openEuler:20.03:LTS:SP3
samba
Changes of Revision 26
_service:tar_scm_kernel_repo:samba.spec
Changed
@@ -49,7 +49,7 @@ Name: samba Version: 4.11.12 -Release: 21 +Release: 22 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ @@ -296,6 +296,8 @@ Patch6367: backport-0004-CVE-2022-42898.patch Patch6368: backport-s3waf-Fix-version-number-of-public-libsmbconf.patch Patch6369: backport-waf-Fix-SO-version-number-of-libsamba-errors.patch +Patch6370: backport-0001-CVE-2022-44640.patch +Patch6371: backport-0002-CVE-2022-44640.patch BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel @@ -3354,6 +3356,12 @@ %{_mandir}/man* %changelog +* Sat Dec 17 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-22 +- Type:cves +- CVE:CVE-2022-44640 +- SUG:NA +- DESC:fix CVE-2022-44640 + * Fri Dec 02 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-21 - Type:bugfix - CVE:NA
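Review bot: the Patch6370/Patch6371 declarations in the second hunk need a matching application step in %prep, which this diff does not show. If the spec applies patches with explicit %patch lines rather than %autosetup, the two new files would be declared but never applied, so check that section before merging.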
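Review bot: the changelog hunk's DESC line says only "fix CVE-2022-44640". The two patches are backports of distinct Heimdal fixes (the ASN.1 CHOICE decoder invalid free from upstream commit ea5ec8f174920cb80ce2b168b49195378420449e, and the KDC PA-ENC-TS-ENC use-after-free from commit 7151d4e66c07b42c15187becd61fb20e0666458a, both cited in the patch headers); naming them in the DESC would make later audits of what was backported much easier.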
_service:tar_scm_kernel_repo:backport-0001-CVE-2022-44640.patch
Added
@@ -0,0 +1,112 @@ +From b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f Mon Sep 17 00:00:00 2001 +From: Nicolas Williams <nico@twosigma.com> +Date: Wed, 10 Mar 2021 16:49:04 -0600 +Subject: [PATCH 1/2] CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec + +This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3. + +Heimdal's ASN.1 compiler generates code that allows specially +crafted DER encodings of CHOICEs to invoke the wrong free function +on the decoded structure upon decode error. This is known to impact +the Heimdal KDC, leading to an invalid free() of an address partly +or wholly under the control of the attacker, in turn leading to a +potential remote code execution (RCE) vulnerability. + +This error affects the DER codec for all CHOICE types used in +Heimdal, though not all cases will be exploitable. We have not +completed a thorough analysis of all the Heimdal components +affected, thus the Kerberos client, the X.509 library, and other +parts, may be affected as well. + +This bug has been in Heimdal since 2005. It was first reported by +Douglas Bagnall, though it had been found independently by the +Heimdal maintainers via fuzzing a few weeks earlier. + +While no zero-day exploit is known, such an exploit will likely be +available soon after public disclosure. 
+ +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 + +[abartlet@samba.org Adapted from Heimdal commit +ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15 +by dropping fuzz-inputs file and EXPORTS entry for fuzzing] + +Signed-off-by: Andrew Bartlett <abartlet@samba.org> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17679 +--- + source4/heimdal/lib/asn1/gen_decode.c | 12 ++++++------ + source4/heimdal/lib/asn1/gen_free.c | 7 +++++++ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/source4/heimdal/lib/asn1/gen_decode.c b/source4/heimdal/lib/asn1/gen_decode.c +index 9d816d5400d7..bf2d93b806df 100644 +--- a/source4/heimdal/lib/asn1/gen_decode.c ++++ b/source4/heimdal/lib/asn1/gen_decode.c +@@ -584,14 +584,14 @@ decode_type (const char *name, const Type *t, int optional, + classname(cl), + ty ? "CONS" : "PRIM", + valuename(cl, tag)); ++ fprintf(codefile, ++ "(%s)->element = %s;\n", ++ name, m->label); + if (asprintf (&s, "%s(%s)->u.%s", m->optional ? 
"" : "&", + name, m->gen_name) < 0 || s == NULL) + errx(1, "malloc"); + decode_type (s, m->type, m->optional, forwstr, m->gen_name, NULL, + depth + 1); +- fprintf(codefile, +- "(%s)->element = %s;\n", +- name, m->label); + free(s); + fprintf(codefile, + "}\n"); +@@ -600,23 +600,23 @@ decode_type (const char *name, const Type *t, int optional, + if (have_ellipsis) { + fprintf(codefile, + "else {\n" ++ "(%s)->element = %s;\n" + "(%s)->u.%s.data = calloc(1, len);\n" + "if ((%s)->u.%s.data == NULL) {\n" + "e = ENOMEM; %s;\n" + "}\n" + "(%s)->u.%s.length = len;\n" + "memcpy((%s)->u.%s.data, p, len);\n" +- "(%s)->element = %s;\n" + "p += len;\n" + "ret += len;\n" + "len = 0;\n" + "}\n", ++ name, have_ellipsis->label, + name, have_ellipsis->gen_name, + name, have_ellipsis->gen_name, + forwstr, + name, have_ellipsis->gen_name, +- name, have_ellipsis->gen_name, +- name, have_ellipsis->label); ++ name, have_ellipsis->gen_name); + } else { + fprintf(codefile, + "else {\n" +diff --git a/source4/heimdal/lib/asn1/gen_free.c b/source4/heimdal/lib/asn1/gen_free.c +index b9cae7533b17..74449fe6ca82 100644 +--- a/source4/heimdal/lib/asn1/gen_free.c ++++ b/source4/heimdal/lib/asn1/gen_free.c +@@ -61,6 +61,13 @@ free_type (const char *name, const Type *t, int preserve) + case TNull: + case TGeneralizedTime: + case TUTCTime: ++ /* ++ * This doesn't do much, but it leaves zeros where garbage might ++ * otherwise have been found. Gets us closer to having the equivalent ++ * of a memset()-to-zero data structure after calling the free ++ * functions. ++ */ ++ fprintf(codefile, "*%s = 0;\n", name); + break; + case TBitString: + if (ASN1_TAILQ_EMPTY(t->members)) +-- +2.34.1 \ No newline at end of file
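Review bot: in the first gen_decode.c hunk (@@ -584), moving the `(%s)->element = %s;` emission ahead of the nested decode_type call is the substantive fix: the generated decoder now records which CHOICE arm is being decoded before that arm can fail, so the free function invoked on the error path dispatches on the arm that was actually (partially) filled instead of on whatever `element` held before. Since the ordering is load-bearing and a future tidy-up could easily move it back, add a one-line comment beside the fprintf stating why element must be set first. Note also that the backport drops the upstream fuzz-inputs file, so nothing in this patch exercises the fixed path; a regression test in the ASN.1 test suite would be worth adding separately.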
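Review bot: in the have_ellipsis hunk (@@ -600) the format string gains one name/label pair at the front and loses one at the end, and the argument list is reordered to match (`name, have_ellipsis->label` first; the final pair becomes `name, have_ellipsis->gen_name`). The counts line up on reading, but one consequence deserves a check: on the `calloc` failure path `element` already names the ellipsis arm while `u.%s.data` is NULL and `u.%s.length` has not been assigned, so the generated free for that arm must tolerate a NULL data pointer with a stale length. free(NULL) is harmless, but confirm the length is not used before the pointer check.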
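Review bot: in the gen_free.c hunk, emitting `*%s = 0;` for TNull, TGeneralizedTime and TUTCTime is fine and matches the stated goal of leaving zeros rather than stale values after free. The same reasoning applies to the other scalar cases of free_type that currently do nothing; the hunk covers only these three, so the comment should say whether the remaining scalar types are deliberately left as-is or are still to be handled, otherwise the next reader will assume the zeroing is complete.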
_service:tar_scm_kernel_repo:backport-0002-CVE-2022-44640.patch
Added
@@ -0,0 +1,46 @@ +From 73c7c6ec9bc3a1993e766f119e9e29905ded5e28 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 7 Dec 2022 20:13:25 +1300 +Subject: [PATCH 2/2] CVE-2022-44640 source4/heimdal: Fix use-after-free when + decoding PA-ENC-TS-ENC + +Upstream Heimdal fixed this in commit +7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of +ENC-CHALLANGE). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Stefan Metzmacher <metze@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17679 +--- + source4/heimdal/kdc/kerberos5.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c +index ad026dd617bd..bda61e69df2a 100644 +--- a/source4/heimdal/kdc/kerberos5.c ++++ b/source4/heimdal/kdc/kerberos5.c +@@ -1391,7 +1391,6 @@ _kdc_as_rep(krb5_context context, + client_name); + continue; + } +- free_PA_ENC_TS_ENC(&p); + if (abs(kdc_time - p.patimestamp) > context->max_skew) { + char client_time[100]; + +@@ -1413,8 +1412,10 @@ _kdc_as_rep(krb5_context context, + * there is a e_text, they become unhappy. + */ + e_text = NULL; ++ free_PA_ENC_TS_ENC(&p); + goto out; + } ++ free_PA_ENC_TS_ENC(&p); + et.flags.pre_authent = 1; + + set_salt_padata(rep.padata, pa_key->salt); +-- +2.34.1 \ No newline at end of file
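Review bot: in the second kerberos5.c hunk (@@ -1413) the fix now frees `p` on two separate exit paths (before `goto out` and before `et.flags.pre_authent = 1`). The code between the two hunks, after the max_skew comparison, is not shown, so confirm that no other `goto out` or `continue` lies between the timestamp check and these two frees; any such path would now leak `p`, whereas before this change it was already freed (incorrectly early, but freed). A single cleanup point reached from both paths would be less fragile than duplicating the call per exit.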