The branch, v4-10-stable has been updated
       via  0953917629b VERSION: Disable GIT_SNAPSHOT for the 4.10.5 release.
       via  bfa9f92e611 WHATSNEW: Add release notes for Samba 4.10.5.
       via  c48920093da CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
       via  d32b96aeff0 CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
       via  0b9da247534 CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
       via  090e8700af3 VERSION: Bump version up to 4.10.5...
      from  8e479542e28 VERSION: Disable GIT_SNAPSHOT for the 4.10.4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-10-stable


- Log -----------------------------------------------------------------
commit 0953917629bb2e21a41013f50def0c9402d5399a
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Jun 13 11:48:53 2019 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.10.5 release.

    CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951

    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit bfa9f92e611e3b634c505b9c4a2c7aef128afb64
Author: Karolin Seeger <ksee...@samba.org>
Date:   Thu Jun 13 11:47:07 2019 +0200

    WHATSNEW: Add release notes for Samba 4.10.5.

    CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951

    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit c48920093da7f5f6cbbca42d516b86b9cf51eea6
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Fri May 17 14:42:24 2019 +1200

    CVE-2019-12436 dsdb/paged_results: ignore successful results without messages

    So that we don't dereference result->msgs[0] when it doesn't exist.
    This can happen when the object has changed in such a way that it no
    longer matches the original search query.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951
    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d32b96aeff0022c7a9052f15adbc7cd36643ca22
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Wed May 22 13:23:25 2019 +1200

    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2

    We still want to return DOES_NOT_EXIST when request_filter is not 0.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0b9da247534f735fa96141e9285fd22e0f2bb442
Author: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Date:   Wed May 22 12:58:01 2019 +1200

    CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation

    We still want to return DOES_NOT_EXIST when request_filter is not 0.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922

    Signed-off-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 090e8700af31c0b9fd273e91a0deb8d1efd3ef24
Author: Karolin Seeger <ksee...@samba.org>
Date:   Wed May 22 11:50:17 2019 +0200

    VERSION: Bump version up to 4.10.5...

    and re-enable GIT_SNAPSHOT.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>
    (cherry picked from commit 827b5423c0fe6ad472226b6d172e0460d074135a)

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |  2 +-
 WHATSNEW.txt                                    | 64 ++++++++++++++++++++++++-
 python/samba/tests/dcerpc/dnsserver.py          | 51 ++++++++++++++++++++
 source4/dsdb/samdb/ldb_modules/paged_results.c  |  3 +-
 source4/dsdb/tests/python/vlv.py                | 50 ++++++++++++++++++-
 source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 14 +++++-
 6 files changed, 177 insertions(+), 7 deletions(-)


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index cddf98545d9..73c35f8f66c 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=10 -SAMBA_VERSION_RELEASE=4 +SAMBA_VERSION_RELEASE=5 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 21aef0c4960..8339bbf958a 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,63 @@ + ============================== + Release Notes for Samba 4.10.5 + June 19, 2019 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server + (dnsserver)) +o CVE-2019-12436 (Samba AD DC LDAP server crash (paged searches)) + +======= +Details +======= + +o CVE-2019-12435: + An authenticated user can crash the Samba AD DC's RPC server process via a + NULL pointer dereference. + +o CVE-2019-12436: + An user with read access to the directory can cause a NULL pointer + dereference using the paged search control. + +For more details and workarounds, please refer to the security advisories. + + +Changes since 4.10.4: +--------------------- + +o Douglas Bagnall <douglas.bagn...@catalyst.net.nz> + * BUG 13922: CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found + in DnssrvOperation2. + * BUG 13951: CVE-2019-12436 dsdb/paged_results: Ignore successful results + without messages. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + ============================== Release Notes for Samba 4.10.4 May 22, 2019 @@ -111,8 +171,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + ============================== Release Notes for Samba 4.10.3 diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py index 8e485c540dd..0da9614d066 100644 --- a/python/samba/tests/dcerpc/dnsserver.py +++ b/python/samba/tests/dcerpc/dnsserver.py @@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security from samba.tests import RpcInterfaceTestCase, env_get_var_value from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord from samba import sd_utils, descriptor +from samba import WERRORError, werror class DnsserverTests(RpcInterfaceTestCase): 
@@ -707,6 +708,56 @@ class DnsserverTests(RpcInterfaceTestCase): 'ServerInfo') self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid) + + # This test is to confirm that we do not support multizone operations, + # which are designated by a non-zero dwContext value (the 3rd argument + # to DnssrvOperation). + def test_operation_invalid(self): + non_zone = 'a-zone-that-does-not-exist' + typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM + name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() + name_and_param.pszNodeName = 'AllowUpdate' + name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE + try: + res = self.conn.DnssrvOperation(self.server, + non_zone, + 1, + 'ResetDwordProperty', + typeid, + name_and_param) + except WERRORError as e: + if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: + return + + # We should always encounter a DOES_NOT_EXIST error. + self.fail() + + # This test is to confirm that we do not support multizone operations, + # which are designated by a non-zero dwContext value (the 5th argument + # to DnssrvOperation2). + def test_operation2_invalid(self): + client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN + non_zone = 'a-zone-that-does-not-exist' + typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM + name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM() + name_and_param.pszNodeName = 'AllowUpdate' + name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE + try: + res = self.conn.DnssrvOperation2(client_version, + 0, + self.server, + non_zone, + 1, + 'ResetDwordProperty', + typeid, + name_and_param) + except WERRORError as e: + if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST: + return + + # We should always encounter a DOES_NOT_EXIST error. + self.fail() + def test_operation2(self): client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN rev_zone = '1.168.192.in-addr.arpa' diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c index 78ad44f6601..5cad398ab61 100644 
--- a/source4/dsdb/samdb/ldb_modules/paged_results.c +++ b/source4/dsdb/samdb/ldb_modules/paged_results.c @@ -266,7 +266,8 @@ static int paged_results(struct paged_context *ac) ret = paged_search_by_dn_guid(ac->module, ac, &result, guid, ac->req->op.search.attrs, ac->store->expr); - if (ret == LDAP_NO_SUCH_OBJECT /* TODO or no result */) { + if (ret == LDAP_NO_SUCH_OBJECT || + (ret == LDB_SUCCESS && result->count == 0)) { /* The thing isn't there TODO, which we quietly ignore and go on to send an extra one instead. */ diff --git a/source4/dsdb/tests/python/vlv.py b/source4/dsdb/tests/python/vlv.py index 8550a38e287..bc07a53d575 100644 --- a/source4/dsdb/tests/python/vlv.py +++ b/source4/dsdb/tests/python/vlv.py @@ -105,6 +105,7 @@ class TestsWithUserOU(samba.tests.TestCase): 'givenName': "abcdefghijklmnopqrstuvwxyz"[i % 26], "roomNumber": "%sbc" % (n - i), "carLicense": "后来经", + "facsimileTelephoneNumber": name, "employeeNumber": "%s%sx" % (abs(i * (99 - i)), '\n' * (i & 255)), "accountExpires": "%s" % (10 ** 9 + 1000000 * i), "msTSExpireDate4": "19%02d0101010000.0Z" % (i % 100), @@ -1334,7 +1335,7 @@ class PagedResultsTests(TestsWithUserOU): self.assertEqual(results, expected_results) - def test_paged_modify_during_search(self): + def test_paged_rename_during_search(self): expr = "(objectClass=*)" # Start new search 
@@ -1421,6 +1422,53 @@ class PagedResultsTests(TestsWithUserOU): self.assertEqual(results, expected_results) + def test_paged_modify_one_during_search(self): + prefix = "change_during_search_" + num_users = 5 + users = [self.create_user(i, num_users, prefix=prefix) + for i in range(num_users)] + expr = "(&(objectClass=user)(facsimileTelephoneNumber=%s*))" % (prefix) + + # Get the first page, then change the searched attribute and + # try for the second page. + results, cookie = self.paged_search(expr, page_size=1) + self.assertEqual(len(results), 1) + unwalked_users = [u for u in users if u['cn'] != results[0]] + self.assertEqual(len(unwalked_users), num_users-1) + + mod_dn = unwalked_users[0]['dn'] + self.ldb.modify_ldif("dn: %s\n" + "changetype: modify\n" + "replace: facsimileTelephoneNumber\n" + "facsimileTelephoneNumber: 123" % mod_dn) + + results, _ = self.paged_search(expr, cookie=cookie, + page_size=len(self.users)) + expected_cns = {u['cn'] for u in unwalked_users if u['dn'] != mod_dn} + self.assertEqual(set(results), expected_cns) + + def test_paged_modify_all_during_search(self): + prefix = "change_during_search_" + num_users = 5 + users = [self.create_user(i, num_users, prefix=prefix) + for i in range(num_users)] + expr = "(&(objectClass=user)(facsimileTelephoneNumber=%s*))" % (prefix) + + # Get the first page, then change the searched attribute and + # try for the second page. + results, cookie = self.paged_search(expr, page_size=1) + unwalked_users = [u for u in users if u['cn'] != results[0]] + + for u in users: + self.ldb.modify_ldif("dn: %s\n" + "changetype: modify\n" + "replace: facsimileTelephoneNumber\n" + "facsimileTelephoneNumber: 123" % u['dn']) + + results, _ = self.paged_search(expr, cookie=cookie, + page_size=len(self.users)) + self.assertEqual(results, []) + def assertPagedSearchRaises(self, err_num, expr, cookie, attrs=None, extra_ctrls=None): try: 
diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c index 841557814a0..f8a8f0bae61 100644 --- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c @@ -2018,7 +2018,12 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_ &r->in.pData); } else { z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); - if (z == NULL && request_filter == 0) { + /* + * In the case that request_filter is not 0 and z is NULL, + * the request is for a multizone operation, which we do not + * yet support, so just error on NULL zone name. + */ + if (z == NULL) { return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; } @@ -2225,7 +2230,12 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC &r->in.pData); } else { z = dnsserver_find_zone(dsstate->zones, r->in.pszZone); - if (z == NULL && request_filter == 0) { + /* + * In the case that request_filter is not 0 and z is NULL, + * the request is for a multizone operation, which we do not + * yet support, so just error on NULL zone name. + */ + if (z == NULL) { return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST; } -- Samba Shared Repository
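Review bot: in the WHATSNEW.txt hunk, the CVE-2019-12436 entry under Details reads "An user with read access to the directory"; it should be "A user with read access to the directory". The same hunk's "Changes since 4.10.4" list copies the commit subject "Avoid NULL deference"; if the release notes are being polished before the tag, "NULL dereference" is the intended word, and the Details paragraph above it already uses the correct spelling.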
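Review bot: in the python/samba/tests/dcerpc/dnsserver.py hunk, test_operation_invalid and test_operation2_invalid only send a zone name that does not exist, so they do not exercise the case their comments describe (a multizone operation, i.e. an existing zone with a non-zero dwContext); what they pin down is that a missing zone is rejected even when dwContext is 1. Reword the two comments to say that, and consider a companion case with an existing zone and dwContext set to 1 so the behaviour chosen for that path is recorded too. Style: `res` is assigned and never used, and `self.fail()` carries no message, so a wrong WERROR code produces an opaque failure; `with self.assertRaises(WERRORError) as cm:` followed by `self.assertEqual(cm.exception.args[0], werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST)` reads more directly and reports the actual code on failure.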
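Review bot: in the source4/dsdb/samdb/ldb_modules/paged_results.c hunk, the new `(ret == LDB_SUCCESS && result->count == 0)` clause resolves the old `/* TODO or no result */`, but the comment that follows still says `The thing isn't there TODO`; drop the leftover TODO and state what is being skipped (an object renamed or modified so that it no longer matches the stored filter, as the commit message explains). Keep the `ret == LDB_SUCCESS` test first if this condition is ever reworked, since `result` is only safe to dereference on that branch. Style: the condition mixes `LDAP_NO_SUCH_OBJECT` with `LDB_SUCCESS`; ldb modules normally compare against `LDB_ERR_NO_SUCH_OBJECT` for consistency.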
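Review bot: in the source4/dsdb/tests/python/vlv.py hunk adding test_paged_modify_all_during_search, `results[0]` is indexed without the `self.assertEqual(len(results), 1)` check that test_paged_modify_one_during_search performs, so an empty first page would surface as an IndexError rather than an assertion failure; copy the length check, and note that `unwalked_users` is computed there but never used. In both new tests the second page is requested with `page_size=len(self.users)` although the users being searched are the local `users` list built with num_users; `len(users)` states the intent more directly. Minor: the one-user test compares `set(results)` against `expected_cns`, which would hide a duplicated entry on the second page; comparing `sorted(results)` with `sorted(expected_cns)` keeps that visible.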
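Review bot: in both source4/rpc_server/dnsserver/dcerpc_dnsserver.c hunks, the new comment ends with "just error on NULL zone name", but `z` is the result of `dnsserver_find_zone()`, that is the zone object, not the name in `r->in.pszZone`; reword to say that a zone which is not found returns WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST regardless of request_filter, which is what the commit message states. Since `request_filter` no longer appears in this condition, confirm it is still used elsewhere in dcesrv_DnssrvOperation and dcesrv_DnssrvOperation2 so the build does not pick up an unused-variable warning. The two hunks are line-for-line identical; factoring the zone lookup and check into one helper shared by both functions would keep them from drifting apart again, which is how the original `z == NULL && request_filter == 0` test let a NULL `z` reach the code below it.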