Samba will crash with:

bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD

This is because the search_options control data is not a correct talloc child of the control, so when VLV and paged_results try to steal the control, the data is not kept with it, showing a use-after-free.

Impacts Samba 4.5 and later (presumably, not yet tested) due to the VLV design that was then copied to paged_results in Samba 4.10.

Originally reported by Andrei Popa <andrei.popa@next-gen.ro> but not fully diagnosed (we found other issues, bug 14331 / CVE-2020-10700, instead). Re-raised by an anonymous Samba user.

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
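The ownership problem described in the report, as an added example that is not Samba or libtalloc code: a small stand-in for talloc's parent/child tree (the node type and the t_alloc, t_steal, t_free, t_destroy and control_data_survives helpers are all constructed for this illustration) shows why stealing the control into a module's long-lived state does not carry along data that was allocated under a different parent, and why making the data a child of the control keeps it alive. Nodes are only marked freed rather than released, so the dangling case can be inspected without undefined behaviour.

```c
#include <stdlib.h>
#include <stdio.h>

/* Toy model of talloc's ownership tree, constructed for this example (it is
 * not libtalloc and not Samba code). Each node has one parent; freeing a
 * node frees its whole subtree; "steal" re-parents a node together with its
 * subtree but not its siblings. */
typedef struct node {
    struct node *parent;
    struct node *first_child;
    struct node *next_sibling;
    const char *name;
    struct node *data;   /* models ldb_control->data pointing at the control's payload */
    int freed;           /* set instead of really freeing, so we can inspect it */
} node;

static node *t_alloc(node *parent, const char *name)
{
    node *n = calloc(1, sizeof *n);
    if (n == NULL) abort();
    n->name = name;
    n->parent = parent;
    if (parent != NULL) {
        n->next_sibling = parent->first_child;
        parent->first_child = n;
    }
    return n;
}

/* Detach n from its current parent's child list. */
static void t_unlink(node *n)
{
    if (n->parent == NULL) return;
    node **pp = &n->parent->first_child;
    while (*pp != NULL && *pp != n) pp = &(*pp)->next_sibling;
    if (*pp == n) *pp = n->next_sibling;
    n->parent = NULL;
    n->next_sibling = NULL;
}

/* Like talloc_steal(new_parent, n): n and everything under it moves. */
static void t_steal(node *new_parent, node *n)
{
    t_unlink(n);
    n->parent = new_parent;
    n->next_sibling = new_parent->first_child;
    new_parent->first_child = n;
}

/* Like talloc_free(n): the whole subtree is gone for the caller. */
static void t_free(node *n)
{
    for (node *c = n->first_child; c != NULL; c = c->next_sibling) t_free(c);
    n->freed = 1;
}

/* Release the toy nodes' real memory once inspection is done. */
static void t_destroy(node *n)
{
    node *c = n->first_child;
    while (c != NULL) { node *next = c->next_sibling; t_destroy(c); c = next; }
    free(n);
}

/* Models a module (paged_results / vlv) stealing the control into its own
 * long-lived state, after which the original request is freed. Returns 1 if
 * ctrl->data is still alive afterwards, 0 if it dangles. */
int control_data_survives(int data_is_child_of_control)
{
    node *req  = t_alloc(NULL, "ldb_request");
    node *ctrl = t_alloc(req, "ldb_control (search_options)");
    /* Bug: data allocated under the request, not the control. Fix: under the control. */
    node *data = t_alloc(data_is_child_of_control ? ctrl : req, "search_options data");
    ctrl->data = data;

    node *module_state = t_alloc(NULL, "paged_results private state");
    t_steal(module_state, ctrl);   /* control kept for later pages */
    t_free(req);                   /* first request completes */

    int alive = (ctrl->data->freed == 0);
    printf("data child of %s: ctrl->data is %s after the request is freed\n",
           data_is_child_of_control ? "control" : "request",
           alive ? "alive" : "dangling (use-after-free)");

    t_destroy(req);
    t_destroy(module_state);
    return alive;
}

int main(void)
{
    control_data_survives(0);   /* the reported bug */
    control_data_survives(1);   /* correct talloc parenting */
    return 0;
}
```

The same reasoning applies to any talloc_steal of a structure that holds raw pointers: only the stolen pointer's own talloc subtree moves, so every pointer inside it must point at a descendant (or at something with an independent, longer lifetime) for the steal to be safe.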
Created attachment 16021 [details] initial patch for master
Created attachment 16022 [details] Advisory v1 with CVE number. Still needs release versions
Created attachment 16023 [details] patch for master (v1)
Comment on attachment 16022 [details] Advisory v1 with CVE number. Still needs release versions

"(however this will use more memory, may allow resource exhaustion)"

Maybe reword this to "(however this will use more memory, and may cause resource exhaustion)".
Comment on attachment 16023 [details] patch for master (v1) Does not currently apply to master. But changes look good. Do we have a reproducer for the original triggering case?
(In reply to Gary Lockyer from comment #5) Sorry, the patch is on top of your other work, and includes the triggering case (confirmed).
Created attachment 16024 [details] patch for master to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Created attachment 16025 [details] patch for 4.12 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Created attachment 16026 [details] patch for 4.11 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Created attachment 16027 [details] patch for 4.10 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Created attachment 16028 [details] patch for 4.5 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2)
Created attachment 16029 [details] Advisory v2 with CVE number. Still needs release versions
Comment on attachment 16027 [details] patch for 4.10 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2) (CI still pending on 4.10 and below)
Comment on attachment 16028 [details] patch for 4.5 to be applied after patch in Bug 14364 (CVE-2020-10730) (v2) The 4.5 patch (which is not part of the official Samba patch service) is wrong; the vlv test needs to be backported more carefully.
Created attachment 16058 [details] Advisory V3
Planned release date: Thursday, July 2nd. Opening bug report for vendors.
Created attachment 16066 [details] Advisory
Samba 4.12.4, 4.11.11 and 4.10.17 have been shipped to address this defect.
Pushed to autobuild-master.
Merged into v4-{12,11,10}-test.
Pushed to autobuild-master. Closing out bug report. Thanks!
Opening to the public and removing the samba-vendor alias from CC. Vendors: CC individually if you wish to follow along.