GitLab

From local tests with strace:

socket(AF_UNIX, SOCK_STREAM, 0) = 12
write(2, "Connecting to 10.53.57.21 at por"..., 38) = 38
...
write(2, "ads_domain_func_level: 3\n", 25) = 25
write(12, "\27\3\3\0\37\0\0\0\0\0\0\0\16nl[\374\375i\325\334\25\227kxG@\326\311R\225x"..., 36) = 36
write(12, "\25\3\3\0\32\0\0\0\0\0\0\0\17Hh\304\254\244\17\342<\334\210L&\20_\177\307\232P", 31) = -1 EPIPE (Broken pipe)
--- SIGPIPE {si_signo=SIGPIPE, si_code=SI_USER, si_pid=12089, si_uid=1000} ---
+++ killed by SIGPIPE +++

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Isaac Boukris <iboukris@samba.org>
Autobuild-Date(master): Mon Jul 13 12:06:07 UTC 2020 on sn-devel-184

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14439Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Use the known ip address of the ldap server to open the connection and
initialize the ldap session with ldap_init_fd().

This avoid unnecessary DNS lookups which might block or prevent the
successful connection.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c8080bbd)

Required for working certificate verification.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13124Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>

Autobuild-User(master): Björn Baumbach <bb@sernet.de>
Autobuild-Date(master): Thu Mar  5 12:29:26 UTC 2020 on sn-devel-184

(cherry picked from commit e45e0912)

This fixed a regression introduced by commit
c83ce5f4 for bug #14345.

The backend loglevel globally restricts logging of a particular backend. If this
value is smaller then any explicitly configured logging class, logging for this
class is skipped.

Eg, given the following logging config in smb.conf:

  log level = 1 auth_json_audit:3@/var/log/samba/samba_auth_audit.log

the default class loglevel of 1 (dbgc_config[DBGC_ALL].loglevel) will be
assigned to the backend loglevel.

So even though the logging class auth_json_audit is configured at level 3, this
doesn't become effective as the file backend drops all log messages with a level
below 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14426Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Jul  2 13:25:29 UTC 2020 on sn-devel-184

(cherry picked from commit 71488b81)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Thu Jul  9 11:40:15 UTC 2020 on sn-devel-184

The debug file backend is a built-in default, if it's missing we're totally
screwed.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14426Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 5aeaa695)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14345

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Amit Kumar <amitkuma@redhat.com>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit c83ce5f4)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14345Signed-off-by: Amit Kumar <amitkuma@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 2a7fc40f)

Add check for failure to resolve the OID array for the schema mode into
names.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14425Signed-off-by: Andrew <awalker@ixsystems.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit b5b80102)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14370

Guenther
Signed-off-by: Guenther Deschner <gd@samba.org>

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Tue Jul  7 08:16:40 UTC 2020 on sn-devel-184

This ensures that the crypt_r()/crypt_rn()/crypt() behaviour is tested in all
the samba-o3 builds and so is checked on RHEL7 in GitLab CI.

https://bugzilla.samba.org/show_bug.cgi?id=14424Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit cabf873b)

Autobuild-User(v4-11-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-11-test): Mon Jul  6 15:10:27 UTC 2020 on sn-devel-184

This allows the userPassword (not GPG) part of the test to run on hosts without
python3-gpg (eg RHEL7) while still testing the userPassword handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 2c4ecf00)

On RHEL7 crypt_r() will set errno.  This is a problem because the implementation of crypt_r()
in RHEL8 and elsewhere in libcrypt will return non-NULL but set errno on failure.

The workaround is to use crypt_rn(), provided only by libcrypt, which will return NULL
on failure, and so avoid checking errno in the non-failure case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14424Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 91453f11)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14422Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

(cherry picked from commit d93a6d26)

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>

Autobuild-User(master): Martin Schwenke <martins@samba.org>
Autobuild-Date(master): Tue Jun  9 21:07:24 UTC 2020 on sn-devel-184

(cherry picked from commit ddac6b2e)

NSS_BUFLEN_PASSWD is not defined on FreeBSD.  Use
sysconf(_SC_GETPW_R_SIZE_MAX) instead, as per POSIX.

