13674 – (CVE-2018-16851) [SECURITY] CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server

Bug 13674 (CVE-2018-16851) - [SECURITY] CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server

Summary: [SECURITY] CVE-2018-16851 NULL pointer de-reference in Samba AD DC LDAP server

Status:	RESOLVED FIXED

Alias:	CVE-2018-16851

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	13663
	Show dependency tree / graph

Reported:	2018-11-05 02:45 UTC by Garming Sam
Modified:	2018-11-29 07:51 UTC (History)
CC List:	7 users (show)

See Also:

Attachments
patch for master (1.28 KB, patch) 2018-11-05 03:30 UTC, Garming Sam	no flags	Details
security advisory text (1.86 KB, text/plain) 2018-11-05 22:20 UTC, Andrew Bartlett	no flags	Details
patch for master, 4.7, 4.8 and 4.9 with CVE (1.41 KB, patch) 2018-11-06 01:34 UTC, Andrew Bartlett	abartlet: review? (gary) gary: review+	Details
updated advisory with release versions (1.98 KB, text/plain) 2018-11-06 03:48 UTC, Andrew Bartlett	gary: review+	Details
updated advisory with CVE number (1.83 KB, text/plain) 2018-11-21 11:50 UTC, Karolin Seeger	no flags	Details
updated advisory with CVE number (1.98 KB, text/plain) 2018-11-21 11:52 UTC, Karolin Seeger	no flags	Details
Show Obsolete (4) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Garming Sam 2018-11-05 02:45:34 UTC

Comment 1 Garming Sam 2018-11-05 03:30:04 UTC

There is a talloc limit of around 256MB which means that we can't send this much data across LDAP (all messages are aggregated on a single context). This would be fine, except that we forgot the error check before using the memory. This means that a database which can return more than 256MB of LDAP encoded data can be made to crash.

Comment 2 Garming Sam 2018-11-05 03:30:59 UTC

Created attachment 14566 [details]
patch for master

Comment 3 Andrew Bartlett 2018-11-05 22:20:23 UTC

Created attachment 14567 [details]
security advisory text

Comment 4 Andrew Bartlett 2018-11-06 01:34:39 UTC

Created attachment 14577 [details]
patch for master, 4.7, 4.8 and 4.9 with CVE

Comment 5 Andrew Bartlett 2018-11-06 03:48:58 UTC

Created attachment 14596 [details]
updated advisory with release versions

Comment 6 Karolin Seeger 2018-11-16 10:35:51 UTC

Opening bug report for vendors.
Planned release date is Tuesday, November 27 2018.

Comment 7 Karolin Seeger 2018-11-21 11:50:21 UTC

Created attachment 14673 [details]
updated advisory with CVE number

Comment 8 Karolin Seeger 2018-11-21 11:52:54 UTC

Created attachment 14674 [details]
updated advisory with CVE number

Comment 9 Andrew Bartlett 2018-11-21 17:40:41 UTC

(In reply to Karolin Seeger from comment #8)
I don't see any change here.  What was the issue?

Comment 10 Andrew Bartlett 2018-11-23 04:53:54 UTC

The patch applies to Samba 4.5 (and likely most other versions).

Comment 11 Andrew Bartlett 2018-11-26 04:06:39 UTC

(In reply to Andrew Bartlett from comment #10)
I can also confirm the patch passes a full autobuild on the Catalyst Cloud against Samba 4.5.16.

Comment 12 Karolin Seeger 2018-11-27 09:44:44 UTC

Samba 4.9.3, 4.8.7 and 4.7.12 have been shipped to address this defect.

Comment 13 Karolin Seeger 2018-11-27 09:45:00 UTC

Pushed to autobuild-master.

Comment 14 Karolin Seeger 2018-11-29 07:51:30 UTC

Pushed to master.
Closing out bug report.

Thanks!