diff -Nru samba-4.7.6+dfsg~ubuntu/debian/changelog samba-4.7.6+dfsg~ubuntu/debian/changelog
--- samba-4.7.6+dfsg~ubuntu/debian/changelog 2020-09-18 17:04:45.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/changelog 2020-10-16 10:50:50.000000000 +0000
@@ -1,3 +1,23 @@
+samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.21) bionic-security; urgency=medium
+
+ * SECURITY UPDATE: Missing handle permissions check in ChangeNotify
+ - debian/patches/CVE-2020-14318-*.patch: ensure change notifies can't
+ get set unless the directory handle is open for SEC_DIR_LIST in
+ source4/torture/smb2/notify.c, source3/smbd/notify.c.
+ - CVE-2020-14318
+ * SECURITY UPDATE: Unprivileged user can crash winbind
+ - debian/patches/CVE-2020-14323-*.patch: fix invalid lookupsids DoS in
+ source3/winbindd/winbindd_lookupsids.c,
+ source4/torture/winbind/struct_based.c.
+ - CVE-2020-14323
+ * SECURITY UPDATE: DNS server crash via invalid records
+ - debian/patches/CVE-2020-14383-*.patch: ensure variable initialization
+ with NULL and do not crash when additional data not found in
+ source4/rpc_server/dnsserver/dcerpc_dnsserver.c.
+ - CVE-2020-14383
+
+ -- Marc Deslauriers Fri, 16 Oct 2020 06:50:50 -0400
+
 samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.20) bionic-security; urgency=medium
 
 * SECURITY UPDATE: Unauthenticated domain controller compromise by
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-1.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-1.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-1.patch 2020-10-16 10:50:32.000000000 +0000
@@ -0,0 +1,130 @@ +Backport of: + +From 722262fc5be24d2c67e1fe33547bda6bad682342 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Fri, 10 Jul 2020 15:09:33 -0700 +Subject: [PATCH 1/2] s4: torture: Add smb2.notify.handle-permissions test. + +Add knownfail entry. + +CVE-2020-14318 + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 + +Signed-off-by: Jeremy Allison +--- + .../smb2_notify_handle_permissions | 2 + + source4/torture/smb2/notify.c | 80 +++++++++++++++++++ + 2 files changed, 82 insertions(+) + create mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions + +--- /dev/null ++++ b/selftest/knownfail.d/smb2_notify_handle_permissions +@@ -0,0 +1,2 @@ ++^samba3.smb2.notify.handle-permissions ++ +--- a/source4/torture/smb2/notify.c ++++ b/source4/torture/smb2/notify.c +@@ -1189,6 +1189,8 @@ done: + basic testing of change notifies followed by a tdis + */ + ++#define BASEDIR_TD BASEDIR "_TD" ++ + static bool torture_smb2_notify_tree_disconnect( + struct torture_context *torture, + struct smb2_tree *tree) +@@ -2500,6 +2502,83 @@ done: + } + + /* ++ Test asking for a change notify on a handle without permissions. 
++*/ ++ ++#define BASEDIR_HPERM BASEDIR "_HPERM" ++ ++static bool torture_smb2_notify_handle_permissions( ++ struct torture_context *torture, ++ struct smb2_tree *tree) ++{ ++ bool ret = true; ++ NTSTATUS status; ++ union smb_notify notify; ++ union smb_open io; ++ struct smb2_handle h1 = {{0}}; ++ struct smb2_request *req; ++ ++ smb2_deltree(tree, BASEDIR_HPERM); ++ smb2_util_rmdir(tree, BASEDIR_HPERM); ++ ++ torture_comment(torture, ++ "TESTING CHANGE NOTIFY " ++ "ON A HANDLE WITHOUT PERMISSIONS\n"); ++ ++ /* ++ get a handle on the directory ++ */ ++ ZERO_STRUCT(io.smb2); ++ io.generic.level = RAW_OPEN_SMB2; ++ io.smb2.in.create_flags = 0; ++ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE; ++ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; ++ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL; ++ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ | ++ NTCREATEX_SHARE_ACCESS_WRITE; ++ io.smb2.in.alloc_size = 0; ++ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE; ++ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; ++ io.smb2.in.security_flags = 0; ++ io.smb2.in.fname = BASEDIR_HPERM; ++ ++ status = smb2_create(tree, torture, &io.smb2); ++ CHECK_STATUS(status, NT_STATUS_OK); ++ h1 = io.smb2.out.file.handle; ++ ++ /* ask for a change notify, ++ on file or directory name changes */ ++ ZERO_STRUCT(notify.smb2); ++ notify.smb2.level = RAW_NOTIFY_SMB2; ++ notify.smb2.in.buffer_size = 1000; ++ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME; ++ notify.smb2.in.file.handle = h1; ++ notify.smb2.in.recursive = true; ++ ++ req = smb2_notify_send(tree, ¬ify.smb2); ++ torture_assert_goto(torture, ++ req != NULL, ++ ret, ++ done, ++ "smb2_notify_send failed\n"); ++ ++ /* ++ * Cancel it, we don't really want to wait. ++ */ ++ smb2_cancel(req); ++ status = smb2_notify_recv(req, torture, ¬ify.smb2); ++ /* Handle h1 doesn't have permissions for ChangeNotify. 
*/ ++ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); ++ ++done: ++ if (!smb2_util_handle_empty(h1)) { ++ smb2_util_close(tree, h1); ++ } ++ smb2_deltree(tree, BASEDIR_HPERM); ++ return ret; ++} ++ ++/* + basic testing of SMB2 change notify + */ + struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx) +@@ -2532,6 +2611,9 @@ struct torture_suite *torture_smb2_notif + torture_smb2_notify_rmdir3); + torture_suite_add_2smb2_test(suite, "rmdir4", + torture_smb2_notify_rmdir4); ++ torture_suite_add_1smb2_test(suite, ++ "handle-permissions", ++ torture_smb2_notify_handle_permissions); + + suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-2.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-2.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14318-2.patch 2020-10-08 13:51:09.000000000 +0000 
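Review bot: The `#define BASEDIR_TD BASEDIR "_TD"` added by the hunk at 1189 is not referenced by anything else in this patch, so it looks like a leftover of the backport rather than part of the handle-permissions test; if nothing in the 4.7.6 tree uses it, that hunk can be dropped to keep the patch minimal. Inside `torture_smb2_notify_handle_permissions`, `smb2_util_rmdir(tree, BASEDIR_HPERM)` right after `smb2_deltree(tree, BASEDIR_HPERM)` is redundant, and `io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL` on a directory create reads as copied from a file-open test; neither affects the assertion. The test pins only the negative case (`SEC_FILE_READ_ATTRIBUTE` handle gets `NT_STATUS_ACCESS_DENIED`); presumably the rest of the suite covers notifies on handles opened with list access, otherwise a positive sibling case would guard the fix against over-restriction. The `¬ify.smb2` in the `smb2_notify_send`/`smb2_notify_recv` calls is an extraction artefact of `&notify.smb2` on this page, not a defect in the patch.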
@@ -0,0 +1,41 @@
+From 8601553762e508a841ed70b4bbdffe2101c3ad17 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Tue, 7 Jul 2020 18:25:23 -0700
+Subject: [PATCH 2/2] s3: smbd: Ensure change notifies can't get set unless the
+ directory handle is open for SEC_DIR_LIST.
+
+Remove knownfail entry.
+
+CVE-2020-14318
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
+
+Signed-off-by: Jeremy Allison
+---
+ selftest/knownfail.d/smb2_notify_handle_permissions | 2 --
+ source3/smbd/notify.c | 8 ++++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+ delete mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions
+
+--- a/selftest/knownfail.d/smb2_notify_handle_permissions
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba3.smb2.notify.handle-permissions
+-
+--- a/source3/smbd/notify.c
++++ b/source3/smbd/notify.c
+@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct fil
+ char fullpath[len+1];
+ NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
+
++ /*
++ * Setting a changenotify needs READ/LIST access
++ * on the directory handle.
++ */
++ if (!(fsp->access_mask & SEC_DIR_LIST)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+ if (fsp->notify != NULL) {
+ DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
+ "fname = %s\n", fsp->fsp_name->base_name));
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-1.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-1.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-1.patch 2020-10-08 13:51:13.000000000 +0000
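Review bot: The new `SEC_DIR_LIST` check in `change_notify_create` returns `NT_STATUS_ACCESS_DENIED` silently, while the `fsp->notify != NULL` case just below logs via `DEBUG(1, …)`; a client requesting change notifications on a directory handle it opened without list access is worth a log line for operators, e.g. `DEBUG(5, ("change_notify_create: no SEC_DIR_LIST on %s\n", fsp->fsp_name->base_name));` before the return. The check sits before any notify state is attached to the fsp, so the denied path needs no cleanup. In this series the patch is applied directly after CVE-2020-14318-1.patch, so the knownfail entry that patch creates is removed again here and the handle-permissions test is expected to pass at build time. `change_notify_create` begins and ends outside the hunk.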
@@ -0,0 +1,33 @@
+From 54422ea3f9bf6cd4b1436d91de919d54ae8308b4 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke
+Date: Thu, 9 Jul 2020 21:49:25 +0200
+Subject: [PATCH 1/2] CVE-2020-14323 winbind: Fix invalid lookupsids DoS
+
+A lookupsids request without extra_data will lead to "state->domain==NULL",
+which makes winbindd_lookupsids_recv trying to dereference it.
+
+Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
+Signed-off-by: Volker Lendecke
+---
+ source3/winbindd/winbindd_lookupsids.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/winbindd/winbindd_lookupsids.c b/source3/winbindd/winbindd_lookupsids.c
+index d28b5fa9f01..a289fd86f0f 100644
+--- a/source3/winbindd/winbindd_lookupsids.c
++++ b/source3/winbindd/winbindd_lookupsids.c
+@@ -47,7 +47,7 @@ struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx,
+ DEBUG(3, ("lookupsids\n"));
+
+ if (request->extra_len == 0) {
+- tevent_req_done(req);
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return tevent_req_post(req, ev);
+ }
+ if (request->extra_data.data[request->extra_len-1] != '\0') {
+--
+2.20.1
+
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-2.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-2.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14323-2.patch 2020-10-08 13:51:21.000000000 +0000
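Review bot: The `extra_len == 0` branch now fails the request with `NT_STATUS_INVALID_PARAMETER` instead of completing it with no domain set, which is what the recv side needs; the `extra_data.data[request->extra_len-1] != '\0'` check that follows is the other malformed-input path in `winbindd_lookupsids_send`, and its handling is outside the hunk, so confirm it also fails the request rather than continuing. Because this request arrives from a local, possibly unprivileged, client, a `DEBUG(1, ("lookupsids: empty extra_data\n"));` ahead of the error would make rejected requests visible in the winbind log alongside the existing `DEBUG(3, ("lookupsids\n"))`. `winbindd_lookupsids_send` starts before and ends after the hunk.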
@@ -0,0 +1,61 @@ +From 98fb7f0f67e95a2026eb19b132c45793d77d8ead Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Thu, 9 Jul 2020 21:48:57 +0200 +Subject: [PATCH 2/2] CVE-2020-14323 torture4: Add a simple test for invalid + lookup_sids winbind call + +We can't add this test before the fix, add it to knownfail and have the fix +remove the knownfail entry again. As this crashes winbind, many tests after +this one will fail. + +Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 + +Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 +Signed-off-by: Volker Lendecke +--- + source4/torture/winbind/struct_based.c | 27 ++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/source4/torture/winbind/struct_based.c ++++ b/source4/torture/winbind/struct_based.c +@@ -1074,6 +1074,29 @@ static bool torture_winbind_struct_looku + return true; + } + ++static bool torture_winbind_struct_lookup_sids_invalid( ++ struct torture_context *torture) ++{ ++ struct winbindd_request req = {0}; ++ struct winbindd_response rep = {0}; ++ bool strict = torture_setting_bool(torture, "strict mode", false); ++ bool ok; ++ ++ torture_comment(torture, ++ "Running WINBINDD_LOOKUP_SIDS (struct based)\n"); ++ ++ ok = true; ++ DO_STRUCT_REQ_REP_EXT(WINBINDD_LOOKUPSIDS, &req, &rep, ++ NSS_STATUS_NOTFOUND, ++ strict, ++ ok=false, ++ talloc_asprintf( ++ torture, ++ "invalid lookupsids succeeded")); ++ ++ return ok; ++} ++ + struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx) + { + struct torture_suite *suite = torture_suite_create(ctx, "struct"); +@@ -1096,6 +1119,10 @@ struct torture_suite *torture_winbind_st + torture_suite_add_simple_test(suite, "getpwent", torture_winbind_struct_getpwent); + torture_suite_add_simple_test(suite, "endpwent", torture_winbind_struct_endpwent); + torture_suite_add_simple_test(suite, "lookup_name_sid", torture_winbind_struct_lookup_name_sid); ++ torture_suite_add_simple_test( ++ suite, ++ "lookup_sids_invalid", ++ 
torture_winbind_struct_lookup_sids_invalid); + + suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests"); + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-1.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-1.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-1.patch 2020-10-08 13:51:31.000000000 +0000 
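Review bot: `torture_winbind_struct_lookup_sids_invalid` prints `"Running WINBINDD_LOOKUP_SIDS (struct based)\n"`, which does not say it is the invalid-request case; a banner such as `"Running WINBINDD_LOOKUPSIDS with empty extra_data (struct based)\n"` makes a failing run easier to read. `bool ok;` followed a few lines later by `ok = true;` can simply be `bool ok = true;`. The zeroed `req` exercises only the `extra_len == 0` path fixed in CVE-2020-14323-1.patch; the non-NUL-terminated `extra_data` path checked next in `winbindd_lookupsids_send` has no corresponding case here. The upstream message says the test was added to knownfail first, but in this series the fix is applied before the test, so no knownfail entry is needed.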
@@ -0,0 +1,46 @@
+From 32ca608ac27f3500920f1479c44f7efc7042416d Mon Sep 17 00:00:00 2001
+From: Noel Power
+Date: Wed, 22 May 2019 09:47:27 +0000
+Subject: [PATCH 1/3] s4/rpc_server/dnsserver: clang: fix Value stored to
+ 'status' is never read
+
+Fix the following warnings
+
+source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1021: error: uninitvar: Uninitialized variable: answer_integer <--[cppcheck]
+source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1723:4: warning: Value stored to 'status' is never read <--[clang]
+ status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
+ ^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+source4/rpc_server/dnsserver/dcerpc_dnsserver.c:1881:4: warning: Value stored to 'status' is never read <--[clang]
+ status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
+
+Signed-off-by: Noel Power
+Reviewed-by: Andreas Schneider
+(cherry picked from commit bcc6b8c2492b87fb4ac6bdb5075a5831d71bade8)
+---
+ source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+@@ -1698,6 +1698,10 @@ static WERROR dnsserver_enumerate_root_r
+ NULL, NULL);
+ talloc_free(rname);
+ talloc_free(res);
++ if (!W_ERROR_IS_OK(status)) {
++ talloc_free(tmp_ctx);
++ return status;
++ }
+ }
+ }
+
+@@ -1861,6 +1865,10 @@ static WERROR dnsserver_enumerate_record
+ NULL, NULL);
+ talloc_free(rname);
+ talloc_free(res);
++ if (!W_ERROR_IS_OK(status)) {
++ talloc_free(tmp_ctx);
++ return status;
++ }
+ }
+ }
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-2.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-2.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-2.patch 2020-10-08 13:51:35.000000000 +0000
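Review bot: Both hunks add the same `W_ERROR_IS_OK(status)` early return after `talloc_free(rname); talloc_free(res);`, in `dnsserver_enumerate_root_records` and `dnsserver_enumerate_records`, but the commit message also cites a cppcheck `uninitvar` report on `answer_integer` at line 1021 that nothing in this diff touches; either that part is handled elsewhere or the message overstates what this patch does, and the packaging changelog should not rely on it. On the new error path `tmp_ctx` is freed and `status` returned, which is correct as long as everything reachable from here hangs off `tmp_ctx`. `res` and `rname` are still freed with plain `talloc_free` and not nulled here; CVE-2020-14383-2.patch addresses that, so the two patches need to stay adjacent in series. Both enclosing functions start and end outside the hunks.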
@@ -0,0 +1,87 @@ +From 859527915a1e21b067d54fe936200628206c097d Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Fri, 21 Aug 2020 17:10:22 +1200 +Subject: [PATCH 2/3] CVE-2020-14383: s4/dns: Ensure variable initialization + with NULL. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Based on patches from Francis Brosnan Blázquez +and Jeremy Allison + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 + +Signed-off-by: Douglas Bagnall +Reviewed-by: Jeremy Allison +(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e) +--- + .../rpc_server/dnsserver/dcerpc_dnsserver.c | 24 ++++++++++--------- + 1 file changed, 13 insertions(+), 11 deletions(-) + +--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c ++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +@@ -1730,15 +1730,17 @@ static WERROR dnsserver_enumerate_record + TALLOC_CTX *tmp_ctx; + char *name; + const char * const attrs[] = { "name", "dnsRecord", NULL }; +- struct ldb_result *res; +- struct DNS_RPC_RECORDS_ARRAY *recs; ++ struct ldb_result *res = NULL; ++ struct DNS_RPC_RECORDS_ARRAY *recs = NULL; + char **add_names = NULL; +- char *rname; ++ char *rname = NULL; + const char *preference_name = NULL; + int add_count = 0; + int i, ret, len; + WERROR status; +- struct dns_tree *tree, *base, *node; ++ struct dns_tree *tree = NULL; ++ struct dns_tree *base = NULL; ++ struct dns_tree *node = NULL; + + tmp_ctx = talloc_new(mem_ctx); + W_ERROR_HAVE_NO_MEMORY(tmp_ctx); +@@ -1821,9 +1823,9 @@ static WERROR dnsserver_enumerate_record + } + } + +- talloc_free(res); +- talloc_free(tree); +- talloc_free(name); ++ TALLOC_FREE(res); ++ TALLOC_FREE(tree); ++ TALLOC_FREE(name); + + /* Add any additional records */ + if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { +@@ -1841,14 +1843,14 @@ static WERROR dnsserver_enumerate_record + LDB_SCOPE_ONELEVEL, attrs, + 
"(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))", + encoded_name); +- talloc_free(name); ++ TALLOC_FREE(name); + if (ret != LDB_SUCCESS) { + continue; + } + if (res->count == 1) { + break; + } else { +- talloc_free(res); ++ TALLOC_FREE(res); + continue; + } + } +@@ -1863,8 +1865,8 @@ static WERROR dnsserver_enumerate_record + select_flag, rname, + res->msgs[0], 0, recs, + NULL, NULL); +- talloc_free(rname); +- talloc_free(res); ++ TALLOC_FREE(rname); ++ TALLOC_FREE(res); + if (!W_ERROR_IS_OK(status)) { + talloc_free(tmp_ctx); + return status; diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-3.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-3.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-14383-3.patch 2020-10-08 13:51:40.000000000 +0000 
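Review bot: The hunk at 1730 nulls `res`, `recs`, `rname`, `tree`, `base` and `node`, but `char *name;` on the line above `attrs` stays uninitialized while the later `talloc_free(name)` calls at 1823 and 1843 become `TALLOC_FREE(name)`; if any path can reach one of those frees before `name` is assigned, that is a read of an indeterminate pointer, so `char *name = NULL;` belongs in the same hunk for consistency with the rest of the initialization. `add_names` is already `NULL`-initialized and `add_count` starts at 0, which the additional-records loop relies on. `dnsserver_enumerate_records` starts before the first hunk and ends after the last.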
@@ -0,0 +1,55 @@ +From 4ee7d70763159cdccc7be7c005e66af342c9ae68 Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall +Date: Fri, 21 Aug 2020 17:23:17 +1200 +Subject: [PATCH 3/3] CVE-2020-14383: s4/dns: do not crash when additional data + not found +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Found by Francis Brosnan Blázquez . + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 + +Signed-off-by: Douglas Bagnall +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Douglas Bagnall +Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 + +(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) +--- + source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c ++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c +@@ -1830,8 +1830,8 @@ static WERROR dnsserver_enumerate_record + /* Add any additional records */ + if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { + for (i=0; izones; z2; z2 = z2->next) { + char *encoded_name; +@@ -1848,6 +1848,7 @@ static WERROR dnsserver_enumerate_record + continue; + } + if (res->count == 1) { ++ msg = res->msgs[0]; + break; + } else { + TALLOC_FREE(res); +@@ -1863,7 +1864,7 @@ static WERROR dnsserver_enumerate_record + } + status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, + select_flag, rname, +- res->msgs[0], 0, recs, ++ msg, 0, recs, + NULL, NULL); + TALLOC_FREE(rname); + TALLOC_FREE(res); diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/series samba-4.7.6+dfsg~ubuntu/debian/patches/series --- samba-4.7.6+dfsg~ubuntu/debian/patches/series 2020-09-18 17:04:45.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/series 2020-10-08 13:51:37.000000000 +0000 
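Review bot: The hunk at 1830 is partly garbled on this page (`for (i=0; izones; z2; z2 = z2->next)` has lost the text between `i` and `zones`, which per the diffstat is where `z2` is re-declared and `msg` is introduced), so the `msg` declaration and its `NULL` initializer cannot be checked here. Since `msg = res->msgs[0]` is only assigned in the `res->count == 1` branch, `msg` stays NULL when no zone matches; the `}` immediately above `status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, select_flag, rname, msg, 0, recs, …)` suggests an existing guard that skips the call, but it is not visible, so confirm it or add `if (msg == NULL) { continue; }` before the call. `TALLOC_FREE(res)` after the call is then a no-op on the not-found path, which is the intended effect of the previous patch. `dnsserver_enumerate_records` starts and ends outside the hunks.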
@@ -118,3 +118,10 @@
 zerologon-20.patch
 zerologon-21.patch
 zerologon-22.patch
+CVE-2020-14318-1.patch
+CVE-2020-14318-2.patch
+CVE-2020-14323-1.patch
+CVE-2020-14323-2.patch
+CVE-2020-14383-1.patch
+CVE-2020-14383-2.patch
+CVE-2020-14383-3.patch