[Pkg-samba-maint] [Git][samba-team/samba][bookworm] 33 commits: VERSION: Bump version up to Samba 4.17.10...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Thu Jul 20 21:42:32 BST 2023



Michael Tokarev pushed to branch bookworm at Debian Samba Team / samba


Commits:
d48c42c7 by Jule Anger at 2023-07-06T15:41:31+02:00
VERSION: Bump version up to Samba 4.17.10...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
a3944de6 by Volker Lendecke at 2023-07-14T15:14:46+02:00
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks

With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.

Discovered via Coverity ID 1504444 Out-of-bounds access

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
53838682 by Ralph Boehme at 2023-07-14T15:14:46+02:00
CVE-2022-2127: ntlm_auth: cap lanman response length value

We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
6e5e5c7f by Ralph Boehme at 2023-07-14T15:14:54+02:00
CVE-2023-34966: CI: test for sl_unpack_loop()

Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
c77b31f1 by Ralph Boehme at 2023-07-14T15:14:54+02:00
CVE-2023-34966: mdssvc: harden sl_unpack_loop()

A malicious client could send a packet where subcount is zero, leading to a busy
loop because

    count -= subcount
=>  count -= 0
=>  while (count > 0)

loops forever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
7812c56d by Ralph Boehme at 2023-07-14T15:14:57+02:00
CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()

Sends a maliciously crafted packet where the value in a key/value style
dictionary for the "scope" key is a simple string object whereas the server
expects an array. As the server doesn't perform type validation on the value, it
crashes when trying to use the "simple" object as a "complex" one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
049c1324 by Ralph Boehme at 2023-07-14T15:14:57+02:00
CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()

Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a key. If
the types don't match, return NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
98b2a013 by Ralph Boehme at 2023-07-14T15:15:00+02:00
CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map

Prepare for the "path" being a fake path and not the real server-side
path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
got stat info for the object in mds_add_result() so we can just pass stat info
from there.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
47a0c168 by Ralph Boehme at 2023-07-14T15:15:00+02:00
CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()

We were adding the value, but not the key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
56a21b3b by Ralph Boehme at 2023-07-14T15:15:00+02:00
CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob

d is talloc_free()d at the end of the functions and the buffer was later used
after beeing freed in the DCERPC layer when sending the packet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
0ae6084d by Ralph Boehme at 2023-07-14T15:15:00+02:00
CVE-2023-34968: mdscli: remove response blob allocation

This is handled by the NDR code transparently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
353a9cce by Ralph Boehme at 2023-07-14T15:15:00+02:00
CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
449f1280 by Ralph Boehme at 2023-07-14T15:15:00+02:00
CVE-2023-34968: rpcclient: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
cc593a6a by Ralph Boehme at 2023-07-14T15:15:00+02:00
CVE-2023-34968: mdssvc: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
ee428be9 by Ralph Boehme at 2023-07-14T15:15:01+02:00
CVE-2023-34968: mdssvc: switch to doing an early return

Just reduce indentation of the code handling the success case. No change in
behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
cb8313e7 by Ralph Boehme at 2023-07-14T15:15:01+02:00
CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()

sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a5c570e2 by Ralph Boehme at 2023-07-14T15:15:01+02:00
CVE-2023-34968: mdscli: return share relative paths

The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.

So given a share

  [spotlight]
    path = /foo/bar
    spotlight = yes

and a file inside this share with a full path of

  /foo/bar/dir/file

previously a search that matched this file would returns the absolute
server-side pato of the file, ie

  /foo/bar/dir/file

This will be change to

  /spotlight/dir/file

As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accomodate these
fake paths. The only way to do this sensibly is by makeing the paths relative to
the containing share, so just

  dir/file

in the example above.

The client learns about the share root path prefix – real server-side of fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.

There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be

  /System/Volumes/Data/foo/bar/dir/file

So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefixed can be queried by the client in the
mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.

Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix

  kMDSStorePathScopes + share_path (from mdssvc_open).

eg

  kMDSStorePathScopes = /System/Volumes/Data
  share_path = /foo/bar
  search result = /System/Volumes/Data/foo/bar/dir/file
  relative path returned by mdscli = dir/file

Makes sense? :)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
091b0265 by Ralph Boehme at 2023-07-14T15:15:01+02:00
CVE-2023-34968: mdssvc: return a fake share path

Instead of returning the real server-side absolute path of shares and search
results, return a fake absolute path replacing the path of the share with the
share name, iow for a share "test" with a server-side path of "/foo/bar", we
previously returned

  /foo/bar and
  /foo/bar/search/result

and now return

  /test and
  /test/search/result

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
e67b7e5f by Ralph Boehme at 2023-07-14T15:15:04+02:00
CVE-2023-3347: CI: add a test for server-side mandatory signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
e96d5002 by Ralph Boehme at 2023-07-14T15:15:04+02:00
CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
95cec0df by Ralph Boehme at 2023-07-14T15:15:04+02:00
CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()

It's now a one-line function, imho the overall code is simpler if that code is
just inlined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
a22fcb68 by Ralph Boehme at 2023-07-14T15:15:04+02:00
CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()

This is just going to bitrot. Anyone who's interested can just grep for
"signing_mandatory" and look up what it does.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
6c1128b1 by Ralph Boehme at 2023-07-14T15:15:04+02:00
CVE-2023-3347: smbd: fix "server signing = mandatory"

This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
calling srv_init_signing() very early after accepting the connection in
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
492a52b1 by Stefan Metzmacher at 2023-07-17T10:28:30+02:00
netlogon.idl: add support for netr_LogonGetCapabilities response level 2

We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.

Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)

- - - - -
e14a5c36 by Stefan Metzmacher at 2023-07-17T10:28:30+02:00
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels

The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715)

- - - - -
55d0a386 by Stefan Metzmacher at 2023-07-17T10:28:30+02:00
s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)

- - - - -
56fad90e by Stefan Metzmacher at 2023-07-17T10:28:30+02:00
s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224

(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)

- - - - -
1448e347 by Jule Anger at 2023-07-17T22:19:16+02:00
WHATSNEW: Add release notes for Samba 4.17.10.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
5eceb0df by Jule Anger at 2023-07-17T22:19:16+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.17.10 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
c6a6a72b by Michael Tokarev at 2023-07-19T17:59:33+03:00
New upstream version 4.17.10+dfsg
- - - - -
f3a1e02c by Michael Tokarev at 2023-07-19T18:00:44+03:00
Update upstream source from tag 'upstream/4.17.10+dfsg'

Update to upstream version '4.17.10+dfsg'
with Debian dir 87b52a2bb0da173cef9cf7687a9b07b0a90649b7
- - - - -
842fb86a by Michael Tokarev at 2023-07-19T18:01:10+03:00
remove fix-unsupported-netr_LogonGetCapabilities-l2.patch (fix is included now)

- - - - -
ff0a13b2 by Michael Tokarev at 2023-07-19T18:15:37+03:00
update changelog; upload version 4.17.10+dfsg-0+deb12u1 to bookworm-security

- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- debian/changelog
- − debian/patches/fix-unsupported-netr_LogonGetCapabilities-l2.patch
- debian/patches/series
- librpc/idl/netlogon.idl
- python/samba/tests/blackbox/mdsearch.py
- python/samba/tests/dcerpc/mdssvc.py
- selftest/target/Samba3.pm
- source3/rpc_client/cli_mdssvc.c
- source3/rpc_client/cli_mdssvc_private.h
- source3/rpc_client/cli_mdssvc_util.c
- source3/rpc_client/cli_mdssvc_util.h
- source3/rpc_server/mdssvc/dalloc.c
- source3/rpc_server/mdssvc/marshalling.c
- source3/rpc_server/mdssvc/marshalling.h
- source3/rpc_server/mdssvc/mdssvc.c
- source3/rpc_server/mdssvc/mdssvc.h
- source3/rpc_server/mdssvc/srv_mdssvc_nt.c
- source3/rpc_server/netlogon/srv_netlog_nt.c
- source3/rpcclient/cmd_spotlight.c
- source3/selftest/tests.py
- source3/smbd/proto.h
- source3/smbd/smb1_signing.c
- source3/smbd/smb1_signing.h
- source3/smbd/smb2_negprot.c
- source3/smbd/smb2_signing.c
- source3/utils/ntlm_auth.c
- source3/winbindd/winbindd_pam_auth_crap.c
- source4/rpc_server/netlogon/dcerpc_netlogon.c


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/dec07df126e2163d7d9c85f9ad7dcc23b4e6d0ae...ff0a13b20bbf5daa61e1d0c51db2fc3f65bf84f0

-- 
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/dec07df126e2163d7d9c85f9ad7dcc23b4e6d0ae...ff0a13b20bbf5daa61e1d0c51db2fc3f65bf84f0
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20230720/7ff903fd/attachment-0001.htm>


More information about the Pkg-samba-maint mailing list