[Pkg-samba-maint] [samba] 01/02: add fix for CVE-2015-0240
Ivo De Decker
ivodd at moszumanska.debian.org
Mon Feb 23 18:11:42 UTC 2015
This is an automated email from the git hooks/post-receive script.
ivodd pushed a commit to branch squeeze
in repository samba.
commit 7bebe42f3a6f5bdb0d9503df85e255d35a4c6ee5
Author: Ivo De Decker <ivodd at debian.org>
Date: Sun Feb 22 22:22:10 2015 +0100
add fix for CVE-2015-0240
Unauthenticated code execution attack on smbd file services
---
debian/changelog | 8 ++
debian/patches/security-CVE-2015-0240.patch | 117 ++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 126 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index ccd3067..9a53002 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.5.6~dfsg-3squeeze12) UNRELEASED; urgency=high
+
+ * Security update
+ * CVE-2015-0240: Unauthenticated code execution attack on smbd file
+ services
+
+ -- Ivo De Decker <ivodd at debian.org> Sun, 22 Feb 2015 22:21:16 +0100
+
samba (2:3.5.6~dfsg-3squeeze11) squeeze-security; urgency=high
* Security update
diff --git a/debian/patches/security-CVE-2015-0240.patch b/debian/patches/security-CVE-2015-0240.patch
new file mode 100644
index 0000000..7abbb1a
--- /dev/null
+++ b/debian/patches/security-CVE-2015-0240.patch
@@ -0,0 +1,117 @@
+===========================================================
+== Subject: Unexpected code execution in smbd.
+==
+== CVE ID#: CVE-2015-0240
+==
+== Versions: Samba 3.5.0 to 4.2.0rc4
+==
+== Summary: Unauthenticated code execution attack on
+== smbd file services.
+==
+===========================================================
+
+===========
+Description
+===========
+
+All versions of Samba from 3.5.0 to 4.2.0rc4 are vulnerable to an
+unexpected code execution vulnerability in the smbd file server
+daemon.
+
+A malicious client could send packets that may set up the stack in
+such a way that the freeing of memory in a subsequent anonymous
+netlogon packet could allow execution of arbitrary code. This code
+would execute with root privileges.
+
+=======
+Credits
+=======
+
+This problem was found by Richard van Eeden of Microsoft Vulnerability
+Research, who also provided the fix.
+
+
+
+Index: samba/source3/rpc_server/srv_netlog_nt.c
+===================================================================
+--- samba.orig/source3/rpc_server/srv_netlog_nt.c
++++ samba/source3/rpc_server/srv_netlog_nt.c
+@@ -782,6 +782,10 @@ static NTSTATUS netr_creds_server_step_c
+ (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY ||
+ p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY); */
+
++ if (creds_out != NULL) {
++ *creds_out = NULL;
++ }
++
+ tdb = open_schannel_session_store(mem_ctx);
+ if (!tdb) {
+ return NT_STATUS_ACCESS_DENIED;
+@@ -923,7 +927,7 @@ NTSTATUS _netr_ServerPasswordSet(pipes_s
+ NTSTATUS status = NT_STATUS_OK;
+ struct samu *sampass=NULL;
+ int i;
+- struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+ DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
+
+@@ -936,9 +940,15 @@ NTSTATUS _netr_ServerPasswordSet(pipes_s
+ unbecome_root();
+
+ if (!NT_STATUS_IS_OK(status)) {
++ const char *computer_name = "<unknown>";
++
++ if (creds != NULL && creds->computer_name != NULL) {
++ computer_name = creds->computer_name;
++ }
++
+ DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+- r->in.computer_name, creds->computer_name));
++ r->in.computer_name, computer_name));
+ TALLOC_FREE(creds);
+ return status;
+ }
+@@ -977,7 +987,7 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ struct netr_ServerPasswordSet2 *r)
+ {
+ NTSTATUS status;
+- struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_CredentialState *creds = NULL;
+ struct samu *sampass;
+ DATA_BLOB plaintext;
+ struct samr_CryptPassword password_buf;
+@@ -992,9 +1002,15 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ unbecome_root();
+
+ if (!NT_STATUS_IS_OK(status)) {
++ const char *computer_name = "<unknown>";
++
++ if (creds && creds->computer_name) {
++ computer_name = creds->computer_name;
++ }
++
+ DEBUG(2,("_netr_ServerPasswordSet2: netlogon_creds_server_step "
+ "failed. Rejecting auth request from client %s machine account %s\n",
+- r->in.computer_name, creds->computer_name));
++ r->in.computer_name, computer_name));
+ TALLOC_FREE(creds);
+ return status;
+ }
+@@ -1004,6 +1020,7 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516);
+
+ if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &plaintext)) {
++ TALLOC_FREE(creds);
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+
+@@ -1012,6 +1029,7 @@ NTSTATUS _netr_ServerPasswordSet2(pipes_
+ status = netr_find_machine_account(p->mem_ctx,
+ creds->account_name,
+ &sampass);
++ TALLOC_FREE(creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
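Review bot: The `*creds_out = NULL` reset added at the top of netr_creds_server_step_check needs a comment, because it is the line that makes `TALLOC_FREE(creds)` on the failure paths of _netr_ServerPasswordSet and _netr_ServerPasswordSet2 safe, and nothing in the code says so. I would put `/* Callers TALLOC_FREE() this on failure, so it must never be left uninitialised. */` above it, so that a later cleanup does not move it below the first early return. The two fallback checks are also written differently, `creds != NULL && creds->computer_name != NULL` in _netr_ServerPasswordSet and `creds && creds->computer_name` in _netr_ServerPasswordSet2; one form should be used in both. All three functions begin and end outside the hunks shown, so whether any other caller of the step check still passes an uninitialised pointer cannot be confirmed from this patch.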
diff --git a/debian/patches/series b/debian/patches/series
index bd77d21..a50d364 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,4 @@ security-CVE-2013-0213.patch
security-CVE-2013-0214.patch
security-CVE-2013-4124.patch
security-CVE-2013-4408.patch
+security-CVE-2015-0240.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git