Commit message | Author | Age | Files | Lines
* VERSION: Disable GIT_SNAPSHOT for the 4.10.18 release. [samba-4.10.18, v4-10-test, v4-10-stable]
  Karolin Seeger, 2020-09-18, 1 file, -1/+1
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* WHATSNEW: Add release notes for Samba 4.10.18.
  Karolin Seeger, 2020-09-18, 1 file, -2/+111
  CVE-2020-1472: Samba impact of "ZeroLogon".
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge
  Gary Lockyer, 2020-09-18, 1 file, -0/+335
  Ensure that client challenges with the first 5 bytes identical are rejected.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  [abartlet@samba.org: backported from master as test order was flipped]
* CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd
  Gary Lockyer, 2020-09-18, 1 file, -35/+29
  Ensure that an empty machine account password can't be set by netr_ServerPasswordSet2.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
* CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT'
  Stefan Metzmacher, 2020-09-18, 1 file, -15/+54
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations
  Günther Deschner, 2020-09-18, 1 file, -4/+66
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
  Günther Deschner, 2020-09-18, 1 file, -1/+6
  This allows adding exceptions for individual workstations when using "server schannel = yes". "server schannel = auto" is very insecure and will be removed soon.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
  Günther Deschner, 2020-09-18, 1 file, -8/+35
  We should debug more details about the failing request.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Günther Deschner <gd@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations
  Stefan Metzmacher, 2020-09-18, 1 file, -3/+63
  This should give admins warnings until they have a secure configuration.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Günther Deschner <gd@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
  Stefan Metzmacher, 2020-09-18, 1 file, -1/+8
  This allows adding exceptions for individual workstations when using "server schannel = yes". "server schannel = auto" is very insecure and will be removed soon.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
  Stefan Metzmacher, 2020-09-18, 1 file, -12/+33
  We should debug more details about the failing request.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
  Jeremy Allison, 2020-09-18, 1 file, -6/+92
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
  Stefan Metzmacher, 2020-09-18, 1 file, -1/+59
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()
  Stefan Metzmacher, 2020-09-18, 2 files, -1/+17
  This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:

    7. If none of the first 5 bytes of the client challenge is unique, the server MUST fail session-key negotiation without further processing of the following steps.

  It lets ./zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472.git report: "Attack failed. Target is probably patched."
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  [dbagnall@samba.org, abartlet@samba.org: wscript_build backport differs because 4.10 has no gnutls dependency]
* CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values
  Stefan Metzmacher, 2020-09-18, 2 files, -1/+23
  This is the check Windows is using, so we won't generate challenges which are rejected by Windows DCs (and future Samba DCs).
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
  Stefan Metzmacher, 2020-09-18, 1 file, -2/+1
  This is not strictly needed, but makes things more clear.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
  Stefan Metzmacher, 2020-09-18, 1 file, -2/+1
  This is not strictly needed, but makes things more clear.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c
  Stefan Metzmacher, 2020-09-18, 1 file, -2/+1
  This will avoid getting rejected by the server if we generate a weak challenge.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge()
  Stefan Metzmacher, 2020-09-18, 2 files, -23/+13
  This will avoid getting flakey tests once our server starts to reject weak challenges.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge()
  Stefan Metzmacher, 2020-09-18, 2 files, -0/+10
  It's good to have just a single isolated function that will generate random challenges; in future we can add some logic in order to avoid weak values, which are likely to be rejected by a server.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* util: fix build on AIX by fixing the order of replace.h include
  Bjoern Jacke, 2020-07-06, 1 file, -1/+1
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14422
  Signed-off-by: Bjoern Jacke <bjacke@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  (cherry picked from commit d93a6d2663a25bca072cd5623aea16e21ed650b8)
  Autobuild-User(v4-10-test): Karolin Seeger <kseeger@samba.org>
  Autobuild-Date(v4-10-test): Mon Jul 6 13:47:25 UTC 2020 on sn-devel-144
* util: Reallocate larger buffer if getpwuid_r() returns ERANGE
  Martin Schwenke, 2020-07-06, 1 file, -0/+13
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Bjoern Jacke <bjacke@samba.org>
  Autobuild-User(master): Martin Schwenke <martins@samba.org>
  Autobuild-Date(master): Tue Jun 9 21:07:24 UTC 2020 on sn-devel-184
  (cherry picked from commit ddac6b2eb4adaec8fc5e25ca07387d2b9417764c)
* util: Fix build on FreeBSD by avoiding NSS_BUFLEN_PASSWD
  Martin Schwenke, 2020-07-06, 1 file, -5/+22
  NSS_BUFLEN_PASSWD is not defined on FreeBSD. Use sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX.

