[Pkg-samba-maint] Prepared ldb update for buster-security

Salvatore Bonaccorso carnil at debian.org
Sun Mar 28 13:08:22 BST 2021


Dear ldb maintainers,

Following the proposed NMU for unstable, I prepared as well an update
for ldb for buster to be released via a DSA.

I do not have the possibility to test it in a Samba AD DC/LDAP setup,
though, as the only ones running are simple file servers.

Do you have the possibility to test the update in production for an
ldb update?

Regards,
Salvatore
-------------- next part --------------
diff -Nru ldb-1.5.1+really1.4.6/debian/changelog ldb-1.5.1+really1.4.6/debian/changelog
--- ldb-1.5.1+really1.4.6/debian/changelog	2019-03-30 18:09:28.000000000 +0100
+++ ldb-1.5.1+really1.4.6/debian/changelog	2021-03-28 10:35:25.000000000 +0200
@@ -1,3 +1,14 @@
+ldb (2:1.5.1+really1.4.6-3+deb10u1) buster-security; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * lib ldb: Check if ldb_lock_backend_callback called twice (CVE-2020-10730)
+  * ldb_dn: avoid head corruption in ldb_dn_explode (CVE-2020-27840)
+    (Closes: #985936)
+  * ldb/attrib_handlers casefold: stay in bounds (CVE-2021-20277)
+    (Closes: #985935)
+
+ -- Salvatore Bonaccorso <carnil at debian.org>  Sun, 28 Mar 2021 10:35:25 +0200
+
 ldb (2:1.5.1+really1.4.6-3) unstable; urgency=medium
 
   * Upload to unstable
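Review bot: the second bullet inherits the upstream subject's typo "head corruption"; the patch body describes heap corruption in ldb_dn_explode, so "avoid heap corruption in ldb_dn_explode (CVE-2020-27840)" would be the accurate changelog wording. The first bullet carries no "(Closes: #...)" while the other two do, which is consistent with its DEP-3 header only listing Bug-Debian-Security and no Bug-Debian, so that is fine as long as no Debian bug was filed for CVE-2020-10730.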
diff -Nru ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-10730-lib-ldb-Check-if-ldb_lock_backend_cal.patch ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-10730-lib-ldb-Check-if-ldb_lock_backend_cal.patch
--- ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-10730-lib-ldb-Check-if-ldb_lock_backend_cal.patch	1970-01-01 01:00:00.000000000 +0100
+++ ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-10730-lib-ldb-Check-if-ldb_lock_backend_cal.patch	2021-03-28 10:35:25.000000000 +0200
@@ -0,0 +1,46 @@
+From: Gary Lockyer <gary at catalyst.net.nz>
+Date: Wed, 13 May 2020 10:56:56 +1200
+Subject: CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called
+ twice
+Origin: https://git.samba.org/?p=samba.git;a=commitdiff;h=9dd458956d7af1b4bbe505ba2ab72235e81c27d0
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14364
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-10730
+
+Prevent use after free issues if ldb_lock_backend_callback is called
+twice, usually due to ldb_module_done being called twice. This can happen if a
+module ignores the return value from function a function that calls
+ldb_module_done as part of it's error handling.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
+
+Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+---
+ lib/ldb/common/ldb.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/common/ldb.c
++++ b/common/ldb.c
+@@ -1012,6 +1012,13 @@ static int ldb_lock_backend_callback(str
+ 	struct ldb_db_lock_context *lock_context;
+ 	int ret;
+ 
++	if (req->context == NULL) {
++		/*
++		 * The usual way to get here is to ignore the return codes
++		 * and continuing processing after an error.
++		 */
++		abort();
++	}
+ 	lock_context = talloc_get_type(req->context,
+ 				       struct ldb_db_lock_context);
+ 
+@@ -1026,7 +1033,7 @@ static int ldb_lock_backend_callback(str
+ 		 * If this is a LDB_REPLY_DONE or an error, unlock the
+ 		 * DB by calling the destructor on this context
+ 		 */
+-		talloc_free(lock_context);
++		TALLOC_FREE(req->context);
+ 		return ret;
+ 	}
+ 
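Review bot: the new `if (req->context == NULL) { abort(); }` deliberately turns the double-callback case from a use-after-free into a process abort, and it only works because the second hunk swaps `talloc_free(lock_context)` for `TALLOC_FREE(req->context)`, which NULLs the pointer after freeing (lock_context is the same allocation obtained via talloc_get_type(req->context, ...), so the first callback behaves exactly as before). For a DSA it is worth stating in the DEP-3 header or changelog that a misbehaving module now crashes the server instead of corrupting memory, since that is a visible behaviour change for operators. Minor: the diffstat line says lib/ldb/common/ldb.c while the rebased hunk uses a/common/ldb.c; harmless for quilt, but the stat could be regenerated to match the standalone tree layout.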
diff -Nru ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-27840-ldb_dn-avoid-head-corruption-in-ldb_d.patch ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-27840-ldb_dn-avoid-head-corruption-in-ldb_d.patch
--- ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-27840-ldb_dn-avoid-head-corruption-in-ldb_d.patch	1970-01-01 01:00:00.000000000 +0100
+++ ldb-1.5.1+really1.4.6/debian/patches/CVE-2020-27840-ldb_dn-avoid-head-corruption-in-ldb_d.patch	2021-03-28 10:35:25.000000000 +0200
@@ -0,0 +1,104 @@
+From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Date: Fri, 11 Dec 2020 16:32:25 +1300
+Subject: CVE-2020-27840 ldb_dn: avoid head corruption in ldb_dn_explode
+Origin: https://git.samba.org/?p=samba.git;a=commitdiff;h=dbb3e65f7e382adf5fa6a6afb3d8684aca3f201a
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14595
+Bug-Debian: https://bugs.debian.org/985936
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-27840
+
+A DN string with lots of trailing space can cause ldb_dn_explode() to
+put a zero byte in the wrong place in the heap.
+
+When a DN string has a value represented with trailing spaces,
+like this
+
+     "CN=foo   ,DC=bar"
+
+the whitespace is supposed to be ignored. We keep track of this in the
+`t` pointer, which is NULL when we are not walking through trailing
+spaces, and points to the first space when we are. We are walking with
+the `p` pointer, writing the value to `d`, and keeping the length in
+`l`.
+
+     "CN=foo   ,DC= "       ==>       "foo   "
+            ^  ^                             ^
+            t  p                             d
+                                       --l---
+
+The value is finished when we encounter a comma or the end of the
+string. If `t` is not NULL at that point, we assume there are trailing
+spaces and wind `d and `l` back by the correct amount. Then we switch
+to expecting an attribute name (e.g. "CN"), until we get to an "=",
+which puts us back into looking for a value.
+
+Unfortunately, we forget to immediately tell `t` that we'd finished
+the last value, we can end up like this:
+
+     "CN=foo   ,DC= "       ==>        ""
+            ^      ^                    ^
+            t      p                    d
+                                        l=0
+
+where `p` is pointing to a new value that contains only spaces, while
+`t` is still referring to the old value. `p` notices the value ends,
+and we subtract `p - t` from `d`:
+
+     "CN=foo   ,DC= "       ==>  ?     ""
+            ^       ^            ^
+            t       p            d
+                                      l ~= SIZE_MAX - 8
+
+At that point `d` wants to terminate its string with a '\0', but
+instead it terminates someone else's byte. This does not crash if the
+number of trailing spaces is small, as `d` will point into a previous
+value (a copy of "foo" in this example). Corrupting that value will
+ultimately not matter, as we will soon try to allocate a buffer `l`
+long, which will be greater than the available memory and the whole
+operation will fail properly.
+
+However, with more spaces, `d` will point into memory before the
+beginning of the allocated buffer, with the exact offset depending on
+the length of the earlier attributes and the number of spaces.
+
+What about a longer DN with more attributes? For example,
+"CN=foo     ,DC= ,DC=example,DC=com" -- since `d` has moved out of
+bounds, won't we continue to use it and write more DN values into
+mystery memory? Fortunately not, because the aforementioned allocation
+of `l` bytes must happen first, and `l` is now huge. The allocation
+happens in a talloc_memdup(), which is by default restricted to
+allocating 256MB.
+
+So this allows a person who controls a string parsed by ldb_dn_explode
+to corrupt heap memory by placing a single zero byte at a chosen
+offset before the allocated buffer.
+
+An LDAP bind request can send a string DN as a username. This DN is
+necessarily parsed before the password is checked, so an attacker does
+not need proper credentials. The attacker can easily cause a denial of
+service and we cannot rule out more subtle attacks.
+
+The immediate solution is to reset `t` to NULL when a comma is
+encountered, indicating that we are no longer looking at trailing
+whitespace.
+
+Found with the help of Honggfuzz.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+---
+ lib/ldb/common/ldb_dn.c               | 1 +
+ selftest/knownfail.d/python-segfaults | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+--- a/common/ldb_dn.c
++++ b/common/ldb_dn.c
+@@ -570,6 +570,7 @@ static bool ldb_dn_explode(struct ldb_dn
+ 					/* trim back */
+ 					d -= (p - t);
+ 					l -= (p - t);
++					t = NULL;
+ 				}
+ 
+ 				in_attr = true;
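Review bot: the diffstat lists a one-line deletion in selftest/knownfail.d/python-segfaults that is not carried in this backport, so either trim the stat to the single ldb_dn.c hunk or carry the test change so the regression is exercised in the buster build; the DEP-3 Subject should also read "heap corruption" to match the description. The fix itself is sound as placed: `t = NULL;` sits inside the trim-back block right after `l -= (p - t);`, and since `t` is only non-NULL while walking trailing spaces, clearing it there is equivalent to clearing it on every comma as the description says, and it stops the stale `t` from being subtracted from `d` and `l` for the next value.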
diff -Nru ldb-1.5.1+really1.4.6/debian/patches/CVE-2021-20277-ldb-attrib_handlers-casefold-stay-in-.patch ldb-1.5.1+really1.4.6/debian/patches/CVE-2021-20277-ldb-attrib_handlers-casefold-stay-in-.patch
--- ldb-1.5.1+really1.4.6/debian/patches/CVE-2021-20277-ldb-attrib_handlers-casefold-stay-in-.patch	1970-01-01 01:00:00.000000000 +0100
+++ ldb-1.5.1+really1.4.6/debian/patches/CVE-2021-20277-ldb-attrib_handlers-casefold-stay-in-.patch	2021-03-28 10:35:25.000000000 +0200
@@ -0,0 +1,30 @@
+From: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Date: Tue, 8 Dec 2020 21:32:09 +1300
+Subject: CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
+Origin: https://git.samba.org/?p=samba.git;a=commitdiff;h=1fe8c790b2294fd10fe9c9c6254ecf2b6c00b709
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-20277
+Bug-Debian: https://bugs.debian.org/985935
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14655
+
+For a string that had N spaces at the beginning, we would
+try to move N bytes beyond the end of the string.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet at samba.org>
+---
+ lib/ldb/common/attrib_handlers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/common/attrib_handlers.c
++++ b/common/attrib_handlers.c
+@@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context
+ 	
+ 	/* remove leading spaces if any */
+ 	if (*s == ' ') {
+-		for (t = s; *s == ' '; s++) ;
++		for (t = s; *s == ' '; s++, l--) ;
+ 
+ 		/* remove leading spaces by moving down the string */
+ 		memmove(t, s, l);
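Review bot: decrementing `l` in the skip loop (`s++, l--`) makes `memmove(t, s, l)` copy only the bytes that remain after the leading spaces instead of reading `N` bytes past the end of the buffer, which is the out-of-bounds read being fixed. The context does not show how `l` is initialised or whether the string is NUL-terminated after the move, so it is worth confirming that `l` includes the terminator (or that a terminator is written afterwards), otherwise the shortened string can be left unterminated. Style: the header order here (Bug-Debian-Security before Bug-Debian and Bug) differs from the other two patches; aligning it keeps the DEP-3 headers uniform.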
diff -Nru ldb-1.5.1+really1.4.6/debian/patches/series ldb-1.5.1+really1.4.6/debian/patches/series
--- ldb-1.5.1+really1.4.6/debian/patches/series	2019-03-20 06:31:07.000000000 +0100
+++ ldb-1.5.1+really1.4.6/debian/patches/series	2021-03-28 10:35:25.000000000 +0200
@@ -2,3 +2,6 @@
 01_manpage_dates
 02_hurd
 03_EBADE
+CVE-2020-10730-lib-ldb-Check-if-ldb_lock_backend_cal.patch
+CVE-2020-27840-ldb_dn-avoid-head-corruption-in-ldb_d.patch
+CVE-2021-20277-ldb-attrib_handlers-casefold-stay-in-.patch
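Review bot: the three entries match the files added under debian/patches and are appended after 03_EBADE in CVE order; since each patch touches a different file (common/ldb.c, common/ldb_dn.c, common/attrib_handlers.c) there is no inter-patch dependency, so the order is safe.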