== Subject:     Samba AD DC LDAP server crash (paged searches)
== CVE ID#:     CVE-2019-12436
== Versions:    All versions of Samba since Samba 4.10.0
== Summary:     A user with read access to the directory can
                cause a NULL pointer dereference using the
                paged search control.


A user with read access to the LDAP server can crash the LDAP
server process.  Depending on the Samba version and the choice
of process model, this may crash only the user's own connection.

Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change

Samba 4.10 also supports the 'prefork' process model and by
using the -M option to 'samba' and a 'single' process model.
Both of these share on process between multiple clients.

NOTE WELL: the original report on this issue to the Samba Team
suggested a correlation between this NULL pointer dereference with
access to the \\DC\homes share on an AD DC, including a persistent
service failure.  The Samba Team has been unable to corroborate this
failure mode, and has instead focused on addressing the original

Patch Availability

Patches addressing both these issues have been posted to:

Additionally, Samba 4.10.5 has been issued as a security release to
correct the defect.  Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.

CVSSv3 calculation

CVSS:3.0/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)


Return to the default configuration by running 'samba' with -M 
standard, however this may consume more memory and would not address
the \\DC\homes issue.


Originally reported by Zombie Ryushu.

Patches provided by Douglas Bagnall of Catalyst and the Samba team.
Advisory written by Andrew Bartlett of Catalyst and the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team