git.samba.org - samba.git/log

git.samba.org / samba.git / log

commit | commitdiff | tree

Karolin Seeger [Tue, 14 Aug 2018 10:21:06 +0000 (12:21 +0200)]

VERSION: Bump version up to 4.6.17.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Karolin Seeger [Tue, 14 Aug 2018 10:20:50 +0000 (12:20 +0200)]

Merge tag 'samba-4.6.16' into v4-6-test

samba: tag release samba-4.6.16

commit | commitdiff | tree

Karolin Seeger [Mon, 13 Aug 2018 07:25:13 +0000 (09:25 +0200)]

VERSION: Disable GIT_SNAPSHOT for the 4.6.16 release.

o  CVE-2018-10858 (Insufficient input validation on client directory
                   listing in libsmbclient.)
o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
                   server.)

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Karolin Seeger [Mon, 13 Aug 2018 07:24:08 +0000 (09:24 +0200)]

WHATSNEW: Add release notes for Samba 4.6.16.

o  CVE-2018-10858 (Insufficient input validation on client directory
                   listing in libsmbclient.)
o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
                   server.)

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Tim Beale [Wed, 1 Aug 2018 01:51:42 +0000 (13:51 +1200)]

CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case

The acl_read.c code contains a special case to allow dirsync to
work-around having insufficient access rights. We had a concern that
the dirsync module could leak sensitive information for deleted objects.
This patch adds a test-case to prove whether or not this is happening.

The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it
  hangs around for deleted objcts. Because the attributes now persist
  across test case runs, I've used a different attribute to normal.
  (Technically, the dirsync search expressions are now specific enough
  that the regular attribute could be used, but it would make things
  quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are
  now more complicated. Currently dirsync adds an extra-filter to the
  '!' searches to exclude deleted objects, i.e. samaccountname matches
  the test-objects AND the object is not deleted. We now extend this to
  include deleted objects with lastKnownParent equal to the test OU.
  The search expression matches either case so that we can use the same
  expression throughout the test (regardless of whether the object is
  deleted yet or not).

This test proves that the dirsync corner-case does not actually leak
sensitive information on Samba. This is due to a bug in the dirsync
code - when the buggy line is removed, this new test promptly fails.
Test also passes against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Fri, 20 Jul 2018 03:42:36 +0000 (15:42 +1200)]

CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches

A user that doesn't have access to view an attribute can still guess the
attribute's value via repeated LDAP searches. This affects confidential
attributes, as well as ACLs applied to an object/attribute to deny
access.

Currently the code will hide objects if the attribute filter contains an
attribute they are not authorized to see. However, the code still
returns objects as results if confidential attribute is in the search
expression itself, but not in the attribute filter.

To fix this problem we have to check the access rights on the attributes
in the search-tree, as well as the attributes returned in the message.

Points of note:
- I've preserved the existing dirsync logic (the dirsync module code
  suppresses the result as long as the replPropertyMetaData attribute is
  removed). However, there doesn't appear to be any test that highlights
  that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit
  searches like 'objectClass=*', even though we don't have Read Property
  access rights for the objectClass attribute. The logic that Windows
  uses does not appear to be clearly documented, so I've made a best
  guess that seems to mirror Windows behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Mon, 30 Jul 2018 04:00:15 +0000 (16:00 +1200)]

CVE-2018-10919 acl_read: Flip the logic in the dirsync check

This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Thu, 26 Jul 2018 00:20:49 +0000 (12:20 +1200)]

CVE-2018-10919 acl_read: Small refactor to aclread_callback()

Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Tue, 31 Jul 2018 04:00:12 +0000 (16:00 +1200)]

CVE-2018-10919 acl_read: Split access_mask logic out into helper function

So we can re-use the same logic laster for checking the search-ops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Fri, 20 Jul 2018 01:01:00 +0000 (13:01 +1200)]

CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights

An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.

What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.

Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.

One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Gary Lockyer [Fri, 3 Aug 2018 03:51:28 +0000 (15:51 +1200)]

CVE-2018-10919 tests: test ldap searches for non-existent attributes.