  Use a dynamically allocated buffer instead of trying to cram all of the logic into the declarations. This will come in useful later anyway.
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Bjoern Jacke <bjacke@samba.org>
  (cherry picked from commit 847208cd8ac68c4c7d1dae63767820db1c69292b)
* util: Simplify input validation
  Martin Schwenke, 2020-07-06, 1 file, -5/+4
  It appears that snprintf(3) is being used for input validation. However, this seems like overkill because it causes szPath to be copied an extra time.

  The most likely protections being sought here, according to https://cwe.mitre.org/data/definitions/20.html, look to be DoS attacks involving CPU and memory usage. A simpler check that uses strnlen(3) can mitigate against both of these and is simpler.
  Signed-off-by: Martin Schwenke <martin@meltin.net>
  Reviewed-by: Volker Lendecke <vl@samba.org>
  Reviewed-by: Bjoern Jacke <bjacke@samba.org>
  (cherry picked from commit 922bce2668994dd2a5988c17060f977e9bb0c229)
* VERSION: Bump version up to 4.10.18.
  Karolin Seeger, 2020-07-02, 1 file, -1/+1
  Signed-off-by: Karolin Seeger <kseeger@samba.org>
* Merge tag 'samba-4.10.17' into v4-10-test
  Karolin Seeger, 2020-07-02, 21 files, -234/+1359
  samba: tag release samba-4.10.17
  * VERSION: Disable GIT_SNAPSHOT for the 4.10.17 release. [samba-4.10.17]
    Karolin Seeger, 2020-06-25, 1 file, -1/+1
    This is a security release in order to address the following CVEs:

    o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results.
    o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU.
    o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV.
    o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

    Signed-off-by: Karolin Seeger <kseeger@samba.org>
  * WHATSNEW: Add release notes for Samba 4.10.17.
    Karolin Seeger, 2020-06-25, 1 file, -2/+86
    Signed-off-by: Karolin Seeger <kseeger@samba.org>
  * CVE-2020-10760 dsdb: Add tests for paged_results and VLV over the Global Catalog port
    Andrew Bartlett, 2020-06-25, 2 files, -66/+107
    This should avoid a regression.
    (backported from master patch)
    [abartlet@samba.org: sort=True parameter on test_paged_delete_during_search is not in 4.10]
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2020-10760 dsdb: Ensure a proper talloc tree for saved controls
    Andrew Bartlett, 2020-06-25, 2 files, -0/+15
    Otherwise a paged search on the GC port will fail as the ->data was not kept around for the second page of searches.

    An example command to produce this is:

      bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD

    This shows up later in the partition module as:

      ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
      READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
          #0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
          #1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
          #2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
          #3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780

    or

      smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value (from source4/dsdb/samdb/ldb_modules/partition.c:780)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2020-14303: s4 nbt: fix busy loop on empty UDP packet
    Gary Lockyer, 2020-06-25, 2 files, -2/+16
    An empty UDP packet put the nbt server into a busy loop that consumes 100% of a CPU.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2020-14303 Ensure an empty packet will not DoS the NBT server
    Andrew Bartlett, 2020-06-25, 2 files, -0/+20
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    (backported from master commit)
    [abartlet@samba.org: Remove f"" format string not supported in Python 3.4]
  * CVE-2020-10745: ndr/dns-utils: prepare for NBT compatibility
    Douglas Bagnall, 2020-06-25, 7 files, -77/+49
    NBT has a funny thing where it sometimes needs to send a trailing dot as part of the last component, because the string representation is a user name. In DNS, "example.com" and "example.com." are the same, both having three components ("example", "com", ""); in NBT, we want to treat them differently, with the second form having the three components ("example", "com.", "").

    This retains the logic of e6e2ec0001fe3c010445e26cc0efddbc1f73416b.

