The branch, v4-11-test has been updated
       via  c5f61b9dd0a VERSION: Bump version up to 4.11.6.
       via  5f735302220 Merge tag 'samba-4.11.5' into v4-11-test
       via  01a4dd8ea2b VERSION: Disable GIT_SNAPSHOT for the 4.11.5 release.
       via  16f159bdd2d WHATSNEW: Add release notes for Samba 4.11.5.
       via  a56fb1c0427 CVE-2019-19344 kcc dns scavenging: Fix use after free in dns_tombstone_records_zone
       via  0010822597d CVE-2019-14907 lib/util: Do not print the failed to convert string into the logs
       via  5884a973309 CVE-2019-14902 dsdb: Change basis of descriptor module deferred processing to be GUIDs
       via  da1d3a0c03c CVE-2019-14902 repl_meta_data: Set renamed = true (and so do SD inheritance) after any rename
       via  febccb4845e CVE-2019-14902 repl_meta_data: Fix issue where inherited Security Descriptors were not replicated.
       via  2cf368d0023 CVE-2019-14902 repl_meta_data: schedule SD propagation to a renamed DN
       via  dc1b30c8316 CVE-2019-14902 dsdb: Ensure we honour both change->force_self and change->force_children
       via  68a91b11e40 CVE-2019-14902 dsdb: Add comments explaining why SD propagation needs to be done here
       via  971247385a4 CVE-2019-14902 dsdb: Explain that descriptor_sd_propagation_recursive() is protected by a transaction
       via  50498111ac0 selftest: Add test to confirm ACL inheritance really happens
       via  59a7bbe0c15 CVE-2019-14902 selftest: Add test for a special case around replicated renames
       via  6b6a993e6af CVE-2019-14902 selftest: Add test for replication of inherited security descriptors
       via  98761ff1b2e VERSION: Bump version up to 4.11.5...
      from  c5dee3fcee6 libsmbclient: If over SMB1 first try to do a posix stat on the file.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-test


- Log -----------------------------------------------------------------
commit c5f61b9dd0a0624ba91f1ee9277c653ebb38a3e6
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Jan 21 11:02:17 2020 +0100

    VERSION: Bump version up to 4.11.6.
    
    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit 5f73530222071af7cf6d9fa044cde86217fec112
Merge: c5dee3fcee6 01a4dd8ea2b
Author: Karolin Seeger <ksee...@samba.org>
Date:   Tue Jan 21 11:01:42 2020 +0100

    Merge tag 'samba-4.11.5' into v4-11-test
    
    samba: tag release samba-4.11.5

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                         |   2 +-
 WHATSNEW.txt                                    |  76 ++++-
 lib/util/charset/convert_string.c               |  38 +--
 source4/dsdb/kcc/scavenge_dns_records.c         |  51 ++-
 source4/dsdb/samdb/ldb_modules/acl_util.c       |   4 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c     | 291 +++++++++--------
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c |  55 +++-
 source4/dsdb/samdb/samdb.h                      |   2 +-
 source4/selftest/tests.py                       |   5 +
 source4/torture/drs/python/repl_secdesc.py      | 400 ++++++++++++++++++++++++
 10 files changed, 752 insertions(+), 172 deletions(-)
 create mode 100644 source4/torture/drs/python/repl_secdesc.py


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index 7bbd4754860..0f54515c8b9 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=11
-SAMBA_VERSION_RELEASE=5
+SAMBA_VERSION_RELEASE=6
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 830081446ab..99272550643 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,75 @@
+                   ==============================
+                   Release Notes for Samba 4.11.5
+                          January 21, 2020
+                  ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
+                 Directory not automatic.        
+o CVE-2019-14907: Crash after failed character conversion at log level 3 or
+                 above.                                               
+o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.
+                                                                               
 
+                                                                               
 
+=======                                                                        
 
+Details                                                                        
 
+=======                                                                        
 
+                                                                               
 
+o  CVE-2019-14902:                                                             
                   
+   The implementation of ACL inheritance in the Samba AD DC was not complete,
+   and so absent a 'full-sync' replication, ACLs could get out of sync between
+   domain controllers. 
+
+o  CVE-2019-14907:
+   When processing untrusted string input Samba can read past the end of the
+   allocated buffer when printing a "Conversion error" message to the logs.
+
+o  CVE-2019-19344:                                                             
                   
+   During DNS zone scavenging (of expired dynamic entries) there is a read of
+   memory after it has been freed.
+
+For more details and workarounds, please refer to the security advisories.
+
+
+Changes since 4.11.4:
+---------------------
+
+o  Andrew Bartlett <abart...@samba.org>
+   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD 
Directory
+     not automatic.
+   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
+     string into the logs.
+
+o  Gary Lockyer <g...@catalyst.net.nz>
+   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
+     dns_tombstone_records_zone.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
                    ==============================
                    Release Notes for Samba 4.11.4
                           December 16, 2019
@@ -76,8 +148,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    ==============================
                    Release Notes for Samba 4.11.3
diff --git a/lib/util/charset/convert_string.c 
b/lib/util/charset/convert_string.c
index d274e305a0c..b725b53cb5a 100644
--- a/lib/util/charset/convert_string.c
+++ b/lib/util/charset/convert_string.c
@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
                switch(errno) {
                        case EINVAL:
                                reason="Incomplete multibyte sequence";
-                               DEBUG(3,("convert_string_internal: Conversion 
error: %s(%s)\n",
-                                        reason, (const char *)src));
+                               DBG_NOTICE("Conversion error: %s\n",
+                                        reason);
                                break;
                        case E2BIG:
                        {
                                reason="No more room";
                                if (from == CH_UNIX) {
-                                       DEBUG(3,("E2BIG: convert_string(%s,%s): 
srclen=%u destlen=%u - '%s' error: %s\n",
-                                                charset_name(ic, from), 
charset_name(ic, to),
-                                                (unsigned int)srclen, 
(unsigned int)destlen, (const char *)src, reason));
+                                       DBG_NOTICE("E2BIG: 
convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+                                                  charset_name(ic, from), 
charset_name(ic, to),
+                                                  (unsigned int)srclen, 
(unsigned int)destlen, reason);
                                } else {
-                                       DEBUG(3,("E2BIG: convert_string(%s,%s): 
srclen=%u destlen=%u error: %s\n",
-                                                charset_name(ic, from), 
charset_name(ic, to),
-                                                (unsigned int)srclen, 
(unsigned int)destlen, reason));
+                                       DBG_NOTICE("E2BIG: 
convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
+                                                  charset_name(ic, from), 
charset_name(ic, to),
+                                                  (unsigned int)srclen, 
(unsigned int)destlen, reason);
                                }
                                break;
                        }
                        case EILSEQ:
                                reason="Illegal multibyte sequence";
-                               DEBUG(3,("convert_string_internal: Conversion 
error: %s(%s)\n",
-                                        reason, (const char *)src));
+                               DBG_NOTICE("convert_string_internal: Conversion 
error: %s\n",
+                                          reason);
                                break;
                        default:
-                               DEBUG(0,("convert_string_internal: Conversion 
error: %s(%s)\n",
-                                        reason, (const char *)src));
+                               DBG_ERR("convert_string_internal: Conversion 
error: %s\n",
+                                       reason);
                                break;
                }
                /* smb_panic(reason); */
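Review bot: in the E2BIG arm the `if (from == CH_UNIX)` now chooses between two DBG_NOTICE calls that are textually identical (both log the two charset names, srclen, destlen and reason), so the branch is dead and the two calls should collapse into one. Separately, the EINVAL arm dropped the "convert_string_internal:" prefix while the EILSEQ and default arms kept it; the enclosing function is convert_string_handle, and the DBG_NOTICE/DBG_ERR macros already prefix the calling function's name, so the prefix is both redundant and wrong and should go from all arms.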
@@ -427,20 +427,22 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct 
smb_iconv_handle *ic,
                switch(errno) {
                        case EINVAL:
                                reason="Incomplete multibyte sequence";
-                               DEBUG(3,("convert_string_talloc: Conversion 
error: %s(%s)\n",reason,inbuf));
+                               DBG_NOTICE("Conversion error: %s\n",
+                                          reason);
                                break;
                        case E2BIG:
                                reason = "output buffer is too small";
-                               DBG_NOTICE("convert_string_talloc: "
-                                          "Conversion error: %s(%s)\n",
-                                          reason, inbuf);
+                               DBG_NOTICE("Conversion error: %s\n",
+                                          reason);
                                break;
                        case EILSEQ:
                                reason="Illegal multibyte sequence";
-                               DEBUG(3,("convert_string_talloc: Conversion 
error: %s(%s)\n",reason,inbuf));
+                               DBG_NOTICE("Conversion error: %s\n",
+                                          reason);
                                break;
                        default:
-                               DEBUG(0,("Conversion error: 
%s(%s)\n",reason,inbuf));
+                               DBG_ERR("Conversion error: %s\n",
+                                       reason);
                                break;
                }
                /* smb_panic(reason); */
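Review bot: the four arms now differ only in the `reason` text and the log level, so the switch could just select `reason` (and the level) and a single log call after it could do the printing, keeping the "never log the input" rule in one place rather than four. Dropping `inbuf` from the message is the right fix here: the release note says printing it reads past the end of the allocated buffer, so no log level should print it at all, and any remaining caller that logs the failed input on the error path needs the same treatment.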
diff --git a/source4/dsdb/kcc/scavenge_dns_records.c 
b/source4/dsdb/kcc/scavenge_dns_records.c
index 6c0684b3153..8e916cf7b06 100644
--- a/source4/dsdb/kcc/scavenge_dns_records.c
+++ b/source4/dsdb/kcc/scavenge_dns_records.c
@@ -128,6 +128,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
        struct ldb_message_element *el = NULL;
        struct ldb_message_element *tombstone_el = NULL;
        struct ldb_message_element *old_el = NULL;
+       struct ldb_message *new_msg = NULL;
+       struct ldb_message *old_msg = NULL;
        int ret;
        struct GUID guid;
        struct GUID_txt_buf buf_guid;
@@ -184,12 +186,29 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
         * change.  This prevents race conditions.
         */
        for (i = 0; i < res->count; i++) {
-               old_el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
+               old_msg = ldb_msg_copy(mem_ctx, res->msgs[i]);
+               if (old_msg == NULL) {
+                       return NT_STATUS_INTERNAL_ERROR;
+               }
+
+               old_el = ldb_msg_find_element(old_msg, "dnsRecord");
+               if (old_el == NULL) {
+                       TALLOC_FREE(old_msg);
+                       return NT_STATUS_INTERNAL_ERROR;
+               }
+
                old_el->flags = LDB_FLAG_MOD_DELETE;
+               new_msg = ldb_msg_copy(mem_ctx, old_msg);
+               if (new_msg == NULL) {
+                       TALLOC_FREE(old_msg);
+                       return NT_STATUS_INTERNAL_ERROR;
+               }
 
                ret = ldb_msg_add_empty(
-                   res->msgs[i], "dnsRecord", LDB_FLAG_MOD_ADD, &el);
+                   new_msg, "dnsRecord", LDB_FLAG_MOD_ADD, &el);
                if (ret != LDB_SUCCESS) {
+                       TALLOC_FREE(old_msg);
+                       TALLOC_FREE(new_msg);
                        return NT_STATUS_INTERNAL_ERROR;
                }
 
@@ -197,12 +216,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
                status = copy_current_records(mem_ctx, old_el, el, t);
 
                if (!NT_STATUS_IS_OK(status)) {
+                       TALLOC_FREE(old_msg);
+                       TALLOC_FREE(new_msg);
                        return NT_STATUS_INTERNAL_ERROR;
                }
 
                /* If nothing was expired, do nothing. */
                if (el->num_values == old_el->num_values &&
                    el->num_values != 0) {
+                       TALLOC_FREE(old_msg);
+                       TALLOC_FREE(new_msg);
                        continue;
                }
 
@@ -213,14 +236,16 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
                        el->values = tombstone_blob;
                        el->num_values = 1;
 
-                       tombstone_el = ldb_msg_find_element(res->msgs[i],
+                       tombstone_el = ldb_msg_find_element(new_msg,
                                                  "dnsTombstoned");
                        if (tombstone_el == NULL) {
-                               ret = ldb_msg_add_value(res->msgs[i],
+                               ret = ldb_msg_add_value(new_msg,
                                                        "dnsTombstoned",
                                                        true_struct,
                                                        &tombstone_el);
                                if (ret != LDB_SUCCESS) {
+                                       TALLOC_FREE(old_msg);
+                                       TALLOC_FREE(new_msg);
                                        return NT_STATUS_INTERNAL_ERROR;
                                }
                                tombstone_el->flags = LDB_FLAG_MOD_ADD;
@@ -234,13 +259,15 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
                         * Do not change the status of dnsTombstoned
                         * if we found any live records
                         */
-                       ldb_msg_remove_attr(res->msgs[i],
+                       ldb_msg_remove_attr(new_msg,
                                            "dnsTombstoned");
                }
 
                /* Set DN to the GUID in case the object was moved. */
-               el = ldb_msg_find_element(res->msgs[i], "objectGUID");
+               el = ldb_msg_find_element(new_msg, "objectGUID");
                if (el == NULL) {
+                       TALLOC_FREE(old_msg);
+                       TALLOC_FREE(new_msg);
                        *error_string =
                            talloc_asprintf(mem_ctx,
                                            "record has no objectGUID "
@@ -251,20 +278,24 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
 
                status = GUID_from_ndr_blob(el->values, &guid);
                if (!NT_STATUS_IS_OK(status)) {
+                       TALLOC_FREE(old_msg);
+                       TALLOC_FREE(new_msg);
                        *error_string =
                            discard_const_p(char, "Error: Invalid GUID.\n");
                        return NT_STATUS_INTERNAL_ERROR;
                }
 
                GUID_buf_string(&guid, &buf_guid);
-               res->msgs[i]->dn =
+               new_msg->dn =
                    ldb_dn_new_fmt(mem_ctx, samdb, "<GUID=%s>", buf_guid.buf);
 
                /* Remove the GUID so we're not trying to modify it. */
-               ldb_msg_remove_attr(res->msgs[i], "objectGUID");
+               ldb_msg_remove_attr(new_msg, "objectGUID");
 
-               ret = ldb_modify(samdb, res->msgs[i]);
+               ret = ldb_modify(samdb, new_msg);
                if (ret != LDB_SUCCESS) {
+                       TALLOC_FREE(old_msg);
+                       TALLOC_FREE(new_msg);
                        *error_string =
                            talloc_asprintf(mem_ctx,
                                            "Failed to modify dns record "
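Review bot: new_msg->dn is allocated with ldb_dn_new_fmt(mem_ctx, ...), so the TALLOC_FREE(new_msg) at the end of the loop does not reclaim it and one DN per record accumulates on mem_ctx until the caller frees it; allocate it on new_msg instead, i.e. `ldb_dn_new_fmt(new_msg, samdb, "<GUID=%s>", buf_guid.buf)`, and check the result for NULL before ldb_modify, which is also missing.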
@@ -273,6 +304,8 @@ NTSTATUS dns_tombstone_records_zone(TALLOC_CTX *mem_ctx,
                                            ldb_errstring(samdb));
                        return NT_STATUS_INTERNAL_ERROR;
                }
+               TALLOC_FREE(old_msg);
+               TALLOC_FREE(new_msg);
        }
 
        return NT_STATUS_OK;
diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c 
b/source4/dsdb/samdb/ldb_modules/acl_util.c
index 6d645b10fe2..b9931795e19 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
@@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, 
bool *explicit)
 
 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
                                        struct ldb_dn *nc_root,
-                                       struct ldb_dn *dn,
+                                       struct GUID guid,
                                        bool include_self)
 {
        struct ldb_context *ldb = ldb_module_get_ctx(module);
@@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module 
*module,
        }
 
        op->nc_root = nc_root;
-       op->dn = dn;
+       op->guid = guid;
        op->include_self = include_self;
 
        ret = dsdb_module_extended(module, op, NULL,
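Review bot: with the key changing from a DN pointer to a GUID by value, op->guid can no longer be NULL but can be all-zero if a caller passes an unresolved GUID; reject that with GUID_all_zero() before dsdb_module_extended, since a <GUID=00000000-...> lookup during propagation can never match an object. The prototype in samdb.h and the guid member of dsdb_extended_sec_desc_propagation_op have to change in step (the summary lists a 2-line samdb.h change that is not in the truncated diff).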
diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c 
b/source4/dsdb/samdb/ldb_modules/descriptor.c
index 9018b750ab5..daa08c2ebc7 100644
--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
@@ -46,9 +46,8 @@
 
 struct descriptor_changes {
        struct descriptor_changes *prev, *next;
-       struct descriptor_changes *children;
        struct ldb_dn *nc_root;
-       struct ldb_dn *dn;
+       struct GUID guid;
        bool force_self;
        bool force_children;
        struct ldb_dn *stopped_dn;
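Review bot: the change is now keyed by GUID, but stopped_dn in the same struct is still a DN; if it is later compared against object DNs that a rename earlier in the same transaction has changed, the stale-DN problem this series removes for dn and children remains for stopped_dn. Please confirm it is only compared within one propagation pass (the "protected by a transaction" commit in this series is the natural place to state that), or key it by GUID as well.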
@@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, 
struct ldb_request *req)
                                    current_attrs,
                                    DSDB_FLAG_NEXT_MODULE |
                                    DSDB_FLAG_AS_SYSTEM |
-                                   DSDB_SEARCH_SHOW_RECYCLED,
+                                   DSDB_SEARCH_SHOW_RECYCLED |
+                                   DSDB_SEARCH_SHOW_EXTENDED_DN,
                                    req);
        if (ret != LDB_SUCCESS) {
                ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not 
find %s\n",
@@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, 
struct ldb_request *req)
                user_sd = old_sd;
        }
 
-       sd = get_new_descriptor(module, dn, req,
+       sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
                                objectclass, parent_sd,
                                user_sd, old_sd, sd_flags);
        if (sd == NULL) {
@@ -869,15 +869,32 @@ static int descriptor_modify(struct ldb_module *module, 
struct ldb_request *req)
                        return ldb_oom(ldb);
                }
        } else if (cmp_ret != 0) {
+               struct GUID guid;
                struct ldb_dn *nc_root;
+               NTSTATUS status;
 
-               ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
+               ret = dsdb_find_nc_root(ldb,
+                                       msg,
+                                       current_res->msgs[0]->dn,
+                                       &nc_root);
                if (ret != LDB_SUCCESS) {
                        return ldb_oom(ldb);
                }
 
-               ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-                                                         dn, false);
+               status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
+                                                  &guid,
+                                                  "GUID");
+               if (!NT_STATUS_IS_OK(status)) {
+                       return ldb_operr(ldb);
+               }
+
+               /*
+                * Force SD propagation on children of this record
+                */
+               ret = dsdb_module_schedule_sd_propagation(module,
+                                                         nc_root,
+                                                         guid,
+                                                         false);
                if (ret != LDB_SUCCESS) {
                        return ldb_operr(ldb);
                }
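Review bot: when dsdb_get_extended_dn_guid() fails the hunk returns ldb_operr(ldb) with no error string, so the only diagnostic is a generic operations error; add ldb_asprintf_errstring() naming the DN before returning. The pre-existing `return ldb_oom(ldb)` for any dsdb_find_nc_root() failure (context line just above) has the same problem and additionally mislabels the failure as out of memory; returning ret would be more honest. The GUID is read from current_res->msgs[0]->dn, which only carries it because the search two hunks up added DSDB_SEARCH_SHOW_EXTENDED_DN; that dependency deserves a comment at the extraction site.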
@@ -960,16 +977,31 @@ static int descriptor_rename(struct ldb_module *module, 
struct ldb_request *req)
 
        if (ldb_dn_compare(olddn, newdn) != 0) {
                struct ldb_dn *nc_root;
+               struct GUID guid;
 
                ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
                if (ret != LDB_SUCCESS) {
                        return ldb_oom(ldb);
                }
 
-               ret = dsdb_module_schedule_sd_propagation(module, nc_root,
-                                                         newdn, true);
-               if (ret != LDB_SUCCESS) {
-                       return ldb_operr(ldb);
+               ret = dsdb_module_guid_by_dn(module,
+                                            olddn,
+                                            &guid,
+                                            req);
+               if (ret == LDB_SUCCESS) {
+                       /*
+                        * Without disturbing any errors if the olddn
+                        * does not exit, force SD propagation on
+                        * this record (get a new inherited SD from
+                        * the potentially new parent
+                        */
+                       ret = dsdb_module_schedule_sd_propagation(module,
+                                                                 nc_root,
+                                                                 guid,
+                                                                 true);
+                       if (ret != LDB_SUCCESS) {
+                               return ldb_operr(ldb);
+                       }
                }
        }
 
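Review bot: `if (ret == LDB_SUCCESS)` swallows every failure of dsdb_module_guid_by_dn(), not just the missing-olddn case the comment describes; distinguish LDB_ERR_NO_SUCH_OBJECT (skip) from any other error (return it), otherwise a transient database error silently leaves the renamed subtree without SD propagation, which is exactly the defect CVE-2019-14902 is about. The comment also needs "exit" to read "exist" and is missing its closing parenthesis.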
@@ -985,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct 
ldb_module *module,
        struct ldb_context *ldb = ldb_module_get_ctx(module);
        struct dsdb_extended_sec_desc_propagation_op *op;
        TALLOC_CTX *parent_mem = NULL;
-       struct descriptor_changes *parent_change = NULL;
        struct descriptor_changes *c;
-       int ret;
 
        op = talloc_get_type(req->op.extended.data,
                             struct dsdb_extended_sec_desc_propagation_op);
@@ -1004,32 +1034,6 @@ static int 
descriptor_extended_sec_desc_propagation(struct ldb_module *module,
 
        parent_mem = descriptor_private->trans_mem;
 
-       for (c = descriptor_private->changes; c; c = c->next) {
-               ret = ldb_dn_compare(c->nc_root, op->nc_root);
-               if (ret != 0) {
-                       continue;
-               }
-
-               ret = ldb_dn_compare(c->dn, op->dn);
-               if (ret == 0) {
-                       if (op->include_self) {
-                               c->force_self = true;
-                       } else {
-                               c->force_children = true;
-                       }
-                       return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
-               }
-
-               ret = ldb_dn_compare_base(c->dn, op->dn);
-               if (ret != 0) {
-                       continue;
-               }
-
-               parent_mem = c;
-               parent_change = c;
-               break;
-       }
-
        c = talloc_zero(parent_mem, struct descriptor_changes);
        if (c == NULL) {
                return ldb_module_oom(module);
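Review bot: removing this loop also removes the merging of repeated requests for the same object within a transaction (the old code set force_self or force_children on an existing entry and returned), so every dsdb_module_schedule_sd_propagation() call now appends a fresh descriptor_changes entry. If the consumer does not de-duplicate by GUID, a modify followed by a rename of the same object in one transaction propagates twice; if it does, a comment here should say so, since the "honour both change->force_self and change->force_children" commit in this series suggests the flags are now combined at processing time instead.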
@@ -1038,21 +1042,14 @@ static int 
descriptor_extended_sec_desc_propagation(struct ldb_module *module,
        if (c->nc_root == NULL) {
                return ldb_module_oom(module);
        }
-       c->dn = ldb_dn_copy(c, op->dn);
-       if (c->dn == NULL) {
-               return ldb_module_oom(module);
-       }
+       c->guid = op->guid;
        if (op->include_self) {
                c->force_self = true;
        } else {


-- 
Samba Shared Repository
