Date: Sat, 5 Aug 2023 06:03:43 GMT
Message-Id: <202308050603.37563hwU093729@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: Yasuhiro Kimura Subject: git: 3f30fc05f43a - main - security/vuxml: Document multiple vulnerabilities in Samba List-Id: Commits to the main branch of the FreeBSD ports repository List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-ports-main@freebsd.org X-BeenThere: dev-commits-ports-main@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: yasu X-Git-Repository: ports X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: 3f30fc05f43a38cea67ecab0bef9f5e674dd5559 Auto-Submitted: auto-generated The branch main has been updated by yasu: URL: https://cgit.FreeBSD.org/ports/commit/?id=3f30fc05f43a38cea67ecab0bef9f5e674dd5559 commit 3f30fc05f43a38cea67ecab0bef9f5e674dd5559 Author: Yasuhiro Kimura AuthorDate: 2023-07-21 09:27:44 +0000 Commit: Yasuhiro Kimura CommitDate: 2023-08-05 06:02:23 +0000 security/vuxml: Document multiple vulnerabilities in Samba PR: 272638 --- security/vuxml/vuln/2023.xml | 141 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 141 insertions(+) diff --git a/security/vuxml/vuln/2023.xml b/security/vuxml/vuln/2023.xml index 1252e5b3cec6..64ad8330f851 100644 --- a/security/vuxml/vuln/2023.xml +++ b/security/vuxml/vuln/2023.xml @@ -1,3 +1,144 @@ + + samba -- multiple vulnerabilities + + + samba416 + 4.16.11 + + + samba413 + 4.13.18 + + + + +

The Samba Team reports:

+
+
+
CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion Denial-of-Service Vulnerability
+
+ When parsing Spotlight mdssvc RPC packets, one encoded + data structure is a key-value style dictionary where the + keys are character strings and the values can be any of + the supported types in the mdssvc protocol. Due to a + lack of type checking in callers of the function + dalloc_value_for_key(), which returns the object + associated with a key, a caller may trigger a crash in + talloc_get_size() when talloc detects that the passed in + pointer is not a valid talloc pointer. + + As RPC worker processes are shared among multiple client + connections, a malicious client can crash the worker + process affecting all other clients that are also served + by this worker. +
+
CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
+
+ When doing NTLM authentication, the client sends replies + to cryptographic challenges back to the server. These + replies have variable length. Winbind did not properly + bounds-check the lan manager response length, which + despite the lan manager version no longer being used is + still part of the protocol. + + If the system is running Samba's ntlm_auth as + authentication backend for services like Squid (or a + very unusual configuration with FreeRADIUS), the + vulnarebility is remotely exploitable + + If not so configured, or to exploit this vulnerability + locally, the user must have access to the privileged + winbindd UNIX domain socket (a subdirectory with name + 'winbindd_privileged' under "state directory", as set in + the smb.conf). + + This access is normally only given so special system + services like Squid or FreeRADIUS, that use this + feature. +
+
CVE-2023-34968: Spotlight server-side Share Path Disclosure
+
+ As part of the Spotlight protocol, the initial request + returns a path associated with the sharename targeted by + the RPC request. Samba returns the real server-side + share path at this point, as well as returning the + absolute server-side path of results in search queries + by clients. + + Known server side paths could be used to mount + subsequent more serious security attacks or could + disclose confidential information that is part of the + path. + + To mitigate the issue, Samba will replace the real + server-side path with a fake path constructed from the + sharename. +
+
CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop Denial-of-Service Vulnerability
+
+ When parsing Spotlight mdssvc RPC packets sent by the + client, the core unmarshalling function sl_unpack_loop() + did not validate a field in the network packet that + contains the count of elements in an array-like + structure. By passing 0 as the count value, the attacked + function will run in an endless loop consuming 100% CPU. + + This bug only affects servers where Spotlight is + explicitly enabled globally or on individual shares with + "spotlight = yes". +
+
CVE-2023-3347: SMB2 packet signing not enforced
+
+ SMB2 packet signing is not enforced if an admin + configured "server signing = required" or for SMB2 + connections to Domain Controllers where SMB2 packet + signing is mandatory. + + SMB2 packet signing is a mechanism that ensures the + integrity and authenticity of data exchanged between a + client and a server using the SMB2 protocol. + + It provides protection against certain types of attacks, + such as man-in-the-middle attacks, where an attacker + intercepts network traffic and modifies the SMB2 + messages. + + Both client and server of an SMB2 connection can require + that signing is being used. The server-side setting in + Samba to configure signing to be required is "server + signing = required". Note that on an Samba AD DCs this + is also the default for all SMB2 connections. + + Unless the client requires signing which would result in + signing being used on the SMB2 connection, sensitive + data might have been modified by an attacker. + + Clients connecting to IPC$ on an AD DC will require + signed connections being used, so the integrity of these + connections was not affected. +
+
+
+ +
+ + CVE-2023-34967 + CVE-2022-2127 + CVE-2023-34968 + CVE-2023-34966 + CVE-2023-3347 + https://www.samba.org/samba/security/CVE-2023-34967.html + https://www.samba.org/samba/security/CVE-2022-2127.html + https://www.samba.org/samba/security/CVE-2023-34968.html + https://www.samba.org/samba/security/CVE-2023-34966.html + https://www.samba.org/samba/security/CVE-2023-3347.html + + + 2023-07-19 + 2023-08-05 + +
+ chromium -- multiple vulnerabilities
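Review bot: the CVE-2022-2127 paragraph in this hunk has the misspelling "vulnarebility" and the sentence it closes ("the vulnarebility is remotely exploitable") lacks a terminating period, and the CVE-2023-3347 paragraph reads "Note that on an Samba AD DCs". If these descriptions were pasted verbatim from the Samba advisories, that is the usual VuXML practice and they can stand as quoted text; if they were retyped, correct them to "vulnerability", add the period, and use "on Samba AD DCs" so the rendered entry reads cleanly. A second point on the affects block: it lists only samba416 (fixed in 4.16.11) and samba413 (fixed in 4.13.18), so before this lands it is worth confirming that these are the only Samba ports in the tree that ship affected code and that both fixed-in versions are already committed for PR 272638, since an entry whose fixed-in versions precede the port bumps will mark the currently installed packages as vulnerable in pkg audit until the ports catch up.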