Jule Anger [Wed, 19 Jul 2023 14:50:00 +0000 (16:50 +0200)]
VERSION: Bump version up to Samba 4.16.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 17 Jul 2023 19:39:58 +0000 (21:39 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.16.11 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 17 Jul 2023 19:39:40 +0000 (21:39 +0200)]
WHATSNEW: Add release notes for Samba 4.16.11.
Signed-off-by: Jule Anger <janger@samba.org>
Stefan Metzmacher [Sat, 15 Jul 2023 14:11:48 +0000 (16:11 +0200)]
s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
(cherry picked from commit
dfeabce44fbb78083fbbb2aa634fc4172cf83db9)
Stefan Metzmacher [Sat, 15 Jul 2023 14:11:48 +0000 (16:11 +0200)]
s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d5f1097b6220676d56ed5fc6707acf667b704518)
Stefan Metzmacher [Sat, 15 Jul 2023 15:25:05 +0000 (17:25 +0200)]
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with different levels
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
404ce08e9088968311c714e756f5d58ce2cef715)
Stefan Metzmacher [Sat, 15 Jul 2023 15:20:32 +0000 (17:20 +0200)]
netlogon.idl: add support for netr_LogonGetCapabilities response level 2
We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.
Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5f87888ed53320538cf773d64868390d8641a40e)
Ralph Boehme [Mon, 5 Jun 2023 16:02:20 +0000 (18:02 +0200)]
CVE-2023-34968: mdssvc: return a fake share path
Instead of returning the real server-side absolute path of shares and search
results, return a fake absolute path replacing the path of the share with the
share name, iow for a share "test" with a server-side path of "/foo/bar", we
previously returned
/foo/bar and
/foo/bar/search/result
and now return
/test and
/test/search/result
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 17 Jun 2023 11:53:27 +0000 (13:53 +0200)]
CVE-2023-34968: mdscli: return share relative paths
The next commit will change the Samba Spotlight server to return absolute paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.
So given a share
[spotlight]
path = /foo/bar
spotlight = yes
and a file inside this share with a full path of
/foo/bar/dir/file
previously a search that matched this file would returns the absolute
server-side pato of the file, ie
/foo/bar/dir/file
This will be change to
/spotlight/dir/file
As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accomodate these
fake paths. The only way to do this sensibly is by makeing the paths relative to
the containing share, so just
dir/file
in the example above.
The client learns about the share root path prefix – real server-side of fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the absolute
path to relative.
There is however an additional twist: the macOS Spotlight server prefixes this
absolute path with another prefix, typically "/System/Volumes/Data", so in the
example above the full path for the same search would be
/System/Volumes/Data/foo/bar/dir/file
So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefixed can be queried by the client in the
mdssvc_cmd() RPC call with an Spotlight command of "fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes". Samba
just returns "/" for this.
Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix
kMDSStorePathScopes + share_path (from mdssvc_open).
eg
kMDSStorePathScopes = /System/Volumes/Data
share_path = /foo/bar
search result = /System/Volumes/Data/foo/bar/dir/file
relative path returned by mdscli = dir/file
Makes sense? :)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 19 Jun 2023 16:16:57 +0000 (18:16 +0200)]
CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:05:22 +0000 (11:05 +0200)]
CVE-2023-34968: mdssvc: switch to doing an early return
Just reduce indentation of the code handling the success case. No change in
behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:42:10 +0000 (11:42 +0200)]
CVE-2023-34968: mdssvc: remove response blob allocation
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:35:41 +0000 (11:35 +0200)]
CVE-2023-34968: rpcclient: remove response blob allocation
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 20 Jun 2023 09:28:47 +0000 (11:28 +0200)]
CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 19 Jun 2023 16:28:41 +0000 (18:28 +0200)]
CVE-2023-34968: mdscli: remove response blob allocation
This is handled by the NDR code transparently.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Mon, 19 Jun 2023 15:14:38 +0000 (17:14 +0200)]
CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating spotlight_blob
d is talloc_free()d at the end of the functions and the buffer was later used
after beeing freed in the DCERPC layer when sending the packet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Sat, 17 Jun 2023 11:39:55 +0000 (13:39 +0200)]
CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()
We were adding the value, but not the key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Ralph Boehme [Tue, 6 Jun 2023 13:17:26 +0000 (15:17 +0200)]
CVE-2023-34968: mdssvc: cache and reuse stat info in struct sl_inode_path_map
Prepare for the "path" being a fake path and not the real server-side
path where we won't be able to vfs_stat_fsp() this fake path. Luckily we already
got stat info for the object in mds_add_result() so we can just pass stat info
from there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Volker Lendecke [Sat, 15 Oct 2022 11:29:14 +0000 (13:29 +0200)]
CVE-2023-34968: lib: Move subdir_of() to source3/lib/util_path.c
Make it available for other components
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15207
Signed-off-by: Volker Lendecke <vl@samba.org>
(backported from commit
d905dbddf8d2655e6c91752b750cbe9c15837ee5)
[slow@samba.org: subdir_of() didn't exist yet in 4.16 so this just adds it]
Ralph Boehme [Fri, 26 May 2023 13:06:38 +0000 (15:06 +0200)]
CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()
Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a key. If
the types don't match, return NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 31 May 2023 14:26:14 +0000 (16:26 +0200)]
CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()
Sends a maliciously crafted packet where the value in a key/value style
dictionary for the "scope" key is a simple string object whereas the server
expects an array. As the server doesn't perform type validation on the value, it
crashes when trying to use the "simple" object as a "complex" one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Fri, 26 May 2023 11:06:19 +0000 (13:06 +0200)]
CVE-2023-34966: mdssvc: harden sl_unpack_loop()
A malicious client could send a packet where subcount is zero, leading to a busy
loop because
count -= subcount
=> count -= 0
=> while (count > 0)
loops forever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Wed, 31 May 2023 13:34:26 +0000 (15:34 +0200)]
CVE-2023-34966: CI: test for sl_unpack_loop()
Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
Signed-off-by: Ralph Boehme <slow@samba.org>
Ralph Boehme [Fri, 16 Jun 2023 10:28:47 +0000 (12:28 +0200)]
CVE-2022-2127: ntlm_auth: cap lanman response length value
We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
Signed-off-by: Ralph Boehme <slow@samba.org>
Volker Lendecke [Fri, 20 May 2022 08:55:23 +0000 (10:55 +0200)]
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.
Discovered via Coverity ID
1504444 Out-of-bounds access
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
Signed-off-by: Volker Lendecke <vl@samba.org>
Samuel Cabrero [Thu, 24 Feb 2022 16:48:27 +0000 (17:48 +0100)]
CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks to parent process
The winbindd_dual_pam_auth_crap() function will be converted to a local
RPC call handler and it won't receive a winbindd_cli_state struct. Move
the checks accessing this struct to the parent.
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
74a511a8eab72cc82940738a1e20e63e12b81374)
Jule Anger [Wed, 29 Mar 2023 14:33:02 +0000 (16:33 +0200)]
VERSION: Bump version up to Samba 4.16.11...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 22 Mar 2023 09:26:09 +0000 (10:26 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.16.10 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 22 Mar 2023 09:24:15 +0000 (10:24 +0100)]
WHATSNEW: Add release notes for Samba 4.16.10.
