1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00

samba: tag release samba-4.16.6

-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNWba0ACgkQqplEL7aA
 tiAj2w/8DgIpsNJSFaUM/yjCPc3brNMFmr1ljBDWIqDOuAuYmx+wBsrPsLaewalp
 0O99kP8Tcsqanwc0HQ+SJcCuprCsxk2qQCMz3SdjSr/lpdDjaIZTAf8ycb1BtjQ3
 U7LxAU7Rv0pmlH277HS6aZAPd1iHWOhUpZpFMZsECOHJLVjdIghXW+x8SDEPl41Y
 ulogbEj7xebJk62N2Z4HrbxlSsoPtPtKSRAytstclnDf4+QSK2pIO2magobsA5q9
 V0z7k7E+8qp/nWiTG2g1hkozZjUVV3UfvOOXmPnr2JatXFblr3Id1gTIRjrPqK2L
 UvQu1r4idA4IWmnbyYldqu7SeQuRtnXHWNa1RVoVa8K5vO6NlhgyfZdLxDFlxO4b
 hKCFV6CvYs2+gDH1Ir7mQc/dV0LUAIUmRdBGwX8BUidyOgYIuoXgyWJAIVKdBGQX
 U9WA3fCS3jPM9RNgeNZMY0RRBmuTVjH/uJA22MEeBfdOKD/iqdt4O9RboC5NlrdS
 s72tiECST6dItBEc5EDTa7jtTd5tQyZkXjhvBLn7DIND0Kdes93u8HCazi74HhRK
 Sq8nbwuadxmGoBEPiISBoxK4fkWucHTRtOgISMfuhqHHug1WCOiHf2Q1IYANKlW0
 rcfC1x2LhTnb1TeRukOfzvXriAksOEhvcTG/HnJolWFZvfwnrgY=
 =bBex
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.16.6' into v4-16-test

samba: tag release samba-4.16.6

Signed-off-by: Jule Anger <janger@samba.org>
This commit is contained in:
Jule Anger 2022-10-25 11:55:25 +02:00
commit a901109313
10 changed files with 1368 additions and 32 deletions

View File

@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" #
########################################################
SAMBA_VERSION_IS_GIT_SNAPSHOT=yes
SAMBA_VERSION_IS_GIT_SNAPSHOT=no
########################################################
# This is for specifying a release nickname #

View File

@ -1,3 +1,46 @@
==============================
Release Notes for Samba 4.16.6
October 25, 2022
==============================
This is a security release in order to address the following defect:
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included
in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
Changes since 4.16.5
---------------------
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15134: CVE-2022-3437.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
==============================
Release Notes for Samba 4.16.5
September 07, 2022
@ -60,8 +103,7 @@ database (https://bugzilla.samba.org/).
======================================================================
Release notes for older releases follow:
----------------------------------------
----------------------------------------------------------------------
==============================
Release Notes for Samba 4.16.4
July 27, 2022

View File

@ -47,6 +47,8 @@ with_pam = ("WITH_PAM" in config_hash)
with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash)
pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH")
pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH")
have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
planpythontestsuite("none", "samba.tests.source")
planpythontestsuite("none", "samba.tests.source_chars")
@ -434,6 +436,9 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
[os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
plantestsuite("samba.unittests.auth.sam", "none",
[os.path.join(bindir(), "test_auth_sam")])
if have_heimdal_support and not using_system_gssapi:
plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
[valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))])
if with_elasticsearch_backend:
plantestsuite("samba.unittests.mdsparser_es", "none",
[os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])

File diff suppressed because it is too large Load Diff

View File

@ -49,6 +49,27 @@ bld.SAMBA_BINARY('test_kerberos',
for_selftest=True
)
bld.SAMBA_BINARY('test_heimdal_gensec_unwrap_des',
source='tests/heimdal_unwrap_des.c',
deps='cmocka talloc gssapi-subsystem',
local_include=False,
for_selftest=True,
enabled=(bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and
not bld.CONFIG_SET('USING_SYSTEM_GSSAPI')),
ldflags='''
-Wl,--wrap,ct_memcmp
-Wl,--wrap,der_get_length
-Wl,--wrap,krb5_auth_con_getlocalsubkey
-Wl,--wrap,krb5_crypto_destroy
-Wl,--wrap,krb5_crypto_init
-Wl,--wrap,krb5_decrypt
-Wl,--wrap,krb5_decrypt_ivec
-Wl,--wrap,krb5_free_keyblock
-Wl,--wrap,krb5_verify_checksum
-Wl,--wrap,malloc
'''
)
bld.SAMBA_BINARY('test_auth_sam',
source='tests/sam.c',
deps='cmocka samdb samba-security ldb tevent',

