Update to version 4.16.4

resolves: #2111490
resolves: #2108196, #2111729 - Security fixes for CVE-2022-32742
resolves: #2108205, #2111731 - Security fixes for CVE-2022-32744
resolves: #2108211, #2111732 - Security fixes for CVE-2022-32745
resolves: #2108215, #2111734 - Security fixes for CVE-2022-32746

Guenther
This commit is contained in:
Günther Deschner 2022-07-27 14:36:13 +02:00
parent 8939f84a48
commit b41f002876
5 changed files with 69 additions and 48 deletions

2
.gitignore vendored
View File

@ -295,3 +295,5 @@ samba-3.6.0pre1.tar.gz
/samba-4.16.2.tar.asc
/samba-4.16.3.tar.xz
/samba-4.16.3.tar.asc
/samba-4.16.4.tar.xz
/samba-4.16.4.tar.asc

36
samba-mount_h.patch Normal file
View File

@ -0,0 +1,36 @@
From 37b1f282d1b549063d2fca07caca812292be1d3b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 29 Jul 2022 10:08:24 +0200
Subject: [PATCH] lib:replace: Remove <sys/mount.h> from filesys.h
You need to be careful if you include <sys/mount.h> or <linux/mount.h>
at least since glibc 2.36.
Details at:
https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15132
Signed-off-by: Andreas Schneider <asn@samba.org>
---
lib/replace/system/filesys.h | 4 ----
1 file changed, 4 deletions(-)
diff --git a/lib/replace/system/filesys.h b/lib/replace/system/filesys.h
index 034e5d5886c..190c6b90f93 100644
--- a/lib/replace/system/filesys.h
+++ b/lib/replace/system/filesys.h
@@ -36,10 +36,6 @@
#include <sys/param.h>
#endif
-#ifdef HAVE_SYS_MOUNT_H
-#include <sys/mount.h>
-#endif
-
#ifdef HAVE_MNTENT_H
#include <mntent.h>
#endif
--
2.37.1

View File

@ -1,7 +1,7 @@
From 17eb98d3f8ebd0fe48e218bb03a3c0165b9b6e95 Mon Sep 17 00:00:00 2001
From 5d7ec9a00b6f4c6768c606d37d235415f2006445 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:25:03 +0300
Subject: [PATCH 1/4] mit-kdc: add basic loacl realm S4U support
Subject: [PATCH 1/3] mit-kdc: add basic loacl realm S4U support
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
@ -236,7 +236,7 @@ index 793fe366c35..22534c09974 100644
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 27b15828468..994dfed312b 100644
index cb72b5de294..03c2c2ea1de 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -517,7 +517,6 @@ int mit_samba_get_pac(struct mit_samba_context *smb_ctx,
@ -247,7 +247,7 @@ index 27b15828468..994dfed312b 100644
krb5_db_entry *client,
krb5_db_entry *server,
krb5_db_entry *krbtgt,
@@ -682,7 +681,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
@@ -689,7 +688,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
context,
*pac,
server->princ,
@ -256,7 +256,7 @@ index 27b15828468..994dfed312b 100644
deleg_blob);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(0, ("Update delegation info failed: %s\n",
@@ -1004,41 +1003,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
@@ -1081,41 +1080,17 @@ int mit_samba_check_client_access(struct mit_samba_context *ctx,
}
int mit_samba_check_s4u2proxy(struct mit_samba_context *ctx,
@ -333,13 +333,13 @@ index 4431e82a1b2..9370ab533af 100644
int mit_samba_kpasswd_change_password(struct mit_samba_context *ctx,
char *pwd,
--
2.33.1
2.37.1
From f4fc23103f47b712baf3b4b0ebcb42d0f3f3fd42 Mon Sep 17 00:00:00 2001
From 325912375cf54743ab8ea557172a72b870002e9f Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 27 Sep 2019 18:35:30 +0300
Subject: [PATCH 2/4] krb5-mit: enable S4U client support for MIT build
Subject: [PATCH 2/3] krb5-mit: enable S4U client support for MIT build
Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
@ -350,10 +350,10 @@ Pair-Programmed-With: Andreas Schneider <asn@samba.org>
3 files changed, 185 insertions(+), 13 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 61d651b4d5f..462acec90b6 100644
index 4321f07ca09..3fd95e47fca 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -2699,6 +2699,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
@@ -2702,6 +2702,191 @@ krb5_error_code smb_krb5_kinit_s4u2_ccache(krb5_context ctx,
return 0;
}
@ -611,20 +611,20 @@ index 544d9d853cc..c14d8c72d8c 100644
ret = smb_krb5_kinit_password_ccache(smb_krb5_context->krb5_context,
ccache,
--
2.33.1
2.37.1
From 48d73d552f2fbbdb07bd9aff4d0294883b70417f Mon Sep 17 00:00:00 2001
From a5713b1558192f24348f7794da84bf65cf78e6ec Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Sat, 19 Sep 2020 14:16:20 +0200
Subject: [PATCH 3/4] wip: for canonicalization with new MIT kdc code
Subject: [PATCH 3/3] wip: for canonicalization with new MIT kdc code
---
source4/kdc/mit_samba.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 994dfed312b..9d039e5601b 100644
index 03c2c2ea1de..30fade56531 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -232,6 +232,9 @@ int mit_samba_get_principal(struct mit_samba_context *ctx,
@ -638,33 +638,5 @@ index 994dfed312b..9d039e5601b 100644
KRB5_KDB_FLAG_INCLUDE_PAC)) {
/*
--
2.33.1
From f5f54026d151f6d899e8ff52d8829a2f9cf57f25 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 21 Dec 2021 12:17:11 +0100
Subject: [PATCH 4/4] s4:kdc: Also cannoicalize krbtgt principals when
enforcing canonicalization
Signed-off-by: Andreas Schneider <asn@samba.org>
---
source4/kdc/db-glue.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8d17038cfe6..77c0c0e4746 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -946,7 +946,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT) {
p->is_krbtgt = true;
- if (flags & (SDB_F_CANON)) {
+ if (flags & (SDB_F_CANON|SDB_F_FORCE_CANON)) {
/*
* When requested to do so, ensure that the
* both realm values in the principal are set
--
2.33.1
2.37.1

