diff options
Diffstat (limited to 'meta-networking/recipes-connectivity/samba')
38 files changed, 3954 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0001.patch new file mode 100644 index 0000000000..d938e8cd66 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0001.patch @@ -0,0 +1,147 @@ +From cbbfc917b9635bc62825ea64a157028297f54fb7 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <metze@samba.org> +Date: Fri, 29 Jan 2016 23:35:31 +0100 +Subject: [PATCH] CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix + the nTSecurityDescriptor on CN=Deleted Objects containers + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher <metze@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566) + +Autobuild-User(v4-18-test): Jule Anger <janger@samba.org> +Autobuild-Date(v4-18-test): Mon Oct 23 09:52:22 UTC 2023 on atb-devel-224 + +CVE: CVE-2018-14628 + +Upstream-Status: Backport[https://github.com/samba-team/samba/commit/cbbfc917b9635bc62825ea64a157028297f54fb7] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + python/samba/dbchecker.py | 10 ++++++++-- + python/samba/descriptor.py | 15 ++++++++++++++- + testprogs/blackbox/dbcheck-links.sh | 12 ++++++++++++ + 3 files changed, 34 insertions(+), 3 deletions(-) + +diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py +index d10d765..d8c2341 100644 +--- a/python/samba/dbchecker.py ++++ b/python/samba/dbchecker.py +@@ -2433,7 +2433,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) + error_count += 1 + continue + +- if self.reset_well_known_acls: ++ if dn == deleted_objects_dn or self.reset_well_known_acls: + try: + well_known_sd = self.get_wellknown_sd(dn) + except KeyError: +@@ -2442,7 +2442,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) + current_sd = ndr_unpack(security.descriptor, + obj[attrname][0]) + +- diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid())) ++ ignoreAdditionalACEs = False ++ if not self.reset_well_known_acls: ++ ignoreAdditionalACEs = True ++ ++ diff = get_diff_sds(well_known_sd, current_sd, ++ security.dom_sid(self.samdb.get_domain_sid()), ++ ignoreAdditionalACEs=ignoreAdditionalACEs) + if diff != "": + self.err_wrong_default_sd(dn, well_known_sd, diff) + error_count += 1 +diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py +index 0998348..08cfab0 100644 +--- a/python/samba/descriptor.py ++++ b/python/samba/descriptor.py +@@ -407,6 +407,7 @@ def get_wellknown_sds(samdb): + # Then subcontainers + subcontainers = [ + (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor), ++ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor), + (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor), +@@ -417,6 +418,7 @@ def get_wellknown_sds(samdb): + (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor), + + (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor), ++ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor), + (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor), + (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor), +@@ -441,6 +443,9 @@ def get_wellknown_sds(samdb): + if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn: + c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor) + subcontainers.append(c) ++ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)), ++ get_deletedobjects_descriptor) ++ subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) +@@ -456,6 +461,9 @@ def get_wellknown_sds(samdb): + if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn: + c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor) + subcontainers.append(c) ++ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)), ++ get_deletedobjects_descriptor) ++ subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) +@@ -548,7 +556,8 @@ def get_clean_sd(sd): + return sd_clean + + +-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True): ++def get_diff_sds(refsd, cursd, domainsid, checkSacl=True, ++ ignoreAdditionalACEs=False): + """Get the difference between 2 sd + + This function split the textual representation of ACL into smaller +@@ -603,6 +612,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True): + h_ref.remove(k) + + if len(h_cur) + len(h_ref) > 0: ++ if txt == "" and len(h_ref) == 0: ++ if ignoreAdditionalACEs: ++ return "" ++ + txt = "%s\tPart %s is different between reference" \ + " and current here is the detail:\n" % (txt, part) + +diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh +index f00fe46..06b24fb 100755 +--- a/testprogs/blackbox/dbcheck-links.sh ++++ b/testprogs/blackbox/dbcheck-links.sh +@@ -58,6 +58,16 @@ dbcheck() { + fi + } + ++dbcheck_acl_reset() ++{ ++ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --fix --yes --attrs=nTSecurityDescriptor ++} ++ ++dbcheck_acl_clean() ++{ ++ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --attrs=nTSecurityDescriptor ++} ++ + dbcheck_dangling() { + dbcheck "" "1" "--selftest-check-expired-tombstones" + return $? +@@ -893,6 +903,8 @@ EOF + remove_directory $PREFIX_ABS/${RELEASE} + + testit $RELEASE undump || failed=`expr $failed + 1` ++testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1) ++testit "dbcheck_acl_clean" dbcheck_acl_clean || failed=$(expr $failed + 1) + testit "add_two_more_users" add_two_more_users || failed=`expr $failed + 1` + testit "add_four_more_links" add_four_more_links || failed=`expr $failed + 1` + testit "remove_one_link" remove_one_link || failed=`expr $failed + 1` +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0002.patch new file mode 100644 index 0000000000..e3d45627a5 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0002.patch @@ -0,0 +1,72 @@ +From f967b91da76f86a9feb4c1469fccfce93be8bc79 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <metze@samba.org> +Date: Wed, 7 Jun 2023 18:18:58 +0200 +Subject: [PATCH] CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor + for missing deleted objects container + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher <metze@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db) + +CVE: CVE-2018-14628 + +Upstream-Status: Backport +[https://github.com/samba-team/samba/commit/f967b91da76f86a9feb4c1469fccfce93be8bc79] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + python/samba/dbchecker.py | 16 +++++++++++++--- + 1 file changed, 13 insertions(+), 3 deletions(-) + +diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py +index d8c2341..35b6eeb 100644 +--- a/python/samba/dbchecker.py ++++ b/python/samba/dbchecker.py +@@ -21,7 +21,7 @@ from __future__ import print_function + import ldb + import samba + import time +-from base64 import b64decode ++from base64 import b64decode, b64encode + from samba import dsdb + from samba import common + from samba.dcerpc import misc +@@ -30,7 +30,11 @@ from samba.ndr import ndr_unpack, ndr_pack + from samba.dcerpc import drsblobs + from samba.samdb import dsdb_Dn + from samba.dcerpc import security +-from samba.descriptor import get_wellknown_sds, get_diff_sds ++from samba.descriptor import ( ++ get_wellknown_sds, ++ get_deletedobjects_descriptor, ++ get_diff_sds ++) + from samba.auth import system_session, admin_session + from samba.netcmd import CommandError + from samba.netcmd.fsmo import get_fsmo_roleowner +@@ -340,6 +344,11 @@ class dbcheck(object): + wko_prefix = "B:32:%s" % dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER + listwko.append('%s:%s' % (wko_prefix, dn)) + guid_suffix = "" ++ ++ domain_sid = security.dom_sid(self.samdb.get_domain_sid()) ++ sec_desc = get_deletedobjects_descriptor(domain_sid, ++ name_map=self.name_map) ++ sec_desc_b64 = b64encode(sec_desc).decode('utf8') + + # Insert a brand new Deleted Objects container + self.samdb.add_ldif("""dn: %s +@@ -349,7 +358,8 @@ description: Container for deleted objects + isDeleted: TRUE + isCriticalSystemObject: TRUE + showInAdvancedViewOnly: TRUE +-systemFlags: -1946157056%s""" % (dn, guid_suffix), ++nTSecurityDescriptor:: %s ++systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix), + controls=["relax:0", "provision:0"]) + + delta = ldb.Message() +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0003.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0003.patch new file mode 100644 index 0000000000..df30e0c106 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0003.patch @@ -0,0 +1,106 @@ +From edac27f5408191567233983562091484ebbbad0a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <metze@samba.org> +Date: Mon, 26 Jun 2023 15:14:24 +0200 +Subject: [PATCH] CVE-2018-14628: s4:dsdb: remove unused code in + dirsync_filter_entry() + +This makes the next change easier to understand. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher <metze@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371) + +CVE: CVE-2018-14628 + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/edac27f5408191567233983562091484ebbbad0a] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source4/dsdb/samdb/ldb_modules/dirsync.c | 53 +++--------------------- + 1 file changed, 5 insertions(+), 48 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c +index e61ade8..e7fb27f 100644 +--- a/source4/dsdb/samdb/ldb_modules/dirsync.c ++++ b/source4/dsdb/samdb/ldb_modules/dirsync.c +@@ -152,10 +152,6 @@ static int dirsync_filter_entry(struct ldb_request *req, + * list only the attribute that have been modified since last interogation + * + */ +- newmsg = ldb_msg_new(dsc->req); +- if (newmsg == NULL) { +- return ldb_oom(ldb); +- } + for (i = msg->num_elements - 1; i >= 0; i--) { + if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) { + int error = 0; +@@ -202,11 +198,6 @@ static int dirsync_filter_entry(struct ldb_request *req, + */ + return LDB_SUCCESS; + } +- newmsg->dn = ldb_dn_new(newmsg, ldb, ""); +- if (newmsg->dn == NULL) { +- return ldb_oom(ldb); +- } +- + el = ldb_msg_find_element(msg, "objectGUID"); + if ( el != NULL) { + guidfound = true; +@@ -217,48 +208,14 @@ static int dirsync_filter_entry(struct ldb_request *req, + * well will uncomment the code bellow + */ + SMB_ASSERT(guidfound == true); +- /* +- if (guidfound == false) { +- struct GUID guid; +- struct ldb_val *new_val; +- DATA_BLOB guid_blob; +- +- tmp[0] = '\0'; +- txt = strrchr(txt, ':'); +- if (txt == NULL) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- txt++; +- +- status = GUID_from_string(txt, &guid); +- if (!NT_STATUS_IS_OK(status)) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- +- status = GUID_to_ndr_blob(&guid, msg, &guid_blob); +- if (!NT_STATUS_IS_OK(status)) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- +- new_val = talloc(msg, struct ldb_val); +- if (new_val == NULL) { +- return ldb_oom(ldb); +- } +- new_val->data = talloc_steal(new_val, guid_blob.data); +- new_val->length = guid_blob.length; +- if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- } +- */ +- ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD); +- talloc_steal(newmsg->elements, el->name); +- talloc_steal(newmsg->elements, el->values); +- +- talloc_steal(newmsg->elements, msg); + return ldb_module_send_entry(dsc->req, msg, controls); + } + ++ newmsg = ldb_msg_new(dsc->req); ++ if (newmsg == NULL) { ++ return ldb_oom(ldb); ++ } ++ + ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd, + (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0004.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0004.patch new file mode 100644 index 0000000000..6fa4ef10dd --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0004.patch @@ -0,0 +1,64 @@ +From 74a508b39e6fd5036a2adc99d559bd3852f8ce8d Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <metze@samba.org> +Date: Fri, 29 Jan 2016 23:34:15 +0100 +Subject: [PATCH] CVE-2018-14628: s4:setup: set the correct + nTSecurityDescriptor on the CN=Deleted Objects container + +This revealed a bug in our dirsync code, so we mark +test_search_with_dirsync_deleted_objects as knownfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher <metze@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47) + +CVE: CVE-2018-14628 + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/74a508b39e6fd5036a2adc99d559bd3852f8ce8d] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source4/setup/provision.ldif | 1 + + source4/setup/provision_configuration.ldif | 1 + + source4/setup/provision_dnszones_add.ldif | 1 + + 3 files changed, 3 insertions(+) + +diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif +index 5d9eba4..7f966fd 100644 +--- a/source4/setup/provision.ldif ++++ b/source4/setup/provision.ldif +@@ -34,6 +34,7 @@ isDeleted: TRUE + isCriticalSystemObject: TRUE + showInAdvancedViewOnly: TRUE + systemFlags: -1946157056 ++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} + + # Computers located in "provision_computers*.ldif" + # Users/Groups located in "provision_users*.ldif" +diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif +index 53c9c85..8fcbddb 100644 +--- a/source4/setup/provision_configuration.ldif ++++ b/source4/setup/provision_configuration.ldif +@@ -14,6 +14,7 @@ description: Container for deleted objects + isDeleted: TRUE + isCriticalSystemObject: TRUE + systemFlags: -1946157056 ++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} + + # Extended rights + +diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif +index 860aa4b..a2d6b6b 100644 +--- a/source4/setup/provision_dnszones_add.ldif ++++ b/source4/setup/provision_dnszones_add.ldif +@@ -8,6 +8,7 @@ description: Deleted objects + isDeleted: TRUE + isCriticalSystemObject: TRUE + systemFlags: -1946157056 ++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} + + dn: CN=LostAndFound,${ZONE_DN} + objectClass: top +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0005.