From 08db4349fdba6cf3e8a276c0c137d9dd87b58820 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Feb 23 2015 10:42:16 +0000
Subject: import samba-4.1.1-38.el7_0
---
diff --git a/SOURCES/samba-4.1.x-CVE-2015-0240.patch b/SOURCES/samba-4.1.x-CVE-2015-0240.patch
new file mode 100644
index 0000000..b65c728
--- /dev/null
+++ b/SOURCES/samba-4.1.x-CVE-2015-0240.patch
@@ -0,0 +1,84 @@
+From cc4100701bec64cda6fae6a5650c2114f3862579 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Wed, 28 Jan 2015 14:47:31 -0800
+Subject: [PATCH 1/2] CVE-2015-0240: s3: netlogon: Ensure we don't call
+ talloc_free on an uninitialized pointer.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=11077
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: Stefan Metzmacher
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index c903ae8..cab635f 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1101,6 +1101,10 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ struct loadparm_context *lp_ctx;
+
++ if (creds_out != NULL) {
++ *creds_out = NULL;
++ }
++
+ if (schannel_global_required) {
+ status = schannel_check_required(&p->auth,
+ computer_name,
+@@ -1258,7 +1262,7 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
+ {
+ NTSTATUS status = NT_STATUS_OK;
+ int i;
+- struct netlogon_creds_CredentialState *creds;
++ struct netlogon_creds_CredentialState *creds = NULL;
+
+ DEBUG(5,("_netr_ServerPasswordSet: %d\n", __LINE__));
+
+--
+2.3.0
+
+
+From 57c186ee4deda5e75d3588fa0252d9817492bb1f Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 16 Feb 2015 10:59:23 +0100
+Subject: [PATCH 2/2] s3-netlogon: Make sure we do not deference a NULL
+ pointer.
+
+This is an additional patch for CVE-2015-0240.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11077#c32
+
+Pair-Programmed-With: Michael Adam
+Pair-Programmed-With: Andreas Schneider
+Signed-off-by: Michael Adam
+Signed-off-by: Andreas Schneider
+Reviewed-by: Volker Lendecke
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index cab635f..2ba3278 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1275,9 +1275,14 @@ NTSTATUS _netr_ServerPasswordSet(struct pipes_struct *p,
+ unbecome_root();
+
+ if (!NT_STATUS_IS_OK(status)) {
++ const char *computer_name = "";
++
++ if (creds != NULL && creds->computer_name != NULL) {
++ computer_name = creds->computer_name;
++ }
+ DEBUG(2,("_netr_ServerPasswordSet: netlogon_creds_server_step failed. Rejecting auth "
+ "request from client %s machine account %s\n",
+- r->in.computer_name, creds->computer_name));
++ r->in.computer_name, computer_name));
+ TALLOC_FREE(creds);
+ return status;
+ }
+--
+2.3.0
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index 59a950a..9b072f6 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -1,7 +1,7 @@ # Set --with testsuite or %bcond_without to run the Samba torture testsuite. %bcond_with testsuite -%define main_release 37 +%define main_release 38 %define samba_version 4.1.1 %define talloc_version 2.0.8
@@ -120,6 +120,7 @@ Patch31: samba-CVE-2014-3493.patch Patch32: samba-CVE-2014-0178.patch Patch33: samba-4.1.9-file_open.patch Patch34: samba-CVE-2014-3560.patch +Patch35: samba-4.1.x-CVE-2015-0240.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
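Review bot: In the second embedded patch's hunk for `_netr_ServerPasswordSet`, the fallback `const char *computer_name = "";` leaves the level-2 rejection message with an empty machine account whenever `creds` is NULL, which is the failure path this CVE fix is about, so those rejected requests are hard to pick out of the log afterwards. A visible placeholder such as `const char *computer_name = "<unknown>";` would keep the line searchable; the page may simply have lost an angle-bracketed value here, as it appears to have lost the e-mail addresses in the patch headers. In the first embedded patch, the new `*creds_out = NULL;` in `netr_creds_server_step_check` deserves a comment such as `/* callers TALLOC_FREE(*creds_out) on failure, so clear it before any early return */`, because other callers presumably depend on it rather than initialising their own local the way `_netr_ServerPasswordSet` now does. Both functions begin and end outside the hunks shown.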
@@ -560,6 +561,7 @@ module necessary to communicate to the Winbind Daemon %patch32 -p1 -b .samba-CVE-2014-0178.patch %patch33 -p1 -b .samba-4.1.9-file_open.patch %patch34 -p1 -b .samba-CVE-2014-3560.patch +%patch35 -p1 -b .samba-4.1.x-CVE-2015-0240.patch %build %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -1626,6 +1628,9 @@ rm -rf %{buildroot} %{_mandir}/man8/pam_winbind.8* %changelog +* Thu Feb 19 2015 - Guenther Deschner - 4.1.1-38 +- resolves: #1194132 - CVE-2015-0240: RCE in netlogon server. + * Fri Aug 01 2014 - Guenther Deschner - 4.1.1-37 - resolves: #1126013 - CVE-2014-3560: remote code execution in nmbd.