CVE-2016-2123: NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://www.samba.org/samba/security/CVE-2016-2123.html
CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms
https://www.samba.org/samba/security/CVE-2016-2125.html
CVE-2016-2126: Flaws in Kerberos PAC validation can trigger privilege elevation
https://www.samba.org/samba/security/CVE-2016-2126.html
https://www.samba.org/samba/history/security.html
---
main/samba/APKBUILD | 13 +-
...CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch | 200 +++++++++++++++++++++
2 files changed, 212 insertions(+), 1 deletion(-)
create mode 100644 main/samba/samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 6c2f37b..4ffce24 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,8 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
pkgver=4.4.5
-pkgrel=1
+pkgrel=2
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="http://www.samba.org"
arch="all"
@@ -47,6 +48,7 @@ source="http://us1.samba.org/samba/ftp/stable/samba-$pkgver.tar.gz
uclibc-xattr-create.patch
domain.patch
getpwent_r.patch
+ samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
samba.initd
samba.confd
@@ -54,6 +56,12 @@ source="http://us1.samba.org/samba/ftp/stable/samba-$pkgver.tar.gz
"
pkggroups="winbind"
+# secfixes:
+# 4.4.5-r2:
+# - CVE-2016-2123
+# - CVE-2016-2125
+# - CVE-2016-2126
+
_builddir="$srcdir"/samba-$pkgver
prepare() {
cd "$_builddir"
@@ -512,6 +520,7 @@ md5sums="6950c5e9f7bdeb8a610c2ca957a15be4 samba-4.4.5.tar.gz
f9ee1f13e59c60ee7e481f51329bf7d4 uclibc-xattr-create.patch
f0d10a87a2067d0d3accdcb6c9b64ea9 domain.patch
6a220b2471764e6e189829ac9cc81996 getpwent_r.patch
+29e6f401d2a71c42b24d1459b4633f9c samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
c1702b2ad7b68f7d704f50a1bfef3ad3 samba.initd
c150433426e18261e6e3eed3930e1a76 samba.confd
b7cafabfb4fa5b3ab5f2e857d8d1c733 samba.logrotate"
@@ -519,6 +528,7 @@ sha256sums="b876ef2e63f66265490e80a122e66ef2d7616112b839df68f56ac2e1ce17a7bd sa
dcf6a7118297d6567d8ff31c9eff1afffdf2f548db36fd17d00cdf0ffc555fe3 uclibc-xattr-create.patch
5554fff0df5d31e67a705c60d97e187b4109c79c8a4063c8ea7ebe1e0e4a7e7e domain.patch
7956274b412a268339abb63f8e1bd63b5049cd4ab7c6270235d9d0b9bcf6c81a getpwent_r.patch
+feedf1ccc311034252a5c7a2164a228e40f1244c3486d519aaf981ec9603ddb8 samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
3866a15ab73a9fd704ec8315cff48caf98937c490ba8dc40ce3701cef5ca22c9 samba.initd
1d12f98a7727967b04eb123109b34cfffef320822dc0e8059286b6e3394c3fc0 samba.confd
4c2b7d529126b2fc4f62fb09d99e49a87632d723a2d9d289a61e37dd84145be1 samba.logrotate"
@@ -526,6 +536,7 @@ sha512sums="4e63fabbddc04ebdf08b68a98fe4fa0c525b30f7d949948dd5d2e5cba17d263db820
b43809d7ecbf3968f5154c2ded6ed47dae36921f1895ea98bcce50557eb2ad39b736345ffb4214655ed3154c143c20431d248cde828285380bafbf4d2627df9b uclibc-xattr-create.patch
62d373dbaee75121a1d73f2c09cdca7239705808ff807b171d1d5a28fd4ffc66bdb52494b62786d7aaba8aeece5c08433b532ca96a28d712452fe9daac8d8d2e domain.patch
0d4fd9862191554dc9c724cec0b94fd19afbfd0c4ed619e4c620c075e849cb3f3d44db1e5f119d890da23a3dd0068d9873703f3d86c47b91310521f37356208b getpwent_r.patch
+3b2b6c12a1e64f3c164153d51cd1286477eb89b8ee9093d63f9c819ebdf6b4cd0ae1553b119b0ca78cd81769925e66f24392d9e0254e0fe708b81d9a7ea62000 samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf samba.initd
4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6 samba.confd
f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053 samba.logrotate"
diff --git a/main/samba/samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch b/main/samba/samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
new file mode 100644
index 0000000..79e67e6
--- /dev/null
+++ b/main/samba/samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
@@ -0,0 +1,200 @@
+From 4aa6b11d64a0a8133ef39a7e626f289f769e9415 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Sat, 5 Nov 2016 21:22:46 +0100
+Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
+
+Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
+this vulnerability with a PoC and a good analysis.
