Update to Samba 4.2.11, fix badlock security bug

resolves: #1326453 - CVE-2015-5370 resolves: #1326453 - CVE-2016-2110 resolves: #1326453 - CVE-2016-2111 resolves: #1326453 - CVE-2016-2112 resolves: #1326453 - CVE-2016-2113 resolves: #1326453 - CVE-2016-2114 resolves: #1326453 - CVE-2016-2115 resolves: #1326453 - CVE-2016-2118 Guenther
2016-04-12 15:19:27 +02:00 · 2016-04-12 15:19:27 +02:00 · d89d561988
commit d89d561988
parent d826544fa7
5 changed files with 151 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -55,3 +55,4 @@ samba-3.6.0pre1.tar.gz
 /samba-4.2.7.tar.xz
 /samba-4.2.8.tar.xz
 /samba-4.2.9.tar.xz
 /samba-4.2.11.tar.xz
--- a/samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch
+++ b/samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch
@ -0,0 +1,71 @@
 From 137649fc01e6914bbb86a2f5f16c7e03a2fa132d Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <ab@samba.org>
 Date: Fri, 22 Jan 2016 11:44:03 +0200
 Subject: [PATCH] s3-parm: clean up defaults when removing global parameters
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11693
 When globals are re-initialized, they are cleared and globals' talloc
 context is freed. However, parm_table still contains a reference to the
 global value in the defaults. This confuses lpcfg_string_free() after
 commit 795c543d858b2452f062a02846c2f908fe4cffe4 because it tries to
 free already freed pointer which is passed by lp_save_defaults():
 ....
    case P_STRING:
    case P_USTRING:
                  lpcfg_string_set(Globals.ctx,
                                   &parm_table[i].def.svalue,
                                   *(char **)lp_parm_ptr(NULL, &parm_table[i]));
 ....
 here &parm_table[i].def.svalue is passed to lpcfg_string_free() but it
 is a pointer to a value allocated with previous Globals.ctx which
 already was freed.
 This specifically affects registry backend of smb.conf in lp_load_ex()
 where init_globals() called explicitly to re-init globals after
 lp_save_defaults() if we have registry backend defined.
 Reviewed-by: Uri Simchoni <uri@samba.org>
 Signed-off-by: Alexander Bokovoy <ab@samba.org>
 Autobuild-User(master): Uri Simchoni <uri@samba.org>
 Autobuild-Date(master): Mon Jan 25 23:58:42 CET 2016 on sn-devel-144
 ---
 source3/param/loadparm.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
 index 94de252..9bd47dc 100644
 --- a/source3/param/loadparm.c
 +++ b/source3/param/loadparm.c
@@ -402,8 +402,25 @@ static void free_parameters_by_snum(int snum)
  */
 static void free_global_parameters(void)
 {
 +	uint32_t i;
 +	struct parm_struct *parm;
 +
 	free_param_opts(&Globals.param_opt);
 	free_parameters_by_snum(GLOBAL_SECTION_SNUM);
 +
 +	/* Reset references in the defaults because the context is going to be freed */
 +	for (i=0; parm_table[i].label; i++) {
 +		parm = &parm_table[i];
 +		if ((parm->type == P_STRING) ||
 +		    (parm->type == P_USTRING)) {
 +			if ((parm->def.svalue != NULL) &&
 +			    (*(parm->def.svalue) != '\0')) {
 +				if (talloc_parent(parm->def.svalue) == Globals.ctx) {
 +					parm->def.svalue = NULL;
 +				}
 +			}
 +		}
 +	}
 	TALLOC_FREE(Globals.ctx);
 }
 -- 
 2.5.5
--- a/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
+++ b/samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
@ -0,0 +1,60 @@
 From b89f28556ad0d1caf9cf41c56a0d67440098358f Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Tue, 12 Apr 2016 09:36:12 +0300
 Subject: [PATCH] s3-winbind: make sure domain member can talk to trusted
 domains DCs
  Allow cm_connect_netlogon() to talk to trusted domains' DCs when
  running in a domain member configuration.
