As per upstream advisory:

Samba 4.9 introduced an off-by-default feature to tombstone dynamically created DNS records that had reached their expiry time. This feature is controlled by the smb.conf option:

    dns zone scavenging = yes

There is a use-after-free issue in this code, essentially due to a call to realloc() while other local variables still point at the original buffer. The use is a read, but in quite unlikely conditions (due to NDR validation unpacking the buffer) that read memory might be saved back into the DB.
Acknowledgments: Name: the Samba project Upstream: Christian Naumer
Statement: This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.
Mitigation: The code in question is not run in the default configuration, so the workaround is simply to not set dns zone scavenging = yes
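One way to audit a configuration for the setting named in the mitigation above. This is an added example, not code from Samba or Red Hat; the function name, the sample files and the include path are constructed for illustration. It assumes the option only takes effect in [global], reads only the text it is given, and does not follow include lines or registry-backed configuration.

```python
import re

TRUE_WORDS = {"yes", "true", "on", "1"}   # boolean spellings smb.conf accepts
TARGET = "dnszonescavenging"              # "dns zone scavenging", normalised


def _norm(name):
    """smb.conf parameter names ignore case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()


def scavenging_enabled(conf_text):
    """Return (enabled, warnings) for the [global] section of conf_text."""
    enabled, warnings, section = False, [], None
    # Join backslash-continued lines before parsing.
    logical = re.sub(r"\\\r?\n", "", conf_text).splitlines()
    for raw in logical:
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        key = _norm(name)
        if key == "include":
            warnings.append(f"include not followed: {value}")
        elif key == TARGET and section == "global":
            enabled = value.lower() in TRUE_WORDS  # last assignment wins
    return enabled, warnings


# Constructed sample files, not taken from any real system.
SAMPLE_AT_RISK = """\
[global]
    server role = active directory domain controller
    ; dns zone scavenging = no
    DNS Zone  Scavenging = Yes
"""
SAMPLE_DEFAULT = """\
[global]
    server role = active directory domain controller
    # dns zone scavenging = yes
    include = /etc/samba/extra.conf
"""

if __name__ == "__main__":
    for label, text in (("at risk", SAMPLE_AT_RISK), ("default", SAMPLE_DEFAULT)):
        print(label, scavenging_enabled(text))
```

A non-empty warnings list means the result covers only part of the effective configuration and the included files need the same check.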
External References: https://www.samba.org/samba/security/CVE-2019-19344.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1793406]