    Also DNS compression cannot be turned off for NBT.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * CVE-2020-10745: dns_util/push: forbid names longer than 255 bytes
    Douglas Bagnall, 2020-06-25, 2 files, -2/+9
    As per RFC 1035.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * CVE-2020-10745: ndr_dns: do not allow consecutive dots
    Douglas Bagnall, 2020-06-25, 3 files, -2/+6
    The empty subdomain component is reserved for the root domain, which we should only (and always) see at the end of the list. That is, we expect "example.com.", but never "example..com".
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * CVE-2020-10745: ndr/dns_utils: correct a comment
    Douglas Bagnall, 2020-06-25, 1 file, -1/+1
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * CVE-2020-10745: ndr_dns: move ndr_push_dns_string core into sharable function
    Douglas Bagnall, 2020-06-25, 4 files, -75/+99
    This is because ndr_nbt.c does almost exactly the same thing with almost exactly the same code, and they both do it wrong. Soon they will both be using the better version that this will become. Though in this patch we just move the code, not fix it.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * CVE-2020-10745: librpc/tests: cmocka tests of dns and ndr strings
    Douglas Bagnall, 2020-06-25, 4 files, -0/+255
    These time the push and pull functions in isolation. Timing should be under 0.0001 seconds on even quite old hardware; we assert it must be under 0.2 seconds.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    (backported from master commit)
    [abartlet@samba.org: backported due to differences in pre-existing tests - eg test_ndr - mentioned in wscript_build and tests.py]
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  * CVE-2020-10745: pytests: hand-rolled invalid dns/nbt packet tests
    Douglas Bagnall, 2020-06-25, 3 files, -0/+222
    The client libraries don't allow us to make packets that are broken in certain ways, so we need to construct them as byte strings.

    These tests all fail at present, proving the server is rendered unresponsive, which is the crux of CVE-2020-10745.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
    Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
    (backported from patch for master)
    [abartlet@samba.org: f"" strings are not in Python 3.4 and bytes cannot be formatted in python 3.4]
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  * ldb: Bump version to 1.5.8 [ldb-1.5.8]
    Gary Lockyer, 2020-06-25, 4 files, -1/+286
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2020-10730: lib ldb: Check if ldb_lock_backend_callback called twice
    Gary Lockyer, 2020-06-25, 1 file, -1/+8
    Prevent use after free issues if ldb_lock_backend_callback is called twice, usually due to ldb_module_done being called twice. This can happen if a module ignores the return value from a function that calls ldb_module_done as part of its error handling.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2020-10730: s4 dsdb vlv_pagination: Prevent repeat call of ldb_module_done
    Gary Lockyer, 2020-06-25, 1 file, -12/+49
    Check the return code from vlv_results; if it is not LDB_SUCCESS, ldb_module_done has already been called and SHOULD NOT be called again.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2020-10730: s4 dsdb paged_results: Prevent repeat call of ldb_module_done
    Gary Lockyer, 2020-06-25, 1 file, -9/+34
    Check the return code from paged_results; if it is not LDB_SUCCESS, ldb_module_done has already been called and SHOULD NOT be called again.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  * CVE-2020-10730: dsdb: Ban the combination of paged_results and VLV
    Andrew Bartlett, 2020-06-25, 1 file, -0/+10
    This (two different paging controls) makes no sense and fails against Windows Server 1709.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2020-10730: dsdb: Fix crash when vlv and paged_results are combined
    Andrew Bartlett, 2020-06-25, 1 file, -0/+4
    The GUID is not returned in the DN for some reason in this (to be banned) combination.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2020-10730: selftest: Add test to show that VLV and paged_results are incompatible
    Andrew Bartlett, 2020-06-25, 2 files, -0/+50
    As tested against Windows Server 1709.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2020-10730: vlv: Another workaround for mixing ASQ and VLV
    Andrew Bartlett, 2020-06-25, 1 file, -4/+15
    This is essentially an alternative patch, but without the correct behaviour. Instead this just avoids a segfault.

    Included in case we have something similar again in another module.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2020-10730: selftest: Add test to confirm VLV interaction with ASQ
    Andrew Bartlett, 2020-06-25, 1 file, -0/+27
    Tested against Windows 1709.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2020-10730: vlv: Do not re-ASQ search the results of an ASQ search with VLV
    Andrew Bartlett, 2020-06-25, 1 file, -0/+11
    This is a silly combination, but at least try and keep the results sensible and avoid a double-dereference.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
  * CVE-2020-10730: vlv: Use strcmp(), not strncmp() checking the NULL terminated control OIDs
    Andrew Bartlett, 2020-06-25, 1 file, -2/+2
    The end result is the same, as sizeof() includes the trailing NUL, but this avoids having to think about that.
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364
    Signed-off-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>