mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00

124640 Commits

Author SHA1 Message Date
Andrew Bartlett
ecfca707d5 docs: Further discourage the use of the "event notification" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 364b8be9816b34b2a1b07c6259345c406d68c9f2)
2021-05-03 07:17:09 +00:00
Andrew Bartlett
54ef0e6d6b docs: Add proper explanation on why transactions need to be audited.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a778a3a6420f094a953563b87f84457fdebd20a3)
2021-05-03 07:17:09 +00:00
Andrew Bartlett
990997cae2 docs: Add missing documentation on dsdb_group_audit and dsdb_group_audit_json
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 2e533664e756ccde8fc1b3e41e70437c9e7bafcd)
2021-05-03 07:17:09 +00:00
Andrew Bartlett
60527b07cb debug: Synchronise "log level" in smb.conf with the code
This is done by pasting in the contents of default_classname_table[]
in lib/util/debug.c into
cut -f 2 -d \"| xargs -i sh -c 'echo "\t<listitem><para><parameter moreinfo=\"none\">{}</parameter></para></listitem>"'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14689

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 0d30d74e89829cc7b4faa6ba835e3d90c1c410aa)
2021-05-03 07:17:09 +00:00
Karolin Seeger
c650f7738b VERSION: Bump version up to 4.14.5.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-04-29 11:09:46 +02:00
Karolin Seeger
7319519350 samba: tag release samba-4.14.4

Merge tag 'samba-4.14.4' into v4-14-test

samba: tag release samba-4.14.4
2021-04-29 11:09:10 +02:00
Karolin Seeger
e29fc62e1d VERSION: Disable GIT_SNAPSHOT for the 4.14.4 release.
BUG 14571: CVE-2021-20254: Buffer overrun in sids_to_unixids().

Signed-off-by: Karolin Seeger <kseeger@samba.org>
samba-4.14.4
2021-04-26 11:19:11 +02:00
Karolin Seeger
45f106c121 WHATSNEW: Add release notes for Samba 4.14.4.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-04-26 11:19:11 +02:00
Volker Lendecke
55b8f31679 CVE-2021-20254 passdb: Simplify sids_to_unixids()
Best reviewed with "git show -b", there's a "continue" statement that
changes subsequent indentation.

Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED

Add comments to explain the use of the three lookup
loops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14571

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

(cherry-picked from commit for master)
2021-04-26 10:18:07 +02:00
Karolin Seeger
77aa340ad8 VERSION: Bump version up to 4.14.4...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit a8b9ea7e1aa4f526bd73baee45f0a3483c95381a)
2021-04-26 10:17:55 +02:00
Karolin Seeger
a8b9ea7e1a VERSION: Bump version up to 4.14.4...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-04-20 12:02:33 +02:00
Karolin Seeger
def81d0a59 VERSION: Disable GIT_SNAPSHOT for the 4.14.3 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
samba-4.14.3
2021-04-20 12:02:33 +02:00
Karolin Seeger
794e161038 WHATSNEW: Add release notes for Samba 4.14.3.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-04-20 12:02:33 +02:00
Andrew Bartlett
1cf726dd52 build: Notice if flex is missing at configure time
This may also fix the coverage build by ensuring --noline
is always specified to flex.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14586

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Mar 29 02:12:23 UTC 2021 on sn-devel-184

(cherry picked from commit 942c0d2128cb8e64a9354dde6bdae82a1c1c3d88)

Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Tue Apr 20 07:39:05 UTC 2021 on sn-devel-184
2021-04-20 07:39:05 +00:00
Samuel Cabrero
b74a079a20 s3-iremotewinspool: set the per-request memory context
The iremotewinspool service is not using the pidl autogenerated code.
Set the per-request memory context following the changes made in commit
5a7e9ade9a4cdfa68900c6a64b639f53c0da47ad.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1890

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Apr  9 15:20:02 UTC 2021 on sn-devel-184

(cherry picked from commit 1efa9ffd7ae77ebf22b28c12dd642a89991b75d2)
2021-04-20 06:43:13 +00:00
Martin Schwenke
12bfc43006 build: Only add -Wl,--as-needed when supported
If -Wl,--as-needed is added to EXTRA_LDFLAGS (via ADD_LDFLAGS, as per
commit 996560191ac6bd603901dcd6c0de5d239e019ef4) then on some
platforms (at least CentOS 8 and Fedora 33), any indirect/recursive
dependencies (i.e. private libraries) are added to both the
binary (reqid_test in the CTDB case) and to samba-util.so.  However,
only samba-util.so has rpath set to find private libraries.

