Some LDB modules add new values to a shallow copy of an LDB message such that talloc_realloc() is called on the original values array. This invalidates the 'values' pointer in the original message element, which may later be used in the database audit logging module to log database requests, potentially causing a crash.
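The aliasing described in the report, as an added example that is not Samba's or LDB's own code: simplified stand-ins for the LDB element structures, a shallow copy that still shares the values array, a growth path that never passes a shared array to realloc(), and a check that the original element survives intact. The structure layouts, function names and the use of malloc/realloc in place of talloc are assumptions made for this illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Simplified models of the LDB structures (assumed here, not Samba's headers). */
struct ldb_val { unsigned char *data; size_t length; };
struct ldb_message_element { unsigned int num_values; struct ldb_val *values; };
/* Shallow copy: the struct is duplicated but 'values' still aliases the original
 * array. realloc() on the copy's values would move that array and leave
 * orig->values dangling, which is the crash path described in the report. */
struct ldb_message_element shallow_copy_element(const struct ldb_message_element *o)
{
    return *o;
}
/* Safe growth: while the copy still aliases the original's array, give it a
 * private copy before growing; only an array the copy owns reaches realloc().
 * (With talloc the fresh array would hang off the copied element.) */
int element_add_value_unaliased(struct ldb_message_element *el,
                                const struct ldb_message_element *orig,
                                const struct ldb_val *v)
{
    size_t n = el->num_values;
    struct ldb_val *fresh;
    if (el->values == orig->values) {
        fresh = malloc((n + 1) * sizeof(*fresh));
        if (fresh != NULL) memcpy(fresh, el->values, n * sizeof(*fresh));
    } else {
        fresh = realloc(el->values, (n + 1) * sizeof(*fresh));
    }
    if (fresh == NULL) return -1;
    fresh[n] = *v;
    el->values = fresh;
    el->num_values = (unsigned int)(n + 1);
    return 0;
}
/* Constructed scenario: original element with two values, shallow copy, two
 * values added to the copy. Returns 1 iff the original is untouched (same
 * pointer, count and bytes) and the copy grew on its own array. */
int demo_safe_add(void)
{
    static unsigned char a[] = "alice", b[] = "bob", c[] = "carol", d[] = "dave";
    struct ldb_val vals[2] = { { a, 5 }, { b, 3 } }, nv1 = { c, 5 }, nv2 = { d, 4 };
    struct ldb_message_element orig = { 2, vals };
    struct ldb_message_element copy = shallow_copy_element(&orig);
    int ok = element_add_value_unaliased(&copy, &orig, &nv1) == 0 &&
             element_add_value_unaliased(&copy, &orig, &nv2) == 0 &&
             orig.values == vals && orig.num_values == 2 &&
             copy.values != vals && copy.num_values == 4 &&
             memcmp(orig.values[1].data, "bob", 3) == 0 &&
             memcmp(copy.values[3].data, "dave", 4) == 0;
    free(copy.values);
    return ok;
}
```

The pointer-equality check in element_add_value_unaliased is the invariant an audit-logging consumer of the original message relies on: the original's values array is never handed to realloc() through the copy.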
Created attachment 17205 (WIP patch for master). This patch is mostly complete, but probably needs a new LDB release.
Created attachment 17206 (WIP patch for master). Forgot to add bug tags.
Created attachment 17377 (patch for master).
Comment on attachment 17377 (patch for master): a newer version of the patchset is available at https://bugzilla.samba.org/show_bug.cgi?id=15096.
Created attachment 17381 (Advisory draft #1).
Assigning to Jule for the next security release.
Created attachment 17399 (Advisory draft #2). Fixed typo: "The AD DC database audit logging module be made" => "logging module can be made".
Opening security bugs to vendors. Release date is currently proposed to be Wednesday 27 July but bug 15109 will be the authoritative reference on that.
This bug was referenced in samba v4-16-stable (Release samba-4.16.4).
This bug was referenced in samba v4-15-stable (Release samba-4.15.9).
This bug was referenced in samba v4-14-stable (Release samba-4.14.14).
This bug was referenced in samba v4-14-test.
This bug was referenced in samba v4-15-test.
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public. If you wish to continue to be informed about any changes here please CC individually.
This bug was referenced in samba v4-16-test.
This bug was referenced in samba master.
This bug was referenced in samba v4-17-stable.
This bug was referenced in samba v4-17-test.
Pushed to all relevant branches. Closing out bug report. Many thanks to all!