openEuler:20.03:LTS:SP3
samba
We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Changes of Revision 24
_service:tar_scm_kernel_repo:samba.spec
Changed
@@ -49,7 +49,7 @@ Name: samba Version: 4.11.12 -Release: 19 +Release: 20 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ @@ -290,6 +290,10 @@ Patch6361: backport-0009-CVE-2022-3437.patch Patch6362: backport-0010-CVE-2022-3437.patch Patch6363: backport-0011-CVE-2022-3437.patch +Patch6364: backport-0001-CVE-2022-42898.patch +Patch6365: backport-0002-CVE-2022-42898.patch +Patch6366: backport-0003-CVE-2022-42898.patch +Patch6367: backport-0004-CVE-2022-42898.patch BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel @@ -3348,6 +3352,12 @@ %{_mandir}/man* %changelog +* Tue Nov 22 2022 zhouyihang <zhouyihang3@h-partners.com> - 4.11.12-20 +- Type:cves +- CVE:CVE-2022-42898 +- SUG:NA +- DESC:fix CVE-2022-42898 + * Thu Oct 27 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-19 - Type:cves - CVE:CVE-2022-3437
_service:tar_scm_kernel_repo:backport-0001-CVE-2022-42898.patch
Added
@@ -0,0 +1,75 @@
+From 90fbe4af03e9063cb29a1d026d18fefd6c767c7d Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Thu, 21 May 2015 14:05:31 -0500
+Subject: [PATCH 1/4] CVE-2022-42898 source4/heimdal: Add bswap64()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
+
+[jsutton@samba.org backported from Heimdal commit
+ 0271b171e5331f0f562319b887f5f0b058ecc9b4; removed changes to
+ cf/roken-frag.m4 that we don't have]
+---
+ source4/heimdal/lib/roken/bswap.c | 17 +++++++++++++++++
+ source4/heimdal/lib/roken/roken.h.in | 5 +++++
+ source4/heimdal/lib/roken/version-script.map | 1 +
+ 3 files changed, 23 insertions(+)
+
+diff --git a/source4/heimdal/lib/roken/bswap.c b/source4/heimdal/lib/roken/bswap.c
+index 7f8c1c22b1b..b0c4248da11 100644
+--- a/source4/heimdal/lib/roken/bswap.c
++++ b/source4/heimdal/lib/roken/bswap.c
+@@ -34,6 +34,23 @@
+ #include <config.h>
+ #include "roken.h"
+
++#ifndef HAVE_BSWAP64
++
++ROKEN_LIB_FUNCTION uint64_t ROKEN_LIB_CALL
++bswap64 (uint64_t val)
++{
++ return
++ (val & 0xffULL) << 56 |
++ (val & 0xff00ULL) << 40 |
++ (val & 0xff0000ULL) << 24 |
++ (val & 0xff000000ULL) << 8 |
++ (val & 0xff00000000ULL) >> 8 |
++ (val & 0xff0000000000ULL) >> 24 |
++ (val & 0xff000000000000ULL) >> 40 |
++ (val & 0xff00000000000000ULL) >> 56 ;
++}
++#endif
++
+ #ifndef HAVE_BSWAP32
+
+ ROKEN_LIB_FUNCTION unsigned int ROKEN_LIB_CALL
+diff --git a/source4/heimdal/lib/roken/roken.h.in b/source4/heimdal/lib/roken/roken.h.in
+index a6299aee8e5..13a5d943ba2 100644
+--- a/source4/heimdal/lib/roken/roken.h.in
++++ b/source4/heimdal/lib/roken/roken.h.in
+@@ -696,6 +696,11 @@ ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL pidfile (const char*);
+ #endif
+ #endif
+
++#ifndef HAVE_BSWAP64
++#define bswap64 rk_bswap64
++ROKEN_LIB_FUNCTION uint64_t ROKEN_LIB_CALL bswap64(uint64_t);
++#endif
++
+ #ifndef HAVE_BSWAP32
+ #define bswap32 rk_bswap32
+ ROKEN_LIB_FUNCTION unsigned int ROKEN_LIB_CALL bswap32(unsigned int);
+diff --git a/source4/heimdal/lib/roken/version-script.map b/source4/heimdal/lib/roken/version-script.map
+index 9229a373cd7..34b42a3639f 100644
+--- a/source4/heimdal/lib/roken/version-script.map
++++ b/source4/heimdal/lib/roken/version-script.map
+@@ -38,6 +38,7 @@ HEIMDAL_ROKEN_1.0 {
+ rk_asprintf;
+ rk_bswap16;
+ rk_bswap32;
++ rk_bswap64;
+ rk_cgetent;
+ rk_cgetstr;
+ rk_cloexec;
+--
+2.35.0
+
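Review bot: Nothing visible in this patch defines `HAVE_BSWAP64`, and the commit message says the `cf/roken-frag.m4` change was dropped, so the `#ifndef HAVE_BSWAP64` branches in `bswap.c` and `roken.h.in` may be taken on every build. If the Samba build does not probe for `bswap64` elsewhere, `#define bswap64 rk_bswap64` could collide with a platform header that already provides `bswap64` as a macro; please confirm that a configure-side check exists. The fallback in `bswap.c` also has no comment, and a line such as `/* Portable fallback for platforms without bswap64(); used by krb5_ret_int64()/krb5_store_int64(). */` above it would record why it was backported for this CVE.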
_service:tar_scm_kernel_repo:backport-0002-CVE-2022-42898.patch
Added
@@ -0,0 +1,289 @@
+From a1a2eeb278cd0b504c9229cd7152f74463232fc4 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Thu, 21 May 2015 14:24:38 -0500
+Subject: [PATCH 2/4] CVE-2022-42898 source4/heimdal: Add
+ krb5_ret/store_[u]int64()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
+
+[jsutton@samba.org backported from Heimdal commit
+ 996d4c5db3c8aee10b7496591db13f52a575cef5; removed changes to
+ lib/krb5/libkrb5-exports.def.in which we don't have]
+---
+ source4/heimdal/lib/krb5/store-int.c | 13 +-
+ source4/heimdal/lib/krb5/store.c | 132 +++++++++++++++++---
+ source4/heimdal/lib/krb5/version-script.map | 4 +
+ 3 files changed, 133 insertions(+), 16 deletions(-)
+
+diff --git a/source4/heimdal/lib/krb5/store-int.c b/source4/heimdal/lib/krb5/store-int.c
+index d5776297181..542b99abc08 100644
+--- a/source4/heimdal/lib/krb5/store-int.c
++++ b/source4/heimdal/lib/krb5/store-int.c
+@@ -34,7 +34,7 @@
+ #include "krb5_locl.h"
+
+ KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
+-_krb5_put_int(void *buffer, unsigned long value, size_t size)
++_krb5_put_int(void *buffer, uint64_t value, size_t size)
+ {
+ unsigned char *p = buffer;
+ int i;
+@@ -46,7 +46,7 @@ _krb5_put_int(void *buffer, unsigned long value, size_t size)
+ }
+
+ KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
+-_krb5_get_int(void *buffer, unsigned long *value, size_t size)
++_krb5_get_int64(void *buffer, uint64_t *value, size_t size)
+ {
+ unsigned char *p = buffer;
+ unsigned long v = 0;
+@@ -56,3 +56,12 @@ _krb5_get_int(void *buffer, unsigned long *value, size_t size)
+ *value = v;
+ return size;
+ }
++
++KRB5_LIB_FUNCTION krb5_ssize_t KRB5_LIB_CALL
++_krb5_get_int(void *buffer, unsigned long *value, size_t size)
++{
++ uint64_t v64;
++ krb5_ssize_t bytes = _krb5_get_int64(buffer, &v64, size);
++ *value = v64;
++ return bytes;
++}
+diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
+index 31afb23c983..df0227b39de 100644
+--- a/source4/heimdal/lib/krb5/store.c
++++ b/source4/heimdal/lib/krb5/store.c
+@@ -318,13 +318,13 @@ krb5_storage_to_data(krb5_storage *sp, krb5_data *data)
+
+ static krb5_error_code
+ krb5_store_int(krb5_storage *sp,
+- int32_t value,
++ int64_t value,
+ size_t len)
+ {
+ int ret;
+- unsigned char v[16];
++ unsigned char v[8];
+
+- if(len > sizeof(v))
++ if (len > sizeof(v))
+ return EINVAL;
+ _krb5_put_int(v, value, len);
+ ret = sp->store(sp, v, len);
+@@ -358,6 +358,33 @@ krb5_store_int32(krb5_storage *sp,
+ return krb5_store_int(sp, value, 4);
+ }
+
++/**
++ * Store a int64 to storage, byte order is controlled by the settings
++ * on the storage, see krb5_storage_set_byteorder().
++ *
++ * @param sp the storage to write too
++ * @param value the value to store
++ *
++ * @return 0 for success, or a Kerberos 5 error code on failure.
++ *
++ * @ingroup krb5_storage
++ */
++
++KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
++krb5_store_int64(krb5_storage *sp,
++ int64_t value)
++{
++ if (BYTEORDER_IS_HOST(sp))
++#ifdef WORDS_BIGENDIAN
++ ;
++#else
++ value = bswap64(value); /* There's no ntohll() */
++#endif
++ else if (BYTEORDER_IS_LE(sp))
++ value = bswap64(value);
++ return krb5_store_int(sp, value, 8);
++}
++
+ /**
+ * Store a uint32 to storage, byte order is controlled by the settings
+ * on the storage, see krb5_storage_set_byteorder().
+@@ -377,24 +404,99 @@ krb5_store_uint32(krb5_storage *sp,
+ return krb5_store_int32(sp, (int32_t)value);
+ }
+
++/**
++ * Store a uint64 to storage, byte order is controlled by the settings
++ * on the storage, see krb5_storage_set_byteorder().
++ *
++ * @param sp the storage to write too
++ * @param value the value to store
++ *
++ * @return 0 for success, or a Kerberos 5 error code on failure.
++ *
++ * @ingroup krb5_storage
++ */
++
++KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
++krb5_store_uint64(krb5_storage *sp,
++ uint64_t value)
++{
++ return krb5_store_int64(sp, (int64_t)value);
++}
++
+ static krb5_error_code
+ krb5_ret_int(krb5_storage *sp,
+- int32_t *value,
++ int64_t *value,
+ size_t len)
+ {
+ int ret;
+- unsigned char v[4];
+- unsigned long w;
++ unsigned char v[8];
++ uint64_t w;
+ ret = sp->fetch(sp, v, len);
+ if (ret < 0)
+ return errno;
+ if ((size_t)ret != len)
+ return sp->eof_code;
+- _krb5_get_int(v, &w, len);
++ _krb5_get_int64(v, &w, len);
+ *value = w;
+ return 0;
+ }
+
++/**
++ * Read a int64 from storage, byte order is controlled by the settings
++ * on the storage, see krb5_storage_set_byteorder().
++ *
++ * @param sp the storage to write too
++ * @param value the value read from the buffer
++ *
++ * @return 0 for success, or a Kerberos 5 error code on failure.
++ *
++ * @ingroup krb5_storage
++ */
++
++KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
++krb5_ret_int64(krb5_storage *sp,
++ int64_t *value)
++{
++ krb5_error_code ret = krb5_ret_int(sp, value, 8);
++ if(ret)
++ return ret;
++ if(BYTEORDER_IS_HOST(sp))
++#ifdef WORDS_BIGENDIAN
++ ;
++#else
++ *value = bswap64(*value); /* There's no ntohll() */
++#endif
++ else if(BYTEORDER_IS_LE(sp))
++ *value = bswap64(*value);
++ return 0;
++}
++
++/**
++ * Read a uint64 from storage, byte order is controlled by the settings
++ * on the storage, see krb5_storage_set_byteorder().
++ *
++ * @param sp the storage to write too
++ * @param value the value read from the buffer
++ *
++ * @return 0 for success, or a Kerberos 5 error code on failure.
++ *
++ * @ingroup krb5_storage
++ */
++
++KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
++krb5_ret_uint64(krb5_storage *sp,
++ uint64_t *value)
++{
++ krb5_error_code ret;
_service:tar_scm_kernel_repo:backport-0003-CVE-2022-42898.patch
Added
@@ -0,0 +1,29 @@
+From ca3eac467b1d225bb54b8a156f3b3ea2dc107895 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Wed, 16 Nov 2016 11:39:27 -0600
+Subject: [PATCH 3/4] CVE-2022-42898 source4/heimdal: Round #2 of scan-build
+ warnings cleanup
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
+
+[jsutton@samba.org Kept only the modification to lib/krb5/store.c to
+ avoid a build error]
+---
+ source4/heimdal/lib/krb5/store.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source4/heimdal/lib/krb5/store.c b/source4/heimdal/lib/krb5/store.c
+index df0227b39de..39e51ec3dc8 100644
+--- a/source4/heimdal/lib/krb5/store.c
++++ b/source4/heimdal/lib/krb5/store.c
+@@ -431,6 +431,7 @@ krb5_ret_int(krb5_storage *sp,
+ int ret;
+ unsigned char v[8];
+ uint64_t w;
++ *value = 0; /* quiets warnings */
+ ret = sp->fetch(sp, v, len);
+ if (ret < 0)
+ return errno;
+--
+2.35.0
+
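Review bot: `krb5_ret_int()` still hands the caller's `len` to `sp->fetch(sp, v, len)` with an 8-byte `v` and no bound on `len`; the write side, `krb5_store_int()` in patch 2/4, rejects `len > sizeof(v)`, and the read side should mirror it with `if (len > sizeof(v)) return EINVAL;` ahead of the fetch. The function is static and both its callers and the rest of its body lie outside this hunk, so this is presumably hardening rather than a reachable overflow. The comment `/* quiets warnings */` undersells the added line, which also gives callers a defined `*value` on the early error returns; `/* defined result if the fetch fails or is short */` would say so. Related, from patch 2/4 on this page: `_krb5_get_int64()` keeps `unsigned long v = 0;` as its accumulator, which would drop the upper half of an 8-byte value on targets where `unsigned long` is 32 bits; confirm this against the full function, whose loop is not shown.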
_service:tar_scm_kernel_repo:backport-0004-CVE-2022-42898.patch
Added
@@ -0,0 +1,809 @@
+From 38dcbb82b084b8eeb97614f655a5f1d451ee6e20 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Fri, 14 Oct 2022 16:45:37 +1300
+Subject: [PATCH 4/4] CVE-2022-42898 source4/heimdal: PAC parse integer
+ overflows
+
+Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
+
+Heavily edited by committer Nico Williams <nico@twosigma.com>, original by
+Joseph Sutton <josephsutton@catalyst.net.nz>.
+
+Signed-off-by: Nico Williams <nico@twosigma.com>
+
+[jsutton@samba.org Zero-initialised header_size in krb5_pac_parse() to
+ avoid a maybe-uninitialized error; added a missing check for ret == 0]
+
+[jsutton@samba.org Backported to our older version of Heimdal; removed
+ lib/krb5/test_pac.c which we don't have]
+---
+ source4/heimdal/lib/krb5/pac.c | 521 +++++++++++++++++++++------------
+ 1 file changed, 358 insertions(+), 163 deletions(-)
+
+diff --git a/source4/heimdal/lib/krb5/pac.c b/source4/heimdal/lib/krb5/pac.c
+index 100de904662..0641c0c57bc 100644
+--- a/source4/heimdal/lib/krb5/pac.c
++++ b/source4/heimdal/lib/krb5/pac.c
+@@ -34,19 +34,34 @@
+ #include "krb5_locl.h"
+ #include <wind.h>
+
++/*
++ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/3341cfa2-6ef5-42e0-b7bc-4544884bf399
++ */
+ struct PAC_INFO_BUFFER {
+- uint32_t type;
+- uint32_t buffersize;
+- uint32_t offset_hi;
+- uint32_t offset_lo;
++ uint32_t type; /* ULONG ulType in the original */
++ uint32_t buffersize; /* ULONG cbBufferSize in the original */
++ uint64_t offset; /* ULONG64 Offset in the original
++ * this being the offset from the beginning of the
++ * struct PACTYPE to the beginning of the buffer
++ * containing data of type ulType
++ */
+ };
+
++/*
++ * https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/6655b92f-ab06-490b-845d-037e6987275f
++ */
+ struct PACTYPE {
+- uint32_t numbuffers;
+- uint32_t version;
+- struct PAC_INFO_BUFFER buffers[1];
++ uint32_t numbuffers; /* named cBuffers of type ULONG in the original */
++ uint32_t version; /* Named Version of type ULONG in the original */
++ struct PAC_INFO_BUFFER buffers[1]; /* an ellipsis (...) in the original */
+ };
+
++/*
++ * A PAC starts with a PACTYPE header structure that is followed by an array of
++ * numbuffers PAC_INFO_BUFFER structures, each of which points to a buffer
++ * beyond the last PAC_INFO_BUFFER structures.
++ */
++
+ struct krb5_pac_data {
+ struct PACTYPE *pac;
+ krb5_data data;
+@@ -80,6 +95,60 @@ struct krb5_pac_data {
+
+ static const char zeros[PAC_ALIGNMENT] = { 0 };
+
++/*
++ * Returns the size of the PACTYPE header + the PAC_INFO_BUFFER array. This is
++ * also the end of the whole thing, and any offsets to buffers from
++ * thePAC_INFO_BUFFER[] entries have to be beyond it.
++ */
++static krb5_error_code
++pac_header_size(krb5_context context, uint32_t num_buffers, uint32_t *result)
++{
++ krb5_error_code ret;
++ uint32_t header_size;
++
++ /* Guard against integer overflow */
++ if (num_buffers > UINT32_MAX / PAC_INFO_BUFFER_SIZE) {
++ ret = EOVERFLOW;
++ krb5_set_error_message(context, ret, "PAC has too many buffers");
++ return ret;
++ }
++ header_size = PAC_INFO_BUFFER_SIZE * num_buffers;
++
++ /* Guard against integer overflow */
++ if (header_size > UINT32_MAX - PACTYPE_SIZE) {
++ ret = EOVERFLOW;
++ krb5_set_error_message(context, ret, "PAC has too many buffers");
++ return ret;
++ }
++ header_size += PACTYPE_SIZE;
++
++ *result = header_size;
++
++ return 0;
++}
++
++/* Output `size' + `addend' + padding for alignment if it doesn't overflow */
++static krb5_error_code
++pac_aligned_size(krb5_context context,
++ uint32_t size,
++ uint32_t addend,
++ uint32_t *aligned_size)
++{
++ krb5_error_code ret;
++
++ if (size > UINT32_MAX - addend ||
++ (size + addend) > UINT32_MAX - (PAC_ALIGNMENT - 1)) {
++ ret = EOVERFLOW;
++ krb5_set_error_message(context, ret, "integer overrun");
++ return ret;
++ }
++ size += addend;
++ size += PAC_ALIGNMENT - 1;
++ size &= ~(PAC_ALIGNMENT - 1);
++ *aligned_size = size;
++ return 0;
++}
++
+ /*
+ * HMAC-MD5 checksum over any key (needed for the PAC routines)
+ */
+@@ -120,140 +120,150 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL
+ krb5_pac_parse(krb5_context context, const void *ptr, size_t len,
+ krb5_pac *pac)
+ {
+- krb5_error_code ret;
++ krb5_error_code ret = 0;
+ krb5_pac p;
+ krb5_storage *sp = NULL;
+- uint32_t i, tmp, tmp2, header_end;
++ uint32_t i, num_buffers, version, header_size = 0;
++ uint32_t prev_start = 0;
++ uint32_t prev_end = 0;
+
++ *pac = NULL;
+ p = calloc(1, sizeof(*p));
+- if (p == NULL) {
+- ret = krb5_enomem(context);
+- goto out;
+- }
+-
+- sp = krb5_storage_from_readonly_mem(ptr, len);
+- if (sp == NULL) {
+- ret = krb5_enomem(context);
+- goto out;
+- }
+- krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
+-
+- CHECK(ret, krb5_ret_uint32(sp, &tmp), out);
+- CHECK(ret, krb5_ret_uint32(sp, &tmp2), out);
+- if (tmp < 1) {
+- ret = EINVAL; /* Too few buffers */
+- krb5_set_error_message(context, ret, N_("PAC have too few buffer", ""));
+- goto out;
+- }
+- if (tmp2 != 0) {
+- ret = EINVAL; /* Wrong version */
+- krb5_set_error_message(context, ret,
+- N_("PAC have wrong version %d", ""),
+- (int)tmp2);
+- goto out;
++ if (p)
++ sp = krb5_storage_from_readonly_mem(ptr, len);
++ if (sp == NULL)
++ ret = krb5_enomem(context);
++ if (ret == 0) {
++ krb5_storage_set_flags(sp, KRB5_STORAGE_BYTEORDER_LE);
++ ret = krb5_ret_uint32(sp, &num_buffers);
+ }
+-
+- p->pac = calloc(1,
+- sizeof(*p->pac) + (sizeof(p->pac->buffers[0]) * (tmp - 1)));
+- if (p->pac == NULL) {
+- ret = krb5_enomem(context);
+- goto out;
++ if (ret == 0)
++ ret = krb5_ret_uint32(sp, &version);
++ if (ret == 0 && num_buffers < 1)
++ krb5_set_error_message(context, ret = EINVAL,
++ N_("PAC has too few buffers", ""));
++ if (ret == 0 && num_buffers > 1000)
++ krb5_set_error_message(context, ret = EINVAL,
++ N_("PAC has too many buffers", ""));
++ if (ret == 0 && version != 0)
++ krb5_set_error_message(context, ret = EINVAL,
++ N_("PAC has wrong version %d", ""),
++ (int)version);
++ if (ret == 0)
++ ret = pac_header_size(context, num_buffers, &header_size);