Signed-off-by: Jule Anger <janger@samba.org>
Rob van der Linde [Mon, 27 Feb 2023 01:06:23 +0000 (14:06 +1300)]
CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Fri, 3 Mar 2023 04:52:13 +0000 (17:52 +1300)]
CVE-2023-0614 ldb: Release LDB 2.5.3
* CVE-2023-0614 Not-secret but access controlled LDAP attributes can be discovered (bug 15270)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
[abartlet@samba.org Adapted to LDB 2.5 series in Samba 4.16]
Andrew Bartlett [Thu, 2 Mar 2023 04:24:15 +0000 (17:24 +1300)]
CVE-2023-0614 lib/ldb-samba Ensure ACLs are evaluated on SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN
Setting the LDB_HANDLE_FLAG_UNTRUSTED tells the acl_read module to operate on this request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2023 03:51:25 +0000 (16:51 +1300)]
CVE-2023-0614 lib/ldb-samba: Add test for SAMBA_LDAP_MATCH_RULE_TRANSITIVE_EVAL / LDAP_MATCHING_RULE_IN_CHAIN with and ACL hidden attributes
The chain for transitive evaluation does consider ACLs, avoiding the disclosure of
confidential information.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Fri, 3 Mar 2023 03:49:00 +0000 (16:49 +1300)]
CVE-2023-0614 dsdb: Add pre-cleanup and self.addCleanup() of OU created in match_rules tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Thu, 2 Mar 2023 03:31:17 +0000 (16:31 +1300)]
CVE-2023-0614 dsdb: Add DSDB_MARK_REQ_UNTRUSTED
This will allow our dsdb helper search functions to mark the new
request as untrusted, forcing read ACL evaluation (per current behaviour).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
[abartlet@samba.org adapted due to Samba 4.16 and lower
not having the patches for CVE-2022-32743]
Joseph Sutton [Thu, 23 Feb 2023 21:03:25 +0000 (10:03 +1300)]
CVE-2023-0614 s4-dsdb: Treat confidential attributes as unindexed
In the unlikely case that someone adds a confidential indexed attribute
to the schema, LDAP search expressions on that attribute could disclose
information via timing differences. Let's not use the index for searches
on confidential attributes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:35:55 +0000 (17:35 +1300)]
CVE-2023-0614 ldb: Filter on search base before redacting message
Redaction may be expensive if we end up needing to fetch a security
descriptor to verify rights to an attribute. Checking the search scope
is probably cheaper, so do that first.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 14 Feb 2023 00:17:24 +0000 (13:17 +1300)]
CVE-2023-0614 ldb: Centralise checking for inaccessible matches
This makes it less likely that we forget to handle a case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 15 Feb 2023 23:35:34 +0000 (12:35 +1300)]
CVE-2023-0614 ldb: Use binary search to check whether attribute is secret
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 27 Feb 2023 00:31:44 +0000 (13:31 +1300)]
CVE-2023-0614 s4-acl: Avoid calling dsdb_module_am_system() if we can help it
If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:34:29 +0000 (17:34 +1300)]
CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
marks inaccessible any message elements used by an LDAP search filter
that the user has no right to access. Make the various ldb_match_*()
functions check whether message elements are accessible, and refuse to
match any that are not. Remaining message elements, not mentioned in the
search filter, are checked in aclread_callback(), and any inaccessible
elements are removed at this point.
Certain attributes, namely objectClass, distinguishedName, name, and
objectGUID, are always present, and hence the presence of said
attributes is always allowed to be checked in a search filter. This
corresponds with the behaviour of Windows.
Further, we unconditionally allow the attributes isDeleted and
isRecycled in a check for presence or equality. Windows is not known to
make this special exception, but it seems mostly harmless, and should
mitigate the performance impact on searches made by the show_deleted
module.
As a result of all these changes, our behaviour regarding confidential
attributes happens to match Windows more closely. For the test in
confidential_attr.py, we can now model our attribute handling with
DC_MODE_RETURN_ALL, which corresponds to the behaviour exhibited by
Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org adapted due to Samba 4.17 and lower
not having the patches for CVE-2020-25720 and 4.16 and lower
not having the patches for CVE-2022-32743 ]
Joseph Sutton [Mon, 27 Feb 2023 00:55:36 +0000 (13:55 +1300)]
CVE-2023-0614 s4-acl: Split out function to set up access checking variables
These variables are often used together, and it is useful to have the
setup code in one place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org adapted to the use of
acl_check_access_on_attribute as
acl_check_access_on_attribute_implicit_owner is
only in Samba 4.18 and newer]
Joseph Sutton [Sun, 26 Feb 2023 23:19:08 +0000 (12:19 +1300)]
CVE-2023-0614 s4-dsdb: Add samdb_result_dom_sid_buf()
This function parses a SID from an ldb_message, similar to
samdb_result_dom_sid(), but does it without allocating anything.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted for simple conflicts due to
56297449f9c2e94505a72a70a3a3c5990d00d37f trimming
trailing whitespace]
Joseph Sutton [Mon, 27 Feb 2023 00:40:33 +0000 (13:40 +1300)]
CVE-2023-0614 s4-acl: Split out logic to remove access checking attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:31:54 +0000 (17:31 +1300)]
CVE-2023-0614 ldb: Add ldb_parse_tree_get_attr()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 19:32:41 +0000 (08:32 +1300)]
CVE-2023-0614 tests/krb5: Add test for confidential attributes timing differences
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 6 Feb 2023 20:25:48 +0000 (09:25 +1300)]
CVE-2023-0614 schema_samba4.ldif: Allocate previously added OID
DSDB_CONTROL_CALCULATED_DEFAULT_SD_OID was added in commit
08187833fee57a8dba6c67546dfca516cd1f9d7a.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 25 Aug 2022 08:15:33 +0000 (20:15 +1200)]
schema_samba4.ldif: Allocate previously added OIDs
DSDB_CONTROL_FORCE_ALLOW_VALIDATED_DNS_HOSTNAME_SPN_WRITE_OID was added
to source4/dsdb/samdb/samdb.h in commit
c2ab1f4696fa3f52918a126d0b37993a07f68bcb.
