Commit f50bb254 authored by Natanael Copa's avatar Natanael Copa

main/samba: security upgrade to 4.4.14

fixes #7322
parent 1ad78b64
# Contributor: Sergei Lukin <sergej.lukin@gmail.com>
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=samba
pkgver=4.4.5
pkgrel=3
pkgver=4.4.14
pkgrel=0
pkgdesc="Tools to access a server's filespace and printers via SMB"
url="http://www.samba.org"
arch="all"
......@@ -40,7 +40,7 @@ depends="$pkgname-server=$pkgver-r$pkgrel
$pkgname-common-tools=$pkgver-r$pkgrel"
# note that heimdal is required (over mit krb5) for AD DC functionality
makedepends="popt-dev ncurses-dev openldap-dev e2fsprogs-dev
makedepends="popt-dev ncurses-dev openldap-dev e2fsprogs-dev acl-dev
talloc-dev tdb-dev py-tdb ldb-dev cups-dev python-dev libcap-dev
tevent-dev py-tevent iniparser-dev perl subunit-dev docbook-xsl
libarchive-dev"
......@@ -48,8 +48,7 @@ source="http://us1.samba.org/samba/ftp/stable/samba-$pkgver.tar.gz
uclibc-xattr-create.patch
domain.patch
getpwent_r.patch
samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
samba-4.4.11-CVE-2017-2619.patch
netdb-defines.patch
samba.initd
samba.confd
......@@ -58,6 +57,8 @@ source="http://us1.samba.org/samba/ftp/stable/samba-$pkgver.tar.gz
pkggroups="winbind"
# secfixes:
# 4.4.14-r0:
# - CVE-2017-7494
# 4.4.5-r3:
# - CVE-2017-2619
# 4.4.5-r2:
......@@ -377,7 +378,6 @@ _dc_libs() {
usr/lib/samba/libdsdb-module-samba4.so \
usr/lib/samba/libhdb-samba4.so.* \
usr/lib/samba/libkdc-samba4.so.* \
usr/lib/samba/libntvfs-samba4.so \
usr/lib/samba/libpac-samba4.so \
usr/lib/samba/libposix-eadb-samba4.so \
usr/lib/samba/libprocess-model-samba4.so \
......@@ -468,7 +468,6 @@ libs() {
usr/lib/libsamba-util.so.* \
usr/lib/libsamdb.so.* \
usr/lib/libsmbconf.so.* \
usr/lib/libtevent-unix-util.so.* \
usr/lib/libtevent-util.so.* \
usr/lib/samba/libCHARSET3-samba4.so \
usr/lib/samba/libaddns-samba4.so \
......@@ -519,30 +518,27 @@ libs() {
|| return 1
}
md5sums="6950c5e9f7bdeb8a610c2ca957a15be4 samba-4.4.5.tar.gz
md5sums="79d820efee339bac1254f076c871407b samba-4.4.14.tar.gz
f9ee1f13e59c60ee7e481f51329bf7d4 uclibc-xattr-create.patch
f0d10a87a2067d0d3accdcb6c9b64ea9 domain.patch
6a220b2471764e6e189829ac9cc81996 getpwent_r.patch
29e6f401d2a71c42b24d1459b4633f9c samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
95c400f09c7fe8c6066d987e436d8c92 samba-4.4.11-CVE-2017-2619.patch
39b8cfa9abe6584d13a13ea63459a2e7 netdb-defines.patch
c1702b2ad7b68f7d704f50a1bfef3ad3 samba.initd
c150433426e18261e6e3eed3930e1a76 samba.confd
b7cafabfb4fa5b3ab5f2e857d8d1c733 samba.logrotate"
sha256sums="b876ef2e63f66265490e80a122e66ef2d7616112b839df68f56ac2e1ce17a7bd samba-4.4.5.tar.gz
sha256sums="b0a564af71536f12f01aae2e1d93a04c588dd53b81a3f3eaf9bb73ba4f6f57dd samba-4.4.14.tar.gz
dcf6a7118297d6567d8ff31c9eff1afffdf2f548db36fd17d00cdf0ffc555fe3 uclibc-xattr-create.patch
5554fff0df5d31e67a705c60d97e187b4109c79c8a4063c8ea7ebe1e0e4a7e7e domain.patch
7956274b412a268339abb63f8e1bd63b5049cd4ab7c6270235d9d0b9bcf6c81a getpwent_r.patch
feedf1ccc311034252a5c7a2164a228e40f1244c3486d519aaf981ec9603ddb8 samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
e2001fb6d1522df04e6b8b954f5c0046d3f1ddaaac139326a7a119eb5082f829 samba-4.4.11-CVE-2017-2619.patch
d4a17891a14d9a4290750097cc28279059e6d971fadf132085e857ed4400d5ed netdb-defines.patch
3866a15ab73a9fd704ec8315cff48caf98937c490ba8dc40ce3701cef5ca22c9 samba.initd
1d12f98a7727967b04eb123109b34cfffef320822dc0e8059286b6e3394c3fc0 samba.confd
4c2b7d529126b2fc4f62fb09d99e49a87632d723a2d9d289a61e37dd84145be1 samba.logrotate"
sha512sums="4e63fabbddc04ebdf08b68a98fe4fa0c525b30f7d949948dd5d2e5cba17d263db820c61bac0c90dcb4e0b530d945a560c358df6c37e225d69788794fef851f0d samba-4.4.5.tar.gz
sha512sums="16c1e7ca3226db58440abf3ad56c86e70d473a7bcba9cb2444ed7127993569206c565d7f8cb834363d2b3106c4e91de4d41b73bf90d9017e688030ceeef60c53 samba-4.4.14.tar.gz
b43809d7ecbf3968f5154c2ded6ed47dae36921f1895ea98bcce50557eb2ad39b736345ffb4214655ed3154c143c20431d248cde828285380bafbf4d2627df9b uclibc-xattr-create.patch
62d373dbaee75121a1d73f2c09cdca7239705808ff807b171d1d5a28fd4ffc66bdb52494b62786d7aaba8aeece5c08433b532ca96a28d712452fe9daac8d8d2e domain.patch
0d4fd9862191554dc9c724cec0b94fd19afbfd0c4ed619e4c620c075e849cb3f3d44db1e5f119d890da23a3dd0068d9873703f3d86c47b91310521f37356208b getpwent_r.patch
3b2b6c12a1e64f3c164153d51cd1286477eb89b8ee9093d63f9c819ebdf6b4cd0ae1553b119b0ca78cd81769925e66f24392d9e0254e0fe708b81d9a7ea62000 samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch
cee4515d23b38e89b91151f747473f0b08c503179364989cfa0ac69c41db1c66d5ee67660484955544e02f7d032033e65efe2bfdedf2ef97ff57f11299d12d0f samba-4.4.11-CVE-2017-2619.patch
1854577d0e4457e27da367a6c7ec0fb5cfd63cefea0a39181c9d6e78cf8d3eb50878cdddeea3daeec955d00263151c2f86ea754ff4276ef98bc52c0276d9ffe8 netdb-defines.patch
6bee83aab500f27248b315d8a5f567940d7232269b021d801b3d51c20ed9e4aad513ee0117f356fb388014a63a145beacb55307ef9addbf7997987304b548fcf samba.initd
4faf581ecef3ec38319e3c4ab6d3995c51fd7ba83180dc5553a2ff4dfb92efadb43030c543292130c4ed0c281dc0972c6973d52d48062c5edb39bb1c4bbb6dd6 samba.confd
f88ebe59ca3a9e9b77dd5993c13ef3e73a838efb8ed858088b464a330132d662f33e25c27819e38835389dee23057a3951de11bae1eef55db8ff5e1ec6760053 samba.logrotate"
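Review bot: The `source=` list drops `samba-4.4.7-security-20016-12-19-CVE-2016-2123,CVE-2016-2125,CVE-2016-2126.patch` and `samba-4.4.11-CVE-2017-2619.patch`, but nothing in the APKBUILD or the commit message records that 4.4.14 already contains those fixes. Presumably it does, since the file names suggest backports from later 4.4.x releases, but that should be confirmed against the upstream release notes before merging. A short comment above `source=` would keep the reason visible, for example `# CVE-2016-2123/2125/2126 and CVE-2017-2619 backports dropped: included upstream in 4.4.14`. Separately, the tarball is still fetched over plain `http://`, so the `sha256sums`/`sha512sums` entries for `samba-4.4.14.tar.gz` are what authenticate the download; the `md5sums` list adds nothing to that and could go once the build tooling no longer requires it.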
diff --git a/nsswitch/wins.c b/nsswitch/wins.c
index dccb6dd..bb24acb 100644
--- a/nsswitch/wins.c
+++ b/nsswitch/wins.c
@@ -39,6 +39,14 @@ static pthread_mutex_t wins_nss_mutex = PTHREAD_MUTEX_INITIALIZER;
#define INADDRSZ 4
#endif
+#ifndef NETDB_INTERNAL
+#define NETDB_INTERNAL -1
+#endif
+
+#ifndef NETDB_SUCCESS
+#define NETDB_SUCCESS 0
+#endif
+
NSS_STATUS _nss_wins_gethostbyname_r(const char *hostname,
struct hostent *he,
char *buffer,
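Review bot: The fallback `#define NETDB_INTERNAL -1` expands to a bare negative literal; the usual form is `#define NETDB_INTERNAL (-1)`, so the macro stays a single operand wherever it is used (the uses are outside this hunk). The two `#ifndef` blocks also carry no comment saying why they are needed; something like `/* not provided by every libc's <netdb.h> (presumably musl here, confirm) */` above them would help whoever next rebases this patch. `_nss_wins_gethostbyname_r` begins in the hunk and continues past it.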
From 4aa6b11d64a0a8133ef39a7e626f289f769e9415 Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Sat, 5 Nov 2016 21:22:46 +0100
Subject: [PATCH 1/5] CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995
Thanks to Trend Micro's Zero Day Initiative and Frederic Besler for finding
this vulnerability with a PoC and a good analysis.
Signed-off-by: Volker Lendecke <vl@samba.org>
Bug: https://bugzilla.samba.org/show_bug.cgi?id=12409
---
librpc/ndr/ndr_dnsp.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/librpc/ndr/ndr_dnsp.c b/librpc/ndr/ndr_dnsp.c
index 3cb96f9..0541261 100644
--- a/librpc/ndr/ndr_dnsp.c
+++ b/librpc/ndr/ndr_dnsp.c
@@ -56,7 +56,16 @@ _PUBLIC_ enum ndr_err_code ndr_pull_dnsp_name(struct ndr_pull *ndr, int ndr_flag
uint8_t sublen, newlen;
NDR_CHECK(ndr_pull_uint8(ndr, ndr_flags, &sublen));
newlen = total_len + sublen;
+ if (newlen < total_len) {
+ return ndr_pull_error(ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
if (i != count-1) {
+ if (newlen == UINT8_MAX) {
+ return ndr_pull_error(
+ ndr, NDR_ERR_RANGE,
+ "Failed to pull dnsp_name");
+ }
newlen++; /* for the '.' */
}
ret = talloc_realloc(ndr->current_mem_ctx, ret, char, newlen);
--
1.9.1
From 0f1b36b7d5514f8d16c60ebcd5c59753113b4334 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:41:10 +0100
Subject: [PATCH 2/5] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
in nsupdate-gss
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source4/scripting/bin/nsupdate-gss | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
--
1.9.1
From 07ef0f6ce0fb9d9735710ab79c2ee91d7a72a974 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:42:59 +0100
Subject: [PATCH 3/5] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source3/librpc/crypto/gse.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..c4c4bbc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
--
1.9.1
From 58586ceae7fe628453e6bffdc463d4309ced15fb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:44:22 +0100
Subject: [PATCH 4/5] CVE-2016-2125: s4:gensec_gssapi: don't use
GSS_C_DELEG_FLAG by default
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source4/auth/gensec/gensec_gssapi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
--
1.9.1
From ce31a69a32d2bd6975006e428afe4584f6b7bc43 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 22 Nov 2016 17:08:46 +0100
Subject: [PATCH 5/5] CVE-2016-2126: auth/kerberos: only allow known checksum
types in check_pac_checksum()
aes based checksums can only be checked with the
corresponding aes based keytype.
Otherwise we may trigger an undefined code path
deep in the kerberos libraries, which can leed to
segmentation faults.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
index 32d9d7f..7b6efdc 100644
--- a/auth/kerberos/kerberos_pac.c
+++ b/auth/kerberos/kerberos_pac.c
@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
krb5_boolean checksum_valid = false;
krb5_data input;
+ switch (sig->type) {
+ case CKSUMTYPE_HMAC_MD5:
+ /* ignores the key type */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_256:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ case CKSUMTYPE_HMAC_SHA1_96_AES_128:
+ if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
+ return EINVAL;
+ }
+ /* ok */
+ break;
+ default:
+ DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
+ (int)sig->type));
+ return EINVAL;
+ }
+
#ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
cksum.cksumtype = (krb5_cksumtype)sig->type;
cksum.checksum.length = sig->signature.length;
--
1.9.1