[Pkg-samba-maint] [samba] 01/06: add patch for CVE-2015-0240

Ivo De Decker ivodd at moszumanska.debian.org
Mon Feb 23 18:12:23 UTC 2015


This is an automated email from the git hooks/post-receive script.

ivodd pushed a commit to branch squeeze-backports
in repository samba.

commit a2eff1bad0db53c447037ea6c17800c380c18b41
Author: Ivo De Decker <ivodd at debian.org>
Date:   Thu Feb 19 22:29:54 2015 +0100

    add patch for CVE-2015-0240
    
    Unauthenticated code execution attack on smbd file services
---
 debian/changelog                            |   8 ++
 debian/patches/security-CVE-2015-0240.patch | 155 ++++++++++++++++++++++++++++
 debian/patches/series                       |   1 +
 3 files changed, 164 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 1a94fdf..143561f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.6.6-6+deb7u5) UNRELEASED; urgency=high
+
+  * Security update
+  * CVE-2015-0240: Unauthenticated code execution attack on smbd file
+    services
+
+ -- Ivo De Decker <ivodd at debian.org>  Thu, 19 Feb 2015 22:28:13 +0100
+
 samba (2:3.6.6-6+deb7u4) wheezy-security; urgency=high
 
   * Security update
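Review bot: The new changelog entry still has its distribution set to UNRELEASED, and its version 2:3.6.6-6+deb7u5 sits directly on top of a wheezy-security entry although this commit was pushed to the squeeze-backports branch; confirm the intended target suite and set the distribution before upload. The entry also does not name the patch file this commit adds (debian/patches/security-CVE-2015-0240.patch); listing it would tie the changelog line to the actual fix.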
diff --git a/debian/patches/security-CVE-2015-0240.patch b/debian/patches/security-CVE-2015-0240.patch
new file mode 100644
index 0000000..ac74533
--- /dev/null
+++ b/debian/patches/security-CVE-2015-0240.patch
@@ -0,0 +1,155 @@
+===========================================================
+== Subject:     Unexpected code execution in smbd.
+==
+== CVE ID#:     CVE-2015-0240
+==
+== Versions:    Samba 3.5.0 to 4.2.0rc4
+==
+== Summary:     Unauthenticated code execution attack on
+==		smbd file services.
+==
+===========================================================
+
+===========
+Description
+===========
+
+All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
+unexpected code execution vulnerability in the smbd file server
+daemon.
+
+A malicious client could send packets that may set up the stack in
+such a way that the freeing of memory in a subsequent anonymous
+netlogon packet could allow execution of arbitrary code. This code
+would execute with root privileges.
+
+=======
+Credits
+=======
+
+This problem was found by Richard van Eeden of Microsoft Vulnerability
+Research, who also provided the fix.
+
+
+
+From 32cdad66bde9c385bd07cb373812bd9a46d0b86b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra at samba.org>
+Date: Wed, 28 Jan 2015 14:47:31 -0800
+Subject: [PATCH 1/3] CVE-2015-0240: s3: netlogon: Ensure we don't call
+ talloc_free on an uninitialized pointer.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
+
+Signed-off-by: Jeremy Allison <jra at samba.org>
+Reviewed-by: Stefan Metzmacher <metze at samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 3fd93bc..0366caa 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1070,6 +1070,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 	NTSTATUS status;
+ 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ 
++	if (creds_out != NULL) {
++		*creds_out = NULL;
++	}
++
+ 	if (schannel_global_required) {
+ 		status = schannel_check_required(&p->auth,
+ 						 computer_name,
+@@ -1205,7 +1209,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
+ {
+ 	NTSTATUS status = NT_STATUS_OK;
+ 	int i;
+-	struct netlogon_creds_CredentialState *creds;
++	struct netlogon_creds_CredentialState *creds = NULL;
+ 
+ 	DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
+ 
+-- 
+2.3.0
+
+
+From 38225873da44350663d36cecc8d8d60aa5f0e54a Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Mon, 16 Feb 2015 10:59:23 +0100
+Subject: [PATCH 2/3] s3-netlogon: Make sure we do not deference a NULL
+ pointer.
+
+This is an additional patch for CVE-2015-0240.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
+
+Pair-Programmed-With: Michael Adam <obnox at samba.org>
+Pair-Programmed-With: Andreas Schneider <asn at samba.org>
+Signed-off-by: Michael Adam <obnox at samba.org>
+Signed-off-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: Volker Lendecke <vl at samba.org>
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 0366caa..a26638e 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1222,9 +1222,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
+ 	unbecome_root();
+ 
+ 	if (!NT_STATUS_IS_OK(status)) {
++		const char *computer_name = "<unknown>";
++
++		if (creds != NULL && creds->computer_name != NULL) {
++			computer_name = creds->computer_name;
++		}
+ 		DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
+ 			"request from client %s machine account %s\n",
+-			r->in.computer_name, creds->computer_name));
++			r->in.computer_name, computer_name));
+ 		TALLOC_FREE(creds);
+ 		return status;
+ 	}
+-- 
+2.3.0
+
+
+From 6732025dd330ead77ee4ae44badbaa13044b6422 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn at samba.org>
+Date: Mon, 16 Feb 2015 10:56:03 +0100
+Subject: [PATCH 3/3] auth: Make sure that creds_out is initialized with NULL.
+
+This is an additional patch for CVE-2015-0240.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
+
+Pair-Programmed-With: Michael Adam <obnox at samba.org>
+Pair-Programmed-With: Andreas Schneider <asn at samba.org>
+Signed-off-by: Michael Adam <obnox at samba.org>
+Signed-off-by: Andreas Schneider <asn at samba.org>
+Reviewed-by: Volker Lendecke <vl at samba.org>
+---
+ libcli/auth/schannel_state_tdb.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
+index ca35a11..145005c 100644
+--- a/libcli/auth/schannel_state_tdb.c
++++ b/libcli/auth/schannel_state_tdb.c
+@@ -285,6 +285,10 @@ NTSTATUS schannel_check_creds_state(TALLOC_CTX *mem_ctx,
+ 	NTSTATUS status;
+ 	int ret;
+ 
++	if (creds_out != NULL) {
++		*creds_out = NULL;
++	}
++
+ 	tmpctx = talloc_named(mem_ctx, 0, "schannel_check_creds_state");
+ 	if (!tmpctx) {
+ 		return NT_STATUS_NO_MEMORY;
+-- 
+2.3.0
+
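Review bot: In the embedded [PATCH 1/3], only _netr_ServerPasswordSet gets a caller-side initialiser (`struct netlogon_creds_CredentialState *creds = NULL;`), so any other caller of netr_creds_server_step_check that frees its local on the error path relies entirely on the new callee-side reset `*creds_out = NULL`. That reset is placed before the schannel_global_required check, so it covers the early returns, but it is skipped when creds_out is NULL; when applying this to the packaged tree, check the remaining callers in srv_netlog_nt.c for the same declare-then-TALLOC_FREE pattern and consider initialising those locals as well. [PATCH 2/3] is needed for the same reason: once creds can be NULL on the failure path, the DEBUG call must not read creds->computer_name, and the added guard handles that. As a style point, the file concatenates the upstream advisory text and three git-format patches without any Debian patch header fields (origin, bug reference), which would help whoever has to refresh or drop this patch later.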
diff --git a/debian/patches/series b/debian/patches/series
index 819175b..bbec167 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -32,3 +32,4 @@ security-CVE-2013-4496.patch
 security-CVE-2014-0178.patch
 security-CVE-2014-0244.patch
 security-CVE-2014-3493.patch
+security-CVE-2015-0240.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



