[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.12] 69 commits: VERSION: Bump version up to 4.12.4...

Mathieu Parent gitlab at salsa.debian.org
Thu Jul 2 13:11:54 BST 2020



Mathieu Parent pushed to branch upstream_4.12 at Debian Samba Team / samba


Commits:
11abc955 by Karolin Seeger at 2020-05-19T12:06:12+02:00
VERSION: Bump version up to 4.12.4...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
50653906 by Andrew Bartlett at 2020-05-25T06:27:16+00:00
librpc/idl: Add dnsp_DnsProperty_short

This will be used by a test and the DNS server code to parse short dnsProperty
records which come from Windows servers.

This example is from the value that caused Samba to fail as it
can not be parsed as a normal dnsp_DnsProperty

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(backported to 4.12 from commit 87bf1d687fe7b48a7b6d511dfc7f5414db16119c)

[abartlet at samba.org: resolve conflict due to less ndrdump tests in 4.12]

- - - - -
0acfdab2 by Andrew Bartlett at 2020-05-25T06:27:16+00:00
selftest: Add test for handling of "short" dnsProperty records

These have been known to be given by Windows DCs that share the same domain,
as, while invalid, they are not format-checked inbound when set by the DNS
Manager MMC applet over the dnsserver pipe to Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 6eb2a48f5a998b82bb071ef42d00d2f34a2b0ed8)

- - - - -
76c8a9de by Andrew Bartlett at 2020-05-25T06:27:16+00:00
s4/rpc_server/dnsserver: Allow parsing of dnsProperty to fail gracefully

On (eg) the

DC=_msdcs.X.Y,CN=MicrosoftDNS,DC=ForestDnsZones,DC=X,DC=Y

record, in domains that have had a Microsoft Windows DC an attribute:

dNSProperty:: AAAAAAAAAAAAAAAAAQAAAJIAAAAAAAAA

000000 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00  >................<
000010 92 00 00 00 00 00 00 00                          >........<
000018

We, until samba 4.12, would parse this as:

pull returned Success
    dnsp_DnsProperty: struct dnsp_DnsProperty
        wDataLength              : 0x00000000 (0)
        namelength               : 0x00000000 (0)
        flag                     : 0x00000000 (0)
        version                  : 0x00000001 (1)
        id                       : DSPROPERTY_ZONE_NS_SERVERS_DA (146)
        data                     : union dnsPropertyData(case 0)
        name                     : 0x00000000 (0)
dump OK

However, the wDataLength is 0.  There is not anything in
[MS-DNSP] 2.3.2.1 dnsProperty to describe any special behaviour
for when the id suggests that there is a value, but wDataLength is 0.

https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dnsp/445c7843-e4a1-4222-8c0f-630c230a4c80

We now fail to parse it, because we expect an entry with id DSPROPERTY_ZONE_NS_SERVERS_DA
to therefore have a valid DNS_ADDR_ARRAY (section 2.2.3.2.3).

As context we changed it in our commit fee5c6a4247aeac71318186bbff7708d25de5912
because of bug https://bugzilla.samba.org/show_bug.cgi?id=14206
which was due to the artificial environment of the fuzzer.

Microsoft advises that Windows also fails to parse this, but
instead of failing the operation, the value is ignored.

Reported by Alex MacCuish.  Many thanks for your assistance in
tracking down the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14310
RN: Can't use DNS functionality after a Windows DC has been in domain

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri May 15 07:29:17 UTC 2020 on sn-devel-184

(cherry picked from commit 004e7a1fee766102de302e83f4dc5f4d977aef32)
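The behaviour the commit message describes (a 24-byte dnsProperty whose id promises a value but whose wDataLength is 0, which Windows ignores rather than failing on) as an added example. This is constructed illustration code, not Samba's NDR parser or the dnsserver module: it decodes only the fixed header of the record quoted above, treats a zero-length payload as "short, skip this value" instead of an error, and still rejects a blob whose wDataLength runs past the buffer. The FULL_RECORD value and its id are constructed for the demonstration and carry no Samba meaning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* dnsp_DnsProperty header as laid out in the dump above: five little-endian
 * uint32 words, then wDataLength payload bytes, then a trailing uint32 'name'. */
#define DNSP_HDR_LEN  20u   /* wDataLength .. id */
#define DNSP_TRAILER   4u   /* trailing 'name' word */
#define DSPROPERTY_ZONE_NS_SERVERS_DA 146u   /* id value seen in the dump above */

struct dnsp_property_hdr {
    uint32_t wDataLength, namelength, flag, version, id;
};

enum dnsp_parse_result {
    DNSP_OK = 0,         /* header consistent, payload present */
    DNSP_SHORT = 1,      /* wDataLength == 0: nothing to parse, ignore the value */
    DNSP_MALFORMED = -1  /* truncated, or wDataLength larger than the buffer allows */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse one record; on DNSP_OK *payload points at wDataLength bytes. */
int dnsp_property_parse(const uint8_t *buf, size_t len,
                        struct dnsp_property_hdr *hdr, const uint8_t **payload)
{
    if (len < DNSP_HDR_LEN + DNSP_TRAILER) {
        return DNSP_MALFORMED;
    }
    hdr->wDataLength = le32(buf);
    hdr->namelength  = le32(buf + 4);
    hdr->flag        = le32(buf + 8);
    hdr->version     = le32(buf + 12);
    hdr->id          = le32(buf + 16);

    /* Payload sits between 'id' and the trailing word: at most len - 24 bytes. */
    if (hdr->wDataLength > len - DNSP_HDR_LEN - DNSP_TRAILER) {
        return DNSP_MALFORMED;
    }
    *payload = buf + DNSP_HDR_LEN;
    if (hdr->wDataLength == 0) {
        /* "Short" record: the id implies a value but no bytes follow.
         * Windows ignores the value instead of failing the operation. */
        return DNSP_SHORT;
    }
    return DNSP_OK;
}

/* The exact value from the commit message (base64 AAAAAAAAAAAAAAAAAQAAAJIAAAAAAAAA). */
static const uint8_t SHORT_RECORD[24] = {
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x92,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
};

/* Constructed well-formed record: wDataLength 4, constructed id 1, 4 payload bytes, name. */
static const uint8_t FULL_RECORD[28] = {
    0x04,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0xaa,0xbb,0xcc,0xdd,            /* payload */
    0x00,0x00,0x00,0x00,            /* name */
};

/* Walk a set of dnsProperty values the way a graceful loader should: count
 * usable records, skip short ones, fail only on a malformed blob.
 * Returns the usable count, or -1 if any blob is malformed. */
int dnsp_properties_load(const uint8_t *const *blobs, const size_t *lens,
                         size_t n, size_t *skipped)
{
    int usable = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        struct dnsp_property_hdr hdr;
        const uint8_t *payload;
        int rc = dnsp_property_parse(blobs[i], lens[i], &hdr, &payload);
        if (rc == DNSP_MALFORMED) {
            return -1;
        }
        if (rc == DNSP_SHORT) {
            (*skipped)++;
            continue;
        }
        usable++;
    }
    return usable;
}

/* Load the two sample records together: one usable, one skipped. */
int dnsp_demo(size_t *skipped)
{
    const uint8_t *const blobs[] = { FULL_RECORD, SHORT_RECORD };
    const size_t lens[] = { sizeof FULL_RECORD, sizeof SHORT_RECORD };
    return dnsp_properties_load(blobs, lens, 2, skipped);
}

int main(void)
{
    size_t skipped;
    int usable = dnsp_demo(&skipped);
    printf("usable=%d skipped=%zu\n", usable, skipped);
    return 0;
}
```

The point of the split return code is that the caller decides what to do: the old 4.12 behaviour turned a DNSP_SHORT into a hard failure of the whole DNS operation, while a genuinely lying wDataLength still must be rejected.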

- - - - -
f0654fa4 by Andreas Schneider at 2020-05-25T06:27:16+00:00
lib:util: Add path_expand_tilde()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 15457254be0ab1235c327bd305dfeee19b2ea7a1)

- - - - -
b9192507 by Andreas Schneider at 2020-05-25T06:27:16+00:00
lib:util: Add test for path_expand_tilde()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(backported from commit a15bd5493b696c66c6803d8ca65bc13f1cfcdf0a)

- - - - -
eae0ae3c by Andreas Schneider at 2020-05-25T06:27:16+00:00
s3:gencache: Allow to open gencache as read-only

This allows client tools to access the cache for read-only operations
as a normal user.

Example:
    net ads status

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri May 15 14:40:32 UTC 2020 on sn-devel-184

(cherry picked from commit 04f0c45475de383a0be4ca355ab9aa7784e61c27)

- - - - -
572eb426 by Jeremy Allison at 2020-05-25T06:27:16+00:00
s3: lib: Paranoia around use of snprintf copying into a fixed-size buffer from a getenv() pointer.

Post checks for overflow/error.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Mon May 18 23:42:57 UTC 2020 on sn-devel-184

(cherry picked from commit dd1f750293ef4361455a5d5b63fc7a89495715b7)

- - - - -
f02893f5 by Volker Lendecke at 2020-05-25T07:52:12+00:00
winbindd: Fix a use-after-free when winbind clients exit

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14382

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Volker Lendecke <vl at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue May 19 10:45:06 UTC 2020 on sn-devel-184

(cherry picked from commit 68380ebaa60c64311cc1081f700d571abbf69f4f)

Autobuild-User(v4-12-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-12-test): Mon May 25 07:52:12 UTC 2020 on sn-devel-184

- - - - -
701cbabc by Jeremy Allison at 2020-06-04T11:47:47+00:00
s3: selftest: Add share definition [bad_iconv] in fileserver.

Creates a utf8 valid filename within that is invalid in CP850.
Useful to test smbclient list directory character set conversions.

https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(back-ported from commit a9651d6bc2b6dea8adc859ce21c2431253868887)

- - - - -
290ae67b by Jeremy Allison at 2020-06-04T11:47:47+00:00
s3: selftest: Add test_smbclient_iconv.sh to check client behavior on bad name conversion.

SMB2 and NT1 fail this, CORE already returns NT_STATUS_INVALID_NETWORK_RESPONSE
on bad conversion.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(back-ported from commit e016671d34c24c4768df774425ec743b88e30015)

- - - - -
cc105695 by Jeremy Allison at 2020-06-04T11:47:47+00:00
s3: libsmb: In SMB1 old protocol - return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.

Can happen if namelen == 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b10de0bb64fe022e6b066584013dfb0bdf2ade96)

- - - - -
ea64f5fb by Jeremy Allison at 2020-06-04T11:47:47+00:00
s3: libsmb: In SMB2 return NT_STATUS_INVALID_NETWORK_RESPONSE if name conversion ended up with a NULL filename.

Can happen if namelen == 0.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 753115a8d19f6ac8cd28305748fc6d888679dccc)

- - - - -
c2051cdf by Jeremy Allison at 2020-06-04T11:47:48+00:00
s3: libsmbclient: Finish unifying bad iconv behavior across CORE NT1 SMB2 protocols.

On bad name conversion, exit the directory listing with an error, but leave the
connection intact. We were already checking for finfo->name == NULL here,
but were ignoring it and not reporting an error.

Remove the knownfail.d/bad_iconv file as we now
behave the same across CORE/NT1/SMB2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14374

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Tue May 12 21:32:44 UTC 2020 on sn-devel-184

(cherry picked from commit 393da520e43bd3a28feb231bcd9fd5308a3daa4a)

- - - - -
2b15eee1 by Björn Jacke at 2020-06-04T11:47:48+00:00
docs-xml: update list of possible VFS operations for vfs_full_audit

the list of valid operations can be generated by

grep "{ SMB_VFS_OP_" source3/modules/vfs_full_audit.c |sed 's/.*,[ \t]*"//;s/".*//'|grep -v NULL | sort

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14386

based on 14470e4e4c16cfc36384027c39c1685dea42ad26 in master

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

- - - - -
5015bbbd by Stefan Metzmacher at 2020-06-04T11:47:48+00:00
s3:libads: prefer ENCTYPE_AES256_CTS_HMAC_SHA1_96 in ads_keytab_add_entry()

This is currently not critical as we only use keytabs
as acceptor, but in future we'll also use them
for kinit() and there we should prefer the newest type.

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
e25e574b by Isaac Boukris at 2020-06-04T11:47:48+00:00
Add a test to check dNSHostName with netbios aliases

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
533a4be5 by Isaac Boukris at 2020-06-04T11:47:48+00:00
Fix accidental overwrite of dnsHostName by the last netbios alias

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
b3630d58 by Isaac Boukris at 2020-06-04T11:47:48+00:00
Refactor ads_keytab_add_entry() to make it iterable

so we can more easily add msDS-AdditionalDnsHostName entries.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
279e72fe by Isaac Boukris at 2020-06-04T11:47:48+00:00
Add a test for msDS-AdditionalDnsHostName entries in keytab

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
71efed33 by Isaac Boukris at 2020-06-04T11:47:48+00:00
Add msDS-AdditionalDnsHostName entries to the keytab

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
7b1bac7d by Isaac Boukris at 2020-06-04T13:12:27+00:00
Add net-ads-join dnshostname=fqdn option

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri May 29 13:33:28 UTC 2020 on sn-devel-184

Autobuild-User(v4-12-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-12-test): Thu Jun  4 13:12:27 UTC 2020 on sn-devel-184

- - - - -
f50cb3a0 by Gary Lockyer at 2020-06-24T09:57:26+00:00
libcli ldap tests: remove use of zero length array

libcli/ldap/tests/ldap_message_test.c defines a zero length array
(uint8_t buf[0]), which is a GCC extension and breaks the build with
some strict compilers like xlc.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14387

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Jun 23 02:15:35 UTC 2020 on sn-devel-184

(cherry picked from commit d701bc1518766f36b1c7a3a00a82485098a8ee3d)

- - - - -
63c70acd by Isaac Boukris at 2020-06-24T09:57:26+00:00
Fix a typo in recent net man page changes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
60e73282 by Isaac Boukris at 2020-06-24T09:57:26+00:00
selftest: add tests for binary msDS-AdditionalDnsHostName

Like the short names added implicitly by Windows DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
0e668997 by Isaac Boukris at 2020-06-24T09:57:26+00:00
Properly handle msDS-AdditionalDnsHostName returned from Windows DC

Windows DC adds short names for each specified msDS-AdditionalDnsHostName
attribute, but these have a suffix of "\0$" and thus fail with
ldap_get_values(), use ldap_get_values_len() instead.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

- - - - -
0ac77960 by Isaac Boukris at 2020-06-24T09:57:27+00:00
Fix usage of ldap_get_values_len for msDS-AdditionalDnsHostName

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406

Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Mon Jun 22 09:59:04 UTC 2020 on sn-devel-184

- - - - -
1049c577 by Alexander Bokovoy at 2020-06-24T09:57:27+00:00
lib/ldb: add unit test for ldb_ldap internal code

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14413
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 36bd6edd8a603f3aa34aff81c43ef26efd3ad4cf)

- - - - -
3db89a6c by Alexander Bokovoy at 2020-06-24T11:22:16+00:00
ldb_ldap: fix off-by-one increment in lldb_add_msg_attr

Fix regression introduced by commit ce2bf5c72b6423fff680b3d6a9042103a6cdda55

lldb_add_msg_attr() calls ldb_msg_add_empty() which, in turn, calls
_ldb_msg_add_el() which already increments msg->num_elements by one.

As a result, msg->num_elements is bigger than the actual number of
elements and any iteration over elements would step over elements array
boundary.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14413
Signed-off-by: Alexander Bokovoy <ab at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Jun 19 08:35:33 UTC 2020 on sn-devel-184

(cherry picked from commit 990a0fc4a0481aed817fad7575d8df453fbe7af9)

Autobuild-User(v4-12-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-12-test): Wed Jun 24 11:22:16 UTC 2020 on sn-devel-184

- - - - -
837ee4b1 by Karolin Seeger at 2020-06-25T10:36:07+02:00
VERSION: Bump version up to 4.12.4...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger at samba.org>
(cherry picked from commit 11abc955736af2e398cb0f208ab47bde9fadee60)

- - - - -
c61a5255 by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs

The end result is the same, as sizeof() includes the trailing NUL, but this
avoids having to think about that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
dd53faf4 by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV

This is a silly combination, but at least try and keep the results sensible
and avoid a double-dereference.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
98a67d49 by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ

Tested against Windows 1709.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
337f3e42 by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV

This is essentially an alternative patch, but without the correct
behaviour.  Instead this just avoids a segfault.

Included in case we have something similar again in
another module.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
d6329e8a by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible

As tested against Windows Server 1709

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
8103df54 by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined

The GUID is not returned in the DN for some reason in this (to be banned)
combination.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
b1f72d2c by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV

This (two different paging controls) makes no sense and fails against
Windows Server 1709.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
c29319e9 by Gary Lockyer at 2020-06-25T10:43:52+02:00
CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done

Check the return code from paged_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
b2658b94 by Gary Lockyer at 2020-06-25T10:43:52+02:00
CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done

Check the return code from vlv_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9dd45895 by Gary Lockyer at 2020-06-25T10:43:52+02:00
CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice

Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from a function that calls
ldb_module_done as part of its error handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
7cc5a5a3 by Gary Lockyer at 2020-06-25T10:43:52+02:00
ldb: Bump version to 2.1.4

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
6e04e0b4 by Douglas Bagnall at 2020-06-25T10:43:52+02:00
CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests

The client libraries don't allow us to make packets that are broken in
certain ways, so we need to construct them as byte strings.

These tests all fail at present, proving the server is rendered
unresponsive, which is the crux of CVE-2020-10745.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
ec640f93 by Douglas Bagnall at 2020-06-25T10:43:52+02:00
CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings

These time the push and pull function in isolation.

Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

(backported from master commit)
[abartlet at samba.org: backported due to differences in pre-existing
tests - eg test_ndr - mentioned in wscript_build and tests.py]

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
a80dd6d1 by Douglas Bagnall at 2020-06-25T10:43:52+02:00
CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function

This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
be20d15a by Douglas Bagnall at 2020-06-25T10:43:52+02:00
CVE-2020-10745: ndr/dns_utils: correct a comment

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
a19660d1 by Douglas Bagnall at 2020-06-25T10:43:52+02:00
CVE-2020-10745: ndr_dns: do not allow consecutive dots

The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
0afc9f77 by Douglas Bagnall at 2020-06-25T10:43:52+02:00
CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes

As per RFC 1035.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
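The two input rules from the commits above (no empty label except the final root label, so "example..com" is rejected while "example.com." is fine, and no encoded name over 255 bytes per RFC 1035) carried through in an added example. This is not Samba's ndr_push_dns_string or dns_utils code: it is a stand-alone encoder into RFC 1035 wire form (length-prefixed labels ending in a zero byte) that also enforces the 63-byte label limit from the same RFC; the status names and the synthetic-name helper are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum dns_name_status {
    DNS_NAME_OK = 0,
    DNS_NAME_EMPTY_LABEL,     /* consecutive or leading dot */
    DNS_NAME_LABEL_TOO_LONG,  /* a label longer than 63 bytes */
    DNS_NAME_TOO_LONG,        /* encoded name longer than 255 bytes */
    DNS_NAME_BUFFER           /* caller's output buffer too small */
};

#define DNS_MAX_NAME_WIRE 255u
#define DNS_MAX_LABEL      63u

/* Encode a dotted name into wire form; *written receives the byte count. */
int dns_name_push(const char *name, uint8_t *out, size_t outlen, size_t *written)
{
    size_t pos = 0;
    const char *p = name;

    /* "." (like "") denotes the root alone: a single zero byte. */
    if (p[0] == '.' && p[1] == '\0') {
        p++;
    }
    while (*p != '\0') {
        const char *dot = strchr(p, '.');
        size_t lablen = dot ? (size_t)(dot - p) : strlen(p);

        if (lablen == 0) {
            /* Empty label not at the end: "example..com" or ".example". */
            return DNS_NAME_EMPTY_LABEL;
        }
        if (lablen > DNS_MAX_LABEL) {
            return DNS_NAME_LABEL_TOO_LONG;
        }
        /* Count this label's length byte plus the final root byte. */
        if (pos + 1 + lablen + 1 > DNS_MAX_NAME_WIRE) {
            return DNS_NAME_TOO_LONG;
        }
        if (pos + 1 + lablen + 1 > outlen) {
            return DNS_NAME_BUFFER;
        }
        out[pos++] = (uint8_t)lablen;
        memcpy(out + pos, p, lablen);
        pos += lablen;
        if (dot == NULL) {
            break;
        }
        p = dot + 1;   /* a trailing dot leaves *p == '\0', which ends the loop */
    }
    if (pos + 1 > outlen) {
        return DNS_NAME_BUFFER;
    }
    out[pos++] = 0;    /* root label terminates the name */
    *written = pos;
    return DNS_NAME_OK;
}

/* Status only, for callers that do not need the encoded bytes. */
int dns_name_check(const char *name)
{
    uint8_t buf[DNS_MAX_NAME_WIRE + 1];
    size_t n;
    return dns_name_push(name, buf, sizeof buf, &n);
}

/* Build nlabels labels of lablen 'a' characters and report the status, to show
 * where the 255-byte limit bites: 3 x 63 encodes to 193 bytes, 4 x 63 would
 * need 257 and is refused even though every label is individually legal. */
int dns_name_check_synthetic(size_t nlabels, size_t lablen)
{
    char name[1024];
    size_t pos = 0;
    if (nlabels * (lablen + 1) >= sizeof name) {
        return DNS_NAME_BUFFER;
    }
    for (size_t i = 0; i < nlabels; i++) {
        if (i > 0) {
            name[pos++] = '.';
        }
        memset(name + pos, 'a', lablen);
        pos += lablen;
    }
    name[pos] = '\0';
    return dns_name_check(name);
}

int main(void)
{
    const char *samples[] = { "example.com.", "example..com", ".example.com", "." };
    for (size_t i = 0; i < 4; i++) {
        printf("%-14s -> %d\n", samples[i], dns_name_check(samples[i]));
    }
    printf("4 x 63 labels -> %d\n", dns_name_check_synthetic(4, 63));
    return 0;
}
```

The length check runs before the buffer check so that an over-long name is reported as invalid input rather than as a caller-side buffer problem; both rejections happen before any byte of the offending label is copied.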

- - - - -
3b98e807 by Douglas Bagnall at 2020-06-25T10:43:52+02:00
CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility

NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").

This retains the logic of e6e2ec0001fe3c010445e26cc0efddbc1f73416b.

Also DNS compression cannot be turned off for NBT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
795a25dc by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-14303 Ensure an empty packet will not DoS the NBT server

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d7a32e81 by Gary Lockyer at 2020-06-25T10:43:52+02:00
CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet

An empty UDP packet put the nbt server into a busy loop that consumes
100% of a cpu.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417

Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>

- - - - -
a6a3a9f5 by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls

Otherwise a paged search on the GC port will fail as the ->data was
not kept around for the second page of searches.

An example command to produce this is
 bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD

This shows up later in the partition module as:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
    #0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
    #1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
    #2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
    #3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780

or

smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
(from source4/dsdb/samdb/ldb_modules/partition.c:780)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
565811f4 by Andrew Bartlett at 2020-06-25T10:43:52+02:00
CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port

This should avoid a regression.

Signed-off-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
86177f14 by Karolin Seeger at 2020-06-25T12:56:15+02:00
WHATSNEW: Add release notes for Samba 4.12.4.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
6ecd05df by Karolin Seeger at 2020-06-25T12:57:04+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.12.4 release.

This is a security release in order to address the following CVEs:

o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
                  LDAP Server with ASQ, VLV and paged_results.
o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
                  excessive CPU.
o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
                  paged_results and VLV.
o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
19c6e21c by Jeremy Allison at 2020-06-26T07:52:25+00:00
s3: selftest: Add samba3.blackbox.aio-outstanding test.

Shows smbd panics if connection is terminated (torn down)
by killing the client with outstanding aio requests in the
queue. As we're closing smbd we should cope with this.

Followup-bugfix for:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14301

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
(cherry picked from commit f206d37f6ec8143b2051a8fe15783c188344adbe)

- - - - -
8666dc1e by Jeremy Allison at 2020-06-26T07:52:26+00:00
s3: smbd: Add smbXsrv_client_valid_connections().

Next commit will make use of this.

Followup-bugfix for:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14301

Signed-off-by: Jeremy Allison <jra at samba.org>

- - - - -
1f8a77fe by Jeremy Allison at 2020-06-26T07:52:26+00:00
s3: smbd: Allow a SHUTDOWN_CLOSE on a file with outstanding aio if there are no client connections alive.

The process is exiting now so pthreads will never complete to cause
problems.

Remove the knownfail.d/aio_outstanding entry.

Followup-bugfix for:

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14301

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Jun 24 20:14:15 UTC 2020 on sn-devel-184

(cherry picked from commit 205653732064ecf76d3198451240af468806ec14)

- - - - -
10e8d8b4 by Jeremy Allison at 2020-06-26T07:52:26+00:00
s3: libsmb: Info level SMB2_FIND_ID_BOTH_DIRECTORY_INFO encodes attributes as a uint32, not a uint8.

Fix the SMB2 parsing code.

Cast to a uint16_t for now after pulling the information
as finfo->mode is currently only 16 bits.

We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3063e1601ad9e2536651a75a47ebf4921ffddbdc)

- - - - -
bb210d6d by Jeremy Allison at 2020-06-26T07:52:26+00:00
s3: libsmb: Info level SMB_FIND_FILE_BOTH_DIRECTORY_INFO encodes attributes as a uint32, not a uint8.

Cast to a uint16_t for now after pulling the information
as finfo->mode is currently only 16 bits.

We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 5e3e6c4c0c70e171607f4b5351bd8ec146730f08)

- - - - -
7db0eb75 by Jeremy Allison at 2020-06-26T07:52:26+00:00
s3: libsmb: Info level SMB_FIND_INFO_STANDARD encodes attributes as a uint16, not a uint8.

We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit be52f87c376a8f71b2de4aa52f25818cad2b160e)

- - - - -
50ff83cb by Jeremy Allison at 2020-06-26T07:52:26+00:00
s3: libsmb: Info level SMB_FIND_EA_SIZE encodes attributes as a uint16, not a uint8.

We will need this to detect FILE_ATTRIBUTE_REPARSE_POINT in a later commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 6463f2612a662f217af18455206afde122323375)

- - - - -
68c0b008 by Jeremy Allison at 2020-06-26T07:52:26+00:00
s3: torture: Add a MSDFS-ATTRIBUTE test.

Framework to drive comes next.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 84134812e3447317125ae08b2a98848a2e4bbd65)

- - - - -
54d6efeb by Jeremy Allison at 2020-06-26T07:52:27+00:00
s3: torture: Add test for getting attributes on an MSDFS link.

Mark as knownfail for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(back ported from commit 2a4705129d06b91023bc3fc435fccf91d3939553)

- - - - -
50badbae by Jeremy Allison at 2020-06-26T11:18:10+00:00
s3: msdfs: Fix missing struct stat return on msdfs links by doing an LSTAT call.

This (unfortunately) re-exposes the fact that the msdfs links are symlinks,
but fixing this correctly requires a VFS ABI change which we can't
do for a released stream.

Remove the knownfail.d/msdfs-attr file.

Everything now passes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14391

Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(v4-12-test): Karolin Seeger <kseeger at samba.org>
Autobuild-Date(v4-12-test): Fri Jun 26 11:18:10 UTC 2020 on sn-devel-184

- - - - -
05b8919c by Karolin Seeger at 2020-07-02T11:05:20+02:00
Merge tag 'samba-4.12.4' into v4-12-test

samba: tag release samba-4.12.4

- - - - -
8d47600f by Karolin Seeger at 2020-07-02T11:05:41+02:00
VERSION: Bump version up to 4.12.5.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
c61cb94a by Karolin Seeger at 2020-07-02T13:07:29+02:00
WHATSNEW: Add release notes for Samba 4.12.5.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
217bc17f by Karolin Seeger at 2020-07-02T13:08:04+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.12.5 release.

Signed-off-by: Karolin Seeger <kseeger at samba.org>

- - - - -
c3562f1d by Mathieu Parent at 2020-07-02T13:58:46+02:00
New upstream version 4.12.5+dfsg
- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- docs-xml/manpages/net.8.xml
- docs-xml/manpages/vfs_full_audit.8.xml
- docs/manpages/cifsdd.8
- docs/manpages/dbwrap_tool.1
- docs/manpages/eventlogadm.8
- docs/manpages/findsmb.1
- docs/manpages/idmap_ad.8
- docs/manpages/idmap_autorid.8
- docs/manpages/idmap_hash.8
- docs/manpages/idmap_ldap.8
- docs/manpages/idmap_nss.8
- docs/manpages/idmap_rfc2307.8
- docs/manpages/idmap_rid.8


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/df7c3d5b0045d2a1a73dda7546142fcd0b517b19...c3562f1d81acbe6b3a70a75e2029a02de7c559af