When ld.so tries to resolve these dependencies for the binary it
fails. This may be a bug on those platforms, but it occurs reliably
and our users will also hit the bug.  For binaries that have other
private library dependencies (e.g. bundled talloc) rpath will contain
the private library directory so the duplicate private library
dependencies are then found... that is, when it works, it works by
accident!

For some reason (deep in waf or wafsamba) if -Wl,--as-needed is added to
LINKFLAGS (as is done in conf.add_as_needed()) then it works: the direct
dependencies are only added to samba-util.so and the same dependencies
(indirect dependencies for binaries) are not added incorrectly to the
binaries.

So, without changing 1/2 of waf/wafsamba the simplest fix is to revert
to adding -Wl,--as-needed to LINKFLAGS, which was the case before
commit 996560191ac6bd603901dcd6c0de5d239e019ef4.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14288
RN: Fix the build on OmniOS

Signed-off-by: Amitay Isaacs <amitay@gmail.com>
Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Bjoern Jacke <bj@sernet.de>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(backported from commit ff1c3af603b47a7e8f9faad8d1c2e4a489559155)

Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Wed Apr 14 07:34:20 UTC 2021 on sn-devel-184
2021-04-14 07:34:20 +00:00
Ralph Boehme
0662726974 s3: smbd: fix deferred renames
This was broken by c7a9e0e4cdfb22e66533b5c8e20af3cfdb8ae78c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@amba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 31 06:13:39 UTC 2021 on sn-devel-184

(cherry picked from commit 10d753868e810604d8f60673bbd48f55aaff0797)

Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Thu Apr  1 11:26:31 UTC 2021 on sn-devel-184
2021-04-01 11:26:31 +00:00
Jeremy Allison
f5bb7a5501 s4: torture. Add smb2.lease.rename_wait test to reproduce regression in delay rename for lease break code.
Passes against Windows 10. Add to knownfail, the
next commit will fix this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14679
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1875

Back-ported from 8d9a0b8d57713781c72440c7e91746b5d89e6f6a.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-04-01 10:31:20 +00:00
Volker Lendecke
e85d111f54 rpc_server3: Fix a memleak for internal pipes
state->call should not be talloc'ed off a long-lived context

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861
RN: Memory leak in the RPC server

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Mar 31 12:14:01 UTC 2021 on sn-devel-184

(cherry picked from commit 12f516e4680753460e7fe8811e6c6ff70057580c)
2021-04-01 10:31:20 +00:00
Ralph Boehme
ed30ce7aa0 spools: avoid leaking memory into the callers mem_ctx
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 481176ec745c14b78fca68e01a61c83405a4b97b)
2021-04-01 10:31:20 +00:00
Ralph Boehme
55c76604ca pidl: set the per-request memory context in the pidl generator
The talloc memory context referenced by the pipe_struct mem_ctx member is used
as talloc parent for RPC response data by the RPC service implementations.

In Samba versions up to 4.10 all talloc children of p->mem_ctx were freed after
a RPC response was delivered by calling talloc_free_children(p->mem_ctx). Commit
60fa8e255254d38e9443bf96f2c0f31430be6ab8 removed this call which resulted in all
memory allocations on this context not getting released, which can consume
significant memory in long running RPC connections.

Instead of putting the talloc_free_children(p->mem_ctx) back, just use the
mem_ctx argument of the ${pipename}_op_dispatch_internal() function which is a
dcesrv_call_state object created by dcesrv_process_ncacn_packet() and released
by the RPC server when the RPC request processing is finished.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14675
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1861

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 4c3fb2a5912966a61e7ebdb05eb3231a0e1d6033)
2021-04-01 10:31:20 +00:00
Ralph Boehme
051585ef36 smbd: free open_rec state in remove_deferred_open_message_smb2_internal()
The lifetime of open_rec (struct deferred_open_record) objects is the time
processing the SMB open request every time the request is scheduled, i.e. once we
reschedule we must wipe the slate clean. In case the request gets deferred
again, a new open_rec will be created by the schedule functions.

