patch)
2018-11-05 03:30 UTC, Garming Sam
no flags Details
security advisory text (1.86 KB, text/plain)
2018-11-05 22:20 UTC, Andrew Bartlett
no flags Details
patch for master, 4.7, 4.8 and 4.9 with CVE (1.41 KB, patch)
2018-11-06 01:34 UTC, Andrew Bartlett
abartlet: review? (gary)
gary: review+
Details
updated advisory with release versions (1.98 KB, text/plain)
2018-11-06 03:48 UTC, Andrew Bartlett
gary: review+
Details
updated advisory with CVE number (1.83 KB, text/plain)
2018-11-21 11:50 UTC, Karolin Seeger
no flags Details
updated advisory with CVE number (1.98 KB, text/plain)
2018-11-21 11:52 UTC, Karolin Seeger
no flags Details

Description Garming Sam 2018-11-05 02:45:34 UTC
Comment 1 Garming Sam 2018-11-05 03:30:04 UTC
There is a talloc limit of around 256MB which means that we can't send this much data across LDAP (all messages are aggregated on a single context). This would be fine, except that we forgot the error check before using the memory. This means that a database which can return more than 256MB of LDAP encoded data can be made to crash.
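The defect class described in comment 1, shown as an added, self-contained example that is not Samba's code and not the patch attached to this bug: a constructed allocator stand-in (`ctx_alloc`, with a deliberately tiny `CTX_LIMIT` instead of talloc's real ~256MB cap) hands out memory from one context until the cap is reached, then returns NULL. `reply_append_unchecked` has the shape of the bug (the result is dereferenced without a check), and `reply_append_checked` is the hardened shape that reports the failure back to the caller so the server can return an LDAP error instead of crashing. All names and the accounting scheme are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Constructed stand-in for a talloc-style context with a total-size cap.
 * The cap is tiny here so the failure is easy to reach; the report
 * mentions a real talloc limit of around 256MB. */
#define CTX_LIMIT 1024

struct ctx {
    size_t used;   /* live bytes currently handed out from this context */
};

/* Allocate from the context; returns NULL once the cap would be exceeded.
 * This NULL is the case the original code forgot to handle. */
static void *ctx_alloc(struct ctx *c, size_t n)
{
    if (n > CTX_LIMIT - c->used) {
        return NULL;
    }
    void *p = calloc(1, n);
    if (p != NULL) {
        c->used += n;
    }
    return p;
}

/* Release memory obtained from ctx_alloc and give its bytes back. */
static void ctx_free(struct ctx *c, void *p, size_t n)
{
    free(p);
    c->used -= n;
}

/* Simplified "LDAP reply": every search-result entry is encoded into one
 * growing blob hanging off a single context, mirroring the aggregation
 * described in the bug report. */
struct reply {
    uint8_t *data;
    size_t len;
};

/* Vulnerable shape: the allocation result is used without a NULL check,
 * so a reply larger than the context cap dereferences NULL and the
 * process dies. Kept only to show the defect; never call it with a
 * request that can exceed CTX_LIMIT. */
static int reply_append_unchecked(struct ctx *c, struct reply *r,
                                  const uint8_t *entry, size_t n)
{
    uint8_t *buf = ctx_alloc(c, r->len + n);
    memcpy(buf, r->data, r->len);        /* NULL deref when ctx_alloc failed */
    memcpy(buf + r->len, entry, n);
    ctx_free(c, r->data, r->len);
    r->data = buf;
    r->len += n;
    return 0;
}

/* Fixed shape: check the allocation and hand the error to the caller,
 * leaving the reply built so far intact. */
static int reply_append_checked(struct ctx *c, struct reply *r,
                                const uint8_t *entry, size_t n)
{
    uint8_t *buf = ctx_alloc(c, r->len + n);
    if (buf == NULL) {
        return -1;   /* caller turns this into an LDAP error, not a crash */
    }
    memcpy(buf, r->data, r->len);
    memcpy(buf + r->len, entry, n);
    ctx_free(c, r->data, r->len);
    r->data = buf;
    r->len += n;
    return 0;
}

/* Encode `count` constructed entries of `entry_size` bytes into `r`.
 * Returns how many were appended; stops cleanly at the first allocation
 * failure instead of crashing. */
static size_t build_reply(struct reply *r, size_t entry_size, size_t count)
{
    struct ctx c = { 0 };
    uint8_t entry[64];
    memset(entry, 'A', sizeof entry);
    if (entry_size > sizeof entry) {
        entry_size = sizeof entry;
    }
    size_t appended = 0;
    for (size_t i = 0; i < count; i++) {
        if (reply_append_checked(&c, r, entry, entry_size) != 0) {
            break;
        }
        appended++;
    }
    return appended;
}

int main(void)
{
    struct reply r = { NULL, 0 };
    size_t n = build_reply(&r, 64, 100);
    printf("appended %zu entries (%zu bytes) before hitting the cap\n", n, r.len);
    free(r.data);
    return 0;
}
```

With the toy cap, growing the blob needs the old buffer and the new one live at the same time, so the checked version stops after 8 entries (512 bytes) and reports the failure; the unchecked version would have dereferenced NULL at that same point.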
Comment 2 Garming Sam 2018-11-05 03:30:59 UTC
Created attachment 14566 [details]
patch for master
Comment 3 Andrew Bartlett 2018-11-05 22:20:23 UTC
Created attachment 14567 [details]
security advisory text
Comment 4 Andrew Bartlett 2018-11-06 01:34:39 UTC
Created attachment 14577 [details]
patch for master, 4.7, 4.8 and 4.9 with CVE
Comment 5 Andrew Bartlett 2018-11-06 03:48:58 UTC
Created attachment 14596 [details]
updated advisory with release versions
Comment 6 Karolin Seeger 2018-11-16 10:35:51 UTC
Opening bug report for vendors.
Planned release date is Tuesday, November 27 2018.
Comment 7 Karolin Seeger 2018-11-21 11:50:21 UTC
Created attachment 14673 [details]
updated advisory with CVE number
Comment 8 Karolin Seeger 2018-11-21 11:52:54 UTC
Created attachment 14674 [details]
updated advisory with CVE number
Comment 9 Andrew Bartlett 2018-11-21 17:40:41 UTC
(In reply to Karolin Seeger from comment #8)
I don't see any change here. What was the issue?
Comment 10 Andrew Bartlett 2018-11-23 04:53:54 UTC
The patch applies to Samba 4.5 (and likely most other versions).
Comment 11 Andrew Bartlett 2018-11-26 04:06:39 UTC
(In reply to Andrew Bartlett from comment #10)
I can also confirm the patch passes a full autobuild on the Catalyst Cloud against Samba 4.5.16.
Comment 12 Karolin Seeger 2018-11-27 09:44:44 UTC
Samba 4.9.3, 4.8.7 and 4.7.12 have been shipped to address this defect.
Comment 13 Karolin Seeger 2018-11-27 09:45:00 UTC
Pushed to autobuild-master.
Comment 14 Karolin Seeger 2018-11-29 07:51:30 UTC
Pushed to master.
Closing out bug report.

Thanks!