sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00
Code

samba: tag release samba-4.16.6

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmNWba0ACgkQqplEL7aA
 tiAj2w/8DgIpsNJSFaUM/yjCPc3brNMFmr1ljBDWIqDOuAuYmx+wBsrPsLaewalp
 0O99kP8Tcsqanwc0HQ+SJcCuprCsxk2qQCMz3SdjSr/lpdDjaIZTAf8ycb1BtjQ3
 U7LxAU7Rv0pmlH277HS6aZAPd1iHWOhUpZpFMZsECOHJLVjdIghXW+x8SDEPl41Y
 ulogbEj7xebJk62N2Z4HrbxlSsoPtPtKSRAytstclnDf4+QSK2pIO2magobsA5q9
 V0z7k7E+8qp/nWiTG2g1hkozZjUVV3UfvOOXmPnr2JatXFblr3Id1gTIRjrPqK2L
 UvQu1r4idA4IWmnbyYldqu7SeQuRtnXHWNa1RVoVa8K5vO6NlhgyfZdLxDFlxO4b
 hKCFV6CvYs2+gDH1Ir7mQc/dV0LUAIUmRdBGwX8BUidyOgYIuoXgyWJAIVKdBGQX
 U9WA3fCS3jPM9RNgeNZMY0RRBmuTVjH/uJA22MEeBfdOKD/iqdt4O9RboC5NlrdS
 s72tiECST6dItBEc5EDTa7jtTd5tQyZkXjhvBLn7DIND0Kdes93u8HCazi74HhRK
 Sq8nbwuadxmGoBEPiISBoxK4fkWucHTRtOgISMfuhqHHug1WCOiHf2Q1IYANKlW0
 rcfC1x2LhTnb1TeRukOfzvXriAksOEhvcTG/HnJolWFZvfwnrgY=
 =bBex
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.16.6' into v4-16-test

samba: tag release samba-4.16.6

Signed-off-by: Jule Anger <janger@samba.org>
This commit is contained in:
Jule Anger 2022-10-25 11:55:25 +02:00
commit a901109313
10 changed files with 1368 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
VERSION
View File

@ -99,7 +99,7 @@ SAMBA_VERSION_RC_RELEASE=
# e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes # # e.g. SAMBA_VERSION_IS_SVN_SNAPSHOT=yes #
# -> "3.0.0-SVN-build-199" # # -> "3.0.0-SVN-build-199" #
######################################################## ########################################################
SAMBA_VERSION_IS_GIT_SNAPSHOT=yes SAMBA_VERSION_IS_GIT_SNAPSHOT=no
######################################################## ########################################################
# This is for specifying a release nickname # # This is for specifying a release nickname #

46
WHATSNEW.txt
View File

@ -1,3 +1,46 @@
==============================
Release Notes for Samba 4.16.6
October 25, 2022
==============================
This is a security release in order to address the following defect:
o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
unwrap_des() and unwrap_des3() routines of Heimdal (included
in Samba).
https://www.samba.org/samba/security/CVE-2022-3437.html
Changes since 4.16.5
---------------------
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15134: CVE-2022-3437.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
============================== ==============================
Release Notes for Samba 4.16.5 Release Notes for Samba 4.16.5
September 07, 2022 September 07, 2022
@ -60,8 +103,7 @@ database (https://bugzilla.samba.org/).
====================================================================== ======================================================================
Release notes for older releases follow: ----------------------------------------------------------------------
----------------------------------------
============================== ==============================
Release Notes for Samba 4.16.4 Release Notes for Samba 4.16.4
July 27, 2022 July 27, 2022

5
selftest/tests.py
View File

@ -47,6 +47,8 @@ with_pam = ("WITH_PAM" in config_hash)
with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash) with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash)
pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH") pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH")
pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH") pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH")
have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
planpythontestsuite("none", "samba.tests.source") planpythontestsuite("none", "samba.tests.source")
planpythontestsuite("none", "samba.tests.source_chars") planpythontestsuite("none", "samba.tests.source_chars")
@ -434,6 +436,9 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
[os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")]) [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
plantestsuite("samba.unittests.auth.sam", "none", plantestsuite("samba.unittests.auth.sam", "none",
[os.path.join(bindir(), "test_auth_sam")]) [os.path.join(bindir(), "test_auth_sam")])
if have_heimdal_support and not using_system_gssapi:
plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
[valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))])
if with_elasticsearch_backend: if with_elasticsearch_backend:
plantestsuite("samba.unittests.mdsparser_es", "none", plantestsuite("samba.unittests.mdsparser_es", "none",
[os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration]) [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])