View File

@ -134,13 +134,13 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global baserelease 2
%global baserelease 0
%global samba_version 4.16.3
%global samba_version 4.16.4
%global talloc_version 2.3.3
%global tdb_version 1.4.6
%global tevent_version 0.12.0
%global ldb_version 2.5.1
%global ldb_version 2.5.2
# This should be rc1 or nil
%global pre_release %nil
@ -207,6 +207,8 @@ Source201: README.downgrade
Patch0: samba-s4u.patch
# https://gitlab.com/samba-team/samba/-/merge_requests/2477
Patch1: samba-4.16-waf-crypto.patch
# https://gitlab.com/samba-team/samba/-/merge_requests/2647
Patch2: samba-mount_h.patch
Requires(pre): /usr/sbin/groupadd
Requires(post): systemd
@ -2979,6 +2981,7 @@ fi
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kpasswd_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/pac_align_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc
@ -3005,6 +3008,7 @@ fi
%{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
%{python3_sitearch}/samba/tests/krb5/kdc_tests.py
%{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py
%{python3_sitearch}/samba/tests/krb5/kpasswd_tests.py
%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
%{python3_sitearch}/samba/tests/krb5/pac_align_tests.py
%{python3_sitearch}/samba/tests/krb5/raw_testcase.py
@ -4163,6 +4167,13 @@ fi
%endif
%changelog
* Wed Jul 27 2022 Guenther Deschner <gdeschner@redhat.com> - 4.16.4-0
- resolves: #2111490 - Update to version 4.16.4
- resolves: #2108196, #2111729 - Security fixes for CVE-2022-32742
- resolves: #2108205, #2111731 - Security fixes for CVE-2022-32744
- resolves: #2108211, #2111732 - Security fixes for CVE-2022-32745
- resolves: #2108215, #2111734 - Security fixes for CVE-2022-32746
* Sat Jul 23 2022 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.16.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild

View File

@ -1,2 +1,2 @@
SHA512 (samba-4.16.3.tar.xz) = aa11e65e52f57fd940d6b381fff7bac77bf94b421c1980b3731b36b815d27b6218f3192a7a8a1b9c7d27f80e381c9a7c8b7a0f76a2ec6cfad6b8748bbfd958cc
SHA512 (samba-4.16.3.tar.asc) = 98f07c312263e3ff4594fa1204184f15212f0c4771d45b349ab48981caefaa94aa7ae5223922d1cbaac9f423554b7a5c4107cb3a3599041cf38af6f665a9289a
SHA512 (samba-4.16.4.tar.xz) = 263c33f202462c50ba9205232cc59f17eef6526bbe97cc1c6be6606e5e2fa8e235f24693da5ef00106ed126c5e2e1d83e2cfc0d2a690303ac94a8737e6760e95
SHA512 (samba-4.16.4.tar.asc) = aec1d0dc15169dfa0f68776cff083b8a9ecfeb348d20cde02e236eda3548e1df13f6df3e9275ede6e8fdc6193b2fd304d2f493507b49f5877dbb6b7181d90367