[Pkg-samba-maint] [samba] 01/06: add patch for CVE-2015-0240
Ivo De Decker
ivodd at moszumanska.debian.org
Mon Feb 23 18:12:23 UTC 2015
This is an automated email from the git hooks/post-receive script.
ivodd pushed a commit to branch squeeze-backports
in repository samba.
commit a2eff1bad0db53c447037ea6c17800c380c18b41
Author: Ivo De Decker <ivodd at debian.org>
Date: Thu Feb 19 22:29:54 2015 +0100
add patch for CVE-2015-0240
Unauthenticated code execution attack on smbd file services
---
debian/changelog | 8 ++
debian/patches/security-CVE-2015-0240.patch | 155 ++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 164 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 1a94fdf..143561f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.6.6-6+deb7u5) UNRELEASED; urgency=high
+
+ * Security update
+ * CVE-2015-0240: Unauthenticated code execution attack on smbd file
+ services
+
+ -- Ivo De Decker <ivodd at debian.org> Thu, 19 Feb 2015 22:28:13 +0100
+
samba (2:3.6.6-6+deb7u4) wheezy-security; urgency=high
* Security update
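Review bot: the new top entry still has UNRELEASED as its distribution, and its version 2:3.6.6-6+deb7u5 continues the wheezy-security numbering of the entry below it, while this notice says the commit was pushed to the squeeze-backports branch. Set the target suite before upload and confirm that the version string matches the branch the package is built from. The entry could also name debian/patches/security-CVE-2015-0240.patch so the changelog points at the file that carries the fix.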
diff --git a/debian/patches/security-CVE-2015-0240.patch b/debian/patches/security-CVE-2015-0240.patch
new file mode 100644
index 0000000..ac74533
--- /dev/null
+++ b/debian/patches/security-CVE-2015-0240.patch
@@ -0,0 +1,155 @@
+===========================================================
+== Subject: Unexpected code execution in smbd.
+==
+== CVE ID#: CVE-2015-0240
+==
+== Versions: Samba 3.5.0 to 4.2.0rc4
+==
+== Summary: Unauthenticated code execution attack on
+== smbd file services.
+==
+===========================================================
+
+===========
+Description
+===========
+
+All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
+unexpected code execution vulnerability in the smbd file server
+daemon.
+
+A malicious client could send packets that may set up the stack in
+such a way that the freeing of memory in a subsequent anonymous
+netlogon packet could allow execution of arbitrary code. This code
+would execute with root privileges.
+
+=======
+Credits
+=======
+
+This problem was found by Richard van Eeden of Microsoft Vulnerability
+Research, who also provided the fix.
+
+
+
+From 32cdad66bde9c385bd07cb373812bd9a46d0b86b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Wed, 28 Jan 2015 14:47:31 -0800
+Subject: [PATCH 1/3] CVE-2015-0240: s3: netlogon: Ensure we don't call
+ talloc_free on an uninitialized pointer.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Stefan Metzmacher <metze at samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 3fd93bc..0366caa 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1070,6 +1070,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ NTSTATUS status;
+ bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+
++ if (creds_out != NULL) {
++ *creds_out = NULL;
++ }
++
+ if (schannel_global_required) {
+ status = schannel_check_required(&p->auth,
+ computer_name,
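Review bot: the out-parameter contract that the early `*creds_out = NULL` establishes at the top of netr_creds_server_step_check is not documented. The caller shown further down, _netr_ServerPasswordSet, runs TALLOC_FREE(creds) on its error path, so every failure return has to leave the pointer either NULL or valid. A one-line comment above the new block stating that would help keep a later early return from reintroducing the free of an uninitialized pointer. The `creds_out != NULL` guard also makes a NULL out-pointer legal here; if the rest of the function writes through creds_out without the same check, the two should be made consistent.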
+@@ -1205,7 +1209,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
+ {
+ NTSTATUS status = NT_STATUS_OK;
+ int i;
+- struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+ DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
+
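Review bot: initializing `creds` at its declaration covers only _netr_ServerPasswordSet; the patch does not show how any other function that hands a local pointer to netr_creds_server_step_check declares it. Those declarations are worth checking and giving the same `= NULL` initializer, so that the TALLOC_FREE on each error path is safe on its own and does not depend solely on the callee resetting the pointer.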
+--
+2.3.0
+
+
+From 38225873da44350663d36cecc8d8d60aa5f0e54a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Mon, 16 Feb 2015 10:59:23 +0100
+Subject: [PATCH 2/3] s3-netlogon: Make sure we do not deference a NULL
+ pointer.
+
+This is an additional patch for CVE-2015-0240.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
+
+Pair-Programmed-With: Michael Adam <obnox at samba.org>
+Pair-Programmed-With: Andreas Schneider <asn at samba.org>
+Signed-off-by: Michael Adam <obnox at samba.org>
+Signed-off-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: Volker Lendecke <vl at samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 0366caa..a26638e 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1222,9 +1222,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
+ unbecome_root();
+
+ if (!NT_STATUS_IS_OK(status)) {
++ const char *computer_name = "<unknown>";
++
++ if (creds != NULL && creds->computer_name != NULL) {
++ computer_name = creds->computer_name;
++ }
+ DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+- r->in.computer_name, creds->computer_name));
++ r->in.computer_name, computer_name));
+ TALLOC_FREE(creds);
+ return status;
+ }
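Review bot: in the DEBUG call, `r->in.computer_name` is still passed to `%s` with no NULL guard, while the creds-derived name next to it now gets one. If the client-supplied field can be NULL on this path, give it the same "<unknown>" fallback. The new local `computer_name` also sits directly beside `r->in.computer_name` in the same argument list, which makes it easy to misread which value came from the client and which from the stored credentials; a name such as `creds_computer_name` would make that distinction visible.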
+--
+2.3.0
+
+
+From 6732025dd330ead77ee4ae44badbaa13044b6422 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Mon, 16 Feb 2015 10:56:03 +0100
+Subject: [PATCH 3/3] auth: Make sure that creds_out is initialized with NULL.
+
+This is an additional patch for CVE-2015-0240.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
+
+Pair-Programmed-With: Michael Adam <obnox at samba.org>
+Pair-Programmed-With: Andreas Schneider <asn at samba.org>
+Signed-off-by: Michael Adam <obnox at samba.org>
+Signed-off-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: Volker Lendecke <vl at samba.org>
+---
+ libcli/auth/schannel_state_tdb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
+index ca35a11..145005c 100644
+--- a/libcli/auth/schannel_state_tdb.c
++++ b/libcli/auth/schannel_state_tdb.c
+@@ -285,6 +285,10 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
+ NTSTATUS status;
+ int ret;
+
++ if (creds_out != NULL) {
++ *creds_out = NULL;
++ }
++
+ tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state");
+ if (!tmpctx) {
+ return NT_STATUS_NO_MEMORY;
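Review bot: the three-line reset at the top of schannel_check_creds_state repeats the one added to netr_creds_server_step_check in PATCH 1/3, so two layers now provide the same guarantee and neither states it. Placing it before the talloc_named check is right, since the NT_STATUS_NO_MEMORY return just below then also leaves `*creds_out` NULL. Add a sentence to the function's comment saying that `*creds_out` is NULL on any non-OK return, so that callers which free the pointer on error have a documented contract to rely on.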
+--
+2.3.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 819175b..bbec167 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ security-CVE-2013-4496.patch
security-CVE-2014-0178.patch
security-CVE-2014-0244.patch
security-CVE-2014-3493.patch
+security-CVE-2015-0240.patch
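Review bot: the single series entry on the last line gives no hint that security-CVE-2015-0240.patch bundles the advisory text and three upstream commits (PATCH 1/3 to 3/3), and the file starts with the advisory banner instead of patch metadata. A short DEP-3 style header at the top of the patch file (Description, Origin, Bug pointing at https://bugzilla.samba.org/show_bug.cgi?id=11077) would make the provenance of each part traceable when the patch is later refreshed or dropped.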
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git