Bug 24980 - samba new security issues CVE-2019-1243[56]
Summary: samba new security issues CVE-2019-1243[56]
Status: ASSIGNED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Buchan Milne
QA Contact: Sec team
URL: https://www.samba.org/samba/history/s...
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2019-06-20 20:57 CEST by Zombie Ryushu
Modified: 2019-07-13 20:31 CEST

See Also:
Source RPM: samba-4.10.4-1.mga7.src.rpm
CVE: CVE-2019-12435, CVE-2019-12436
Status comment: Fixed upstream in 4.10.5


Description Zombie Ryushu 2019-06-20 20:57:59 CEST
This is a security release in order to address the following defects:

o  CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server
                  (dnsserver))
o  CVE-2019-12436 (Samba AD DC LDAP server crash (paged searches))

=======
Details
=======

o  CVE-2019-12435:
   An authenticated user can crash the Samba AD DC's RPC server process via a
   NULL pointer dereference.

o  CVE-2019-12436:
   A user with read access to the directory can cause a NULL pointer
   dereference using the paged search control.

For more details and workarounds, please refer to the security advisories.


Changes since 4.10.4:
---------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 13922: CVE-2019-12435 rpc/dns: Avoid NULL dereference if zone not found
     in DnssrvOperation2.
   * BUG 13951: CVE-2019-12436 dsdb/paged_results: Ignore successful results
     without messages.


This is a severe issue and should take high priority.
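An added example, not part of the bug report: a POSIX shell check that decides whether an installed samba package is covered for CVE-2019-12435 and CVE-2019-12436, either because its version is at or above the upstream fix release (4.10.5, as the Status comment records) or because its RPM changelog names both CVEs (the backport option discussed later in the thread). The `rpm` query in `check_host` is only exercised on a real host; the sample version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: is this samba build patched for CVE-2019-12435/12436?
# Assumption: a build is patched if its version >= 4.10.5 (upstream fix
# release) or its package changelog cites both CVE ids (distro backport).

FIXED_VERSION="4.10.5"

# version_ge A B: exit 0 when version A >= B. GNU "sort -V" orders dotted
# versions numerically, so 4.10.10 sorts after 4.10.5 (string compare would not).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# strip_release: turn an rpm version-release such as 4.10.4-1.mga7 into 4.10.4.
strip_release() {
    printf '%s' "$1" | cut -d- -f1
}

# samba_patched VERSION_RELEASE CHANGELOG_TEXT: exit 0 when the version reaches
# the fix release, or when the changelog mentions both CVEs (backported fix).
samba_patched() {
    ver=$(strip_release "$1")
    if version_ge "$ver" "$FIXED_VERSION"; then
        return 0
    fi
    if printf '%s' "$2" | grep -q 'CVE-2019-12435' &&
       printf '%s' "$2" | grep -q 'CVE-2019-12436'; then
        return 0
    fi
    return 1
}

# check_host: live check on an RPM-based host (Mageia here); not run by the test.
check_host() {
    ver=$(rpm -q --qf '%{VERSION}-%{RELEASE}' samba 2>/dev/null) ||
        { echo "samba is not installed"; return 0; }
    log=$(rpm -q --changelog samba 2>/dev/null)
    if samba_patched "$ver" "$log"; then
        echo "samba $ver: patched for CVE-2019-12435/12436"
    else
        echo "samba $ver: NOT patched, update to >= $FIXED_VERSION"
        return 1
    fi
}
```

Run `check_host` on a host to get a one-line verdict; a version-only comparison would wrongly flag a 4.10.4 build that carries backported CVE patches, which is why the changelog is consulted too.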

Zombie Ryushu 2019-06-20 20:58:24 CEST

Version: Cauldron => 6

Comment 1 Lewis Smith 2019-06-23 09:15:03 CEST
Buchan, not sure whether this is for you or DavidW, so CCing him too.

Assignee: bugsquad => bgmilne
CC: (none) => lewyssmith, security

David Walser 2019-06-23 15:29:04 CEST

CC: security => (none)
Component: RPM Packages => Security
QA Contact: (none) => security

Comment 2 David Walser 2019-06-23 18:58:32 CEST
Upstream advisories from June 19:
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/security/CVE-2019-12436.html

4.10.5 release notes:
https://www.samba.org/samba/history/samba-4.10.5.html

Summary: Samba 4.10.5 and 4.9.9 Security Releases Available CVE-2019-12436 CVE-2019-12435 => samba new security issues CVE-2019-1243[56]
Status comment: (none) => Fixed upstream in 4.10.5
Source RPM: samba => samba-4.10.4-1.mga7.src.rpm
Whiteboard: (none) => MGA7TOO, MGA6TOO
Version: 6 => Cauldron

Comment 3 David Walser 2019-06-23 19:04:05 CEST
Mageia 6 is not affected by these issues.

It doesn't sound like these are very serious, and Fedora has already felt the need to backport further bugfixes from what will become 4.10.6, so we can wait.

Whiteboard: MGA7TOO, MGA6TOO => MGA7TOO

Comment 4 Buchan Milne 2019-07-02 21:20:35 CEST
Cauldron now has 4.10.5.

I can look at preparing updates that just address the CVEs for mga7's 4.10.4 (maybe tomorrow), please let me know what you would like to do here.

Status: NEW => ASSIGNED

Comment 5 David Walser 2019-07-03 02:03:53 CEST
Let's just keep up with the 4.10 series in Mageia 7.  We can add the same patches Fedora did if you want to go ahead with this now.

CC: (none) => luigiwalser

Comment 6 Buchan Milne 2019-07-03 22:45:33 CEST
4.10.5 submitted to core/updates_testing for 7 (from http://svnweb.mageia.org/packages?view=revision&revision=1418089 )

Resulting packages:

Wrote: /home/bgmilne/rpmbuild/SRPMS/samba-4.10.5-1.mga7.src.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-client-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-common-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-dc-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64samba-dc0-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64kdc-samba4_2-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64heimntlm-samba4_1-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64samba-devel-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-krb5-printing-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64samba1-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64smbclient0-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64smbclient-devel-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64wbclient0-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64wbclient-devel-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/python2-samba-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/python3-samba-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/noarch/samba-pidl-4.10.5-1.mga7.noarch.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-test-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64samba-test0-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-clients-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-krb5-locator-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-modules-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/ctdb-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/ctdb-tests-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-debugsource-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-client-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-common-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-dc-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64samba-dc0-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64kdc-samba4_2-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64heimntlm-samba4_1-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-krb5-printing-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64samba1-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64smbclient0-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64wbclient0-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/python2-samba-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/python3-samba-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-test-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/lib64samba-test0-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-clients-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-krb5-locator-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/samba-winbind-modules-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/ctdb-debuginfo-4.10.5-1.mga7.x86_64.rpm
Wrote: /home/bgmilne/rpmbuild/RPMS/x86_64/ctdb-tests-debuginfo-4.10.5-1.mga7.x86_64.rpm

I haven't had time to do any testing myself yet, I will try tomorrow.

Assignee: bgmilne => qa-bugs
CVE: (none) => CVE-2019-12435, CVE-2019-12436
CC: (none) => bgmilne

Comment 7 David Walser 2019-07-04 20:34:28 CEST
Looks like we're missing the bug fixes:
https://src.fedoraproject.org/rpms/samba/c/06c62a692d9eda3eea1676cec54eb9135dca901a?branch=master
https://src.fedoraproject.org/rpms/samba/c/b6c2e29b4aad8e46a38e859e858b9497a631daec?branch=master

Whiteboard: MGA7TOO => (none)
Keywords: (none) => feedback
Version: Cauldron => 7

Comment 8 David Walser 2019-07-04 20:38:13 CEST
Advisory:
========================

Updated samba packages fix security vulnerabilities:

An authenticated user can crash the Samba AD DC's RPC server process via a NULL
pointer dereference (CVE-2019-12435).

A user with read access to the LDAP server can cause a NULL pointer dereference
using the paged search control (CVE-2019-12436).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12435
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12436
https://www.samba.org/samba/security/CVE-2019-12435.html
https://www.samba.org/samba/security/CVE-2019-12436.html
https://www.samba.org/samba/history/samba-4.10.5.html

Lewis Smith 2019-07-06 15:44:03 CEST

CC: lewyssmith => (none)

Comment 9 Zombie Ryushu 2019-07-09 15:10:20 CEST
Changes since 4.10.5:
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 13956: s3: winbind: Fix crash when invoking winbind idmap scripts.
   * BUG 13964: smbd does not correctly parse arguments passed to dfree and
     quota scripts.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 13965: samba-tool dns: use bytes for inet_ntop.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 13828: samba-tool domain provision: Fix --interactive module in
     python3.
   * BUG 13893: ldb_kv: Skip @ records early in a search full scan.
   * BUG 13981: docs: Improve documentation of "lanman auth" and "ntlm auth"
     connection.

o  Björn Baumbach <bb@sernet.de>
   * BUG 14002: python/ntacls: Use correct "state directory" smb.conf option
     instead of "state dir".

o  Ralph Boehme <slow@samba.org>
   * BUG 13840: registry: Add a missing include.
   * BUG 13944: Fix SMB guest authentication.
   * BUG 13958: AppleDouble conversion breaks Resourceforks.
   * BUG 13968: vfs_fruit makes direct use of syscalls like mmap() and pread().
   * BUG 13987: s3:mdssvc: Fix flex compilation error.

o  Günther Deschner <gd@samba.org>
   * BUG 13872: s3/vfs_glusterfs[_fuse]: Avoid using NAME_MAX directly.

o  Aaron Haslett <aaronhaslett@catalyst.net.nz>
   * BUG 13799: dsdb:samdb: schemainfo update with relax control.

o  Aliaksei Karaliou <akaraliou@panasas.com>
   * BUG 13964: s3:util: Move static file_pload() function to lib/util.

o  Volker Lendecke <vl@samba.org>
   * BUG 13957: smbd: Fix a panic.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 12478: ldap server: Generate correct referral schemes.
   * BUG 13941: s4 dsdb/repl_meta_data: fix use after free in
     dsdb_audit_add_ldb_value.
   * BUG 13942: s4 dsdb: Fix use after free in
     samldb_rename_search_base_callback.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 12204: dsdb/repl: we need to replicate the whole schema before we can
     apply it.
   * BUG 12478: ldb: Release ldb 1.5.5
   * BUG 13713: Schema replication fails if link crosses chunk boundary
     backwards.
   * BUG 13799: 'samba-tool domain schemaupgrade' uses relax control and skips
     the schemaInfo update provision.
   * BUG 13916: dsdb_audit: avoid printing "... remote host [Unknown]
     SID [(NULL SID)] ..."
   * BUG 13917: python/ntacls: We only need security.SEC_STD_READ_CONTROL in
     order to get the ACL.

o  Shyamsunder Rathi <shyam.rathi@nutanix.com>
   * BUG 13947: s3:loadparm: Ensure to truncate FS Volume Label at multibyte
     boundary.

o  Andreas Schneider <asn@samba.org>
   * BUG 13939: Using Kerberos credentials to print using spoolss doesn't work.

o  Lukas Slebodnik <lslebodn@fedoraproject.org>
   * BUG 13998: wafsamba: Use native waf timer.

o  Rafael David Tinoco <rafaeldtinoco@ubuntu.com>
   * BUG 13984: ctdb-scripts: Fix tcp_tw_recycle existence check.

Comment 10 David Walser 2019-07-11 11:45:46 CEST
Zombie, please provide a link instead of copy and pasting.

What he was trying to say is that 4.10.6 is out and we should update to it:
https://www.samba.org/samba/history/samba-4.10.6.html

David Walser 2019-07-13 20:31:46 CEST

Assignee: qa-bugs => bgmilne
CC: (none) => qa-bugs
