X-Original-To: alpine-aports@lists.alpinelinux.org
Received: from mail-lf0-f47.google.com (mail-lf0-f47.google.com [209.85.215.47])
	by lists.alpinelinux.org (Postfix) with ESMTP id 2BA285C0011
	for <alpine-aports@lists.alpinelinux.org>; Fri, 30 Dec 2016 14:59:31 +0000 (GMT)
Received: by mail-lf0-f47.google.com with SMTP id b14so238072467lfg.2
        for <alpine-aports@lists.alpinelinux.org>; Fri, 30 Dec 2016 06:59:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=EFeKmXKAnfWvYI8hDZfQILwpgm8SzdKPt1nHSxI1ssg=;
        b=LrDDdZyCO32EwEteDY4feJiNzlMGMRSQoOnQrBXxXpgnQRHrzpj6Bbp9cxMVSDQ5TJ
         Q/kjdgx+giNSio0ff3EV7IhEwwpTZMHXgCVj/E/zCoR2ozHENvjuI9AGY6+Mga7urZOo
         2DpHsDrWA3ksamEcRK2xF2cx7sY7weDcGOC3xBI5uroShqsQrbYCzefw2oscLMEgaH5z
         zKPvDjy3ZijKQUYoGyojTweUedyLm+WkEmQkt5gjhbCdgFSVfitdWV4GcrPkHdb/F6mU
         moGc7VEhP5BeqM40Prf9DFefmtuY1viIrn9cSbZgmmdZw22nkliBLBBl4VUri239URbe
         rTKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=EFeKmXKAnfWvYI8hDZfQILwpgm8SzdKPt1nHSxI1ssg=;
        b=MYeHoOxEXoDzBASon7c+m1KK6tuO2c6aDYAJTwG/eUONxO1sTumA0s06o1WHujVm8a
         0EbQG776T1mMH19fnU/oteU0BJofWwCUER8h0GRz3AGS2tDGGhLb0gASQKz6+N4bxM21
         u8w0Fq8WokLBXHypAXuHwDO1UMjSvCDxqzCmZGibiMIPH8sExi0GaOUZ8P5qQ4ex6MnJ
         v6Mlbb3NaMYxjbuMuD5OFj4c59kRcHYPVKECWoiXCky8D1qBafjHPk39cHW+K/3tz0m9
         ZonKWAJDjYMKiPGu3BxbudtAR3CYIFGPb/ivJJs3h3FXNStBSjwdTAExjj+mOtaEII3a
         lp1w==
X-Gm-Message-State: AIkVDXIX3xAKjO1QWZUTWQ8y3mzrxAVmCDpYkCGU91oNe5m94l6VmvwHnEfZr/muyAuUyg==
X-Received: by 10.46.78.26 with SMTP id c26mr17346715ljb.46.1483109969894;
        Fri, 30 Dec 2016 06:59:29 -0800 (PST)
Received: from v3-3.util.wtbts.net ([83.145.235.199])
        by smtp.gmail.com with ESMTPSA id m129sm13711654lfe.6.2016.12.30.06.59.28
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
        Fri, 30 Dec 2016 06:59:29 -0800 (PST)
From: Sergey Lukin <sergej.lukin@gmail.com>
To: alpine-aports@lists.alpinelinux.org
Cc: Sergey Lukin <sergej.lukin@gmail.com>
Subject: [alpine-aports] [PATCH v3.3] main/samba: security fixes #6560
Date: Fri, 30 Dec 2016 14:59:22 +0000
Message-Id: <1483109962-27170-1-git-send-email-sergej.lukin@gmail.com>
X-Mailer: git-send-email 2.6.6
X-Mailinglist: alpine-aports
Precedence: list
List-Id: Alpine Development <alpine-aports.lists.alpinelinux.org>
List-Unsubscribe: 
	<mailto:alpine-aports+unsubscribe@lists.alpinelinux.org?subject=unsubscribe>
List-Post: <mailto:alpine-aports@lists.alpinelinux.org>
List-Help: <mailto:alpine-aports+help@lists.alpinelinux.org?subject=help>
List-Subscribe: 
	<mailto:alpine-aports+subscribe@lists.alpinelinux.org?subject=subscribe>