It is perfectly legal to search LDAP for an attribute that is not part
of the schema. That part of the query should simply not match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

commit | commitdiff | tree

Tim Beale [Tue, 31 Jul 2018 02:14:20 +0000 (14:14 +1200)]

CVE-2018-10919 tests: Add test case for object visibility with limited rights

Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
attribute=*) searches compared to Windows.

All the acl.py tests are based on objectClass=* searches, where Windows
will happily tell a user about objects they have List Contents rights,
but not Read Property rights for. However, if you change the attribute
being searched for, suddenly the objects are no longer visible on
Windows (whereas they are on Samba).

This is a problem, because Samba can tell you about which objects have
confidential attributes, which in itself could be disclosive.

This patch adds a acl.py test-case that highlights this behaviour. The
test passes against Windows but fails against Samba.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Mon, 9 Jul 2018 03:57:59 +0000 (15:57 +1200)]

CVE-2018-10919 tests: Add tests for guessing confidential attributes

Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.

The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the
user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-
access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls

These tests all pass when run against a Windows Dc and all fail against
a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Fri, 20 Jul 2018 01:13:50 +0000 (13:13 +1200)]

CVE-2018-10919 security: Add more comments to the object-specific access checks

Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Tim Beale [Thu, 19 Jul 2018 04:03:36 +0000 (16:03 +1200)]

CVE-2018-10919 security: Move object-specific access checks into separate function

Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.

This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

commit | commitdiff | tree

Jeremy Allison [Fri, 15 Jun 2018 22:08:17 +0000 (15:08 -0700)]

CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

commit | commitdiff | tree

Jeremy Allison [Fri, 15 Jun 2018 22:07:17 +0000 (15:07 -0700)]

CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

commit | commitdiff | tree

Karolin Seeger [Tue, 10 Apr 2018 19:22:32 +0000 (21:22 +0200)]

VERSION: Bump version up to 4.6.16...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit 7705a4d471a427041616a9897158474d8a5ff457)

commit | commitdiff | tree

Karolin Seeger [Tue, 10 Apr 2018 19:22:32 +0000 (21:22 +0200)]

VERSION: Bump version up to 4.6.16...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Karolin Seeger [Tue, 10 Apr 2018 19:21:39 +0000 (21:21 +0200)]

VERSION: Disable GIT_SNAPSHOT for the 4.6.15 release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Karolin Seeger [Tue, 10 Apr 2018 19:21:09 +0000 (21:21 +0200)]

WHATSNEW: Add release notes for Samba 4.6.15.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Volker Lendecke [Wed, 11 Apr 2018 13:11:10 +0000 (15:11 +0200)]

torture: Test compound request request counters

This will send an unfixed smbd into the

SMB_ASSERT(op->request_count > 0);

in smbd_smb2_request_reply_update_counts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Apr 12 14:38:39 CEST 2018 on sn-devel-144

(cherry picked from commit 40edd1bc273f664d5567ef5be169033899acee1f)

Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-6-test): Thu Apr 12 21:56:31 CEST 2018 on sn-devel-144

commit | commitdiff | tree

Stefan Metzmacher [Wed, 11 Apr 2018 10:14:59 +0000 (12:14 +0200)]

s3:smb2_server: correctly maintain request counters for compound requests

If a session expires during a compound request chain,
we exit smbd_smb2_request_dispatch() with
'return smbd_smb2_request_error(req, ...)' before
calling smbd_smb2_request_dispatch_update_counts().

As req->request_counters_updated was only reset
within smbd_smb2_request_dispatch_update_counts(),
smbd_smb2_request_reply_update_counts() was called
twice on the same request, which triggers
SMB_ASSERT(op->request_count > 0);

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 87e25cd1e45bfe57292b62ffc44ddafc01c61ca0)

commit | commitdiff | tree

Jeremy Allison [Mon, 9 Apr 2018 16:32:23 +0000 (09:32 -0700)]

s3: smbd: Unix extensions attempts to change wrong field in fchown call.

