~alpine/aports

v3.3: main/samba: security fixes #6560 v1 PROPOSED

Sergey Lukin
Sergey Lukin: 1
 main/samba: security fixes #6560

 2 files changed, 215 insertions(+), 4 deletions(-)
Export patchset (mbox)
How do I use this?

Copy & paste the following snippet into your terminal to import this patchset into git:

curl -s https://lists.alpinelinux.org/~alpine/aports/patches/2763/mbox | git am -3
Learn more about email & git

[alpine-aports] [PATCH v3.3] main/samba: security fixes #6560 Export this patch

Sergey Lukin
CVE-2016-2123: NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability
  https://www.samba.org/samba/security/CVE-2016-2123.html
CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms
  https://www.samba.org/samba/security/CVE-2016-2125.html
CVE-2016-2126: Flaws in Kerberos PAC validation can trigger privilege elevation
  https://www.samba.org/samba/security/CVE-2016-2126.html

https://www.samba.org/samba/history/security.html
---
 main/samba/APKBUILD                                |  19 +-
 ...CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch | 200 +++++++++++++++++++++
 2 files changed, 215 insertions(+), 4 deletions(-)
 create mode 100644 main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch

diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 5454fa6..a100f26 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,8 @@
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
pkgver=4.2.14
pkgrel=0
pkgrel=1
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="http://www.samba.org"
arch="all"
@@ -52,9 +53,16 @@ source="http://us1.samba.org/samba/ftp/stable/samba-$pkgver.tar.gz
	samba.initd
	samba.confd
	samba.logrotate
	samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
	"
pkggroups="winbind"

# secfixes:
#   4.2.14-r1:
#     - CVE-2016-2123
#     - CVE-2016-2125
#     - CVE-2016-2126

_builddir="$srcdir"/samba-$pkgver
prepare() {
	cd "$_builddir"
@@ -495,7 +503,8 @@ f9ee1f13e59c60ee7e481f51329bf7d4  uclibc-xattr-create.patch
f0d10a87a2067d0d3accdcb6c9b64ea9  domain.patch
c1702b2ad7b68f7d704f50a1bfef3ad3  samba.initd
c150433426e18261e6e3eed3930e1a76  samba.confd
b7cafabfb4fa5b3ab5f2e857d8d1c733  samba.logrotate"
b7cafabfb4fa5b3ab5f2e857d8d1c733  samba.logrotate
c69c608d09081dc3dd783459ba0726f9  samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch"
sha256sums="db820a9947e44f04b0eb25e4aa0c3db32c4042fca541775ee8e2905093e888e6  samba-4.2.14.tar.gz
13617f691c648b44867c1a76d8be7c185021e8a8f3b695f8689a9f6244e65827  fix-libreplace.patch
0cf7e4eadf442422434d2b0fb43193f3a79f2887e32432f12cb6aed1941e807a  musl-fix-headers.patch
@@ -505,7 +514,8 @@ d4880c4ccceba5017d64cead644f8f363f22d6e91f2c2e1687dd7b45e6ca27e0  heimdal-1.5-ap
5554fff0df5d31e67a705c60d97e187b4109c79c8a4063c8ea7ebe1e0e4a7e7e  domain.patch
3866a15ab73a9fd704ec8315cff48caf98937c490ba8dc40ce3701cef5ca22c9  samba.initd
1d12f98a7727967b04eb123109b34cfffef320822dc0e8059286b6e3394c3fc0  samba.confd
4c2b7d529126b2fc4f62fb09d99e49a87632d723a2d9d289a61e37dd84145be1  samba.logrotate"
4c2b7d529126b2fc4f62fb09d99e49a87632d723a2d9d289a61e37dd84145be1  samba.logrotate
3f4b931add7ca2ad333c80a047a3bd67ebcb24b1e52d1abf1b9deef06e473431  samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch"
sha512sums="269dd74ba788657434f51ac70953a293c94bcf98280eaa6f44634c5da54169a5ea7865d543a7c23860c4750a40cdee7caeaf5c7fc3dbc137f444e90f31a09890  samba-4.2.14.tar.gz
4adbbeb75de6c55199e10f284e741ee252f403b7809251caf4baf378669770be01d469b23e12f8119ed5dca5080dd45bda1b5b78cc7a791be44c1eb6fb8c0fa2  fix-libreplace.patch
8d2e1be5f020d0558917f328770b289d0a41836616952d0d3208cecd457df3649f1357a2d35dc54123559ab6a1b720f3189286c65cee90b02ccbae7d676ae383  musl-fix-headers.patch
@@ -515,4 +525,5 @@ b43809d7ecbf3968f5154c2ded6ed47dae36921f1895ea98bcce50557eb2ad39b736345ffb421465
62d373dbaee75121a1d73f2c09cdca7239705808ff807b171d1d5a28fd4ffc66bdb52494b62786d7aaba8aeece5c08433b532ca96a28d712452fe9daac8d8d2e  domain.patch
6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf  samba.initd
4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6  samba.confd
f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053  samba.logrotate"
f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053  samba.logrotate
28150f51bcb558715a8613426d607ae07b2ab08ce58baef23339b1ded76d20191529395529546d2f1923ece2a52e4c1cc12a45e41579360ad9b04d0cacae8e0a  samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch"
diff --git a/main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch b/main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
new file mode 100644
index 0000000..0a84c53
--- /dev/null
+++ b/main/samba/samba-4.3.12-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
@@ -0,0 +1,200 @@
From 9d65af0137f793530e3cb1786b22bd803fd6dd19 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Sat, 5 Nov 2016 21:22:46 +0100
Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995

Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.

Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
---
 librpc/ndr/ndr_dnsp.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 3cb96f9..0541261 100644
--- a/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
 		uint8_t sublen, newlen;
 		NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
 		newlen = total_len + sublen;
+		if (newlen < total_len) {
+			return ndr_pull_error(ndr, NDR_ERR_RANGE,
+					      "Failed to pull dnsp_name");
+		}
 		if (i != count-1) {
+			if (newlen == UINT8_MAX) {
+				return ndr_pull_error(
+					ndr, NDR_ERR_RANGE,
+					"Failed to pull dnsp_name");
+			}
 			newlen++; /* for the '.' */
 		}
 		ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
-- 
1.9.1


From b83897ae49fdee1fda73c10c7fe73362bfaba690 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:41:10 +0100
Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
 in nsupdate-gss

This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
 source4/scripting/bin/nsupdate-gss | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
     my $flags = 
 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+	GSS_C_INTEG_FLAG;
 
 
     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
-- 
1.9.1


From b1a056f77e793efc45df34ab7bf78fbec1bf8a59 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:42:59 +0100
Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG

We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
 source3/librpc/crypto/gse.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index f1ebe19..9c9f55d 100644
--- a/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
 
 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
-				GSS_C_DELEG_FLAG |
 				GSS_C_DELEG_POLICY_FLAG |
 				GSS_C_REPLAY_FLAG |
 				GSS_C_SEQUENCE_FLAG;
-- 
1.9.1


From 3106964a640ddf6a3c08c634ff586a814f94dff8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:44:22 +0100
Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use
 GSS_C_DELEG_FLAG by default

This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
 source4/auth/gensec/gensec_gssapi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index a12447a..8823771 100644
--- a/source4/auth/gensec/gensec_gssapi.c
@@ -113,7 +113,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
 	}
-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
 	}
 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
-- 
1.9.1


From 8512eed8e2fb7f16a884b659e381257745a669fd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 22 Nov 2016 17:08:46 +0100
Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum
 types in check_pac_checksum()

aes based checksums can only be checked with the
corresponding aes based keytype.

Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446

Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
 auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
 	krb5_boolean checksum_valid = false;
 	krb5_data input;
 
+	switch (sig->type) {
+	case CKSUMTYPE_HMAC_MD5:
+		/* ignores the key type */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+			return EINVAL;
+		}
+		/* ok */
+		break;
+	default:
+		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+			(int)sig->type));
+		return EINVAL;
+	}
+
 #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
 	cksum.checksum.length	= sig->signature.length;
-- 
1.9.1

-- 
2.6.6



---
Unsubscribe:  alpine-aports+unsubscribe@lists.alpinelinux.org
Help:         alpine-aports+help@lists.alpinelinux.org
---
View this thread in the archives