This ensures any timer-event tied to the open_rec gets cancelled and doesn't
fire unexpectedly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843
RN: smbd panic when two clients open same file

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Mar 18 18:04:09 UTC 2021 on sn-devel-184

(cherry picked from commit 591c9196962b695b01c0d86918b8f8a263e9665c)

Autobuild-User(v4-14-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-14-test): Wed Mar 31 11:10:29 UTC 2021 on sn-devel-184
2021-03-31 11:10:29 +00:00
Ralph Boehme
ebec84c886 smbd: cancel pending poll open timer in poll_open_done()
The retry of the open is scheduled below, avoid rescheduling it a second time in
the open retry timeout function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 171a58ff3e8ee07cf5d7af08eabcb4a7379e7ce5)
2021-03-31 10:13:54 +00:00
Ralph Boehme
da71738e98 smbd: reset dangling watch_req pointer in poll_open_done
We just freed subreq and a pointer to subreq is stored in open_rec->watch_req,
so we must invalidate the pointer.

Otherwise if the poll open timer fires it will do a

  TALLOC_FREE(open_rec->watch_req);

on the dangling pointer which may crash or do something worse like freeing some
other random talloc memory.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14672
CI: https://gitlab.com/samba-team/samba/-/merge_requests/1843

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 065ed088b3d5710c288e46a5bf1e063f9a29c8cc)
2021-03-31 10:13:54 +00:00
Trever L. Adams
288c747208 s3:modules:vfs_virusfilter: Recent New_VFS changes break vfs_virusfilter_openat.
The_New_VFS introduces several changes that broke vfs_virusfilter_openat. The assert to make sure certain checks would work broke.

This patch fixes those breaks and converts to the SMB_VFS_FSTAT_NEXT instead of SMB_VFS_STAT_NEXT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14671
RN: vfs_virusfilter_openat support New_VFS FSTAT, avoid SMB_ASSERT(fsp_get_pathref_fd(dirfsp) == AT_FDCWD); problem.

Signed-off-by: Trever L. Adams" <trever.adams@gmail.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Mar 22 19:44:30 UTC 2021 on sn-devel-184

(cherry picked from commit d6a16ad00e426a6f815215af71c071dd8e85a50a)
2021-03-31 10:13:54 +00:00
David Mulder
a164468a40 samba-gpupdate: Check sysvol download paths in case-insensitive way
https://bugzilla.samba.org/show_bug.cgi?id=14665

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Björn Baumbach <bb@sernet.de>
(cherry picked from commit 2d6bed495e14349e19ba680bd72c3f110f1c397b)
2021-03-31 10:13:54 +00:00
David Mulder
702e0c5598 samba-gpupdate: Test that sysvol paths download in case-insensitive way
Bug: https://bugzilla.samba.org/show_bug.cgi?id=14665

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Björn Baumbach <bb@sernet.de>
(cherry picked from commit 554f2134a9f9638ebd8ac2500e5b6c94b74c27d5)
2021-03-31 10:13:54 +00:00
Christof Schmitt
231342faf2 idmap_nss: Do not return SID from unixids_to_sids on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.

Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Mar 11 08:38:41 UTC 2021 on sn-devel-184

(cherry picked from commit 0e789ba1802ca22e5a01abd6e93ef66cd45566a7)
2021-03-31 10:13:54 +00:00
Christof Schmitt
7628a27a96 idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch
The call to winbind_lookup_name already wrote the result in the id_map
array. The later check for the type detected a mismatch, but that did
not remove the SID from the result struct.

