openEuler:20.03:LTS:SP3
samba
Changes of Revision 34
_service:tar_scm_kernel_repo:samba.spec
Changed
@@ -49,7 +49,7 @@ Name: samba Version: 4.11.12 -Release: 29 +Release: 30 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ @@ -340,6 +340,11 @@ Patch6411: backport-0038-CVE-2022-38023.patch Patch6412: backport-CVE-2023-0922.patch Patch6413: backport-Adapt-sign_authdata-in-our-KDB-module-for-krb5-v1.18.patch +Patch6414: backport-0001-CVE-2022-2127.patch +Patch6415: backport-0002-CVE-2022-2127.patch +Patch6416: backport-0003-CVE-2022-2127.patch +Patch6417: backport-CVE-2023-34966.patch +Patch6418: backport-CVE-2023-34967.patch BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel @@ -3398,6 +3403,12 @@ %{_mandir}/man* %changelog +* Mon Jul 24 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-30 +- Type:cves +- CVE:CVE-2022-2127 CVE-2023-34966 CVE-2023-34967 +- SUG:NA +- DESC:fix CVE-2022-2127 CVE-2023-34966 CVE-2023-34967 + * Mon Jun 26 2023 yanglu <yanglu72@h-partners.com> - 4.11.12-29 - Type:bugfix - CVE:NA
_service:tar_scm_kernel_repo:backport-0001-CVE-2022-2127.patch
Added
@@ -0,0 +1,69 @@
+From 1dd3ae281b9d9260859822bbf6891e94c2f86882 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Thu, 24 Feb 2022 17:48:27 +0100
+Subject: [PATCH 01/25] CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks
+ to parent process
+
+The winbindd_dual_pam_auth_crap() function will be converted to a local
+RPC call handler and it won't receive a winbindd_cli_state struct. Move
+the checks accessing this struct to the parent.
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374)
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/winbindd/winbindd_pam.c | 12 ------------
+ source3/winbindd/winbindd_pam_auth_crap.c | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index e600ad27e54..e77673bf173 100644
+--- a/source3/winbindd/winbindd_pam.c
++++ b/source3/winbindd/winbindd_pam.c
+@@ -2671,18 +2671,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
+ DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
+ name_domain, name_user));
+
+- if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
+- || state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
+- if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+- state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
+- DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
+- state->request->data.auth_crap.lm_resp_len,
+- state->request->data.auth_crap.nt_resp_len));
+- result = NT_STATUS_INVALID_PARAMETER;
+- goto done;
+- }
+- }
+-
+ lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
+ state->request->data.auth_crap.lm_resp_len);
+
+diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
+index a6f13806df9..fdb8120a6fe 100644
+--- a/source3/winbindd/winbindd_pam_auth_crap.c
++++ b/source3/winbindd/winbindd_pam_auth_crap.c
+@@ -140,6 +140,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
+ }
+
++ if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
++ || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
++ if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
++ request->extra_len != request->data.auth_crap.nt_resp_len) {
++ DBG_ERR("Invalid password length %u/%u\n",
++ request->data.auth_crap.lm_resp_len,
++ request->data.auth_crap.nt_resp_len);
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return tevent_req_post(req, ev);
++ }
++ }
++
+ subreq = wb_domain_request_send(state, global_event_context(), domain,
+ request);
+ if (tevent_req_nomem(subreq, req)) {
+--
+2.34.1
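Review bot: After this move, winbindd_dual_pam_auth_crap() in winbindd_pam.c builds the `lm_resp` blob from `lm_resp_len` with no local check left, so it now depends entirely on winbindd_pam_auth_crap_send() having validated the lengths; because only three of the 25 upstream patches are backported in this revision, the function appears to still run as the child request handler rather than the local RPC handler the commit message anticipates, and nothing at the removal site records that assumption. I would leave a comment where the block was removed: `/* Response lengths were validated in the parent by winbindd_pam_auth_crap_send(); this handler must only be reached through that path. */`. Note also that the relocated condition still lets an oversized `lm_resp_len` through whenever WBFLAG_BIG_NTLMV2_BLOB is set and `extra_len` matches `nt_resp_len`, since both overflows are grouped under the one NT-specific exemption; the following patch in this revision reworks that, but this hunk alone does not close it. winbindd_dual_pam_auth_crap() begins and ends outside the hunk.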
_service:tar_scm_kernel_repo:backport-0002-CVE-2022-2127.patch
Added
@@ -0,0 +1,73 @@
+From 5c6fe5a491b16bb658c191cfafb5edc0beb5fab2 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Fri, 20 May 2022 10:55:23 +0200
+Subject: [PATCH 02/25] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP
+ length checks
+
+With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
+can crash winbind. We don't independently check lm_resp_len
+sufficiently.
+
+Discovered via Coverity ID 1504444 Out-of-bounds access
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++--------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
+index fdb8120a6fe..651d54b01d3 100644
+--- a/source3/winbindd/winbindd_pam_auth_crap.c
++++ b/source3/winbindd/winbindd_pam_auth_crap.c
+@@ -42,6 +42,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ struct winbindd_pam_auth_crap_state *state;
+ struct winbindd_domain *domain;
+ const char *auth_domain = NULL;
++ bool lmlength_ok = false;
++ bool ntlength_ok = false;
++ bool pwlength_ok = false;
+
+ req = tevent_req_create(mem_ctx, &state,
+ struct winbindd_pam_auth_crap_state);
+@@ -140,16 +143,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
+ }
+
+- if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
+- || request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
+- if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+- request->extra_len != request->data.auth_crap.nt_resp_len) {
+- DBG_ERR("Invalid password length %u/%u\n",
+- request->data.auth_crap.lm_resp_len,
+- request->data.auth_crap.nt_resp_len);
+- tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+- return tevent_req_post(req, ev);
+- }
++ lmlength_ok = (request->data.auth_crap.lm_resp_len <=
++ sizeof(request->data.auth_crap.lm_resp));
++
++ ntlength_ok = (request->data.auth_crap.nt_resp_len <=
++ sizeof(request->data.auth_crap.nt_resp));
++
++ ntlength_ok |=
++ ((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
++ (request->extra_len == request->data.auth_crap.nt_resp_len));
++
++ pwlength_ok = lmlength_ok && ntlength_ok;
++
++ if (!pwlength_ok) {
++ DBG_ERR("Invalid password length %u/%u\n",
++ request->data.auth_crap.lm_resp_len,
++ request->data.auth_crap.nt_resp_len);
++ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
++ return tevent_req_post(req, ev);
+ }
+
+ subreq = wb_domain_request_send(state, global_event_context(), domain,
+--
+2.34.1
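Review bot: The big-blob exemption now applies to the NT response only, which is the whole point of the fix, but nothing in the new code says so; I would put a comment above the `ntlength_ok |=` assignment: `/* Only the NT response may exceed its inline buffer, and then only when it was shipped as extra data of exactly that length; lm_resp_len must always fit sizeof(lm_resp). */`. When a request is rejected because `extra_len` disagrees with `nt_resp_len`, the DBG_ERR still prints just the two response lengths, so an operator cannot tell which of the three conditions failed; logging `request->extra_len` alongside them (with a format specifier matching its declared type, which is not visible here) would make the rejection diagnosable. What bounds `extra_len` itself when the request is read from the client socket is also outside this hunk and is what ultimately limits the big blob, so that path is worth checking together with this change. winbindd_pam_auth_crap_send() begins before the first hunk and ends after the second.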
_service:tar_scm_kernel_repo:backport-0003-CVE-2022-2127.patch
Added
@@ -0,0 +1,43 @@
+From 2eabbe31f64a8456813a502afb05907beb46ffad Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Jun 2023 12:28:47 +0200
+Subject: [PATCH 03/25] CVE-2022-2127: ntlm_auth: cap lanman response length
+ value
+
+We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
+lm_resp buffer, but we don't cap the length indicator.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/utils/ntlm_auth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 52a1840..f363f25 100644
+--- a/source3/utils/ntlm_auth.c
++++ b/source3/utils/ntlm_auth.c
+@@ -570,10 +570,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
+ memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
+
+ if (lm_response && lm_response->length) {
++ size_t capped_lm_response_len = MIN(
++ lm_response->length,
++ sizeof(request.data.auth_crap.lm_resp));
++
+ memcpy(request.data.auth_crap.lm_resp,
+ lm_response->data,
+- MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
+- request.data.auth_crap.lm_resp_len = lm_response->length;
++ capped_lm_response_len);
++ request.data.auth_crap.lm_resp_len = capped_lm_response_len;
+ }
+
+ if (nt_response && nt_response->length) {
+--
+2.27.0
+
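Review bot: The cap truncates silently: an `lm_response` longer than `sizeof(request.data.auth_crap.lm_resp)` is now copied in part and advertised as the shorter length, and neither the caller nor the log learns that the response it sends to winbindd is not the one it was given. Since a truncated LM response can only ever fail authentication, I would log a warning inside the `if (lm_response && lm_response->length)` block when `capped_lm_response_len < lm_response->length` (one DBG_WARNING-style line using whichever debug macro this file already uses), so a misbehaving client is diagnosable rather than just rejected. The `if (nt_response && nt_response->length)` branch that starts on the hunk's last line and continues outside it should be checked for the same mismatch between bytes copied and length reported; whether it uses the WBFLAG_BIG_NTLMV2_BLOB extra-data path that the winbindd-side check tolerates is not visible here. contact_winbind_auth_crap() begins and ends outside the hunk.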
_service:tar_scm_kernel_repo:backport-CVE-2023-34966.patch
Added
@@ -0,0 +1,75 @@
+From cb6f3e2202473eeccf81e34ebcdb4bc4f726548a Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 13:06:19 +0200
+Subject: [PATCH 05/25] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
+
+A malicious client could send a packet where subcount is zero, leading to a busy
+loop because
+
+ count -= subcount
+=> count -= 0
+=> while (count > 0)
+
+loops forever.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/rpc_server/mdssvc/marshalling.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
+index 1aa750413cd..441d41160f1 100644
+--- a/source3/rpc_server/mdssvc/marshalling.c
++++ b/source3/rpc_server/mdssvc/marshalling.c
+@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ sl_nil_t nil = 0;
+
+ subcount = tag.count;
+- if (subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ for (i = 0; i < subcount; i++) {
+@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_INT64:
+ subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_UUID:
+ subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_FLOAT:
+ subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+
+ case SQ_TYPE_DATE:
+ subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
+- if (subcount == -1 || subcount > count) {
++ if (subcount < 1 || subcount > count) {
+ return -1;
+ }
+ offset += tag.size;
+--
+2.34.1
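Review bot: The `subcount < 1` guard is repeated verbatim in five switch cases with nothing saying why a zero is fatal, and whether the remaining cases of sl_unpack_loop() (outside these hunks) can also yield a zero subcount and reach the `count -= subcount` step that the commit message describes is not visible here. I would put a comment on the first guard, `/* subcount == 0 would leave count unchanged and make the while (count > 0) loop spin forever on a crafted packet */`, and either audit every other path that decrements count for the same property or move a single progress check to the point where count is decremented, so a case added later cannot reintroduce the busy loop. The `subcount == -1` spelling was also the helpers' error sentinel; the new `< 1` form still covers it, which is worth a word in the comment so nobody "restores" the explicit -1 check. sl_unpack_loop() begins before the first hunk and ends after the last.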
_service:tar_scm_kernel_repo:backport-CVE-2023-34967.patch
Added
@@ -0,0 +1,123 @@
+From 5b4353cc60b75610f0aa12b1cced36d35a4d04d4 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 15:06:38 +0200
+Subject: [PATCH 07/25] CVE-2023-34967: mdssvc: add type checking to
+ dalloc_value_for_key()
+
+Change the dalloc_value_for_key() function to require an additional final
+argument which denotes the expected type of the value associated with a key. If
+the types don't match, return NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
+ source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
+index 28944b8..908d54b 100644
+--- a/source3/rpc_server/mdssvc/dalloc.c
++++ b/source3/rpc_server/mdssvc/dalloc.c
+@@ -160,7 +160,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ int result = 0;
+ void *p = NULL;
+ va_list args;
+- const char *type;
++ const char *type = NULL;
+ int elem;
+ size_t array_len;
+
+@@ -171,7 +171,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ array_len = talloc_array_length(d->dd_talloc_array);
+ elem = va_arg(args, int);
+ if (elem >= array_len) {
+- va_end(args);
+ result = -1;
+ goto done;
+ }
+@@ -179,8 +178,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ type = va_arg(args, const char *);
+ }
+
+- va_end(args);
+-
+ array_len = talloc_array_length(d->dd_talloc_array);
+
+ for (elem = 0; elem + 1 < array_len; elem += 2) {
+@@ -193,8 +190,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ break;
+ }
+ }
++ if (p == NULL) {
++ goto done;
++ }
++
++ type = va_arg(args, const char *);
++ if (strcmp(talloc_get_name(p), type) != 0) {
++ p = NULL;
++ }
+
+ done:
++ va_end(args);
+ if (result != 0) {
+ p = NULL;
+ }
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 58a219b..dba7c3c 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
++++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -1198,7 +1198,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+
+ querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+ "DALLOC_CTX", 1,
+- "kMDQueryString");
++ "kMDQueryString",
++ "char *");
+ if (querystring == NULL) {
+ DEBUG(1, ("missing kMDQueryString\n"));
+ goto error;
+@@ -1228,8 +1229,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ slq->ctx2 = *uint64p;
+
+ path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+- "DALLOC_CTX", 1, "kMDScopeArray");
++ "DALLOC_CTX", 1,
++ "kMDScopeArray",
++ "sl_array_t");
+ if (path_scope == NULL) {
++ DBG_ERR("missing kMDScopeArray\n");
+ goto error;
+ }
+
+@@ -1253,8 +1257,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+
+
+ reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+- "DALLOC_CTX", 1, "kMDAttributeArray");
++ "DALLOC_CTX", 1,
++ "kMDAttributeArray",
++ "sl_array_t");
+ if (reqinfo == NULL) {
++ DBG_ERR("missing kMDAttributeArray\n");
+ goto error;
+ }
+
+@@ -1262,7 +1269,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ DEBUG(10, ("requested attributes: %s", mds_dalloc_dump(reqinfo, 0)));
+
+ cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+- "DALLOC_CTX", 1, "kMDQueryItemArray");
++ "DALLOC_CTX", 1,
++ "kMDQueryItemArray",
++ "sl_array_t");
+ if (cnids) {
+ ok = sort_cnids(slq, cnids->ca_cnids);
+ if (!ok) {
+--
+2.27.0
+
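Review bot: Every caller of dalloc_value_for_key() must now pass the trailing type string, because the new `type = va_arg(args, const char *)` after the key loop otherwise reads past the supplied arguments (undefined behaviour in C), and the only callers updated in this patch are the four in slrpc_open_query(); any other caller in the tree, including the lookups that produce `uint64p` just above the second mdssvc.c hunk, should be confirmed to pass a type as well. I would also make the check tolerate a NULL type and document the new contract: `if (type == NULL || strcmp(talloc_get_name(p), type) != 0) { p = NULL; }`, plus a comment on the function that the final vararg is the expected talloc type name and a mismatch returns NULL. Minor style point: the new `DBG_ERR("missing kMDScopeArray\n")` and `DBG_ERR("missing kMDAttributeArray\n")` log at level 0 for a condition a remote client controls, while the adjacent kMDQueryString check uses DEBUG(1, ...); the lower level would be consistent and avoids client-driven log flooding. dalloc_value_for_key() and slrpc_open_query() both begin before their first hunk and end after their last.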