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0005.patch new file mode 100644 index 0000000000..b0a8ef2535 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0005.patch @@ -0,0 +1,98 @@ +From 46a168c9a89e82ccaf8d27669d1ae5459f7becb9 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <metze@samba.org> +Date: Fri, 29 Jan 2016 23:33:37 +0100 +Subject: [PATCH] CVE-2018-14628: python:provision: make + DELETEDOBJECTS_DESCRIPTOR available in the ldif files + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher <metze@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c) + +CVE: CVE-2018-14628 + +Upstream-Status: Backport +[https://github.com/samba-team/samba/commit/46a168c9a89e82ccaf8d27669d1ae5459f7becb9] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + python/samba/provision/__init__.py | 5 +++++ + python/samba/provision/sambadns.py | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py +index e8903ad..0c52cc1 100644 +--- a/python/samba/provision/__init__.py ++++ b/python/samba/provision/__init__.py +@@ -79,6 +79,7 @@ from samba.provision.backend import ( + LDBBackend, + ) + from samba.descriptor import ( ++ get_deletedobjects_descriptor, + get_empty_descriptor, + get_config_descriptor, + get_config_partitions_descriptor, +@@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid, + msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD, + "subRefs") + ++ deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8') ++ + samdb.invocation_id = invocationid + + # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it +@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, + "FOREST_FUNCTIONALITY": str(forestFunctionality), + "DOMAIN_FUNCTIONALITY": str(domainFunctionality), + "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr, ++ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, + "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr, + "SERVICES_DESCRIPTOR": protected1_descr, + "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr, +@@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, + "RIDAVAILABLESTART": str(next_rid + 600), + "POLICYGUID_DC": policyguid_dc, + "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, ++ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, + "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc, + "SYSTEM_DESCRIPTOR": system_desc, + "BUILTIN_DESCRIPTOR": builtin_desc, +diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py +index 8a5d8a9..61beb16 100644 +--- a/python/samba/provision/sambadns.py ++++ b/python/samba/provision/sambadns.py +@@ -41,6 +41,7 @@ from samba.dsdb import ( + DS_DOMAIN_FUNCTION_2016 + ) + from samba.descriptor import ( ++ get_deletedobjects_descriptor, + get_domain_descriptor, + get_domain_delete_protected1_descriptor, + get_domain_delete_protected2_descriptor, +@@ -245,6 +246,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, + domainzone_dn = "DC=DomainDnsZones,%s" % domaindn + forestzone_dn = "DC=ForestDnsZones,%s" % forestdn + descriptor = get_dns_partition_descriptor(domainsid) ++ deletedobjects_desc = get_deletedobjects_descriptor(domainsid) + + setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), { + "ZONE_DN": domainzone_dn, +@@ -268,6 +270,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, + "ZONE_DNS": domainzone_dns, + "CONFIGDN": configdn, + "SERVERDN": serverdn, ++ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'), + "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), + "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), + }) +@@ -288,6 +291,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, + "ZONE_DNS": forestzone_dns, + "CONFIGDN": configdn, + "SERVERDN": serverdn, ++ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8') + "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), + "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), + }) +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0006.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0006.patch new file mode 100644 index 0000000000..d92ad41df1 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0006.patch @@ -0,0 +1,51 @@ +From e884fc791e59bd6ebd41b4a2ab7c9d7dc45415f4 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <metze@samba.org> +Date: Fri, 29 Jan 2016 23:30:59 +0100 +Subject: [PATCH] CVE-2018-14628: python:descriptor: add + get_deletedobjects_descriptor() + +samba-tool drs clone-dc-database was quite useful to find +the true value of nTSecurityDescriptor of the CN=Delete Objects +containers. + +Only the auto inherited SACL is available via a ldap search. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher <metze@samba.org> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8) + +CVE: CVE-2018-14628 + +Upstream-Status: Backport +[https://github.com/samba-team/samba/commit/e884fc791e59bd6ebd41b4a2ab7c9d7dc45415f4] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + python/samba/descriptor.py | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py +index 08cfab0..0141f38 100644 +--- a/python/samba/descriptor.py ++++ b/python/samba/descriptor.py +@@ -52,6 +52,16 @@ def get_empty_descriptor(domain_sid, name_map={}): + # "get_schema_descriptor" is located in "schema.py" + + ++def get_deletedobjects_descriptor(domain_sid, name_map=None): ++ if name_map is None: ++ name_map = {} ++ ++ sddl = "O:SYG:SYD:PAI" \ ++ "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \ ++ "(A;;RPLC;;;BA)" ++ return sddl2binary(sddl, domain_sid, name_map) ++ ++ + def get_config_descriptor(domain_sid, name_map={}): + sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch new file mode 100644 index 0000000000..6610899458 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch @@ -0,0 +1,72 @@ +From f9ec7002cdd526ae84fbacbf153162e118f22580 Mon Sep 17 00:00:00 2001 +From: Nicolas Williams <nico@twosigma.com> +Date: Wed Mar 9 10:18:52 2022 -0600 +Subject: [PATCH] spnego: CVE-2021-44758 send_reject when no mech selected + + This fixes a DoS where an initial SPNEGO token that has no acceptable + mechanisms causes a NULL dereference in acceptors. + + send_accept() when called with a non-zero 'initial_response' did + not handle the case of gssspnego_ctx.preferred_mech_type equal + to GSS_C_NO_OID. + + The failure to handle GSS_C_NO_OID has been present since the + initial revision of gssapi/spnego, + 2baa7e7d613c26b2b037b368931519a84baec53d but might not have + been exercised until later revisions. + + The introduction of opportunistic token handling in + gss_accept_sec_context(), 3c9d3266f47f594a29068c9d629908e7000ac663, + introduced two bugs: + + 1. The optional mechToken field is used unconditionally + possibly resulting in a segmentation fault. + + 2. If use of the opportunistic token is unsuccessful and the + mech type list length is one, send_accept() can be called + with 'initial_response' true and preferred mech set to + GSS_C_NO_OID. + + b53c90da0890a9cce6f95c552f094ff6d69027bf ("Make error reporting + somewhat more correct for SPNEGO") attempted to fix the first + issue and increased the likelihood of the second. + + This change alters the behavior of acceptor_start() so it calls + send_reject() when no mechanism was selected. + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580] +CVE: CVE-2021-44758 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + .../heimdal/lib/gssapi/spnego/accept_sec_context.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c +index 3a51dd3..b60dc19 100644 +--- a/lib/gssapi/spnego/accept_sec_context.c ++++ b/lib/gssapi/spnego/accept_sec_context.c +@@ -619,13 +619,15 @@ acceptor_start + if (ret == 0) + break; + } +- if (preferred_mech_type == GSS_C_NO_OID) { +- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); +- free_NegotiationToken(&nt); +- return ret; +- } ++ } ++ ++ ctx->preferred_mech_type = preferred_mech_type; + +- ctx->preferred_mech_type = preferred_mech_type; ++ if (preferred_mech_type == GSS_C_NO_OID) { ++ send_reject(minor_status, output_token); ++ HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex); ++ free_NegotiationToken(&nt); ++ return ret; + } + + /* +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-2127.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-2127.patch new file mode 100644 index 0000000000..e94d5d538b --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-2127.patch @@ -0,0 +1,44 @@ +From 53838682570135b753fa622dfcde111528563c2d Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Fri, 16 Jun 2023 12:28:47 +0200 +Subject: [PATCH] CVE-2022-2127: ntlm_auth: cap lanman response length value + +We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the +lm_resp buffer, but we don't cap the length indicator. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +CVE: CVE-2022-2127 + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/53838682570135b753fa622dfcde111528563c2d] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/utils/ntlm_auth.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index 02a2379..c82ea45 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -574,10 +574,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username, + memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8)); + + if (lm_response && lm_response->length) { ++ size_t capped_lm_response_len = MIN( ++ lm_response->length, ++ sizeof(request.data.auth_crap.lm_resp)); ++ + memcpy(request.data.auth_crap.lm_resp, + lm_response->data, +- MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp))); +- request.data.auth_crap.lm_resp_len = lm_response->length; ++ capped_lm_response_len); ++ request.data.auth_crap.lm_resp_len = capped_lm_response_len; + } + + if (nt_response && nt_response->length) { +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch new file mode 100644 index 0000000000..abc778b731 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch @@ -0,0 +1,77 @@ +From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:57:13 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour + unwrap + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/arcfour.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index a61f768..4fc46ce 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = ct_memcmp(cksum_data, p + 8, 8); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); + + if (context_handle->more_flags & LOCAL) +- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); ++ cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0); + else +- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); ++ cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0); + + memset(SND_SEQ, 0, sizeof(SND_SEQ)); + if (cmp != 0) { +@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); + + if (context_handle->more_flags & LOCAL) +- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4); ++ cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0); + else +- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4); ++ cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0); + + if (cmp != 0) { + *minor_status = 0; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +@@ -1266,9 +1266,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status, + _gsskrb5_decode_be_om_uint32(snd_seq, &seq_number); + + if (ctx->more_flags & LOCAL) { +- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4); ++ cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0); + } else { +- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4); ++ cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0); + } + if (cmp != 0) { + *minor_status = 0; diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch new file mode 100644 index 0000000000..5686df78e1 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch @@ -0,0 +1,35 @@ +From c9cc34334bd64b08fe91a2f720262462e9f6bb49 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:57:55 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() in + unwrap_des3() + +The surrounding checks all use ct_memcmp(), so this one was presumably +meant to as well. + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/unwrap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c +index da939c0529..61a341ee43 100644 +--- a/lib/gssapi/krb5/unwrap.c ++++ b/lib/gssapi/krb5/unwrap.c +@@ -227,7 +227,7 @@ unwrap_des3 + if (ret) + return ret; + +- if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ ++ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ + return GSS_S_BAD_SIG; + p += 2; + if (ct_memcmp (p, "\x02\x00", 2) == 0) { diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch new file mode 100644 index 0000000000..55239356e4 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch @@ -0,0 +1,50 @@ +From a587a4bcb28d5b9047f332573b1e7c8f89ca3edd Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:57:42 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Don't pass NULL pointers to memcpy() + in DES unwrap + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/unwrap.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c +index 61a341ee43..d3987240dd 100644 +--- a/lib/gssapi/krb5/unwrap.c ++++ b/lib/gssapi/krb5/unwrap.c +@@ -180,9 +180,10 @@ unwrap_des + output_message_buffer->value = malloc(output_message_buffer->length); + if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) + return GSS_S_FAILURE; +- memcpy (output_message_buffer->value, +- p + 24, +- output_message_buffer->length); ++ if (output_message_buffer->value != NULL) ++ memcpy (output_message_buffer->value, ++ p + 24, ++ output_message_buffer->length); + return GSS_S_COMPLETE; + } + #endif +@@ -374,9 +375,10 @@ unwrap_des3 + output_message_buffer->value = malloc(output_message_buffer->length); + if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) + return GSS_S_FAILURE; +- memcpy (output_message_buffer->value, +- p + 36, +- output_message_buffer->length); ++ if (output_message_buffer->value != NULL) ++ memcpy (output_message_buffer->value, ++ p + 36, ++ output_message_buffer->length); + return GSS_S_COMPLETE; + } diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch new file mode 100644 index 0000000000..4e750f0dc6 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch @@ -0,0 +1,57 @@ +From c758910eaad3c0de2cfb68830a661c4739675a7d Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Mon, 15 Aug 2022 16:53:45 +1200 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Avoid undefined behaviour in + _gssapi_verify_pad() + +By decrementing 'pad' only when we know it's safe, we ensure we can't +stray backwards past the start of a buffer, which would be undefined +behaviour. + +In the previous version of the loop, 'i' is the number of bytes left to +check, and 'pad' is the current byte we're checking. 'pad' was +decremented at the end of each loop iteration. If 'i' was 1 (so we +checked the final byte), 'pad' could potentially be pointing to the +first byte of the input buffer, and the decrement would put it one +byte behind the buffer. + +That would be undefined behaviour. + +The patch changes it so that 'pad' is the byte we previously checked, +which allows us to ensure that we only decrement it when we know we +have a byte to check. + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/decapsulate.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c +index 86085f5695..4e3fcd659e 100644 +--- a/lib/gssapi/krb5/decapsulate.c ++++ b/lib/gssapi/krb5/decapsulate.c +@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token, + if (wrapped_token->length < 1) + return GSS_S_BAD_MECH; + +- pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; +- padlength = *pad; ++ pad = (u_char *)wrapped_token->value + wrapped_token->length; ++ padlength = pad[-1]; + + if (padlength > datalen) + return GSS_S_BAD_MECH; + +- for (i = padlength; i > 0 && *pad == padlength; i--, pad--) ++ for (i = padlength; i > 0 && *--pad == padlength; i--) + ; + if (i != 0) + return GSS_S_BAD_MIC; diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch new file mode 100644 index 0000000000..d6ea22e3df --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch @@ -0,0 +1,37 @@ +From 414b2a77fd61c26d64562e3800dc5578d9d0f15d Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Mon, 15 Aug 2022 16:53:55 +1200 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Check the result of + _gsskrb5_get_mech() + +We should make sure that the result of 'total_len - mech_len' won't +overflow, and that we don't memcmp() past the end of the buffer. + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/decapsulate.