Bug 1671845 (CVE-2019-3824)

Summary: CVE-2019-3824 samba: Out of bound read in ldb_wildcard_compare in Samba AD DC
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, abokovoy, anoopcs, asn, dbaker, gdeschner, jarrpa, jhrozek, jokerman, jstephen, lmohanty, madam, rhs-smb, sankarshan, sbose, security-response-team, sisharma, smohan, ssaha, ssorce, sthangav, trankin, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: samba 4.10
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way an LDAP search expression could crash the shared LDAP server process of a Samba AD DC. An authenticated user, having read permissions on the LDAP server, could use this flaw to cause denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-02-28 05:54:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1683909
Bug Blocks: 1671846

Description Laura Pardo 2019-02-01 20:45:26 UTC
A flaw was found in the way an authenticated user with read permission on the LDAP server could crash the shared LDAP server process of the Samba AD DC by using specially crafted search expressions like "cn=test*multi*test*multi".

Note that in Samba 4.7 and later, the default is not to have a shared LDAP process, unless -M prefork or -M single is specified on the command line to 'samba'.

Comment 1 Laura Pardo 2019-02-01 20:53:38 UTC
Acknowledgments:

Name: the Samba project

Comment 4 Eric Christensen 2019-02-18 14:21:40 UTC
Statement:

The versions of samba packages shipped with Red Hat Enterprise Linux 5, 6, and 7 do not support Active Directory Domain Controller mode, and therefore are not affected by this flaw.
This issue did not affect the version of samba as shipped with 'Red Hat Gluster Storage 3', as it did not include support for Active Directory Domain Controller.

Comment 5 Huzaifa S. Sidhpurwala 2019-02-28 05:31:36 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1683909]

Comment 7 Huzaifa S. Sidhpurwala 2019-02-28 05:53:13 UTC
External References:

https://bugzilla.samba.org/show_bug.cgi?id=13773