Changes of Revision 23
_service:tar_scm_kernel_repo:samba.spec
Changed
@@ -49,7 +49,7 @@ Name: samba Version: 4.11.12 -Release: 18 +Release: 19 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ @@ -279,6 +279,17 @@ Patch6350: backport-0013-CVE-2022-32743-dsdb-modules-acl-Allow-simultaneous-s.patch Patch6351: backport-0014-CVE-2022-32743-s4-rpc_server-common-Add-dcesrv_samdb.patch Patch6352: backport-0015-CVE-2022-32743-s4-rpc_server-netlogon-Reconnect-to-s.patch +Patch6353: backport-0001-CVE-2022-3437.patch +Patch6354: backport-0002-CVE-2022-3437.patch +Patch6355: backport-0003-CVE-2022-3437.patch +Patch6356: backport-0004-CVE-2022-3437.patch +Patch6357: backport-0005-CVE-2022-3437.patch +Patch6358: backport-0006-CVE-2022-3437.patch +Patch6359: backport-0007-CVE-2022-3437.patch +Patch6360: backport-0008-CVE-2022-3437.patch +Patch6361: backport-0009-CVE-2022-3437.patch +Patch6362: backport-0010-CVE-2022-3437.patch +Patch6363: backport-0011-CVE-2022-3437.patch BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel @@ -3337,6 +3348,12 @@ %{_mandir}/man* %changelog +* Thu Oct 27 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-19 +- Type:cves +- CVE:CVE-2022-3437 +- SUG:NA +- DESC:fix CVE-2022-3437 + * Thu Sep 08 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-18 - Type:bugfix - CVE:NA
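Review bot: The eleven new `Patch6353`–`Patch6363` entries only register the backports; if this spec applies patches through individual `%patchNNNN` lines in `%prep` rather than `%autosetup`, that section (not in this diff) needs matching entries, otherwise the files are listed but never applied. The upstream subjects inside the backports run `[PATCH 05/15]` to `[PATCH 15/15]` while the local numbering restarts at 0001, so the changelog line `- DESC:fix CVE-2022-3437` would be more useful as `- DESC:fix CVE-2022-3437 (upstream 4.15.11 security series, patches 05-15; 01-04 omitted)` with the reason for the omission, presumably that they do not apply to 4.11, stated once so a later backporter does not have to rediscover it.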
_service:tar_scm_kernel_repo:backport-0001-CVE-2022-3437.patch
Added
@@ -0,0 +1,39 @@
+From fe1204d9da2c6f761c4dc4421f67057b10eaf430 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:56:08 +1300
+Subject: [PATCH 05/15] CVE-2022-3437 source4/heimdal: Remove __func__
+ compatibility workaround
+
+As described by the C standard, __func__ is a variable, not a macro.
+Hence this #ifndef check does not work as intended, and only serves to
+unconditionally disable __func__. A nonoperating __func__ prevents
+cmocka operating correctly, so remove this definition.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ source4/heimdal/lib/krb5/krb5_locl.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
+index 49c614d5efe..d3360c556ce 100644
+--- a/source4/heimdal/lib/krb5/krb5_locl.h
++++ b/source4/heimdal/lib/krb5/krb5_locl.h
+@@ -188,10 +188,6 @@ struct _krb5_krb_auth_data;
+ #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
+ #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
+
+-#ifndef __func__
+-#define __func__ "unknown-function"
+-#endif
+-
+ #define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
+
+ #ifndef PATH_SEP
+--
+2.25.1
_service:tar_scm_kernel_repo:backport-0002-CVE-2022-3437.patch
Added
@@ -0,0 +1,59 @@
+From a49a3ac8e082921c2793a073b5991c4693f167ab Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:55:51 +1300
+Subject: [PATCH 06/15] CVE-2022-3437 source4/heimdal_build: Add
+ gssapi-subsystem subsystem
+
+This allows us to access (and so test) functions internal to GSSAPI by
+depending on this subsystem.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+[jsutton@samba.org Adapted to older wscript_build file]
+
+Conflict: deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind',
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ source4/heimdal_build/wscript_build | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build
+index 27adbc0..1143f3f 100644
+--- a/source4/heimdal_build/wscript_build
++++ b/source4/heimdal_build/wscript_build
+@@ -589,8 +589,8 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
+ HEIMDAL_AUTOPROTO_PRIVATE('lib/gssapi/krb5/gsskrb5-private.h',
+ HEIMDAL_GSSAPI_KRB5_SOURCE)
+
+- HEIMDAL_LIBRARY('gssapi',
+- HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + '''
++ HEIMDAL_SUBSYSTEM('gssapi-subsystem',
++ HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + '''
+ lib/gssapi/mech/context.c lib/gssapi/mech/gss_krb5.c lib/gssapi/mech/gss_mech_switch.c
+ lib/gssapi/mech/gss_process_context_token.c lib/gssapi/mech/gss_buffer_set.c
+ lib/gssapi/mech/gss_aeap.c lib/gssapi/mech/gss_add_cred.c lib/gssapi/mech/gss_cred.c
+@@ -615,10 +615,16 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
+ lib/gssapi/mech/gss_set_cred_option.c lib/gssapi/mech/gss_pseudo_random.c ../heimdal_build/gssapi-glue.c''',
+ includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech',
+ deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind',
+- vnum='2.0.0',
+- version_script='lib/gssapi/version-script.map',
+ )
+
++ HEIMDAL_LIBRARY('gssapi',
++ '',
++ includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech',
++ deps='gssapi-subsystem',
++ vnum='2.0.0',
++ version_script='lib/gssapi/version-script.map',
++ )
++
+ if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
+ # expand_path.c needs some of the install paths
+ HEIMDAL_SUBSYSTEM('HEIMDAL_CONFIG',
+--
+2.27.0
+
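Review bot: The `includes=` string passed to `HEIMDAL_LIBRARY('gssapi', ...)` in the `@@ -615` hunk repeats, character for character, the one passed to `HEIMDAL_SUBSYSTEM('gssapi-subsystem', ...)`; hoisting it into a local such as `gssapi_includes = '../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech'` and using `includes=gssapi_includes` in both calls keeps the two from drifting apart. The new subsystem also deserves a one-line comment saying why it exists, since nothing in wscript_build states it, e.g. `# gssapi-subsystem holds the mech-internal objects so unit tests can link them directly; libgssapi wraps it and still applies version-script.map`. The `if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):` block enclosing both hunks starts outside them.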
_service:tar_scm_kernel_repo:backport-0003-CVE-2022-3437.patch
Added
@@ -0,0 +1,1348 @@ +From 310bffc085514f9ceba5b3501ddef15807c53809 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:55:39 +1300 +Subject: [PATCH 07/15] CVE-2022-3437 s4/auth/tests: Add unit tests for + unwrap_des3() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +[jsutton@samba.org Adapted to lack of 'samba.unittests.auth.sam' test, + renamed 'third_party' to 'source4' in paths, defined + HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE to fix compiler + error] + +Conflict: with_pam = ("WITH_PAM" in config_hash) +Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch +--- + selftest/knownfail.d/heimdal-des-overflow | 9 + + selftest/tests.py | 5 + + source4/auth/tests/heimdal_unwrap_des.c | 1247 +++++++++++++++++++++ + source4/auth/wscript_build | 21 + + 4 files changed, 1282 insertions(+) + create mode 100644 selftest/knownfail.d/heimdal-des-overflow + create mode 100644 source4/auth/tests/heimdal_unwrap_des.c + +diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow +new file mode 100644 +index 0000000..23acbb4 +--- /dev/null ++++ b/selftest/knownfail.d/heimdal-des-overflow +@@ -0,0 +1,9 @@ ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none 
++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none +diff --git a/selftest/tests.py b/selftest/tests.py +index 7589566..dfda95a 100644 +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -46,6 +46,8 @@ have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash) + with_pam = ("WITH_PAM" in config_hash) + pam_wrapper_so_path = config_hash["LIBPAM_WRAPPER_SO_PATH"] + pam_set_items_so_path = config_hash["PAM_SET_ITEMS_SO_PATH"] ++have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash ++using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash + + planpythontestsuite("none", "samba.tests.source") + if have_man_pages_support: +@@ -401,3 +403,6 @@ plantestsuite("samba.unittests.test_registry_regfio", "none", + [os.path.join(bindir(), "default/source3/test_registry_regfio")]) + plantestsuite("samba.unittests.test_oLschema2ldif", "none", + [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")]) ++if have_heimdal_support and not using_system_gssapi: ++ plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none", ++ [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))]) +diff --git a/source4/auth/tests/heimdal_unwrap_des.c b/source4/auth/tests/heimdal_unwrap_des.c +new file mode 100644 +index 0000000..dc31e9d +--- /dev/null ++++ b/source4/auth/tests/heimdal_unwrap_des.c +@@ -0,0 +1,1247 @@ ++/* ++ * Unit tests for source4/heimdal/lib/gssapi/krb5/unwrap.c ++ * ++ * Copyright (C) Catalyst.NET Ltd 2022 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. 
++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see <http://www.gnu.org/licenses/>. ++ * ++ */ ++ ++/* ++ * from cmocka.c: ++ * These headers or their equivalents should be included prior to ++ * including ++ * this header file. ++ * ++ * #include <stdarg.h> ++ * #include <stddef.h> ++ * #include <setjmp.h> ++ * ++ * This allows test applications to use custom definitions of C standard ++ * library functions and types. ++ * ++ */ ++ ++#include <stdarg.h> ++#include <stddef.h> ++#include <setjmp.h> ++ ++#include <cmocka.h> ++ ++#include "includes.h" ++#include "replace.h" ++ ++#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_ ++#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x) ++ ++#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h" ++#include "gsskrb5_locl.h" ++ ++/****************************************************************************** ++ * Helper functions ++ ******************************************************************************/ ++ ++const uint8_t *valid_range_begin; ++const uint8_t *valid_range_end; ++const uint8_t *invalid_range_end; ++ ++/* ++ * 'array_len' is the size of the passed in array. 'buffer_len' is the size to ++ * report in the resulting buffer. ++ */ ++static const gss_buffer_desc get_input_buffer(TALLOC_CTX *mem_ctx, ++ const uint8_t array[], ++ const size_t array_len, ++ const size_t buffer_len) ++{ ++ gss_buffer_desc buf; ++ ++ /* Add some padding to catch invalid memory accesses. 
*/ ++ const size_t padding = 0x100; ++ const size_t padded_len = array_len + padding; ++ ++ uint8_t *data = talloc_size(mem_ctx, padded_len); ++ assert_non_null(data); ++ ++ memcpy(data, array, array_len); ++ memset(data + array_len, 0, padding); ++ ++ assert_in_range(buffer_len, 0, array_len); ++ ++ buf.value = data; ++ buf.length = buffer_len; ++ ++ valid_range_begin = buf.value; ++ valid_range_end = valid_range_begin + buf.length; ++ invalid_range_end = valid_range_begin + padded_len; ++ ++ return buf; ++} ++ ++static void assert_mem_in_valid_range(const uint8_t *ptr, const size_t len) ++{ ++ /* Ensure we've set up the range pointers properly. */ ++ assert_non_null(valid_range_begin); ++ assert_non_null(valid_range_end); ++ assert_non_null(invalid_range_end); ++ ++ /* ++ * Ensure the length isn't excessively large (a symptom of integer ++ * underflow). ++ */ ++ assert_in_range(len, 0, 0x1000); ++ ++ /* Ensure the memory is in our valid range. */ ++ assert_in_range(ptr, valid_range_begin, valid_range_end); ++ assert_in_range(ptr + len, valid_range_begin, valid_range_end); ++} ++ ++/* ++ * This function takes a pointer to volatile to allow it to be called from the ++ * ct_memcmp() wrapper. ++ */ ++static void assert_mem_outside_invalid_range(const volatile uint8_t *ptr, ++ const size_t len) ++{ ++ const LargestIntegralType _valid_range_end ++ = cast_ptr_to_largest_integral_type(valid_range_end); ++ const LargestIntegralType _invalid_range_end ++ = cast_ptr_to_largest_integral_type(invalid_range_end); ++ const LargestIntegralType _ptr = cast_ptr_to_largest_integral_type(ptr); ++ const LargestIntegralType _len = cast_to_largest_integral_type(len); ++ ++ /* Ensure we've set up the range pointers properly. */ ++ assert_non_null(valid_range_begin); ++ assert_non_null(valid_range_end); ++ assert_non_null(invalid_range_end); ++ ++ /* ++ * Ensure the length isn't excessively large (a symptom of integer ++ * underflow). ++ */
_service:tar_scm_kernel_repo:backport-0004-CVE-2022-3437.patch
Added
@@ -0,0 +1,81 @@
+From c22914f845b3eba1c9ad444333f3d044352b7e2c Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH 08/15] CVE-2022-3437 source4/heimdal: Use constant-time
+ memcmp() for arcfour unwrap
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+[jsutton@samba.org Adapted to small differences in comparisons, and
+ removed erroneous duplicate code in conflicting region]
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ source4/heimdal/lib/gssapi/krb5/arcfour.c | 24 +++++++----------------
+ 1 file changed, 7 insertions(+), 17 deletions(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
+index a61f7686e95..c6b317ff683 100644
+--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
++++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ memset(SND_SEQ, 0, sizeof(SND_SEQ));
+ if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+ _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+
+ if (context_handle->more_flags & LOCAL)
+- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ else
+- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
++ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+
+ if (cmp != 0) {
+ *minor_status = 0;
+@@ -1266,19 +1266,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
+ _gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
+
+ if (ctx->more_flags & LOCAL) {
+- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
++ cmp = ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
+ } else {
+- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
+- }
+- if (cmp != 0) {
+- *minor_status = 0;
+- return GSS_S_BAD_MIC;
+- }
+-
+- if (ctx->more_flags & LOCAL) {
+- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
+- } else {
+- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
++ cmp = ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
+ }
+ if (cmp != 0) {
+ *minor_status = 0;
+@@ -1353,7 +1343,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
+ return GSS_S_FAILURE;
+ }
+
+- cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
++ cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+ if (cmp != 0) {
+ *minor_status = 0;
+ return GSS_S_BAD_MIC;
+--
+2.25.1
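Review bot: The six `ct_memcmp()` calls on `SND_SEQ`/`snd_seq` carry no hint of why a constant-time compare is needed for what look like fixed direction markers, so a later cleanup could easily "simplify" them back to `memcmp()`; a comment at the first one in each function records the intent, e.g. `/* constant-time: SND_SEQ appears to be decoded from the peer's token (see _gsskrb5_decode_be_om_uint32 above), and a variable-time compare would leak how many bytes matched */`. The backport note mentions removing duplicate code, and the `@@ -1266` hunk confirms the second `cmp` block in `_gssapi_unwrap_iov_arcfour` is gone, leaving one check as in the other two functions. Since arcfour.c is not shown in full, it is worth confirming that no other `memcmp()` on checksum or sequence data remains in the file after this change. All three enclosing functions start and end outside the hunks.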
_service:tar_scm_kernel_repo:backport-0005-CVE-2022-3437.patch
Added
@@ -0,0 +1,35 @@
+From 5f6dbf2ab29bcd30c701cab3daecf5a6a53a44cd Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:55 +1300
+Subject: [PATCH 09/15] CVE-2022-3437 source4/heimdal: Use constant-time
+ memcmp() in unwrap_des3()
+
+The surrounding checks all use ct_memcmp(), so this one was presumably
+meant to as well.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index b3da35ee9e2..7111a7944fe 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -227,7 +227,7 @@ unwrap_des3
+ if (ret)
+ return ret;
+
+- if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
++ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+ return GSS_S_BAD_SIG;
+ p += 2;
+ if (ct_memcmp (p, "\x02\x00", 2) == 0) {
+--
+2.25.1
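Review bot: The switch to `ct_memcmp (p, "\x04\x00", 2)` makes `unwrap_des3` internally consistent, but its DES counterpart still reads `if (memcmp (p, "\x00\x00", 2) != 0)` — visible as context in the `@@ -76,6 +78,11 @@ unwrap_des` hunk of backport-0009-CVE-2022-3437.patch. The two bytes are an algorithm identifier (the hunk's own comment says HMAC SHA1 DES3_KD) rather than key material, so the timing exposure is probably negligible, but the upstream rationale quoted in this commit message applies equally to `unwrap_des`, and changing it to `ct_memcmp (p, "\x00\x00", 2)` in the same series would remove the asymmetry. `unwrap_des3` starts and ends outside this hunk.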
_service:tar_scm_kernel_repo:backport-0006-CVE-2022-3437.patch
Added
@@ -0,0 +1,51 @@
+From 9f6f1e01aca4f00a5d23127803c81939253e0577 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:42 +1300
+Subject: [PATCH 10/15] CVE-2022-3437 source4/heimdal: Don't pass NULL pointers
+ to memcpy() in DES unwrap
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index 7111a7944fe..9639091cb3a 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -180,9 +180,10 @@ unwrap_des
+ output_message_buffer->value = malloc(output_message_buffer->length);
+ if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+ return GSS_S_FAILURE;
+- memcpy (output_message_buffer->value,
+- p + 24,
+- output_message_buffer->length);
++ if (output_message_buffer->value != NULL)
++ memcpy (output_message_buffer->value,
++ p + 24,
++ output_message_buffer->length);
+ return GSS_S_COMPLETE;
+ }
+ #endif
+@@ -374,9 +375,10 @@ unwrap_des3
+ output_message_buffer->value = malloc(output_message_buffer->length);
+ if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+ return GSS_S_FAILURE;
+- memcpy (output_message_buffer->value,
+- p + 36,
+- output_message_buffer->length);
++ if (output_message_buffer->value != NULL)
++ memcpy (output_message_buffer->value,
++ p + 36,
++ output_message_buffer->length);
+ return GSS_S_COMPLETE;
+ }
+
+--
+2.25.1
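Review bot: The new `if (output_message_buffer->value != NULL)` guards a three-line `memcpy` statement without braces, in both the `unwrap_des` and `unwrap_des3` hunks; since the guard exists precisely because passing NULL to `memcpy` is undefined even with a zero length, the block is worth bracing and commenting so the next edit does not detach it: `if (output_message_buffer->value != NULL) { /* length may be 0, and memcpy(NULL, ...) is UB even then */ memcpy (...); }`. As written, `value` can only be NULL when `length == 0` (the preceding check returns `GSS_S_FAILURE` otherwise), so the caller then gets a `{0, NULL}` buffer; a comment stating that this zero-length result is intentional on platforms where `malloc(0)` returns NULL would make the contract explicit. Both functions start and end outside the hunks.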
_service:tar_scm_kernel_repo:backport-0007-CVE-2022-3437.patch
Added
@@ -0,0 +1,57 @@
+From 5a62eb5734d50fe556934aefa3bac5698372f00e Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 15 Aug 2022 16:53:45 +1200
+Subject: [PATCH 11/15] CVE-2022-3437 source4/heimdal: Avoid undefined
+ behaviour in _gssapi_verify_pad()
+
+By decrementing 'pad' only when we know it's safe, we ensure we can't
+stray backwards past the start of a buffer, which would be undefined
+behaviour.
+
+In the previous version of the loop, 'i' is the number of bytes left to
+check, and 'pad' is the current byte we're checking. 'pad' was
+decremented at the end of each loop iteration. If 'i' was 1 (so we
+checked the final byte), 'pad' could potentially be pointing to the
+first byte of the input buffer, and the decrement would put it one
+byte behind the buffer.
+
+That would be undefined behaviour.
+
+The patch changes it so that 'pad' is the byte we previously checked,
+which allows us to ensure that we only decrement it when we know we
+have a byte to check.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ source4/heimdal/lib/gssapi/krb5/decapsulate.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+index 86085f56950..4e3fcd659e9 100644
+--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
++++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
+ if (wrapped_token->length < 1)
+ return GSS_S_BAD_MECH;
+
+- pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
+- padlength = *pad;
++ pad = (u_char *)wrapped_token->value + wrapped_token->length;
++ padlength = pad[-1];
+
+ if (padlength > datalen)
+ return GSS_S_BAD_MECH;
+
+- for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
++ for (i = padlength; i > 0 && *--pad == padlength; i--)
+ ;
+ if (i != 0)
+ return GSS_S_BAD_MIC;
+--
+2.25.1
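Review bot: The rewritten loop `for (i = padlength; i > 0 && *--pad == padlength; i--)` puts its only side effect inside the condition and leaves an empty `;` body, which is correct but easy to misread as an off-by-one; a comment on the invariant would help, e.g. `/* pad points one past the next byte to examine; it is decremented only once i > 0 guarantees a byte remains, so with padlength <= datalen <= length it never moves before value */`. The accompanying `padlength = pad[-1];` relies on the `wrapped_token->length < 1` check a few lines up, which is worth stating in the same comment since the two lines are not adjacent. `_gssapi_verify_pad` starts and ends outside the hunk.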
_service:tar_scm_kernel_repo:backport-0008-CVE-2022-3437.patch
Added
@@ -0,0 +1,50 @@
+From ebac8bf0478e19849f83af6d44b73d7ab3afd25b Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 15 Aug 2022 16:53:55 +1200
+Subject: [PATCH 12/15] CVE-2022-3437 source4/heimdal: Check the result of
+ _gsskrb5_get_mech()
+
+We should make sure that the result of 'total_len - mech_len' won't
+overflow, and that we don't memcmp() past the end of the buffer.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ selftest/knownfail.d/heimdal-des-overflow | 1 -
+ source4/heimdal/lib/gssapi/krb5/decapsulate.c | 4 ++++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+index 23acbb43d31..68b304530db 100644
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ b/selftest/knownfail.d/heimdal-des-overflow
+@@ -3,7 +3,6 @@
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+index 4e3fcd659e9..031a621eabc 100644
+--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
++++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
+
+ if (mech_len != mech->length)
+ return GSS_S_BAD_MECH;
++ if (mech_len > total_len)
++ return GSS_S_BAD_MECH;
++ if (p - *str > total_len - mech_len)
++ return GSS_S_BAD_MECH;
+ if (ct_memcmp(p,
+ mech->elements,
+ mech->length) != 0)
+--
+2.25.1
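Review bot: `if (p - *str > total_len - mech_len)` compares a `ptrdiff_t` with what is presumably an unsigned length; the difference is non-negative here (p has been advanced from *str), so the usual arithmetic conversions give the right answer, but it will trip `-Wsign-compare`, and an explicit `(size_t)(p - *str)` — or a named `size_t consumed = p - *str;` — makes the intent readable. A short comment tying the two new checks together would also help, e.g. `/* the ct_memcmp below reads mech_len bytes from p; these two checks keep that read inside *str + total_len and keep the subtraction from wrapping */`. `_gssapi_verify_mech_header` starts and ends outside the hunk.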
_service:tar_scm_kernel_repo:backport-0009-CVE-2022-3437.patch
Added
@@ -0,0 +1,79 @@
+From 1aca34515515f2cb00fbf5ad8b9212b319f01836 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 15 Aug 2022 16:54:23 +1200
+Subject: [PATCH 13/15] CVE-2022-3437 source4/heimdal: Check buffer length
+ against overflow for DES{,3} unwrap
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ selftest/knownfail.d/heimdal-des-overflow | 5 -----
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++++++++
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+index 68b304530db..94a49bbee7f 100644
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ b/selftest/knownfail.d/heimdal-des-overflow
+@@ -1,8 +1,3 @@
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index 9639091cb3a..70d26a75ccf 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -64,6 +64,8 @@ unwrap_des
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 22 + 8 + 15; /* 45 */
++ if (input_message_buffer->length < token_len)
++ return GSS_S_BAD_MECH;
+ } else {
+ token_len = input_message_buffer->length;
+ }
+@@ -76,6 +78,11 @@ unwrap_des
+ if (ret)
+ return ret;
+
++ len = (p - (u_char *)input_message_buffer->value)
++ + 22 + 8;
++ if (input_message_buffer->length < len)
++ return GSS_S_BAD_MECH;
++
+ if (memcmp (p, "\x00\x00", 2) != 0)
+ return GSS_S_BAD_SIG;
+ p += 2;
+@@ -216,6 +223,8 @@ unwrap_des3
+
+ if (IS_DCE_STYLE(context_handle)) {
+ token_len = 34 + 8 + 15; /* 57 */
++ if (input_message_buffer->length < token_len)
++ return GSS_S_BAD_MECH;
+ } else {
+ token_len = input_message_buffer->length;
+ }
+@@ -228,6 +237,11 @@ unwrap_des3
+ if (ret)
+ return ret;
+
++ len = (p - (u_char *)input_message_buffer->value)
++ + 34 + 8;
++ if (input_message_buffer->length < len)
++ return GSS_S_BAD_MECH;
++
+ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+ return GSS_S_BAD_SIG;
+ p += 2;
+--
+2.25.1
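Review bot: The header sizes are repeated as bare arithmetic in both functions — `22 + 8 + 15`, `22 + 8`, `34 + 8 + 15`, `34 + 8` — and the new `len = ... + 22 + 8;` bounds only make sense to a reader who already knows what 22/34 and 8 stand for (presumably the fixed token header after the mech header and the 8-byte confounder), which nothing in the hunks states; naming them, e.g. `enum { DES_HDR_LEN = 22, DES3_HDR_LEN = 34, CONFOUNDER_LEN = 8 };` above the functions, or at least a comment `/* header plus 8-byte confounder must fit in the input */` on each check, would make the two new bounds reviewable. `len` is used here as a temporary for the minimum size; if, as the `length - len - 8` call in backport-0011-CVE-2022-3437.patch suggests, it is later reassigned to the plain header offset, a dedicated `size_t min_len` would avoid confusing the two meanings. `unwrap_des` and `unwrap_des3` both start and end outside the hunks.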
_service:tar_scm_kernel_repo:backport-0010-CVE-2022-3437.patch
Added
@@ -0,0 +1,48 @@
+From 77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 10 Oct 2022 20:33:09 +1300
+Subject: [PATCH 14/15] CVE-2022-3437 source4/heimdal: Check for overflow in
+ _gsskrb5_get_mech()
+
+If len_len is equal to total_len - 1 (i.e. the input consists only of a
+0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
+used as the 'len' parameter to der_get_length(), will overflow to
+SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
+whatever data follows in memory. Add a check to ensure that doesn't
+happen.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ selftest/knownfail.d/heimdal-des-overflow | 1 -
+ source4/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
+ 2 files changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+index 94a49bbee7f..a7416dc61d9 100644
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ b/selftest/knownfail.d/heimdal-des-overflow
+@@ -1,3 +1,2 @@
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+ ^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+index 031a621eabc..d7b75a64222 100644
+--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
++++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
+ e = der_get_length (p, total_len - 1, &len, &len_len);
+ if (e || 1 + len_len + len != total_len)
+ return -1;
++ if (total_len < 1 + len_len + 1)
++ return -1;
+ p += len_len;
+ if (*p++ != 0x06)
+ return -1;
+--
+2.25.1
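Review bot: The new `if (total_len < 1 + len_len + 1) return -1;` follows directly after `if (e || 1 + len_len + len != total_len) return -1;`, and given that equality it amounts to rejecting `len == 0` — which is exactly what the next lines need, since `p += len_len; if (*p++ != 0x06)` reads the byte at offset `1 + len_len`. That derivation, and the link to the `total_len - 1 - len_len - 1` expression the commit message describes but which lies outside the hunk, deserve a comment so the check is not later judged redundant and dropped, e.g. `/* need at least the 0x06 OID tag after the length field; also keeps total_len - 1 - len_len - 1 below from wrapping */`. `_gsskrb5_get_mech` starts and ends outside the hunk.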
_service:tar_scm_kernel_repo:backport-0011-CVE-2022-3437.patch
Added
@@ -0,0 +1,58 @@
+From e9db03736007721e37c4fba847ce4aa0c4520924 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:33 +1300
+Subject: [PATCH 15/15] CVE-2022-3437 source4/heimdal: Pass correct length to
+ _gssapi_verify_pad()
+
+We later subtract 8 when calculating the length of the output message
+buffer. If padlength is excessively high, this calculation can underflow
+and result in a very large positive value.
+
+Now we properly constrain the value of padlength so underflow shouldn't
+be possible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
+---
+ selftest/knownfail.d/heimdal-des-overflow | 2 --
+ source4/heimdal/lib/gssapi/krb5/unwrap.c | 4 ++--
+ 2 files changed, 2 insertions(+), 4 deletions(-)
+ delete mode 100644 selftest/knownfail.d/heimdal-des-overflow
+
+diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
+deleted file mode 100644
+index a7416dc61d9..00000000000
+--- a/selftest/knownfail.d/heimdal-des-overflow
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
+-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
+diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+index 70d26a75ccf..ed8f7d78ffa 100644
+--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
++++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
+@@ -124,7 +124,7 @@ unwrap_des
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+- input_message_buffer->length - len,
++ input_message_buffer->length - len - 8,
+ &padlength);
+ if (ret)
+ return ret;
+@@ -289,7 +289,7 @@ unwrap_des3
+ } else {
+ /* check pad */
+ ret = _gssapi_verify_pad(input_message_buffer,
+- input_message_buffer->length - len,
++ input_message_buffer->length - len - 8,
+ &padlength);
+ if (ret)
+ return ret;
+--
+2.25.1
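Review bot: `input_message_buffer->length - len - 8` is an unsigned subtraction that is safe only because backport-0009-CVE-2022-3437.patch rejects inputs shorter than the header plus 8 bytes earlier in both functions; that dependency lives in a different patch and is invisible at this call site, so a comment is warranted, e.g. `/* length >= len + 8 was checked above (header + confounder), so this cannot wrap */`. This assumes `len` at this point is the header offset recomputed after the 0009 check rather than the temporary that check assigns (which already includes the 8); worth confirming against the full function, since the two hunks here do not show where `len` is last assigned. `unwrap_des` and `unwrap_des3` start and end outside the hunks.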