1244
source4/auth/tests/heimdal_unwrap_des.c Normal file
View File

File diff suppressed because it is too large Load Diff

21
source4/auth/wscript_build
View File

@ -49,6 +49,27 @@ bld.SAMBA_BINARY('test_kerberos',
for_selftest=True for_selftest=True
) )
bld.SAMBA_BINARY('test_heimdal_gensec_unwrap_des',
source='tests/heimdal_unwrap_des.c',
deps='cmocka talloc gssapi-subsystem',
local_include=False,
for_selftest=True,
enabled=(bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and
not bld.CONFIG_SET('USING_SYSTEM_GSSAPI')),
ldflags='''
-Wl,--wrap,ct_memcmp
-Wl,--wrap,der_get_length
-Wl,--wrap,krb5_auth_con_getlocalsubkey
-Wl,--wrap,krb5_crypto_destroy
-Wl,--wrap,krb5_crypto_init
-Wl,--wrap,krb5_decrypt
-Wl,--wrap,krb5_decrypt_ivec
-Wl,--wrap,krb5_free_keyblock
-Wl,--wrap,krb5_verify_checksum
-Wl,--wrap,malloc
'''
)
bld.SAMBA_BINARY('test_auth_sam', bld.SAMBA_BINARY('test_auth_sam',
source='tests/sam.c', source='tests/sam.c',
deps='cmocka samdb samba-security ldb tevent', deps='cmocka samdb samba-security ldb tevent',

14
third_party/heimdal/lib/gssapi/krb5/arcfour.c vendored
View File

@ -388,9 +388,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL) if (context_handle->more_flags & LOCAL)
cmp = (memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0); cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
else else
cmp = (memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0); cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ)); memset_s(SND_SEQ, sizeof(SND_SEQ), 0, sizeof(SND_SEQ));
if (cmp != 0) { if (cmp != 0) {
@ -659,9 +659,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number); _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL) if (context_handle->more_flags & LOCAL)
cmp = (memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0); cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
else else
cmp = (memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0); cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
if (cmp != 0) { if (cmp != 0) {
*minor_status = 0; *minor_status = 0;
@ -1282,9 +1282,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(snd_seq, &seq_number); _gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
if (ctx->more_flags & LOCAL) { if (ctx->more_flags & LOCAL) {
cmp = (memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0); cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
} else { } else {
cmp = (memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0); cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
} }
if (cmp != 0) { if (cmp != 0) {
*minor_status = 0; *minor_status = 0;
@ -1359,7 +1359,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
return GSS_S_FAILURE; return GSS_S_FAILURE;
} }
cmp = (memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) != 0); /* SGN_CKSUM */
if (cmp) { if (cmp) {
*minor_status = 0; *minor_status = 0;
return GSS_S_BAD_MIC; return GSS_S_BAD_MIC;

12
third_party/heimdal/lib/gssapi/krb5/decapsulate.c vendored
View File

@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
e = der_get_length (p, total_len - 1, &len, &len_len); e = der_get_length (p, total_len - 1, &len, &len_len);
if (e || 1 + len_len + len != total_len) if (e || 1 + len_len + len != total_len)
return -1; return -1;
if (total_len < 1 + len_len + 1)
return -1;
p += len_len; p += len_len;
if (*p++ != 0x06) if (*p++ != 0x06)
return -1; return -1;
@ -80,6 +82,10 @@ _gssapi_verify_mech_header(u_char **str,
if (mech_len != mech->length) if (mech_len != mech->length)
return GSS_S_BAD_MECH; return GSS_S_BAD_MECH;
if (mech_len > total_len)
return GSS_S_BAD_MECH;
if (p - *str > total_len - mech_len)
return GSS_S_BAD_MECH;
if (ct_memcmp(p, if (ct_memcmp(p,
mech->elements, mech->elements,
mech->length) != 0) mech->length) != 0)
@ -193,13 +199,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
if (wrapped_token->length < 1) if (wrapped_token->length < 1)
return GSS_S_BAD_MECH; return GSS_S_BAD_MECH;
pad = (u_char *)wrapped_token->value + wrapped_token->length - 1; pad = (u_char *)wrapped_token->value + wrapped_token->length;
padlength = *pad; padlength = pad[-1];
if (padlength > datalen) if (padlength > datalen)
return GSS_S_BAD_MECH; return GSS_S_BAD_MECH;
for (i = padlength; i > 0 && *pad == padlength; i--, pad--) for (i = padlength; i > 0 && *--pad == padlength; i--)
; ;
if (i != 0) if (i != 0)
return GSS_S_BAD_MIC; return GSS_S_BAD_MIC;

