[Pkg-samba-maint] [Git][samba-team/samba][master] 5 commits: Add missing Breaks+Replace found by piuparts (Closes: #929217)
Mathieu Parent
gitlab at salsa.debian.org
Thu Jun 20 08:36:55 BST 2019
Mathieu Parent pushed to branch master at Debian Samba Team / samba
Commits:
a3d20ae6 by Mathieu Parent at 2019-06-20T05:51:21Z
Add missing Breaks+Replace found by piuparts (Closes: #929217)
Thanks Andreas Beckmann!
- - - - -
fe8ceb8f by Douglas Bagnall at 2019-06-20T05:51:22Z
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
We still want to return DOES_NOT_EXIST when request_filter is not 0.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
fda0327e by Douglas Bagnall at 2019-06-20T05:51:22Z
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
We still want to return DOES_NOT_EXIST when request_filter is not 0.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
08fc5a8b by Mathieu Parent at 2019-06-20T05:51:48Z
Add patch for CVE-2019-12435
- - - - -
e0780386 by Mathieu Parent at 2019-06-20T05:53:29Z
Release 2:4.9.5+dfsg-5
- - - - -
6 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2019-12435-4.9-03.patch
- debian/patches/series
- python/samba/tests/dcerpc/dnsserver.py
- source4/rpc_server/dnsserver/dcerpc_dnsserver.c
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,12 @@
+samba (2:4.9.5+dfsg-5) unstable; urgency=high
+
+ * This is a security release in order to address the following defect:
+ - CVE-2019-12435 zone operations can crash rpc server
+ * Add missing Breaks+Replace found by piuparts (Closes: #929217)
+ Thanks Andreas Beckmann!
+
+ -- Mathieu Parent <sathieu at debian.org> Thu, 20 Jun 2019 07:53:26 +0200
+
samba (2:4.9.5+dfsg-4) unstable; urgency=high
* This is a security release in order to address the following defect:
=====================================
debian/control
=====================================
@@ -109,8 +109,15 @@ Multi-Arch: same
Architecture: any
Section: libs
Depends: ${misc:Depends}, ${shlibs:Depends}
-Breaks: libndr-standard0 (<< 2:4.0.9)
-Replaces: samba (<< 2:4.3.3+dfsg-1), libndr-standard0 (<< 2:4.0.9)
+Breaks: libndr-standard0 (<< 2:4.0.9),
+ libsamba-credentials0 (<< 2:4.0.9),
+ libsamba-hostconfig0 (<< 2:4.0.9),
+ libsamba-util0 (<< 2:4.0.9),
+Replaces: samba (<< 2:4.3.3+dfsg-1),
+ libndr-standard0 (<< 2:4.0.9),
+ libsamba-credentials0 (<< 2:4.0.9),
+ libsamba-hostconfig0 (<< 2:4.0.9),
+ libsamba-util0 (<< 2:4.0.9),
Description: Samba core libraries
Samba is an implementation of the SMB/CIFS protocol for Unix systems,
providing support for cross-platform file sharing with Microsoft Windows, OS X,
=====================================
debian/patches/CVE-2019-12435-4.9-03.patch
=====================================
@@ -0,0 +1,157 @@
+From 0d86acb75fe645a4306a3278334f28b320b1a6ab Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Date: Wed, 22 May 2019 12:58:01 +1200
+Subject: [PATCH 1/2] CVE-2019-12435 rpc/dns: avoid NULL deference if zone not
+ found in DnssrvOperation
+
+We still want to return DOES_NOT_EXIST when request_filter is not 0.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+---
+ python/samba/tests/dcerpc/dnsserver.py | 25 +++++++++++++++++++
+ .../rpc_server/dnsserver/dcerpc_dnsserver.c | 7 +++++-
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+
+diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py
+index 53e1abde042..db9ed156148 100644
+--- a/python/samba/tests/dcerpc/dnsserver.py
++++ b/python/samba/tests/dcerpc/dnsserver.py
+@@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security
+ from samba.tests import RpcInterfaceTestCase, env_get_var_value
+ from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord
+ from samba import sd_utils, descriptor
++from samba import WERRORError, werror
+
+ class DnsserverTests(RpcInterfaceTestCase):
+
+@@ -707,6 +708,30 @@ class DnsserverTests(RpcInterfaceTestCase):
+ 'ServerInfo')
+ self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid)
+
++
++ # This test is to confirm that we do not support multizone operations,
++ # which are designated by a non-zero dwContext value (the 3rd argument
++ # to DnssrvOperation).
