[Pkg-samba-maint] [Git][samba-team/samba][master] 33 commits: VERSION: Bump version up to Samba 4.18.5...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Wed Jul 19 16:05:01 BST 2023 


Michael Tokarev pushed to branch master at Debian Samba Team / samba


Commits:
f2c18045 by Jule Anger at 2023-07-05T12:37:46+02:00
VERSION: Bump version up to Samba 4.18.5...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
19dcb036 by Volker Lendecke at 2023-07-14T15:12:10+02:00
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks

With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.

Discovered via Coverity ID 1504444 Out-of-bounds access

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
b0956739 by Ralph Boehme at 2023-07-14T15:12:10+02:00
CVE-2022-2127: ntlm_auth: cap lanman response length value

We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
1a208f25 by Ralph Boehme at 2023-07-14T15:12:20+02:00
CVE-2023-34966: CI: test for sl_unpack_loop()

Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
207489b6 by Ralph Boehme at 2023-07-14T15:12:20+02:00
CVE-2023-34966: mdssvc: harden sl_unpack_loop()

A malicious client could send a packet where subcount is zero, leading to a busy
loop because

    count -= subcount
=>  count -= 0
=>  while (count > 0)

loops forever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
4cb78124 by Ralph Boehme at 2023-07-14T15:12:27+02:00
CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()

Sends a maliciously crafted packet where the value in a key/value style
dictionary for the "scope" key is a simple string object whereas the server
expects an array. As the server doesn't perform type validation on the value, it
crashes when trying to use the "simple" object as a "complex" one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
f4aa2147 by Ralph Boehme at 2023-07-14T15:12:27+02:00
CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()

Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a key. If
the types don't match, return NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
3815bb8a by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map

Prepare for the "path" being a fake path and not the real server-side
path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
got stat info for the object in mds_add_result() so we can just pass stat info
from there.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a75be03b by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()

We were adding the value, but not the key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
921a9925 by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob

d is talloc_free()d at the end of the functions and the buffer was later used
after beeing freed in the DCERPC layer when sending the packet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a6e05b4b by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdscli: remove response blob allocation

This is handled by the NDR code transparently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
783dbdd2 by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
de611cca by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: rpcclient: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
e58d0339 by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdssvc: remove response blob allocation

This is alreay done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
beeac1e0 by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdssvc: switch to doing an early return

Just reduce indentation of the code handling the success case. No change in
behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
fdae8c00 by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()

sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
a8424470 by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdscli: return share relative paths

The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.

So given a share

  [spotlight]
    path = /foo/bar
    spotlight = yes

and a file inside this share with a full path of

  /foo/bar/dir/file

previously a search that matched this file would returns the absolute
server-side pato of the file, ie

  /foo/bar/dir/file

This will be change to

  /spotlight/dir/file

As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accomodate these
fake paths. The only way to do this sensibly is by makeing the paths relative to
the containing share, so just

  dir/file

in the example above.

The client learns about the share root path prefix – real server-side of fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.

There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be

  /System/Volumes/Data/foo/bar/dir/file

So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefixed can be queried by the client in the
mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.

Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix

  kMDSStorePathScopes + share_path (from mdssvc_open).

eg

  kMDSStorePathScopes = /System/Volumes/Data
  share_path = /foo/bar
  search result = /System/Volumes/Data/foo/bar/dir/file
  relative path returned by mdscli = dir/file

Makes sense? :)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
7a4ed01e by Ralph Boehme at 2023-07-14T15:12:34+02:00
CVE-2023-34968: mdssvc: return a fake share path

Instead of returning the real server-side absolute path of shares and search
results, return a fake absolute path replacing the path of the share with the
share name, iow for a share "test" with a server-side path of "/foo/bar", we
previously returned

  /foo/bar and
  /foo/bar/search/result

and now return

  /test and
  /test/search/result

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
69cbb041 by Ralph Boehme at 2023-07-14T15:12:41+02:00
CVE-2023-3347: CI: add a test for server-side mandatory signing

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
5f39da85 by Ralph Boehme at 2023-07-14T15:12:41+02:00
CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()

No change in behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
6be7bd40 by Ralph Boehme at 2023-07-14T15:12:41+02:00
CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in srv_init_signing()

It's now a one-line function, imho the overall code is simpler if that code is
just inlined.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
24157fb3 by Ralph Boehme at 2023-07-14T15:12:41+02:00
CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()

This is just going to bitrot. Anyone who's interested can just grep for
"signing_mandatory" and look up what it does.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
0815d401 by Ralph Boehme at 2023-07-14T15:12:41+02:00
CVE-2023-3347: smbd: fix "server signing = mandatory"

This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
calling srv_init_signing() very early after accepting the connection in
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
0d7376ca by Stefan Metzmacher at 2023-07-17T10:28:20+02:00
netlogon.idl: add support for netr_LogonGetCapabilities response level 2

We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.

Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)

- - - - -
30c3fa71 by Stefan Metzmacher at 2023-07-17T10:28:20+02:00
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels

The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715)

- - - - -
7818b00d by Stefan Metzmacher at 2023-07-17T10:28:21+02:00
s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)

- - - - -
be141a1c by Stefan Metzmacher at 2023-07-17T10:28:21+02:00
s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224

(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)

- - - - -
bd5d7de1 by Jule Anger at 2023-07-17T22:12:49+02:00
WHATSNEW: Add release notes for Samba 4.18.5.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
50a9b496 by Jule Anger at 2023-07-17T22:12:49+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.18.5 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
003d6fbe by Michael Tokarev at 2023-07-19T17:48:15+03:00
New upstream version 4.18.5+dfsg
- - - - -
e0efd05e by Michael Tokarev at 2023-07-19T17:48:48+03:00
Update upstream source from tag 'upstream/4.18.5+dfsg'

Update to upstream version '4.18.5+dfsg'
with Debian dir d30e3095846a09423c200570252eff47b932b38b
- - - - -
af61ecc8 by Michael Tokarev at 2023-07-19T17:50:56+03:00
remove fix-unsupported-netr_LogonGetCapabilities-l2.patch (fix is included now)

- - - - -
732b3f26 by Michael Tokarev at 2023-07-19T17:56:05+03:00
update changelog; upload version 4.18.5+dfsg-1 to unstable

- - - - -


7 changed files:

- VERSION
- WHATSNEW.txt
- − ctdb/doc/ctdb-etcd.7.html
- − ctdb/doc/ctdb-script.options.5.html
- − ctdb/doc/ctdb-statistics.7.html
- − ctdb/doc/ctdb-tunables.7.html
- − ctdb/doc/ctdb.1.html


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/93f39f76eb3a6d3be8444963633aedae21bb1dc8...732b3f26ec13b17c9f17a77297529d5f02e9eab1

-- 
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/93f39f76eb3a6d3be8444963633aedae21bb1dc8...732b3f26ec13b17c9f17a77297529d5f02e9eab1
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-samba-maint/attachments/20230719/3fd2a001/attachment-0001.htm>

More information about the Pkg-samba-maint mailing list