34
third_party/heimdal/lib/gssapi/krb5/unwrap.c vendored
View File

@ -64,6 +64,8 @@ unwrap_des
if (IS_DCE_STYLE(context_handle)) { if (IS_DCE_STYLE(context_handle)) {
token_len = 22 + 8 + 15; /* 45 */ token_len = 22 + 8 + 15; /* 45 */
if (input_message_buffer->length < token_len)
return GSS_S_BAD_MECH;
} else { } else {
token_len = input_message_buffer->length; token_len = input_message_buffer->length;
} }
@ -76,6 +78,11 @@ unwrap_des
if (ret) if (ret)
return ret; return ret;
len = (p - (u_char *)input_message_buffer->value)
+ 22 + 8;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
if (memcmp (p, "\x00\x00", 2) != 0) if (memcmp (p, "\x00\x00", 2) != 0)
return GSS_S_BAD_SIG; return GSS_S_BAD_SIG;
p += 2; p += 2;
@ -117,7 +124,7 @@ unwrap_des
} else { } else {
/* check pad */ /* check pad */
ret = _gssapi_verify_pad(input_message_buffer, ret = _gssapi_verify_pad(input_message_buffer,
input_message_buffer->length - len, input_message_buffer->length - len - 8,
&padlength); &padlength);
if (ret) if (ret)
return ret; return ret;
@ -183,9 +190,10 @@ unwrap_des
output_message_buffer->value = malloc(output_message_buffer->length); output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE; return GSS_S_FAILURE;
memcpy (output_message_buffer->value, if (output_message_buffer->value != NULL)
p + 24, memcpy (output_message_buffer->value,
output_message_buffer->length); p + 24,
output_message_buffer->length);
return GSS_S_COMPLETE; return GSS_S_COMPLETE;
} }
#endif #endif
@ -218,6 +226,8 @@ unwrap_des3
if (IS_DCE_STYLE(context_handle)) { if (IS_DCE_STYLE(context_handle)) {
token_len = 34 + 8 + 15; /* 57 */ token_len = 34 + 8 + 15; /* 57 */
if (input_message_buffer->length < token_len)
return GSS_S_BAD_MECH;
} else { } else {
token_len = input_message_buffer->length; token_len = input_message_buffer->length;
} }
@ -230,7 +240,12 @@ unwrap_des3
if (ret) if (ret)
return ret; return ret;
if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */ len = (p - (u_char *)input_message_buffer->value)
+ 34 + 8;
if (input_message_buffer->length < len)
return GSS_S_BAD_MECH;
if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
return GSS_S_BAD_SIG; return GSS_S_BAD_SIG;
p += 2; p += 2;
if (ct_memcmp (p, "\x02\x00", 2) == 0) { if (ct_memcmp (p, "\x02\x00", 2) == 0) {
@ -277,7 +292,7 @@ unwrap_des3
} else { } else {
/* check pad */ /* check pad */
ret = _gssapi_verify_pad(input_message_buffer, ret = _gssapi_verify_pad(input_message_buffer,
input_message_buffer->length - len, input_message_buffer->length - len - 8,
&padlength); &padlength);
if (ret) if (ret)
return ret; return ret;
@ -377,9 +392,10 @@ unwrap_des3
output_message_buffer->value = malloc(output_message_buffer->length); output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL) if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE; return GSS_S_FAILURE;
memcpy (output_message_buffer->value, if (output_message_buffer->value != NULL)
p + 36, memcpy (output_message_buffer->value,
output_message_buffer->length); p + 36,
output_message_buffer->length);
return GSS_S_COMPLETE; return GSS_S_COMPLETE;
} }

4
third_party/heimdal/lib/krb5/krb5_locl.h vendored
View File

@ -204,10 +204,6 @@ extern const char _krb5_wellknown_lkdc[];
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
#ifndef __func__
#define __func__ "unknown-function"
#endif
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum)) #define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
#ifndef PATH_SEP #ifndef PATH_SEP

18
third_party/heimdal_build/wscript_build vendored
View File

@ -633,15 +633,21 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
../heimdal_build/gssapi-glue.c ../heimdal_build/gssapi-glue.c
''' '''
HEIMDAL_LIBRARY('gssapi', HEIMDAL_SUBSYSTEM('gssapi-subsystem',
HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_SPNEGO_SOURCE +
HEIMDAL_GSSAPI_KRB5_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE +
HEIMDAL_GSSAPI_MECH_SOURCE, HEIMDAL_GSSAPI_MECH_SOURCE,
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm', includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind heimbase', deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind heimbase',
cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS, cflags=bld.env.HEIMDAL_UNPICKY_WNO_STRICT_OVERFLOW_CFLAGS,
version_script='lib/gssapi/version-script.map', )
)
HEIMDAL_LIBRARY('gssapi',
'',
includes='../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech ../heimdal/lib/ntlm',
deps='gssapi-subsystem',
version_script='lib/gssapi/version-script.map',
)
if not bld.CONFIG_SET("USING_SYSTEM_KRB5"): if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
# expand_path.c needs some of the install paths # expand_path.c needs some of the install paths