++ def test_operation_invalid(self):
++ non_zone = 'a-zone-that-does-not-exist'
++ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
++ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
++ name_and_param.pszNodeName = 'AllowUpdate'
++ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
++ try:
++ res = self.conn.DnssrvOperation(self.server,
++ non_zone,
++ 1,
++ 'ResetDwordProperty',
++ typeid,
++ name_and_param)
++ except WERRORError as e:
++ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
++ return
++
++ # We should always encounter a DOES_NOT_EXIST error.
++ self.fail()
++
+ def test_operation2(self):
+ client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
+ rev_zone = '1.168.192.in-addr.arpa'
+diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+index b42d7c549d1..4e28778c89a 100644
+--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+@@ -1955,7 +1955,12 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_
+ &r->in.pData);
+ } else {
+ z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
+- if (z == NULL && request_filter == 0) {
++ /*
++ * In the case that request_filter is not 0 and z is NULL,
++ * the request is for a multizone operation, which we do not
++ * yet support, so just error on NULL zone name.
++ */
++ if (z == NULL) {
+ return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
+ }
+
+--
+2.17.1
+
+
+From f05cc18c08a63850d956a0b8b325d88c5be3bef9 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Date: Wed, 22 May 2019 13:23:25 +1200
+Subject: [PATCH 2/2] CVE-2019-12435 rpc/dns: avoid NULL deference if zone not
+ found in DnssrvOperation2
+
+We still want to return DOES_NOT_EXIST when request_filter is not 0.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13922
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+---
+ python/samba/tests/dcerpc/dnsserver.py | 26 +++++++++++++++++++
+ .../rpc_server/dnsserver/dcerpc_dnsserver.c | 7 ++++-
+ 2 files changed, 32 insertions(+), 1 deletion(-)
+
+diff --git a/python/samba/tests/dcerpc/dnsserver.py b/python/samba/tests/dcerpc/dnsserver.py
+index db9ed156148..7264a290ef2 100644
+--- a/python/samba/tests/dcerpc/dnsserver.py
++++ b/python/samba/tests/dcerpc/dnsserver.py
+@@ -732,6 +732,32 @@ class DnsserverTests(RpcInterfaceTestCase):
+ # We should always encounter a DOES_NOT_EXIST error.
+ self.fail()
+
++ # This test is to confirm that we do not support multizone operations,
++ # which are designated by a non-zero dwContext value (the 5th argument
++ # to DnssrvOperation2).
++ def test_operation2_invalid(self):
++ client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
++ non_zone = 'a-zone-that-does-not-exist'
++ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
++ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
++ name_and_param.pszNodeName = 'AllowUpdate'
++ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
++ try:
++ res = self.conn.DnssrvOperation2(client_version,
++ 0,
++ self.server,
++ non_zone,
++ 1,
++ 'ResetDwordProperty',
++ typeid,
++ name_and_param)
++ except WERRORError as e:
++ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
++ return
++
++ # We should always encounter a DOES_NOT_EXIST error.
++ self.fail()
++
+ def test_operation2(self):
+ client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
+ rev_zone = '1.168.192.in-addr.arpa'
+diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+index 4e28778c89a..353754f9261 100644
+--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+@@ -2167,7 +2167,12 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC
+ &r->in.pData);
+ } else {
+ z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
+- if (z == NULL && request_filter == 0) {
++ /*
++ * In the case that request_filter is not 0 and z is NULL,
++ * the request is for a multizone operation, which we do not
++ * yet support, so just error on NULL zone name.
