author | Stefan Reiff <kroko87@hotmail.com> | 2019-04-17 11:37:34 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2019-04-25 06:34:36 +0000 |
commit | 3fc4f7d95608cc32f264afea7c233f8259d802cf (patch) | |
tree | b8129bbbd1891b60adca19c2d3381e05a195a099 /main/samba | |
parent | 47b45e6408f07c2789e3662d06f25e1c434a9d6a (diff) | |
download | aports-3fc4f7d95608cc32f264afea7c233f8259d802cf.tar.bz2 aports-3fc4f7d95608cc32f264afea7c233f8259d802cf.tar.xz |
main/samba: security fixes
Diffstat (limited to 'main/samba')
5 files changed, 219 insertions, 1 deletions
diff --git a/main/samba/0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch b/main/samba/0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
new file mode 100644
index 0000000000..0e6eaa9763
--- /dev/null
+++ b/main/samba/0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
@@ -0,0 +1,81 @@
+From f7a8294d65e5a7424da93499074a30cb65418ce7 Mon Sep 17 00:00:00 2001
+From: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Date: Tue, 23 Oct 2018 17:25:51 +1300
+Subject: [PATCH] CVE-2018-14629 dns: CNAME loop prevention using counter
+
+Count number of answers generated by internal DNS query routine and stop at
+20 to match Microsoft's loop prevention mechanism.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+
+Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Garming Sam <garming@catalyst.net.nz>
+---
+ python/samba/tests/dns.py | 24 ++++++++++++++++++++++++
+ selftest/knownfail.d/dns | 6 ++++++
+ source4/dns_server/dns_query.c | 6 ++++++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
+index 1b5b64da3a4..3390a3990c9 100644
+--- a/python/samba/tests/dns.py
++++ b/python/samba/tests/dns.py
+@@ -798,6 +798,30 @@ class TestComplexQueries(DNSTest):
+ self.assertEquals(response.answers[1].name, name2)
+ self.assertEquals(response.answers[1].rdata, name0)
+
++ def test_cname_loop(self):
++ cname1 = "cnamelooptestrec." + self.get_dns_domain()
++ cname2 = "cnamelooptestrec2." + self.get_dns_domain()
++ cname3 = "cnamelooptestrec3." + self.get_dns_domain()
++ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
++ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
++ self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME)
++
++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++ questions = []
++
++ q = self.make_name_question(cname1,
++ dns.DNS_QTYPE_A,
++ dns.DNS_QCLASS_IN)
++ questions.append(q)
++ self.finish_name_packet(p, questions)
++
++ (response, response_packet) =\
++ self.dns_transaction_udp(p, host=self.server_ip)
++
++ max_recursion_depth = 20
++ self.assertEquals(len(response.answers), max_recursion_depth)
++
++
+ class TestInvalidQueries(DNSTest):
+ def setUp(self):
+ super(TestInvalidQueries, self).setUp()
+diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
+index e8de304c8bb..fafadb6ac6f 100644
+--- a/source4/dns_server/dns_query.c
++++ b/source4/dns_server/dns_query.c
+@@ -40,6 +40,7 @@
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_DNS
++#define MAX_Q_RECURSION_DEPTH 20
+
+ struct forwarder_string {
+ const char *forwarder;
+@@ -470,6 +471,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ state->answers = answers;
+ state->nsrecs = nsrecs;
+
++ if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
++ tevent_req_done(req);
++ return tevent_req_post(req, ev);
++ }
++
+ resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
+ ((question->question_type == DNS_QTYPE_A) ||
+ (question->question_type == DNS_QTYPE_AAAA)));
+--
+2.18.1
+
diff --git a/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch b/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
new file mode 100644
index 0000000000..32dab1e0ea
--- /dev/null
+++ b/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
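Review bot: The embedded diffstat of this patch file still lists `selftest/knownfail.d/dns | 6 ++++++` and `3 files changed, 36 insertions(+)`, but the diff body that follows carries only `python/samba/tests/dns.py` and `source4/dns_server/dns_query.c`. `patch` and abuild ignore the stat block, so application is unaffected, but anyone comparing this backport against upstream f7a8294d will assume the knownfail change was included; presumably it was dropped because the 4.6 tree has no matching file, and that is worth stating. Either trim the stat lines to the two files actually present, or add a one-line note under the Subject such as `[backport to 4.6: selftest/knownfail.d/dns hunk omitted]` so the patch file describes itself.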
@@ -0,0 +1,41 @@
+From e1026a1685b5838f2ca67965025b2381751c35cb Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 23 Oct 2018 17:33:46 +1300
+Subject: [PATCH] CVE-2018-16841 heimdal: Fix segfault on PKINIT with
+ mis-matching principal
+
+In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
+mem_ctx.
+
+This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
+MIT KDC effort.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+---
+ source4/kdc/db-glue.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
+index 9ac5a1d38f0..4d7ac333fcc 100644
+--- a/source4/kdc/db-glue.c
++++ b/source4/kdc/db-glue.c
+@@ -2578,10 +2578,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
+ * comparison */
+ if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
+ talloc_free(mem_ctx);
+-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
+- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
++#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
++#else /* Heimdal (where this is an enum) */
++ return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ #endif
+ }
+
+--
+2.18.1
+
diff --git a/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch b/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
new file mode 100644
index 0000000000..a1166946d3
--- /dev/null
+++ b/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
@@ -0,0 +1,44 @@
+From ac0b38fb285fad3165560a26afeeeaf23d850c1c Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Mon, 5 Nov 2018 16:18:18 +1300
+Subject: [PATCH] CVE-2018-16851 ldap_server: Check ret before manipulating
+ blob
+
+In the case of hitting the talloc ~256MB limit, this causes a crash in
+the server.
+
+Note that you would actually need to load >256MB of data into the LDAP.
+Although there is some generated/hidden data which would help you reach that
+limit (descriptors and RMD blobs).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
+
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/ldap_server/ldap_server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
+index d9f24e0817c..e5e9688ed98 100644
+--- a/source4/ldap_server/ldap_server.c
++++ b/source4/ldap_server/ldap_server.c
+@@ -669,13 +669,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
+ ret = data_blob_append(call, &blob, b.data, b.length);
+ data_blob_free(&b);
+
+- talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+-
+ if (!ret) {
+ ldapsrv_terminate_connection(conn, "data_blob_append failed");
+ return;
+ }
+
++ talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
++
+ DLIST_REMOVE(call->replies, call->replies);
+ }
+
+--
+2.18.1
+
diff --git a/main/samba/0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch b/main/samba/0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
new file mode 100644
index 0000000000..b378c9a162
--- /dev/null
+++ b/main/samba/0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
@@ -0,0 +1,39 @@
+From b49c87f8d64677390e5c4c6698b95beb74468653 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Wed, 24 Oct 2018 15:41:28 +1300
+Subject: [PATCH] CVE-2018-16841 selftest: Check for mismatching principal in
+ certficate compared with principal in AS-REQ
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+---
+ testprogs/blackbox/test_pkinit_heimdal.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
+index 0a13aa293e7..0912e0dbfe8 100755
+--- a/testprogs/blackbox/test_pkinit_heimdal.sh
++++ b/testprogs/blackbox/test_pkinit_heimdal.sh
+@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque
+ testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+
++testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
++
++testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
++
+ testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
+ testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+
++testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
++
++testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
++
+ testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
+ testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+--
+2.18.1
+
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 6f4e07dec1..bfd2662d15 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=samba
 pkgver=4.6.16
-pkgrel=1
+pkgrel=2
 pkgdesc="Tools to access a server's filespace and printers via SMB"
 url="http://www.samba.org"
 arch="all"
@@ -49,6 +49,11 @@ source="https://us1.samba.org/samba/ftp/stable/$pkgname-$pkgver.tar.gz
 getpwent_r.patch
 netdb-defines.patch
 netapp.patch
+
+ 0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
+ 0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
+ 0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
+ 0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
 0012-CVE-2019-3880.patch
 $pkgname.initd
@@ -59,6 +64,10 @@ pkggroups="winbind"
 builddir="$srcdir/$pkgname-$pkgver"
 # secfixes:
+# 4.6.16-r2:
+# - CVE-2018-14629
+# - CVE-2018-16841
+# - CVE-2018-16851
 # 4.6.16-r1:
 # - CVE-2019-3880
 # 4.6.16-r0:
@@ -538,6 +547,10 @@ b43809d7ecbf3968f5154c2ded6ed47dae36921f1895ea98bcce50557eb2ad39b736345ffb421465
 0d4fd9862191554dc9c724cec0b94fd19afbfd0c4ed619e4c620c075e849cb3f3d44db1e5f119d890da23a3dd0068d9873703f3d86c47b91310521f37356208b getpwent_r.patch
 1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch
 202667cb0383414d9289cd67574f5e1140c9a0ff63bb82a746a59b2397a00db15654bfb30cb5ec1cd68a097899be0f849d9aab4c0d210152386c9e66c640f0c0 netapp.patch
+12635ed619925d54a329730c4742e6d4f2766189afbfe1e22754c1a44ab7144604a378b884427bec0db7234002deda42666fb231f8382d56b1b8886f1226906e 0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
+69c53b2b74e411feb9de6841f07566ba61a981eb28e5d38328f7099e36be541e2f9f52455fc1f7202440242551dae1bef15868079f43607ca236770f8adeb6f6 0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
+558fb5112eba24b987c298e5e29811c8124d8eac46e5e8352caa035f765e9b94e8861a72718de9020dfb601a5293a2d8c9ffa9d5f8f827344ac8fd069ca918bd 0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
+e88f1c34154fbf91a9c2fca253c0d46ddf9dd2a678119dde9e46c0b41d61529ac087f33e9f03f3b95fbe56e9ba4b211e639779b7e7565e06d0e56be0eebf6495 0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
 1ca243614cef2c7061d914356475c629cd07e6e2c25a680bb65a18e6e4f3b948f19eae887fba9b006f1cbb02407ab4dd420aa6e05a48cdb5a7c1548cdbe0b072 0012-CVE-2019-3880.patch
 6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf samba.initd
 4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6 samba.confd |