Use a dynamically allocated buffer instead of trying to cram all of
the logic into the declarations.  This will come in useful later
anyway.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
(cherry picked from commit 847208cd)

It appears that snprintf(3) is being used for input validation.
However, this seems like overkill because it causes szPath to be
copied an extra time.  The mostly likely protections being sought
here, according to https://cwe.mitre.org/data/definitions/20.html,
look to be DoS attacks involving CPU and memory usage.  A simpler
check that uses strnlen(3) can mitigate against both of these and is
simpler.
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Bjoern Jacke <bjacke@samba.org>
(cherry picked from commit 922bce26)

Fix bug where renaming to a target name of one
UCS2 character (name length 2 bytes) fails to
a Windows 10 SMB2 server.

The Windows 10 SMB2 server has a minimum length
for a SMB2_FILE_RENAME_INFORMATION buffer of
24 bytes. It returns NT_STATUS_INFO_LENGTH_MISMATCH
if the length is less. This isn't an alignment
issue as Windows client happily 2-byte align
for larget target name sizes. Also the Windows 10
SMB1 server doesn't have this restriction.

If the name length is too short, pad out with
zeros to 24 bytes.

Hard to add a test for this as we don't want to
add this silly restriction to the Samba server
as it would break all non-Windows clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14403Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Jul  1 18:59:53 UTC 2020 on sn-devel-184

(cherry picked from commit f59490dc)

Signed-off-by: Karolin Seeger <kseeger@samba.org>

samba: tag release samba-4.11.11

This is a security release in order to address the following CVEs:

o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC
                  LDAP Server with ASQ, VLV and paged_results.
o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
                  excessive CPU.
o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
                  paged_results and VLV.
o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
Signed-off-by: Karolin Seeger <kseeger@samba.org>

Signed-off-by: Karolin Seeger <kseeger@samba.org>

This should avoid a regression.

(backported from master patch)
[abartlet@samba.org: sort=True parameter on test_paged_delete_during_search
 is not in 4.11]
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Otherwise a paged search on the GC port will fail as the ->data was
not kept around for the second page of searches.

An example command to produce this is
 bin/ldbsearch --paged -H ldap://$SERVER:3268 -U$USERNAME%$PASSWORD

This shows up later in the partition module as:

ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00151ef20 at pc 0x7fec3f801aac bp 0x7ffe8472c270 sp 0x7ffe8472c260
READ of size 4 at 0x60b00151ef20 thread T0 (ldap(0))
    #0 0x7fec3f801aab in talloc_chunk_from_ptr ../../lib/talloc/talloc.c:526
    #1 0x7fec3f801aab in __talloc_get_name ../../lib/talloc/talloc.c:1559
    #2 0x7fec3f801aab in talloc_check_name ../../lib/talloc/talloc.c:1582
    #3 0x7fec1b86b2e1 in partition_search ../../source4/dsdb/samdb/ldb_modules/partition.c:780

or

smb_panic_default: PANIC (pid 13287): Bad talloc magic value - unknown value
(from source4/dsdb/samdb/ldb_modules/partition.c:780)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14402Signed-off-by: Andrew Bartlett <abartlet@samba.org>

An empty UDP packet put the nbt server into a busy loop that consumes
100% of a cpu.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14417Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

NBT has a funny thing where it sometimes needs to send a trailing dot as
part of the last component, because the string representation is a user
name. In DNS, "example.com", and "example.com." are the same, both
having three components ("example", "com", ""); in NBT, we want to treat
them differently, with the second form having the three components
("example", "com.", "").

This retains the logic of e6e2ec00.

Also DNS compression cannot be turned off for NBT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

As per RFC 1035.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

The empty subdomain component is reserved for the root domain, which we
should only (and always) see at the end of the list. That is, we expect
"example.com.", but never "example..com".

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

This is because ndr_nbt.c does almost exactly the same thing with
almost exactly the same code, and they both do it wrong. Soon they
will both be using the better version that this will become. Though in
this patch we just move the code, not fix it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

These time the push and pull function in isolation.

Timing should be under 0.0001 seconds on even quite old hardware; we
assert it must be under 0.2 seconds.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378

(backported from master commit)
[abartlet@samba.org: backported due to differences in pre-existing
tests - eg test_ndr - mentioned in wscript_build and tests.py]
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

The client libraries don't allow us to make packets that are broken in
certain ways, so we need to construct them as byte strings.

These tests all fail at present, proving the server is rendered
unresponsive, which is the crux of CVE-2020-10745.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Prevent use after free issues if ldb_lock_backend_callback is called
twice, usually due to ldb_module_done being called twice. This can happen if a
module ignores the return value from function a function that calls
ldb_module_done as part of it's error handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Check the return code from vlv_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Check the return code from paged_results, if it is not LDB_SUCCESS
ldb_module_done has already been called, and SHOULD NOT be called again.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14364Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>