[Pkg-samba-maint] [Git][samba-team/samba][master] 38 commits: VERSION: Bump version up to 4.8.4...

Sat Aug 18 00:48:12 BST 2018

Mathieu Parent pushed to branch master at Debian Samba Team / samba

Commits:
4954a6da by Karolin Seeger at 2018-08-11T06:16:00Z
VERSION: Bump version up to 4.8.4...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 1df7f93b6ede803ec01424c48d2f1f3526c9818c)

- - - - -
677fad5e by Jeremy Allison at 2018-08-11T06:16:00Z
CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
		listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
5923c3cc by Jeremy Allison at 2018-08-11T06:16:01Z
CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
                listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
87aa8361 by Andrew Bartlett at 2018-08-11T06:16:01Z
CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when not servicePrincipalName is set on a user

This regression was introduced in Samba 4.7 by bug 12842 and in
master git commit eb2e77970e41c1cb62c041877565e939c78ff52d.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552

CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
bbb72cfc by Tim Beale at 2018-08-11T06:16:01Z
CVE-2018-10919 security: Move object-specific access checks into separate function

Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.

This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
a81f32e7 by Tim Beale at 2018-08-11T06:16:01Z
CVE-2018-10919 security: Add more comments to the object-specific access checks

Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
77421f33 by Tim Beale at 2018-08-11T06:16:01Z
CVE-2018-10919 tests: Add tests for guessing confidential attributes

Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.

The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the
  user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-
  access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls

These tests all pass when run against a Windows Dc and all fail against
a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
03dba18b by Tim Beale at 2018-08-11T06:16:01Z
CVE-2018-10919 tests: Add test case for object visibility with limited rights

Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
attribute=*) searches compared to Windows.

All the acl.py tests are based on objectClass=* searches, where Windows
will happily tell a user about objects they have List Contents rights,
but not Read Property rights for. However, if you change the attribute
being searched for, suddenly the objects are no longer visible on
Windows (whereas they are on Samba).

This is a problem, because Samba can tell you about which objects have
confidential attributes, which in itself could be disclosive.

This patch adds a acl.py test-case that highlights this behaviour. The
test passes against Windows but fails against Samba.

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
a90cb03e by Tim Beale at 2018-08-11T06:16:01Z
CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights

An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.

What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.

Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.

One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
7016bfd3 by Gary Lockyer at 2018-08-11T06:16:02Z
CVE-2018-10919 tests: test ldap searches for non-existent attributes.

It is perfectly legal to search LDAP for an attribute that is not part
of the schema.  That part of the query should simply not match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
6e35ae37 by Tim Beale at 2018-08-11T06:16:02Z
CVE-2018-10919 acl_read: Split access_mask logic out into helper function

So we can re-use the same logic laster for checking the search-ops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
f9fa4e5c by Tim Beale at 2018-08-11T06:16:02Z
CVE-2018-10919 acl_read: Small refactor to aclread_callback()

Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
1575ba42 by Tim Beale at 2018-08-11T06:16:02Z
CVE-2018-10919 acl_read: Flip the logic in the dirsync check

This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
9891df45 by Tim Beale at 2018-08-11T06:16:02Z
CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches

A user that doesn't have access to view an attribute can still guess the
attribute's value via repeated LDAP searches. This affects confidential
attributes, as well as ACLs applied to an object/attribute to deny
access.

Currently the code will hide objects if the attribute filter contains an
attribute they are not authorized to see. However, the code still
returns objects as results if confidential attribute is in the search
expression itself, but not in the attribute filter.

To fix this problem we have to check the access rights on the attributes
in the search-tree, as well as the attributes returned in the message.

Points of note:
- I've preserved the existing dirsync logic (the dirsync module code
  suppresses the result as long as the replPropertyMetaData attribute is
  removed). However, there doesn't appear to be any test that highlights
  that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit
  searches like 'objectClass=*', even though we don't have Read Property
  access rights for the objectClass attribute. The logic that Windows
  uses does not appear to be clearly documented, so I've made a best
  guess that seems to mirror Windows behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
a915e23a by Tim Beale at 2018-08-11T06:16:02Z
CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case

The acl_read.c code contains a special case to allow dirsync to
work-around having insufficient access rights. We had a concern that
the dirsync module could leak sensitive information for deleted objects.
This patch adds a test-case to prove whether or not this is happening.

The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it
  hangs around for deleted objcts. Because the attributes now persist
  across test case runs, I've used a different attribute to normal.
  (Technically, the dirsync search expressions are now specific enough
  that the regular attribute could be used, but it would make things
  quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are
  now more complicated. Currently dirsync adds an extra-filter to the
  '!' searches to exclude deleted objects, i.e. samaccountname matches
  the test-objects AND the object is not deleted. We now extend this to
  include deleted objects with lastKnownParent equal to the test OU.
  The search expression matches either case so that we can use the same
  expression throughout the test (regardless of whether the object is
  deleted yet or not).

This test proves that the dirsync corner-case does not actually leak
sensitive information on Samba. This is due to a bug in the dirsync
code - when the buggy line is removed, this new test promptly fails.
Test also passes against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>

- - - - -
c775bd8b by Douglas Bagnall at 2018-08-11T06:16:02Z
selftest/tests.py: remove always-needed, never-set with_cmocka flag

We have cmocka in third_party, so we are never without it.