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c +index 4e3fcd659e..031a621eab 100644 +--- a/lib/gssapi/krb5/decapsulate.c ++++ b/lib/gssapi/krb5/decapsulate.c +@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str, + + if (mech_len != mech->length) + return GSS_S_BAD_MECH; ++ if (mech_len > total_len) ++ return GSS_S_BAD_MECH; ++ if (p - *str > total_len - mech_len) ++ return GSS_S_BAD_MECH; + if (ct_memcmp(p, + mech->elements, + mech->length) != 0) diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch new file mode 100644 index 0000000000..9fa59c29b0 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch @@ -0,0 +1,65 @@ +From be9bbd93ed8f204b4bc1b92d1bc3c16aac194696 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Mon, 15 Aug 2022 16:54:23 +1200 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Check buffer length against overflow + for DES{,3} unwrap + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/unwrap.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c +index d3987240dd..fddb64bc53 100644 +--- a/lib/gssapi/krb5/unwrap.c ++++ b/lib/gssapi/krb5/unwrap.c +@@ -64,6 +64,8 @@ unwrap_des + + if (IS_DCE_STYLE(context_handle)) { + token_len = 22 + 8 + 15; /* 45 */ ++ if (input_message_buffer->length < token_len) ++ return GSS_S_BAD_MECH; + } else { + token_len = input_message_buffer->length; + } +@@ -76,6 +78,11 @@ unwrap_des + if (ret) + return ret; + ++ len = (p - (u_char *)input_message_buffer->value) ++ + 22 + 8; ++ if (input_message_buffer->length < len) ++ return GSS_S_BAD_MECH; ++ + if (memcmp (p, "\x00\x00", 2) != 0) + return GSS_S_BAD_SIG; + p += 2; +@@ -216,6 +223,8 @@ unwrap_des3 + + if (IS_DCE_STYLE(context_handle)) { + token_len = 34 + 8 + 15; /* 57 */ ++ if (input_message_buffer->length < token_len) ++ return GSS_S_BAD_MECH; + } else { + token_len = input_message_buffer->length; + } +@@ -228,6 +237,11 @@ unwrap_des3 + if (ret) + return ret; + ++ len = (p - (u_char *)input_message_buffer->value) ++ + 34 + 8; ++ if (input_message_buffer->length < len) ++ return GSS_S_BAD_MECH; ++ + if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ + return GSS_S_BAD_SIG; + p += 2; diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch new file mode 100644 index 0000000000..b3197afc34 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch @@ -0,0 +1,39 @@ +From c8407ca079294d76a5ed140ba5b546f870d23ed2 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Mon, 10 Oct 2022 20:33:09 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Check for overflow in + _gsskrb5_get_mech() + +If len_len is equal to total_len - 1 (i.e. the input consists only of a +0x60 byte and a length), the expression 'total_len - 1 - len_len - 1', +used as the 'len' parameter to der_get_length(), will overflow to +SIZE_MAX. Then der_get_length() will proceed to read, unconstrained, +whatever data follows in memory. Add a check to ensure that doesn't +happen. + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/decapsulate.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c +index 031a621eab..d7b75a6422 100644 +--- a/lib/gssapi/krb5/decapsulate.c ++++ b/lib/gssapi/krb5/decapsulate.c +@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr, + e = der_get_length (p, total_len - 1, &len, &len_len); + if (e || 1 + len_len + len != total_len) + return -1; ++ if (total_len < 1 + len_len + 1) ++ return -1; + p += len_len; + if (*p++ != 0x06) + return -1; diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch new file mode 100644 index 0000000000..6d64312211 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch @@ -0,0 +1,48 @@ +From 8fb508a25a6a47289c73e3f4339352a73a396eef Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:57:33 +1300 +Subject: [PATCH] gsskrb5: CVE-2022-3437 Pass correct length to + _gssapi_verify_pad() + +We later subtract 8 when calculating the length of the output message +buffer. If padlength is excessively high, this calculation can underflow +and result in a very large positive value. + +Now we properly constrain the value of padlength so underflow shouldn't +be possible. + +Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef] +CVE: CVE-2022-3437 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/unwrap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c +index fddb64bc53..bab30f4501 100644 +--- a/lib/gssapi/krb5/unwrap.c ++++ b/lib/gssapi/krb5/unwrap.c +@@ -124,7 +124,7 @@ unwrap_des + } else { + /* check pad */ + ret = _gssapi_verify_pad(input_message_buffer, +- input_message_buffer->length - len, ++ input_message_buffer->length - len - 8, + &padlength); + if (ret) + return ret; +@@ -289,7 +289,7 @@ unwrap_des3 + } else { + /* check pad */ + ret = _gssapi_verify_pad(input_message_buffer, +- input_message_buffer->length - len, ++ input_message_buffer->length - len - 8, + &padlength); + if (ret) + return ret; diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch new file mode 100644 index 0000000000..07f4a18a2f --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch @@ -0,0 +1,38 @@ +From eb87af0c2d189c25294c7daf483a47b03af80c2c Mon Sep 17 00:00:00 2001 +From: Jeffrey Altman <jaltman@secure-endpoints.com> +Date: Wed, 17 Nov 2021 20:00:29 -0500 +Subject: [PATCH] lib/wind: find_normalize read past end of array + +find_normalize() can under some circumstances read one element +beyond the input array. The contents are discarded immediately +without further use. + +This change prevents the unintended read. + +(cherry picked from commit 357a38fc7fb582ae73f4b7f4a90a4b0b871b149e) + +Change-Id: Ia2759a5632d64f7fa6553f879b5bbbf43ba3513e + +Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c] +CVE: CVE-2022-41916 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/wind/normalize.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/wind/normalize.c b/lib/wind/normalize.c +index 20e8a4a04b..8f3991d10e 100644 +--- a/lib/wind/normalize.c ++++ b/lib/wind/normalize.c +@@ -227,9 +227,9 @@ find_composition(const uint32_t *in, unsigned in_len) + unsigned i; + + if (n % 5 == 0) { +- cur = *in++; + if (in_len-- == 0) + return c->val; ++ cur = *in++; + } + + i = cur >> 16; diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch new file mode 100644 index 0000000000..d6b9826e4b --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-45142.patch @@ -0,0 +1,51 @@ +From: Helmut Grohne <helmut@...divi.de> +Subject: [PATCH v3] CVE-2022-45142: gsskrb5: fix accidental logic inversions + +The referenced commit attempted to fix miscompilations with gcc-9 and +gcc-10 by changing `memcmp(...)` to `memcmp(...) != 0`. Unfortunately, +it also inverted the result of the comparison in two occasions. This +inversion happened during backporting the patch to 7.7.1 and 7.8.0. + +Fixes: f6edaafcfefd ("gsskrb5: CVE-2022-3437 Use constant-time memcmp() + for arcfour unwrap") +Signed-off-by: Helmut Grohne <helmut@...divi.de> + +Upstream-Status: Backport [https://www.openwall.com/lists/oss-security/2023/02/08/1] +CVE: CVE-2022-45142 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + lib/gssapi/krb5/arcfour.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +Changes since v1: + * Fix typo in commit message. + * Mention 7.8.0 in commit message. Thanks to Jeffrey Altman. + +Changes since v2: + * Add CVE identifier. + +diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c +index e838d007a..eee6ad72f 100644 +--- a/lib/gssapi/krb5/arcfour.c ++++ b/lib/gssapi/krb5/arcfour.c +@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0); ++ cmp = (ct_memcmp(cksum_data, p + 8, 8) != 0); + if (cmp) { + *minor_status = 0; + return GSS_S_BAD_MIC; +@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status, + return GSS_S_FAILURE; + } + +- cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */ ++ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ + if (cmp) { + _gsskrb5_release_buffer(minor_status, output_message_buffer); + *minor_status = 0; +-- +2.38.1 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-0922.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-0922.patch new file mode 100644 index 0000000000..b8cb06bee1 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-0922.patch @@ -0,0 +1,111 @@ +From 04e5a7eb03a1e913f34d77b7b6c2353b41ef546a Mon Sep 17 00:00:00 2001 +From: Rob van der Linde <rob@catalyst.net.nz> +Date: Mon, 27 Feb 2023 14:06:23 +1300 +Subject: [PATCH] CVE-2023-0922 set default ldap client sasl wrapping to seal + +This avoids sending new or reset passwords in the clear +(integrity protected only) from samba-tool in particular. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315 + +Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> +Signed-off-by: Andrew Bartlett <abartlet@samba.org> +Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> + +CVE: CVE-2023-0922 + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/04e5a7eb03a] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + .../ldap/clientldapsaslwrapping.xml | 27 +++++++++---------- + lib/param/loadparm.c | 2 +- + python/samba/tests/auth_log.py | 2 +- + source3/param/loadparm.c | 2 +- + 4 files changed, 16 insertions(+), 17 deletions(-) + +diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +index 3152f06..21bd209 100644 +--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml ++++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +@@ -18,25 +18,24 @@ + </para> + + <para> +- This option is needed in the case of Domain Controllers enforcing +- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). +- LDAP sign and seal can be controlled with the registry key +- "<literal>HKLM\System\CurrentControlSet\Services\</literal> +- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>" +- on the Windows server side. +- </para> ++ This option is needed firstly to secure the privacy of ++ administrative connections from <command>samba-tool</command>, ++ including in particular new or reset passwords for users. For ++ this reason the default is <emphasis>seal</emphasis>.</para> + +- <para> +- Depending on the used KRB5 library (MIT and older Heimdal versions) +- it is possible that the message "integrity only" is not supported. +- In this case, <emphasis>sign</emphasis> is just an alias for +- <emphasis>seal</emphasis>. ++ <para>Additionally, <command>winbindd</command> and the ++ <command>net</command> tool can use LDAP to communicate with ++ Domain Controllers, so this option also controls the level of ++ privacy for those connections. All supported AD DC versions ++ will enforce the usage of at least signed LDAP connections by ++ default, so a value of at least <emphasis>sign</emphasis> is ++ required in practice. + </para> + + <para> +- The default value is <emphasis>sign</emphasis>. That implies synchronizing the time ++ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time + with the KDC in the case of using <emphasis>Kerberos</emphasis>. + </para> + </description> +-<value type="default">sign</value> ++<value type="default">seal</value> + </samba:parameter> +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 75687f5..d260691 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2970,7 +2970,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + + lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10"); + +- lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); ++ lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal"); + + lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios"); + +diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py +index 8ac76fe..d2db380 100644 +--- a/python/samba/tests/auth_log.py ++++ b/python/samba/tests/auth_log.py +@@ -471,7 +471,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): + def isLastExpectedMessage(msg): + return (msg["type"] == "Authorization" and + msg["Authorization"]["serviceDescription"] == "LDAP" and +- msg["Authorization"]["transportProtection"] == "SIGN" and ++ msg["Authorization"]["transportProtection"] == "SEAL" and + msg["Authorization"]["authType"] == "krb5") + + self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"], +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index a99ab35..c47c5f6 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + Globals.ldap_debug_level = 0; + Globals.ldap_debug_threshold = 10; + +- Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; ++ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL; + + Globals.ldap_server_require_strong_auth = + LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; +-- +2.40.0 + diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch new file mode 100644 index 0000000000..77a383f09e --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0001.patch @@ -0,0 +1,78 @@ +From 38664163fcac985d87e4274d198568e0fe88595e Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Fri, 26 May 2023 13:06:19 +0200 +Subject: [PATCH] CVE-2023-34966: mdssvc: harden sl_unpack_loop() + +A malicious client could send a packet where subcount is zero, leading to a busy +loop because + + count -= subcount +=> count -= 0 +=> while (count > 0) + +loops forever. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/38664163fcac985d87e4274d198568e0fe88595e] + +CVE: CVE-2023-34966 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_server/mdssvc/marshalling.