DSDB_EXTENDED_SCHEMA_LOAD was added in commit
1fd4cdfafaa6a41c824d1b3d76635bf3e446de0f.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
672ec6135f9ae3d7b5439523a4f456c19fb03a88)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
[abartlet@samba.org This required as context for the above bug]
Joseph Sutton [Mon, 6 Feb 2023 20:48:37 +0000 (09:48 +1300)]
CVE-2023-0614 s4:dsdb:tests: Fix <GUID={}> search in confidential attributes test
The object returned by schema_format_value() is a bytes object.
Therefore the search expression would resemble:
(lastKnownParent=<GUID=b'
00000000-0000-0000-0000-
000000000000'>)
which, due to the extra characters, would fail to match anything.
Fix it to be:
(lastKnownParent=<GUID=
00000000-0000-0000-0000-
000000000000>)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 6 Feb 2023 20:35:24 +0000 (09:35 +1300)]
CVE-2023-0614 s4:dsdb/extended_dn_in: Don't modify a search tree we don't own
In extended_dn_fix_filter() we had:
req->op.search.tree = ldb_parse_tree_copy_shallow(req, req->op.search.tree);
which overwrote the parse tree on an existing ldb request with a fixed
up tree. This became a problem if a module performed another search with
that same request structure, as extended_dn_in would try to fix up the
already-modified tree for a second time. The fixed-up tree element now
having an extended DN, it would fall foul of the ldb_dn_match_allowed()
check in extended_dn_filter_callback(), and be replaced with an
ALWAYS_FALSE match rule. In practice this meant that <GUID={}> searches
would only work for one search in an ldb request, and fail for
subsequent ones.
Fix this by creating a new request with the modified tree, and leaving
the original request unmodified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Sun, 26 Feb 2023 21:31:52 +0000 (10:31 +1300)]
CVE-2023-0614 ldb: Make use of ldb_filter_attrs_in_place()
Change all uses of ldb_kv_filter_attrs() to use
ldb_filter_attrs_in_place() instead. This function does less work than
its predecessor, and no longer requires the allocation of a second ldb
message. Some of the work is able to be split out into separate
functions that each accomplish a single task, with a purpose to make the
code clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:30:19 +0000 (17:30 +1300)]
CVE-2023-0614 ldb: Make ldb_filter_attrs_in_place() work in place
ldb_filter_attrs() previously did too much. Now its replacement,
ldb_filter_attrs_in_place(), only does the actual filtering, while
taking ownership of each element's values is handled in a separate
function, ldb_msg_elements_take_ownership().
Also, ldb_filter_attrs_in_place() no longer adds the distinguishedName
to the message if it is missing. That is handled in another function,
ldb_msg_add_distinguished_name().
As we're now modifying the original message rather than copying it into
a new one, we no longer need the filtered_msg parameter.
We adapt a test, based on ldb_filter_attrs_test, to exercise the new
function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:29:03 +0000 (17:29 +1300)]
CVE-2023-0614 ldb: Add function to filter message in place
At present this function is an exact duplicate of ldb_filter_attrs(),
but in the next commit we shall modify it to work in place, without the
need for the allocation of a second message.
