From 12f268eb60043ca3780e8fa745c2a1b4db18217e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Wed, 27 Jul 2022 15:19:02 +0200 Subject: [PATCH] Update to Samba 4.15.9 resolves: #2108196, #2111729 - Security fixes for CVE-2022-32742 resolves: #2108205, #2111731 - Security fixes for CVE-2022-32744 resolves: #2108211, #2111732 - Security fixes for CVE-2022-32745 resolves: #2108215, #2111734 - Security fixes for CVE-2022-32746 Guenther --- .gitignore | 2 + samba-s4u.patch | 115 +++++++++++++----------------------------------- samba.spec | 12 ++++- sources | 4 +- 4 files changed, 44 insertions(+), 89 deletions(-) diff --git a/.gitignore b/.gitignore index a2a1a1e..3657bf8 100644 --- a/.gitignore +++ b/.gitignore @@ -285,3 +285,5 @@ samba-3.6.0pre1.tar.gz /samba-4.15.7.tar.asc /samba-4.15.8.tar.xz /samba-4.15.8.tar.asc +/samba-4.15.9.tar.xz +/samba-4.15.9.tar.asc diff --git a/samba-s4u.patch b/samba-s4u.patch index 8e84d96..9e02ff7 100644 --- a/samba-s4u.patch +++ b/samba-s4u.patch @@ -1,4 +1,4 @@ -From 0b196043f08ea4c025f19c4519175a3a73e1d185 Mon Sep 17 00:00:00 2001 +From cfdb01091c4ad005654da9b4a64251a6d02ea637 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:25:03 +0300 Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support @@ -12,10 +12,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 71 insertions(+), 106 deletions(-) diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c -index f35210669c2..b1c7c5dcc5e 100644 +index dada3b79144..677ec1007c9 100644 --- a/source4/kdc/mit-kdb/kdb_samba_policies.c +++ b/source4/kdc/mit-kdb/kdb_samba_policies.c -@@ -195,13 +195,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -197,13 +197,17 @@ static krb5_error_code ks_verify_pac(krb5_context context, krb5_keyblock *krbtgt_key, krb5_timestamp authtime, krb5_authdata **tgt_auth_data, @@ -36,7 +36,7 @@ index f35210669c2..b1c7c5dcc5e 100644 mit_ctx = ks_get_context(context); if (mit_ctx == NULL) { -@@ -233,41 +237,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -235,41 +239,43 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = krb5_pac_parse(context, authdata[0]->contents, authdata[0]->length, @@ -106,7 +106,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { goto done; } -@@ -275,17 +281,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, +@@ -277,17 +283,22 @@ static krb5_error_code ks_verify_pac(krb5_context context, code = mit_samba_reget_pac(mit_ctx, context, flags, @@ -133,7 +133,7 @@ index f35210669c2..b1c7c5dcc5e 100644 return code; } -@@ -314,6 +325,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -316,6 +327,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krb5_authdata **pac_auth_data = NULL; krb5_authdata **authdata = NULL; krb5_boolean is_as_req; @@ -141,7 +141,7 @@ index f35210669c2..b1c7c5dcc5e 100644 krb5_error_code code; krb5_pac pac = NULL; krb5_data pac_data; -@@ -325,11 +337,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -327,11 +339,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, krbtgt = krbtgt == NULL ? local_krbtgt : krbtgt; krbtgt_key = krbtgt_key == NULL ? local_krbtgt_key : krbtgt_key; @@ -153,7 +153,7 @@ index f35210669c2..b1c7c5dcc5e 100644 is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); /* -@@ -390,6 +397,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -392,6 +399,16 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, ks_client_princ = client->princ; } @@ -170,7 +170,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (client_entry == NULL) { client_entry = client; } -@@ -454,7 +471,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -456,7 +473,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, code = ks_verify_pac(context, flags, @@ -179,7 +179,7 @@ index f35210669c2..b1c7c5dcc5e 100644 client_entry, server, krbtgt, -@@ -494,7 +511,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -497,7 +514,7 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, is_as_req ? "AS-REQ" : "TGS-REQ", client_name); code = krb5_pac_sign(context, pac, authtime, ks_client_princ, @@ -188,7 +188,7 @@ index f35210669c2..b1c7c5dcc5e 100644 if (code != 0) { DBG_ERR("krb5_pac_sign failed: %d\n", code); goto done; -@@ -520,12 +537,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, +@@ -523,12 +540,6 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context, KRB5_AUTHDATA_IF_RELEVANT, authdata, signed_auth_data); @@ -201,7 +201,7 @@ index f35210669c2..b1c7c5dcc5e 100644 done: if (client_entry != NULL && client_entry != client) { ks_free_principal(context, client_entry); -@@ -551,32 +562,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, +@@ -554,32 +565,13 @@ krb5_error_code kdb_samba_db_check_allowed_to_delegate(krb5_context context, * server; -> delegating service * proxy; -> target principal */ @@ -236,10 +236,10 @@ index f35210669c2..b1c7c5dcc5e 100644 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index 4239332f0d9..acc3cba6254 100644 +index ef4e8c2ed38..962fd05e1ac 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -501,7 +501,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -247,7 +247,7 @@ index 4239332f0d9..acc3cba6254 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -665,7 +664,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, +@@ -688,7 +687,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, context, *pac, server->princ, @@ -256,7 +256,7 @@ index 4239332f0d9..acc3cba6254 100644 deleg_blob); if (!NT_STATUS_IS_OK(nt_status)) { DEBUG(0, ("Update delegation info failed: %s\n", -@@ -987,41 +986,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -1080,41 +1079,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, } int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -309,10 +309,10 @@ index 4239332f0d9..acc3cba6254 100644 static krb5_error_code mit_samba_change_pwd_error(krb5_context context, diff --git a/source4/kdc/mit_samba.h b/source4/kdc/mit_samba.h -index 636c77ec97c..9cb00c9610e 100644 +index 4431e82a1b2..9370ab533af 100644 --- a/source4/kdc/mit_samba.h +++ b/source4/kdc/mit_samba.h -@@ -56,7 +56,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, +@@ -57,7 +57,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx, krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx, krb5_context context, int flags, @@ -320,7 +320,7 @@ index 636c77ec97c..9cb00c9610e 100644 krb5_db_entry *client, krb5_db_entry *server, krb5_db_entry *krbtgt, -@@ -73,9 +72,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, +@@ -74,9 +73,8 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx, DATA_BLOB *e_data); int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx, @@ -333,10 +333,10 @@ index 636c77ec97c..9cb00c9610e 100644 int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx, char *pwd, -- -2.33.1 +2.37.1 -From 992d38fa35c01f2f0bdb39d387fa29e8eb8d3d37 Mon Sep 17 00:00:00 2001 +From 6e985cf7d5f29292c5f2dd2de75867dd30ef3df6 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Fri, 27 Sep 2019 18:35:30 +0300 Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build @@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider 3 files changed, 185 insertions(+), 13 deletions(-) diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c -index fff5b4e2a22..791b417d5ba 100644 +index 610efcc9b87..96686147006 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c -@@ -2694,6 +2694,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, +@@ -2697,6 +2697,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx, return 0; } @@ -611,66 +611,23 @@ index 544d9d853cc..c14d8c72d8c 100644 ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context, ccache, -- -2.33.1 +2.37.1 -From f1951b501ca0fb3e613f04437c99dc1bbf204609 Mon Sep 17 00:00:00 2001 +From 3a9c224f229128451c878b262a716d48cb9f75d6 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 19 Sep 2020 14:16:20 +0200 Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code --- - source4/heimdal/lib/hdb/hdb.h | 1 + - source4/kdc/db-glue.c | 8 ++++++-- - source4/kdc/mit_samba.c | 3 +++ - source4/kdc/sdb.h | 1 + - 4 files changed, 11 insertions(+), 2 deletions(-) + source4/kdc/mit_samba.c | 3 +++ + 1 file changed, 3 insertions(+) -diff --git a/source4/heimdal/lib/hdb/hdb.h b/source4/heimdal/lib/hdb/hdb.h -index 5ef9d9565f3..dafaffc6c2d 100644 ---- a/source4/heimdal/lib/hdb/hdb.h -+++ b/source4/heimdal/lib/hdb/hdb.h -@@ -63,6 +63,7 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK }; - #define HDB_F_ALL_KVNOS 2048 /* we want all the keys, live or not */ - #define HDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define HDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define HDB_F_FORCE_CANON 16384 /* force canonicalition */ - - /* hdb_capability_flags */ - #define HDB_CAP_F_HANDLE_ENTERPRISE_PRINCIPAL 1 -diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c -index aff74f2ee71..d16b4c3329a 100644 ---- a/source4/kdc/db-glue.c -+++ b/source4/kdc/db-glue.c -@@ -916,17 +916,21 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, - } - } - -- } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { -+ } else if (ent_type == SAMBA_KDC_ENT_TYPE_ANY && principal == NULL) { // was this supposed to be || ? - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { - krb5_clear_error_message(context); - goto out; - } -- } else if ((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) { -+ } else if (((flags & SDB_F_CANON) && (flags & SDB_F_FOR_AS_REQ)) || (flags & SDB_F_FORCE_CANON)){ - /* - * SDB_F_CANON maps from the canonicalize flag in the - * packet, and has a different meaning between AS-REQ - * and TGS-REQ. We only change the principal in the AS-REQ case -+ * -+ * The SDB_F_FORCE_CANON if for the new MIT kdc code that wants -+ * the canonical name in all lookups, and takes care to canonicalize -+ * only when appropriate. - */ - ret = smb_krb5_make_principal(context, &entry_ex->entry.principal, lpcfg_realm(lp_ctx), samAccountName, NULL); - if (ret) { diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c -index acc3cba6254..f0b9df8b613 100644 +index 962fd05e1ac..9dc1bdf870b 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c -@@ -224,6 +224,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, +@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx, if (kflags & KRB5_KDB_FLAG_CANONICALIZE) { sflags |= SDB_F_CANON; } @@ -680,18 +637,6 @@ index acc3cba6254..f0b9df8b613 100644 if (kflags & (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY | KRB5_KDB_FLAG_INCLUDE_PAC)) { /* -diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h -index c929acccce6..a9115ec23d7 100644 ---- a/source4/kdc/sdb.h -+++ b/source4/kdc/sdb.h -@@ -116,6 +116,7 @@ struct sdb_entry_ex { - #define SDB_F_KVNO_SPECIFIED 128 /* we want a particular KVNO */ - #define SDB_F_FOR_AS_REQ 4096 /* fetch is for a AS REQ */ - #define SDB_F_FOR_TGS_REQ 8192 /* fetch is for a TGS REQ */ -+#define SDB_F_FORCE_CANON 16384 /* force canonicalition */ - - void sdb_free_entry(struct sdb_entry_ex *e); - void free_sdb_entry(struct sdb_entry *s); -- -2.33.1 +2.37.1 diff --git a/samba.spec b/samba.spec index e2f10a0..8d048a9 100644 --- a/samba.spec +++ b/samba.spec @@ -131,11 +131,11 @@ %global baserelease 0 -%global samba_version 4.15.8 +%global samba_version 4.15.9 %global talloc_version 2.3.3 %global tdb_version 1.4.4 %global tevent_version 0.11.0 -%global ldb_version 2.4.3 +%global ldb_version 2.4.4 # This should be rc1 or nil %global pre_release %nil @@ -2921,6 +2921,7 @@ fi %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc %{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc @@ -2946,6 +2947,7 @@ fi %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py %{python3_sitearch}/samba/tests/krb5/kdc_tests.py %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py %{python3_sitearch}/samba/tests/krb5/raw_testcase.py %{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py @@ -4101,6 +4103,12 @@ fi %endif %changelog +* Wed Jul 27 2022 Guenther Deschner - 4.15.9-0 +- resolves: #2108196, #2111729 - Security fixes for CVE-2022-32742 +- resolves: #2108205, #2111731 - Security fixes for CVE-2022-32744 +- resolves: #2108211, #2111732 - Security fixes for CVE-2022-32745 +- resolves: #2108215, #2111734 - Security fixes for CVE-2022-32746 + * Tue Jun 28 2022 Pavel Filipenský - 4.15.8-0 - Update to Samba 4.15.8 diff --git a/sources b/sources index 2c90338..0a7f943 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (samba-4.15.8.tar.asc) = cdfa733821554edb8cce5519bfadbe2ed3b06db6dc9799f617b7a83e3969ea65283b5a1bce81b37e90760722ee2e02b91a47ea4e03114981a5cf80a618123c4f -SHA512 (samba-4.15.8.tar.xz) = 754bcdc3dea45f58a9d00ed8cf3f4a2da9196421f7e6cf532dff75d060e097fc81b2f1df504431b53ad08379d5f854fc10a84b7daf60c6a76a147c49e8285fae +SHA512 (samba-4.15.9.tar.xz) = eea088cc5debad291e6334f480770b27d973ae330069b0e4ec7e02fc5721e444fb5c9d58f560c181768f6ffea850be6ff602c0cd6404e6a85950024495072ce6 +SHA512 (samba-4.15.9.tar.asc) = 358fcc91b56cc84606179f5bdd88e2e7d24b5a44796da54b0f12a8d0e4641c0851c95e86a2a0c24c8bf3503af7b874887fcb28f84779b4a7bb65cf5a8220e6f6