[Pkg-samba-maint] [Git][samba-team/samba][debian/4.23] 59 commits: VERSION: Bump version up to Samba 4.23.7...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Tue May 26 14:05:19 BST 2026



Michael Tokarev pushed to branch debian/4.23 at Debian Samba Team / samba


Commits:
8deb76b0 by Björn Jacke at 2026-02-27T10:20:06+01:00
VERSION: Bump version up to Samba 4.23.7...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Bjoern Jacke <bjacke at samba.org>

- - - - -
4d57a910 by Volker Lendecke at 2026-04-14T13:20:17+00:00
rpc: Don't offer spoolss RPC with "disable spoolss = yes"

Bug: https://bugzilla.samba.org/show_bug.cgi?id=16019
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>

Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Fri Mar 13 09:00:05 UTC 2026 on atb-devel-224

(cherry picked from commit 8497fb05d8d9c082b7ba318844970f0b3227aff9)

- - - - -
f7753823 by Andreas Schneider at 2026-04-14T13:20:17+00:00
wafsamba: Add -D_FORTIFY_SOURCE=3 when stack protector is enabled

The capability check in SAMBA_CONFIG_H() already tests that the compiler
accepts both -Wp,-D_FORTIFY_SOURCE and the stack protector flag
together, but only the stack protector flag was added to EXTRA_CFLAGS on
success.

The glibc normally silently downgrades to the supported level if the one
specified is not supported.

Note that -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=3 only sets it if not
already defined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16040

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Anoop C S <anoopcs at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Fri Mar 27 08:33:09 UTC 2026 on atb-devel-224

(cherry picked from commit 333ac047c3fc151222e5ee6aaa75452276b0031e)

- - - - -
83ad6bad by Noel Power at 2026-04-14T13:20:17+00:00
s3/librpc/crypto: Don't keep growing in memory keytab

When we have long living concurrent connections every rpc bind
ends up calling and subsequently adding keytab entries to the
memory keytab returned by 'gse_krb5_get_server_keytab(...)'. This is
happening because as long as there is a handle open for the
keytab named "MEMORY:cifs_srv_keytab" then we keep adding entries to
it.

Note: There is no leak of gensec_security nor the krb5_keytab
      it contains. When rpc clients connected to the rpc worker process
      exit the gensec_security and the krb5_keytab structures are
      destructed as expected. However because we use a fixed name
      "MEMORY:cifs_srv_keytab" clients end up with a handle to a
      reference counted shared keytab. Destruction of the keytab results
      in the associated reference count being decremented. When the
      reference count reaches 0 the keytab is destroyed.

To avoid the keytab being extended the easiest solution is to ensure a
unique memory keytab is created for each client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16042
Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Noel Power <npower at samba.org>
Autobuild-Date(master): Mon Mar 30 09:36:45 UTC 2026 on atb-devel-224

(cherry picked from commit c28a86c45d9d9673de18f9c29ea80dff12c9e7dd)

- - - - -
490f6ed1 by Björn Jacke at 2026-04-14T14:22:35+00:00
samba_cross.py: autobuild fails with trailing space at line endings

autobuild fails with trailing space at line endings, so we need to strip() only
at "\n" here strictly.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16057

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Fri Apr 10 21:20:52 UTC 2026 on atb-devel-224

(cherry picked from commit 2f8dfde1210395175e726455bdb63a7b97245a72)

Autobuild-User(v4-23-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-23-test): Tue Apr 14 14:22:35 UTC 2026 on atb-devel-224

- - - - -
494e8b66 by Noel Power at 2026-04-16T10:45:13+00:00
s3/modules: Fix vfs snapper not finding files in subdirs

When trying to browse on Windows a snapper share (exposed via Windows previous versions), files in subdirs are not visible. In other words, only files that are in the root dir of the versioned share can be seen.

/ashare/file1
/ashare/file2
/ashare/subdir
/ashare/subdir/subfile1

For example, with the file hierarchy above, only file1, file2 and subdir are visible. Navigating into subdir shows an empty dir.

snapper_gmt_openat is failing because when calling snapper_gmt_convert
it doesn't take into account the path to the subdirectory.
snapper_gmt_convert is just passed the leaf name where it constructs the
snapper path based on the base dir of the share.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16058

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit f45b832a17a82a394076476d809b274ddbd720b0)

- - - - -
9fc56116 by Noel Power at 2026-04-16T11:47:43+00:00
s3/modules: fix snapper_gmt_fstatat

snapper_gmt_fstatat is failing when called on items in a
'previous version' snapshot because the wrong timestamp value is
passed (the raw timewarp value is used) and snapper_gmt_convert cannot
find the valid snapshot instance to use.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16058

Signed-off-by: Noel Power <noel.power at suse.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>

Autobuild-User(master): Anoop C S <anoopcs at samba.org>
Autobuild-Date(master): Wed Apr 15 15:29:38 UTC 2026 on atb-devel-224

(cherry picked from commit 78b7ed68e8da0c95ddc60fac58a6821ab723865b)

Autobuild-User(v4-23-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-23-test): Thu Apr 16 11:47:43 UTC 2026 on atb-devel-224

- - - - -
cc3e9f01 by Thales Antunes de Oliveira Barretto at 2026-04-20T14:06:16+00:00
vfs_glusterfs: fix directory fd leak via FSP extension destructor

When Samba closes a directory backed by vfs_glusterfs, the glfs_fd_t
opened by vfs_gluster_openat() is never closed.  This leaks one
libgfapi file descriptor and one server-side fd_t in glusterfsd per
directory open/close cycle.  With persistent SMB2 connections the
leak is unbounded and drives monotonic RSS growth on the GlusterFS
brick process.

The leak happens because vfs_glusterfs creates two independent
glfs_fd_t handles per directory: one via glfs_open() in
vfs_gluster_openat(), stored in the FSP extension, and another via
glfs_opendir() in vfs_gluster_fdopendir(), tracked by struct smb_Dir.
On close, smb_Dir_destructor() closes the opendir handle and sets the
pathref fd to -1.  fd_close() then returns early without calling
SMB_VFS_CLOSE, so vfs_gluster_close() never runs and the glfs_open()
handle is orphaned.  The original code passed NULL as the destroy
callback to VFS_ADD_FSP_EXTENSION, so there was no safety net.

The default VFS does not have this problem because fdopendir(3) wraps
the existing kernel fd rather than opening a new handle.  libgfapi
has no equivalent -- glfs_opendir() always creates an independent
handle by path.  The actual glfs_fd_t is stored in the FSP extension,
not in fsp->fh->fd (which holds a sentinel value), so Samba's generic
close path cannot reach it.

Register vfs_gluster_fsp_ext_destroy() as the FSP extension destroy
callback.  It calls glfs_close() on the stored pointer and is invoked
by vfs_remove_all_fsp_extensions() during file_free(), which runs
unconditionally for every fsp.  In the explicit close path,
vfs_gluster_close() NULLs the extension pointer before calling
VFS_REMOVE_FSP_EXTENSION to prevent double-close.  This follows the
same pattern used by vfs_ceph_new.c (vfs_ceph_fsp_ext_destroy_cb).

Observed on a production file server with persistent SMB2 connections
and continuous directory operations.  GlusterFS brick statedumps
showed fd_t pool growth from 1,993 to 80,350 active instances over
6 days, roughly 13,000 leaked fds per day per brick.

RN: Fix a directory file descriptor leak in vfs_glusterfs that caused
unbounded memory growth on the GlusterFS brick with persistent SMB2
connections.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16043

Signed-off-by: Thales Antunes de Oliveira Barretto <thales.barretto.git at gmail.com>
Reviewed-by: Anoop C S <anoopcs at samba.org>
Reviewed-by: Guenther Deschner <gd at samba.org>

Autobuild-User(master): Günther Deschner <gd at samba.org>
Autobuild-Date(master): Wed Apr  8 16:46:12 UTC 2026 on atb-devel-224

(cherry picked from commit e7c1c49e647adeaf2c6dda0d42f48305c0a5bc58)

- - - - -
e3175487 by Andreas Schneider at 2026-04-20T14:06:16+00:00
s3:libsmb: Add a talloc context to the internal data structure

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Anoop C S <anoopcs at samba.org>
(cherry picked from commit 959ea545fbd899dba14dc1216b8f4dca8cdb9b52)

- - - - -
7bded2db by Andreas Schneider at 2026-04-20T14:06:16+00:00
selftest: Add some hardlinks for testing SMB3 posix extensions

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15960

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3a5826d2facf140e610ca08cc80340c7aa5cf96a)

- - - - -
b745256e by Andreas Schneider at 2026-04-20T14:06:16+00:00
s4:torture: Implement posix extension tests for libsmbclient

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15960

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit e6e1cd753509698766de46df29c490fae5fcde9d)

- - - - -
c3a6f0a9 by Andreas Schneider at 2026-04-20T14:06:16+00:00
libsmbclient: Fix negotiating posix_extensions

Without this, smbc_setOptionPosixExtensions() does nothing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15960

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 8c276ff55efd3577e2a141613190231eefb8063f)

- - - - -
11368c3e by Andreas Schneider at 2026-04-20T14:06:16+00:00
s3:libsmb: Call the correct function in smbc_fgetxattr()

Looks like nobody ever tested this.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15960

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 1b5e40ef37eacaf2598401b43c1e9944e88a2308)

- - - - -
f5baf08e by Andreas Schneider at 2026-04-20T15:06:30+00:00
s3:include: Fix the smbc_fgetxattr() documentation in libsmbclient

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15960

Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>

Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Dec  9 19:33:22 UTC 2025 on atb-devel-224

(cherry picked from commit 2493bfa84e48badb9e7e8460e16aea68f90f431b)

Autobuild-User(v4-23-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-23-test): Mon Apr 20 15:06:30 UTC 2026 on atb-devel-224

- - - - -
c42d7d19 by Björn Jacke at 2026-04-21T13:10:49+02:00
WHATSNEW: Add release notes for Samba 4.23.7.

Signed-off-by: Bjoern Jacke <bjacke at samba.org>

- - - - -
89de873f by Björn Jacke at 2026-04-21T13:12:07+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.23.7 release.

Signed-off-by: Bjoern Jacke <bjacke at samba.org>

- - - - -
fc6ba3ec by Björn Jacke at 2026-04-21T13:36:33+02:00
VERSION: Bump version up to Samba 4.23.8...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Bjoern Jacke <bjacke at samba.org>

- - - - -
a74f1704 by Michael Tokarev at 2026-04-21T15:20:56+03:00
New upstream version 4.23.7+dfsg
- - - - -
219a7387 by Michael Tokarev at 2026-04-21T15:21:30+03:00
Update upstream source from tag 'upstream/4.23.7+dfsg'

Update to upstream version '4.23.7+dfsg'
with Debian dir a113058f6090baa16a4ab8bcff421dee6eafe21e
- - - - -
876123a5 by Michael Tokarev at 2026-04-21T15:23:31+03:00
update changelog; upload version 4.23.7+dfsg-1 to unstable

- - - - -
cbb4833c by Stefan Metzmacher at 2026-04-27T12:59:57+00:00
third_party/ngtcp2: import v1.22.1 for CVE-2026-40170

For CVE-2026-40170 see:
https://github.com/ngtcp2/ngtcp2/security/advisories/GHSA-f523-465f-8c8f

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16059

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 706dc118b3bdbe03ada53939c1634ab13c91455a)

Autobuild-User(v4-23-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-23-test): Mon Apr 27 12:59:57 UTC 2026 on atb-devel-224

- - - - -
a7465333 by Stefan Metzmacher at 2026-05-12T16:45:12+00:00
pam_winbind: only chown the home directory if it was created

Otherwise we may change the permission for '/'
if some system user (e.g. nobody) has no homedir and root
runs 'su - nobody'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16073

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Bjoern Jacke <bjacke at samba.org>

Autobuild-User(master): Björn Jacke <bjacke at samba.org>
Autobuild-Date(master): Sun May 10 23:22:27 UTC 2026 on atb-devel-224

(cherry picked from commit 79caa6ef08b9b333e17bb0762e95e18e250db463)

Autobuild-User(v4-23-test): Björn Jacke <bjacke at samba.org>
Autobuild-Date(v4-23-test): Tue May 12 16:45:12 UTC 2026 on atb-devel-224

- - - - -
1eda6653 by Björn Jacke at 2026-05-15T14:33:41+02:00
VERSION: re-enable GIT_SNAPSHOT

This should have been in commit
fc6ba3ecd245a8372599ac2a9e07533266a1e671.

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
39856d43 by Volker Lendecke at 2026-05-15T14:35:34+02:00
CVE-2026-1933: tests: Fix permissions used for creating reparse points

SEC_STD_ALL does not lead to fsp->access_mask including the required
bits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15992

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
7443fb5a by Stefan Metzmacher at 2026-05-15T14:35:34+02:00
CVE-2026-1933: smbd: Add access checks to reparse point operations

On a share marked "read only = yes" and on file handles opened R/O
users can set or delete the reparse point xattrs on files that the
user has write-access in the file system for. Add the required access
checks.

Thanks to Asim Viladi Oglu Manizada for reporting the issue.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15992

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
25311190 by Douglas Bagnall at 2026-05-15T14:35:34+02:00
CVE-2026-2340: test whether vfs_worm allows overwrite

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15997

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl at samba.org>

- - - - -
7962e747 by Pavel Kohout at 2026-05-15T14:35:34+02:00
CVE-2026-2340: vfs_worm: Check destination WORM status in rename

vfs_worm_renameat() only checked if the source file was WORM-protected,
but not the destination. This allowed overwriting immutable files via
SMB2 rename with ReplaceIfExists=1, bypassing WORM protection.

Add destination check using FSTATAT on the destination dirfsp, as
suggested by the maintainer.

CWE-284 (Improper Access Control)

Reported-by: Pavel Kohout, Aisle Research, www.aisle.com

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15997

To backport to 4.23 we change the name of dst_dirfsp and src_dirfsp to
dstfsp and srcfsp, respectively (accounting for
76796180cf3af3252db2c29d0e95282a498a8527 in 4.24/master).

Signed-off-by: Pavel Kohout <pavel.kohout at aisle.com>
Reviewed-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
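The destination check this commit describes, as an added example (not the vfs_worm code and not part of the commit). It assumes a file counts as WORM once its ctime is at least a grace period old; the function names are made up for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Assumed WORM rule: immutable once ctime is at least `grace` seconds old. */
static bool stat_is_worm(const struct stat *st, time_t now, double grace)
{
	return difftime(now, st->st_ctime) >= grace;
}

/* Decide a rename; dst == NULL means the destination does not exist. */
bool worm_rename_allowed(const struct stat *src, const struct stat *dst,
			 time_t now, double grace)
{
	if (stat_is_worm(src, now, grace)) {
		return false;	/* the check that was already present */
	}
	if (dst != NULL && stat_is_worm(dst, now, grace)) {
		return false;	/* the added check: do not replace a WORM file */
	}
	return true;
}

/* renameat() wrapper; returns -1 with errno == EACCES when WORM blocks it.
 * The stat calls and the rename are not atomic; this shows the ordering only. */
int worm_renameat(int srcdir, const char *src, int dstdir, const char *dst,
		  double grace)
{
	struct stat s, d;
	bool have_dst = true;

	if (fstatat(srcdir, src, &s, AT_SYMLINK_NOFOLLOW) != 0) {
		return -1;
	}
	/* Stat the destination name relative to the destination directory. */
	if (fstatat(dstdir, dst, &d, AT_SYMLINK_NOFOLLOW) != 0) {
		if (errno != ENOENT) {
			return -1;
		}
		have_dst = false;
	}
	if (!worm_rename_allowed(&s, have_dst ? &d : NULL, time(NULL), grace)) {
		errno = EACCES;
		return -1;
	}
	return renameat(srcdir, src, dstdir, dst);
}

int main(void)
{
	char dir[] = "/tmp/worm-demo-XXXXXX";	/* constructed scratch directory */
	int dfd, fd, rc;

	if (mkdtemp(dir) == NULL ||
	    (dfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) {
		return 1;
	}
	if ((fd = openat(dfd, "new", O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);
	if ((fd = openat(dfd, "kept", O_CREAT | O_WRONLY, 0600)) >= 0) close(fd);

	rc = worm_renameat(dfd, "new", dfd, "kept", 0.0);	/* grace 0: WORM */
	printf("grace 0s:    rc=%d (%s)\n", rc, rc ? strerror(errno) : "renamed");
	rc = worm_renameat(dfd, "new", dfd, "kept", 3600.0);	/* within grace */
	printf("grace 3600s: rc=%d (%s)\n", rc, rc ? strerror(errno) : "renamed");

	unlinkat(dfd, "new", 0);
	unlinkat(dfd, "kept", 0);
	close(dfd);
	rmdir(dir);
	return 0;
}
```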
f040d9a3 by Douglas Bagnall at 2026-05-15T14:35:34+02:00
CVE-2026-3012: gpo tests: fix test cleanup

These tests are going to fail soon but as currently written they do
not clean up after themselves, erroring instead of failing and causing
cascading errors in subsequent tests. For now we don't care to make
the other tests less fragile.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>

- - - - -
d77bf593 by Douglas Bagnall at 2026-05-15T14:35:34+02:00
CVE-2026-3012: do not fetch certificate over http

In the case where a certificate was found via HTTP, it was trusted
without verification and put in the global CA store.

There is no means to check the certificate other than by comparing it
to certificates we may have gathered via LDAP, but in that case there
is no advantage over just using the LDAP-derived certificates.

Using the LDAP certificates was already the fallback case if HTTP
failed, so we just make it the default.

The HTTP fetch depends on the NDES service, which is a variant of
Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
Samba implements none of that protocol other than the HTTP fetch. SCEP
is for clients that are not true domain members. Domain members can
access certificates over LDAP. This patch is not reducing SCEP
client support because Samba never had it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003

Reported-by: Arad Inbar, DREAM Security Research Team
Reported-by: Nir Somech, DREAM Security Research Team
Reported-by: Ben Grinberg, DREAM Security Research Team

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>

- - - - -
2b9d1982 by Douglas Bagnall at 2026-05-15T14:35:34+02:00
CVE-2026-3012: gp_auto_enrol: skip CAs not found in LDAP

If a certificate is mentioned in a GPO but is not present as a
cACertificate attribute on a pKIEnrollmentService object, we have no way
of obtaining it, so we might as well forget it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>

- - - - -
2d8f4ac9 by Douglas Bagnall at 2026-05-15T14:35:34+02:00
CVE-2026-3012: gpo tests should use real certificates

Or at least, more real than a short arbitrary byte string, so that
the certificates can be parsed.

This shows that certificate enrolment works via LDAP in the situations
where we would have fetched them via HTTP.

This does not fix the advanced_gp_cert_auto_enroll_ext test which
wants to install certificates it has no access to. This will not be
fixed in the security release.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton at catalyst.net.nz>

- - - - -
9ac7c27d by Volker Lendecke at 2026-05-15T14:35:34+02:00
CVE-2026-3238: winsserver4: Dissolve direct variable initialization

Checks are required before the packet is dereferenced.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16012

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
2d7d92ef by Volker Lendecke at 2026-05-15T14:35:34+02:00
CVE-2026-3238: winsserver4: Validate incoming packets

Avoid NULL pointer dereferences, leading to a crash in the nbt process
serving wins.

Thanks to Arad Inbar, Erez Cohen, Nir Somech and Ben Grinberg from
DREAM Security Research Team for pointing this crash bug out to
the Samba team.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16012

Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
df3455cf by Stefan Metzmacher at 2026-05-15T14:35:34+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: inline string_sub2() into string_sub() the only caller

This will simplify further changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
db426990 by Stefan Metzmacher at 2026-05-15T14:35:34+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: remove unused talloc_strdup(insert) from talloc_string_sub2()

The insert string is not modified, so we do not need to copy it.

This will simplify further changes.

Review with: git show --patience

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
fd5f6d69 by Stefan Metzmacher at 2026-05-15T14:35:34+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: factor out a mask_unsafe_character() helper function

This moves the logic into a single place and
makes it more flexible to be used with more
values than STRING_SUB_UNSAFE_CHARACTERS.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
b54d6560 by Stefan Metzmacher at 2026-05-15T14:35:34+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: split out realloc_string_sub_raw()

This will allow realloc_string_sub2() to use it in order
to have the logic in one place only.

And it will also allow adjacent callers to be
more flexible.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
0c13febc by Stefan Metzmacher at 2026-05-15T14:35:34+02:00
CVE-2026-4480/CVE-2026-4408: s3:lib: fix potential memory leak in talloc_sub_basic()

This makes the code easier to understand...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
9374f35a by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480/CVE-2026-4408: s3:lib: let realloc_string_sub2() use realloc_string_sub_raw()

We don't need this logic more than once!

But we leave the strange calling convention of
realloc_string_sub2(), where the caller is
not allowed to use the passed pointer when
NULL is returned...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
20ba81c2 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: let mask_unsafe_character() check all control characters

There's no reason to mask only \r and \n.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
62d75721 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: add more unsafe characters to STRING_SUB_UNSAFE_CHARACTERS

|&<> are unsafe characters for shell processing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
20fcc138 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: let log_escape() make use of iscntrl()

Using iscntrl() also handles 0x7F (DEL).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
6f9febc2 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: add talloc_string_sub_{mixed_quoting,unsafe}() helpers

This is the basic helper function for the security problems.

talloc_string_sub_mixed_quoting() checks for strange quoting
in smb.conf options.

And talloc_string_sub_unsafe() tries to autodetect how the unsafe
(client controlled) value can be masked and single quoted;
as a fallback for strange quoting a fixed fallback string
is used and the caller should warn the admin and give
hints how to fix the configuration.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Pair-Programmed-With: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
9e7b5f0a by Douglas Bagnall at 2026-05-15T14:35:35+02:00
CVE-2026-4480/CVE-2026-4408: lib/util: add test_string_sub unittests

This demonstrates the logic of talloc_string_sub_{mixed_quoting,unsafe}()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033
BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
2531aac7 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480: s3:printing: mask and/or single quote jobname passed as %J to "print command"

Fix an unauthenticated remote code execution vulnerability with
printing set to anything *but* cups and iprint, for example "lprng",
so that "print command" is executed upon job submission. If the
client-controlled job name is handed to the "print command" via %J,
rpcd_spoolssd passes this to the shell without escaping critical
characters.

Using single quotes (directly) around %J, i.e. '%J', would avoid the
problem. We now try to autodetect if we can use '%J' implicitly,
or we fall back to a fixed "__CVE-2026-4480_FallbackJobname__"
string instead of the client provided jobname.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
3d2384d7 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480: s3:testparm: warn about 'print command' %J usage

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
c6729f4b by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4480: docs-xml/smbdotconf: clarify '%J' in 'print command'

Admins should use '%J'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16033

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
14b16002 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4408: lib/util: introduce strstr_for_invalid_account_characters()

This splits out the logic from samaccountname_bad_chars_check()
in source4/dsdb/samdb/ldb_modules/samldb.c, this will be used
in other places soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
d1c6fc6e by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4408: s3:samr-server: only allow _samr_ValidatePassword as DC

This is only supported with 'rpc start on demand helpers = no',
as it needs ncacn_ip_tcp, but we better also restrict it to DCs.

Maybe only FreeIPA needs it as NT4 didn't support ncacn_ip_tcp.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
9a77a1c6 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4408: s3:samr-server: deny, mask and/or single quote username to 'check password script'

We pass this on to the check password script; prevent remote command
execution.

We now try to autodetect if we could implicitly use '%u' for the
replacement and fall back to a fixed fallback username.

Admins should make use of SAMBA_CPS_ACCOUNT_NAME
instead of passing '%u' to 'check password script'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Pair-Programmed-With: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
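The masking and quoting strategy described above for %J in 'print command' and %u in 'check password script', sketched as an added example that is not Samba's talloc_string_sub_unsafe(). The function name sub_unsafe(), the unsafe-character set and the fallback string are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical constant substituted when the template's quoting is unusable. */
#define FALLBACK_VALUE "__fallback_value__"

/* Assumed unsafe set for this example; control characters are masked too. */
static const char UNSAFE_CHARS[] = "$`'\";%|&<>";

static char mask_char(char c)
{
	if (iscntrl((unsigned char)c) || strchr(UNSAFE_CHARS, c) != NULL) {
		return '_';
	}
	return c;
}

/*
 * Replace every `var` in the shell command template `tmpl` with the
 * client-controlled `value`:
 *   unquoted                          -> masked value wrapped in '...'
 *   inside '...'                      -> masked value (template quotes it)
 *   inside "..." or after a backslash -> FALLBACK_VALUE, *used_fallback set
 * Returns a malloc()ed string, or NULL on error.
 */
char *sub_unsafe(const char *tmpl, const char *var, const char *value,
		 bool *used_fallback)
{
	size_t tlen = strlen(tmpl), varlen = strlen(var);
	size_t vlen = strlen(value), flen = strlen(FALLBACK_VALUE);
	size_t per = (vlen + 2 > flen) ? vlen + 2 : flen;
	size_t count = 0, o = 0, i = 0, j;
	bool in_single = false, in_double = false, escaped = false;
	const char *p;
	char *out;

	*used_fallback = false;
	if (varlen == 0) {
		return NULL;
	}
	for (p = strstr(tmpl, var); p != NULL; p = strstr(p + varlen, var)) {
		count++;
	}
	/* Each occurrence grows the output by at most `per` bytes. */
	out = malloc(tlen + count * per + 1);
	if (out == NULL) {
		return NULL;
	}
	while (i < tlen) {
		char c;
		if (strncmp(tmpl + i, var, varlen) == 0) {
			if (in_double || escaped) {
				memcpy(out + o, FALLBACK_VALUE, flen);
				o += flen;
				*used_fallback = true;
			} else {
				if (!in_single) out[o++] = '\'';
				for (j = 0; j < vlen; j++) out[o++] = mask_char(value[j]);
				if (!in_single) out[o++] = '\'';
			}
			escaped = false;
			i += varlen;
			continue;
		}
		/* Copy one template byte and track the shell quoting state. */
		c = tmpl[i++];
		out[o++] = c;
		if (in_single) {
			in_single = (c != '\'');
		} else if (escaped) {
			escaped = false;
		} else if (c == '\\') {
			escaped = true;
		} else if (c == '"') {
			in_double = !in_double;
		} else if (c == '\'' && !in_double) {
			in_single = true;
		}
	}
	out[o] = '\0';
	return out;
}

int main(void)
{
	/* Constructed sample input: a job name carrying shell metacharacters. */
	const char *job = "q1 report`id`|x";
	const char *tmpls[] = { "lpr -J %J %s", "lpr -J '%J' %s",
				"lpr -J \"job %J\" %s" };
	for (size_t k = 0; k < 3; k++) {
		bool fb;
		char *cmd = sub_unsafe(tmpls[k], "%J", job, &fb);
		printf("%-22s -> %s%s\n", tmpls[k], cmd ? cmd : "(error)",
		       fb ? "  [fallback: warn admin]" : "");
		free(cmd);
	}
	return 0;
}
```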
94133ecf by Douglas Bagnall at 2026-05-15T14:35:35+02:00
CVE-2026-4408: s3:samr-server: make check_password_complexity_internal() non-static, for easier testing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
57e21c34 by Douglas Bagnall at 2026-05-15T14:35:35+02:00
CVE-2026-4408: s3:torture: tests for password complexity scripts

This tries to demonstrate the new logic for %u in
'check password script'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>

Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>

- - - - -
132a5634 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4408: s3:testparm: warn about 'check password script' %u usage

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
902436a3 by Stefan Metzmacher at 2026-05-15T14:35:35+02:00
CVE-2026-4408: docs-xml/smbdotconf: clarify '%u' in 'check password script'

Admins should use SAMBA_CPS_ACCOUNT_NAME.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=16034

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

- - - - -
08a164ca by Björn Jacke at 2026-05-15T14:35:35+02:00
WHATSNEW: Add release notes for Samba 4.23.8.

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
11bc23b9 by Björn Jacke at 2026-05-15T14:38:40+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.23.8 release.

Signed-off-by: Bjoern Jacke <bjacke at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a360c6aa by Michael Tokarev at 2026-05-26T16:01:49+03:00
New upstream version 4.23.8+dfsg
- - - - -
51fda616 by Michael Tokarev at 2026-05-26T16:02:05+03:00
Update upstream source from tag 'upstream/4.23.8+dfsg'

Update to upstream version '4.23.8+dfsg'
with Debian dir d2e993488972b8078514dccd3e5f5cd9054a55ea
- - - - -
4487a386 by Michael Tokarev at 2026-05-26T16:04:09+03:00
update changelog; upload version 4.23.8+dfsg-1 to unstable

- - - - -


145 changed files:

- VERSION
- WHATSNEW.txt
- buildtools/wafsamba/samba_autoconf.py
- buildtools/wafsamba/samba_cross.py
- debian/changelog
- docs-xml/smbdotconf/printing/printcommand.xml
- docs-xml/smbdotconf/security/checkpasswordscript.xml
- lib/util/samba_util.h
- lib/util/substitute.c
- lib/util/substitute.h
- + lib/util/tests/test_string_sub.c
- lib/util/util_str.c
- lib/util/util_str_escape.c
- lib/util/wscript_build
- nsswitch/pam_winbind.c
- python/samba/gp/gp_cert_auto_enroll_ext.py
- python/samba/tests/gpo.py
- python/samba/tests/smb3unix.py
- script/autobuild.py
- + selftest/knownfail.d/gpo-auto-enrol
- selftest/target/Samba3.pm
- selftest/tests.py
- source3/include/libsmb_internal.h
- source3/include/libsmbclient.h
- source3/lib/substitute.c
- source3/lib/substitute_generic.c
- source3/librpc/crypto/gse_krb5.c
- source3/libsmb/libsmb_compat.c
- source3/libsmb/libsmb_context.c
- source3/libsmb/libsmb_server.c
- source3/modules/util_reparse.c
- source3/modules/vfs_glusterfs.c
- source3/modules/vfs_snapper.c
- source3/modules/vfs_worm.c
- source3/printing/print_generic.c
- source3/rpc_server/rpcd_spoolss.c
- source3/rpc_server/samr/srv_samr_chgpasswd.c
- source3/rpc_server/samr/srv_samr_nt.c
- source3/rpc_server/samr/srv_samr_util.h
- source3/script/tests/test_worm.sh
- + source3/torture/test_rpc_samr.c
- source3/torture/wscript_build
- source3/utils/testparm.c
- source4/nbt_server/wins/winsserver.c
- source4/selftest/tests.py
- source4/torture/libsmbclient/libsmbclient.c
- third_party/ngtcp2/crypto/CMakeLists.txt
- third_party/ngtcp2/crypto/Makefile.am
- third_party/ngtcp2/crypto/boringssl/boringssl.c
- third_party/ngtcp2/crypto/boringssl/libngtcp2_crypto_boringssl.pc.in
- third_party/ngtcp2/crypto/gnutls/gnutls.c
- third_party/ngtcp2/crypto/gnutls/libngtcp2_crypto_gnutls.pc.in
- third_party/ngtcp2/crypto/includes/CMakeLists.txt
- third_party/ngtcp2/crypto/includes/Makefile.am
- third_party/ngtcp2/crypto/includes/ngtcp2/ngtcp2_crypto.h
- third_party/ngtcp2/crypto/ossl/CMakeLists.txt
- third_party/ngtcp2/crypto/ossl/libngtcp2_crypto_ossl.pc.in
- third_party/ngtcp2/crypto/ossl/ossl.c
- third_party/ngtcp2/crypto/picotls/libngtcp2_crypto_picotls.pc.in
- third_party/ngtcp2/crypto/picotls/picotls.c
- third_party/ngtcp2/crypto/quictls/.gitignore
- third_party/ngtcp2/crypto/quictls/CMakeLists.txt
- third_party/ngtcp2/crypto/quictls/Makefile.am
- + third_party/ngtcp2/crypto/quictls/libngtcp2_crypto_libressl.pc.in
- third_party/ngtcp2/crypto/quictls/libngtcp2_crypto_quictls.pc.in
- third_party/ngtcp2/crypto/quictls/quictls.c
- third_party/ngtcp2/crypto/shared.c
- third_party/ngtcp2/crypto/shared.h
- third_party/ngtcp2/crypto/wolfssl/libngtcp2_crypto_wolfssl.pc.in
- third_party/ngtcp2/crypto/wolfssl/wolfssl.c
- third_party/ngtcp2/lib/CMakeLists.txt
- third_party/ngtcp2/lib/Makefile.am
- third_party/ngtcp2/lib/config.cmake.in
- third_party/ngtcp2/lib/includes/ngtcp2/ngtcp2.h
- third_party/ngtcp2/lib/ngtcp2_acktr.c
- third_party/ngtcp2/lib/ngtcp2_acktr.h
- third_party/ngtcp2/lib/ngtcp2_addr.c
- third_party/ngtcp2/lib/ngtcp2_addr.h
- third_party/ngtcp2/lib/ngtcp2_balloc.c
- third_party/ngtcp2/lib/ngtcp2_bbr.c
- third_party/ngtcp2/lib/ngtcp2_bbr.h
- third_party/ngtcp2/lib/ngtcp2_buf.c
- third_party/ngtcp2/lib/ngtcp2_buf.h
- + third_party/ngtcp2/lib/ngtcp2_callbacks.c
- + third_party/ngtcp2/lib/ngtcp2_callbacks.h
- third_party/ngtcp2/lib/ngtcp2_cc.c
- third_party/ngtcp2/lib/ngtcp2_cc.h
- third_party/ngtcp2/lib/ngtcp2_cid.c
- third_party/ngtcp2/lib/ngtcp2_cid.h
- third_party/ngtcp2/lib/ngtcp2_conn.c
- third_party/ngtcp2/lib/ngtcp2_conn.h
- + third_party/ngtcp2/lib/ngtcp2_conn_info.c
- + third_party/ngtcp2/lib/ngtcp2_conn_info.h
- third_party/ngtcp2/lib/ngtcp2_conn_stat.h
- third_party/ngtcp2/lib/ngtcp2_conv.c
- third_party/ngtcp2/lib/ngtcp2_crypto.c
- third_party/ngtcp2/lib/ngtcp2_crypto.h
- third_party/ngtcp2/lib/ngtcp2_dcidtr.c
- third_party/ngtcp2/lib/ngtcp2_dcidtr.h
- third_party/ngtcp2/lib/ngtcp2_frame_chain.c
- third_party/ngtcp2/lib/ngtcp2_frame_chain.h
- third_party/ngtcp2/lib/ngtcp2_gaptr.c
- third_party/ngtcp2/lib/ngtcp2_ksl.c
- third_party/ngtcp2/lib/ngtcp2_ksl.h
- third_party/ngtcp2/lib/ngtcp2_log.c
- third_party/ngtcp2/lib/ngtcp2_log.h
- third_party/ngtcp2/lib/ngtcp2_macro.h
- third_party/ngtcp2/lib/ngtcp2_map.c
- third_party/ngtcp2/lib/ngtcp2_map.h
- third_party/ngtcp2/lib/ngtcp2_net.h
- third_party/ngtcp2/lib/ngtcp2_objalloc.h
- third_party/ngtcp2/lib/ngtcp2_path.c
- third_party/ngtcp2/lib/ngtcp2_path.h
- + third_party/ngtcp2/lib/ngtcp2_pcg.c
- + third_party/ngtcp2/lib/ngtcp2_pcg.h
- third_party/ngtcp2/lib/ngtcp2_pkt.c
- third_party/ngtcp2/lib/ngtcp2_pkt.h
- third_party/ngtcp2/lib/ngtcp2_ppe.c
- third_party/ngtcp2/lib/ngtcp2_pv.c
- third_party/ngtcp2/lib/ngtcp2_pv.h
- third_party/ngtcp2/lib/ngtcp2_qlog.c
- third_party/ngtcp2/lib/ngtcp2_qlog.h
- third_party/ngtcp2/lib/ngtcp2_range.c
- + third_party/ngtcp2/lib/ngtcp2_ratelim.c
- + third_party/ngtcp2/lib/ngtcp2_ratelim.h
- third_party/ngtcp2/lib/ngtcp2_ringbuf.c
- third_party/ngtcp2/lib/ngtcp2_ringbuf.h
- third_party/ngtcp2/lib/ngtcp2_rob.c
- third_party/ngtcp2/lib/ngtcp2_rob.h
- third_party/ngtcp2/lib/ngtcp2_rst.c
- third_party/ngtcp2/lib/ngtcp2_rst.h
- third_party/ngtcp2/lib/ngtcp2_rtb.c
- third_party/ngtcp2/lib/ngtcp2_rtb.h
- third_party/ngtcp2/lib/ngtcp2_settings.c
- third_party/ngtcp2/lib/ngtcp2_settings.h
- third_party/ngtcp2/lib/ngtcp2_str.c
- third_party/ngtcp2/lib/ngtcp2_str.h
- third_party/ngtcp2/lib/ngtcp2_strm.c
- third_party/ngtcp2/lib/ngtcp2_strm.h
- third_party/ngtcp2/lib/ngtcp2_transport_params.c
- third_party/ngtcp2/lib/ngtcp2_transport_params.h
- third_party/ngtcp2/lib/ngtcp2_vec.c
- third_party/ngtcp2/lib/ngtcp2_vec.h
- third_party/ngtcp2/lib/ngtcp2_window_filter.c
- third_party/ngtcp2/wscript


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/d45a8b67d7929d7208937570e65f34e38e40f0bb...4487a3865f3af4c310833b3ef7838530e3dcf920