The test is a near duplicate of the existing test for
ldb_filter_attrs().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Fri, 3 Mar 2023 04:27:38 +0000 (17:27 +1300)]
CVE-2023-0614 ldb: Add function to add distinguishedName to message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted to conflict from lack of new
ldb_ascii_toupper() in ldb_private.h]
Joseph Sutton [Fri, 3 Mar 2023 04:26:04 +0000 (17:26 +1300)]
CVE-2023-0614 ldb: Add function to remove excess capacity from an ldb message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted to conflict from lack of new
ldb_ascii_toupper() in ldb_private.h]
Joseph Sutton [Fri, 3 Mar 2023 04:23:42 +0000 (17:23 +1300)]
CVE-2023-0614 ldb: Add function to take ownership of an ldb message
Many places in Samba depend upon various components of an ldb message
being talloc allocated, and hence able to be used as talloc contexts.
The elements and values of an unpacked ldb message point to unowned data
inside the memory-mapped database, and this function ensures that such
messages have talloc ownership of said elements and values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 15 Feb 2023 01:08:57 +0000 (14:08 +1300)]
CVE-2023-0614 ldb:tests: Ensure all tests are accounted for
Add ldb_filter_attrs_test to the list of tests so that it actually gets
run.
Remove a duplicate ldb_msg_test that was accidentally added in commit
5ca90e758ade97fb5e335029c7a1768094e70564.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Tue, 14 Feb 2023 23:34:51 +0000 (12:34 +1300)]
CVE-2023-0614 ldb:tests: Ensure ldb_val data is zero-terminated
If the value of an ldb message element is not zero-terminated, calling
ldb_msg_find_attr_as_string() will cause the function to read off the
end of the buffer in an attempt to verify that the value is
zero-terminated. This can cause unexpected behaviour and make the test
randomly fail.
To avoid this, we must have a terminating null byte that is *not*
counted as part of the length, and so we must calculate the length with
strlen() rather than sizeof.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 19:29:33 +0000 (08:29 +1300)]
CVE-2023-0614 s4-acl: Use ldb functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 19:28:36 +0000 (08:28 +1300)]
CVE-2023-0614 ldb: Add functions for handling inaccessible message elements
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 19:00:32 +0000 (08:00 +1300)]
CVE-2023-0614 s4-acl: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Adapted to code without newer
acl_check_access_on_attribute_implicit_owner name]
Joseph Sutton [Mon, 6 Feb 2023 20:29:51 +0000 (09:29 +1300)]
CVE-2023-0614 s4:dsdb: Use talloc_get_type_abort() more consistently
It is better to explicitly abort than to dereference a NULL pointer or
try to read data cast to the wrong type.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Thu, 26 Jan 2023 18:57:27 +0000 (07:57 +1300)]
CVE-2023-0614 libcli/security: Make some parameters const
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Updated to add const to sec_access_check_ds()
instead of the sec_access_check_ds_implicit_owner() wrapper
found in 4.18 and later]
Andrew Bartlett [Thu, 2 Mar 2023 21:31:40 +0000 (10:31 +1300)]
CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py to be slower by matching on large objects
This changes the slow aspect to be the object matching not the filter parsing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Andrew Bartlett [Mon, 13 Mar 2023 04:20:00 +0000 (17:20 +1300)]
CVE-2023-0614 selftest: Use setUpClass() to reduce "make test TESTS=large_ldap" time
This reduces the elapsed time to 6m from 20m on my laptop.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15332
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Mar 14 07:16:04 UTC 2023 on atb-devel-224
(cherry picked from commit
b4a6c054ec6acefacd22cb7230a783d20cb07c05)
[abartlet@samba.org Included in the security release as this
makes working on the large_ldap test practical by reducing
the elapsed time taken]
Andrew Bartlett [Mon, 13 Mar 2023 01:25:56 +0000 (14:25 +1300)]
CVE-2023-0614 lib/ldb: Avoid allocation and memcpy() for every wildcard match candidate
The value can be quite large, the allocation will take much
longer than the actual match and is repeated per candidate
record.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15331
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit
cad96f59a08192df927fb1df4e9787c7f70991a2)
[abartlet@samba.org Included in the security release as this
makes the new large_ldap.py timeout test more reliable]
Jule Anger [Thu, 16 Feb 2023 16:30:41 +0000 (17:30 +0100)]
VERSION: Bump version up to Samba 4.16.10...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Thu, 16 Feb 2023 16:30:12 +0000 (17:30 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.16.9 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Thu, 16 Feb 2023 16:28:06 +0000 (17:28 +0100)]
WHATSNEW: Add release notes for Samba 4.16.9.