CVE-2016-2123: NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability
  https://www.samba.org/samba/security/CVE-2016-2123.html
CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms
  https://www.samba.org/samba/security/CVE-2016-2125.html
CVE-2016-2126: Flaws in Kerberos PAC validation can trigger privilege elevation
  https://www.samba.org/samba/security/CVE-2016-2126.html

https://www.samba.org/samba/history/security.html
---
 main/samba/APKBUILD                                |  19 +-
 ...CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch | 200 +++++++++++++++++++++
 2 files changed, 215 insertions(+), 4 deletions(-)
 create mode 100644 main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch

diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 5454fa6..a100f26 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,8 @@
+# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=samba
 pkgver=4.2.14
-pkgrel=0
+pkgrel=1
 pkgdesc="Tools to access a server's filespace and printers via SMB"
 url="http://www.samba.org"
 arch="all"
@@ -52,9 +53,16 @@ source="http://us1.samba.org/samba/ftp/stable/samba-$pkgver.tar.gz
 	samba.initd
 	samba.confd
 	samba.logrotate
+	samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
 	"
 pkggroups="winbind"
 
+# secfixes:
+#   4.2.14-r1:
+#     - CVE-2016-2123
+#     - CVE-2016-2125
+#     - CVE-2016-2126
+
 _builddir="$srcdir"/samba-$pkgver
 prepare() {
 	cd "$_builddir"
@@ -495,7 +503,8 @@ f9ee1f13e59c60ee7e481f51329bf7d4  uclibc-xattr-create.patch
 f0d10a87a2067d0d3accdcb6c9b64ea9  domain.patch
 c1702b2ad7b68f7d704f50a1bfef3ad3  samba.initd
 c150433426e18261e6e3eed3930e1a76  samba.confd
-b7cafabfb4fa5b3ab5f2e857d8d1c733  samba.logrotate"
+b7cafabfb4fa5b3ab5f2e857d8d1c733  samba.logrotate
+c69c608d09081dc3dd783459ba0726f9  samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch"
 sha256sums="db820a9947e44f04b0eb25e4aa0c3db32c4042fca541775ee8e2905093e888e6  samba-4.2.14.tar.gz
 13617f691c648b44867c1a76d8be7c185021e8a8f3b695f8689a9f6244e65827  fix-libreplace.patch
 0cf7e4eadf442422434d2b0fb43193f3a79f2887e32432f12cb6aed1941e807a  musl-fix-headers.patch
@@ -505,7 +514,8 @@ d4880c4ccceba5017d64cead644f8f363f22d6e91f2c2e1687dd7b45e6ca27e0  heimdal-1.5-ap
 5554fff0df5d31e67a705c60d97e187b4109c79c8a4063c8ea7ebe1e0e4a7e7e  domain.patch
 3866a15ab73a9fd704ec8315cff48caf98937c490ba8dc40ce3701cef5ca22c9  samba.initd
 1d12f98a7727967b04eb123109b34cfffef320822dc0e8059286b6e3394c3fc0  samba.confd
-4c2b7d529126b2fc4f62fb09d99e49a87632d723a2d9d289a61e37dd84145be1  samba.logrotate"
+4c2b7d529126b2fc4f62fb09d99e49a87632d723a2d9d289a61e37dd84145be1  samba.logrotate
+3f4b931add7ca2ad333c80a047a3bd67ebcb24b1e52d1abf1b9deef06e473431  samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch"
 sha512sums="269dd74ba788657434f51ac70953a293c94bcf98280eaa6f44634c5da54169a5ea7865d543a7c23860c4750a40cdee7caeaf5c7fc3dbc137f444e90f31a09890  samba-4.2.14.tar.gz
 4adbbeb75de6c55199e10f284e741ee252f403b7809251caf4baf378669770be01d469b23e12f8119ed5dca5080dd45bda1b5b78cc7a791be44c1eb6fb8c0fa2  fix-libreplace.patch
 8d2e1be5f020d0558917f328770b289d0a41836616952d0d3208cecd457df3649f1357a2d35dc54123559ab6a1b720f3189286c65cee90b02ccbae7d676ae383  musl-fix-headers.patch
@@ -515,4 +525,5 @@ b43809d7ecbf3968f5154c2ded6ed47dae36921f1895ea98bcce50557eb2ad39b736345ffb421465
 62d373dbaee75121a1d73f2c09cdca7239705808ff807b171d1d5a28fd4ffc66bdb52494b62786d7aaba8aeece5c08433b532ca96a28d712452fe9daac8d8d2e  domain.patch
 6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf  samba.initd
 4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6  samba.confd
-f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053  samba.logrotate"
+f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053  samba.logrotate
+28150f51bcb558715a8613426d607ae07b2ab08ce58baef23339b1ded76d20191529395529546d2f1923ece2a52e4c1cc12a45e41579360ad9b04d0cacae8e0a  samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch"
diff --git a/main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch b/main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
new file mode 100644
index 0000000..0a84c53
--- /dev/null
+++ b/main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
@@ -0,0 +1,200 @@
+From 9d65af0137f793530e3cb1786b22bd803fd6dd19 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Sat, 5 Nov 2016 21:22:46 +0100
+Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
+
+Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
+this vulnerability with a PoC and a good analysis.
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
+---
+ librpc/ndr/ndr_dnsp.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
+index 3cb96f9..0541261 100644