Change this by first assigning the SID to a temporary variable and only
write it to the id_map array after the type checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt <cs@samba.org>
(cherry picked from commit 79dd4b133c37451c98fe7f7c45da881e89e91ffc)
2021-03-31 10:13:54 +00:00
Christof Schmitt
e7b1ee061e winbind: Only use unixid2sid mapping when module reports ID_MAPPED
Only consider a mapping to be valid when the idmap module reports
ID_MAPPED. Otherwise return the null SID.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14663

Signed-off-by: Christof Schmitt <cs@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit db2afa57e4aa926b478db1be4d693edbdf4d2a23)
2021-03-31 10:13:54 +00:00
Sachin Prabhu
6b8226b735 smbd: Ensure errno is preserved across fsp destructor
The errno can be overwritten by the calls made by the fsp destructor.
This can cause problems if the original errno was required by subsequent
calls.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14662

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Mar 10 22:55:17 UTC 2021 on sn-devel-184

(cherry picked from commit 65510204d4123b1825ea57607e84ba50f8ce3baf)
2021-03-31 10:13:54 +00:00
Stefan Metzmacher
a0862d6d6d third_party: Update socket_wrapper to version 1.3.3
This fixes a deadlock abort() when SOCKET_WRAPPER_KEEP_PCAP=1
is used.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14640

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Mar 17 23:53:04 UTC 2021 on sn-devel-184

(cherry picked from commit 10c198827d977e07b411897556578d3aedce2184)
2021-03-31 10:13:54 +00:00
Stefan Metzmacher
ed3c83a7f8 third_party: Update socket_wrapper to version 1.3.2
This brings support for fd-passing of INET sockets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11899

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit ab943babc3eb454186558f6e863996dfcf7a20ea)
2021-03-31 10:13:54 +00:00
Stefan Metzmacher
6e981465fc VERSION: Bump version up to 4.14.2...
GIT_SNAPSHOT is already 'yes'.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-03-24 11:55:22 +01:00
Stefan Metzmacher
3dceb3ac56 samba: tag release samba-4.14.2

Merge tag 'samba-4.14.2' into v4-14-test

samba: tag release samba-4.14.2

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-03-24 11:55:04 +01:00
Karolin Seeger
5b5f4deb88 WHATSNEW: Add release notes for Samba 4.14.2.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
samba-4.14.2
2021-03-24 11:08:27 +01:00
Stefan Metzmacher
e2409cb548 VERSION: Bump version for Samba 4.14.2 release.
o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.

Note this is exactly the same as 4.14.1, except that it
has a dependency on ldb version 2.3.0, which is needed if
someone builds against a system libldb.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-03-24 10:31:51 +01:00
Stefan Metzmacher
f31a64c133 ldb: version 2.3.0
o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Karolin Seeger <kseeger@samba.org>
ldb-2.3.0
2021-03-24 10:23:06 +01:00
Karolin Seeger
ed4a04eca5 VERSION: Disable GIT_SNAPSHOT for the 4.14.1 release.
o BUG #14595: CVE-2020-27840: Heap corruption via crafted DN strings.
o BUG #14655: CVE-2021-20277: Out of bounds read in AD DC LDAP server.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
samba-4.14.1
2021-03-23 09:29:08 +01:00
Karolin Seeger
94b42a3a39 WHATSNEW: Add release notes for Samba 4.14.1.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-03-23 09:28:00 +01:00
Douglas Bagnall
2d82f0e1b8 CVE-2020-27840: pytests: move Dn.validate test to ldb
We had the test in the Samba Python segfault suite because
a) the signal catching infrastructure was there, and
b) the ldb tests lack Samba's knownfail mechanism, which allowed us to
   assert the failure.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-19 08:52:23 +01:00
Douglas Bagnall
f89767bea7 CVE-2020-27840 ldb_dn: avoid heap corruption in ldb_dn_explode
A DN string with lots of trailing space can cause ldb_dn_explode() to
put a zero byte in the wrong place in the heap.

When a DN string has a value represented with trailing spaces,
like this

     "CN=foo   ,DC=bar"

the whitespace is supposed to be ignored. We keep track of this in the
`t` pointer, which is NULL when we are not walking through trailing
spaces, and points to the first space when we are. We are walking with
the `p` pointer, writing the value to `d`, and keeping the length in
`l`.