Signed-off-by: Jule Anger <janger@samba.org>
Ralph Boehme [Wed, 18 Jan 2023 15:21:16 +0000 (16:21 +0100)]
mdssvc: fix kMDScopeArray parsing
In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams"
request has changed from
string: kMDScopeArray
sl_array_t(#1): {
string: /foo/bar
}
to:
string: kMDScopeArray
sl_array_t(#1): {
sl_array_t(#1): {
string: /foo/bar
}
}
With this patch we check both encodings. Bug fixed according to user feedback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299
RN: Spotlight doesn't work with latest macOS Ventura
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
1dd0cd2f4e644ad43b0e7ee2aaae19799e859585)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Feb 10 12:15:02 UTC 2023 on sn-devel-184
Andrew Walker [Tue, 27 Dec 2022 15:59:14 +0000 (10:59 -0500)]
lib/replace - add extra check to bsd_attr_list
The FreeBSD extattr API may return success and truncated
namelist. We need to check for this in bsd_attr_list to
ensure that we don't accidentally read off the end of the
buffer. In the case of a truncated value, the pascal
strings for attr names will reflect the lengths as if
the value were not truncated. For example:
`58DosStrea`
In case of short read we now set error to ERANGE and
fail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Jan 2 14:27:23 UTC 2023 on sn-devel-184
(cherry picked from commit
01cdc5e00be78a51f0766634cc7fe50de2088203)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jan 23 10:59:28 UTC 2023 on sn-devel-184
Jeremy Allison [Thu, 10 Nov 2022 22:43:15 +0000 (14:43 -0800)]
s3: smbd: Always use metadata_fsp() when processing fsctls.
Currently all fsctls we implement need the base fsp, not
an alternate data stream fsp. We may revisit this later
if we implement fsctls that operate on an ADS.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Walker <awalker@ixsystems.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 14 18:13:31 UTC 2022 on sn-devel-184
(cherry picked from commit
fa4eba131b882c3858b28f5fd9864998e19a4510)
Jeremy Allison [Thu, 10 Nov 2022 22:41:15 +0000 (14:41 -0800)]
s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
(back-ported from commit
abc4495e4591964bb4625c2669a1f84213faab77)
Stefan Metzmacher [Thu, 16 Dec 2021 17:24:16 +0000 (18:24 +0100)]
s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15286
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
e27084f5d8c3a151c5d0b266118f0d71b641dc85)
Samuel Cabrero [Thu, 22 Dec 2022 15:32:40 +0000 (16:32 +0100)]
CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context allocations
After s3 and s4 rpc servers merge the loadparm_context is available in
the dcesrv_context structure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Jan 9 15:17:14 UTC 2023 on sn-devel-184
(cherry picked from commit
56837f3d3169a02d0d92bd085d9c8250415ce29b)
Samuel Cabrero [Mon, 9 Jan 2023 11:17:48 +0000 (12:17 +0100)]
CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
02fba22b8c9e9b33ab430555ef45500c45eaa9d1)
Samuel Cabrero [Thu, 22 Dec 2022 10:05:33 +0000 (11:05 +0100)]
CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
By default we'll now require schannel connections with privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
a0b97e262318dc56fe663da89b0ee3172b2e7848)
Samuel Cabrero [Thu, 22 Dec 2022 08:29:04 +0000 (09:29 +0100)]
CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
Some checks are also required for _netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
ca07f4340ce58a7e940a1123888b7409176412f7)
Samuel Cabrero [Thu, 22 Dec 2022 15:30:26 +0000 (16:30 +0100)]
CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()
After s3 and s4 rpc servers merge we can avoid duplicated code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
25300d354c80995997d552581cd91dddaf4bbf48)
Samuel Cabrero [Thu, 22 Dec 2022 13:03:23 +0000 (14:03 +0100)]
CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
Will be used later by s3 netlogon server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
121e7b0e39478c5291100652ac92c263f406076b)
Samuel Cabrero [Thu, 5 Jan 2023 17:13:09 +0000 (18:13 +0100)]
CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
d9e6b490db3ead7e79bb3ff0c1f9ef8ab8bdc65b)
Samuel Cabrero [Thu, 22 Dec 2022 15:46:15 +0000 (16:46 +0100)]
CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
3cd18690f83d2f85e847fc703ac127b4b04189fc)
Samuel Cabrero [Wed, 21 Dec 2022 14:53:04 +0000 (15:53 +0100)]
CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
Follow s4 netlogon server changes and move the checks to the RPC bind
hook. Next commits will remove the s3 netr_creds_server_step_check()
function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
8141eae47aad849741beb138fae866c772e4ec4c)
Jeremy Allison [Tue, 8 Nov 2022 18:13:18 +0000 (10:13 -0800)]
s4: libcli: Ignore errors when getting A records after fetching AAAA records.
