[Pkg-samba-maint] [samba] 01/02: add fix for CVE-2015-0240

Ivo De Decker ivodd at moszumanska.debian.org
Mon Feb 23 18:11:42 UTC 2015


This is an automated email from the git hooks/post-receive script.

ivodd pushed a commit to branch squeeze
in repository samba.

commit 7bebe42f3a6f5bdb0d9503df85e255d35a4c6ee5
Author: Ivo De Decker <ivodd at debian.org>
Date:   Sun Feb 22 22:22:10 2015 +0100

    add fix for CVE-2015-0240
    
    Unauthenticated code execution attack on smbd file services
---
 debian/changelog                            |   8 ++
 debian/patches/security-CVE-2015-0240.patch | 117 ++++++++++++++++++++++++++++
 debian/patches/series                       |   1 +
 3 files changed, 126 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index ccd3067..9a53002 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.5.6~dfsg-3squeeze12) UNRELEASED; urgency=high
+
+  * Security update
+  * CVE-2015-0240: Unauthenticated code execution attack on smbd file
+    services
+
+ -- Ivo De Decker <ivodd at debian.org>  Sun, 22 Feb 2015 22:21:16 +0100
+
 samba (2:3.5.6~dfsg-3squeeze11) squeeze-security; urgency=high
 
   * Security update
diff --git a/debian/patches/security-CVE-2015-0240.patch b/debian/patches/security-CVE-2015-0240.patch
new file mode 100644
index 0000000..7abbb1a
--- /dev/null
+++ b/debian/patches/security-CVE-2015-0240.patch
@@ -0,0 +1,117 @@
+===========================================================
+== Subject:     Unexpected code execution in smbd.
+==
+== CVE ID#:     CVE-2015-0240
+==
+== Versions:    Samba 3.5.0 to 4.2.0rc4
+==
+== Summary:     Unauthenticated code execution attack on
+==		smbd file services.
+==
+===========================================================
+
+===========
+Description
+===========
+
+All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
+unexpected code execution vulnerability in the smbd file server
+daemon.
+
+A malicious client could send packets that may set up the stack in
+such a way that the freeing of memory in a subsequent anonymous
+netlogon packet could allow execution of arbitrary code. This code
+would execute with root privileges.
+
+=======
+Credits
+=======
+
+This problem was found by Richard van Eeden of Microsoft Vulnerability
+Research, who also provided the fix.
+
+
+
+Index: samba/source3/rpc_server/srv_netlog_nt.c
+===================================================================
+--- samba.orig/source3/rpc_server/srv_netlog_nt.c
++++ samba/source3/rpc_server/srv_netlog_nt.c
+@@ -782,6 +782,10 @@ static NTSTATUS netr_creds_server_step_c
+ 		(p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY ||
+ 		 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY); */
+ 
++	if (creds_out != NULL) {
++		*creds_out = NULL;
++	}
++
+ 	tdb = open_schannel_session_store(mem_ctx);
+ 	if (!tdb) {
+ 		return NT_STATUS_ACCESS_DENIED;
+@@ -923,7 +927,7 @@ NTSTATUS _netr_ServerPasswordSet(pipes_s
+ 	NTSTATUS status = NT_STATUS_OK;
+ 	struct samu *sampass=NULL;
+ 	int i;
+-	struct netlogon_creds_CredentialState *creds;
++	struct netlogon_creds_CredentialState *creds = NULL;
+ 
+ 	DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
+ 
+@@ -936,9 +940,15 @@ NTSTATUS _netr_ServerPasswordSet(pipes_s
+ 	unbecome_root();
+ 
+ 	if (!NT_STATUS_IS_OK(status)) {
++		const char *computer_name = "<unknown>";
++
++		if (creds != NULL && creds->computer_name != NULL) {
++			computer_name = creds->computer_name;
++		}
++
+ 		DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
+ 			"request from client %s machine account %s\n",
+-			r->in.computer_name, creds->computer_name));
++			r->in.computer_name, computer_name));
+ 		TALLOC_FREE(creds);
+ 		return status;
+ 	}
+@@ -977,7 +987,7 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ 				  struct netr_ServerPasswordSet2 *r)
+ {
+ 	NTSTATUS status;
+-	struct netlogon_creds_CredentialState *creds;
++	struct netlogon_creds_CredentialState *creds = NULL;
+ 	struct samu *sampass;
+ 	DATA_BLOB plaintext;
+ 	struct samr_CryptPassword password_buf;
+@@ -992,9 +1002,15 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ 	unbecome_root();
+ 
+ 	if (!NT_STATUS_IS_OK(status)) {
++		const char *computer_name = "<unknown>";
++
++		if (creds && creds->computer_name) {
++			computer_name = creds->computer_name;
++		}
++
+ 		DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
+ 			"failed. Rejecting auth request from client %s machine account %s\n",
+-			r->in.computer_name, creds->computer_name));
++			r->in.computer_name, computer_name));
+ 		TALLOC_FREE(creds);
+ 		return status;
+ 	}
+@@ -1004,6 +1020,7 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ 	netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+ 
+ 	if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
++		TALLOC_FREE(creds);
+ 		return NT_STATUS_WRONG_PASSWORD;
+ 	}
+ 
+@@ -1012,6 +1029,7 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ 	status = netr_find_machine_account(p->mem_ctx,
+ 					   creds->account_name,
+ 					   &sampass);
++	TALLOC_FREE(creds);
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		return status;
+ 	}
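Review bot: The added `*creds_out = NULL;` at the top of netr_creds_server_step_check carries an undocumented contract: the two visible callers run `TALLOC_FREE(creds)` on their failure branches, which is only safe if the out-pointer is never left holding stack garbage. A comment at that site, such as `/* Callers TALLOC_FREE(*creds_out) on failure; never leave it uninitialised. */`, would stop a later refactor from dropping the reset. The two failure branches also spell the same guard differently, `creds != NULL && creds->computer_name != NULL` in _netr_ServerPasswordSet and `creds && creds->computer_name` in _netr_ServerPasswordSet2, and the explicit form would read better in both. All three function bodies start and end outside the embedded hunks, so other callers of netr_creds_server_step_check cannot be checked from this patch. Any such caller presumably depends on the callee-side reset alone and is worth auditing for the same `= NULL` initialiser.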
diff --git a/debian/patches/series b/debian/patches/series
index bd77d21..a50d364 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,4 @@ security-CVE-2013-0213.patch
 security-CVE-2013-0214.patch
 security-CVE-2013-4124.patch
 security-CVE-2013-4408.patch
+security-CVE-2015-0240.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



