[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.16] 15 commits: VERSION: Bump version up to Samba 4.16.5...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Tue Oct 25 10:51:17 BST 2022



Michael Tokarev pushed to branch upstream_4.16 at Debian Samba Team / samba


Commits:
1b4f98ef by Jule Anger at 2022-09-07T20:52:32+02:00
VERSION: Bump version up to Samba 4.16.5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
0eaa68d1 by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Remove __func__ compatibility workaround

As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c5dd87f4 by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal_build: Add gssapi-subsystem subsystem

This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
03eefa45 by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e3c314ed by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() for arcfour unwrap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
9ca9408c by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() in unwrap_des3()

The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c944773a by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
e1c2e283 by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()

By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.

In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.

That would be undefined behaviour.

The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
de77f015 by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()

We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d16ac1f4 by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
22dd9072 by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Check for overflow in _gsskrb5_get_mech()

If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
5c31d5be by Joseph Sutton at 2022-10-24T07:27:37+02:00
CVE-2022-3437 third_party/heimdal: Pass correct length to _gssapi_verify_pad()

We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.

Now we properly constrain the value of padlength so underflow shouldn't
be possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
62069835 by Jule Anger at 2022-10-24T12:26:09+02:00
WHATSNEW: Add release notes for Samba 4.16.6.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
dc74e56c by Jule Anger at 2022-10-24T12:44:57+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.16.6 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
37c4e434 by Michael Tokarev at 2022-10-25T12:40:00+03:00
New upstream version 4.16.6+dfsg
- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- docs/manpages/cifsdd.8
- docs/manpages/dbwrap_tool.1
- docs/manpages/eventlogadm.8
- docs/manpages/idmap_ad.8
- docs/manpages/idmap_autorid.8
- docs/manpages/idmap_hash.8
- docs/manpages/idmap_ldap.8
- docs/manpages/idmap_nss.8
- docs/manpages/idmap_rfc2307.8
- docs/manpages/idmap_rid.8
- docs/manpages/idmap_script.8
- docs/manpages/idmap_tdb.8
- docs/manpages/idmap_tdb2.8


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/86846c6ebb68d3d3339d1d7c8e4e3855579ed036...37c4e43485a006bbbdaba804aea3a1cb9cd6dea3

-- 
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/86846c6ebb68d3d3339d1d7c8e4e3855579ed036...37c4e43485a006bbbdaba804aea3a1cb9cd6dea3
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20221025/6d9d7728/attachment-0001.htm>


More information about the Pkg-samba-maint mailing list