Commits on Source (38)
-
Karolin Seeger authored
and re-enable GIT_SNAPSHOT. Signed-off-by: Karolin Seeger <kseeger@samba.org> (cherry picked from commit 1df7f93b)
4954a6da -
Jeremy Allison authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
677fad5e -
Jeremy Allison authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453 CVE-2018-10858: Insufficient input validation on client directory listing in libsmbclient. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
5923c3cc -
Andrew Bartlett authored
CVE-2018-10918: cracknames: Fix DoS (NULL pointer de-ref) when no servicePrincipalName is set on a user This regression was introduced in Samba 4.7 by bug 12842 and in master git commit eb2e7797. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13552 CVE-2018-10918: Denial of Service Attack on AD DC DRSUAPI server. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
87aa8361 -
Tim Beale authored
Object-specific access checks refer to a specific section of the MS-ADTS, and the code closely matches the spec. We need to extend this logic to properly handle the Control-Access Right (CR), so it makes sense to split the logic out into its own function. This patch just moves the code, and should not alter the logic (apart from adding in the boolean grant_access return variable). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
bbb72cfc -
Tim Beale authored
Reading the spec and then reading the code makes sense, but we could comment the code more so it makes sense on its own. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
a81f32e7 -
Tim Beale authored
Adds tests that assert that a confidential attribute cannot be guessed by an unprivileged user through wildcard DB searches. The tests basically consist of a set of DB searches/assertions that get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls
These tests all pass when run against a Windows DC and all fail against a Samba DC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
77421f33 -
Tim Beale authored
Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e. attribute=*) searches compared to Windows. All the acl.py tests are based on objectClass=* searches, where Windows will happily tell a user about objects they have List Contents rights, but not Read Property rights for. However, if you change the attribute being searched for, suddenly the objects are no longer visible on Windows (whereas they are on Samba). This is a problem, because Samba can tell you about which objects have confidential attributes, which in itself could be disclosive. This patch adds an acl.py test-case that highlights this behaviour. The test passes against Windows but fails against Samba. Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
03dba18b -
Tim Beale authored
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR) rights to a specific attribute would not actually grant access. What was happening was the remaining_access mask for the object_tree nodes would be Read Property (RP) + Control Access (CR). The ACE mapped to the schemaIDGUID for a given attribute, which would end up being a child node in the tree. So the CR bit was cleared for a child node, but not the rest of the tree. We would then check the user had the RP access right, which it did. However, the RP right was cleared for another node in the tree, which still had the CR bit set in its remaining_access bitmap, so Samba would not grant access. Generally, the remaining_access only ever has one bit set, which means this isn't a problem normally. However, in the Control Access case there are 2 separate bits being checked, i.e. RP + CR. One option to fix this problem would be to clear the remaining_access for the tree instead of just the node. However, the Windows spec is actually pretty clear on this: if the ACE has a CR right present, then you can stop any further access checks. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
a90cb03e -
Gary Lockyer authored
It is perfectly legal to search LDAP for an attribute that is not part of the schema. That part of the query should simply not match. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
7016bfd3 -
Tim Beale authored
So we can re-use the same logic later for checking the search-ops. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
6e35ae37 -
Tim Beale authored
Flip the dirsync check (to avoid a double negative), and use a helper boolean variable. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
f9fa4e5c -
Tim Beale authored
This better reflects the special case we're making for dirsync, and gets rid of a 'if-else' clause. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
1575ba42 -
Tim Beale authored
A user that doesn't have access to view an attribute can still guess the attribute's value via repeated LDAP searches. This affects confidential attributes, as well as ACLs applied to an object/attribute to deny access. Currently the code will hide objects if the attribute filter contains an attribute they are not authorized to see. However, the code still returns objects as results if a confidential attribute is in the search expression itself, but not in the attribute filter. To fix this problem we have to check the access rights on the attributes in the search-tree, as well as the attributes returned in the message. Points of note:
- I've preserved the existing dirsync logic (the dirsync module code suppresses the result as long as the replPropertyMetaData attribute is removed). However, there doesn't appear to be any test that highlights that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit searches like 'objectClass=*', even though we don't have Read Property access rights for the objectClass attribute. The logic that Windows uses does not appear to be clearly documented, so I've made a best guess that seems to mirror Windows behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
9891df45 -
Tim Beale authored
The acl_read.c code contains a special case to allow dirsync to work-around having insufficient access rights. We had a concern that the dirsync module could leak sensitive information for deleted objects. This patch adds a test-case to prove whether or not this is happening. The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it hangs around for deleted objects. Because the attributes now persist across test case runs, I've used a different attribute to normal. (Technically, the dirsync search expressions are now specific enough that the regular attribute could be used, but it would make things quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are now more complicated. Currently dirsync adds an extra-filter to the '!' searches to exclude deleted objects, i.e. samaccountname matches the test-objects AND the object is not deleted. We now extend this to include deleted objects with lastKnownParent equal to the test OU. The search expression matches either case so that we can use the same expression throughout the test (regardless of whether the object is deleted yet or not).