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
+---
+ librpc/ndr/ndr_dnsp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
+index 3cb96f9..0541261 100644
+--- a/librpc/ndr/ndr_dnsp.c
++++ b/librpc/ndr/ndr_dnsp.c
+@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
+ uint8_t sublen, newlen;
+ NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
+ newlen = total_len + sublen;
++ if (newlen < total_len) {
++ return ndr_pull_error(ndr, NDR_ERR_RANGE,
++ "Failed to pull dnsp_name");
++ }
+ if (i != count-1) {
++ if (newlen == UINT8_MAX) {
++ return ndr_pull_error(
++ ndr, NDR_ERR_RANGE,
++ "Failed to pull dnsp_name");
++ }
+ newlen++; /* for the '.' */
+ }
+ ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
+--
+1.9.1
+
+
+From 0f1b36b7d5514f8d16c60ebcd5c59753113b4334 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:41:10 +0100
+Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
+ in nsupdate-gss
+
+This is just an example script that's not directly used by samba,
+but we should avoid sending delegated credentials to dns servers.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source4/scripting/bin/nsupdate-gss | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
+index dec5916..509220d 100755
+--- a/source4/scripting/bin/nsupdate-gss
++++ b/source4/scripting/bin/nsupdate-gss
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+ my $flags =
+ GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
+ GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
+- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++ GSS_C_INTEG_FLAG;
+
+
+ $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
+--
+1.9.1
+
+
+From 07ef0f6ce0fb9d9735710ab79c2ee91d7a72a974 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:42:59 +0100
+Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
+
+We should only use GSS_C_DELEG_POLICY_FLAG in order to let
+the KDC decide if we should send delegated credentials to
+a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source3/librpc/crypto/gse.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 963c98a..c4c4bbc 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+
+ gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
+- GSS_C_DELEG_FLAG |
+ GSS_C_DELEG_POLICY_FLAG |
+ GSS_C_REPLAY_FLAG |
+ GSS_C_SEQUENCE_FLAG;
+--
+1.9.1
+
+
+From 58586ceae7fe628453e6bffdc463d4309ced15fb Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:44:22 +0100
+Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use
+ GSS_C_DELEG_FLAG by default
+
+This disabled the usage of GSS_C_DELEG_FLAG by default, as
+GSS_C_DELEG_POLICY_FLAG is still used by default we let the
+KDC decide if we should send delegated credentials to a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source4/auth/gensec/gensec_gssapi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index e0b2bf2..e2994f6 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
+ gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
+ }
+- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
++ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
+ gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
+ }
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
+--
+1.9.1
+
+
+From ce31a69a32d2bd6975006e428afe4584f6b7bc43 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 22 Nov 2016 17:08:46 +0100
+Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum
+ types in check_pac_checksum()
+
+aes based checksums can only be checked with the
+corresponding aes based keytype.
+
+Otherwise we may trigger an undefined code path
+deep in the kerberos libraries, which can leed to
+segmentation faults.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
+index 32d9d7f..7b6efdc 100644
+--- a/auth/kerberos/kerberos_pac.c
++++ b/auth/kerberos/kerberos_pac.c
+@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+ krb5_boolean checksum_valid = false;
+ krb5_data input;
+
++ switch (sig->type) {
++ case CKSUMTYPE_HMAC_MD5:
++ /* ignores the key type */
++ break;
++ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
++ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
++ return EINVAL;
++ }
++ /* ok */
++ break;
++ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
++ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
++ return EINVAL;
++ }
++ /* ok */
++ break;
++ default:
++ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
++ (int)sig->type));
++ return EINVAL;
++ }
++
+ #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+ cksum.cksumtype = (krb5_cksumtype)sig->type;
+ cksum.checksum.length = sig->signature.length;
+--
+1.9.1
+
--
2.8.3
---
Unsubscribe: alpine-aports+unsubscribe@lists.alpinelinux.org
Help: alpine-aports+help@lists.alpinelinux.org
---