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c +index 9ba6ef571f2..d794ba15838 100644 +--- a/source3/rpc_server/mdssvc/marshalling.c ++++ b/source3/rpc_server/mdssvc/marshalling.c +@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + sl_nil_t nil = 0; + + subcount = tag.count; +- if (subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + for (i = 0; i < subcount; i++) { +@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_INT64: + subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_UUID: + subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_FLOAT: + subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + + case SQ_TYPE_DATE: + subcount = sl_unpack_date(query, buf, offset, bufsize, encoding); +- if (subcount == -1 || subcount > count) { ++ if (subcount < 1 || subcount > count) { + return -1; + } + offset += tag.size; +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch new file mode 100644 index 0000000000..a86d1729cf --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34966_0002.patch @@ -0,0 +1,140 @@ +From 10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Wed, 31 May 2023 15:34:26 +0200 +Subject: [PATCH] CVE-2023-34966: CI: test for sl_unpack_loop() + +Send a maliciously crafted packet where a nil type has a subcount of 0. This +triggers an endless loop in mdssvc sl_unpack_loop(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/10b6890d26b3c7a829a9e9a05ad1d1ff54daeca9] + +CVE: CVE-2023-34966 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source4/torture/rpc/mdssvc.c | 100 +++++++++++++++++++++++++++++++++++ + 1 file changed, 100 insertions(+) + +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index 2d2a8306412..a9956ef8f1d 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -581,6 +581,102 @@ done: + return ok; + } + ++static uint8_t test_sl_unpack_loop_buf[] = { ++ 0x34, 0x33, 0x32, 0x31, 0x33, 0x30, 0x64, 0x6d, ++ 0x1d, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x02, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x03, 0x00, 0x00, 0x00, ++ 0x06, 0x00, 0x00, 0x07, 0x04, 0x00, 0x00, 0x00, ++ 0x66, 0x65, 0x74, 0x63, 0x68, 0x41, 0x74, 0x74, ++ 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x73, 0x3a, ++ 0x66, 0x6f, 0x72, 0x4f, 0x49, 0x44, 0x41, 0x72, ++ 0x72, 0x61, 0x79, 0x3a, 0x63, 0x6f, 0x6e, 0x74, ++ 0x65, 0x78, 0x74, 0x3a, 0x00, 0x00, 0x00, 0xea, ++ 0x02, 0x00, 0x00, 0x84, 0x02, 0x00, 0x00, 0x00, ++ 0x0a, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x04, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x05, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x07, 0x03, 0x00, 0x00, 0x00, ++ 0x6b, 0x4d, 0x44, 0x49, 0x74, 0x65, 0x6d, 0x50, ++ 0x61, 0x74, 0x68, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0x00, 0x02, 0x06, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x87, 0x08, 0x00, 0x00, 0x00, ++ 0x01, 0x00, 0xdd, 0x0a, 0x20, 0x00, 0x00, 0x6b, ++ 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x07, 0x00, 0x00, 0x88, 0x00, 0x00, 0x00, 0x00, ++ 0x02, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, ++ 0x03, 0x00, 0x00, 0x0a, 0x03, 0x00, 0x00, 0x00, ++ 0x04, 0x00, 0x00, 0x0c, 0x04, 0x00, 0x00, 0x00, ++ 0x0e, 0x00, 0x00, 0x0a, 0x01, 0x00, 0x00, 0x00, ++ 0x0f, 0x00, 0x00, 0x0c, 0x03, 0x00, 0x00, 0x00, ++ 0x13, 0x00, 0x00, 0x1a, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00 ++}; ++ ++static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx, ++ void *data) ++{ ++ struct torture_mdsscv_state *state = talloc_get_type_abort( ++ data, struct torture_mdsscv_state); ++ struct dcerpc_binding_handle *b = state->p->binding_handle; ++ struct mdssvc_blob request_blob; ++ struct mdssvc_blob response_blob; ++ uint32_t device_id; ++ uint32_t unkn2; ++ uint32_t unkn9; ++ uint32_t fragment; ++ uint32_t flags; ++ NTSTATUS status; ++ bool ok = true; ++ ++ device_id = UINT32_C(0x2f000045); ++ unkn2 = 23; ++ unkn9 = 0; ++ fragment = 0; ++ flags = UINT32_C(0x6b000001); ++ ++ request_blob.spotlight_blob = test_sl_unpack_loop_buf; ++ request_blob.size = sizeof(test_sl_unpack_loop_buf); ++ request_blob.length = sizeof(test_sl_unpack_loop_buf); ++ ++ response_blob.spotlight_blob = talloc_array(state, ++ uint8_t, ++ 0); ++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, ++ ok, done, "dalloc_zero failed\n"); ++ response_blob.size = 0; ++ ++ status = dcerpc_mdssvc_cmd(b, ++ state, ++ &state->ph, ++ 0, ++ device_id, ++ unkn2, ++ 0, ++ flags, ++ request_blob, ++ 0, ++ 64 * 1024, ++ 1, ++ 64 * 1024, ++ 0, ++ 0, ++ &fragment, ++ &response_blob, ++ &unkn9); ++ torture_assert_ntstatus_ok_goto( ++ tctx, status, ok, done, ++ "dcerpc_mdssvc_unknown1 failed\n"); ++ ++done: ++ return ok; ++} ++ + static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx, + void *data) + { +@@ -856,5 +952,9 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx) + "fetch_unknown_cnid", + test_mdssvc_fetch_attr_unknown_cnid); + ++ torture_tcase_add_simple_test(tcase, ++ "mdssvc_sl_unpack_loop", ++ test_mdssvc_sl_unpack_loop); ++ + return suite; + } +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch new file mode 100644 index 0000000000..e30e54ab96 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0001.patch @@ -0,0 +1,178 @@ +From 3b3c30e2acfb00d04c4013e32343bc277d5b1aa8 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Wed, 31 May 2023 16:26:14 +0200 +Subject: [PATCH] CVE-2023-34967: CI: add a test for type checking of + dalloc_value_for_key() + +Sends a maliciously crafted packet where the value in a key/value style +dictionary for the "scope" key is a simple string object whereas the server +expects an array. As the server doesn't perform type validation on the value, it +crashes when trying to use the "simple" object as a "complex" one. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/3b3c30e2acfb00d04c4013e32343bc277d5b1aa8] + +CVE: CVE-2023-34967 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source4/torture/rpc/mdssvc.c | 134 +++++++++++++++++++++++++++++++++++ + 1 file changed, 134 insertions(+) + +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index f5f5939..1dce403 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -666,6 +666,136 @@ done: + return ok; + } + ++static bool test_sl_dict_type_safety(struct torture_context *tctx, ++ void *data) ++{ ++ struct torture_mdsscv_state *state = talloc_get_type_abort( ++ data, struct torture_mdsscv_state); ++ struct dcerpc_binding_handle *b = state->p->binding_handle; ++ struct mdssvc_blob request_blob; ++ struct mdssvc_blob response_blob; ++ uint64_t ctx1 = 0xdeadbeef; ++ uint64_t ctx2 = 0xcafebabe; ++ uint32_t device_id; ++ uint32_t unkn2; ++ uint32_t unkn9; ++ uint32_t fragment; ++ uint32_t flags; ++ DALLOC_CTX *d = NULL; ++ sl_array_t *array1 = NULL, *array2 = NULL; ++ sl_dict_t *arg = NULL; ++ int result; ++ NTSTATUS status; ++ bool ok = true; ++ ++ device_id = UINT32_C(0x2f000045); ++ unkn2 = 23; ++ unkn9 = 0; ++ fragment = 0; ++ flags = UINT32_C(0x6b000001); ++ ++ d = dalloc_new(tctx); ++ torture_assert_not_null_goto(tctx, d, ++ ok, done, "dalloc_new failed\n"); ++ ++ array1 = dalloc_zero(d, sl_array_t); ++ torture_assert_not_null_goto(tctx, array1, ++ ok, done, "dalloc_zero failed\n"); ++ ++ array2 = dalloc_zero(d, sl_array_t); ++ torture_assert_not_null_goto(tctx, array2, ++ ok, done, "dalloc_new failed\n"); ++ ++ result = dalloc_stradd(array2, "openQueryWithParams:forContext:"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_add_copy(array2, &ctx1, uint64_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_add_copy(array2, &ctx2, uint64_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ arg = dalloc_zero(array1, sl_dict_t); ++ torture_assert_not_null_goto(tctx, d, ++ ok, done, "dalloc_zero failed\n"); ++ ++ result = dalloc_stradd(arg, "kMDQueryString"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_stradd(arg, "*"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_stradd(arg, "kMDScopeArray"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_stradd(arg, "AAAABBBB"); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_stradd failed\n"); ++ ++ result = dalloc_add(array1, array2, sl_array_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_add failed\n"); ++ ++ result = dalloc_add(array1, arg, sl_dict_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_add failed\n"); ++ ++ result = dalloc_add(d, array1, sl_array_t); ++ torture_assert_goto(tctx, result == 0, ++ ok, done, "dalloc_add failed\n"); ++ ++ torture_comment(tctx, "%s", dalloc_dump(d, 0)); ++ ++ request_blob.spotlight_blob = talloc_array(tctx, ++ uint8_t, ++ 64 * 1024); ++ torture_assert_not_null_goto(tctx, request_blob.spotlight_blob, ++ ok, done, "dalloc_new failed\n"); ++ request_blob.size = 64 * 1024; ++ ++ request_blob.length = sl_pack(d, ++ (char *)request_blob.spotlight_blob, ++ request_blob.size); ++ torture_assert_goto(tctx, request_blob.length > 0, ++ ok, done, "sl_pack failed\n"); ++ ++ response_blob.spotlight_blob = talloc_array(state, uint8_t, 0); ++ torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, ++ ok, done, "dalloc_zero failed\n"); ++ response_blob.size = 0; ++ ++ status = dcerpc_mdssvc_cmd(b, ++ state, ++ &state->ph, ++ 0, ++ device_id, ++ unkn2, ++ 0, ++ flags, ++ request_blob, ++ 0, ++ 64 * 1024, ++ 1, ++ 64 * 1024, ++ 0, ++ 0, ++ &fragment, ++ &response_blob, ++ &unkn9); ++ torture_assert_ntstatus_ok_goto( ++ tctx, status, ok, done, ++ "dcerpc_mdssvc_cmd failed\n"); ++ ++done: ++ return ok; ++} ++ + static bool test_mdssvc_invalid_ph_close(struct torture_context *tctx, + void *data) + { +@@ -940,6 +1070,10 @@ struct torture_suite *torture_rpc_mdssvc(TALLOC_CTX *mem_ctx) + torture_tcase_add_simple_test(tcase, + "mdssvc_sl_unpack_loop", + test_mdssvc_sl_unpack_loop); ++ torture_tcase_add_simple_test(tcase, ++ "sl_dict_type_safety", ++ test_sl_dict_type_safety); ++ + + return suite; + } +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch new file mode 100644 index 0000000000..2e4907ab62 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34967_0002.patch @@ -0,0 +1,125 @@ +From 049c13245649fab412b61a5b55e5a7dea72d7c72 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Fri, 26 May 2023 15:06:38 +0200 +Subject: [PATCH] CVE-2023-34967: mdssvc: add type checking to + dalloc_value_for_key() + +Change the dalloc_value_for_key() function to require an additional final +argument which denotes the expected type of the value associated with a key. If +the types don't match, return NULL. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/4c60e35add4a1abd04334012a8d6edf1c3f396ba] + +CVE: CVE-2023-34967 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++---- + source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++---- + 2 files changed, 23 insertions(+), 8 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c +index 007702d..8b79b41 100644 +--- a/source3/rpc_server/mdssvc/dalloc.c ++++ b/source3/rpc_server/mdssvc/dalloc.c +@@ -159,7 +159,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + int result = 0; + void *p = NULL; + va_list args; +- const char *type; ++ const char *type = NULL; + int elem; + size_t array_len; + +@@ -170,7 +170,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + array_len = talloc_array_length(d->dd_talloc_array); + elem = va_arg(args, int); + if (elem >= array_len) { +- va_end(args); + result = -1; + goto done; + } +@@ -178,8 +177,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + type = va_arg(args, const char *); + } + +- va_end(args); +- + array_len = talloc_array_length(d->dd_talloc_array); + + for (elem = 0; elem + 1 < array_len; elem += 2) { +@@ -192,8 +189,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...) + break; + } + } ++ if (p == NULL) { ++ goto done; ++ } ++ ++ type = va_arg(args, const char *); ++ if (strcmp(talloc_get_name(p), type) != 0) { ++ p = NULL; ++ } + + done: ++ va_end(args); + if (result != 0) { + p = NULL; + } +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index a983a88..fe6e0c2 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -884,7 +884,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + + querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0, + "DALLOC_CTX", 1, +- "kMDQueryString"); ++ "kMDQueryString", ++ "char *"); + if (querystring == NULL) { + DEBUG(1, ("missing kMDQueryString\n")); + goto error; +@@ -924,8 +925,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + slq->ctx2 = *uint64p; + + path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0, +- "DALLOC_CTX", 1, "kMDScopeArray"); ++ "DALLOC_CTX", 1, ++ "kMDScopeArray", ++ "sl_array_t"); + if (path_scope == NULL) { ++ DBG_ERR("missing kMDScopeArray\n"); + goto error; + } + +@@ -940,8 +944,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + } + + reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0, +- "DALLOC_CTX", 1, "kMDAttributeArray"); ++ "DALLOC_CTX", 1, ++ "kMDAttributeArray", ++ "sl_array_t"); + if (reqinfo == NULL) { ++ DBG_ERR("missing kMDAttributeArray\n"); + goto error; + } + +@@ -949,7 +956,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + DEBUG(10, ("requested attributes: %s", dalloc_dump(reqinfo, 0))); + + cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0, +- "DALLOC_CTX", 1, "kMDQueryItemArray"); ++ "DALLOC_CTX", 1, ++ "kMDQueryItemArray", ++ "sl_array_t"); + if (cnids) { + ok = sort_cnids(slq, cnids->ca_cnids); + if (!ok) { +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch new file mode 100644 index 0000000000..ad8e3e4ce3 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0001.patch @@ -0,0 +1,104 @@ +From 98b2a013bc723cd660978d5a1db40b987816f90e Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Tue, 6 Jun 2023 15:17:26 +0200 +Subject: [PATCH] CVE-2023-34968: mdssvc: cache and reuse stat info in struct + sl_inode_path_map + +Prepare for the "path" being a fake path and not the real server-side +path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already +got stat info for the object in mds_add_result() so we can just pass stat info +from there. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/98b2a013bc723cd660978d5a1db40b987816f90e] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_server/mdssvc/mdssvc.c | 32 +++++++----------------------- + source3/rpc_server/mdssvc/mdssvc.h | 1 + + 2 files changed, 8 insertions(+), 25 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index 26a3ec7..a6cc653 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -446,7 +446,10 @@ static int ino_path_map_destr_cb(struct sl_inode_path_map *entry) + * entries by calling talloc_free() on the query slq handles. + **/ + +-static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path) ++static bool inode_map_add(struct sl_query *slq, ++ uint64_t ino, ++ const char *path, ++ struct stat_ex *st) + { + NTSTATUS status; + struct sl_inode_path_map *entry; +@@ -493,6 +496,7 @@ static bool inode_map_add(struct sl_query *slq, uint64_t ino, const char *path) + + entry->ino = ino; + entry->mds_ctx = slq->mds_ctx; ++ entry->st = *st; + entry->path = talloc_strdup(entry, path); + if (entry->path == NULL) { + DEBUG(1, ("talloc failed\n")); +@@ -629,7 +633,7 @@ bool mds_add_result(struct sl_query *slq, const char *path) + return false; + } + +- ok = inode_map_add(slq, ino64, path); ++ ok = inode_map_add(slq, ino64, path, &sb); + if (!ok) { + DEBUG(1, ("inode_map_add error\n")); + slq->state = SLQ_STATE_ERROR; +@@ -1350,29 +1354,7 @@ static bool slrpc_fetch_attributes(struct mds_ctx *mds_ctx, + elem = talloc_get_type_abort(p, struct sl_inode_path_map); + path = elem->path; + +- status = synthetic_pathref(talloc_tos(), +- mds_ctx->conn->cwd_fsp, +- path, +- NULL, +- NULL, +- 0, +- 0, +- &smb_fname); +- if (!NT_STATUS_IS_OK(status)) { +- /* This is not an error, the user may lack permissions */ +- DBG_DEBUG("synthetic_pathref [%s]: %s\n", +- smb_fname_str_dbg(smb_fname), +- nt_errstr(status)); +- return true; +- } +- +- result = SMB_VFS_FSTAT(smb_fname->fsp, &smb_fname->st); +- if (result != 0) { +- TALLOC_FREE(smb_fname); +- return true; +- } +- +- sp = &smb_fname->st; ++ sp = &elem->st; + } + + ok = add_filemeta(mds_ctx, reqinfo, fm_array, path, sp); +diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h +index 3924827..a097991 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.h ++++ b/source3/rpc_server/mdssvc/mdssvc.h +@@ -105,6 +105,7 @@ struct sl_inode_path_map { + struct mds_ctx *mds_ctx; + uint64_t ino; + char *path; ++ struct stat_ex st; + }; + + /* Per process state */ +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch new file mode 100644 index 0000000000..21b98c4d7e --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0002.patch @@ -0,0 +1,39 @@ +From 47a0c1681dd1e7ec407679793966ec8bdc08a24e Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Sat, 17 Jun 2023 13:39:55 +0200 +Subject: [PATCH] CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" + dict key in slrpc_fetch_properties() + +We were adding the value, but not the key. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/47a0c1681dd1e7ec407679793966ec8bdc08a24e] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_server/mdssvc/mdssvc.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index a6d09a43b9c..9c23ef95753 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -730,6 +730,10 @@ static bool slrpc_fetch_properties(struct mds_ctx *mds_ctx, + } + + /* kMDSStoreMetaScopes array */ ++ result = dalloc_stradd(dict, "kMDSStoreMetaScopes"); ++ if (result != 0) { ++ return false; ++ } + array = dalloc_zero(dict, sl_array_t); + if (array == NULL) { + return NULL; +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch new file mode 100644 index 0000000000..42106d82b8 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0003.patch @@ -0,0 +1,65 @@ +From 56a21b3bc8fb24416ead9061f9305c8122bc7f86 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Mon, 19 Jun 2023 17:14:38 +0200 +Subject: [PATCH] CVE-2023-34968: mdscli: use correct TALLOC memory context + when allocating spotlight_blob + +d is talloc_free()d at the end of the functions and the buffer was later used +after beeing freed in the DCERPC layer when sending the packet. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/56a21b3bc8fb24416ead9061f9305c8122bc7f86] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_client/cli_mdssvc_util.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c +index fe5092c3790..892a844e71a 100644 +--- a/source3/rpc_client/cli_mdssvc_util.c ++++ b/source3/rpc_client/cli_mdssvc_util.c +@@ -209,7 +209,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +@@ -293,7 +293,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +@@ -426,7 +426,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +@@ -510,7 +510,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(d, ++ blob->spotlight_blob = talloc_array(mem_ctx, + uint8_t, + ctx->max_fragment_size); + if (blob->spotlight_blob == NULL) { +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch new file mode 100644 index 0000000000..785908b528 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0004.patch @@ -0,0 +1,85 @@ +From 0ae6084d1a9c4eb12e9f1ab1902e00f96bcbea55 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Mon, 19 Jun 2023 18:28:41 +0200 +Subject: [PATCH] CVE-2023-34968: mdscli: remove response blob allocation + +This is handled by the NDR code transparently. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> +--- + source3/rpc_client/cli_mdssvc.c | 36 --------------------------------- + 1 file changed, 36 deletions(-) + +diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c +index 046d37135cb..474d7c0b150 100644 +--- a/source3/rpc_client/cli_mdssvc.c ++++ b/source3/rpc_client/cli_mdssvc.c +@@ -276,15 +276,6 @@ struct tevent_req *mdscli_search_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +@@ -457,15 +448,6 @@ struct tevent_req *mdscli_get_results_send( + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +@@ -681,15 +663,6 @@ struct tevent_req *mdscli_get_path_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +@@ -852,15 +825,6 @@ struct tevent_req *mdscli_close_search_send(TALLOC_CTX *mem_ctx, + return tevent_req_post(req, ev); + } + +- state->response_blob.spotlight_blob = talloc_array( +- state, +- uint8_t, +- mdscli_ctx->max_fragment_size); +- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) { +- return tevent_req_post(req, ev); +- } +- state->response_blob.size = mdscli_ctx->max_fragment_size; +- + subreq = dcerpc_mdssvc_cmd_send(state, + ev, + mdscli_ctx->bh, +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch new file mode 100644 index 0000000000..308b441e95 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0005.patch @@ -0,0 +1,83 @@ +From 353a9ccea6ff93ea2cd604dcc2b0372f056f819d Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Tue, 20 Jun 2023 11:28:47 +0200 +Subject: [PATCH] CVE-2023-34968: smbtorture: remove response blob allocation + in mdssvc.c + +This is alreay done by NDR for us. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/353a9ccea6ff93ea2cd604dcc2b0372f056f819d] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> + +--- + source4/torture/rpc/mdssvc.c | 26 -------------------------- + 1 file changed, 26 deletions(-) + +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index 3689692f7de..a16bd5b47e3 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -536,13 +536,6 @@ static bool test_mdssvc_invalid_ph_cmd(struct torture_context *tctx, + request_blob.length = 0; + request_blob.size = 0; + +- response_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- 0); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ok, done, "dalloc_zero failed\n"); +- response_blob.size = 0; +- + status = dcerpc_mdssvc_cmd(b, + state, + &ph, +@@ -632,13 +625,6 @@ static bool test_mdssvc_sl_unpack_loop(struct torture_context *tctx, + request_blob.size = sizeof(test_sl_unpack_loop_buf); + request_blob.length = sizeof(test_sl_unpack_loop_buf); + +- response_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- 0); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ok, done, "dalloc_zero failed\n"); +- response_blob.size = 0; +- + status = dcerpc_mdssvc_cmd(b, + state, + &state->ph, +@@ -764,11 +750,6 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx, + torture_assert_goto(tctx, request_blob.length > 0, + ok, done, "sl_pack failed\n"); + +- response_blob.spotlight_blob = talloc_array(state, uint8_t, 0); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ok, done, "dalloc_zero failed\n"); +- response_blob.size = 0; +- + status = dcerpc_mdssvc_cmd(b, + state, + &state->ph, +@@ -926,13 +907,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx, + ret, done, "dalloc_zero failed\n"); + request_blob.size = max_fragment_size; + +- response_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- max_fragment_size); +- torture_assert_not_null_goto(tctx, response_blob.spotlight_blob, +- ret, done, "dalloc_zero failed\n"); +- response_blob.size = max_fragment_size; +- + len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); + torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n"); + +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch new file mode 100644 index 0000000000..34526a8c8e --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0006.patch @@ -0,0 +1,57 @@ +From 449f1280b718c6da3b8e309fe124be4e9bfd8184 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Tue, 20 Jun 2023 11:35:41 +0200 +Subject: [PATCH] CVE-2023-34968: rpcclient: remove response blob allocation + +This is alreay done by NDR for us. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/449f1280b718c6da3b8e309fe124be4e9bfd8184] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpcclient/cmd_spotlight.c | 16 ---------------- + 1 file changed, 16 deletions(-) + +diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c +index 24db9893df6..64fe321089c 100644 +--- a/source3/rpcclient/cmd_spotlight.c ++++ b/source3/rpcclient/cmd_spotlight.c +@@ -144,13 +144,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties( + } + request_blob.size = max_fragment_size; + +- response_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size); +- if (response_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- response_blob.size = max_fragment_size; +- + len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); + if (len == -1) { + status = NT_STATUS_INTERNAL_ERROR; +@@ -368,15 +361,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes( + } + request_blob.size = max_fragment_size; + +- response_blob.spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- max_fragment_size); +- if (response_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- response_blob.size = max_fragment_size; +- + len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); + if (len == -1) { + status = NT_STATUS_INTERNAL_ERROR; +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch new file mode 100644 index 0000000000..679e174c05 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0007.patch @@ -0,0 +1,49 @@ +From cc593a6ac531f02f2fe70fd4f7dfe649a02f9206 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Tue, 20 Jun 2023 11:42:10 +0200 +Subject: [PATCH] CVE-2023-34968: mdssvc: remove response blob allocation + +This is alreay done by NDR for us. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/cc593a6ac531f02f2fe70fd4f7dfe649a02f9206] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 8 -------- + 1 file changed, 8 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +index b8eed8b..714e6c1 100644 +--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c ++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +@@ -209,7 +209,6 @@ void _mdssvc_unknown1(struct pipes_struct *p, struct mdssvc_unknown1 *r) + void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r) + { + bool ok; +- char *rbuf; + struct mds_ctx *mds_ctx; + NTSTATUS status; + +@@ -266,13 +265,6 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r) + return; + } + +- rbuf = talloc_zero_array(p->mem_ctx, char, r->in.max_fragment_size1); +- if (rbuf == NULL) { +- p->fault_state = DCERPC_FAULT_CANT_PERFORM; +- return; +- } +- r->out.response_blob->spotlight_blob = (uint8_t *)rbuf; +- r->out.response_blob->size = r->in.max_fragment_size1; + + /* We currently don't use fragmentation at the mdssvc RPC layer */ + *r->out.fragment = 0; +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch new file mode 100644 index 0000000000..e65379fe83 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0008.patch @@ -0,0 +1,62 @@ +From 397919e82b493206ae9b60bb9c539d52c3207729 Mon Sep 17 00:00:00 2001 +From: Archana Polampalli <archana.polampalli@windriver.com> +Date: Fri, 29 Sep 2023 08:59:31 +0000 +Subject: [PATCH] CVE-2023-34968: mdssvc: switch to doing an early return + +Just reduce indentation of the code handling the success case. No change in +behaviour. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/397919e82b493206ae9b60bb9c539d52c3207729] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_server/mdssvc/mdssvc.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index a6cc653..0e6a916 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -1798,19 +1798,21 @@ bool mds_dispatch(struct mds_ctx *mds_ctx, + } + + ok = slcmd->function(mds_ctx, query, reply); +- if (ok) { +- DBG_DEBUG("%s", dalloc_dump(reply, 0)); +- +- len = sl_pack(reply, +- (char *)response_blob->spotlight_blob, +- response_blob->size); +- if (len == -1) { +- DBG_ERR("error packing Spotlight RPC reply\n"); +- ok = false; +- goto cleanup; +- } +- response_blob->length = len; ++ if (!ok) { ++ goto cleanup; ++ } ++ ++ DBG_DEBUG("%s", dalloc_dump(reply, 0)); ++ ++ len = sl_pack(reply, ++ (char *)response_blob->spotlight_blob, ++ response_blob->size); ++ if (len == -1) { ++ DBG_ERR("error packing Spotlight RPC reply\n"); ++ ok = false; ++ goto cleanup; + } ++ response_blob->length = len; + + cleanup: + talloc_free(query); +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch new file mode 100644 index 0000000000..e21f2ba4be --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0009.patch @@ -0,0 +1,465 @@ +From cb8313e7bee75454ce29d2b2f657927259298f52 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Mon, 19 Jun 2023 18:16:57 +0200 +Subject: [PATCH] CVE-2023-34968: mdssvc: introduce an allocating wrapper to + sl_pack() + +sl_pack_alloc() does the buffer allocation that previously all callers of +sl_pack() did themselves. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/cb8313e7bee75454ce29d2b2f657927259298f52] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/rpc_client/cli_mdssvc_util.c | 80 +++++------------------ + source3/rpc_server/mdssvc/marshalling.c | 35 ++++++++-- + source3/rpc_server/mdssvc/marshalling.h | 9 ++- + source3/rpc_server/mdssvc/mdssvc.c | 18 ++--- + source3/rpc_server/mdssvc/mdssvc.h | 5 +- + source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 5 +- + source3/rpcclient/cmd_spotlight.c | 32 ++------- + source4/torture/rpc/mdssvc.c | 24 ++----- + 8 files changed, 80 insertions(+), 128 deletions(-) + +diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c +index 892a844..a39202d 100644 +--- a/source3/rpc_client/cli_mdssvc_util.c ++++ b/source3/rpc_client/cli_mdssvc_util.c +@@ -42,7 +42,7 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + sl_array_t *scope_array = NULL; + double dval; + uint64_t uint64val; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -209,23 +209,11 @@ NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } + +@@ -238,7 +226,7 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx, + uint64_t *uint64p = NULL; + sl_array_t *array = NULL; + sl_array_t *cmd_array = NULL; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -293,23 +281,11 @@ NTSTATUS mdscli_blob_get_results(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } + +@@ -325,7 +301,7 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx, + sl_array_t *cmd_array = NULL; + sl_array_t *attr_array = NULL; + sl_cnids_t *cnids = NULL; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -426,23 +402,11 @@ NTSTATUS mdscli_blob_get_path(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } + +@@ -455,7 +419,7 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx, + uint64_t *uint64p = NULL; + sl_array_t *array = NULL; + sl_array_t *cmd_array = NULL; +- ssize_t len; ++ NTSTATUS status; + int ret; + + d = dalloc_new(mem_ctx); +@@ -510,22 +474,10 @@ NTSTATUS mdscli_blob_close_search(TALLOC_CTX *mem_ctx, + return NT_STATUS_NO_MEMORY; + } + +- blob->spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- ctx->max_fragment_size); +- if (blob->spotlight_blob == NULL) { +- TALLOC_FREE(d); +- return NT_STATUS_NO_MEMORY; +- } +- blob->size = ctx->max_fragment_size; +- +- len = sl_pack(d, (char *)blob->spotlight_blob, blob->size); ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); + TALLOC_FREE(d); +- if (len == -1) { +- return NT_STATUS_NO_MEMORY; ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; + } +- +- blob->length = len; +- blob->size = len; + return NT_STATUS_OK; + } +diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c +index 441d411..34bfda5 100644 +--- a/source3/rpc_server/mdssvc/marshalling.c ++++ b/source3/rpc_server/mdssvc/marshalling.c +@@ -78,6 +78,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, const char *buf, + ssize_t offset, size_t bufsize, + int count, ssize_t toc_offset, + int encoding); ++static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize); + + /****************************************************************************** + * Wrapper functions for the *VAL macros with bound checking +@@ -1190,11 +1191,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query, + return offset; + } + +-/****************************************************************************** +- * Global functions for packing und unpacking +- ******************************************************************************/ +- +-ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize) ++static ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize) + { + ssize_t result; + char *toc_buf; +@@ -1274,6 +1271,34 @@ ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize) + return len; + } + ++/****************************************************************************** ++ * Global functions for packing und unpacking ++ ******************************************************************************/ ++ ++NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx, ++ DALLOC_CTX *d, ++ struct mdssvc_blob *b, ++ size_t max_fragment_size) ++{ ++ ssize_t len; ++ ++ b->spotlight_blob = talloc_zero_array(mem_ctx, ++ uint8_t, ++ max_fragment_size); ++ if (b->spotlight_blob == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ len = sl_pack(d, (char *)b->spotlight_blob, max_fragment_size); ++ if (len == -1) { ++ return NT_STATUS_DATA_ERROR; ++ } ++ ++ b->length = len; ++ b->size = len; ++ return NT_STATUS_OK; ++} ++ + bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize) + { + ssize_t result; +diff --git a/source3/rpc_server/mdssvc/marshalling.h b/source3/rpc_server/mdssvc/marshalling.h +index 086ca74..2cc1b44 100644 +--- a/source3/rpc_server/mdssvc/marshalling.h ++++ b/source3/rpc_server/mdssvc/marshalling.h +@@ -22,6 +22,9 @@ + #define _MDSSVC_MARSHALLING_H + + #include "dalloc.h" ++#include "libcli/util/ntstatus.h" ++#include "lib/util/data_blob.h" ++#include "librpc/gen_ndr/mdssvc.h" + + #define MAX_SL_FRAGMENT_SIZE 0xFFFFF + +@@ -49,7 +52,11 @@ typedef struct { + * Function declarations + ******************************************************************************/ + +-extern ssize_t sl_pack(DALLOC_CTX *query, char *buf, size_t bufsize); ++extern NTSTATUS sl_pack_alloc(TALLOC_CTX *mem_ctx, ++ DALLOC_CTX *d, ++ struct mdssvc_blob *b, ++ size_t max_fragment_size); ++ + extern bool sl_unpack(DALLOC_CTX *query, const char *buf, size_t bufsize); + + #endif +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index 0e6a916..19257e8 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -1726,11 +1726,11 @@ error: + **/ + bool mds_dispatch(struct mds_ctx *mds_ctx, + struct mdssvc_blob *request_blob, +- struct mdssvc_blob *response_blob) ++ struct mdssvc_blob *response_blob, ++ size_t max_fragment_size) + { + bool ok; + int ret; +- ssize_t len; + DALLOC_CTX *query = NULL; + DALLOC_CTX *reply = NULL; + char *rpccmd; +@@ -1738,6 +1738,7 @@ bool mds_dispatch(struct mds_ctx *mds_ctx, + const struct smb_filename conn_basedir = { + .base_name = mds_ctx->conn->connectpath, + }; ++ NTSTATUS status; + + if (CHECK_DEBUGLVL(10)) { + const struct sl_query *slq; +@@ -1804,15 +1805,14 @@ bool mds_dispatch(struct mds_ctx *mds_ctx, + + DBG_DEBUG("%s", dalloc_dump(reply, 0)); + +- len = sl_pack(reply, +- (char *)response_blob->spotlight_blob, +- response_blob->size); +- if (len == -1) { +- DBG_ERR("error packing Spotlight RPC reply\n"); +- ok = false; ++ status = sl_pack_alloc(response_blob, ++ reply, ++ response_blob, ++ max_fragment_size); ++ if (!NT_STATUS_IS_OK(status)) { ++ DBG_ERR("sl_pack_alloc() failed\n"); + goto cleanup; + } +- response_blob->length = len; + + cleanup: + talloc_free(query); +diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h +index a097991..b3bd8b9 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.h ++++ b/source3/rpc_server/mdssvc/mdssvc.h +@@ -157,9 +157,10 @@ struct mds_ctx *mds_init_ctx(TALLOC_CTX *mem_ctx, + int snum, + const char *sharename, + const char *path); +-extern bool mds_dispatch(struct mds_ctx *query_ctx, ++extern bool mds_dispatch(struct mds_ctx *mds_ctx, + struct mdssvc_blob *request_blob, +- struct mdssvc_blob *response_blob); ++ struct mdssvc_blob *response_blob, ++ size_t max_fragment_size); + bool mds_add_result(struct sl_query *slq, const char *path); + + #endif /* _MDSSVC_H */ +diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +index 714e6c1..59e2a97 100644 +--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c ++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +@@ -269,7 +269,10 @@ void _mdssvc_cmd(struct pipes_struct *p, struct mdssvc_cmd *r) + /* We currently don't use fragmentation at the mdssvc RPC layer */ + *r->out.fragment = 0; + +- ok = mds_dispatch(mds_ctx, &r->in.request_blob, r->out.response_blob); ++ ok = mds_dispatch(mds_ctx, ++ &r->in.request_blob, ++ r->out.response_blob, ++ r->in.max_fragment_size1); + if (ok) { + *r->out.unkn9 = 0; + } else { +diff --git a/source3/rpcclient/cmd_spotlight.c b/source3/rpcclient/cmd_spotlight.c +index 64fe321..ba3f61f 100644 +--- a/source3/rpcclient/cmd_spotlight.c ++++ b/source3/rpcclient/cmd_spotlight.c +@@ -43,7 +43,6 @@ static NTSTATUS cmd_mdssvc_fetch_properties( + uint32_t unkn3; /* server always returns 0 ? */ + struct mdssvc_blob request_blob; + struct mdssvc_blob response_blob; +- ssize_t len; + uint32_t max_fragment_size = 64 * 1024; + DALLOC_CTX *d, *mds_reply; + uint64_t *uint64var; +@@ -137,20 +136,10 @@ static NTSTATUS cmd_mdssvc_fetch_properties( + goto done; + } + +- request_blob.spotlight_blob = talloc_array(mem_ctx, uint8_t, max_fragment_size); +- if (request_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- request_blob.size = max_fragment_size; +- +- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); +- if (len == -1) { +- status = NT_STATUS_INTERNAL_ERROR; ++ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size); ++ if (!NT_STATUS_IS_OK(status)) { + goto done; + } +- request_blob.length = len; +- request_blob.size = len; + + status = dcerpc_mdssvc_cmd(b, mem_ctx, + &share_handle, +@@ -204,7 +193,6 @@ static NTSTATUS cmd_mdssvc_fetch_attributes( + uint32_t unkn3; /* server always returns 0 ? */ + struct mdssvc_blob request_blob; + struct mdssvc_blob response_blob; +- ssize_t len; + uint32_t max_fragment_size = 64 * 1024; + DALLOC_CTX *d, *mds_reply; + uint64_t *uint64var; +@@ -352,22 +340,10 @@ static NTSTATUS cmd_mdssvc_fetch_attributes( + goto done; + } + +- request_blob.spotlight_blob = talloc_array(mem_ctx, +- uint8_t, +- max_fragment_size); +- if (request_blob.spotlight_blob == NULL) { +- status = NT_STATUS_INTERNAL_ERROR; +- goto done; +- } +- request_blob.size = max_fragment_size; +- +- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); +- if (len == -1) { +- status = NT_STATUS_INTERNAL_ERROR; ++ status = sl_pack_alloc(mem_ctx, d, &request_blob, max_fragment_size); ++ if (!NT_STATUS_IS_OK(status)) { + goto done; + } +- request_blob.length = len; +- request_blob.size = len; + + status = dcerpc_mdssvc_cmd(b, mem_ctx, + &share_handle, +diff --git a/source4/torture/rpc/mdssvc.c b/source4/torture/rpc/mdssvc.c +index e99c82c..1305456 100644 +--- a/source4/torture/rpc/mdssvc.c ++++ b/source4/torture/rpc/mdssvc.c +@@ -745,11 +745,9 @@ static bool test_sl_dict_type_safety(struct torture_context *tctx, + ok, done, "dalloc_new failed\n"); + request_blob.size = 64 * 1024; + +- request_blob.length = sl_pack(d, +- (char *)request_blob.spotlight_blob, +- request_blob.size); +- torture_assert_goto(tctx, request_blob.length > 0, +- ok, done, "sl_pack failed\n"); ++ status = sl_pack_alloc(tctx, d, &request_blob, 64 * 1024); ++ torture_assert_ntstatus_ok_goto(tctx, status, ok, done, ++ "sl_pack_alloc() failed\n"); + + status = dcerpc_mdssvc_cmd(b, + state, +@@ -836,7 +834,6 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx, + const char *path_type = NULL; + uint64_t ino64; + NTSTATUS status; +- ssize_t len; + int ret; + bool ok = true; + +@@ -901,19 +898,10 @@ static bool test_mdssvc_fetch_attr_unknown_cnid(struct torture_context *tctx, + ret = dalloc_add(array, cnids, sl_cnids_t); + torture_assert_goto(tctx, ret == 0, ret, done, "dalloc_add failed\n"); + +- request_blob.spotlight_blob = talloc_array(state, +- uint8_t, +- max_fragment_size); +- torture_assert_not_null_goto(tctx, request_blob.spotlight_blob, +- ret, done, "dalloc_zero failed\n"); +- request_blob.size = max_fragment_size; +- +- len = sl_pack(d, (char *)request_blob.spotlight_blob, request_blob.size); +- torture_assert_goto(tctx, len != -1, ret, done, "sl_pack failed\n"); +- +- request_blob.length = len; +- request_blob.size = len; + ++ status = sl_pack_alloc(tctx, d, &request_blob, max_fragment_size); ++ torture_assert_ntstatus_ok_goto(tctx, status, ok, done, ++ "sl_pack_alloc() failed\n"); + status = dcerpc_mdssvc_cmd(b, + state, + &state->ph, +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch new file mode 100644 index 0000000000..57668f5eef --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0010.patch @@ -0,0 +1,484 @@ +From a5c570e262911874e43e82de601d809aa5b1b729 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Sat, 17 Jun 2023 13:53:27 +0200 +Subject: [PATCH] CVE-2023-34968: mdscli: return share relative paths The next + commit will change the Samba Spotlight server to return absolute paths that + start with the sharename as "/SHARENAME/..." followed by the share path + relative appended. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +So given a share + + [spotlight] + path = /foo/bar + spotlight = yes + +and a file inside this share with a full path of + + /foo/bar/dir/file + +previously a search that matched this file would returns the absolute +server-side pato of the file, ie + + /foo/bar/dir/file + +This will be change to + + /spotlight/dir/file + +As currently the mdscli library and hence the mdsearch tool print out these +paths returned from the server, we have to change the output to accomodate these +fake paths. The only way to do this sensibly is by makeing the paths relative to +the containing share, so just + + dir/file + +in the example above. + +The client learns about the share root path prefix – real server-side of fake in +the future – in an initial handshake in the "share_path" out argument of the +mdssvc_open() RPC call, so the client can use this path to convert the absolute +path to relative. + +There is however an additional twist: the macOS Spotlight server prefixes this +absolute path with another prefix, typically "/System/Volumes/Data", so in the +example above the full path for the same search would be + + /System/Volumes/Data/foo/bar/dir/file + +So macOS does return the full server-side path too, just prefixed with an +additional path. This path prefixed can be queried by the client in the +mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:" +and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba +just returns "/" for this. + +Currently the mdscli library doesn't issue this Spotlight RPC +request (fetchPropertiesForContext), so this is added in this commit. In the +end, all search result paths are stripped of the combined prefix + + kMDSStorePathScopes + share_path (from mdssvc_open). + +eg + + kMDSStorePathScopes = /System/Volumes/Data + share_path = /foo/bar + search result = /System/Volumes/Data/foo/bar/dir/file + relative path returned by mdscli = dir/file + +Makes sense? :) + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/a5c570e262911874e43e82de601d809aa5b1b729] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + python/samba/tests/dcerpc/mdssvc.py | 26 ++-- + source3/rpc_client/cli_mdssvc.c | 155 +++++++++++++++++++++++- + source3/rpc_client/cli_mdssvc_private.h | 4 + + source3/rpc_client/cli_mdssvc_util.c | 68 +++++++++++ + source3/rpc_client/cli_mdssvc_util.h | 4 + + 5 files changed, 243 insertions(+), 14 deletions(-) + +diff --git a/python/samba/tests/dcerpc/mdssvc.py b/python/samba/tests/dcerpc/mdssvc.py +index b0df509..5002e5d 100644 +--- a/python/samba/tests/dcerpc/mdssvc.py ++++ b/python/samba/tests/dcerpc/mdssvc.py +@@ -84,10 +84,11 @@ class MdssvcTests(RpcInterfaceTestCase): + self.t = threading.Thread(target=MdssvcTests.http_server, args=(self,)) + self.t.setDaemon(True) + self.t.start() ++ self.sharepath = os.environ["LOCAL_PATH"] + time.sleep(1) + + conn = mdscli.conn(self.pipe, 'spotlight', '/foo') +- self.sharepath = conn.sharepath() ++ self.fakepath = conn.sharepath() + conn.disconnect(self.pipe) + + for file in testfiles: +@@ -105,12 +106,11 @@ class MdssvcTests(RpcInterfaceTestCase): + self.server.serve_forever() + + def run_test(self, query, expect, json_in, json_out): +- expect = [s.replace("%BASEPATH%", self.sharepath) for s in expect] + self.server.json_in = json_in.replace("%BASEPATH%", self.sharepath) + self.server.json_out = json_out.replace("%BASEPATH%", self.sharepath) + + self.conn = mdscli.conn(self.pipe, 'spotlight', '/foo') +- search = self.conn.search(self.pipe, query, self.sharepath) ++ search = self.conn.search(self.pipe, query, self.fakepath) + + # Give it some time, the get_results() below returns immediately + # what's available, so if we ask to soon, we might get back no results +@@ -141,7 +141,7 @@ class MdssvcTests(RpcInterfaceTestCase): + ] + } + }''' +- exp_results = ["%BASEPATH%/foo", "%BASEPATH%/bar"] ++ exp_results = ["foo", "bar"] + self.run_test('*=="samba*"', exp_results, exp_json_query, fake_json_response) + + def test_mdscli_search_escapes(self): +@@ -181,14 +181,14 @@ class MdssvcTests(RpcInterfaceTestCase): + } + }''' + exp_results = [ +- r"%BASEPATH%/x+x", +- r"%BASEPATH%/x*x", +- r"%BASEPATH%/x=x", +- r"%BASEPATH%/x'x", +- r"%BASEPATH%/x?x", +- r"%BASEPATH%/x x", +- r"%BASEPATH%/x(x", +- "%BASEPATH%/x\"x", +- r"%BASEPATH%/x\x", ++ r"x+x", ++ r"x*x", ++ r"x=x", ++ r"x'x", ++ r"x?x", ++ r"x x", ++ r"x(x", ++ "x\"x", ++ r"x\x", + ] + self.run_test(sl_query, exp_results, exp_json_query, fake_json_response) +diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c +index 07c19b5..a047b91 