The target may only be available over IPv6.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15226
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Wed Nov 9 20:34:07 UTC 2022 on sn-devel-184
(cherry picked from commit
10537a89bb0b461ba31d614b7c9ed56a842422e7)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Mon Jan 16 10:47:49 UTC 2023 on sn-devel-184
Jeremy Allison [Tue, 15 Nov 2022 21:29:46 +0000 (13:29 -0800)]
s3: smbd: In synthetic_pathref() change DBG_ERR -> DBG_NOTICE to avoid spamming the logs.
Can easily be seen by doing make test TESTS=fruit
and looking in st/nt4_dc/smbd_test.log.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15210
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 16 06:00:56 UTC 2022 on sn-devel-184
(cherry picked from commit
f0ca9546102acf09f1834c03f8907ed26bfc80f8)
Jeremy Allison [Thu, 20 Oct 2022 22:19:05 +0000 (15:19 -0700)]
s3: smbd: Cause SMB2_OP_FLUSH to go synchronous in a compound anywhere but the last operation in the list.
Async read and write go synchronous in the same case,
so do the same here.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Thu Nov 17 05:55:42 UTC 2022 on sn-devel-184
(cherry picked from commit
26adf3344337f4e8d5d2107e6ba42e5ea7656372)
Jeremy Allison [Thu, 20 Oct 2022 22:08:14 +0000 (15:08 -0700)]
s3: smbd: Add utility function smbd_smb2_is_last_in_compound().
Not yet used. Returns true if we're processing the last SMB2 request in a
compound.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
e668c3a82cd566b405c976d45659dd79786948de)
Jeremy Allison [Thu, 20 Oct 2022 21:22:25 +0000 (14:22 -0700)]
s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_FLUSH test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_FLUSH
compound if we immediately close the file afterward.
Internally the flushes go async and we free the req, then
we process the close. When the flushes complete they try to access
already freed data.
Extra test which will allow me to test when the final
component (flush) of the compound goes async and returns
NT_STATUS_PENDING.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
6f149dfd9d8d2619a9e18975ebcf5e69df2b7766)
Jeremy Allison [Tue, 18 Oct 2022 23:22:33 +0000 (16:22 -0700)]
s4: torture: Add an async SMB2_OP_FLUSH + SMB2_OP_CLOSE test to smb2.compound_async.
Shows we fail sending an SMB2_OP_FLUSH + SMB2_OP_CLOSE
compound. Internally the flush goes async and
we free the req, then we process the close.
When the flush completes it tries to access
already freed data.