This test proves that the dirsync corner-case does not actually leak sensitive information on Samba. This is due to a bug in the dirsync code - when the buggy line is removed, this new test promptly fails. Test also passes against Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434 Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
a915e23a -
Douglas Bagnall authored
We have cmocka in third_party, so we are never without it. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (Backported from commit 33ef0e57 by Andrew Bartlett)
c775bd8b -
Andrew Bartlett authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
3454eae9 -
Günther Deschner authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
5fb35b7f -
Günther Deschner authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
f0bd8cc7 -
Günther Deschner authored
Right now, this test will succeed. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
6993f39d -
Günther Deschner authored
This fixes a regression that came in via 00db3aba. Found by Vivek Das <vdas@redhat.com> (Red Hat QE). In order to demonstrate simply run:
  smbclient //server/share -U user%password -mNT1 -c quit \
    --option="client ntlmv2 auth"=no \
    --option="client use spnego"=no
against a server that uses "ntlm auth = ntlmv2-only" (our default setting). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
a5245e46 -
Andrej Gessel authored
Signed-off-by: Andrej Gessel <Andrej.Gessel@janztec.com> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
95c95a4a -
Andrew Bartlett authored
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
73317239 -
Andrew Bartlett authored
ldb_dn_from_ldb_val() does not validate this untrusted input, so a later call to ldb_dn_get_casefold() can fail if the input is not valid. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
a36db4fc -
Andrew Bartlett authored
This ensures we fail with a good error code before an eventual ldb_dn_get_casefold() which would otherwise fail. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
ebc3a1a1 -
Andrew Bartlett authored
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=13374
47bf6f6e -
Andrew Bartlett authored
* Security fix for CVE-2018-1140 (NULL pointer de-reference, bug 13374) Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
5ad366eb -
Kai Blin authored
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13466 Signed-off-by: Kai Blin <kai@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
43aba6bd -
Karolin Seeger authored
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o CVE-2018-10858 (Insufficient input validation on client directory listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP server.)
Signed-off-by: Karolin Seeger <kseeger@samba.org>
032a6a46 -
Karolin Seeger authored
o CVE-2018-1139 (Weak authentication protocol allowed.)
o CVE-2018-1140 (Denial of Service Attack on DNS and LDAP server.)
o CVE-2018-10858 (Insufficient input validation on client directory listing in libsmbclient.)
o CVE-2018-10918 (Denial of Service Attack on AD DC DRSUAPI server.)
o CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP server.)
Signed-off-by: Karolin Seeger <kseeger@samba.org>
626c489c -
Mathieu Parent authored
dd609d77 -
Mathieu Parent authored
ce9eaf97 -
Mathieu Parent authored
Upstream version 4.8.4+dfsg
031cbc5b -
Mathieu Parent authored
5dc3c24f -
Mathieu Parent authored
f9819549 -
Mathieu Parent authored
25a59f4e -
Mathieu Parent authored
c00ec4d1 -
Mathieu Parent authored
47ad83c0
Showing
- VERSION 1 addition, 1 deletion
- WHATSNEW.txt 92 additions, 2 deletions
- ctdb/doc/ctdb-etcd.7 2 additions, 2 deletions
- ctdb/doc/ctdb-statistics.7 2 additions, 2 deletions
- ctdb/doc/ctdb-tunables.7 2 additions, 2 deletions
- ctdb/doc/ctdb.1 2 additions, 2 deletions
- ctdb/doc/ctdb.7 2 additions, 2 deletions
- ctdb/doc/ctdb_diagnostics.1 2 additions, 2 deletions
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7 2 additions, 2 deletions
- ctdb/doc/ctdbd.1 2 additions, 2 deletions
- ctdb/doc/ctdbd.conf.5 2 additions, 2 deletions
- ctdb/doc/ctdbd_wrapper.1 2 additions, 2 deletions
- ctdb/doc/ltdbtool.1 2 additions, 2 deletions
- ctdb/doc/onnode.1 2 additions, 2 deletions
- ctdb/doc/ping_pong.1 2 additions, 2 deletions
- debian/changelog 20 additions, 5 deletions
- debian/control 5 additions, 4 deletions
- debian/rules 0 additions, 3 deletions
- docs/manpages/cifsdd.8 3 additions, 3 deletions
- docs/manpages/dbwrap_tool.1 4 additions, 4 deletions