From: "akuster" <akuster808@gmail.com>
To: openembedded-devel@lists.openembedded.org
Subject: [dunfell 08/28] samba: CVE-2020-14383 Security Advisory
Date: Sun, 17 Jan 2021 09:46:06 -0800	[thread overview]
Message-ID: <65985a6579064d08009adecb6279a5bb599affca.1610905441.git.akuster808@gmail.com> (raw)
In-Reply-To: <cover.1610905441.git.akuster808@gmail.com>

From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14383

Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit baee1ebeafce5d6a99dafc30b91e6fb760197686)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
(cherry picked from commit 81d14a86353829eba1d55a93d478faf4c5527a89)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 .../samba/samba/CVE-2020-14383.patch          | 112 ++++++++++++++++++
 .../samba/samba_4.10.18.bb                    |   1 +
 2 files changed, 113 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
new file mode 100644
index 0000000000..3341b80a38
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
@@ -0,0 +1,112 @@
+From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 14:34:31 +0900
+Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with 
+ NULL. do not crash when additional data not found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Found by Francis Brosnan Blázquez <francis@aspl.es>.
+Based on patches from Francis Brosnan Blázquez <francis@aspl.es>
+and Jeremy Allison <jra@samba.org>
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
+Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
+
+(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)
+(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e
+
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ .../rpc_server/dnsserver/dcerpc_dnsserver.c   | 31 ++++++++++---------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+index 910de9a1..618c7096 100644
+--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
++++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+@@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 	TALLOC_CTX *tmp_ctx;
+ 	char *name;
+ 	const char * const attrs[] = { "name", "dnsRecord", NULL };
+-	struct ldb_result *res;
+-	struct DNS_RPC_RECORDS_ARRAY *recs;
++	struct ldb_result *res = NULL;
++	struct DNS_RPC_RECORDS_ARRAY *recs = NULL;
+ 	char **add_names = NULL;
+-	char *rname;
++	char *rname = NULL;
+ 	const char *preference_name = NULL;
+ 	int add_count = 0;
+ 	int i, ret, len;
+ 	WERROR status;
+-	struct dns_tree *tree, *base, *node;
++	struct dns_tree *tree = NULL;
++	struct dns_tree *base = NULL;
++	struct dns_tree *node = NULL;
+ 
+ 	tmp_ctx = talloc_new(mem_ctx);
+ 	W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
+@@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 		}
+ 	}
+ 
+-	talloc_free(res);
+-	talloc_free(tree);
+-	talloc_free(name);
++	TALLOC_FREE(res);
++	TALLOC_FREE(tree);
++	TALLOC_FREE(name);
+ 
+ 	/* Add any additional records */
+ 	if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
+ 		for (i=0; i<add_count; i++) {
+-			struct dnsserver_zone *z2;
+-
++			struct dnsserver_zone *z2 = NULL;
++			struct ldb_message *msg = NULL;
+ 			/* Search all the available zones for additional name */
+ 			for (z2 = dsstate->zones; z2; z2 = z2->next) {
+ 				char *encoded_name;
+@@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 						LDB_SCOPE_ONELEVEL, attrs,
+ 						"(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
+ 						encoded_name);
+-				talloc_free(name);
++				TALLOC_FREE(name);
+ 				if (ret != LDB_SUCCESS) {
+ 					continue;
+ 				}
+ 				if (res->count == 1) {
++					msg = res->msgs[0];
+ 					break;
+ 				} else {
+-					talloc_free(res);
++					TALLOC_FREE(res);
+ 					continue;
+ 				}
+ 			}
+@@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+ 			}
+ 			status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
+ 							select_flag, rname,
+-							res->msgs[0], 0, recs,
++							msg, 0, recs,
+ 							NULL, NULL);
+-			talloc_free(rname);
+-			talloc_free(res);
++			TALLOC_FREE(rname);
++			TALLOC_FREE(res);
+ 		}
+ 	}
+ 
+-- 
+2.25.1
+
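Review bot: In the additional-records loop of the carried patch, `msg` is still NULL when no zone returns exactly one match, and it is then passed unconditionally to `dns_fill_records_array()`. That callee is not part of this patch, so the backport only removes the crash if the samba 4.10.18 version of the function accepts a NULL message, which is worth confirming against the 4.10.18 sources. I would record that dependency at the call site with a comment such as `/* msg is NULL when no zone matched; dns_fill_records_array() must tolerate that */`. The `status` returned by that call is also not examined in the visible lines before the loop iteration ends. `dnsserver_enumerate_records` begins and ends outside these hunks.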
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index 923b2ddf16..1a982368ec 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -29,6 +29,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
            file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
            file://CVE-2020-14318.patch \
+           file://CVE-2020-14383.patch \
            "
 SRC_URI_append_libc-musl = " \
            file://samba-pam.patch \
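Review bot: The patch file wired into SRC_URI here has no `Upstream-Status:` or `CVE:` line in its header. The only provenance is the two "(based on commit …)" lines, the second of which is missing its closing parenthesis. I would add `CVE: CVE-2020-14383` and `Upstream-Status: Backport` (naming upstream commits df98e7db04c901259dd089e20cd557bdbdeaf379 and 7afe449e7201be92bed8e53cbb37b74af720ef4e) above the final Signed-off-by in CVE-2020-14383.patch. This lets tooling and later maintainers tie the fix to the advisory from the patch content rather than from the file name alone.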
-- 
2.17.1