Found using the Apple MacOSX client at SNIA SDC 2022.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15172
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(back-ported from commit
17a110c1b58196eb8ecf3c76eb97e8508976c544)
Andrew Walker [Fri, 2 Sep 2022 20:31:32 +0000 (16:31 -0400)]
nsswitch:libwbclient - fix leak in wbcCtxPingDc2
Memory allocated for response is never freed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15164
Signed-off-by: Andrew Walker <awalker@ixsystems.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Christof Schmitt <cs@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Sep 6 20:10:17 UTC 2022 on sn-devel-184
(cherry picked from commit
aa9f3a2da97ae13cce3e50fe3d58f143200e9a17)
Jeremy Allison [Fri, 28 Oct 2022 22:31:39 +0000 (15:31 -0700)]
s3: libsmbclient: Fix smbc_getxattr() to return 0 on success.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Nov 1 18:31:22 UTC 2022 on sn-devel-184
(cherry picked from commit
bdbb38d16c8eaff33484bb747efa639c4d8e7f35)
Jeremy Allison [Fri, 28 Oct 2022 22:28:41 +0000 (15:28 -0700)]
s4: torture: Show return value for smbc_getxattr() is incorrect (returns >0 for success, should return zero).
Add torture test to show smbc_getxattr() should return -1 on
failure, 0 on success.
Add knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14808
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>
(cherry picked from commit
74636dfe24c15677261fc40c0a4ec62404898cf4)
Stefan Metzmacher [Sat, 31 Dec 2022 00:24:57 +0000 (01:24 +0100)]
s4:lib/messaging: fix interaction between imessaging_context_destructor and irpc_destructor
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15280
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0d096931196524a2d1bf59470bc629dc9231131e)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Fri Jan 13 10:31:22 UTC 2023 on sn-devel-184
Stefan Metzmacher [Wed, 28 Dec 2022 12:50:45 +0000 (13:50 +0100)]
s3:rpc_server/srvsvc: make sure we (re-)load all shares as root.
This fixes a regression in commit
f03665bb7e8ea97699062630f2aa1bac4c5dfc7f
The use of reload_services() has a lot of side effects, e.g. reopen of
log files and other things, which are only useful in smbd, but not in rpcd_classic.
It was also unloading the user and registry shares we loaded a few lines
above.
We need to do all (re-)loading as root, otherwise we won't be able
to read root only smb.conf files, access registry shares, ...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Walker <awalker@ixsystems.com>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Dec 29 21:14:02 UTC 2022 on sn-devel-184
(cherry picked from commit
f28553105be7465026bcc0fcbbed6a1a8c2133dd)
Stefan Metzmacher [Wed, 28 Dec 2022 15:18:40 +0000 (16:18 +0100)]
selftest: add samba3.blackbox.registry_share
This demonstrates the regression introduced by
f03665bb7e8ea97699062630f2aa1bac4c5dfc7f, where
registry shares are no longer listed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Walker <awalker@ixsystems.com>
(cherry picked from commit
a00c7395fbc7974a61a70ae54ea6ae6349933de2)
Volker Lendecke [Wed, 9 Nov 2022 13:04:23 +0000 (14:04 +0100)]
testprogs: Add testit_grep_count() helper
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
55feb593012fc5b24e795a00081666fca740429c)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15243
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15266
Andreas Schneider [Fri, 22 Apr 2022 13:46:04 +0000 (15:46 +0200)]
testprogs: Reformat subunit.sh
shfmt -w -p -i 0 -fn testprogs/blackbox/subunit.sh
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
(cherry picked from commit
561e9256551ae3fe1d6ff4974884714d69d91898)
Andreas Schneider [Thu, 22 Dec 2022 09:31:11 +0000 (10:31 +0100)]
s3:client: Fix a use-after-free issue in smbclient
Detected by
make test TESTS="samba3.blackbox.chdir-cache"
with an optimized build or with AddressSanitizer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
9c707b4be27e2a6f79886d3ec8b5066c922b99bd)
Autobuild-User(v4-16-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-16-test): Tue Jan 3 19:19:57 UTC 2023 on sn-devel-184
Andreas Schneider [Thu, 22 Dec 2022 09:36:02 +0000 (10:36 +0100)]
s3:script: Improve test_chdir_cache.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15268
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
0d1961267cd9e8f1158a407c5d135514c363f37e)
Andreas Schneider [Fri, 22 Apr 2022 13:34:08 +0000 (15:34 +0200)]
s3:tests: Reformat test_chdir_cache.sh
shfmt -f source3/script/| xargs shfmt -w -p -i 0 -fn
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>