++ */
++ if (z == NULL) {
+ return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
+ }
+
+--
+2.17.1
+
=====================================
debian/patches/series
=====================================
@@ -11,3 +11,4 @@ smbd.service-Run-update-apparmor-samba-profile-befor.patch
CVE-2019-3880-v4-9-02.patch
CVE-2019-3870-v4-9-04.patch
CVE-2018-16860-v4-9-06.patch
+CVE-2019-12435-4.9-03.patch
=====================================
python/samba/tests/dcerpc/dnsserver.py
=====================================
@@ -28,6 +28,7 @@ from samba.dcerpc import dnsp, dnsserver, security
from samba.tests import RpcInterfaceTestCase, env_get_var_value
from samba.netcmd.dns import ARecord, AAAARecord, PTRRecord, CNameRecord, NSRecord, MXRecord, SRVRecord, TXTRecord
from samba import sd_utils, descriptor
+from samba import WERRORError, werror
class DnsserverTests(RpcInterfaceTestCase):
@@ -707,6 +708,56 @@ class DnsserverTests(RpcInterfaceTestCase):
'ServerInfo')
self.assertEquals(dnsserver.DNSSRV_TYPEID_SERVER_INFO, typeid)
+
+ # This test is to confirm that we do not support multizone operations,
+ # which are designated by a non-zero dwContext value (the 3rd argument
+ # to DnssrvOperation).
+ def test_operation_invalid(self):
+ non_zone = 'a-zone-that-does-not-exist'
+ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
+ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
+ name_and_param.pszNodeName = 'AllowUpdate'
+ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
+ try:
+ res = self.conn.DnssrvOperation(self.server,
+ non_zone,
+ 1,
+ 'ResetDwordProperty',
+ typeid,
+ name_and_param)
+ except WERRORError as e:
+ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
+ return
+
+ # We should always encounter a DOES_NOT_EXIST error.
+ self.fail()
+
+ # This test is to confirm that we do not support multizone operations,
+ # which are designated by a non-zero dwContext value (the 5th argument
+ # to DnssrvOperation2).
+ def test_operation2_invalid(self):
+ client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
+ non_zone = 'a-zone-that-does-not-exist'
+ typeid = dnsserver.DNSSRV_TYPEID_NAME_AND_PARAM
+ name_and_param = dnsserver.DNS_RPC_NAME_AND_PARAM()
+ name_and_param.pszNodeName = 'AllowUpdate'
+ name_and_param.dwParam = dnsp.DNS_ZONE_UPDATE_SECURE
+ try:
+ res = self.conn.DnssrvOperation2(client_version,
+ 0,
+ self.server,
+ non_zone,
+ 1,
+ 'ResetDwordProperty',
+ typeid,
+ name_and_param)
+ except WERRORError as e:
+ if e.args[0] == werror.WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST:
+ return
+
+ # We should always encounter a DOES_NOT_EXIST error.
+ self.fail()
+
def test_operation2(self):
client_version = dnsserver.DNS_CLIENT_VERSION_LONGHORN
rev_zone = '1.168.192.in-addr.arpa'
=====================================
source4/rpc_server/dnsserver/dcerpc_dnsserver.c
=====================================
@@ -1955,7 +1955,12 @@ static WERROR dcesrv_DnssrvOperation(struct dcesrv_call_state *dce_call, TALLOC_
&r->in.pData);
} else {
z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
- if (z == NULL && request_filter == 0) {
+ /*
+ * In the case that request_filter is not 0 and z is NULL,
+ * the request is for a multizone operation, which we do not
+ * yet support, so just error on NULL zone name.
+ */
+ if (z == NULL) {
return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
}
@@ -2162,7 +2167,12 @@ static WERROR dcesrv_DnssrvOperation2(struct dcesrv_call_state *dce_call, TALLOC
&r->in.pData);
} else {
z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
- if (z == NULL && request_filter == 0) {
+ /*
+ * In the case that request_filter is not 0 and z is NULL,
+ * the request is for a multizone operation, which we do not
+ * yet support, so just error on NULL zone name.
+ */
+ if (z == NULL) {
return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
}
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/964bd6a6419583cf457ea39e39fc7cff8ed214f1...e07803866d495c40e96ceb02f6b07d4d4ee6f39d
--
View it on GitLab: https://salsa.debian.org/samba-team/samba/compare/964bd6a6419583cf457ea39e39fc7cff8ed214f1...e07803866d495c40e96ceb02f6b07d4d4ee6f39d
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20190620/4b92aec5/attachment-0001.html>
More information about the Pkg-samba-maint
mailing list