samba: tag release samba-4.16.6
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNWba0ACgkQqplEL7aA tiAj2w/8DgIpsNJSFaUM/yjCPc3brNMFmr1ljBDWIqDOuAuYmx+wBsrPsLaewalp 0O99kP8Tcsqanwc0HQ+SJcCuprCsxk2qQCMz3SdjSr/lpdDjaIZTAf8ycb1BtjQ3 U7LxAU7Rv0pmlH277HS6aZAPd1iHWOhUpZpFMZsECOHJLVjdIghXW+x8SDEPl41Y ulogbEj7xebJk62N2Z4HrbxlSsoPtPtKSRAytstclnDf4+QSK2pIO2magobsA5q9 V0z7k7E+8qp/nWiTG2g1hkozZjUVV3UfvOOXmPnr2JatXFblr3Id1gTIRjrPqK2L UvQu1r4idA4IWmnbyYldqu7SeQuRtnXHWNa1RVoVa8K5vO6NlhgyfZdLxDFlxO4b hKCFV6CvYs2+gDH1Ir7mQc/dV0LUAIUmRdBGwX8BUidyOgYIuoXgyWJAIVKdBGQX U9WA3fCS3jPM9RNgeNZMY0RRBmuTVjH/uJA22MEeBfdOKD/iqdt4O9RboC5NlrdS s72tiECST6dItBEc5EDTa7jtTd5tQyZkXjhvBLn7DIND0Kdes93u8HCazi74HhRK Sq8nbwuadxmGoBEPiISBoxK4fkWucHTRtOgISMfuhqHHug1WCOiHf2Q1IYANKlW0 rcfC1x2LhTnb1TeRukOfzvXriAksOEhvcTG/HnJolWFZvfwnrgY= =bBex -----END PGP SIGNATURE----- Merge tag 'samba-4.16.6' into v4-16-test samba: tag release samba-4.16.6 Signed-off-by: Jule Anger <janger@samba.org>
commit
a901109313
2
VERSION
2
VERSION
@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
|
||||
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
|
||||
# -> "3.0.0-SVN-build-199" #
|
||||
########################################################
|
||||
SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
|
||||
SAMBA_VERSION_IS_GIT_SNAPSHOT=no
|
||||
|
||||
########################################################
|
||||
# This is for specifying a release nickname #
|
||||
|
46
WHATSNEW.txt
46
WHATSNEW.txt
@ -1,3 +1,46 @@
|
||||
==============================
|
||||
Release Notes for Samba 4.16.6
|
||||
October 25, 2022
|
||||
==============================
|
||||
|
||||
|
||||
This is a security release in order to address the following defect:
|
||||
|
||||
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
|
||||
unwrap_des() and unwrap_des3() routines of Heimdal (included
|
||||
in Samba).
|
||||
https://www.samba.org/samba/security/CVE-2022-3437.html
|
||||
|
||||
Changes since 4.16.5
|
||||
---------------------
|
||||
|
||||
o Joseph Sutton <josephsutton@catalyst.net.nz>
|
||||
* BUG 15134: CVE-2022-3437.
|
||||
|
||||
|
||||
#######################################
|
||||
Reporting bugs & Development Discussion
|
||||
#######################################
|
||||
|
||||
Please discuss this release on the samba-technical mailing list or by
|
||||
joining the #samba-technical:matrix.org matrix room, or
|
||||
#samba-technical IRC channel on irc.libera.chat.
|
||||
|
||||
If you do report problems then please try to send high quality
|
||||
feedback. If you don't provide vital information to help us track down
|
||||
the problem then you will probably be ignored. All bug reports should
|
||||
be filed under the Samba 4.1 and newer product in the project's Bugzilla
|
||||
database (https://bugzilla.samba.org/).
|
||||
|
||||
|
||||
======================================================================
|
||||
== Our Code, Our Bugs, Our Responsibility.
|
||||
== The Samba Team
|
||||
======================================================================
|
||||
|
||||
|
||||
Release notes for older releases follow:
|
||||
----------------------------------------
|
||||
==============================
|
||||
Release Notes for Samba 4.16.5
|
||||
September 07, 2022
|
||||
@ -60,8 +103,7 @@ database (https://bugzilla.samba.org/).
|
||||
======================================================================
|
||||
|
||||
|
||||
Release notes for older releases follow:
|
||||
----------------------------------------
|
||||
----------------------------------------------------------------------
|
||||
==============================
|
||||
Release Notes for Samba 4.16.4
|
||||
July 27, 2022
|
||||
|
@ -47,6 +47,8 @@ with_pam = ("WITH_PAM" in config_hash)
|
||||
with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash)
|
||||
pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH")
|
||||
pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH")
|
||||
have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
|
||||
using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
|
||||
|
||||
planpythontestsuite("none", "samba.tests.source")
|
||||
planpythontestsuite("none", "samba.tests.source_chars")
|
||||
@ -434,6 +436,9 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
|
||||
[os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
|
||||
plantestsuite("samba.unittests.auth.sam", "none",
|
||||
[os.path.join(bindir(), "test_auth_sam")])
|
||||
if have_heimdal_support and not using_system_gssapi:
|
||||
plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
|
||||
[valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))])
|
||||
if with_elasticsearch_backend:
|
||||
plantestsuite("samba.unittests.mdsparser_es", "none",
|
||||
[os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
|
||||
|
1244
source4/auth/tests/heimdal_unwrap_des.c
Normal file
1244
source4/auth/tests/heimdal_unwrap_des.c
Normal file
File diff suppressed because it is too large
@ -49,6 +49,27 @@ bld.SAMBA_BINARY('test_kerberos',
|
||||
for_selftest=True
|
||||
)
|
||||
|
||||
bld.SAMBA_BINARY('test_heimdal_gensec_unwrap_des',
|
||||
source='tests/heimdal_unwrap_des.c',
|
||||
deps='cmocka talloc gssapi-subsystem',
|
||||
local_include=False,
|
||||
for_selftest=True,
|
||||
enabled=(bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and
|
||||
not bld.CONFIG_SET('USING_SYSTEM_GSSAPI')),
|
||||
ldflags='''
|
||||
-Wl,--wrap,ct_memcmp
|
||||
-Wl,--wrap,der_get_length
|
||||
-Wl,--wrap,krb5_auth_con_getlocalsubkey
|
||||
-Wl,--wrap,krb5_crypto_destroy
|
||||
-Wl,--wrap,krb5_crypto_init
|
||||
-Wl,--wrap,krb5_decrypt
|
||||
-Wl,--wrap,krb5_decrypt_ivec
|
||||
-Wl,--wrap,krb5_free_keyblock
|
||||
-Wl,--wrap,krb5_verify_checksum
|
||||
-Wl,--wrap,malloc
|
||||
'''
|
||||
)
|
||||
|
||||
bld.SAMBA_BINARY('test_auth_sam',
|
||||
source='tests/sam.c',
|
||||
deps='cmocka samdb samba-security ldb tevent',
|
||||
|
14
third_party/heimdal/lib/gssapi/krb5/arcfour.c
vendored
14
third_party/heimdal/lib/gssapi/krb5/arcfour.c
vendored
@ -388,9 +388,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
|
||||
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
|
||||
|
||||
if (context_handle->more_flags & LOCAL)
|
||||
cmp = (memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
|
||||
cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
|
||||
else
|
||||
cmp = (memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
|
||||
cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
|
||||
|
||||
memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ));
|
||||
if (cmp != 0) {
|
||||
@ -659,9 +659,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
|
||||
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
|
||||
|
||||
if (context_handle->more_flags & LOCAL)
|
||||
cmp = (memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
|
||||
cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
|
||||
else
|
||||
cmp = (memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
|
||||
cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
|
||||
|
||||
if (cmp != 0) {
|
||||
*minor_status = 0;
|
||||
@ -1282,9 +1282,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
|
||||
_gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
|
||||
|
||||
if (ctx->more_flags & LOCAL) {
|
||||
cmp = (memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
|
||||
cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
|
||||
} else {
|
||||
cmp = (memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
|
||||
cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
|
||||
}
|
||||
if (cmp != 0) {
|
||||
*minor_status = 0;
|
||||
@ -1359,7 +1359,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
|
||||
return GSS_S_FAILURE;
|
||||
}
|
||||
|
||||
cmp = (memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
|
||||
cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
|
||||
if (cmp) {
|
||||
*minor_status = 0;
|
||||
return GSS_S_BAD_MIC;
|
||||
|
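Review bot: In the second hunk (_gssapi_unwrap_arcfour) the decrypted SND_SEQ buffer is not wiped between the ct_memcmp and the `if (cmp != 0)` block, whereas the first hunk (_gssapi_verify_mic_arcfour) calls memset_s on it right after the compare. For consistency I would add `memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ));` before the `if (cmp != 0)` there, and the equivalent for `snd_seq` in the third hunk if it is a local array. These functions continue outside the hunks shown, so a later wipe may exist, but it would be skipped if the failure block returns early, as the SGN_CKSUM block in the fourth hunk does.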
@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
|
||||
e = der_get_length (p, total_len - 1, &len, &len_len);
|
||||
if (e || 1 + len_len + len != total_len)
|
||||
return -1;
|
||||
if (total_len < 1 + len_len + 1)
|
||||
return -1;
|
||||
p += len_len;
|
||||
if (*p++ != 0x06)
|
||||
return -1;
|
||||
@ -80,6 +82,10 @@ _gssapi_verify_mech_header(u_char **str,
|
||||
|
||||
if (mech_len != mech->length)
|
||||
return GSS_S_BAD_MECH;
|
||||
if (mech_len > total_len)
|
||||
return GSS_S_BAD_MECH;
|
||||
if (p - *str > total_len - mech_len)
|
||||
return GSS_S_BAD_MECH;
|
||||
if (ct_memcmp(p,
|
||||
mech->elements,
|
||||
mech->length) != 0)
|
||||
@ -193,13 +199,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
|
||||
if (wrapped_token->length < 1)
|
||||
return GSS_S_BAD_MECH;
|
||||
|
||||
pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
|
||||
padlength = *pad;
|
||||
pad = (u_char *)wrapped_token->value + wrapped_token->length;
|
||||
padlength = pad[-1];
|
||||
|
||||
if (padlength > datalen)
|
||||
return GSS_S_BAD_MECH;
|
||||
|
||||
for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
|
||||
for (i = padlength; i > 0 && *--pad == padlength; i--)
|
||||
;
|
||||
if (i != 0)
|
||||
return GSS_S_BAD_MIC;
|
||||
|
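Review bot: _gssapi_verify_pad bounds its backward scan only by the caller-supplied `datalen`: the loop `*--pad == padlength` can step up to `padlength` bytes back from the end of the token, and nothing in the hunk compares `padlength` with `wrapped_token->length` itself. The callers in unwrap.c on this page pass `input_message_buffer->length - len - 8`, which looks like an unsigned subtraction, so a wrapped value would defeat the `padlength > datalen` test. I would make the guard self-contained: `if (padlength > datalen || padlength > wrapped_token->length) return GSS_S_BAD_MECH;`. The function starts before this hunk and continues after it.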
34
third_party/heimdal/lib/gssapi/krb5/unwrap.c
vendored
34
third_party/heimdal/lib/gssapi/krb5/unwrap.c
vendored
@ -64,6 +64,8 @@ unwrap_des
|
||||
|
||||
if (IS_DCE_STYLE(context_handle)) {
|
||||
token_len = 22 + 8 + 15; /* 45 */
|
||||
if (input_message_buffer->length < token_len)
|
||||
return GSS_S_BAD_MECH;
|
||||
} else {
|
||||
token_len = input_message_buffer->length;
|
||||
}
|
||||
@ -76,6 +78,11 @@ unwrap_des
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
len = (p - (u_char *)input_message_buffer->value)
|
||||
+ 22 + 8;
|
||||
if (input_message_buffer->length < len)
|
||||
return GSS_S_BAD_MECH;
|
||||
|
||||
if (memcmp (p, "\x00\x00", 2) != 0)
|
||||
return GSS_S_BAD_SIG;
|
||||
p += 2;
|
||||
@ -117,7 +124,7 @@ unwrap_des
|
||||
} else {
|
||||
/* check pad */
|
||||
ret = _gssapi_verify_pad(input_message_buffer,
|
||||
input_message_buffer->length - len,
|
||||
input_message_buffer->length - len - 8,
|
||||
&padlength);
|
||||
if (ret)
|
||||
return ret;
|
||||
@ -183,9 +190,10 @@ unwrap_des
|
||||
output_message_buffer->value = malloc(output_message_buffer->length);
|
||||
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
|
||||
return GSS_S_FAILURE;
|
||||
memcpy (output_message_buffer->value,
|
||||
p + 24,
|
||||
output_message_buffer->length);
|
||||
if (output_message_buffer->value != NULL)
|
||||
memcpy (output_message_buffer->value,
|
||||
p + 24,
|
||||
output_message_buffer->length);
|
||||
return GSS_S_COMPLETE;
|
||||
}
|
||||
#endif
|
||||
@ -218,6 +226,8 @@ unwrap_des3
|
||||
|
||||
if (IS_DCE_STYLE(context_handle)) {
|
||||
token_len = 34 + 8 + 15; /* 57 */
|
||||
if (input_message_buffer->length < token_len)
|
||||
return GSS_S_BAD_MECH;
|
||||
} else {
|
||||
token_len = input_message_buffer->length;
|
||||
}
|
||||
@ -230,7 +240,12 @@ unwrap_des3
|
||||
if (ret)
|
||||
return ret;
|
||||
|
||||
if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
|
||||
len = (p - (u_char *)input_message_buffer->value)
|
||||
+ 34 + 8;
|
||||
if (input_message_buffer->length < len)
|
||||
return GSS_S_BAD_MECH;
|
||||
|
||||
if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
|
||||
return GSS_S_BAD_SIG;
|
||||
p += 2;
|
||||
if (ct_memcmp (p, "\x02\x00", 2) == 0) {
|
||||
@ -277,7 +292,7 @@ unwrap_des3
|
||||
} else {
|
||||
/* check pad */
|
||||
ret = _gssapi_verify_pad(input_message_buffer,
|
||||
input_message_buffer->length - len,
|
||||
input_message_buffer->length - len - 8,
|
||||
&padlength);
|
||||
if (ret)
|
||||
return ret;
|
||||
@ -377,9 +392,10 @@ unwrap_des3
|
||||
output_message_buffer->value = malloc(output_message_buffer->length);
|
||||
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
|
||||
return GSS_S_FAILURE;
|
||||
memcpy (output_message_buffer->value,
|
||||
p + 36,
|
||||
output_message_buffer->length);
|
||||
if (output_message_buffer->value != NULL)
|
||||
memcpy (output_message_buffer->value,
|
||||
p + 36,
|
||||
output_message_buffer->length);
|
||||
return GSS_S_COMPLETE;
|
||||
}
|
||||
|
||||
|
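Review bot: The expression `input_message_buffer->length - len - 8` passed to _gssapi_verify_pad in unwrap_des and unwrap_des3 relies on an invariant that is not stated next to it. The guard after _gsskrb5_verify_header only establishes that the length is at least the header offset plus `22 + 8` (`34 + 8` for DES3), and whether `len` still holds that value at the call is not visible in these hunks. A comment at each call, e.g. `/* length >= len + 8 was checked after _gsskrb5_verify_header, so this cannot wrap */`, or a named `datalen` local computed beside the guard, would make the bound reviewable in one place. The bare `22`, `34` and `8` would also benefit from a short comment saying which token fields they cover (the `8` is presumably the confounder). Both function bodies start and end outside the hunks shown.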
4
third_party/heimdal/lib/krb5/krb5_locl.h
vendored
4
third_party/heimdal/lib/krb5/krb5_locl.h
vendored
@ -204,10 +204,6 @@ extern const char _krb5_wellknown_lkdc[];
|
||||
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
|
||||
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
|
||||
|
||||
#ifndef __func__
|
||||
#define __func__ "unknown-function"
|
||||
#endif
|
||||
|
||||
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
|
||||
|
||||
#ifndef PATH_SEP
|
||||
|
18
third_party/heimdal_build/wscript_build
vendored
18
third_party/heimdal_build/wscript_build
vendored
@ -633,15 +633,21 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
|
||||
../heimdal_build/gssapi-glue.c
|
||||
'''
|
||||
|
||||
HEIMDAL_LIBRARY('gssapi',
|
||||
HEIMDAL_SUBSYSTEM('gssapi-subsystem',
|
||||
HEIMDAL_GSSAPI_SPNEGO_SOURCE +
|
||||
HEIMDAL_GSSAPI_KRB5_SOURCE +
|
||||
HEIMDAL_GSSAPI_MECH_SOURCE,
|
||||
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
|
||||
deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind heimbase',
|
||||
cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS,
|
||||
version_script='lib/gssapi/version-script.map',
|
||||
)
|
||||
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
|
||||
deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind heimbase',
|
||||
cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS,
|
||||
)
|
||||
|
||||
HEIMDAL_LIBRARY('gssapi',
|
||||
'',
|
||||
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
|
||||
deps='gssapi-subsystem',
|
||||
version_script='lib/gssapi/version-script.map',
|
||||
)
|
||||
|
||||
if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
|
||||
# expand_path.c needs some of the install paths
|
||||
|
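Review bot: The split of `gssapi` into `HEIMDAL_SUBSYSTEM('gssapi-subsystem', ...)` plus a source-less `HEIMDAL_LIBRARY('gssapi', '', deps='gssapi-subsystem', ...)` carries no comment explaining why the subsystem exists. It appears to be there so that test_heimdal_gensec_unwrap_des, whose deps list names `gssapi-subsystem`, can link the GSSAPI objects directly and apply its `--wrap` linker flags to internal symbols. A one-line comment above the subsystem, e.g. `# separate subsystem so unit tests can link the GSSAPI objects directly`, would keep a later cleanup from merging the two back together. The enclosing `if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):` block starts outside this hunk.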