CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.
CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
7. If none of the first 5 bytes of the client challenge is unique, the
server MUST fail session-key negotiation without further processing of
the following steps.
It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."
Signed-off-by: Stefan Metzmacher <metze@samba.org>
[dbagnall@samba.org, abartlet@samba.org: wscript_build backport
differs because 4.10 has no gnutls dependency]
It's good to have just a single isolated function that will generate
random challenges, in future we can add some logic in order to
avoid weak values, which are likely to be rejected by a server.
Martin Schwenke [Fri, 5 Jun 2020 12:05:42 +0000 (22:05 +1000)]
util: Reallocate larger buffer if getpwuid_r() returns ERANGE
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Bjoern Jacke <bjacke@samba.org>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jun 9 21:07:24 UTC 2020 on sn-devel-184
Martin Schwenke [Tue, 9 Jun 2020 01:52:50 +0000 (11:52 +1000)]
util: Simplify input validation
It appears that snprintf(3) is being used for input validation.
However, this seems like overkill because it causes szPath to be
copied an extra time. The mostly likely protections being sought
here, according to https://cwe.mitre.org/data/definitions/20.html,
look to be DoS attacks involving CPU and memory usage. A simpler
check that uses strnlen(3) can mitigate against both of these and is
simpler.
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Bjoern Jacke <bjacke@samba.org>
(cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229)
Karolin Seeger [Thu, 25 Jun 2020 11:12:45 +0000 (13:12 +0200)]
VERSION: Diable GIT_SNAPSHOT for the 4.10.17 release.
This is a security release in order to address the following CVEs:
o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
LDAP Server with ASQ, VLV and paged_results.
o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
excessive CPU.
o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
paged_results and VLV.
o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
Andrew Bartlett [Fri, 5 Jun 2020 10:14:48 +0000 (22:14 +1200)]
CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
Otherwise a paged search on the GC port will fail as the ->data was
not kept around for the second page of searches.
An example command to produce this is
bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD
This shows up later in the partition module as:
ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
#0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
#1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
#2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
#3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780
or
smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
(from source4/dsdb/samdb/ldb_modules/partition.c:780)
Andrew Bartlett [Wed, 24 Jun 2020 23:59:54 +0000 (11:59 +1200)]
CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(backported from master commit)
[abartlet@samba.org: Remove f"" format string not supported in
Python 3.4]
Douglas Bagnall [Thu, 14 May 2020 22:52:45 +0000 (10:52 +1200)]
CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").
Douglas Bagnall [Fri, 24 Apr 2020 23:10:18 +0000 (11:10 +1200)]
CVE-2020-10745: ndr_dns: do not allow consecutive dots
The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".
Douglas Bagnall [Fri, 24 Apr 2020 23:02:08 +0000 (11:02 +1200)]
CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.
(backported from master commit)
[abartlet@samba.org: backported due to differences in pre-existing
tests - eg test_ndr - mentioned in wscript_build and tests.py]
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from patch for master)
[abartlet@samba.org: f"" strings are not in Python 3.4 and
bytes cannot be formatted in python 3.4]
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Gary Lockyer [Tue, 12 May 2020 22:56:56 +0000 (10:56 +1200)]
CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from function a function that calls
ldb_module_done as part of it's error handling.
Jeremy Allison [Fri, 15 May 2020 19:18:02 +0000 (12:18 -0700)]
s3: lib: Paranoia around use of snprintf copying into a fixed-size buffer from a getenv() pointer.
Post checks for overflow/error.
Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri May 15 14:40:32 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Apr 29 09:44:55 UTC 2020 on sn-devel-184
Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Amit Kumar <amitkuma@redhat.com> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit c83ce5f4f99aef94530411ec82cc03e9935b352d)
Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-10-test): Thu May 14 12:11:49 UTC 2020 on sn-devel-144
Signed-off-by: Amit Kumar <amitkuma@redhat.com> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 2a7fc40fb3f3ca994cecad3e2957433d7a411208)
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Apr 6 19:09:53 UTC 2020 on sn-devel-184
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit ec69752cb963ae850568d3f4905d2941e485627e)
Volker Lendecke [Sat, 2 May 2020 13:18:07 +0000 (15:18 +0200)]
libsmb: Protect cli_oem_change_password() from rprcnt<2
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14366 Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue May 5 17:12:04 UTC 2020 on sn-devel-184
Volker Lendecke [Thu, 19 Mar 2020 10:01:41 +0000 (11:01 +0100)]
libsmb: Don't try to find posix stat info in SMBC_getatr()
This wrongly used "frame" instead of "fname", which can never have
worked. A first attempt to fix in 51551e0d53fa6 caused a few followup
patches in an attempt to clean up the test failures 51551e0d53fa6
introduced. They were reverted after a few discussions. So rather than
changing behaviour, just remove the code that introduced the valgrind
error again.
Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Mar 20 05:06:07 UTC 2020 on sn-devel-184
The test python/samba/tests/ldap_raw.py does not run under python 3
which means the CI task build_ad_dc_py2 fails. The test is run and
passes in the CI task build_ad_dc. This patch adds a check for the
Python version and skips the tests if running under python 2, allowing
CI to run for V4.10.
This patch is only applied to version 4.10.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Gary Lockyer [Thu, 2 Apr 2020 02:25:53 +0000 (15:25 +1300)]
CVE-2020-10704: libcli ldap: test recursion depth in ldap_decode_filter_tree
Add tests to check that ASN.1 ldap requests with deeply nested elements
are rejected. Previously there was no check on the on the depth of
nesting and excessive nesting could cause a stack overflow.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(backported from patch for master due to selftest changes) Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
(backported from patch for master due to selftest changes) Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
Martin Schwenke [Fri, 6 Mar 2020 05:11:23 +0000 (16:11 +1100)]
ctdb-tcp: Do not stop outbound connection in ctdb_tcp_node_connect()
The only place the outgoing connection needs to be stopped is when
there is a timeout when waiting for the connection to become writable.
Add a new function ctdb_tcp_node_connect_timeout() to handle this
case.
All of the other cases are attempts to establish a new outgoing
connection (initial attempt, retry after an error or disconnect, ...)
so drop stopping the connection in those cases.
Signed-off-by: Amitay Isaacs <amitay@gmail.com> Signed-off-by: Martin Schwenke <martin@meltin.net>
Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Thu Mar 12 05:29:20 UTC 2020 on sn-devel-184
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 2c73dbafba50b28e72a8ec7b4382fae42fca6d17)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 1e2a967ff41cc29c3a0d7f61a46937c68fdb90ba)
Signed-off-by: Ralph Boehme <slow@samba.org> Signed-off-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit ea37ecdcd5960311f54a7a5510b88a654da23daa)
Ralph Boehme [Sat, 29 Feb 2020 11:13:12 +0000 (12:13 +0100)]
ctdb-tcp: always call node_dead() upcall in ctdb_tcp_tnode_cb()
ctdb_tcp_tnode_cb() is called when we receive data on the outgoing connection.
This can happen when we get an EOF on the connection because the other side as
closed. In this case data will be NULL.
It would also be called if we received data from the peer. In this case data
will not be NULL.
The latter case is a fatal error though and we already call
ctdb_tcp_stop_connection() for this case as well, which means even though the
node is not fully connected anymore, by not calling the node_dead() upcall
NODE_FLAGS_DISCONNECTED will not be set.
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit b83ef98c7466b2a81968555de83fb977bb6ca9f0)
Noel Power [Sat, 29 Feb 2020 15:49:28 +0000 (15:49 +0000)]
ctdb-tcp: move free of inbound queue to TCP restart
Since commit 77deaadca8e8dbc3c92ea16893099c72f6dc874e, a nodeA which
had previously accepted a connection from nodeB (where nodeB dies
e.g. as as result of fencing) when nodeB attempts to connect again
after restarting is always rejected with
ctdb_listen_event: Incoming queue active, rejecting connection from w.x.y.z
messages.
Consolidate dead node handling in the TCP restart handling.
Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 0ff1b78fc2f0491f9e11131d0040bdaba8873770)
Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 15762a34559599cf908e30651a2d4c11560068ed)
Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net>
(cherry picked from commit 6a4fa0785fc83561939fa41617d526eb96c1af89)
projects / thirdparty / samba.git / log