Cut and paste error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13375

Reported-by: Rungta, Vandana <vrungta@amazon.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Apr 10 00:45:56 CEST 2018 on sn-devel-144

(cherry picked from commit 3227b110d065500ed84fc70063da70ab35823a2e)

Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Wed Apr 11 16:55:21 CEST 2018 on sn-devel-144

commit | commitdiff | tree

Anton Nefedov via samba-technical [Thu, 15 Mar 2018 11:38:41 +0000 (14:38 +0300)]

s3:smbd: map nterror on smb2_flush errorpath

smbd_smb2_flush_recv() expects nterror in tevent_req, and otherwise
aborts in tevent_req_is_nterror()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13338

Signed-off-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 98623129446672521b7fa41d3457b8ce95db828c)

commit | commitdiff | tree

Poornima G [Thu, 22 Feb 2018 10:51:35 +0000 (16:21 +0530)]

vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13297

Pair-Programmed-With: Anoop C S <anoopcs@redhat.com>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Feb 26 20:17:50 CET 2018 on sn-devel-144

(cherry picked from commit 46e6626f73f42c84f254507c3ec2b591e2e732ba)

commit | commitdiff | tree

Jeremy Allison [Wed, 14 Feb 2018 21:23:12 +0000 (13:23 -0800)]

s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir()

HPUX has this problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13270

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 23 22:56:35 CET 2018 on sn-devel-144

(cherry picked from commit 5ad5e7966f555b1d2b39d276646934a2cd2535e6)

commit | commitdiff | tree

Jeremy Allison [Wed, 24 Jan 2018 22:09:43 +0000 (14:09 -0800)]

s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.

Thanks to Isaac Boukris <iboukris@gmail.com> for finding the
issue and testing this fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144

(cherry picked from commit e7425bd5245ffea68b7e8f794c9b5f864d103769)

commit | commitdiff | tree

Garming Sam [Mon, 8 Jan 2018 03:34:02 +0000 (16:34 +1300)]

tests/bind.py: Add a bind test with NTLMSSP with no domain

Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0)

Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-6-test): Tue Mar 20 21:20:00 CET 2018 on sn-devel-144

commit | commitdiff | tree

Stefan Metzmacher [Tue, 9 Jan 2018 07:57:05 +0000 (08:57 +0100)]

s3:cliconnect.c: remove useless ';'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3)

commit | commitdiff | tree

Stefan Metzmacher [Tue, 9 Jan 2018 07:55:48 +0000 (08:55 +0100)]

s3:libsmb: allow -U"\\administrator" to work

cli_credentials_get_principal() returns NULL in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87)

commit | commitdiff | tree

Stefan Metzmacher [Tue, 13 Mar 2018 10:11:55 +0000 (11:11 +0100)]

Merge tag 'samba-4.6.14' into v4-6-test

samba: tag release samba-4.6.14

commit | commitdiff | tree

Karolin Seeger [Tue, 13 Mar 2018 09:40:24 +0000 (10:40 +0100)]

VERSION: Bump version up to 4.6.15...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Günther Deschner [Mon, 15 Jan 2018 22:20:39 +0000 (23:20 +0100)]

build: fix libceph-common detection

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13277

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Feb 22 19:30:12 CET 2018 on sn-devel-144

(cherry picked from commit 6a59619844e0def505a6bfa778c17721c062e0ee)

commit | commitdiff | tree

Karolin Seeger [Mon, 12 Mar 2018 09:10:53 +0000 (10:10 +0100)]

VERSION: Disable GIT_SNAPSHOT for the 4.6.14 release.

CVE-2018-1050 (Denial of Service Attack on external print server.)
CVE-2018-1057 (Authenticated users can change other users' password.)

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Karolin Seeger [Mon, 12 Mar 2018 09:10:07 +0000 (10:10 +0100)]

WHATSNEW: Add release notes for Samba 4.6.14.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 22:11:38 +0000 (23:11 +0100)]

CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control

This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Fri, 16 Feb 2018 14:38:19 +0000 (15:38 +0100)]

CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID

This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.