+--- a/librpc/ndr/ndr_dnsp.c
++++ b/librpc/ndr/ndr_dnsp.c
+@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
+ 		uint8_t sublen, newlen;
+ 		NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
+ 		newlen = total_len + sublen;
++		if (newlen < total_len) {
++			return ndr_pull_error(ndr, NDR_ERR_RANGE,
++					      "Failed to pull dnsp_name");
++		}
+ 		if (i != count-1) {
++			if (newlen == UINT8_MAX) {
++				return ndr_pull_error(
++					ndr, NDR_ERR_RANGE,
++					"Failed to pull dnsp_name");
++			}
+ 			newlen++; /* for the '.' */
+ 		}
+ 		ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
+-- 
+1.9.1
+
+
+From b83897ae49fdee1fda73c10c7fe73362bfaba690 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:41:10 +0100
+Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
+ in nsupdate-gss
+
+This is just an example script that's not directly used by samba,
+but we should avoid sending delegated credentials to dns servers.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source4/scripting/bin/nsupdate-gss | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
+index dec5916..509220d 100755
+--- a/source4/scripting/bin/nsupdate-gss
++++ b/source4/scripting/bin/nsupdate-gss
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+     my $flags = 
+ 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
+ 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
+-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++	GSS_C_INTEG_FLAG;
+ 
+ 
+     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
+-- 
+1.9.1
+
+
+From b1a056f77e793efc45df34ab7bf78fbec1bf8a59 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:42:59 +0100
+Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
+
+We should only use GSS_C_DELEG_POLICY_FLAG in order to let
+the KDC decide if we should send delegated credentials to
+a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source3/librpc/crypto/gse.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index f1ebe19..9c9f55d 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+ 
+ 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
+-				GSS_C_DELEG_FLAG |
+ 				GSS_C_DELEG_POLICY_FLAG |
+ 				GSS_C_REPLAY_FLAG |
+ 				GSS_C_SEQUENCE_FLAG;
+-- 
+1.9.1
+
+
+From 3106964a640ddf6a3c08c634ff586a814f94dff8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:44:22 +0100
+Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use
+ GSS_C_DELEG_FLAG by default
+
+This disabled the usage of GSS_C_DELEG_FLAG by default, as
+GSS_C_DELEG_POLICY_FLAG is still used by default we let the
+KDC decide if we should send delegated credentials to a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source4/auth/gensec/gensec_gssapi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index a12447a..8823771 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -113,7 +113,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
+ 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
+ 	}
+-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
++	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
+ 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
+ 	}
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
+-- 
+1.9.1
+
+
+From 8512eed8e2fb7f16a884b659e381257745a669fd Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 22 Nov 2016 17:08:46 +0100
+Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum
+ types in check_pac_checksum()
+
+aes based checksums can only be checked with the
+corresponding aes based keytype.
+
+Otherwise we may trigger an undefined code path
+deep in the kerberos libraries, which can leed to
+segmentation faults.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
+index 32d9d7f..7b6efdc 100644
+--- a/auth/kerberos/kerberos_pac.c
++++ b/auth/kerberos/kerberos_pac.c
+@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+ 	krb5_boolean checksum_valid = false;
+ 	krb5_data input;
+ 
++	switch (sig->type) {
++	case CKSUMTYPE_HMAC_MD5:
++		/* ignores the key type */
++		break;
++	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
++		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
++			return EINVAL;
++		}
++		/* ok */
++		break;
++	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
++		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
++			return EINVAL;
++		}
++		/* ok */
++		break;
++	default:
++		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
++			(int)sig->type));
++		return EINVAL;
++	}
++
+ #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+ 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
+ 	cksum.checksum.length	= sig->signature.length;
+-- 
+1.9.1
+
-- 
2.6.6



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---