From 6f2e21cb88ba28d9008f8d4ed02d9886ba359d00 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Oct 25 2022 07:33:42 +0000
Subject: import samba-4.15.5-10.el8_6
---
diff --git a/SOURCES/CVE-2022-32742-v4-15.patch b/SOURCES/CVE-2022-32742-v4-15.patch
new file mode 100644
index 0000000..314b144
--- /dev/null
+++ b/SOURCES/CVE-2022-32742-v4-15.patch
@@ -0,0 +1,216 @@
+From 9ccec2afdaf8af463f321eb37d3c3bb90d1d432e Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Tue, 7 Jun 2022 09:40:45 -0700
+Subject: [PATCH 1/2] CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
+
+Reproduces the test code in:
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
+
+Add knownfail.
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: David Disseldorp
+---
+ selftest/knownfail.d/bad-write | 2 +
+ source4/torture/raw/write.c | 89 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+)
+ create mode 100644 selftest/knownfail.d/bad-write
+
+diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
+new file mode 100644
+index 00000000000..5fc16606a13
+--- /dev/null
++++ b/selftest/knownfail.d/bad-write
+@@ -0,0 +1,2 @@
++^samba3.raw.write.bad-write\(nt4_dc_smb1\)
++^samba3.raw.write.bad-write\(ad_dc_smb1\)
+diff --git a/source4/torture/raw/write.c b/source4/torture/raw/write.c
+index 0a2f50f425b..661485bb548 100644
+--- a/source4/torture/raw/write.c
++++ b/source4/torture/raw/write.c
+@@ -25,6 +25,7 @@
+ #include "libcli/libcli.h"
+ #include "torture/util.h"
+ #include "torture/raw/proto.h"
++#include "libcli/raw/raw_proto.h"
+
+ #define CHECK_STATUS(status, correct) do { \
+ if (!NT_STATUS_EQUAL(status, correct)) { \
+@@ -694,6 +695,93 @@ done:
+ return ret;
+ }
+
++/*
++ test a deliberately bad SMB1 write.
++*/
++static bool test_bad_write(struct torture_context *tctx,
++ struct smbcli_state *cli)
++{
++ bool ret = false;
++ int fnum = -1;
++ struct smbcli_request *req = NULL;
++ const char *fname = BASEDIR "\\badwrite.txt";
++ bool ok = false;
++
++ if (!torture_setup_dir(cli, BASEDIR)) {
++ torture_fail(tctx, "failed to setup basedir");
++ }
++
++ torture_comment(tctx, "Testing RAW_BAD_WRITE\n");
++
++ fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);
++ if (fnum == -1) {
++ torture_fail_goto(tctx,
++ done,
++ talloc_asprintf(tctx,
++ "Failed to create %s - %s\n",
++ fname,
++ smbcli_errstr(cli->tree)));
++ }
++
++ req = smbcli_request_setup(cli->tree,
++ SMBwrite,
++ 5,
++ 0);
++ if (req == NULL) {
++ torture_fail_goto(tctx,
++ done,
++ talloc_asprintf(tctx, "talloc fail\n"));
++ }
++
++ SSVAL(req->out.vwv, VWV(0), fnum);
++ SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */
++ SIVAL(req->out.vwv, VWV(2), 0); /* offset */
++ SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */
++
++ if (!smbcli_request_send(req)) {
++ torture_fail_goto(tctx,
++ done,
++ talloc_asprintf(tctx, "Send failed\n"));
++ }
++
++ if (!smbcli_request_receive(req)) {
++ torture_fail_goto(tctx,
++ done,
++ talloc_asprintf(tctx, "Reveive failed\n"));
++ }
++
++ /*
++ * Check for expected error codes.
++ * ntvfs returns NT_STATUS_UNSUCCESSFUL.
++ */
++ ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) ||
++ NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL));
++
++ if (!ok) {
++ torture_fail_goto(tctx,
++ done,
++ talloc_asprintf(tctx,
++ "Should have returned "
++ "NT_STATUS_INVALID_PARAMETER or "
++ "NT_STATUS_UNSUCCESSFUL "
++ "got %s\n",
++ nt_errstr(req->status)));
++ }
++
++ ret = true;
++
++done:
++ if (req != NULL) {
++ smbcli_request_destroy(req);
++ }
++ if (fnum != -1) {
++ smbcli_close(cli->tree, fnum);
++ }
++ smb_raw_exit(cli->session);
++ smbcli_deltree(cli->tree, BASEDIR);
++ return ret;
++}
++
+ /*
+ basic testing of write calls
+ */
+@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx)
+ torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock);
+ torture_suite_add_1smb_test(suite, "write close", test_writeclose);
+ torture_suite_add_1smb_test(suite, "writex", test_writex);
++ torture_suite_add_1smb_test(suite, "bad-write", test_bad_write);
+
+ return suite;
+ }
+--
+2.34.1
+
+
+From 9097c5363605e1d5f99ff5a59dc6795c612d472f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison
+Date: Wed, 8 Jun 2022 13:50:51 -0700
+Subject: [PATCH 2/2] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
+
+Fixes the raw.write.bad-write test.
+
+NB. We need the two (==0) changes in source3/smbd/reply.c
+as the gcc optimizer now knows that the return from
+smbreq_bufrem() can never be less than zero.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
+
+Remove knownfail.
+
+Signed-off-by: Jeremy Allison
+Reviewed-by: David Disseldorp
+
+---
+ selftest/knownfail.d/bad-write | 2 --
+ source3/include/smb_macros.h | 2 +-
+ source3/smbd/reply.c | 4 ++--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/bad-write
+
+diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
+deleted file mode 100644
+index 5fc16606a13..00000000000
+--- a/selftest/knownfail.d/bad-write
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba3.raw.write.bad-write\(nt4_dc_smb1\)
+-^samba3.raw.write.bad-write\(ad_dc_smb1\)
+diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
+index 344a997cbd2..c75b93fcc25 100644
+--- a/source3/include/smb_macros.h
++++ b/source3/include/smb_macros.h
+@@ -152,7 +152,7 @@
+
+ /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
+ #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
+-#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
++#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))
+
+
+ /* Note that chain_size must be available as an extern int to this macro. */
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index d4573d3da55..e1a47a65662 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
+ {
+ ssize_t bufrem = smbreq_bufrem(req, src);
+
+- if (bufrem < 0) {
++ if (bufrem == 0) {
+ *err = NT_STATUS_INVALID_PARAMETER;
+ return 0;
+ }
+@@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
+ {
+ ssize_t bufrem = smbreq_bufrem(req, src);
+
+- if (bufrem < 0) {
++ if (bufrem == 0) {
+ return 0;
+ }
+
+--
+2.34.1
+
diff --git a/SOURCES/samba.abignore b/SOURCES/samba.abignore
new file mode 100644
index 0000000..718059d
--- /dev/null
+++ b/SOURCES/samba.abignore
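Review bot: In the smb_macros.h hunk of PATCH 2/2 only `smbreq_bufrem()` is clamped, while `smb_bufrem(buf, p)` on the context line directly above keeps the unclamped subtraction, so any remaining user of that macro can still compute a negative remainder when `p` lies past the end of the buffer; whether it still has callers is not visible from this hunk. The hardened macro also expands `req` and `p` more than once, so it deserves a comment such as `/* Returns 0 when p is at or past the end of req->buf; evaluates req and p more than once. */`, or a `static inline` helper in its place. In reply.c the `bufrem == 0` tests now also reject a pointer that sits exactly at the end of the request buffer, which looks intended but should be stated in a comment next to each check; both functions begin and end outside their hunks. In the added test, the message `"Reveive failed\n"` should read `"Receive failed\n"`.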
@@ -0,0 +1,5 @@ +################################################# +# This is a grouping library without any code +################################################# +[suppress_file] +file_name_regexp=.*libdcerpc-samr\\.so.* diff --git a/SPECS/samba.spec b/SPECS/samba.spec index 641ee93..3aaa858 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -132,7 +132,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%global baserelease 8 +%global baserelease 10 %global samba_version 4.15.5 %global talloc_version 2.3.3 @@ -198,6 +198,7 @@ Source11: smb.conf.vendor Source12: smb.conf.example Source13: pam_winbind.conf Source14: samba.pamd +Source15: samba.abignore Source201: README.downgrade @@ -215,6 +216,7 @@ Patch10: samba-4-15-fix-create-local-krb5-conf.patch Patch11: samba-4-15-username-map.patch Patch12: samba-4-15-kerberos-clock-skew.patch Patch13: samba-4-15-smbd-upn.patch +Patch14: CVE-2022-32742-v4-15.patch Requires(pre): /usr/sbin/groupadd Requires(post): systemd @@ -735,7 +737,6 @@ library. ### PYTHON3 %package -n python3-%{name} Summary: Samba Python3 libraries -Requires: %{name} = %{samba_depver} Requires: %{name}-client-libs = %{samba_depver} Requires: %{name}-common-libs = %{samba_depver} Requires: %{name}-libs = %{samba_depver} @@ -4113,6 +4114,13 @@ fi %endif %changelog +* Mon Sep 12 2022 Andreas Schneider - 4.15.5-10 +- resolves: rhbz#2126041 - Do not require samba package in python3-samba + +* Fri Sep 09 2022 Andreas Schneider - 4.15.5-9 +- Fix CVE-2022-32742 +- resolves: rhbz#2125552 + * Wed Apr 27 2022 Pavel Filipenský - 4.15.5-8 - resolves: rhbz#2079303 - Fix username map for unix groups - resolves: rhbz#2079299 - PAM Kerberos authentication fails with a clock skew error