100644 +--- a/source3/rpc_client/cli_mdssvc.c ++++ b/source3/rpc_client/cli_mdssvc.c +@@ -43,10 +43,12 @@ char *mdscli_get_basepath(TALLOC_CTX *mem_ctx, + struct mdscli_connect_state { + struct tevent_context *ev; + struct mdscli_ctx *mdscli_ctx; ++ struct mdssvc_blob response_blob; + }; + + static void mdscli_connect_open_done(struct tevent_req *subreq); + static void mdscli_connect_unknown1_done(struct tevent_req *subreq); ++static void mdscli_connect_fetch_props_done(struct tevent_req *subreq); + + struct tevent_req *mdscli_connect_send(TALLOC_CTX *mem_ctx, + struct tevent_context *ev, +@@ -111,6 +113,7 @@ static void mdscli_connect_open_done(struct tevent_req *subreq) + struct mdscli_connect_state *state = tevent_req_data( + req, struct mdscli_connect_state); + struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx; ++ size_t share_path_len; + NTSTATUS status; + + status = dcerpc_mdssvc_open_recv(subreq, state); +@@ -120,6 +123,18 @@ static void mdscli_connect_open_done(struct tevent_req *subreq) + return; + } + ++ share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path); ++ if (share_path_len < 1 || share_path_len > UINT16_MAX) { ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ mdscli_ctx->mdscmd_open.share_path_len = share_path_len; ++ ++ if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') { ++ mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0'; ++ mdscli_ctx->mdscmd_open.share_path_len--; ++ } ++ + subreq = dcerpc_mdssvc_unknown1_send( + state, + state->ev, +@@ -146,6 +161,8 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq) + subreq, struct tevent_req); + struct mdscli_connect_state *state = tevent_req_data( + req, struct mdscli_connect_state); ++ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx; ++ struct mdssvc_blob request_blob; + NTSTATUS status; + + status = dcerpc_mdssvc_unknown1_recv(subreq, state); +@@ -153,6 +170,108 @@ static void mdscli_connect_unknown1_done(struct tevent_req *subreq) + if (tevent_req_nterror(req, status)) { + return; + } ++ status = mdscli_blob_fetch_props(state, ++ state->mdscli_ctx, ++ &request_blob); ++ if (tevent_req_nterror(req, status)) { ++ return; ++ } ++ ++ subreq = dcerpc_mdssvc_cmd_send(state, ++ state->ev, ++ mdscli_ctx->bh, ++ &mdscli_ctx->ph, ++ 0, ++ mdscli_ctx->dev, ++ mdscli_ctx->mdscmd_open.unkn2, ++ 0, ++ mdscli_ctx->flags, ++ request_blob, ++ 0, ++ mdscli_ctx->max_fragment_size, ++ 1, ++ mdscli_ctx->max_fragment_size, ++ 0, ++ 0, ++ &mdscli_ctx->mdscmd_cmd.fragment, ++ &state->response_blob, ++ &mdscli_ctx->mdscmd_cmd.unkn9); ++ if (tevent_req_nomem(subreq, req)) { ++ return; ++ } ++ tevent_req_set_callback(subreq, mdscli_connect_fetch_props_done, req); ++ mdscli_ctx->async_pending++; ++ return; ++} ++ ++static void mdscli_connect_fetch_props_done(struct tevent_req *subreq) ++{ ++ struct tevent_req *req = tevent_req_callback_data( ++ subreq, struct tevent_req); ++ struct mdscli_connect_state *state = tevent_req_data( ++ req, struct mdscli_connect_state); ++ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx; ++ DALLOC_CTX *d = NULL; ++ sl_array_t *path_scope_array = NULL; ++ char *path_scope = NULL; ++ NTSTATUS status; ++ bool ok; ++ ++ status = dcerpc_mdssvc_cmd_recv(subreq, state); ++ TALLOC_FREE(subreq); ++ state->mdscli_ctx->async_pending--; ++ if (tevent_req_nterror(req, status)) { ++ return; ++ } ++ ++ d = dalloc_new(state); ++ if (tevent_req_nomem(d, req)) { ++ return; ++ } ++ ++ ok = sl_unpack(d, ++ (char *)state->response_blob.spotlight_blob, ++ state->response_blob.length); ++ if (!ok) { ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ ++ path_scope_array = dalloc_value_for_key(d, ++ "DALLOC_CTX", 0, ++ "kMDSStorePathScopes", ++ "sl_array_t"); ++ if (path_scope_array == NULL) { ++ DBG_ERR("Missing kMDSStorePathScopes\n"); ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ ++ path_scope = dalloc_get(path_scope_array, "char *", 0); ++ if (path_scope == NULL) { ++ DBG_ERR("Missing path in kMDSStorePathScopes\n"); ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ ++ mdscli_ctx->path_scope_len = strlen(path_scope); ++ if (mdscli_ctx->path_scope_len < 1 || ++ mdscli_ctx->path_scope_len > UINT16_MAX) ++ { ++ DBG_ERR("Bad path_scope: %s\n", path_scope); ++ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); ++ return; ++ } ++ mdscli_ctx->path_scope = talloc_strdup(mdscli_ctx, path_scope); ++ if (tevent_req_nomem(mdscli_ctx->path_scope, req)) { ++ return; ++ } ++ ++ if (mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] == '/') { ++ mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] = '\0'; ++ mdscli_ctx->path_scope_len--; ++ } ++ + + tevent_req_done(req); + } +@@ -697,7 +816,10 @@ static void mdscli_get_path_done(struct tevent_req *subreq) + struct mdscli_get_path_state *state = tevent_req_data( + req, struct mdscli_get_path_state); + DALLOC_CTX *d = NULL; ++ size_t pathlen; ++ size_t prefixlen; + char *path = NULL; ++ const char *p = NULL; + NTSTATUS status; + bool ok; + +@@ -732,7 +854,38 @@ static void mdscli_get_path_done(struct tevent_req *subreq) + tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR); + return; + } +- state->path = talloc_move(state, &path); ++ ++ /* Path is prefixed by /PATHSCOPE/SHARENAME/, strip it */ ++ pathlen = strlen(path); ++ ++ /* ++ * path_scope_len and share_path_len are already checked to be smaller ++ * then UINT16_MAX so this can't overflow ++ */ ++ prefixlen = state->mdscli_ctx->path_scope_len ++ + state->mdscli_ctx->mdscmd_open.share_path_len; ++ ++ if (pathlen < prefixlen) { ++ DBG_DEBUG("Bad path: %s\n", path); ++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ return; ++ } ++ ++ p = path + prefixlen; ++ while (*p == '/') { ++ p++; ++ } ++ if (*p == '\0') { ++ DBG_DEBUG("Bad path: %s\n", path); ++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); ++ return; ++ } ++ ++ state->path = talloc_strdup(state, p); ++ if (state->path == NULL) { ++ tevent_req_nterror(req, NT_STATUS_NO_MEMORY); ++ return; ++ } + DBG_DEBUG("path: %s\n", state->path); + + tevent_req_done(req); +diff --git a/source3/rpc_client/cli_mdssvc_private.h b/source3/rpc_client/cli_mdssvc_private.h +index 031af85..b10aca0 100644 +--- a/source3/rpc_client/cli_mdssvc_private.h ++++ b/source3/rpc_client/cli_mdssvc_private.h +@@ -42,6 +42,7 @@ struct mdscli_ctx { + /* cmd specific or unknown fields */ + struct { + char share_path[1025]; ++ size_t share_path_len; + uint32_t unkn2; + uint32_t unkn3; + } mdscmd_open; +@@ -56,6 +57,9 @@ struct mdscli_ctx { + struct { + uint32_t status; + } mdscmd_close; ++ ++ char *path_scope; ++ size_t path_scope_len; + }; + + struct mdscli_search_ctx { +diff --git a/source3/rpc_client/cli_mdssvc_util.c b/source3/rpc_client/cli_mdssvc_util.c +index a39202d..1eaaca7 100644 +--- a/source3/rpc_client/cli_mdssvc_util.c ++++ b/source3/rpc_client/cli_mdssvc_util.c +@@ -28,6 +28,74 @@ + #include "rpc_server/mdssvc/dalloc.h" + #include "rpc_server/mdssvc/marshalling.h" + ++NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx, ++ struct mdscli_ctx *ctx, ++ struct mdssvc_blob *blob) ++{ ++ DALLOC_CTX *d = NULL; ++ uint64_t *uint64p = NULL; ++ sl_array_t *array = NULL; ++ sl_array_t *cmd_array = NULL; ++ NTSTATUS status; ++ int ret; ++ ++ d = dalloc_new(mem_ctx); ++ if (d == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ array = dalloc_zero(d, sl_array_t); ++ if (array == NULL) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ ret = dalloc_add(d, array, sl_array_t); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ cmd_array = dalloc_zero(d, sl_array_t); ++ if (cmd_array == NULL) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ ret = dalloc_add(array, cmd_array, sl_array_t); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ ret = dalloc_stradd(cmd_array, "fetchPropertiesForContext:"); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ uint64p = talloc_zero_array(cmd_array, uint64_t, 2); ++ if (uint64p == NULL) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ talloc_set_name(uint64p, "uint64_t *"); ++ ++ ret = dalloc_add(cmd_array, uint64p, uint64_t *); ++ if (ret != 0) { ++ TALLOC_FREE(d); ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ status = sl_pack_alloc(mem_ctx, d, blob, ctx->max_fragment_size); ++ TALLOC_FREE(d); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ return NT_STATUS_OK; ++} ++ + NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + struct mdscli_search_ctx *search, + struct mdssvc_blob *blob) +diff --git a/source3/rpc_client/cli_mdssvc_util.h b/source3/rpc_client/cli_mdssvc_util.h +index 7a98c85..3f32475 100644 +--- a/source3/rpc_client/cli_mdssvc_util.h ++++ b/source3/rpc_client/cli_mdssvc_util.h +@@ -21,6 +21,10 @@ + #ifndef _MDSCLI_UTIL_H_ + #define _MDSCLI_UTIL_H_ + ++NTSTATUS mdscli_blob_fetch_props(TALLOC_CTX *mem_ctx, ++ struct mdscli_ctx *ctx, ++ struct mdssvc_blob *blob); ++ + NTSTATUS mdscli_blob_search(TALLOC_CTX *mem_ctx, + struct mdscli_search_ctx *search, + struct mdssvc_blob *blob); +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch new file mode 100644 index 0000000000..d2bef187f7 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-34968_0011.patch @@ -0,0 +1,295 @@ +From 091b0265fe42878d676def5d4f5b4f8f3977b0e2 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Mon, 5 Jun 2023 18:02:20 +0200 +Subject: [PATCH] CVE-2023-34968: mdssvc: return a fake share path Instead of + returning the real server-side absolute path of shares and search results, + return a fake absolute path replacing the path of the share with the share + name, iow for a share "test" with a server-side path of "/foo/bar", we + previously returned + + /foo/bar and + /foo/bar/search/result + +and now return + + /test and + /test/search/result + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388 + +Signed-off-by: Ralph Boehme <slow@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/091b0265fe42878d676def5d4f5b4f8f3977b0e2] + +CVE: CVE-2023-34968 + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + source3/lib/util_path.c | 52 ++++++++++++++++++++ + source3/lib/util_path.h | 5 ++ + source3/rpc_server/mdssvc/mdssvc.c | 60 +++++++++++++++++++++-- + source3/rpc_server/mdssvc/mdssvc.h | 1 + + source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 17 +++++-- + 6 files changed, 128 insertions(+), 7 deletions(-) + mode change 100755 => 100644 source3/libads/ldap.c + +diff --git a/source3/lib/util_path.c b/source3/lib/util_path.c +index c34b734..5b5a51c 100644 +--- a/source3/lib/util_path.c ++++ b/source3/lib/util_path.c +@@ -21,8 +21,10 @@ + * along with this program. If not, see <http://www.gnu.org/licenses/>. + */ + ++#include "includes.h" + #include "replace.h" + #include <talloc.h> ++#include "lib/util/debug.h" + #include "lib/util/samba_util.h" + #include "lib/util_path.h" + +@@ -210,3 +212,53 @@ char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *pathname_in) + *p++ = '\0'; + return pathname; + } ++ ++/* ++ * Take two absolute paths, figure out if "subdir" is a proper ++ * subdirectory of "parent". Return the component relative to the ++ * "parent" without the potential "/". Take care of "parent" ++ * possibly ending in "/". ++ */ ++bool subdir_of(const char *parent, ++ size_t parent_len, ++ const char *subdir, ++ const char **_relative) ++{ ++ const char *relative = NULL; ++ bool matched; ++ ++ SMB_ASSERT(parent[0] == '/'); ++ SMB_ASSERT(subdir[0] == '/'); ++ ++ if (parent_len == 1) { ++ /* ++ * Everything is below "/" ++ */ ++ *_relative = subdir+1; ++ return true; ++ } ++ ++ if (parent[parent_len-1] == '/') { ++ parent_len -= 1; ++ } ++ ++ matched = (strncmp(subdir, parent, parent_len) == 0); ++ if (!matched) { ++ return false; ++ } ++ ++ relative = &subdir[parent_len]; ++ ++ if (relative[0] == '\0') { ++ *_relative = relative; /* nothing left */ ++ return true; ++ } ++ ++ if (relative[0] == '/') { ++ /* End of parent must match a '/' in subdir. */ ++ *_relative = relative+1; ++ return true; ++ } ++ ++ return false; ++} +diff --git a/source3/lib/util_path.h b/source3/lib/util_path.h +index 3e7d04d..6d2155a 100644 +--- a/source3/lib/util_path.h ++++ b/source3/lib/util_path.h +@@ -31,5 +31,10 @@ char *lock_path(TALLOC_CTX *mem_ctx, const char *name); + char *state_path(TALLOC_CTX *mem_ctx, const char *name); + char *cache_path(TALLOC_CTX *mem_ctx, const char *name); + char *canonicalize_absolute_path(TALLOC_CTX *ctx, const char *abs_path); ++bool subdir_of(const char *parent, ++ size_t parent_len, ++ const char *subdir, ++ const char **_relative); ++ + + #endif +diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c +index 19257e8..d442d8d 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.c ++++ b/source3/rpc_server/mdssvc/mdssvc.c +@@ -520,11 +520,14 @@ static bool inode_map_add(struct sl_query *slq, + bool mds_add_result(struct sl_query *slq, const char *path) + { + struct smb_filename *smb_fname = NULL; ++ char *fake_path = NULL; ++ const char *relative = NULL; + struct stat_ex sb; + uint32_t attr; + uint64_t ino64; + int result; + NTSTATUS status; ++ bool sub; + bool ok; + + /* +@@ -610,6 +613,17 @@ bool mds_add_result(struct sl_query *slq, const char *path) + } + } + ++ sub = subdir_of(slq->mds_ctx->spath, ++ slq->mds_ctx->spath_len, ++ path, ++ &relative); ++ if (!sub) { ++ DBG_ERR("[%s] is not inside [%s]\n", ++ path, slq->mds_ctx->spath); ++ slq->state = SLQ_STATE_ERROR; ++ return false; ++ } ++ + /* + * Add inode number and filemeta to result set, this is what + * we return as part of the result set of a query +@@ -622,18 +636,30 @@ bool mds_add_result(struct sl_query *slq, const char *path) + slq->state = SLQ_STATE_ERROR; + return false; + } ++ ++ fake_path = talloc_asprintf(slq, ++ "/%s/%s", ++ slq->mds_ctx->sharename, ++ relative); ++ if (fake_path == NULL) { ++ slq->state = SLQ_STATE_ERROR; ++ return false; ++ } ++ + ok = add_filemeta(slq->mds_ctx, + slq->reqinfo, + slq->query_results->fm_array, +- path, ++ fake_path, + &sb); + if (!ok) { + DBG_ERR("add_filemeta error\n"); ++ TALLOC_FREE(fake_path); + slq->state = SLQ_STATE_ERROR; + return false; + } + +- ok = inode_map_add(slq, ino64, path, &sb); ++ ok = inode_map_add(slq, ino64, fake_path, &sb); ++ TALLOC_FREE(fake_path); + if (!ok) { + DEBUG(1, ("inode_map_add error\n")); + slq->state = SLQ_STATE_ERROR; +@@ -840,6 +866,32 @@ static void slq_close_timer(struct tevent_context *ev, + } + } + ++/** ++ * Translate a fake scope from the client like /sharename/dir ++ * to the real server-side path, replacing the "/sharename" part ++ * with the absolute server-side path of the share. ++ **/ ++static bool mdssvc_real_scope(struct sl_query *slq, const char *fake_scope) ++{ ++ size_t sname_len = strlen(slq->mds_ctx->sharename); ++ size_t fake_scope_len = strlen(fake_scope); ++ ++ if (fake_scope_len < sname_len + 1) { ++ DBG_ERR("Short scope [%s] for share [%s]\n", ++ fake_scope, slq->mds_ctx->sharename); ++ return false; ++ } ++ ++ slq->path_scope = talloc_asprintf(slq, ++ "%s%s", ++ slq->mds_ctx->spath, ++ fake_scope + sname_len + 1); ++ if (slq->path_scope == NULL) { ++ return false; ++ } ++ return true; ++} ++ + /** + * Begin a search query + **/ +@@ -946,8 +998,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx, + goto error; + } + +- slq->path_scope = talloc_strdup(slq, scope); +- if (slq->path_scope == NULL) { ++ ok = mdssvc_real_scope(slq, scope); ++ if (!ok) { + goto error; + } + +diff --git a/source3/rpc_server/mdssvc/mdssvc.h b/source3/rpc_server/mdssvc/mdssvc.h +index b3bd8b9..8434812 100644 +--- a/source3/rpc_server/mdssvc/mdssvc.h ++++ b/source3/rpc_server/mdssvc/mdssvc.h +@@ -127,6 +127,7 @@ struct mds_ctx { + int snum; + const char *sharename; + const char *spath; ++ size_t spath_len; + struct connection_struct *conn; + struct sl_query *query_list; /* list of active queries */ + struct db_context *ino_path_map; /* dbwrap rbt for storing inode->path mappings */ +diff --git a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +index 59e2a97..b20bd2a 100644 +--- a/source3/rpc_server/mdssvc/srv_mdssvc_nt.c ++++ b/source3/rpc_server/mdssvc/srv_mdssvc_nt.c +@@ -121,6 +121,7 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r) + loadparm_s3_global_substitution(); + int snum; + char *outpath = discard_const_p(char, r->out.share_path); ++ char *fake_path = NULL; + char *path; + NTSTATUS status; + +@@ -144,21 +145,31 @@ void _mdssvc_open(struct pipes_struct *p, struct mdssvc_open *r) + return; + } + ++ fake_path = talloc_asprintf(p->mem_ctx, "/%s", r->in.share_name); ++ if (fake_path == NULL) { ++ DBG_ERR("Couldn't create fake share path for %s\n", ++ r->in.share_name); ++ talloc_free(path); ++ p->fault_state = DCERPC_FAULT_CANT_PERFORM; ++ return; ++ } ++ + status = create_mdssvc_policy_handle(p->mem_ctx, p, + snum, + r->in.share_name, + path, + r->out.handle); + if (!NT_STATUS_IS_OK(status)) { +- DBG_ERR("Couldn't create policy handle for %s\n", ++ DBG_ERR("Couldn't create path for %s\n", + r->in.share_name); + talloc_free(path); ++ talloc_free(fake_path); + p->fault_state = DCERPC_FAULT_CANT_PERFORM; + return; + } + +- strlcpy(outpath, path, 1024); +- talloc_free(path); ++ strlcpy(outpath, fake_path, 1024); ++ talloc_free(fake_path); + return; + } + +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch new file mode 100644 index 0000000000..908ab85baf --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0001.patch @@ -0,0 +1,193 @@ +From b08a60160e6ab8d982d31844bcbf7ab67ff3a8de Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Tue, 1 Aug 2023 12:30:00 +0200 +Subject: [PATCH 2/2] CVE-2023-4091: smbtorture: test overwrite dispositions on + read-only file + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +CVE: CVE-2023-4091 + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/b08a60160e6ab8d982d31844bcbf7ab67ff3a8de] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + selftest/knownfail.d/samba3.smb2.acls | 1 + + source4/torture/smb2/acls.c | 145 ++++++++++++++++++++++++++ + 2 files changed, 146 insertions(+) + create mode 100644 selftest/knownfail.d/samba3.smb2.acls + +diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls +new file mode 100644 +index 0000000..18df260 +--- /dev/null ++++ b/selftest/knownfail.d/samba3.smb2.acls +@@ -0,0 +1 @@ ++^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE +diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c +index 4f4538b..d26caeb 100644 +--- a/source4/torture/smb2/acls.c ++++ b/source4/torture/smb2/acls.c +@@ -3023,6 +3023,149 @@ done: + return ret; + } + ++static bool test_overwrite_read_only_file(struct torture_context *tctx, ++ struct smb2_tree *tree) ++{ ++ NTSTATUS status; ++ struct smb2_create c; ++ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt"; ++ struct smb2_handle handle = {{0}}; ++ union smb_fileinfo q; ++ union smb_setfileinfo set; ++ struct security_descriptor *sd = NULL, *sd_orig = NULL; ++ const char *owner_sid = NULL; ++ int i; ++ bool ret = true; ++ ++ struct tcase { ++ int disposition; ++ const char *disposition_string; ++ NTSTATUS expected_status; ++ } tcases[] = { ++#define TCASE(d, s) { \ ++ .disposition = d, \ ++ .disposition_string = #d, \ ++ .expected_status = s, \ ++ } ++ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK), ++ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED), ++ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED), ++ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED), ++ }; ++#undef TCASE ++ ++ ret = smb2_util_setup_dir(tctx, tree, BASEDIR); ++ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok"); ++ ++ c = (struct smb2_create) { ++ .in.desired_access = SEC_STD_READ_CONTROL | ++ SEC_STD_WRITE_DAC | ++ SEC_STD_WRITE_OWNER, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_READ | ++ NTCREATEX_SHARE_ACCESS_WRITE, ++ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_create failed\n"); ++ handle = c.out.file.handle; ++ ++ torture_comment(tctx, "get the original sd\n"); ++ ++ ZERO_STRUCT(q); ++ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; ++ q.query_secdesc.in.file.handle = handle; ++ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; ++ ++ status = smb2_getinfo_file(tree, tctx, &q); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_getinfo_file failed\n"); ++ sd_orig = q.query_secdesc.out.sd; ++ ++ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); ++ ++ sd = security_descriptor_dacl_create(tctx, ++ 0, NULL, NULL, ++ owner_sid, ++ SEC_ACE_TYPE_ACCESS_ALLOWED, ++ SEC_FILE_READ_DATA, ++ 0, ++ NULL); ++ ++ ZERO_STRUCT(set); ++ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; ++ set.set_secdesc.in.file.handle = handle; ++ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; ++ set.set_secdesc.in.sd = sd; ++ ++ status = smb2_setinfo_file(tree, &set); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_setinfo_file failed\n"); ++ ++ smb2_util_close(tree, handle); ++ ZERO_STRUCT(handle); ++ ++ for (i = 0; i < ARRAY_SIZE(tcases); i++) { ++ torture_comment(tctx, "Verify open with %s dispostion\n", ++ tcases[i].disposition_string); ++ ++ c = (struct smb2_create) { ++ .in.create_disposition = tcases[i].disposition, ++ .in.desired_access = SEC_FILE_READ_DATA, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ smb2_util_close(tree, c.out.file.handle); ++ torture_assert_ntstatus_equal_goto( ++ tctx, status, tcases[i].expected_status, ret, done, ++ "smb2_create failed\n"); ++ }; ++ ++ torture_comment(tctx, "put back original sd\n"); ++ ++ c = (struct smb2_create) { ++ .in.desired_access = SEC_STD_WRITE_DAC, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, ++ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_create failed\n"); ++ handle = c.out.file.handle; ++ ++ ZERO_STRUCT(set); ++ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; ++ set.set_secdesc.in.file.handle = handle; ++ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; ++ set.set_secdesc.in.sd = sd_orig; ++ ++ status = smb2_setinfo_file(tree, &set); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_setinfo_file failed\n"); ++ ++ smb2_util_close(tree, handle); ++ ZERO_STRUCT(handle); ++ ++done: ++ smb2_util_close(tree, handle); ++ smb2_util_unlink(tree, fname); ++ smb2_deltree(tree, BASEDIR); ++ return ret; ++} ++ ++ + /* + basic testing of SMB2 ACLs + */ +@@ -3051,6 +3194,8 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) + test_deny1); + torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED", + test_mxac_not_granted); ++ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", ++ test_overwrite_read_only_file); + + suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); + +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch new file mode 100644 index 0000000000..43d3b4929f --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-4091-0002.patch @@ -0,0 +1,59 @@ +From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme <slow@samba.org> +Date: Tue, 1 Aug 2023 13:04:36 +0200 +Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in + open_file() + +If the client requested FILE_OVERWRITE[_IF], we're implicitly adding +FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the +access check we're using access_mask which doesn't contain the additional +right, which means we can end up truncating a file for which the user has +only read-only access via an SD. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 + +Signed-off-by: Ralph Boehme <slow@samba.org> + +CVE: CVE-2023-4091 + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + selftest/knownfail.d/samba3.smb2.acls | 1 - + source3/smbd/open.c | 4 ++-- + 2 files changed, 2 insertions(+), 3 deletions(-) + delete mode 100644 selftest/knownfail.d/samba3.smb2.acls + +diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls +deleted file mode 100644 +index 18df260..0000000 +--- a/selftest/knownfail.d/samba3.smb2.acls ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index 2c3bf9e..4bec5cb 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -1402,7 +1402,7 @@ static NTSTATUS open_file(files_struct *fsp, + conn->cwd_fsp, + smb_fname, + false, +- access_mask); ++ open_access_mask); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10, ("open_file: " +@@ -1585,7 +1585,7 @@ static NTSTATUS open_file(files_struct *fsp, + conn->cwd_fsp, + smb_fname, + false, +- access_mask); ++ open_access_mask); + + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && + (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) && +-- +2.40.0 + diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch new file mode 100644 index 0000000000..dfa6aeb023 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch @@ -0,0 +1,94 @@ +From 9989568b20c8f804140c22f51548d766a18ed887 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett <abartlet@samba.org> +Date: Tue, 12 Sep 2023 18:59:44 +1200 +Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by + default + +The rpcecho server is useful in development and testing, but should never +have been allowed into production, as it includes the facility to +do a blocking sleep() in the single-threaded rpc worker. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett <abartlet@samba.org> + +CVE: CVE-2023-42669 + +Upstream-Status: Backport [https://github.com/samba-team/samba/commit/9989568b20c8f804140c22f51548d766a18ed887] + +Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> +--- + docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- + lib/param/loadparm.c | 2 +- + selftest/target/Samba4.pm | 2 +- + source3/param/loadparm.c | 2 +- + source4/rpc_server/wscript_build | 3 ++- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +index 8a217cc..c6642b7 100644 +--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml ++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +@@ -6,6 +6,6 @@ + <para>Specifies which DCE/RPC endpoint servers should be run.</para> + </description> + +-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> ++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value> + <value type="example">rpcecho</value> + </samba:parameter> +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index eedfa00..75687f5 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2717,7 +2717,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); + lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); + +- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); ++ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); + /* the winbind method for domain controllers is for both RODC +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index 651faa7..c7b33d2 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -773,7 +773,7 @@ sub provision_raw_step1($$) + wins support = yes + server role = $ctx->{server_role} + server services = +echo $services +- dcerpc endpoint servers = +winreg +srvsvc ++ dcerpc endpoint servers = +winreg +srvsvc +rpcecho + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 8bcd35f..a99ab35 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -879,7 +879,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); + +- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); ++ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); + + Globals.tls_enabled = true; + Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index 8c75672..a2520da 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -29,7 +29,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', + source='echo/rpc_echo.c', + subsystem='dcerpc_server', + init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' ++ deps='ndr-standard events', ++ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') + ) + + +-- +2.40.0 diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index 53526a26b6..2fb93be0a9 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb @@ -22,6 +22,43 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://0005-samba-build-dnsserver_common-code.patch \ file://0001-Fix-pyext_PATTERN-for-cross-compilation.patch \ file://0001-smbtorture-skip-test-case-tfork_cmd_send.patch \ + file://CVE-2022-3437-0001.patch;patchdir=source4/heimdal \ + file://CVE-2022-3437-0002.patch;patchdir=source4/heimdal \ + file://CVE-2022-3437-0003.patch;patchdir=source4/heimdal \ + file://CVE-2022-3437-0004.patch;patchdir=source4/heimdal \ + file://CVE-2022-3437-0005.patch;patchdir=source4/heimdal \ + file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \ + file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \ + file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \ + file://CVE-2022-45142.patch;patchdir=source4/heimdal \ + file://CVE-2022-41916.patch;patchdir=source4/heimdal \ + file://CVE-2021-44758.patch;patchdir=source4/heimdal \ + file://CVE-2023-34966_0001.patch \ + file://CVE-2023-34966_0002.patch \ + file://CVE-2022-2127.patch \ + file://CVE-2023-34967_0001.patch \ + file://CVE-2023-34967_0002.patch \ + file://CVE-2023-34968_0001.patch \ + file://CVE-2023-34968_0002.patch \ + file://CVE-2023-34968_0003.patch \ + file://CVE-2023-34968_0004.patch \ + file://CVE-2023-34968_0005.patch \ + file://CVE-2023-34968_0006.patch \ + file://CVE-2023-34968_0007.patch \ + file://CVE-2023-34968_0008.patch \ + file://CVE-2023-34968_0009.patch \ + file://CVE-2023-34968_0010.patch \ + file://CVE-2023-34968_0011.patch \ + file://CVE-2023-4091-0001.patch \ + file://CVE-2023-4091-0002.patch \ + file://CVE-2023-42669.patch \ + file://CVE-2018-14628-0001.patch \ + file://CVE-2018-14628-0002.patch \ + file://CVE-2018-14628-0003.patch \ + file://CVE-2018-14628-0004.patch \ + file://CVE-2018-14628-0005.patch \ + file://CVE-2018-14628-0006.patch \ + file://CVE-2023-0922.patch \ " SRC_URI:append:libc-musl = " \ |