[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.17] 19 commits: VERSION: Bump version up to Samba 4.17.2...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Tue Oct 25 12:53:54 BST 2022



Michael Tokarev pushed to branch upstream_4.17 at Debian Samba Team / samba


Commits:
96e8adf7 by Jule Anger at 2022-10-19T14:13:39+02:00
VERSION: Bump version up to Samba 4.17.2...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
16ea178f by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Remove __func__ compatibility workaround

As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
d5a06cd5 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal_build: Add gssapi-subsystem subsystem

This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
846fbd04 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
2ee62a7c by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() for arcfour unwrap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
abb3f7f1 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Use constant-time memcmp() in unwrap_des3()

The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
24099e34 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
c06f2e9c by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()

By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.

In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.

That would be undefined behaviour.

The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
a0cd16f0 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Check the result of _gsskrb5_get_mech()

We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
0de56695 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Check buffer length against overflow for DES{,3} unwrap

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
f33f8a51 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Check for overflow in _gsskrb5_get_mech()

If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
3007e320 by Joseph Sutton at 2022-10-24T07:57:56+02:00
CVE-2022-3437 third_party/heimdal: Pass correct length to _gssapi_verify_pad()

We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.

Now we properly constrain the value of padlength so underflow shouldn't
be possible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134

Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

- - - - -
4fbcfb28 by Volker Lendecke at 2022-10-24T08:00:02+02:00
CVE-2022-3592 smbd: No empty path components in openat_pathref_dirfsp_nosymlink()

Upper layers must have filtered this, everything else is a bug

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
4e3e3f9c by Volker Lendecke at 2022-10-24T08:00:02+02:00
CVE-2022-3592 torture3: Show that our symlink traversal checks are insecure

This test shows that we don't properly check whether symlink targets
are inside the exported share. Linking to <share-root>a/etc makes us
loop back into filename_convert_dirfsp_nosymlink() with /etc as a
directory name.

On Linux systems with openat2(RESOLVE_NO_SYMLINKS) we pass "/etc"
directly into that call after some checks for "."/".." as invalid file
name components. "/etc" is okay for openat2(), but this test must also
succeed on systems without RESOLVE_NO_SYMLINKS (sn-devel-184 for
example). On systems without RESOLVE_NO_SYMLINKS split up the path
"/etc" into path components, in this case "" and "etc". So we pass ""
down to openat(), which correctly fails with ENOENT.

Summary: Only with RESOLVE_NO_SYMLINKS we're hit by bug 15207, and
this test shows by expecting CONNECTION_DISCONNECTED that we violate
the internal assumption of empty path components with an unexpected
symlink target, making it testable on systems with and without
RESOLVE_NO_SYMLINKS.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
ace0ebde by Volker Lendecke at 2022-10-24T08:00:02+02:00
CVE-2022-3592 lib: add subdir_of() to source3/lib/util_path.c

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
e96d2809 by Volker Lendecke at 2022-10-24T08:00:02+02:00
CVE-2022-3592 smbd: Slightly simplify filename_convert_dirfsp()

subdir_of() calculates the share-relative rest for us, don't do the
strlen(connectpath) calculation twice. subdir_of() also checks that
the target properly ends on a directory. With just strncmp a symlink
to x->/aa/etc would qualify as in share /a, so a "get x/passwd" leads to a
pretty unfortunate result. This is the proper fix for bug 15207, so we
need to change the expected error code to OBJECT_PATH_NOT_FOUND

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
37fa752e by Jule Anger at 2022-10-24T12:32:18+02:00
WHATSNEW: Add release notes for Samba 4.17.2.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
21f99510 by Jule Anger at 2022-10-24T12:50:24+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.17.2 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
114c6678 by Michael Tokarev at 2022-10-25T14:15:45+03:00
New upstream version 4.17.2+dfsg
- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdbd.1
- ctdb/doc/ltdbtool.1
- ctdb/doc/onnode.1
- ctdb/doc/ping_pong.1
- docs/manpages/cifsdd.8
- docs/manpages/dbwrap_tool.1
- docs/manpages/eventlogadm.8
- docs/manpages/idmap_ad.8
- docs/manpages/idmap_autorid.8
- docs/manpages/idmap_hash.8
- docs/manpages/idmap_ldap.8
- docs/manpages/idmap_nss.8
- docs/manpages/idmap_rfc2307.8
- docs/manpages/idmap_rid.8
- docs/manpages/idmap_script.8
- docs/manpages/idmap_tdb.8
- docs/manpages/idmap_tdb2.8
- docs/manpages/libsmbclient.7


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/74e5200a99002ea2b5dd72e10ac3a9ffcf925a88...114c66784e5dce29e800ace60d2a0ae551593740
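The length arithmetic described in the CVE-2022-3437 commit messages above, as an added C example (not Heimdal or Samba code and not part of the original e-mail): it shows the `total_len - 1 - len_len - 1` wrap-around with a guard, and a pad check that indexes back from the end of the buffer instead of decrementing a pointer. The function names, the `max_pad` parameter and the sample bytes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The expression quoted in the commit message, unchecked: it wraps to
 * SIZE_MAX when len_len == total_len - 1. */
size_t remaining_unchecked(size_t total_len, size_t len_len)
{
    return total_len - 1 - len_len - 1;
}

/* Checked form: the input must hold the 0x60 tag byte, len_len length
 * bytes and the one further byte the expression subtracts. */
bool remaining_checked(size_t total_len, size_t len_len, size_t *out)
{
    if (total_len < 2 || len_len > total_len - 2)
        return false;
    *out = total_len - 1 - len_len - 1;
    return true;
}

/* Hypothetical pad check: the last byte gives the pad length p, which
 * must satisfy 1 <= p <= max_pad and p <= len, and the final p bytes
 * must all equal p. Indexing back from len with a count never forms a
 * pointer in front of buf[0]. */
bool verify_pad(const uint8_t *buf, size_t len, size_t max_pad, size_t *padlen)
{
    if (buf == NULL || len == 0)
        return false;
    size_t p = buf[len - 1];
    if (p == 0 || p > max_pad || p > len)
        return false;
    for (size_t i = 1; i <= p; i++)
        if (buf[len - i] != p)
            return false;
    *padlen = p;
    return true;
}

int main(void)
{
    const uint8_t msg[] = { 0x41, 0x03, 0x03, 0x03 };  /* constructed sample */
    size_t rest = 0, pad = 0;
    printf("unchecked(5,4) = %zu\n", remaining_unchecked(5, 4));
    printf("checked(5,4)   = %d\n", remaining_checked(5, 4, &rest));
    printf("pad ok         = %d\n", verify_pad(msg, sizeof(msg), 8, &pad));
    return 0;
}
```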
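The share-containment problem described in commit e96d2809 above (a symlink target of `/aa/etc` passing a bare strncmp() test against share `/a`), as an added C example that is not Samba's subdir_of() and not part of the original e-mail. The helper names are hypothetical, the paths are constructed samples, and both arguments are assumed to be absolute, already-normalised paths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Prefix-only test: "/aa/etc" starts with "/a", so it is wrongly
 * treated as being inside share "/a". */
bool in_share_strncmp(const char *share, const char *path)
{
    return strncmp(path, share, strlen(share)) == 0;
}

/* Component-aware test (hypothetical helper, not Samba's subdir_of()).
 * Assumes both arguments are absolute, already-normalised paths.
 * On success *rest points at the share-relative remainder. */
bool in_share_component(const char *share, const char *path,
                        const char **rest)
{
    size_t n = strlen(share);

    while (n > 1 && share[n - 1] == '/')
        n--;                        /* ignore trailing slashes on the share */
    if (n == 0 || strncmp(path, share, n) != 0)
        return false;
    if (share[n - 1] == '/' || path[n] == '\0') {
        *rest = path + n;           /* share is "/", or path is the share */
        return true;
    }
    if (path[n] != '/')
        return false;               /* "/aa/etc" is not below "/a" */
    *rest = path + n + 1;
    return true;
}

int main(void)
{
    const char *rest = "";
    /* Constructed sample: share root "/a", symlink target "/aa/etc". */
    printf("strncmp:   %d\n", in_share_strncmp("/a", "/aa/etc"));
    printf("component: %d\n", in_share_component("/a", "/aa/etc", &rest));
    if (in_share_component("/a", "/a/etc/passwd", &rest))
        printf("rest: %s\n", rest);
    return 0;
}
```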