     "CN=foo   ,DC= "       ==>       "foo   "
            ^  ^                             ^
            t  p                             d
                                       --l---

The value is finished when we encounter a comma or the end of the
string. If `t` is not NULL at that point, we assume there are trailing
spaces and wind `d` and `l` back by the correct amount. Then we switch
to expecting an attribute name (e.g. "CN"), until we get to an "=",
which puts us back into looking for a value.

Unfortunately, we forget to immediately tell `t` that we'd finished
the last value; we can end up like this:

     "CN=foo   ,DC= "       ==>        ""
            ^      ^                    ^
            t      p                    d
                                        l=0

where `p` is pointing to a new value that contains only spaces, while
`t` is still referring to the old value. `p` notices the value ends,
and we subtract `p - t` from `d`:

     "CN=foo   ,DC= "       ==>  ?     ""
            ^       ^            ^
            t       p            d
                                      l ~= SIZE_MAX - 8

At that point `d` wants to terminate its string with a '\0', but
instead it terminates someone else's byte. This does not crash if the
number of trailing spaces is small, as `d` will point into a previous
value (a copy of "foo" in this example). Corrupting that value will
ultimately not matter, as we will soon try to allocate a buffer `l`
long, which will be greater than the available memory and the whole
operation will fail properly.

However, with more spaces, `d` will point into memory before the
beginning of the allocated buffer, with the exact offset depending on
the length of the earlier attributes and the number of spaces.

What about a longer DN with more attributes? For example,
"CN=foo     ,DC= ,DC=example,DC=com" -- since `d` has moved out of
bounds, won't we continue to use it and write more DN values into
mystery memory? Fortunately not, because the aforementioned allocation
of `l` bytes must happen first, and `l` is now huge. The allocation
happens in a talloc_memdup(), which is by default restricted to
allocating 256MB.

So this allows a person who controls a string parsed by ldb_dn_explode
to corrupt heap memory by placing a single zero byte at a chosen
offset before the allocated buffer.

An LDAP bind request can send a string DN as a username. This DN is
necessarily parsed before the password is checked, so an attacker does
not need proper credentials. The attacker can easily cause a denial of
service and we cannot rule out more subtle attacks.

The immediate solution is to reset `t` to NULL when a comma is
encountered, indicating that we are no longer looking at trailing
whitespace.

Found with the help of Honggfuzz.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-19 08:52:23 +01:00
Douglas Bagnall
c82bea2b72 CVE-2020-27840: pytests:segfault: add ldb.Dn validate test
ldb.Dn.validate wraps ldb_dn_explode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-03-19 08:52:23 +01:00
Douglas Bagnall
fab6b79b77 CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds
For a string that had N spaces at the beginning, we would
try to move N bytes beyond the end of the string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry-picked from commit for master)
2021-03-19 08:51:01 +01:00
Andrew Bartlett
50e44877c3 CVE-2021-20277 ldb: Remove tests from ldb_match_test that do not pass
This reverts some of the backport of 33a95a1e75b85e9795c4490b78ead2162e2a1f47

This is done here rather than squashed in the cherry-pick of the expanded testsuite
because it allows this commit to be simply reverted for the backport of bug 14044
if this lands first, or to be dropped if bug 14044 lands first.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-03-19 08:51:01 +01:00
Douglas Bagnall
1d966cb12e CVE-2021-20277 ldb tests: ldb_match tests with extra spaces
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry-picked from commit for master)
2021-03-19 08:51:01 +01:00
Douglas Bagnall
ff12bd2fa1 ldb: add tests for ldb_wildcard_compare
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14044

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Björn Jacke <bjacke@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(cherry-picked from commit 33a95a1e75b85e9795c4490b78ead2162e2a1f47)
2021-03-19 08:51:01 +01:00
Karolin Seeger
72ca2fb73a VERSION: Bump version up to 4.14.1...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit 3fa3608e8f00df81ae7504f26459b42da069d322)
2021-03-19 08:49:01 +01:00
Karolin Seeger
3fa3608e8f VERSION: Bump version up to 4.14.1...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2021-03-09 13:31:47 +01:00
Karolin Seeger
9b49519cae VERSION: Bump version up to 4.14.0...
and disable GIT_SNAPSHOT for the release.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
samba-4.14.0
2021-03-09 13:30:50 +01:00