[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.16] 27 commits: VERSION: Bump version up to Samba 4.16.11...

Michael Tokarev (@mjt) gitlab at salsa.debian.org
Wed Jul 19 16:53:39 BST 2023



Michael Tokarev pushed to branch upstream_4.16 at Debian Samba Team / samba


Commits:
76fc517c by Jule Anger at 2023-03-29T16:33:02+02:00
VERSION: Bump version up to Samba 4.16.11...

and re-enable GIT_SNAPSHOT.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
1dd3ae28 by Samuel Cabrero at 2023-07-14T15:16:16+02:00
CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks to parent process

The winbindd_dual_pam_auth_crap() function will be converted to a local
RPC call handler and it won't receive a winbindd_cli_state struct. Move
the checks accessing this struct to the parent.

Signed-off-by: Samuel Cabrero <scabrero at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374)

- - - - -
5c6fe5a4 by Volker Lendecke at 2023-07-14T15:16:16+02:00
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks

With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.

Discovered via Coverity ID 1504444 Out-of-bounds access

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Volker Lendecke <vl at samba.org>

- - - - -
2eabbe31 by Ralph Boehme at 2023-07-14T15:16:16+02:00
CVE-2022-2127: ntlm_auth: cap lanman response length value

We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
01cf3cf7 by Ralph Boehme at 2023-07-14T15:16:23+02:00
CVE-2023-34966: CI: test for sl_unpack_loop()

Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
cb6f3e22 by Ralph Boehme at 2023-07-14T15:16:23+02:00
CVE-2023-34966: mdssvc: harden sl_unpack_loop()

A malicious client could send a packet where subcount is zero, leading to a busy
loop because

    count -= subcount
=>  count -= 0
=>  while (count > 0)

loops forever.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340

Signed-off-by: Ralph Boehme <slow at samba.org>
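
Added example, not part of the commit and not Samba's code: a toy parser with the same count/subcount loop shape, showing the progress checks that stop a zero subcount from spinning. The three-byte record layout, the sender-declared size field, the `harden` switch and the iteration budget are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed toy record, NOT the Spotlight wire format:
 *   byte 0 = type tag, byte 1 = subcount, byte 2 = record size in bytes.
 * Both subcount and size are sender-controlled. */
#define TOY_HDR_LEN 3
#define TOY_SPUN   (-2)	/* budget exhausted: the loop made no progress */

/* Constructed inputs: two valid records, then one record whose subcount
 * and size are both 0. */
static const uint8_t toy_valid[] = { 1, 2, 3,  1, 1, 3 };
static const uint8_t toy_stuck[] = { 0, 0, 0 };

/* Walk records until `count` elements are accounted for. Returns records
 * consumed, -1 on rejected input, TOY_SPUN when `budget` iterations ran
 * out (the stand-in for "loops forever"). */
int toy_unpack_loop(const uint8_t *buf, size_t len, int count,
		    int harden, int budget)
{
	size_t off = 0;
	int records = 0;

	while (count > 0) {
		if (budget-- <= 0) {
			return TOY_SPUN;
		}
		if (off > len || len - off < TOY_HDR_LEN) {
			return -1;	/* truncated header */
		}
		int subcount = buf[off + 1];
		size_t size = buf[off + 2];

		if (harden) {
			/* Each iteration must shrink count, advance the
			 * offset, and stay inside the buffer. */
			if (subcount < 1 || subcount > count) {
				return -1;
			}
			if (size < TOY_HDR_LEN || size > len - off) {
				return -1;
			}
		}
		off += size;
		count -= subcount;	/* subcount == 0: count never shrinks */
		records++;
	}
	return records;
}
```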

- - - - -
92d014bc by Ralph Boehme at 2023-07-14T15:16:26+02:00
CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()

Sends a maliciously crafted packet where the value in a key/value style
dictionary for the "scope" key is a simple string object whereas the server
expects an array. As the server doesn't perform type validation on the value, it
crashes when trying to use the "simple" object as a "complex" one.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow at samba.org>

- - - - -
5b4353cc by Ralph Boehme at 2023-07-14T15:16:26+02:00
CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()

Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a key. If
the types don't match, return NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341

Signed-off-by: Ralph Boehme <slow at samba.org>
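
Added example, not part of the commit and not Samba's code: a typed dictionary lookup in the spirit of the change described above, where the caller names the type it expects and gets NULL on a mismatch. The `toy_*` object model, function names and sample dictionaries are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Constructed toy object model, not Samba's dalloc/talloc types. */
enum toy_type { TOY_STRING, TOY_ARRAY };

struct toy_obj {
	enum toy_type type;
	const char *str;		/* valid only for TOY_STRING */
	const char *const *items;	/* valid only for TOY_ARRAY */
	size_t n_items;
};

struct toy_kv {
	const char *key;
	const struct toy_obj *val;
};

/* Look up `key` and return its value only if it has the expected type;
 * a missing key and a type mismatch both yield NULL. */
const struct toy_obj *toy_value_for_key(const struct toy_kv *d, size_t n,
					const char *key, enum toy_type want)
{
	for (size_t i = 0; i < n; i++) {
		if (strcmp(d[i].key, key) == 0) {
			return (d[i].val->type == want) ? d[i].val : NULL;
		}
	}
	return NULL;
}

/* Caller that needs "scope" to be an array: returns its length, or -1
 * when the key is absent or carries some other type. */
int toy_scope_count(const struct toy_kv *d, size_t n)
{
	const struct toy_obj *scope =
		toy_value_for_key(d, n, "scope", TOY_ARRAY);

	return (scope != NULL) ? (int)scope->n_items : -1;
}

/* Constructed requests: one well-formed, one with a string for "scope". */
static const char *const toy_paths[] = { "/share/a", "/share/b" };
static const struct toy_obj toy_arr = { TOY_ARRAY, NULL, toy_paths, 2 };
static const struct toy_obj toy_str = { TOY_STRING, "/share/a", NULL, 0 };
static const struct toy_kv toy_good[] = { { "scope", &toy_arr } };
static const struct toy_kv toy_bad[] = { { "scope", &toy_str } };
```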

- - - - -
843ec381 by Volker Lendecke at 2023-07-14T15:16:29+02:00
CVE-2023-34968: lib: Move subdir_of() to source3/lib/util_path.c

Make it available for other components

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl at samba.org>
(backported from commit d905dbddf8d2655e6c91752b750cbe9c15837ee5)
[slow at samba.org: subdir_of() didn't exist yet in 4.16 so this just adds it]

- - - - -
b09e22cf by Ralph Boehme at 2023-07-14T15:16:29+02:00
CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map

Prepare for the "path" being a fake path and not the real server-side
path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
got stat info for the object in mds_add_result() so we can just pass stat info
from there.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
8c95f7ae by Ralph Boehme at 2023-07-14T15:16:29+02:00
CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()

We were adding the value, but not the key.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
3636b546 by Ralph Boehme at 2023-07-14T15:16:29+02:00
CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob

d is talloc_free()d at the end of the functions and the buffer was later used
after being freed in the DCERPC layer when sending the packet.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
82cc2a42 by Ralph Boehme at 2023-07-14T15:16:29+02:00
CVE-2023-34968: mdscli: remove response blob allocation

This is handled by the NDR code transparently.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
7bbaa191 by Ralph Boehme at 2023-07-14T15:16:30+02:00
CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c

This is already done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
739f72a0 by Ralph Boehme at 2023-07-14T15:16:30+02:00
CVE-2023-34968: rpcclient: remove response blob allocation

This is already done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
34f9f1b3 by Ralph Boehme at 2023-07-14T15:16:30+02:00
CVE-2023-34968: mdssvc: remove response blob allocation

This is already done by NDR for us.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
0fdfc85f by Ralph Boehme at 2023-07-14T15:16:30+02:00
CVE-2023-34968: mdssvc: switch to doing an early return

Just reduce indentation of the code handling the success case. No change in
behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
d6b9c523 by Ralph Boehme at 2023-07-14T15:16:30+02:00
CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()

sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
cecd415a by Ralph Boehme at 2023-07-14T15:16:30+02:00
CVE-2023-34968: mdscli: return share relative paths

The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.

So given a share

  [spotlight]
    path = /foo/bar
    spotlight = yes

and a file inside this share with a full path of

  /foo/bar/dir/file

previously a search that matched this file would return the absolute
server-side path of the file, ie

  /foo/bar/dir/file

This will be changed to

  /spotlight/dir/file

As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accommodate these
fake paths. The only way to do this sensibly is by making the paths relative to
the containing share, so just

  dir/file

in the example above.

The client learns about the share root path prefix – real server-side or fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.

There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be

  /System/Volumes/Data/foo/bar/dir/file

So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefix can be queried by the client in the
mdssvc_cmd() RPC call with a Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.

Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix

  kMDSStorePathScopes + share_path (from mdssvc_open).

eg

  kMDSStorePathScopes = /System/Volumes/Data
  share_path = /foo/bar
  search result = /System/Volumes/Data/foo/bar/dir/file
  relative path returned by mdscli = dir/file

Makes sense? :)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>

- - - - -
18098436 by Ralph Boehme at 2023-07-14T15:16:30+02:00
CVE-2023-34968: mdssvc: return a fake share path

Instead of returning the real server-side absolute path of shares and search
results, return a fake absolute path replacing the path of the share with the
share name, iow for a share "test" with a server-side path of "/foo/bar", we
previously returned

  /foo/bar and
  /foo/bar/search/result

and now return

  /test and
  /test/search/result

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388

Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
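
Added example, not part of these commits and not Samba's code: the two path rewrites described in the "mdscli: return share relative paths" and "mdssvc: return a fake share path" messages, written as stand-alone helpers. All function names are hypothetical, and matching only on whole path components is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>

/* Return the rest of `path` after `prefix`, or NULL unless `prefix` is a
 * leading run of whole components. "/" counts as an empty prefix. */
static const char *skip_prefix(const char *path, const char *prefix)
{
	size_t n = strlen(prefix);

	while (n > 0 && prefix[n - 1] == '/') {
		n--;	/* trailing slashes add nothing */
	}
	if (strncmp(path, prefix, n) != 0 ||
	    (path[n] != '/' && path[n] != '\0')) {
		return NULL;	/* "/foo/barbaz" is not under "/foo/bar" */
	}
	return path + n;
}

/* Server side: swap the real share root for "/<sharename>". Returns a
 * static buffer (toy simplification), or NULL if `real` is outside the
 * share or the result does not fit. */
const char *toy_fake_path(const char *share, const char *root,
			  const char *real)
{
	static char out[256];
	const char *rest = skip_prefix(real, root);
	int len;

	if (rest == NULL) {
		return NULL;
	}
	len = snprintf(out, sizeof(out), "/%s%s", share, rest);
	return (len < 0 || (size_t)len >= sizeof(out)) ? NULL : out;
}

/* Client side: strip kMDSStorePathScopes + share_path from a result and
 * return the share-relative remainder, or NULL if the prefix is absent. */
const char *toy_relative(const char *scopes, const char *share_path,
			 const char *result)
{
	const char *p = skip_prefix(result, scopes);

	p = (p != NULL) ? skip_prefix(p, share_path) : NULL;
	while (p != NULL && *p == '/') {
		p++;
	}
	return p;
}
```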

- - - - -
6e878581 by Stefan Metzmacher at 2023-07-17T10:28:47+02:00
netlogon.idl: add support for netr_LogonGetCapabilities response level 2

We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for query_level=1.

Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)

- - - - -
5d48ea23 by Stefan Metzmacher at 2023-07-17T10:28:47+02:00
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels

The important change is that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715)

- - - - -
585df7e0 by Stefan Metzmacher at 2023-07-17T10:28:47+02:00
s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)

- - - - -
caf21883 by Stefan Metzmacher at 2023-07-17T10:28:47+02:00
s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels

This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.

An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.

Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418

Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>

Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224

(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)

- - - - -
40053373 by Jule Anger at 2023-07-17T22:26:51+02:00
WHATSNEW: Add release notes for Samba 4.16.11.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
225a003a by Jule Anger at 2023-07-17T22:26:51+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.16.11 release.

Signed-off-by: Jule Anger <janger at samba.org>

- - - - -
db02e53e by Michael Tokarev at 2023-07-19T18:41:29+03:00
New upstream version 4.16.11+dfsg
- - - - -


30 changed files:

- VERSION
- WHATSNEW.txt
- ctdb/doc/ctdb-etcd.7
- ctdb/doc/ctdb-etcd.7.html
- ctdb/doc/ctdb-script.options.5
- ctdb/doc/ctdb-script.options.5.html
- ctdb/doc/ctdb-statistics.7
- ctdb/doc/ctdb-statistics.7.html
- ctdb/doc/ctdb-tunables.7
- ctdb/doc/ctdb-tunables.7.html
- ctdb/doc/ctdb.1
- ctdb/doc/ctdb.1.html
- ctdb/doc/ctdb.7
- ctdb/doc/ctdb.7.html
- ctdb/doc/ctdb.conf.5
- ctdb/doc/ctdb.conf.5.html
- ctdb/doc/ctdb.sysconfig.5
- ctdb/doc/ctdb.sysconfig.5.html
- ctdb/doc/ctdb_diagnostics.1
- ctdb/doc/ctdb_diagnostics.1.html
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7
- ctdb/doc/ctdb_mutex_ceph_rados_helper.7.html
- ctdb/doc/ctdbd.1
- ctdb/doc/ctdbd.1.html
- ctdb/doc/ctdbd_wrapper.1
- ctdb/doc/ctdbd_wrapper.1.html
- ctdb/doc/ltdbtool.1
- ctdb/doc/ltdbtool.1.html
- ctdb/doc/onnode.1
- ctdb/doc/onnode.1.html


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/1d035b0007d8d1c2a31d3213726e73adbf64d63d...db02e53ea51c4c03e0c4be403b7cdbfd0589cb3a
