Update to version 4.16.4

resolves: #2111490
resolves: #2108196, #2111729 - Security fixes for CVE-2022-32742
resolves: #2108205, #2111731 - Security fixes for CVE-2022-32744
resolves: #2108211, #2111732 - Security fixes for CVE-2022-32745
resolves: #2108215, #2111734 - Security fixes for CVE-2022-32746

Guenther

.gitignore

@@ -295,3 +295,5 @@ samba-3.6.0pre1.tar.gz
 /samba-4.16.2.tar.asc
 /samba-4.16.3.tar.xz
 /samba-4.16.3.tar.asc
+/samba-4.16.4.tar.xz
+/samba-4.16.4.tar.asc

samba-mount_h.patch

@@ -0,0 +1,36 @@
+From 37b1f282d1b549063d2fca07caca812292be1d3b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider <asn@samba.org>
+Date: Fri, 29 Jul 2022 10:08:24 +0200
+Subject: [PATCH] lib:replace: Remove <sys/mount.h> from filesys.h
+
+You need to be careful if you include <sys/mount.h> or <linux/mount.h>
+at least since glibc 2.36.
+
+Details at:
+https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15132
+
+Signed-off-by: Andreas Schneider <asn@samba.org>
+---
+ lib/replace/system/filesys.h | 4 ----
+ 1 file changed, 4 deletions(-)
+
+diff --git a/lib/replace/system/filesys.h b/lib/replace/system/filesys.h
+index 034e5d5886c..190c6b90f93 100644
+--- a/lib/replace/system/filesys.h
++++ b/lib/replace/system/filesys.h
+@@ -36,10 +36,6 @@
+ #include <sys/param.h>
+ #endif
+ 
+-#ifdef HAVE_SYS_MOUNT_H
+-#include <sys/mount.h>
+-#endif
+-
+ #ifdef HAVE_MNTENT_H
+ #include <mntent.h>
+ #endif
+-- 
+2.37.1
+

samba-s4u.patch

@@ -1,7 +1,7 @@
-From 17eb98d3f8ebd0fe48e218bb03a3c0165b9b6e95 Mon Sep 17 00:00:00 2001
+From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 27 Sep 2019 18:25:03 +0300
-Subject: [PATCH 1/4] mit-kdc: add basic loacl realm S4U support
+Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
 
 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
@@ -236,7 +236,7 @@ index 793fe366c35..22534c09974 100644
  
  
 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index 27b15828468..994dfed312b 100644
+index cb72b5de294..03c2c2ea1de 100644
 --- a/source4/kdc/mit_samba.c
 +++ b/source4/kdc/mit_samba.c
 @@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
@@ -247,7 +247,7 @@ index 27b15828468..994dfed312b 100644
  				    krb5_db_entry *client,
  				    krb5_db_entry *server,
  				    krb5_db_entry *krbtgt,
-@@ -682,7 +681,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
+@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
  								  context,
  								  *pac,
  								  server->princ,
@@ -256,7 +256,7 @@ index 27b15828468..994dfed312b 100644
  								  deleg_blob);
  		if (!NT_STATUS_IS_OK(nt_status)) {
  			DEBUG(0, ("Update delegation info failed: %s\n",
-@@ -1004,41 +1003,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
+@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
  }
  
  int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
@@ -333,13 +333,13 @@ index 4431e82a1b2..9370ab533af 100644
  int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
  				      char *pwd,
 -- 
-2.33.1
+2.37.1
 
 
-From f4fc23103f47b712baf3b4b0ebcb42d0f3f3fd42 Mon Sep 17 00:00:00 2001
+From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Fri, 27 Sep 2019 18:35:30 +0300
-Subject: [PATCH 2/4] krb5-mit: enable S4U client support for MIT build
+Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
 
 Signed-off-by: Isaac Boukris <iboukris@gmail.com>
 Pair-Programmed-With: Andreas Schneider <asn@samba.org>
@@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider <asn@samba.org>
  3 files changed, 185 insertions(+), 13 deletions(-)
 
 diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
-index 61d651b4d5f..462acec90b6 100644
+index 4321f07ca09..3fd95e47fca 100644
 --- a/lib/krb5_wrap/krb5_samba.c
 +++ b/lib/krb5_wrap/krb5_samba.c
-@@ -2699,6 +2699,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
+@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
  
  	return 0;
  }
@@ -611,20 +611,20 @@ index 544d9d853cc..c14d8c72d8c 100644
  				ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
  								     ccache,
 -- 
-2.33.1
+2.37.1
 
