[Pkg-samba-maint] [Git][samba-team/samba][master] 2 commits: poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse (#1022826)

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Wed Oct 26 18:12:12 BST 2022



Michael Tokarev pushed to branch master at Debian Samba Team / samba


Commits:
53c8b81c by Michael Tokarev at 2022-10-26T19:42:11+03:00
poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse (#1022826)

This has become an issue with popt-1.9, https://bugzilla.samba.org/show_bug.cgi?id=15205
These patches are included in 4.17 already.

- - - - -
2bd73416 by Michael Tokarev at 2022-10-26T20:10:49+03:00
update changelog; upload 4.16.6+dfsg-4 to unstable

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/poptGetArg-misuse-fixes-1022826.diff
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+samba (2:4.16.6+dfsg-4) unstable; urgency=medium
+
+  * poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse
+    for popt-1.9 (Closes: #1022826)
+
+ -- Michael Tokarev <mjt at tls.msk.ru>  Wed, 26 Oct 2022 19:45:38 +0300
+
 samba (2:4.16.6+dfsg-3) unstable; urgency=medium
 
   * d/rules: stop dh_installpam from installing samba.pam
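
Review bot: The new changelog entry says "for popt-1.9", but the commit messages inside the patch this upload adds all refer to popt 1.19 ("popt1.19 fixes a leak", "Fix use after free with popt-1.19"). Suggest changing the entry to read popt-1.19 so the changelog agrees with the patch it describes.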


=====================================
debian/patches/poptGetArg-misuse-fixes-1022826.diff
=====================================
@@ -0,0 +1,914 @@
+Subject: a collection of patches from upstream branch
+         v4.16-test to fix popt misue (#1022826)
+Bug-Debian: https://bugs.debian.org/1022826
+
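
Review bot: The Subject line of the patch header spells "misue" where "misuse" is meant, and the header has no Origin or Applied-Upstream field even though each commit below carries a "cherry picked from commit" line. Suggest fixing the typo and adding those DEP-3 fields pointing at the upstream commits, so the patch can be dropped cleanly once the package moves to a release that already contains them.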
+commit 0503e0df3b6b0b02c54c50f25e77b39de90ca575
+Author: Noel Power <noel.power at suse.com>
+Date:   Fri Oct 14 10:03:17 2022 +0100
+
+    s3/rpcclient: Duplicate string returned from poptGetArg
+    
+    popt1.19 fixes a leak that exposes a use as free,
+    make sure we duplicate return of poptGetArg if
+    poptFreeContext is called before we use it.
+    
+    ==4407== Invalid read of size 1
+    ==4407==    at 0x146263: main (rpcclient.c:1262)
+    ==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+    ==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x146227: main (rpcclient.c:1251)
+    ==4407==  Block was alloc'd at
+    ==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x1461BC: main (rpcclient.c:1219)
+    ==4407==
+    ==4407== Invalid read of size 1
+    ==4407==    at 0x14627D: main (rpcclient.c:1263)
+    ==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+    ==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x146227: main (rpcclient.c:1251)
+    ==4407==  Block was alloc'd at
+    ==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x1461BC: main (rpcclient.c:1219)
+    ==4407==
+    ==4407== Invalid read of size 1
+    ==4407==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x4980E1C: talloc_strdup (talloc.c:2470)
+    ==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+    ==4407==    by 0x1462B1: main (rpcclient.c:1267)
+    ==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+    ==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x146227: main (rpcclient.c:1251)
+    ==4407==  Block was alloc'd at
+    ==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x1461BC: main (rpcclient.c:1219)
+    ==4407==
+    ==4407== Invalid read of size 1
+    ==4407==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x4980E1C: talloc_strdup (talloc.c:2470)
+    ==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+    ==4407==    by 0x1462B1: main (rpcclient.c:1267)
+    ==4407==  Address 0x7b67cd1 is 1 bytes inside a block of size 10 free'd
+    ==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x146227: main (rpcclient.c:1251)
+    ==4407==  Block was alloc'd at
+    ==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x1461BC: main (rpcclient.c:1219)
+    ==4407==
+    ==4407== Invalid read of size 8
+    ==4407==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
+    ==4407==    by 0x4980E32: talloc_strdup (talloc.c:2470)
+    ==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+    ==4407==    by 0x1462B1: main (rpcclient.c:1267)
+    ==4407==  Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+    ==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x146227: main (rpcclient.c:1251)
+    ==4407==  Block was alloc'd at
+    ==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x1461BC: main (rpcclient.c:1219)
+    ==4407==
+    ==4407== Invalid read of size 1
+    ==4407==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
+    ==4407==    by 0x4980E32: talloc_strdup (talloc.c:2470)
+    ==4407==    by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+    ==4407==    by 0x1462B1: main (rpcclient.c:1267)
+    ==4407==  Address 0x7b67cd8 is 8 bytes inside a block of size 10 free'd
+    ==4407==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x146227: main (rpcclient.c:1251)
+    ==4407==  Block was alloc'd at
+    ==4407==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==4407==    by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==4407==    by 0x1461BC: main (rpcclient.c:1219)
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Ralph Boehme <slow at samba.org>
+    (cherry picked from commit d26d3d9bff61f796c9c9ab54990ea078f575ab1e)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 4042d0d60be..27fe5d705c6 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -1238,7 +1238,7 @@ out_free:
+ 	/* Get server as remaining unparsed argument.  Print usage if more
+ 	   than one unparsed argument is present. */
+ 
+-	server = poptGetArg(pc);
++	server = talloc_strdup(frame, poptGetArg(pc));
+ 
+ 	if (!server || poptGetArg(pc)) {
+ 		poptPrintHelp(pc, stderr, 0);
+
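
Review bot: On the added line "server = talloc_strdup(frame, poptGetArg(pc));" the result can now be NULL for two different reasons: no positional argument was given, or the allocation failed. The "if (!server || poptGetArg(pc))" that follows treats both as a usage error and prints help. Suggest reading the popt pointer into a temporary first, printing help only when that temporary is NULL, and reporting an allocation failure separately when the talloc_strdup() result is NULL.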
+commit da11c48d9b69b394e2d01b3405aba24b17e671e0
+Author: Noel Power <noel.power at suse.com>
+Date:   Fri Oct 14 11:23:37 2022 +0100
+
+    s3/param: Fix use after free with popt-1.19
+    
+    popt1.19 fixes a leak that exposes a use as free,
+    make sure we duplicate return of poptGetArg if
+    poptFreeContext is called before we use it.
+    
+    ==5325== Invalid read of size 1
+    ==5325==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+    ==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 1
+    ==5325==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+    ==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 8
+    ==5325==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+    ==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+    ==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 2
+    ==5325==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+    ==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+    ==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 1
+    ==5325==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+    ==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+    ==5325==    by 0x4894B98: lp_load_ex (loadparm.c:4004)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 1
+    ==5325==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+    ==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 1
+    ==5325==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859E1C: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+    ==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 8
+    ==5325==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+    ==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+    ==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 2
+    ==5325==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+    ==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+    ==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    ==5325== Invalid read of size 1
+    ==5325==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+    ==5325==    by 0x4859E32: talloc_strdup (talloc.c:2470)
+    ==5325==    by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+    ==5325==    by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+    ==5325==    by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==5325==    by 0x10ABD7: main (test_lp_load.c:98)
+    ==5325==  Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
+    ==5325==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB8E: main (test_lp_load.c:90)
+    ==5325==  Block was alloc'd at
+    ==5325==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5325==    by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5325==    by 0x10AB49: main (test_lp_load.c:74)
+    ==5325==
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Ralph Boehme <slow at samba.org>
+    (cherry picked from commit ff003fc87b8164610dfd6572347c05308c4b2fd7)
+
+diff --git a/source3/param/test_lp_load.c b/source3/param/test_lp_load.c
+index 2c6a5c8891b..03be4118efd 100644
+--- a/source3/param/test_lp_load.c
++++ b/source3/param/test_lp_load.c
+@@ -82,7 +82,7 @@ int main(int argc, const char **argv)
+ 	}
+ 
+ 	if (poptPeekArg(pc)) {
+-		config_file = poptGetArg(pc);
++		config_file = talloc_strdup(frame, poptGetArg(pc));
+ 	} else {
+ 		config_file = get_dyn_CONFIGFILE();
+ 	}
+
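
Review bot: The talloc_strdup() result assigned to config_file inside the "if (poptPeekArg(pc))" branch is not checked in the lines shown. The valgrind trace in the commit message shows config_file reaching lp_load_with_registry_shares() at test_lp_load.c:98, so an allocation failure would hand a NULL path to the loader instead of failing at the point of the copy. Suggest a NULL check directly after the assignment that bails out with an error.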
+commit 1efcc10c9d4f4f35ea22322e427989112a3bae51
+Author: Noel Power <noel.power at suse.com>
+Date:   Fri Oct 14 11:26:24 2022 +0100
+
+    s3/utils: Add missing poptFreeContext
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Ralph Boehme <slow at samba.org>
+    (cherry picked from commit 31d3d10b260f05080ca0a3cf9434aa4704d60739)
+
+diff --git a/source3/utils/mdsearch.c b/source3/utils/mdsearch.c
+index ac0b75fca51..ab48e366a0a 100644
+--- a/source3/utils/mdsearch.c
++++ b/source3/utils/mdsearch.c
+@@ -242,6 +242,7 @@ int main(int argc, char **argv)
+ 	return 0;
+ 
+ fail:
++	poptFreeContext(pc);
+ 	TALLOC_FREE(frame);
+ 	return 1;
+ }
+
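
Review bot: The added "poptFreeContext(pc);" under the "fail:" label runs for every jump to that label, and these lines do not show where pc is assigned. Please confirm that pc is initialised to NULL at declaration, or that no "goto fail" can be reached before the popt context is created, so the cleanup never sees an indeterminate pointer. The commit message also gives no rationale, unlike the other commits in this series; one sentence saying that the failure path leaked the context would help.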
+commit 4b35fa3f85e6ce8811a47e3d42049fecc0045d2f
+Author: Noel Power <noel.power at suse.com>
+Date:   Fri Oct 14 11:35:51 2022 +0100
+
+    s3/utils: Fix use after free with popt 1.19
+    
+    popt1.19 fixes a leak that exposes a use as free,
+    make sure we duplicate return of poptGetArg if
+    poptFreeContext is called before we use it.
+    
+    ==5914== Invalid read of size 1
+    ==5914==    at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6)
+    ==5914==    by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583)
+    ==5914==    by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340)
+    ==5914==    by 0x10DED1: print_user_info (pdbedit.c:372)
+    ==5914==    by 0x111413: main (pdbedit.c:1324)
+    ==5914==  Address 0x73b6750 is 0 bytes inside a block of size 7 free'd
+    ==5914==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5914==    by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5914==    by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==5914==    by 0x1113E6: main (pdbedit.c:1323)
+    ==5914==  Block was alloc'd at
+    ==5914==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==5914==    by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==5914==    by 0x110AE5: main (pdbedit.c:1137)
+    ==5914==
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Ralph Boehme <slow at samba.org>
+    (cherry picked from commit e82699fcca3716d9ed0450263fd83f948de8ffbe)
+
+diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
+index 4fdcc3ee428..eb4f3072df8 100644
+--- a/source3/utils/pdbedit.c
++++ b/source3/utils/pdbedit.c
+@@ -1150,7 +1150,7 @@ int main(int argc, const char **argv)
+ 	poptGetArg(pc); /* Drop argv[0], the program name */
+ 
+ 	if (user_name == NULL)
+-		user_name = poptGetArg(pc);
++		user_name = talloc_strdup(frame, poptGetArg(pc));
+ 
+ 	setparms =	(backend ? BIT_BACKEND : 0) +
+ 			(verbose ? BIT_VERBOSE : 0) +
+
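
Review bot: In the "if (user_name == NULL)" branch, the added "user_name = talloc_strdup(frame, poptGetArg(pc));" leaves user_name NULL both when no positional argument remains and when the allocation fails, and NULL is evidently a normal state for this variable. An out-of-memory condition would therefore be silently handled as "no user name supplied". Suggest guarding the copy with poptPeekArg(pc), as the test_lp_load.c hunk in this same patch does, and treating a NULL return from talloc_strdup() as an error.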
+commit 5383d625cbb3a2c10b4fa18d21e738dabad5d6be
+Author: Noel Power <noel.power at suse.com>
+Date:   Fri Oct 14 11:45:13 2022 +0100
+
+    s3/utils: Fix use after free with popt 1.19
+    
+    popt1.19 fixes a leak that exposes a use as free,
+    make sure we duplicate return of poptGetArg if
+    poptFreeContext is called before we use it.
+    
+    ==6055== Command: ./bin/testparm /etc/samba/smb.conf
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x10EBFA: main (testparm.c:862)
+    ==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x10EBFA: main (testparm.c:862)
+    ==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x10EBFA: main (testparm.c:862)
+    ==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+    ==6055==    by 0x10EBFA: main (testparm.c:862)
+    ==6055==  Address 0x72dab72 is 2 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    Load smb config files from /etc/samba/smb.conf
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+    ==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+    ==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 8
+    ==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+    ==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+    ==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 2
+    ==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+    ==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+    ==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+    ==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+    ==6055==    by 0x4889B98: lp_load_ex (loadparm.c:4004)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+    ==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927E1C: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+    ==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 8
+    ==6055==    at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+    ==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+    ==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 2
+    ==6055==    at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+    ==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+    ==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    ==6055== Invalid read of size 1
+    ==6055==    at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+    ==6055==    by 0x4927E32: talloc_strdup (talloc.c:2470)
+    ==6055==    by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+    ==6055==    by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+    ==6055==    by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+    ==6055==    by 0x10EC06: main (testparm.c:864)
+    ==6055==  Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
+    ==6055==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EBAC: main (testparm.c:854)
+    ==6055==  Block was alloc'd at
+    ==6055==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6055==    by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6055==    by 0x10EB2E: main (testparm.c:830)
+    ==6055==
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Ralph Boehme <slow at samba.org>
+    (cherry picked from commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3)
+
+diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
+index 71bc4c2694e..bb9cb6db563 100644
+--- a/source3/utils/testparm.c
++++ b/source3/utils/testparm.c
+@@ -844,13 +844,13 @@ static void do_per_share_checks(int s)
+ 	}
+ 
+ 	if (poptPeekArg(pc)) {
+-		config_file = poptGetArg(pc);
++		config_file = talloc_strdup(frame, poptGetArg(pc));
+ 	} else {
+ 		config_file = get_dyn_CONFIGFILE();
+ 	}
+ 
+-	cname = poptGetArg(pc);
+-	caddr = poptGetArg(pc);
++	cname = talloc_strdup(frame, poptGetArg(pc));
++	caddr = talloc_strdup(frame, poptGetArg(pc));
+ 
+ 	poptFreeContext(pc);
+ 
+
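Review bot: none of the three talloc_strdup() results in this testparm.c hunk is checked, and for cname and caddr a NULL caused by allocation failure cannot be told apart from poptGetArg() returning NULL because no argument was given (talloc_strdup() returns NULL for a NULL input). Guard each copy with poptPeekArg(pc) and fail on a NULL result, so that an out-of-memory condition is not treated as an absent argument; the follow-up at line 845 adds the check for config_file only.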
+commit 7480f9c01d6449e071784b04ea1f8e2a18906d75
+Author: Noel Power <noel.power at suse.com>
+Date:   Fri Oct 14 11:53:53 2022 +0100
+
+    s4/lib/registry: Fix use after free with popt 1.19
+    
+    popt1.19 fixes a leak that exposes a use as free,
+    make sure we duplicate return of poptGetArg if
+    poptFreeContext is called before we use it.
+    
+    ==6357== Command: ./bin/regpatch file
+    ==6357==
+    Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
+    ==6357== Syscall param openat(filename) points to unaddressable byte(s)
+    ==6357==    at 0x4BFE535: open (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4861432: reg_diff_load (patchfile.c:345)
+    ==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+    ==6357==    by 0x10ADF9: main (regpatch.c:114)
+    ==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
+    ==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ADCF: main (regpatch.c:111)
+    ==6357==  Block was alloc'd at
+    ==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ACBD: main (regpatch.c:79)
+    ==6357==
+    ==6357== Invalid read of size 1
+    ==6357==    at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+    ==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
+    ==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
+    ==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+    ==6357==    by 0x10ADF9: main (regpatch.c:114)
+    ==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
+    ==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ADCF: main (regpatch.c:111)
+    ==6357==  Block was alloc'd at
+    ==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ACBD: main (regpatch.c:79)
+    ==6357==
+    ==6357== Invalid read of size 1
+    ==6357==    at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+    ==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
+    ==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
+    ==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+    ==6357==    by 0x10ADF9: main (regpatch.c:114)
+    ==6357==  Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
+    ==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ADCF: main (regpatch.c:111)
+    ==6357==  Block was alloc'd at
+    ==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ACBD: main (regpatch.c:79)
+    ==6357==
+    ==6357== Invalid read of size 1
+    ==6357==    at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+    ==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
+    ==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
+    ==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+    ==6357==    by 0x10ADF9: main (regpatch.c:114)
+    ==6357==  Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
+    ==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ADCF: main (regpatch.c:111)
+    ==6357==  Block was alloc'd at
+    ==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ACBD: main (regpatch.c:79)
+    ==6357==
+    ==6357== Invalid read of size 1
+    ==6357==    at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+    ==6357==    by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+    ==6357==    by 0x4AD33F2: dbgtext (debug.c:1925)
+    ==6357==    by 0x4861515: reg_diff_load (patchfile.c:353)
+    ==6357==    by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+    ==6357==    by 0x10ADF9: main (regpatch.c:114)
+    ==6357==  Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
+    ==6357==    at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ADCF: main (regpatch.c:111)
+    ==6357==  Block was alloc'd at
+    ==6357==    at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+    ==6357==    by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+    ==6357==    by 0x10ACBD: main (regpatch.c:79)
+    ==6357==
+    Error reading registry patch file `file'
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Ralph Boehme <slow at samba.org>
+    
+    Autobuild-User(master): Ralph Böhme <slow at samba.org>
+    Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184
+    
+    (cherry picked from commit 7e0e3f47cd67e4cadc101691cd14837f45d9506a)
+
+diff --git a/source4/lib/registry/tools/regpatch.c b/source4/lib/registry/tools/regpatch.c
+index 2be78d143ef..eafaff6cf99 100644
+--- a/source4/lib/registry/tools/regpatch.c
++++ b/source4/lib/registry/tools/regpatch.c
+@@ -101,7 +101,7 @@ int main(int argc, char **argv)
+ 		return 1;
+ 	}
+ 
+-	patch = poptGetArg(pc);
++	patch = talloc_strdup(mem_ctx, poptGetArg(pc));
+ 	if (patch == NULL) {
+ 		poptPrintUsage(pc, stderr, 0);
+ 		TALLOC_FREE(mem_ctx);
+
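Review bot: after this change the existing `if (patch == NULL)` test in regpatch.c covers two different failures, a missing patch argument and a failed talloc_strdup(), and both end in poptPrintUsage(). Test poptPeekArg(pc) for the usage path and report allocation failure separately, as the pdbedit.c change in this series does, so that out-of-memory is not reported as a usage error.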
+commit e69d2b3f9d2c8f38a4d93413d563ad5241d35383
+Author: Noel Power <noel.power at suse.com>
+Date:   Mon Oct 17 10:17:34 2022 +0100
+
+    s3/param: Check return of talloc_strdup
+    
+    followup to commit ff003fc87b8164610dfd6572347c05308c4b2fd7
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Jeremy Allison <jra at samba.org>
+    (cherry picked from commit 19eb88bc53e481327bbd437b0c145d5765c6dcec)
+
+diff --git a/source3/param/test_lp_load.c b/source3/param/test_lp_load.c
+index 03be4118efd..9f3d5516805 100644
+--- a/source3/param/test_lp_load.c
++++ b/source3/param/test_lp_load.c
+@@ -83,6 +83,11 @@ int main(int argc, const char **argv)
+ 
+ 	if (poptPeekArg(pc)) {
+ 		config_file = talloc_strdup(frame, poptGetArg(pc));
++		if (config_file == NULL) {
++			DBG_ERR("out of memory\n");
++			TALLOC_FREE(frame);
++			exit(1);
++		}
+ 	} else {
+ 		config_file = get_dyn_CONFIGFILE();
+ 	}
+
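Review bot: the new out-of-memory path in test_lp_load.c frees frame and exits but never calls poptFreeContext(pc). That is harmless at process exit, but since this series was driven by valgrind reports, releasing pc before exit(1) would keep the error path clean under the same tooling.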
+commit 9a18da112c47055fb32291dfcde42f2ccca7aad7
+Author: Noel Power <noel.power at suse.com>
+Date:   Mon Oct 17 10:25:00 2022 +0100
+
+    s3/utils: Check return of talloc_strdup
+    
+    followup to e82699fcca3716d9ed0450263fd83f948de8ffbe
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Jeremy Allison <jra at samba.org>
+    (cherry picked from commit 972127daddc7a32d23fb84d97102557035b06f5b)
+
+diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
+index eb4f3072df8..ede467108bb 100644
+--- a/source3/utils/pdbedit.c
++++ b/source3/utils/pdbedit.c
+@@ -1149,8 +1149,16 @@ int main(int argc, const char **argv)
+ 
+ 	poptGetArg(pc); /* Drop argv[0], the program name */
+ 
+-	if (user_name == NULL)
+-		user_name = talloc_strdup(frame, poptGetArg(pc));
++	if (user_name == NULL) {
++		if (poptPeekArg(pc)) {
++			user_name = talloc_strdup(frame, poptGetArg(pc));
++			if (user_name == NULL) {
++				fprintf(stderr, "out of memory\n");
++				TALLOC_FREE(frame);
++				exit(1);
++			}
++		}
++	}
+ 
+ 	setparms =	(backend ? BIT_BACKEND : 0) +
+ 			(verbose ? BIT_VERBOSE : 0) +
+
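Review bot: the out-of-memory report in this pdbedit.c hunk uses fprintf(stderr, ...) while the equivalent checks added to test_lp_load.c and testparm.c use DBG_ERR(); pick one form for the series. The two nested conditions can also be flattened to `if (user_name == NULL && poptPeekArg(pc))`, which removes one indentation level without changing behaviour.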
+commit 4d7e31b98162a33702162b00cf40811dfeabe671
+Author: Noel Power <noel.power at suse.com>
+Date:   Mon Oct 17 10:27:31 2022 +0100
+
+    s3/utils: check result of talloc_strdup
+    
+    follow to commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3
+    
+    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+    
+    Signed-off-by: Noel Power <noel.power at suse.com>
+    Reviewed-by: Jeremy Allison <jra at samba.org>
+    
+    Autobuild-User(master): Jeremy Allison <jra at samba.org>
+    Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184
+    
+    (cherry picked from commit 0326549a052c22e4929e3760fd5011c35e32fe33)
+
+diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
+index bb9cb6db563..27a8bc1fb8e 100644
+--- a/source3/utils/testparm.c
++++ b/source3/utils/testparm.c
+@@ -845,6 +845,11 @@ static void do_per_share_checks(int s)
+ 
+ 	if (poptPeekArg(pc)) {
+ 		config_file = talloc_strdup(frame, poptGetArg(pc));
++                if (config_file == NULL) {
++                        DBG_ERR("out of memory\n");
++                        TALLOC_FREE(frame);
++                        exit(1);
++                }
+ 	} else {
+ 		config_file = get_dyn_CONFIGFILE();
+ 	}
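Review bot: the five added lines in this testparm.c hunk are indented with spaces while the surrounding context lines use tabs; re-indent them with tabs to match the file. The cname and caddr copies introduced by the earlier testparm.c change still have no equivalent NULL handling after this follow-up.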


=====================================
debian/patches/series
=====================================
@@ -20,3 +20,4 @@ move-msg.sock-from-var-lib-samba-to-run-samba.patch
 testparm-do-not-fail-if-pid-dir-does-not-exist.patch
 add-missing-libs-deps.diff
 dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch
+poptGetArg-misuse-fixes-1022826.diff



View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/ce709ba2b2104d04ebee954e94c514fc3bc7a36c...2bd73416bb1d5ba03d4c36d3b321aca1daa0e46e
