Bug 1392702 (CVE-2016-2123)

Summary: CVE-2016-2123 samba: NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability (ZDI-CAN-3995)
Product: [Other] Security Response
Component: vulnerability
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: urgent
Priority: urgent
Version: unspecified
Keywords: Security
Hardware: All
OS: Linux
CC: asn, cperry, crrobins, gdeschner, grocha, jarrpa, madam, sbose, security-response-team, sisharma, smohan, ssaha, vbellur
Last Closed: 2016-12-16 06:31:17 UTC
Bug Blocks: 1392703

Description Huzaifa S. Sidhpurwala 2016-11-08 03:22:07 UTC
As per upstream:

The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database.  Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption.

By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.
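The upstream description gives the shape of the defect (an integer wrap while summing parsed lengths, so the destination is sized too small) but no code. The C below is an added illustration of that bug class and its mitigation; it is not Samba's ndr_pull_dnsp_name, not the upstream fix, and the wire layout it parses (one label count byte, then length-prefixed labels) is an assumed simplification of a DNS-style name. The names buggy_name_len, safe_pull_name, encode_name, NAME_MAX and the sample inputs are all constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed illustration (not Samba code). ASSUMED wire layout:
 *   byte 0    : number of labels
 *   per label : one length byte, then that many bytes
 * Decoded form: labels joined with '.', NUL-terminated.
 */
#define NAME_MAX 255  /* assumed fixed-size destination for a decoded name */

typedef enum {
    DNSP_OK = 0,
    DNSP_ERR_TRUNCATED = 1,  /* input ends before a label is complete */
    DNSP_ERR_RANGE = 2       /* decoded name would not fit NAME_MAX / outlen */
} dnsp_status;

/*
 * Buggy length computation: the running total is an 8-bit counter, so label
 * lengths that sum past 255 wrap (200 + '.' + 200 -> 145). A caller that sizes
 * its destination from this value under-allocates, which is the shape of
 * defect the report describes. Truncation checks are kept so this function
 * itself never reads past its input.
 */
static unsigned buggy_name_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < 1) return 0;
    uint8_t count = buf[0];
    size_t off = 1;
    uint8_t total = 0;                  /* too narrow: wraps at 256 */
    for (uint8_t i = 0; i < count; i++) {
        if (off >= buflen) return 0;
        uint8_t sublen = buf[off++];
        if (buflen - off < sublen) return 0;
        total += sublen;                /* silent 8-bit wrap */
        if (i + 1 != count) total++;    /* '.' separator */
        off += sublen;
    }
    return total;
}

/*
 * Hardened decoder: a wide accumulator plus an explicit range check against
 * the destination size, both done in a validation pass before any byte is
 * copied.
 */
static dnsp_status safe_pull_name(const uint8_t *buf, size_t buflen,
                                  char *out, size_t outlen)
{
    if (buflen < 1) return DNSP_ERR_TRUNCATED;
    if (outlen < 1) return DNSP_ERR_RANGE;
    uint8_t count = buf[0];
    size_t off = 1;
    size_t total = 0;   /* size_t cannot wrap for at most 255 labels of 255 bytes */

    /* pass 1: validate every length and the final decoded size */
    for (uint8_t i = 0; i < count; i++) {
        if (off >= buflen) return DNSP_ERR_TRUNCATED;
        uint8_t sublen = buf[off++];
        if (buflen - off < sublen) return DNSP_ERR_TRUNCATED;
        total += sublen + (i + 1 != count ? 1u : 0u);
        if (total > NAME_MAX || total >= outlen) return DNSP_ERR_RANGE;
        off += sublen;
    }

    /* pass 2: copy, now known to fit (total + NUL <= outlen) */
    off = 1;
    size_t pos = 0;
    for (uint8_t i = 0; i < count; i++) {
        uint8_t sublen = buf[off++];
        memcpy(out + pos, buf + off, sublen);
        pos += sublen;
        off += sublen;
        if (i + 1 != count) out[pos++] = '.';
    }
    out[pos] = '\0';
    return DNSP_OK;
}

/* Encode C-string labels in the assumed wire form (builds the samples). */
static size_t encode_name(uint8_t *dst, const char *const *labels, uint8_t count)
{
    size_t off = 0;
    dst[off++] = count;
    for (uint8_t i = 0; i < count; i++) {
        size_t n = strlen(labels[i]);   /* caller keeps each label <= 255 bytes */
        dst[off++] = (uint8_t)n;
        memcpy(dst + off, labels[i], n);
        off += n;
    }
    return off;
}

int main(void)
{
    char big[201];
    memset(big, 'a', 200); big[200] = '\0';
    const char *const hostile[] = { big, big };        /* constructed: 200 + 200 */
    const char *const benign[]  = { "www", "example" };
    uint8_t wire[1024];
    char out[256];

    size_t n = encode_name(wire, hostile, 2);
    printf("buggy length for 200+'.'+200: %u (true length 401)\n", buggy_name_len(wire, n));
    printf("hardened decoder status: %d (2 = rejected as out of range)\n",
           safe_pull_name(wire, n, out, sizeof out));
    n = encode_name(wire, benign, 2);
    if (safe_pull_name(wire, n, out, sizeof out) == DNSP_OK)
        printf("hardened decoder: \"%s\"\n", out);
    return 0;
}
```

The point to take from the two functions is the validate-then-copy split: every length is summed in a type that cannot wrap and compared with the destination size before the first memcpy, so a record whose labels sum past the limit is rejected as a range error rather than reaching the copy loop with an under-sized buffer.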

Comment 4 Huzaifa S. Sidhpurwala 2016-12-16 06:29:57 UTC
Statement:

Red Hat Enterprise Linux 5, 6 and 7 are not affected by this flaw because we do not ship Samba with the AD DNS Server, which is the vulnerable component.

Comment 5 Huzaifa S. Sidhpurwala 2016-12-20 03:20:44 UTC
External Reference:

https://www.samba.org/samba/security/CVE-2016-2123.html