authorLeonardo Arena <rnalrd@alpinelinux.org>2019-02-04 15:01:47 +0000
committerLeonardo Arena <rnalrd@alpinelinux.org>2019-02-04 15:01:47 +0000
commitf7ba3ea2bf6a0f6310a8526c95d88f7986735f8c (patch)
tree95ae0c5ac6f1b375ef323b34408a07af09622d38 /main
parent2f186b4a430de0eab78872fa2d1b61c3d32d45d2 (diff)
main/samba: security fixes
Diffstat (limited to 'main')
-rw-r--r--main/samba/0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch95
-rw-r--r--main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch41
-rw-r--r--main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch44
-rw-r--r--main/samba/0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch39
-rw-r--r--main/samba/APKBUILD14
5 files changed, 232 insertions, 1 deletions
diff --git a/main/samba/0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch b/main/samba/0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
new file mode 100644
index 0000000000..89c938d0d5
--- /dev/null
+++ b/main/samba/0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
@@ -0,0 +1,95 @@
+From f7a8294d65e5a7424da93499074a30cb65418ce7 Mon Sep 17 00:00:00 2001
+From: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Date: Tue, 23 Oct 2018 17:25:51 +1300
+Subject: [PATCH] CVE-2018-14629 dns: CNAME loop prevention using counter
+
+Count number of answers generated by internal DNS query routine and stop at
+20 to match Microsoft's loop prevention mechanism.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
+
+Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Garming Sam <garming@catalyst.net.nz>
+---
+ python/samba/tests/dns.py | 24 ++++++++++++++++++++++++
+ selftest/knownfail.d/dns | 6 ++++++
+ source4/dns_server/dns_query.c | 6 ++++++
+ 3 files changed, 36 insertions(+)
+
+diff --git a/python/samba/tests/dns.py b/python/samba/tests/dns.py
+index 1b5b64da3a4..3390a3990c9 100644
+--- a/python/samba/tests/dns.py
++++ b/python/samba/tests/dns.py
+@@ -798,6 +798,30 @@ class TestComplexQueries(DNSTest):
+ self.assertEquals(response.answers[1].name, name2)
+ self.assertEquals(response.answers[1].rdata, name0)
+
++ def test_cname_loop(self):
++ cname1 = "cnamelooptestrec." + self.get_dns_domain()
++ cname2 = "cnamelooptestrec2." + self.get_dns_domain()
++ cname3 = "cnamelooptestrec3." + self.get_dns_domain()
++ self.make_dns_update(cname1, cname2, dnsp.DNS_TYPE_CNAME)
++ self.make_dns_update(cname2, cname3, dnsp.DNS_TYPE_CNAME)
++ self.make_dns_update(cname3, cname1, dnsp.DNS_TYPE_CNAME)
++
++ p = self.make_name_packet(dns.DNS_OPCODE_QUERY)
++ questions = []
++
++ q = self.make_name_question(cname1,
++ dns.DNS_QTYPE_A,
++ dns.DNS_QCLASS_IN)
++ questions.append(q)
++ self.finish_name_packet(p, questions)
++
++ (response, response_packet) =\
++ self.dns_transaction_udp(p, host=self.server_ip)
++
++ max_recursion_depth = 20
++ self.assertEquals(len(response.answers), max_recursion_depth)
++
++
+ class TestInvalidQueries(DNSTest):
+ def setUp(self):
+ super(TestInvalidQueries, self).setUp()
+diff --git a/selftest/knownfail.d/dns b/selftest/knownfail.d/dns
+index cb3003240ea..8c79b3abe00 100644
+--- a/selftest/knownfail.d/dns
++++ b/selftest/knownfail.d/dns
+@@ -45,3 +45,9 @@ samba.tests.dns.__main__.TestSimpleQueries.test_qtype_all_query\(rodc:local\)
+
+ # The SOA override should not pass against the RODC, it must not overstamp
+ samba.tests.dns.__main__.TestSimpleQueries.test_one_SOA_query\(rodc:local\)
++
++#
++# rodc and vampire_dc require signed dns updates, so the test setup
++# fails, but the test does run on fl2003dc
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(rodc:local\)
++^samba.tests.dns.__main__.TestComplexQueries.test_cname_loop\(vampire_dc:local\)
+diff --git a/source4/dns_server/dns_query.c b/source4/dns_server/dns_query.c
+index e8de304c8bb..fafadb6ac6f 100644
+--- a/source4/dns_server/dns_query.c
++++ b/source4/dns_server/dns_query.c
+@@ -40,6 +40,7 @@
+
+ #undef DBGC_CLASS
+ #define DBGC_CLASS DBGC_DNS
++#define MAX_Q_RECURSION_DEPTH 20
+
+ struct forwarder_string {
+ const char *forwarder;
+@@ -470,6 +471,11 @@ static struct tevent_req *handle_dnsrpcrec_send(
+ state->answers = answers;
+ state->nsrecs = nsrecs;
+
++ if (talloc_array_length(*answers) >= MAX_Q_RECURSION_DEPTH) {
++ tevent_req_done(req);
++ return tevent_req_post(req, ev);
++ }
++
+ resolve_cname = ((rec->wType == DNS_TYPE_CNAME) &&
+ ((question->question_type == DNS_QTYPE_A) ||
+ (question->question_type == DNS_QTYPE_AAAA)));
+--
+2.18.1
+
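Review bot: The early return added to handle_dnsrpcrec_send in dns_query.c completes the request successfully and silently once `talloc_array_length(*answers)` reaches the cap, so an operator gets no signal that a CNAME loop or an over-long chain was cut short. A single log line before `tevent_req_done(req)`, for example `DBG_NOTICE("DNS answer limit (%d) reached, stopping CNAME resolution\n", MAX_Q_RECURSION_DEPTH);`, would make such records detectable. The macro also deserves a comment, because it bounds the number of answer records rather than a call depth: `/* max answers built per query; stops CNAME loops (CVE-2018-14629) */`. The function body starts and ends outside the hunk.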
diff --git a/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch b/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
new file mode 100644
index 0000000000..32dab1e0ea
--- /dev/null
+++ b/main/samba/0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
@@ -0,0 +1,41 @@
+From e1026a1685b5838f2ca67965025b2381751c35cb Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 23 Oct 2018 17:33:46 +1300
+Subject: [PATCH] CVE-2018-16841 heimdal: Fix segfault on PKINIT with
+ mis-matching principal
+
+In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
+mem_ctx.
+
+This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
+MIT KDC effort.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+---
+ source4/kdc/db-glue.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
+index 9ac5a1d38f0..4d7ac333fcc 100644
+--- a/source4/kdc/db-glue.c
++++ b/source4/kdc/db-glue.c
+@@ -2578,10 +2578,10 @@ samba_kdc_check_pkinit_ms_upn_match(krb5_context context,
+ * comparison */
+ if (!(orig_sid && target_sid && dom_sid_equal(orig_sid, target_sid))) {
+ talloc_free(mem_ctx);
+-#ifdef KRB5_KDC_ERR_CLIENT_NAME_MISMATCH /* Heimdal */
+- return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+-#elif defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
++#if defined(KRB5KDC_ERR_CLIENT_NAME_MISMATCH) /* MIT */
+ return KRB5KDC_ERR_CLIENT_NAME_MISMATCH;
++#else /* Heimdal (where this is an enum) */
++ return KRB5_KDC_ERR_CLIENT_NAME_MISMATCH;
+ #endif
+ }
+
+--
+2.18.1
+
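Review bot: The new `#else` branch in samba_kdc_check_pkinit_ms_upn_match explains itself only as "(where this is an enum)", which does not tell a later reader why the order of the branches matters. Going by the commit message, the old `#ifdef` could not see the Heimdal enumerator, so no return was compiled and control continued after `talloc_free(mem_ctx)`. I would spell that out in the comment: `/* Heimdal: an enumerator, invisible to #ifdef; a return must always be compiled here so we never continue after talloc_free(mem_ctx) */`. The function starts and ends outside the hunk, so the code that runs after the closing brace is not visible here.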
diff --git a/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch b/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
new file mode 100644
index 0000000000..a1166946d3
--- /dev/null
+++ b/main/samba/0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
@@ -0,0 +1,44 @@
+From ac0b38fb285fad3165560a26afeeeaf23d850c1c Mon Sep 17 00:00:00 2001
+From: Garming Sam <garming@catalyst.net.nz>
+Date: Mon, 5 Nov 2018 16:18:18 +1300
+Subject: [PATCH] CVE-2018-16851 ldap_server: Check ret before manipulating
+ blob
+
+In the case of hitting the talloc ~256MB limit, this causes a crash in
+the server.
+
+Note that you would actually need to load >256MB of data into the LDAP.
+Although there is some generated/hidden data which would help you reach that
+limit (descriptors and RMD blobs).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
+
+Signed-off-by: Garming Sam <garming@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source4/ldap_server/ldap_server.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source4/ldap_server/ldap_server.c b/source4/ldap_server/ldap_server.c
+index d9f24e0817c..e5e9688ed98 100644
+--- a/source4/ldap_server/ldap_server.c
++++ b/source4/ldap_server/ldap_server.c
+@@ -669,13 +669,13 @@ static void ldapsrv_call_writev_start(struct ldapsrv_call *call)
+ ret = data_blob_append(call, &blob, b.data, b.length);
+ data_blob_free(&b);
+
+- talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
+-
+ if (!ret) {
+ ldapsrv_terminate_connection(conn, "data_blob_append failed");
+ return;
+ }
+
++ talloc_set_name_const(blob.data, "Outgoing, encoded LDAP packet");
++
+ DLIST_REMOVE(call->replies, call->replies);
+ }
+
+--
+2.18.1
+
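Review bot: Nothing at the relocated `talloc_set_name_const(blob.data, ...)` call in ldapsrv_call_writev_start records that it must stay below the `if (!ret)` check, so a later tidy-up could move it back and reintroduce the crash. A short comment above it would pin the ordering: `/* only touch blob.data once data_blob_append() has succeeded */`. The state of `blob.data` after a failed append is inferred from the commit message rather than shown in these lines. The function body starts outside the hunk, so whether the partially built blob is released on the error path cannot be checked here.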
diff --git a/main/samba/0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch b/main/samba/0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
new file mode 100644
index 0000000000..b378c9a162
--- /dev/null
+++ b/main/samba/0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
@@ -0,0 +1,39 @@
+From b49c87f8d64677390e5c4c6698b95beb74468653 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Wed, 24 Oct 2018 15:41:28 +1300
+Subject: [PATCH] CVE-2018-16841 selftest: Check for mismatching principal in
+ certficate compared with principal in AS-REQ
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
+---
+ testprogs/blackbox/test_pkinit_heimdal.sh | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh
+index 0a13aa293e7..0912e0dbfe8 100755
+--- a/testprogs/blackbox/test_pkinit_heimdal.sh
++++ b/testprogs/blackbox/test_pkinit_heimdal.sh
+@@ -75,10 +75,18 @@ testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --reque
+ testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+
++testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1`
++
++testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER $SERVER@$REALM || failed=`expr $failed + 1`
++
+ testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1`
+ testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+
++testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1`
++
++testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1`
++
+ testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1`
+ testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1`
+ test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" -k yes || failed=`expr $failed + 1`
+--
+2.18.1
+
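Review bot: In the last added `testit_expect_failure` line ("wrong enterprise name specified 2") the principal is written `$SERVER$@$REALM`, and the unquoted `$@` there expands to the script's positional parameters rather than a literal `$@`. The intent is presumably the machine account name, which would need the dollar sign escaped: `--enterprise "$SERVER\$@$REALM"`. Because the test expects failure, it passes either way, so the wrong principal would go unnoticed and the machine-account case would not actually be exercised. The earlier "wrong name specified 2" line uses `$SERVER@$REALM` without the trailing dollar, so the two cases should be made consistent with whichever principal is intended.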
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 2301bbde88..d138288555 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
pkgver=4.7.6
-pkgrel=1
+pkgrel=2
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="http://www.samba.org"
arch="all"
@@ -69,6 +69,10 @@ source="https://us1.samba.org/samba/ftp/stable/$pkgname-$pkgver.tar.gz
0009-CVE-2018-10919-acl_read-Flip-the-logic-in-the-dirsyn.patch
0010-CVE-2018-10919-acl_read-Fix-unauthorized-attribute-a.patch
0011-CVE-2018-10919-tests-Add-extra-test-for-dirsync-dele.patch
+ 0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
+ 0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
+ 0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
+ 0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
$pkgname.initd
$pkgname.confd
@@ -78,6 +82,10 @@ pkggroups="winbind"
builddir="$srcdir/$pkgname-$pkgver"
# secfixes:
+# 4.7.6-r2:
+# - CVE-2018-14629
+# - CVE-2018-16841
+# - CVE-2018-16851
# 4.7.6-r1:
# - CVE-2018-1139
# - CVE-2018-10858
@@ -561,6 +569,10 @@ b5e73fa0e114a8c388b56b46d373dd821aecab942c409421afaca26aeeb85f14ca42db9fda88e03d
c317f5338a612906a3765ee69e3f487f755d4aa61670543aefec71cc4eb7fed12f1aa21027f80661a25a2cc550ddbceb3988a1d3fa624925763b9164b9153b89 0009-CVE-2018-10919-acl_read-Flip-the-logic-in-the-dirsyn.patch
f59421fc880c864d36da28d9a6b41fb8be912c8a0411301cc80c8682210d17fc111ea956a9d2ad01ebb58f4737a3b8d8fa8d8e2a897d32a8b30240eacf23b2e2 0010-CVE-2018-10919-acl_read-Fix-unauthorized-attribute-a.patch
8c284d9faa975342092c94193c6993d1dc11e429f108bf2a152a631ed2f5ae85c1f5db5ef51828682357aac015c888cc1080f705fbc529b6d07112a0039d3bd6 0011-CVE-2018-10919-tests-Add-extra-test-for-dirsync-dele.patch
+a856ee2ff97caf6201bab768b4187fb80b693d9be9e7c45252e938f0371b678fd28e549f4bd1f7c3cd968fc4ca54c37b4753f190cb36cec069d82e8cdfc8b22c 0001-CVE-2018-14629-dns-CNAME-loop-prevention-using-count.patch
+69c53b2b74e411feb9de6841f07566ba61a981eb28e5d38328f7099e36be541e2f9f52455fc1f7202440242551dae1bef15868079f43607ca236770f8adeb6f6 0001-CVE-2018-16841-heimdal-Fix-segfault-on-PKINIT-with-m.patch
+558fb5112eba24b987c298e5e29811c8124d8eac46e5e8352caa035f765e9b94e8861a72718de9020dfb601a5293a2d8c9ffa9d5f8f827344ac8fd069ca918bd 0002-CVE-2018-16841-selftest-Check-for-mismatching-princi.patch
+e88f1c34154fbf91a9c2fca253c0d46ddf9dd2a678119dde9e46c0b41d61529ac087f33e9f03f3b95fbe56e9ba4b211e639779b7e7565e06d0e56be0eebf6495 0001-CVE-2018-16851-ldap_server-Check-ret-before-manipula.patch
6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf samba.initd
4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6 samba.confd
f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053 samba.logrotate"