It's very important that both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Fri, 16 Feb 2018 14:30:13 +0000 (15:30 +0100)]

CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control

Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Wed, 14 Feb 2018 18:15:49 +0000 (19:15 +0100)]

CVE-2018-1057: s4:dsdb/acl: run password checking only once

This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 22 Feb 2018 09:54:37 +0000 (10:54 +0100)]

CVE-2018-1057: s4/dsdb: correctly detect password resets

This change ensures we correctly treat the following LDIF

  dn: cn=testuser,cn=users,...
  changetype: modify
  delete: userPassword
  add: userPassword
  userPassword: thatsAcomplPASS1

as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.

For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Fri, 16 Feb 2018 14:17:26 +0000 (15:17 +0100)]

CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 16:43:43 +0000 (17:43 +0100)]

CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 21:59:24 +0000 (22:59 +0100)]

CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]

CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]

CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 13:40:59 +0000 (14:40 +0100)]

CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 09:56:06 +0000 (10:56 +0100)]

CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 11:43:09 +0000 (12:43 +0100)]

CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete

Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Jeremy Allison [Tue, 2 Jan 2018 23:56:03 +0000 (15:56 -0800)]

CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>

commit | commitdiff | tree

Karolin Seeger [Mon, 12 Mar 2018 09:10:53 +0000 (10:10 +0100)]

commit | commitdiff | tree

Karolin Seeger [Mon, 12 Mar 2018 09:10:07 +0000 (10:10 +0100)]

WHATSNEW: Add release notes for Samba 4.6.14.

Signed-off-by: Karolin Seeger <kseeger@samba.org>

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 22:11:38 +0000 (23:11 +0100)]

commit | commitdiff | tree

Ralph Boehme [Fri, 16 Feb 2018 14:38:19 +0000 (15:38 +0100)]

commit | commitdiff | tree

Ralph Boehme [Fri, 16 Feb 2018 14:30:13 +0000 (15:30 +0100)]

commit | commitdiff | tree

Ralph Boehme [Wed, 14 Feb 2018 18:15:49 +0000 (19:15 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 22 Feb 2018 09:54:37 +0000 (10:54 +0100)]

commit | commitdiff | tree

Ralph Boehme [Fri, 16 Feb 2018 14:17:26 +0000 (15:17 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 16:43:43 +0000 (17:43 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 21:59:24 +0000 (22:59 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 16:38:31 +0000 (17:38 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 13:40:59 +0000 (14:40 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 09:56:06 +0000 (10:56 +0100)]

commit | commitdiff | tree

Ralph Boehme [Thu, 15 Feb 2018 11:43:09 +0000 (12:43 +0100)]

commit | commitdiff | tree

Jeremy Allison [Tue, 2 Jan 2018 23:56:03 +0000 (15:56 -0800)]

CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>

commit | commitdiff | tree

Karolin Seeger [Tue, 13 Feb 2018 10:45:24 +0000 (11:45 +0100)]

VERSION: Bump version up to 4.6.14...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit 2ed874196b73fce0e2376f0a4237f9986413e95f)

commit | commitdiff | tree

Andreas Schneider [Mon, 19 Feb 2018 17:07:50 +0000 (18:07 +0100)]

s3:smbd: Do not crash if we fail to init the session table

This should the following segfault with SMB1:

  #6  sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94
  #7  <signal handler called>
  #8  smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8)
      at ../source3/smbd/smbXsrv_session.c:1212
  #9  0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961
  #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726
  #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0)
      at ../source3/smbd/process.c:1762
  #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>,
      deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008
  #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608
  #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0

Inspection the core shows that:
  conn->client-session_table is NULL
  conn->protocol is PROTOCOL_NONE

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit a89a7146563f2d9eb8bc02f1c090158ee499c878)

Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-6-test): Fri Mar  9 01:47:40 CET 2018 on sn-devel-144

commit | commitdiff | tree

Dan Robertson [Thu, 22 Feb 2018 20:47:11 +0000 (20:47 +0000)]

libsmb: Use smb2 tcon if conn_protocol >= SMB2_02

When the connection protocol is SMB2 the tid from the smb1 member is
used instead of smb2 in cli_state_set_tid which often results in a null
deref.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13310