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

(Backported from commit 33ef0e57a4f08eae5ea06f482374fbc0a1014de6
by Andrew Bartlett)

- - - - -
3454eae9 by Andrew Bartlett at 2018-08-11T06:16:03Z
CVE-2018-1139 libcli/auth: Add initial tests for ntlm_password_check()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5fb35b7f by Günther Deschner at 2018-08-11T06:16:03Z
CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
f0bd8cc7 by Günther Deschner at 2018-08-11T06:16:03Z
CVE-2018-1139 s3-utils: use enum ntlm_auth_level in ntlm_password_check().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
6993f39d by Günther Deschner at 2018-08-11T06:16:03Z
CVE-2018-1139 selftest: verify whether ntlmv1 can be used via SMB1 when it is disabled.

Right now, this test will succeed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
a5245e46 by Günther Deschner at 2018-08-11T06:16:03Z
CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth".

This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

Found by Vivek Das <vdas at redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Guenther Deschner <gd at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
95c95a4a by Andrej Gessel at 2018-08-11T06:16:03Z
CVE-2018-1140 Add NULL check for ldb_dn_get_casefold() in ltdb_index_dn_attr()

Signed-off-by: Andrej Gessel <Andrej.Gessel at janztec.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

- - - - -
73317239 by Andrew Bartlett at 2018-08-11T06:16:03Z
CVE-2018-1140 ldb: Check for ldb_dn_get_casefold() failure in ldb_sqlite

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

- - - - -
a36db4fc by Andrew Bartlett at 2018-08-11T06:16:04Z
CVE-2018-1140 ldb_tdb: Ensure the dn in distinguishedName= is valid before use

ldb_dn_from_ldb_val() does not validate this untrusted input, so a later
call to ldb_dn_get_casefold() can fail if the input is not valid.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

- - - - -
ebc3a1a1 by Andrew Bartlett at 2018-08-11T06:16:04Z
CVE-2018-1140 ldb_tdb: Check for DN validity in add, rename and search

This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which
would otherwise fail.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

- - - - -
47bf6f6e by Andrew Bartlett at 2018-08-11T06:16:04Z
CVE-2018-1140 ldb: Add tests for search add and rename with a bad dn= DN

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374

- - - - -
5ad366eb by Andrew Bartlett at 2018-08-11T06:16:04Z
ldb: Release LDB 1.3.5 for CVE-2018-1140

* Security fix for CVE-2018-1140 (NULL pointer de-reference, bug 13374)

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
43aba6bd by Kai Blin at 2018-08-11T06:16:04Z
CVE-2018-1140 dns: Add a test to trigger the LDB casefolding issue on invalid chars

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466

Signed-off-by: Kai Blin <kai at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
032a6a46 by Karolin Seeger at 2018-08-11T06:16:04Z
WHATSNEW: Add release notes for Samba 4.8.4.

o  CVE-2018-1139  (Weak authentication protocol allowed.)
o  CVE-2018-1140  (Denial of Service Attack on DNS and LDAP server.)
o  CVE-2018-10858 (Insufficient input validation on client directory
                   listing in libsmbclient.)
o  CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
                   server.)

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
626c489c by Karolin Seeger at 2018-08-11T06:16:26Z
VERSION: Disable GIT_SNAPSHOT for the Samba 4.8.4 release.

o  CVE-2018-1139  (Weak authentication protocol allowed.)
o  CVE-2018-1140  (Denial of Service Attack on DNS and LDAP server.)
o  CVE-2018-10858 (Insufficient input validation on client directory
                   listing in libsmbclient.)
o  CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
                   server.)

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
dd609d77 by Mathieu Parent at 2018-08-15T01:50:57Z
Changelog for previous commits

- - - - -
ce9eaf97 by Mathieu Parent at 2018-08-15T02:09:29Z
New upstream version 4.8.4+dfsg
- - - - -
031cbc5b by Mathieu Parent at 2018-08-15T02:16:47Z
Merge tag 'upstream/4.8.4+dfsg'

Upstream version 4.8.4+dfsg

- - - - -
5dc3c24f by Mathieu Parent at 2018-08-16T21:11:35Z
Bump ldb Build-depends to 2:1.4.0+really1.3.5

- - - - -
f9819549 by Mathieu Parent at 2018-08-17T14:29:27Z
Standards-Version: 4.2.0

- - - - -
25a59f4e by Mathieu Parent at 2018-08-17T14:29:27Z
Set Rules-Requires-Root: binary-targets as chmod is used

- - - - -
c00ec4d1 by Mathieu Parent at 2018-08-17T14:29:27Z
Remove override_dh_strip target as dbgsym migration is complete

- - - - -
47ad83c0 by Mathieu Parent at 2018-08-17T14:31:05Z
Release 2:4.8.4+dfsg-1

- - - - -

30 changed files:

- VERSION
- WHATSNEW.txt
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd.conf.5
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- debian/changelog
- debian/control
- debian/rules
- docs/manpages/cifsdd.8
- docs/manpages/dbwrap_tool.1
- docs/manpages/eventlogadm.8
- docs/manpages/findsmb.1
- docs/manpages/idmap_ad.8
- docs/manpages/idmap_autorid.8
- docs/manpages/idmap_hash.8
- docs/manpages/idmap_ldap.8
- docs/manpages/idmap_nss.8
- docs/manpages/idmap_rfc2307.8
- docs/manpages/idmap_rid.8
- docs/manpages/idmap_script.8

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/9e165f2738f15fe32319a6e6a7e745014e4c7f63...47ad83c01ded7b9530524935786d0c2c8ac9f0a6

-- 
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/9e165f2738f15fe32319a6e6a7e745014e4c7f63...47ad83c01ded7b9530524935786d0c2c8ac9f0a6
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20180817/1e440f34/attachment-0001.html>