 Signed-off-by: Alexander Bokovoy <ab@samba.org>
 ---
 source3/winbindd/winbindd_cm.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
 diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
 index 63175e5..1ef3d17 100644
 --- a/source3/winbindd/winbindd_cm.c
 +++ b/source3/winbindd/winbindd_cm.c
@@ -2578,9 +2578,10 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  anonymous:
 	/* Finally fall back to anonymous. */
 -	if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 +	if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
 +	    (IS_DC || domain->primary)) {
 		status = NT_STATUS_DOWNGRADE_DETECTED;
 -		DEBUG(1, ("Unwilling to make SAMR connection to domain %s"
 +		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
 			  "without connection level security, "
 			  "must set 'winbind sealed pipes = false' and "
 			  "'require strong key = false' to proceed: %s\n",
@@ -2811,9 +2812,10 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
  anonymous:
 -	if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 +	if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
 +	    (IS_DC || domain->primary)) {
 		result = NT_STATUS_DOWNGRADE_DETECTED;
 -		DEBUG(1, ("Unwilling to make LSA connection to domain %s"
 +		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
 			  "without connection level security, "
 			  "must set 'winbind sealed pipes = false' and "
 			  "'require strong key = false' to proceed: %s\n",
@@ -2978,9 +2980,10 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain,
  no_schannel:
 	if (!(conn->netlogon_flags & NETLOGON_NEG_AUTHENTICATED_RPC)) {
 -		if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
 +		if ((lp_winbind_sealed_pipes() || lp_require_strong_key()) &&
 +		    (IS_DC || domain->primary)) {
 			result = NT_STATUS_DOWNGRADE_DETECTED;
 -			DEBUG(1, ("Unwilling to make connection to domain %s"
 +			DEBUG(1, ("Unwilling to make connection to domain %s "
 				  "without connection level security, "
 				  "must set 'winbind sealed pipes = false' and "
 				  "'require strong key = false' to proceed: %s\n",
 -- 
 2.5.5
--- a/samba.spec
+++ b/samba.spec
@ -8,7 +8,7 @@
 %define main_release 0
-%define samba_version 4.2.9
+%define samba_version 4.2.11
 %define talloc_version 2.1.2
 %define ntdb_version 1.0
 %define tdb_version 1.3.6
@ -109,6 +109,9 @@ Source6: samba.pamd
 Source200: README.dc
 Source201: README.downgrade
 Patch0:		samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
 Patch1:		samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Requires(pre): /usr/sbin/groupadd
@ -644,6 +647,9 @@ and use CTDB instead.
 %prep
 %setup -q -n samba-%{version}%{pre_release}
 %patch0 -p 1 -b .samba-4.2.10-s3-winbind-make-sure-domain-member-can-talk-to-trust.patch
 %patch1 -p 1 -b .samba-4.2.10-s3-parm-clean-up-defaults-when-removing-global-param.patch
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
 %global _tevent_lib ,tevent,pytevent
@ -1941,6 +1947,17 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 %changelog
 * Tue Apr 12 2016 Guenther Deschner <gdeschner@redhat.com> - 4.2.11-0
 - Update to Samba 4.2.11, fix badlock security bug
 - resolves: #1326453 - CVE-2015-5370
 - resolves: #1326453 - CVE-2016-2110
 - resolves: #1326453 - CVE-2016-2111
 - resolves: #1326453 - CVE-2016-2112
 - resolves: #1326453 - CVE-2016-2113
 - resolves: #1326453 - CVE-2016-2114
 - resolves: #1326453 - CVE-2016-2115
 - resolves: #1326453 - CVE-2016-2118
 * Tue Mar 08 2016 Guenther Deschner <gdeschner@redhat.com> - 4.2.9-0
 - Update to Samba 4.2.9
 - resolves: #1315942 - CVE-2015-7560 Incorrect ACL get/set allowed on symlink path
--- a/2
+++ b/2
@ -1 +1 @@
-46fe2df7fa86f224c27c1f64926a697b  samba-4.2.9.tar.xz
+de7740d94b04cab55365ee9621906ef3  samba-4.2.11.tar.xz
`@ -1 +1 @@`
	`46fe2df7fa86f224c27c1f64926a697b samba-4.2.9.tar.xz`	`de7740d94b04cab55365ee9621906ef3 samba-4.2.11.tar.xz`