Signed-off-by: Dan Robertson <drobertson@tripwire.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit b67ffaf518c971817b167b41bf6226cddfdcfd2f)

commit | commitdiff | tree

Volker Lendecke [Thu, 11 Jan 2018 10:55:39 +0000 (11:55 +0100)]

torture: Add test for channel sequence number handling

We run into an assert when the csn wraps

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 14 14:47:15 CET 2018 on sn-devel-144

(cherry picked from commit 0abe16a5343de9a69bb5cccbad9809b28b642f45)

commit | commitdiff | tree

Volker Lendecke [Thu, 11 Jan 2018 10:25:49 +0000 (11:25 +0100)]

smbXcli: Add "force_channel_sequence"

This enables use of the channel sequence number even for
non-multi-channel servers. This makes our client invalid, but we need to
protect against broken clients with tests.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit cd288a08500b1cc38ef26e5cb8ef754b4da658b6)

commit | commitdiff | tree

Volker Lendecke [Thu, 11 Jan 2018 14:34:45 +0000 (15:34 +0100)]

smbd: Fix channel sequence number checks for long-running requests

When the client's supplied csn overflows and hits a pending, long-running
request's csn, we panic. Fix this by counting the overflows in
smbXsrv_open_global0->channel_generation

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Volker Lendecke <vl@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 0b57434151a8334a6e9b9b7542824ce4915421a2)

commit | commitdiff | tree

Volker Lendecke [Wed, 10 Jan 2018 13:59:08 +0000 (14:59 +0100)]

smbd: Remove a "!" from an if-condition for easier readability

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 03f65a7cdc91091a171269cfebc9916f2f678388)

commit | commitdiff | tree

Volker Lendecke [Wed, 10 Jan 2018 14:51:56 +0000 (15:51 +0100)]

torture4: Fix typos

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 71cee27962cba53da3249bd3f5ece32a1d10071d)

commit | commitdiff | tree

Volker Lendecke [Wed, 10 Jan 2018 13:29:01 +0000 (14:29 +0100)]

smbd: Fix a typo

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit e8636e7ab75f89e89ef054b5d4aa6c07fddcbe2a)

commit | commitdiff | tree

Stefan Metzmacher [Wed, 20 Dec 2017 13:05:54 +0000 (14:05 +0100)]

s3:smb2_server: allow logoff, close, unlock, cancel and echo on expired sessions

Windows client at least doesn't have code to replay
a SMB2 Close after getting NETWORK_SESSION_EXPIRED,
which locks out a the client and generates an endless
loop around NT_STATUS_SHARING_VIOLATION.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197

Signed-off-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Stefan Metzmacher [Thu, 21 Dec 2017 13:47:06 +0000 (14:47 +0100)]

s3:smbd: return the correct error for cancelled SMB2 notifies on expired sessions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197

Signed-off-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Stefan Metzmacher [Thu, 21 Dec 2017 11:53:02 +0000 (12:53 +0100)]

s4:torture: add smb2.session.expire2 test

This demonstrates the interaction of NT_STATUS_NETWORK_SESSION_EXPIRED
and various SMB2 opcodes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13197

Signed-off-by: Stefan Metzmacher <metze@samba.org>

commit | commitdiff | tree

Karolin Seeger [Wed, 21 Feb 2018 09:15:23 +0000 (10:15 +0100)]

Revert "HEIMDAL:kdc: fix memory leak when decryption AuthorizationData"

This reverts commit 678a7a32473b1f64421cd905b7d535878eb11cab.

Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Wed Feb 21 15:14:49 CET 2018 on sn-devel-144

commit | commitdiff | tree

Karolin Seeger [Wed, 21 Feb 2018 09:15:23 +0000 (10:15 +0100)]

Revert "HEIMDAL:kdc: decrypt b->enc_authorization_data in tgs_build_reply()"

This reverts commit e8988e614aaf269b24b072e483047bdcd80fef33.

commit | commitdiff | tree

Karolin Seeger [Wed, 21 Feb 2018 09:15:23 +0000 (10:15 +0100)]

Revert "HEIMDAL:kdc: if we don't have an authenticator subkey for S4U2Proxy we need to use the additional tickets key"

This reverts commit ec57c13dc378d15dad98efd59e86bcc2775c5b0a.

commit | commitdiff | tree