[Pkg-samba-maint] [samba] 06/07: Add security-2016-12-19.patch

Mathieu Parent sathieu at moszumanska.debian.org
Sun Dec 25 16:40:50 UTC 2016


This is an automated email from the git hooks/post-receive script.

sathieu pushed a commit to branch master
in repository samba.

commit 21850015edcdcb03eb10fec82b1067b014801025
Author: Mathieu Parent <math.parent at gmail.com>
Date:   Sat Dec 17 22:53:45 2016 +0100

    Add security-2016-12-19.patch
---
 debian/patches/security-2016-12-19.patch | 200 +++++++++++++++++++++++++++++++
 debian/patches/series                    |   1 +
 2 files changed, 201 insertions(+)

diff --git a/debian/patches/security-2016-12-19.patch b/debian/patches/security-2016-12-19.patch
new file mode 100644
index 0000000..305c5ed
--- /dev/null
+++ b/debian/patches/security-2016-12-19.patch
@@ -0,0 +1,200 @@
+From c455677d43fbda512f0178a244c90591de481d51 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl at samba.org>
+Date: Sat, 5 Nov 2016 21:22:46 +0100
+Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
+
+Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
+this vulnerability with a PoC and a good analysis.
+
+Signed-off-by: Volker Lendecke <vl at samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
+---
+ librpc/ndr/ndr_dnsp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
+index ff77bc7..974ff5e 100644
+--- a/librpc/ndr/ndr_dnsp.c
++++ b/librpc/ndr/ndr_dnsp.c
+@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
+ 		uint8_t sublen, newlen;
+ 		NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
+ 		newlen = total_len + sublen;
++		if (newlen < total_len) {
++			return ndr_pull_error(ndr, NDR_ERR_RANGE,
++					      "Failed to pull dnsp_name");
++		}
+ 		if (i != count-1) {
++			if (newlen == UINT8_MAX) {
++				return ndr_pull_error(
++					ndr, NDR_ERR_RANGE,
++					"Failed to pull dnsp_name");
++			}
+ 			newlen++; /* for the '.' */
+ 		}
+ 		ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
+-- 
+1.9.1
+
+
+From f609b3cda4b6b349ec7090ff6aa1dafe31ba495d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Wed, 23 Nov 2016 11:41:10 +0100
+Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
+ in nsupdate-gss
+
+This is just an example script that's not directly used by samba,
+but we should avoid sending delegated credentials to dns servers.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Alexander Bokovoy <ab at samba.org>
+Reviewed-by: Simo Sorce <idra at samba.org>
+---
+ source4/scripting/bin/nsupdate-gss | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
+index dec5916..509220d 100755
+--- a/source4/scripting/bin/nsupdate-gss
++++ b/source4/scripting/bin/nsupdate-gss
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+     my $flags = 
+ 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
+ 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
+-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++	GSS_C_INTEG_FLAG;
+ 
+ 
+     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
+-- 
+1.9.1
+
+
+From ff8a94caab2b9705ef393791140380ad70291e12 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Wed, 23 Nov 2016 11:42:59 +0100
+Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
+
+We should only use GSS_C_DELEG_POLICY_FLAG in order to let
+the KDC decide if we should send delegated credentials to
+a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Alexander Bokovoy <ab at samba.org>
+Reviewed-by: Simo Sorce <idra at samba.org>
+---
+ source3/librpc/crypto/gse.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 963c98a..c4c4bbc 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+ 
+ 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
+-				GSS_C_DELEG_FLAG |
+ 				GSS_C_DELEG_POLICY_FLAG |
+ 				GSS_C_REPLAY_FLAG |
+ 				GSS_C_SEQUENCE_FLAG;
+-- 
+1.9.1
+
+
+From 8c31d69461cb54cb7f5d7b04fda2e52718d9990d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Wed, 23 Nov 2016 11:44:22 +0100
+Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use
+ GSS_C_DELEG_FLAG by default
+
+This disabled the usage of GSS_C_DELEG_FLAG by default, as
+GSS_C_DELEG_POLICY_FLAG is still used by default we let the
+KDC decide if we should send delegated credentials to a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+Reviewed-by: Alexander Bokovoy <ab at samba.org>
+Reviewed-by: Simo Sorce <idra at samba.org>
+---
+ source4/auth/gensec/gensec_gssapi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index e0b2bf2..e2994f6 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
+ 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
+ 	}
+-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
++	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
+ 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
+ 	}
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
+-- 
+1.9.1
+
+
+From 913b5553bed688e9ae471de8b7d895c17f3ac6ab Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze at samba.org>
+Date: Tue, 22 Nov 2016 17:08:46 +0100
+Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum
+ types in check_pac_checksum()
+
+aes based checksums can only be checked with the
+corresponding aes based keytype.
+
+Otherwise we may trigger an undefined code path
+deep in the kerberos libraries, which can leed to
+segmentation faults.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
+
+Signed-off-by: Stefan Metzmacher <metze at samba.org>
+---
+ auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
+index 32d9d7f..7b6efdc 100644
+--- a/auth/kerberos/kerberos_pac.c
++++ b/auth/kerberos/kerberos_pac.c
+@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+ 	krb5_boolean checksum_valid = false;
+ 	krb5_data input;
+ 
++	switch (sig->type) {
++	case CKSUMTYPE_HMAC_MD5:
++		/* ignores the key type */
++		break;
++	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
++		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
++			return EINVAL;
++		}
++		/* ok */
++		break;
++	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
++		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
++			return EINVAL;
++		}
++		/* ok */
++		break;
++	default:
++		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
++			(int)sig->type));
++		return EINVAL;
++	}
++
+ #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+ 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
+ 	cksum.checksum.length	= sig->signature.length;
+-- 
+1.9.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 3788884..b9fb59b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,3 +15,4 @@ systemd-syslog.target-is-obsolete.patch
 Add-documentation-to-systemd-Unit-files.patch
 fix_kill_path_in_units.patch
 nmbd-requires-a-working-network.patch
+security-2016-12-19.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git




More information about the Pkg-samba-maint mailing list