[Pkg-samba-maint] [Git][samba-team/samba][master] 20 commits: CVE-2018-14629 dns: CNAME loop prevention using counter
Mathieu Parent
gitlab at salsa.debian.org
Wed Nov 28 07:14:45 GMT 2018
Mathieu Parent pushed to branch master at Debian Samba Team / samba
Commits:
bbe5d2a7 by Aaron Haslett at 2018-11-24T22:21:16Z
CVE-2018-14629 dns: CNAME loop prevention using counter
Count number of answers generated by internal DNS query routine and stop at
20 to match Microsoft's loop prevention mechanism.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13600
Signed-off-by: Aaron Haslett <aaronhaslett at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Garming Sam <garming at catalyst.net.nz>
- - - - -
cd9b9571 by Andrew Bartlett at 2018-11-24T22:21:16Z
CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
In Heimdal KRB5_KDC_ERR_CLIENT_NAME_MISMATCH is an enum, so we tried to double-free
mem_ctx.
This was introduced in 9a0263a7c316112caf0265237bfb2cfb3a3d370d for the
MIT KDC effort.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
- - - - -
eb771f0b by Andrew Bartlett at 2018-11-24T22:21:16Z
CVE-2018-16841 selftest: Check for mismatching principal in certificate compared with principal in AS-REQ
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13628
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
- - - - -
f57de09c by Garming Sam at 2018-11-24T22:21:16Z
CVE-2018-16851 ldap_server: Check ret before manipulating blob
In the case of hitting the talloc ~256MB limit, this causes a crash in
the server.
Note that you would actually need to load >256MB of data into the LDAP,
although there is some generated/hidden data which would help you reach that
limit (descriptors and RMD blobs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13674
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
d6486b6e by Gary Lockyer at 2018-11-24T22:21:16Z
CVE-2018-16852 dcerpc dnsserver: Verification tests
Tests to verify
Bug 13669 - (CVE-2018-16852) NULL
pointer de-reference in Samba AD DC DNS management
The presence of the ZONE_MASTER_SERVERS property or the
ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
follow a null pointer and terminate.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
- - - - -
ab1b3698 by Gary Lockyer at 2018-11-24T22:21:17Z
CVE-2018-16852 dcerpc dnsserver: Ensure properties are handled correctly
Fixes for
Bug 13669 - (CVE-2018-16852) NULL
pointer de-reference in Samba AD DC DNS management
The presence of the ZONE_MASTER_SERVERS property or the
ZONE_SCAVENGING_SERVERS property in a zone record causes the server to
follow a null pointer and terminate.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a5e6809c by Gary Lockyer at 2018-11-24T22:21:17Z
CVE-2018-16852 dcerpc dnsserver: refactor common properties handling
dnsserver_common.c and dnsutils.c both share similar code to process
zone properties. This patch extracts the common code and moves it to
dnsserver_common.c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13669
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
7a437f80 by Andrew Bartlett at 2018-11-24T22:21:17Z
CVE-2018-16853 build: The Samba AD DC, when built with MIT Kerberos is experimental
This matches https://wiki.samba.org/index.php/Running_a_Samba_AD_DC_with_MIT_Kerberos_KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13678
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
- - - - -
db44a710 by Andrew Bartlett at 2018-11-24T22:21:17Z
CVE-2018-16857 selftest: Prepare to allow override of lockout duration in password_lockout tests
This will make it easier to avoid flapping tests.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
(cherry picked from commit a740a6131c967f9640b19a6964fd5d6f85ce853a)
Backported as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
- - - - -
acd70a39 by Joe Guo at 2018-11-24T22:21:17Z
CVE-2018-16857 PEP8: fix E305: expected 2 blank lines after class or function definition, found 1
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Partial backport of commit 115f2a71b88 (only password_lockout.py
change) as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
- - - - -
3efbb4f5 by Andrew Bartlett at 2018-11-24T22:21:18Z
CVE-2018-16857 selftest: Split up password_lockout into tests with and without a call to sleep()
This means we can have a long observation window for many of the tests and
so make them much more reliable. Many of these cause frustrating flapping
failures in our CI systems.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Sep 3 06:14:55 CEST 2018 on sn-devel-144
(cherry picked from commit 74357bf347348d3a8b7483c58e5250e98f7e8810)
Backported as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
- - - - -
0587bc17 by Joe Guo at 2018-11-24T22:21:18Z
CVE-2018-16857 PEP8: fix E127: continuation line over-indented for visual indent
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Partial backport of commit bbb9f57603d (only password_lockout_base.py
change) as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
- - - - -
6563b5bf by Joe Guo at 2018-11-24T22:21:18Z
CVE-2018-16857 PEP8: fix E251: unexpected spaces around keyword / parameter equals
Signed-off-by: Joe Guo <joeg at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Partial backport of commit 1ccc36b4010cd63 (only password_lockout_base.py
change) as a dependency for:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
- - - - -
bed247a3 by Tim Beale at 2018-11-24T22:21:18Z
CVE-2018-16857 tests: Sanity-check password lockout works with default values
Sanity-check that when we use the default lockOutObservationWindow that
user lockout actually works.
The easiest way to do this is to reuse the _test_login_lockout()
test-case, but stop at the point where we wait for the lockout duration
to expire (because we don't want the test to wait 30 mins).
This highlights a problem currently where the default values don't work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
4f9ba706 by Tim Beale at 2018-11-24T22:21:18Z
CVE-2018-16857 dsdb/util: Correctly treat lockOutObservationWindow as 64-bit int
Commit 442a38c918ae1666b35 refactored some code into a new
get_lockout_observation_window() function. However, in moving the code,
an ldb_msg_find_attr_as_int64() inadvertently got converted to a
ldb_msg_find_attr_as_int().
ldb_msg_find_attr_as_int() will only work for values up to -2147483648
(about 3.5 minutes in MS timestamp form). Unfortunately, the automated
tests used a low enough timeout that they still worked; however,
password lockout would not work with the Samba default settings.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e0213feb by Tim Beale at 2018-11-24T22:21:19Z
CVE-2018-16857 dsdb/util: Fix lockOutObservationWindow for PSOs
Fix a remaining place where we were trying to read the
msDS-LockoutObservationWindow as an int instead of an int64.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5e0dd8bd by Tim Beale at 2018-11-24T22:21:19Z
CVE-2018-16857 dsdb/util: Add better default lockOutObservationWindow
Clearly the lockOutObservationWindow value is important, and using a
default value of zero doesn't work very well.
This patch adds a better default value (the domain default setting of 30
minutes).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13683
Signed-off-by: Tim Beale <timbeale at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
cda661fd by Mathieu Parent at 2018-11-24T22:21:19Z
Add patches for previous fixes
- - - - -
5a02c113 by Mathieu Parent at 2018-11-24T22:21:19Z
Prepend 1.5.1+really to ldb version
- - - - -
88baa267 by Mathieu Parent at 2018-11-24T22:21:30Z
Release 2:4.9.2+dfsg-2
- - - - -
24 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2018-14629-v4-9.patch
- + debian/patches/CVE-2018-16841-master.patch
- + debian/patches/CVE-2018-16851-master.patch
- + debian/patches/CVE-2018-16852-v4-9-v2.patch
- + debian/patches/CVE-2018-16857-v4-9.patch
- + debian/patches/mit-kdc-experimental-v4-7.patch
- debian/patches/series
- debian/rules
- python/samba/tests/dns.py
- selftest/knownfail.d/dns
- source4/dns_server/dns_query.c
- source4/dns_server/dnsserver_common.c
- source4/dns_server/dnsserver_common.h
- source4/dsdb/common/util.c
- source4/dsdb/tests/python/password_lockout.py
- source4/dsdb/tests/python/password_lockout_base.py
- source4/kdc/db-glue.c
- source4/ldap_server/ldap_server.c
- source4/rpc_server/dnsserver/dnsutils.c
- + source4/rpc_server/tests/rpc_dns_server_dnsutils_test.c
- source4/rpc_server/wscript_build
- source4/selftest/tests.py
The diff was not included because it is too large.
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/c1f2485d48002c306cf1bb8f6d9a8b09f4fec198...88baa2674c02b6c4c1df6e13e97569017a02d483
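The 32-bit versus 64-bit read described in the CVE-2018-16857 dsdb/util commit messages above, as an added example that is not part of the original message and is not Samba code. `read_attr_int32()` and `read_attr_int64()` are hypothetical stand-ins for the ldb readers, and the sketch assumes that a stored value which does not fit in an int comes back as the supplied default (zero here, the default the last commit replaces).

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* MS relative time: a negative count of 100 ns intervals. */
#define TICKS_PER_MINUTE (60LL * 10000000LL)

/* Hypothetical stand-in for a 64-bit attribute reader. */
static int64_t read_attr_int64(const char *val, int64_t default_value)
{
	char *end = NULL;
	errno = 0;
	long long v = strtoll(val, &end, 10);
	if (errno != 0 || end == val || *end != '\0') {
		return default_value;
	}
	return (int64_t)v;
}

/* Hypothetical stand-in for a 32-bit reader. Assumption: a value
 * outside the int range is reported as the default. */
static int read_attr_int32(const char *val, int default_value)
{
	int64_t v = read_attr_int64(val, default_value);
	if (v < INT_MIN || v > INT_MAX) {
		return default_value;
	}
	return (int)v;
}

/* Returns 1 when a window of `minutes` reads back intact as an int. */
static int window_survives_int32(int minutes)
{
	char stored[32];
	int64_t ticks = -(int64_t)minutes * TICKS_PER_MINUTE;
	snprintf(stored, sizeof(stored), "%lld", (long long)ticks);
	return (int64_t)read_attr_int32(stored, 0) == read_attr_int64(stored, 0);
}

int main(void)
{
	/* Constructed sample windows: a short test value and the 30 minute default. */
	int samples[] = { 1, 3, 4, 30 };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		printf("%2d min: %s\n", samples[i],
		       window_survives_int32(samples[i]) ? "intact" : "lost (reads as 0)");
	}
	return 0;
}
```

A regression test for this class of bug needs at least one window above the 32-bit limit, which is what the "Sanity-check password lockout works with default values" commit adds.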