 
-From 48d73d552f2fbbdb07bd9aff4d0294883b70417f Mon Sep 17 00:00:00 2001
+From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001
 From: Isaac Boukris <iboukris@gmail.com>
 Date: Sat, 19 Sep 2020 14:16:20 +0200
-Subject: [PATCH 3/4] wip: for canonicalization with new MIT kdc code
+Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
 
 ---
  source4/kdc/mit_samba.c | 3 +++
  1 file changed, 3 insertions(+)
 
 diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
-index 994dfed312b..9d039e5601b 100644
+index 03c2c2ea1de..30fade56531 100644
 --- a/source4/kdc/mit_samba.c
 +++ b/source4/kdc/mit_samba.c
 @@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
@@ -638,33 +638,5 @@ index 994dfed312b..9d039e5601b 100644
  		      KRB5_KDB_FLAG_INCLUDE_PAC)) {
  		/*
 -- 
-2.33.1
-
-
-From f5f54026d151f6d899e8ff52d8829a2f9cf57f25 Mon Sep 17 00:00:00 2001
-From: Andreas Schneider <asn@samba.org>
-Date: Tue, 21 Dec 2021 12:17:11 +0100
-Subject: [PATCH 4/4] s4:kdc: Also cannoicalize krbtgt principals when
- enforcing canonicalization
-
-Signed-off-by: Andreas Schneider <asn@samba.org>
----
- source4/kdc/db-glue.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
-index 8d17038cfe6..77c0c0e4746 100644
---- a/source4/kdc/db-glue.c
-+++ b/source4/kdc/db-glue.c
-@@ -946,7 +946,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
- 	if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
- 		p->is_krbtgt = true;
- 
--		if (flags & (SDB_F_CANON)) {
-+		if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
- 			/*
- 			 * When requested to do so, ensure that the
- 			 * both realm values in the principal are set
--- 
-2.33.1
+2.37.1
 

samba.spec

@@ -134,13 +134,13 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global baserelease 2
+%global baserelease 0
 
-%global samba_version 4.16.3
+%global samba_version 4.16.4
 %global talloc_version 2.3.3
 %global tdb_version 1.4.6
 %global tevent_version 0.12.0
-%global ldb_version 2.5.1
+%global ldb_version 2.5.2
 # This should be rc1 or nil
 %global pre_release %nil
 
@@ -207,6 +207,8 @@ Source201:      README.downgrade
 Patch0:         samba-s4u.patch
 # https://gitlab.com/samba-team/samba/-/merge_requests/2477
 Patch1:         samba-4.16-waf-crypto.patch
+# https://gitlab.com/samba-team/samba/-/merge_requests/2647
+Patch2:         samba-mount_h.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -2979,6 +2981,7 @@ fi
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
+%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc
 %{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
@@ -3005,6 +3008,7 @@ fi
 %{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tests.py
 %{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
+%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py
 %{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 %{python3_sitearch}/samba/tests/krb5/pac_align_tests.py
 %{python3_sitearch}/samba/tests/krb5/raw_testcase.py
@@ -4163,6 +4167,13 @@ fi
 %endif
 
 %changelog
+* Wed Jul 27 2022 Guenther Deschner <gdeschner@redhat.com> - 4.16.4-0
+- resolves: #2111490 - Update to version 4.16.4
+- resolves: #2108196, #2111729 - Security fixes for CVE-2022-32742
+- resolves: #2108205, #2111731 - Security fixes for CVE-2022-32744
+- resolves: #2108211, #2111732 - Security fixes for CVE-2022-32745
+- resolves: #2108215, #2111734 - Security fixes for CVE-2022-32746
+
 * Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.16.3-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
 

sources

@@ -1,2 +1,2 @@
-SHA512 (samba-4.16.3.tar.xz) = aa11e65e52f57fd940d6b381fff7bac77bf94b421c1980b3731b36b815d27b6218f3192a7a8a1b9c7d27f80e381c9a7c8b7a0f76a2ec6cfad6b8748bbfd958cc
-SHA512 (samba-4.16.3.tar.asc) = 98f07c312263e3ff4594fa1204184f15212f0c4771d45b349ab48981caefaa94aa7ae5223922d1cbaac9f423554b7a5c4107cb3a3599041cf38af6f665a9289a
+SHA512 (samba-4.16.4.tar.xz) = 263c33f202462c50ba9205232cc59f17eef6526bbe97cc1c6be6606e5e2fa8e235f24693da5ef00106ed126c5e2e1d83e2cfc0d2a690303ac94a8737e6760e95
+SHA512 (samba-4.16.4.tar.asc) = aec1d0dc15169dfa0f68776cff083b8a9ecfeb348d20cde02e236eda3548e1df13f6df3e9275ede6e8fdc6193b2fd304d2f493507b49f5877dbb6b7181d90367