View File

@ -388,9 +388,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = (memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
else
cmp = (memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ));
if (cmp != 0) {
@ -659,9 +659,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
cmp = (memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
else
cmp = (memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
if (cmp != 0) {
*minor_status = 0;
@ -1282,9 +1282,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
if (ctx->more_flags & LOCAL) {
cmp = (memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
} else {
cmp = (memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
}
if (cmp != 0) {
*minor_status = 0;
@ -1359,7 +1359,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
cmp = (memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
if (cmp) {
*minor_status = 0;
return GSS_S_BAD_MIC;

View File

@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
e = der_get_length (p, total_len - 1, &len, &len_len);
if (e || 1 + len_len + len != total_len)
return -1;
if (total_len < 1 + len_len + 1)
return -1;
p += len_len;
if (*p++ != 0x06)
return -1;
@ -80,6 +82,10 @@ _gssapi_verify_mech_header(u_char **str,
if (mech_len != mech->length)
return GSS_S_BAD_MECH;
if (mech_len > total_len)
return GSS_S_BAD_MECH;
if (p - *str > total_len - mech_len)
return GSS_S_BAD_MECH;
if (ct_memcmp(p,
mech->elements,
mech->length) != 0)
@ -193,13 +199,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
if (wrapped_token->length < 1)
return GSS_S_BAD_MECH;
pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
padlength = *pad;
pad = (u_char *)wrapped_token->value + wrapped_token->length;
padlength = pad[-1];
if (padlength > datalen)
return GSS_S_BAD_MECH;
for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
for (i = padlength; i > 0 && *--pad == padlength; i--)
;
if (i != 0)
return GSS_S_BAD_MIC;

View File

@ -64,6 +64,8 @@ unwrap_des
if (IS_DCE_STYLE(context_handle)) {
token_len = 22 + 8 + 15; /* 45 */
if (input_message_buffer->length < token_len)
return GSS_S_BAD_MECH;
} else {
token_len = input_message_buffer->length;
}
@ -76,6 +78,11 @@ unwrap_des
if (ret)
return ret;
len = (p - (u_char *)input_message_buffer->value)
+ 22 + 8;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
if (memcmp (p, "\x00\x00", 2) != 0)
return GSS_S_BAD_SIG;
p += 2;
@ -117,7 +124,7 @@ unwrap_des
} else {
/* check pad */
ret = _gssapi_verify_pad(input_message_buffer,
input_message_buffer->length - len,
input_message_buffer->length - len - 8,
&padlength);
if (ret)
return ret;
@ -183,9 +190,10 @@ unwrap_des
output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE;
memcpy (output_message_buffer->value,
p + 24,
output_message_buffer->length);
if (output_message_buffer->value != NULL)
memcpy (output_message_buffer->value,
p + 24,
output_message_buffer->length);
return GSS_S_COMPLETE;
}
#endif
@ -218,6 +226,8 @@ unwrap_des3
if (IS_DCE_STYLE(context_handle)) {
token_len = 34 + 8 + 15; /* 57 */
if (input_message_buffer->length < token_len)
return GSS_S_BAD_MECH;
} else {
token_len = input_message_buffer->length;
}
@ -230,7 +240,12 @@ unwrap_des3
if (ret)
return ret;
if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
len = (p - (u_char *)input_message_buffer->value)
+ 34 + 8;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
return GSS_S_BAD_SIG;
p += 2;
if (ct_memcmp (p, "\x02\x00", 2) == 0) {
@ -277,7 +292,7 @@ unwrap_des3
} else {
/* check pad */
ret = _gssapi_verify_pad(input_message_buffer,
input_message_buffer->length - len,
input_message_buffer->length - len - 8,
&padlength);
if (ret)
return ret;
@ -377,9 +392,10 @@ unwrap_des3
output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE;
memcpy (output_message_buffer->value,
p + 36,
output_message_buffer->length);
if (output_message_buffer->value != NULL)
memcpy (output_message_buffer->value,
p + 36,
output_message_buffer->length);
return GSS_S_COMPLETE;
}

View File

@ -204,10 +204,6 @@ extern const char _krb5_wellknown_lkdc[];
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
#ifndef __func__
#define __func__ "unknown-function"
#endif
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
#ifndef PATH_SEP

View File

@ -633,15 +633,21 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
../heimdal_build/gssapi-glue.c
'''
HEIMDAL_LIBRARY('gssapi',
HEIMDAL_SUBSYSTEM('gssapi-subsystem',
HEIMDAL_GSSAPI_SPNEGO_SOURCE +
HEIMDAL_GSSAPI_KRB5_SOURCE +
HEIMDAL_GSSAPI_MECH_SOURCE,
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind heimbase',
cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS,
version_script='lib/gssapi/version-script.map',
)
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind heimbase',
cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS,
)
HEIMDAL_LIBRARY('gssapi',
'',
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
deps='gssapi-subsystem',
version_script='lib/gssapi/version-script.map',
)
if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
# expand_path.c needs some of the install paths