[SCM] Samba Shared Repository - branch v4-15-stable updated

Jule Anger janger at samba.org
Mon Jan 31 12:41:39 UTC 2022


The branch, v4-15-stable has been updated
       via  27bd8a32359 VERSION: Disable GIT_SNAPSHOT for the 4.15.5 release.
       via  81aab85bae8 WHATSNEW: Add release notes for Samba 4.15.5.
       via  e7d0d40e684 CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
       via  d46ffccc078 CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
       via  9371ace08e6 CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
       via  66774e97e20 CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
       via  b97f4a6519f CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
       via  dbeef6bc732 CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
       via  f03c42ea77f CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
       via  700f80d551d CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
       via  e3f84b2b9f8 CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
       via  9e90f31639a CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
       via  3e0d40f5481 CVE-2021-44141: s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
       via  c7aa173d2a4 CVE-2021-44141: s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
       via  a180e5726d5 CVE-2021-44141: s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
       via  300abd383ea CVE-2021-44141: s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
       via  a7b6aa7d1f2 CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
       via  08c40af6381 CVE-2021-44141: s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
       via  bfcf165b29b CVE-2021-44141: s4: torture: In raw.search:test_one_file() add a second connection.
       via  c032a254bb5 CVE-2021-44141: s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
       via  4fc4bd4f20c CVE-2021-44141: s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
       via  738c7080e78 CVE-2021-44141: s4: torture: In raw.search:test_one_file() remove the leading '\' in the test filenames.
       via  10242faa078 CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
       via  f8698b1f797 CVE-2021-44141: s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
       via  f77e56e2d1b CVE-2021-44141: s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
       via  e94d2bcbdc6 CVE-2021-44141: s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
       via  104499b56de CVE-2021-44141: s3: smbd: In unix_convert() remove the now unneeded block indentation.
       via  36f480c7c8e CVE-2021-44141: s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
       via  3471f03816f CVE-2021-44141: s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
       via  d52dd78e9d8 CVE-2021-44141: s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
       via  b0fc0efbac5 CVE-2021-44141: s3: smbd: We no longer need determine_path_error().
       via  5e42ab3f6a0 CVE-2021-44141: s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
       via  b73be0c7a7c CVE-2021-44141: s3: smbd: filename_convert() no longer deals with wildcards.
       via  6f2c67d9993 CVE-2021-44141: s3: smbd: parse_dfs_path() can ignore wildcards.
       via  d91d4a17443 CVE-2021-44141: s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
       via  fc8e6669edb CVE-2021-44141: s3: smbd: dfs_path_lookup() no longer deals with wildcards.
       via  12b44645fb9 CVE-2021-44141: s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
       via  0f1436ed031 CVE-2021-44141: s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
       via  e6d9ef3b1e8 CVE-2021-44141: s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
       via  5c55cd93e5b CVE-2021-44141: s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
       via  3490db2a389 CVE-2021-44141: s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
       via  f8ecb37606e CVE-2021-44141: s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
       via  51c024a1b02 CVE-2021-44141: s3: smbd: Remove now unused check_reduced_name_with_privilege().
       via  3f60b452049 CVE-2021-44141: s3: smbd: Remove unused check_name_with_privilege().
       via  733e66aa31d CVE-2021-44141: s3: smbd: In filename_convert_internal(), remove call to check_name_with_privilege().
       via  46ec23c244b CVE-2021-44141: s3: smbd: Remove filename_convert_with_privilege(). No longer used.
       via  1c1c7ed9946 CVE-2021-44141: s3: smbd: In call_trans2findfirst() we don't need filename_convert_with_privilege() anymore.
       via  0163d21c31a CVE-2021-44141: s3: smbd: Remove split_fname_dir_mask().
       via  68ee550a0dd CVE-2021-44141: s3: smbd: In rename_internals(), remove the name splitting and re-combining code.
       via  43a9866c46b CVE-2021-44141: s3: smbd: check_name() is now static to filename.c
       via  838985e439d CVE-2021-44141: s3: smbd: In rename_internals_fsp(), remove unneeded call to check_name().
       via  26ecf18b426 CVE-2021-44141: s3: smbd: Handling SMB_FILE_RENAME_INFORMATION, the destination name is a single component.
       via  fad0039acab CVE-2021-44141: s3: smbd: Remove the old unlink_internals() implementation.
       via  a88596028ea CVE-2021-44141: s3: smbd: Comment out the old unlink_internals(). Rename do_unlink() -> unlink_internals().
       via  9fb1d11b2ed CVE-2021-44141: s3: smbd: Move to modern debug calls inside do_unlink().
       via  9907c8af089 CVE-2021-44141: s3: smbd: Move setting of dirtype if FILE_ATTRIBUTE_NORMAL to do_unlink().
       via  8c1a9ccb546 CVE-2021-44141: s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().
       via  fc80b553dc6 CVE-2021-44141: s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().
       via  cf2de328ea3 CVE-2021-44141: s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename code.
       via  be70e606c61 CVE-2021-44141: s3: smbd: Remove the commented out resolve_wildcards().
       via  cafca2b7a0e CVE-2021-44141: s3: smbd: Remove all wildcard code from rename_internals().
       via  ece00d51a7b CVE-2021-44141: s3: smbd: Remove dest_has_wild and all associated code from rename_internals()
       via  848b891d978 CVE-2021-44141: s3: smbd: Prepare to remove wildcard matching from rename_internals().
       via  992864a49f0 CVE-2021-44141: s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.
       via  c7678425514 CVE-2021-44141: s3: smbd: In reply_ntrename(), never set dest_has_wcard.
       via  9d0c2fd42fc CVE-2021-44141: s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destination lookups.
       via  07b47529426 CVE-2021-44141: s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.
       via  7b0eba7ff03 CVE-2021-44141: s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level) prevent destination wildcards.
       via  410126c7fb9 CVE-2021-44141: s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_mv().
       via  945c9264243 CVE-2021-44141: s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().
       via  e4c3d31854f CVE-2021-44141: s3: smbd: Change unlink_internals() to ignore has_wild parameter.
       via  79ae11f3cb4 CVE-2021-44141: s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.
       via  d57802650f4 CVE-2021-44141: s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
       via  80d8a557dda CVE-2021-44141: s3: torture: Remove the wildcard unlink test code.
       via  05d2d29964e CVE-2021-44141: s4: torture: Remove the wildcard rename test code.
       via  b39ba559c07 CVE-2021-44141: s4: torture: Remove the wildcard unlink test code.
       via  6c40cda03e7 CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename target.
       via  c249f1d09d6 CVE-2021-44141: s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.
       via  cf109e26b7a CVE-2021-44141: s3: torture: In test_mask(), use torture_deltree() for setup.
       via  8349c57f76f CVE-2021-44141: s3: torture: In run_streamerror(), use torture_deltree() for setup.
       via  ff64b0f32d0 CVE-2021-44141: s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.
       via  18ac36f7aed CVE-2021-44141: s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.
       via  04304b9f92c CVE-2021-44141: s3: torture: In torture_utable(), use torture_deltree() for setup.
       via  919b3c8d3fb CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup and cleanup.
       via  74fe15a05ad CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup and cleanup.
       via  57fbf7564c7 CVE-2021-44141: s3: torture: Add torture_deltree() for setup and teardown.
       via  db095ee5f03 CVE-2021-44141: s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.
       via  2cfbfd3e0a6 CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.
       via  ee3a5f2ee00 CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() in base.casetable test.
       via  745d08fe10a CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.
       via  6f9580493e2 CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.
       via  a0fd6cd62f3 CVE-2021-44141: s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().
       via  cf661f306af CVE-2021-44141: s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().
       via  550ece56400 CVE-2021-44141: s4: libcli: Add smbcli_unlink_wcard().
       via  0e2b3fb982d CVE-2021-44142: libadouble: harden parsing code
       via  4533a7b4319 CVE-2021-44142: libadouble: add basic cmocka tests
       via  b4c0b4620f1 CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
       via  22b40919249 CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
       via  eee61be9b58 CVE-2021-44142: libadouble: add defines for icon lengths
       via  7a516257ea3 CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
       via  d392b10c55b CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
       via  60506e99312 VERSION: Bump version up to Samba 4.15.5...
      from  bd9db127ff4 VERSION: Disable GIT_SNAPSHOT for the 4.15.4 release.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable


- Log -----------------------------------------------------------------
commit 27bd8a323591486e76e916a6084c7300bf358eec
Author: Jule Anger <janger at samba.org>
Date:   Mon Jan 31 10:39:24 2022 +0100

    VERSION: Disable GIT_SNAPSHOT for the 4.15.5 release.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit 81aab85bae818572236c7fcaf91ec4539974108e
Author: Jule Anger <janger at samba.org>
Date:   Mon Jan 31 10:34:04 2022 +0100

    WHATSNEW: Add release notes for Samba 4.15.5.
    
    Signed-off-by: Jule Anger <janger at samba.org>

commit e7d0d40e684702d7fcbb781e0f6c072be86a1386
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 22:19:29 2021 -0800

    CVE-2021-44141: s3: smbd: Inside rename_internals_fsp(), we must use vfs_stat() for existence, not SMB_VFS_STAT().
    
    We need to take SMB1+POSIX into account here and do an LSTAT if it's
    a POSIX name.
    
    Remove knownfail.d/posix_sylink_rename
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit d46ffccc0780b9ef6b5a49e3e17b665345bd4362
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 22:15:46 2021 -0800

    CVE-2021-44141: s3: torture: Add a test samba3.blackbox.test_symlink_rename.SMB1.posix that shows we still leak target info across a SMB1+POSIX rename.
    
    Add a knownfail.d/posix_sylink_rename
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 9371ace08e603c745be14d6131b7a7713b36e782
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 14:39:42 2021 -0800

    CVE-2021-44141: s3: smbd: Fix a subtle bug in the error returns from filename_convert().
    
    If filename_convert() fails to convert the path, we never call
    check_name(). This means we can return an incorrect error code
    (NT_STATUS_ACCESS_DENIED) if we ran into a symlink that points
    outside the share to a non-readable directory. We need to make
    sure in this case we always call check_name().
    
    Remove knownfail.d/symlink_traversal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 66774e97e200d686be9c54739dc67ff0ed56af6f
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 14:33:17 2021 -0800

    CVE-2021-44141: s3: smbd: Inside check_reduced_name() ensure we return the correct error codes when failing symlinks.
    
    NT_STATUS_OBJECT_PATH_NOT_FOUND for a path component failure.
    NT_STATUS_OBJECT_NAME_NOT_FOUND for a terminal component failure.
    
    Remove:
    
    	samba3.blackbox.test_symlink_traversal.SMB1.posix
    	samba3.blackbox.smbclient_s3.*.Ensure\ widelinks\ are\ restricted\(.*\)
    	samba3.blackbox.smbclient_s3.*.follow\ symlinks\ \=\ no\(.*\)
    
    in knownfail.d/symlink_traversal as we now pass these. Only one more fix
    remaining to get rid of knownfail.d/symlink_traversal completely.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit b97f4a6519f64cbcea2b6baa33d853faf4bc24cb
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 11:44:09 2021 -0800

    CVE-2021-44141: s3: smbd: For SMB1+POSIX clients trying to open a symlink, always return NT_STATUS_OBJECT_NAME_NOT_FOUND.
    
    Matches the error return from openat_pathref_fsp().
    
    NT_STATUS_OBJECT_PATH_NOT_FOUND is for a bad component in a path, not
    a bad terminal symlink.
    
    Remove knownfail.d/simple_posix_open, we now pass.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit dbeef6bc732f05da5b35274cb0782a914e7392d7
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 17:56:35 2021 -0800

    CVE-2021-44141: s3: torture: Change expected error return for samba3.smbtorture_s3.plain.POSIX.smbtorture.
    
    Trying to open a symlink as a terminal component should return
    NT_STATUS_OBJECT_NAME_NOT_FOUND, not NT_STATUS_OBJECT_PATH_NOT_FOUND.
    
    Mark as knownfail.d/simple_posix_open until we fix the server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit f03c42ea77f4ec6a4a66583bfd1d195bd2ac6731
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 12:56:51 2021 -0800

    CVE-2021-44141: s3: torture: In test_smbclient_s3, change the error codes expected for test_widelinks() and test_nosymlinks() from ACCESS_DENIED to NT_STATUS_OBJECT_NAME_NOT_FOUND.
    
    For SMB1/2/3 (minus posix) we need to treat bad symlinks
    as though they don't exist.
    
    Add to knownfail.d/symlink_traversal
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 700f80d551d85b3141c2cd0abd7be5efb6948a51
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 12:34:38 2021 -0800

    CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.posix
    
    Add to knownfail.d/symlink_traversal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit e3f84b2b9f8eda2e5e3192452b698bfce4b7516c
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 12:32:19 2021 -0800

    CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB1.
    
    Add to knownfail.d/symlink_traversal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 9e90f31639a71ba4c8099c9da4ad25102a36873b
Author: Jeremy Allison <jra at samba.org>
Date:   Tue Dec 7 12:28:54 2021 -0800

    CVE-2021-44141: s3: torture: Add samba3.blackbox.test_symlink_traversal.SMB2.
    
    Add to knownfail.d/symlink_traversal
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 3e0d40f5481f2343fa93e204f2c432e1a2335c98
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Nov 18 12:16:44 2021 -0800

    CVE-2021-44141: s3: smbtorture3: Fix POSIX-BLOCKING-LOCK to actually negotiate SMB1+POSIX before using POSIX calls.
    
    This must be done before doing POSIX calls on a connection.
    
    Remove the final entry in knownfail.d/posix_infolevel_fails
    
        samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
    
    And remove the file knownfail.d/posix_infolevel_fails itself.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit c7aa173d2a44b3cf254b3739c7aedc2d5c8c0d58
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 00:05:35 2021 -0800

    CVE-2021-44141: s3: tests: Fix the samba3.blackbox.acl_xattr test to actually negotiate SMB1+POSIX before using POSIX calls.
    
    Remove the following entries in knownfail.d/posix_infolevel_fails.
    
        samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
        samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
        samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit a180e5726d598192e99ac4a26a2a3752bf7ac7c7
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 12:12:36 2021 -0800

    CVE-2021-44141: s3: tests: Fix the samba3.blackbox.inherit_owner test to actually negotiate SMB1+POSIX before using POSIX calls.
    
    Remove the following entry in knownfail.d/posix_infolevel_fails.
    
    	samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 300abd383ea7fc0b1b8c59d5a8c90201f216dcd6
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 12:15:06 2021 -0800

    CVE-2021-44141: s4: torture: Fix unix.info2 test to actually negotiate SMB1+POSIX before using POSIX calls.
    
    Cope with the minor difference in wildcard search return when
    we're actually using SMB1+POSIX on the server (SMB1+POSIX treats
    all directory search paths as wildcards).
    
    Remove the following entries in knownfail.d/posix_infolevel_fails.
    
    	samba3.unix.info2.info2\(nt4_dc_smb1\)
    	samba3.unix.info2.info2\(ad_dc_smb1\)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit a7b6aa7d1f20dfb565605d662404d3988c83e5c8
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 14:51:39 2021 -0800

    CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() by using the SMB1+POSIX connection for POSIX info levels.
    
    Remove the following entry in knownfail.d/posix_infolevel_fails.
    
    	^samba3.raw.search.one\ file\ search.*
    
    from knownfail.d/posix_infolevel_fails
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 08c40af638154fa009e6b6f526a357b10ba7e3ba
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 14:48:20 2021 -0800

    CVE-2021-44141: s4: torture: raw.search: Add setup_smb1_posix(). Call it on the second connection in test_one_file().
    
    Not yet used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit bfcf165b29b30dd1f8037ab0f9a9e03731d2642f
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 14:44:05 2021 -0800

    CVE-2021-44141: s4: torture: In raw.search:test_one_file() add a second connection.
    
    Change from torture_suite_add_1smb_test() to torture_suite_add_2smb_test().
    
    Not yet used. We will need this to do SMB1+POSIX search calls on
    a connection on which we have negotiated SMB1+POSIX.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit c032a254bb5b703f510c42880ea5416982df9577
Author: Jeremy Allison <jra at samba.org>
Date:   Sat Nov 20 20:17:11 2021 -0800

    CVE-2021-44141: s3: smbclient: Give a message if we try and use any POSIX command without negotiating POSIX first.
    
    Ensure we only use a POSIX command if POSIX is set up.
    Issue the message: Command "posix" must be issued before the "XXXX" command can be used.
    After the parameter parsing has been done.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 4fc4bd4f20cdfcf1df63f76f2f9940808b286c72
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Nov 18 11:48:42 2021 -0800

    CVE-2021-44141: s3: smbd: Tighten up info level checks for SMB1+POSIX to make sure POSIX was negotiated first.
    
    Add knownfail file
    
    	knownfail.d/posix_infolevel_fails
    
    for tests that don't currently negotiate
    SMB1+POSIX before using SMB1+POSIX calls.
    
    These are:
    
    samba3.smbtorture_s3.plain.POSIX-BLOCKING-LOCK.smbtorture\(nt4_dc_smb1\)
    samba3.blackbox.acl_xattr.NT1.nt_affects_posix.*
    samba3.blackbox.acl_xattr.NT1.nt_affects_chown.*
    samba3.blackbox.acl_xattr.NT1.nt_affects_chgrp.*
    samba3.blackbox.inherit_owner.*.NT1.*verify.*unix\ owner.*
    samba3.unix.info2.info2\(nt4_dc_smb1\)
    samba3.unix.info2.info2\(ad_dc_smb1\)
    samba3.raw.search.one\ file\ search.*
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 738c7080e78553b9f6eeef778522a1df9a88f977
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 14:18:47 2021 -0800

    CVE-2021-44141: s4: torture: In raw.search:test_one_file() remove the leading '\\' in the test filenames.
    
    We'll soon be using this under SMB1+POSIX and neither Windows nor POSIX
    need a leading '\\' (and SMB1+POSIX sees the '\\' as part of the name).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 10242faa0785ca277d584274c151467e78e787bf
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Nov 19 12:54:47 2021 -0800

    CVE-2021-44141: s4: torture: Fix raw.search:test_one_file() to use torture_result() instead of printf.
    
    I think this test pre-dates torture_result.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit f8698b1f797ddf2c6e418e683e6c68392ad3ef9e
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 13:06:27 2021 -0800

    CVE-2021-44141: s3: smbd: Remove 'struct uc_state' name_has_wildcard element.
    
    It is never set or looked at.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit f77e56e2d1baff6f0ff78e10d6bbba49d106edd9
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 13:05:55 2021 -0800

    CVE-2021-44141: s3: smbd: In unix_convert_step_stat() remove use of state->name_was_wildcard.
    
    It can never be true.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit e94d2bcbdc6d4899be71b74a2daf39e65474558c
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 13:03:47 2021 -0800

    CVE-2021-44141: s3: smbd: In unix_convert_step() remove all use of 'state->name_was_wildcard'
    
    We know it is never true.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 104499b56ded1960c0fa7f2dfd49eea4d0f76172
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 12:59:50 2021 -0800

    CVE-2021-44141: s3: smbd: In unix_convert() remove the now unneeded block indentation.
    
    We removed the 'if (state->name_has_wildcard) {' clause, so
    the block no longer needs indenting.
    
    Best seen with git show -b.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 36f480c7c8ea88238a040415f677ad0a57fec60c
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 12:55:41 2021 -0800

    CVE-2021-44141: s3: smbd: In unix_convert(), remove all references to state->name_has_wildcard.
    
    It is never set.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 3471f03816f8133f501288c8e468c36cdad8ae65
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 12:53:36 2021 -0800

    CVE-2021-44141: s3: smbd: Inside unix_convert(), never set state->name_is_wildcard.
    
    We error out immediately if it's set anyway.
    Preparing to remove 'state->name_is_wildcard' structure element.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit d52dd78e9d8cecbc9e913c0b91f345cafe755dbd
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 12:40:43 2021 -0800

    CVE-2021-44141: s3: smbd: UCF_ALWAYS_ALLOW_WCARD_LCOMP 0x00000002 is no longer used.
    
    Hurrah !
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit b0fc0efbac5b1c4144769ec5a2855f4276b9c7a2
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 12:37:15 2021 -0800

    CVE-2021-44141: s3: smbd: We no longer need determine_path_error().
    
    Now we don't have to consider wildcards just
    return NT_STATUS_OBJECT_PATH_NOT_FOUND for
    the cases we used to call it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 5e42ab3f6a09ec469ef882dca24f1372711646a0
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 11:33:42 2021 -0800

    CVE-2021-44141: s3: smbd: Inside 'struct uc_state', remove allow_wcard_last_component.
    
    This is never allowed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit b73be0c7a7c86943416cb83de387341ebfb169fd
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 11:30:42 2021 -0800

    CVE-2021-44141: s3: smbd: filename_convert() no longer deals with wildcards.
    
    These are already errored out with NT_STATUS_OBJECT_NAME_INVALID
    in the unix_convert() code.
    
    Remove the check.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 6f2c67d9993925e45245c7c3f1aa947d72cd2573
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 11:48:23 2021 -0800

    CVE-2021-44141: s3: smbd: parse_dfs_path() can ignore wildcards.
    
    If one is passed to filename_convert(), it will error out there
    with NT_STATUS_OBJECT_NAME_INVALID.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit d91d4a17443ab833bd210c10ac68b3992cb97370
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 11:42:23 2021 -0800

    CVE-2021-44141: s3: smbd: Remove 'bool search_wcard_flag' from parse_dfs_path().
    
    Never set.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit fc8e6669edb9e20fbc3a4f06dccccbb7ec676f70
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 11:31:40 2021 -0800

    CVE-2021-44141: s3: smbd: dfs_path_lookup() no longer deals with wildcards.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 12b44645fb92de451cf82de12b46a43fdc1c2cc1
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 11:28:40 2021 -0800

    CVE-2021-44141: s3: smbd: Fix call_trans2findfirst() to use filename_convert_smb1_search_path().
    
    filename_convert() no longer has to handle wildcards.
    UCF_ALWAYS_ALLOW_WCARD_LCOMP is now unused.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 0f1436ed031b702ab5853b6a21e476a1c47b243c
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 11:22:03 2021 -0800

    CVE-2021-44141: s3: smbd: Convert reply_search() to use filename_convert_smb1_search_path().
    
    Cleans up this code path nicely !
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit e6d9ef3b1e8e19c1b02a3320a619464b1c319a51
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 10:35:09 2021 -0800

    CVE-2021-44141: s3: smbd: Add filename_convert_smb1_search_path() - deals with SMB1 search pathnames.
    
    SMB1search and trans2 findfirst are unique in that
    they are the only passed in pathnames that can contain
    a terminal wildcard component.
    
    Deal with these two special cases with this new function
    that strips off the terminal wildcard and returns as
    the mask, and pass the non-wildcard parent directory
    component through the standard filename_convert().
    
    Uses new helper function strip_gmt_from_raw_dfs().
    
    When SMB1search and trans2 findfirst have been
    converted to use this function, we can strip all
    wildcard handling out of filename_convert() as
    we now know it will only ever be given valid
    pathnames.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
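
A simplified model of the split described in the commit above, added here as an illustration; it is not Samba's code. The names `convert_plain_path()`, `split_search_path()` and `enum path_status` are assumptions of this sketch, which only shows why the generic converter can reject every wildcard once the search mask has been peeled off.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not Samba's NTSTATUS values). */
enum path_status {
    PATH_OK = 0,
    PATH_NAME_INVALID,  /* wildcard where a plain name is required */
    PATH_TOO_LONG       /* caller's buffer is too small */
};

/* SMB wildcard characters, including the DOS-style < > " forms. */
static const char WILDCARDS[] = "*?<>\"";

/*
 * Stand-in for the generic converter: used for every request that names
 * one object (open, unlink, rename source and destination). It never has
 * to interpret a wildcard, so any wildcard is simply an invalid name.
 */
enum path_status convert_plain_path(const char *path)
{
    return strpbrk(path, WILDCARDS) != NULL ? PATH_NAME_INVALID : PATH_OK;
}

/*
 * Stand-in for the search-path entry point: only SMB1 search and
 * trans2 findfirst reach this. The terminal component is returned as
 * the mask; the parent directory goes through convert_plain_path(), so
 * a wildcard in any non-terminal component is rejected.
 */
enum path_status split_search_path(const char *path,
                                   char *dir, size_t dirsz,
                                   char *mask, size_t masksz)
{
    const char *sep = strrchr(path, '\\');
    const char *last = (sep != NULL) ? sep + 1 : path;
    size_t dirlen = (sep != NULL) ? (size_t)(sep - path) : 0;
    size_t masklen = strlen(last);

    if (dirlen >= dirsz || masklen >= masksz) {
        return PATH_TOO_LONG;
    }

    memcpy(dir, path, dirlen);
    dir[dirlen] = '\0';
    memcpy(mask, last, masklen + 1);

    /* The mask is never handed to the generic converter. */
    return convert_plain_path(dir);
}

int main(void)
{
    /* Constructed sample paths, not taken from any real capture. */
    const char *samples[] = {
        "dir1\\dir2\\*.txt",   /* wildcard only in the terminal component */
        "*.doc",               /* search in the share root */
        "dir*\\file.txt",      /* wildcard in a parent component */
        "dir1\\file.txt"       /* no wildcard at all */
    };
    char dir[256];
    char mask[256];

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        enum path_status st = split_search_path(samples[i],
                                                dir, sizeof(dir),
                                                mask, sizeof(mask));
        if (st == PATH_OK) {
            printf("%-20s -> dir=\"%s\" mask=\"%s\"\n",
                   samples[i], dir, mask);
        } else {
            printf("%-20s -> rejected (status %d)\n", samples[i], (int)st);
        }
    }
    return 0;
}
```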

commit 5c55cd93e5bd1481e88edd4fa0c76f4679bdfcc6
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 16:14:08 2021 -0800

    CVE-2021-44141: s3: smbd: Allow dfs_redirect() to return a TWRP token it got from a parsed pathname.
    
    This one is subtle. If an SMB1 request has both a DFS path and a @GMT token,
    the unix_convert() inside the DFS path processing will remove the @GMT
    token, not allowing the subsequent unix_convert() inside filename_convert()
    to see it. By returning it from dfs_redirect() we can ensure it's correctly
    added to the smb_filename returned from filename_convert().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 3490db2a38981b10ad165d9815ff026ad1b8513d
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 16:00:26 2021 -0800

    CVE-2021-44141: s3: smbd: In dfs_path_lookup(). If we have a DFS path including a @GMT-token, don't throw away the twrp value when parsing the path.
    
    Not yet used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit f8ecb37606ef65a53fbf45c7a4305454de1e53af
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 10:19:38 2021 -0800

    CVE-2021-44141: s3: smbd: filename_convert() is now a one-to-one wrapper around filename_convert_internal().
    
    Remove filename_convert() and rename filename_convert_internal() -> filename_convert().
    Move the old DEBUG(..) statements to DBG_XXX() so they don't print the wrong name.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 51c024a1b029c0ca66594336d5474b8cc64c4452
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 10:14:03 2021 -0800

    CVE-2021-44141: s3: smbd: Remove now unused check_reduced_name_with_privilege().
    
    We now only have one function that does this check (check_reduced_name()),
    used everywhere.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 3f60b452049e4c10cec414a7da8709f2ceb3f929
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 10:13:13 2021 -0800

    CVE-2021-44141: s3: smbd: Remove unused check_name_with_privilege().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 733e66aa31da219f7bc54cd380451d380d6ca3a1
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Dec 3 10:10:45 2021 -0800

    CVE-2021-44141: s3: smbd: In filename_convert_internal(), remove call to check_name_with_privilege().
    
    We now always pass NULL as struct smb_request *smbreq,
    so this code path can never be taken.
    
    Comment out check_name_with_privilege() as it's now
    no longer used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 46ec23c244bc001a5bb1105a2d1e23ebfdd78ca4
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 17:55:26 2021 -0800

    CVE-2021-44141: s3: smbd: Remove filename_convert_with_privilege(). No longer used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 1c1c7ed99466ace89eb61d4783903b8b8a718e27
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 17:51:42 2021 -0800

    CVE-2021-44141: s3: smbd: In call_trans2findfirst() we don't need filename_convert_with_privilege() anymore.
    
    It was extra-paranoid code now not needed as the new VFS
    version of filename_convert() does the same job.
    
    There are now no remaining callers of filename_convert_with_privilege().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 0163d21c31ad978182adba73bae8f0ee48c69e53
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:51:45 2021 -0800

    CVE-2021-44141: s3: smbd: Remove split_fname_dir_mask().
    
    No longer used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 68ee550a0dd41e31fd6ffdd1aeda8adb3595a8cf
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:49:46 2021 -0800

    CVE-2021-44141: s3: smbd: In rename_internals(), remove the name splitting and re-combining code.
    
    filename_convert() handles mangled names just fine, so we don't
    need to split the last component and check for mangle.
    
    Now we don't take wildcard names this is not needed. This was the
    last caller of split_fname_dir_mask(), so ifdef it out.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 43a9866c46b9a82af34693e5c17c0c627169cb76
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:47:13 2021 -0800

    CVE-2021-44141: s3: smbd: check_name() is now static to filename.c
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 838985e439df0c1b741516ff141da02ecbf5656f
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:45:13 2021 -0800

    CVE-2021-44141: s3: smbd: In rename_internals_fsp(), remove unneeded call to check_name().
    
    All callers have gone through filename_convert(), which has
    already called check_name() on the destination.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 26ecf18b426eb3f2db9d60f02ece2af5e6fa057e
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:35:17 2021 -0800

    CVE-2021-44141: s3: smbd: Handling SMB_FILE_RENAME_INFORMATION, the destination name is a single component.
    
    No errors should be allowed from filename_convert().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit fad0039acabd43eaf6853af60e5d245a2691a664
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:16:52 2021 -0800

    CVE-2021-44141: s3: smbd: Remove the old unlink_internals() implementation.
    
    No longer used. filename_convert() already handles mangled
    names just fine, so we don't need this logic.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit a88596028eac6facd644afa7eb5bf9ed34915c30
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:14:40 2021 -0800

    CVE-2021-44141: s3: smbd: Comment out the old unlink_internals(). Rename do_unlink() -> unlink_internals().
    
    One parameter needs changing position. The logic inside unlink_internals()
    is no longer needed if it doesn't accept wildcards. filename_convert()
    already handles mangled names just fine, so we don't need this logic.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 9fb1d11b2edafe0b2e8fb8cfbe34e1da046b3d97
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:11:20 2021 -0800

    CVE-2021-44141: s3: smbd: Move to modern debug calls inside do_unlink().
    
    We will be changing its name next.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 9907c8af089a6263349566f002747d84edf926d3
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 9 16:08:07 2021 -0800

    CVE-2021-44141: s3: smbd: Move setting of dirtype if FILE_ATTRIBUTE_NORMAL to do_unlink().
    
    Now we don't use wildcards when calling in unlink_internals()
    the logic inside it serves no purpose and can be replaced with
    a direct call to do_unlink() (which we will rename to unlink_internals()).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>

commit 8c1a9ccb546e7677dc05e98bd6aa77681e0d7510
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:40:55 2021 -0800

    CVE-2021-44141: s3: smbd: Remove 'const char *src_original_lcomp' from reply_mv().
    
    No longer used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit fc80b553dc6c6a17fa496e1347174ffb802c3ffb
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:39:42 2021 -0800

    CVE-2021-44141: s3: smbd: Remove 'const char *src_original_lcomp' parameter from rename_internals().
    
    No longer used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit cf2de328ea36011d9f4594bac84fce0b8db0889e
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:35:54 2021 -0800

    CVE-2021-44141: s3: smbd: Inside rename_internals() remove '{ ... }' block around singleton rename code.
    
    Best viewed with 'git show -b'
    
    As we're touching the DEBUG() code, change it to modern DBG_NOTICE().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit be70e606c61cd2da8f27718f5a227728494793e3
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:31:36 2021 -0800

    CVE-2021-44141: s3: smbd: Remove the commented out resolve_wildcards().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit cafca2b7a0eca282d24d8f3571bc14ef725f30e4
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:29:43 2021 -0800

    CVE-2021-44141: s3: smbd: Remove all wildcard code from rename_internals().
    
    We no longer use resolve_wildcards() so comment it out
    for later removal. Keep the '{ ... }' block around the
    singleton rename for now, to keep the diff small.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit ece00d51a7b28ec96c0a173ca40feb61aaf5dbe3
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:26:28 2021 -0800

    CVE-2021-44141: s3: smbd: Remove dest_has_wild and all associated code from rename_internals()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 848b891d978d928dc3199f7f1e146bfc0b7ab988
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:25:03 2021 -0800

    CVE-2021-44141: s3: smbd: Prepare to remove wildcard matching from rename_internals().
    
    src_has_wild and dest_has_wild can never be true.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 992864a49f099052c452eb5e1da733f39294d94a
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:17:51 2021 -0800

    CVE-2021-44141: s3: smbd: In reply_ntrename() remove 'bool dest_has_wcard' and all uses.
    
    It's always false now.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit c7678425514417b524800e65098bc8608849c457
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:14:57 2021 -0800

    CVE-2021-44141: s3: smbd: In reply_ntrename(), never set dest_has_wcard.
    
    It can never be true.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 9d0c2fd42fc77de7a9748ef2ecd7d284b5105e37
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:12:46 2021 -0800

    CVE-2021-44141: s3: smbd: In reply_ntrename() remove the UCF_ALWAYS_ALLOW_WCARD_LCOMP flag for destination lookups.
    
    We know the destination will never be a wildcard.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 07b47529426d4623270c2541b840bf71cfca9d59
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:08:13 2021 -0800

    CVE-2021-44141: s3: smbd: In SMBntrename (0xa5) prevent wildcards in destination name.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 7b0eba7ff03aa79400c4dbac224122209c8e8995
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 16:07:07 2021 -0800

    CVE-2021-44141: s3: smbd: In smb_file_rename_information() (SMB_FILE_RENAME_INFORMATION info level) prevent destination wildcards.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 410126c7fb939c3bebee318376602e5084a93e12
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 13:56:31 2021 -0800

    CVE-2021-44141: s3: smbd: Remove UCF_ALWAYS_ALLOW_WCARD_LCOMP flag from pathname processing in reply_mv().
    
    We are no longer supporting wildcard rename via SMBmv (0x7)
    as WindowsXP SMB1 and above do not use it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 945c9264243c811346d28ce0aeb740bdbe1083dc
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 13:03:03 2021 -0800

    CVE-2021-44141: s3: smbd: Remove 'bool has_wild' parameter from unlink_internals().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit e4c3d31854fa1969d946bd6a7cfcf25db5d21d7b
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 12:53:29 2021 -0800

    CVE-2021-44141: s3: smbd: Change unlink_internals() to ignore has_wild parameter.
    
    It's always passed as false now so we can remove the (horrible)
    enumeration code for unlink.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 79ae11f3cb464ffe381c62451ad38125f1872156
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 12:31:44 2021 -0800

    CVE-2021-44141: s3: smbd: In reply_unlink() remove the possibility of receiving a wildcard name.
    
    This was the only user of "has_wild=true" passed to
    unlink_internals().
    
    Next commit will remove this functionality from unlink_internals().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit d57802650f48391ef906283963c86e31466702c4
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 12:24:07 2021 -0800

    CVE-2021-44141: s3: smbd: Remove support for SMBcopy SMB_COM_COPY (0x29)
    
    It's not used in our client code or tested.
    
    From MS-CIFS.
    
    This command was introduced in the LAN Manager 1.0 dialect
    It was rendered obsolete in the NT LAN Manager dialect.
    This command was used to perform server-side file copies, but
    is no longer used. Clients SHOULD
    NOT send requests using this command code.
    Servers receiving requests with this command code
    SHOULD return STATUS_NOT_IMPLEMENTED (ERRDOS/ERRbadfunc).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 80d8a557dda29441f4091ec76bed86d23fd3f223
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 12:18:35 2021 -0800

    CVE-2021-44141: s3: torture: Remove the wildcard unlink test code.
    
    This is pre-WindowsXP SMB1 functionality, and we
    need to remove this from the server in order to
    move towards SMB2-only, so the test must go.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 05d2d29964ef5ef0e519b9621002138423d99bf9
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 13:22:39 2021 -0800

    CVE-2021-44141: s4: torture: Remove the wildcard rename test code.
    
    This is pre-WindowsXP SMB1 functionality, and we
    need to remove this from the server in order to
    move towards SMB2-only, so the test must go.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit b39ba559c078b371a3b212a4c26e589fae811417
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 12:05:20 2021 -0800

    CVE-2021-44141: s4: torture: Remove the wildcard unlink test code.
    
    This is pre-WindowsXP SMB1 functionality, and we
    need to remove this from the server in order to
    move towards SMB2-only, so the test must go.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 6c40cda03e7011fe6ad7df2170a11bcfcce38e40
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:10:41 2021 -0800

    CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_unlink_test() use a valid pathname for rename target.
    
    The server will not be supporting wildcard rename soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit c249f1d09d60fb637a118c0ade7714cc3fcb1866
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:21:47 2021 -0800

    CVE-2021-44141: s3: torture: In torture_mangle(), use torture_deltree() for setup and cleanup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit cf109e26b7ae918833cb4610dbcba8dc9f7c5bc0
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:20:07 2021 -0800

    CVE-2021-44141: s3: torture: In test_mask(), use torture_deltree() for setup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 8349c57f76fcd53810620fc79d6b892ed2141ae6
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:18:56 2021 -0800

    CVE-2021-44141: s3: torture: In run_streamerror(), use torture_deltree() for setup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit ff64b0f32d0f0b41926badff7aab53c32759bc94
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:16:38 2021 -0800

    CVE-2021-44141: s3: torture: In torture_chkpath_test(), use torture_deltree() for setup and cleanup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 18ac36f7aed4e46f2c029d67c0e97ce4c32e9bbe
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:14:53 2021 -0800

    CVE-2021-44141: s3: torture: In torture_casetable(), use torture_deltree() for setup and cleanup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 04304b9f92cb6b17fa368ed039f84f3a75cf9016
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:13:41 2021 -0800

    CVE-2021-44141: s3: torture: In torture_utable(), use torture_deltree() for setup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 919b3c8d3fb9c5248a79ff01e096353cab3fd9f0
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 13:51:12 2021 -0800

    CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_rename_test() use torture_deltree() for setup and cleanup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 74fe15a05ad913112c4a76431b9e280e17ab2ee4
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 12:51:54 2021 -0800

    CVE-2021-44141: s3: torture: In run_smb1_wild_mangle_unlink_test() use torture_deltree() for setup and cleanup.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 57fbf7564c7a0bea68ec80f774deb2fba22f3afb
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 13:47:07 2021 -0800

    CVE-2021-44141: s3: torture: Add torture_deltree() for setup and teardown.
    
    Not yet used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit db095ee5f039dc079200f1791c62c168ec57f2aa
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 14:23:10 2021 -0800

    CVE-2021-44141: s4: libcli: smbcli_unlink() is no longer used with wildcard patterns.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 2cfbfd3e0a6fd012944cad4e0fe7fe2a8688b7cc
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 18:08:32 2021 -0800

    CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to setup and cleanup in masktest.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit ee3a5f2ee00cbd78446cff2e815f6cf3600e17a8
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 18:03:57 2021 -0800

    CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() in base.casetable test.
    
    Avoid smbcli_unlink() calls with a wildcard path.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 745d08fe10a824ef1fe1fcf57fadfd6c8b6ae216
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 17:58:58 2021 -0800

    CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to cleanup in base.mangle test.
    
    Avoid using smbcli_unlink() calls with wildcard names.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 6f9580493e250a00d100a3f96253d00bd4294b55
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Dec 1 17:52:37 2021 -0800

    CVE-2021-44141: s4: torture: Use smbcli_unlink_wcard() to remove wildcards in base.chkpath test.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit a0fd6cd62f3d773371fa5f460306a562e524e6eb
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 12:08:49 2021 -0800

    CVE-2021-44141: s4: torture: In raw.notify test use smbcli_unlink_wcard() in place of smbcli_unlink().
    
    We know we have a wildcard mask here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit cf661f306afaf66feeea11bb2d9e7f7e3c988914
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 12:10:14 2021 -0800

    CVE-2021-44141: s4: libcli: In smbcli_deltree() use smbcli_unlink_wcard() in place of smbcli_unlink().
    
    We know we have a wildcard mask here.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 550ece56400dc7391296943cf93ce0a4e54f9843
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Dec 2 12:05:51 2021 -0800

    CVE-2021-44141: s4: libcli: Add smbcli_unlink_wcard().
    
    We will use this in place of smbcli_unlink() when we
    know we are using a wildcard pattern. It can be used
    to generally replace smbcli_unlink() as it calls down
    to smbcli_unlink() if no wildcard is detected.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14911
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>

commit 0e2b3fb982d1f53d111e10d9197ed2ec2e13712c
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 13 17:03:02 2022 +0100

    CVE-2021-44142: libadouble: harden parsing code
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 4533a7b4319cd95815d2dcd5fe5075539fb850e5
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Nov 25 15:04:03 2021 +0100

    CVE-2021-44142: libadouble: add basic cmocka tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    [slow at samba.org: conflict due to missing test in selftest/tests.py]

commit b4c0b4620f12055207adb0519c8d91c3021f354a
Author: Ralph Boehme <slow at samba.org>
Date:   Fri Nov 26 07:19:32 2021 +0100

    CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
    
    This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
    which is used for parsing ._ AppleDouble sidecar files, and the buffer
    ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
    buffer out-of-bounds access checks in ad_unpack_xattrs().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 22b4091924977f6437b59627f33a8e6f02b41011
Author: Ralph Boehme <slow at samba.org>
Date:   Sat Nov 20 16:36:42 2021 +0100

    CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs
    
    This is an internal xattr that should not be user visible.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit eee61be9b5867b63b73b0b1fea03f44a4e1235b7
Author: Ralph Boehme <slow at samba.org>
Date:   Thu Jan 13 16:48:01 2022 +0100

    CVE-2021-44142: libadouble: add defines for icon lengths
    
    From https://www.ietf.org/rfc/rfc1740.txt
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>

commit 7a516257ea310fa045bdf14e677eaa97f2a83c33
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jan 18 12:02:45 2022 +1300

    CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
    
    If an added SPN already exists on an object, we still want to check the
    rest of the element values for conflicts.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

commit d392b10c55bbcedda01fdd87fe6035fa3a6986b3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jan 18 11:56:38 2022 +1300

    CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
    
    This test currently fails, as re-adding an SPN means that later checks
    do not run.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |   58 +-
 python/samba/tests/ldap_spn.py                     |    7 +
 selftest/target/Samba3.pm                          |    2 +-
 selftest/tests.py                                  |    2 +
 selftest/todo_smb2_tests_to_port.list              |    2 -
 source3/client/client.c                            |   79 ++
 source3/lib/adouble.c                              |  136 +-
 source3/lib/adouble.h                              |    2 +
 source3/lib/test_adouble.c                         |  389 ++++++
 source3/printing/nt_printing.c                     |    2 +-
 source3/script/tests/test_acl_xattr.sh             |   12 +-
 source3/script/tests/test_inherit_owner.sh         |    2 +-
 source3/script/tests/test_smbclient_s3.sh          |   10 +-
 .../script/tests/test_symlink_rename_smb1_posix.sh |  186 +++
 .../script/tests/test_symlink_traversal_smb1.sh    |  263 ++++
 .../tests/test_symlink_traversal_smb1_posix.sh     |  270 ++++
 .../script/tests/test_symlink_traversal_smb2.sh    |  263 ++++
 source3/selftest/tests.py                          |   22 +-
 source3/smbd/filename.c                            |  665 ++++++----
 source3/smbd/msdfs.c                               |   30 +-
 source3/smbd/nttrans.c                             |   50 +-
 source3/smbd/open.c                                |   13 +-
 source3/smbd/proto.h                               |   22 +-
 source3/smbd/reply.c                               | 1344 ++------------------
 source3/smbd/smbd.h                                |    2 +-
 source3/smbd/trans2.c                              |  194 +--
 source3/smbd/vfs.c                                 |  191 +--
 source3/torture/mangle_test.c                      |    9 +-
 source3/torture/masktest.c                         |    3 +-
 source3/torture/proto.h                            |    1 +
 source3/torture/torture.c                          |  238 ++--
 source3/torture/utable.c                           |    8 +-
 source3/wscript_build                              |    5 +
 source4/dsdb/samdb/ldb_modules/samldb.c            |    3 +-
 source4/libcli/clideltree.c                        |    2 +-
 source4/libcli/clifile.c                           |  100 +-
 source4/libcli/libcli.h                            |    5 +
 source4/torture/basic/base.c                       |    4 +-
 source4/torture/basic/mangle_test.c                |    2 +-
 source4/torture/basic/utable.c                     |    2 +-
 source4/torture/masktest.c                         |    2 +-
 source4/torture/raw/notify.c                       |    2 +-
 source4/torture/raw/rename.c                       |   33 -
 source4/torture/raw/search.c                       |  161 ++-
 source4/torture/raw/unlink.c                       |   72 --
 source4/torture/unix/unix_info2.c                  |   42 +-
 47 files changed, 2698 insertions(+), 2216 deletions(-)
 create mode 100644 source3/lib/test_adouble.c
 create mode 100755 source3/script/tests/test_symlink_rename_smb1_posix.sh
 create mode 100755 source3/script/tests/test_symlink_traversal_smb1.sh
 create mode 100755 source3/script/tests/test_symlink_traversal_smb1_posix.sh
 create mode 100755 source3/script/tests/test_symlink_traversal_smb2.sh


Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION
index ad5995baf95..8583d916565 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
 ########################################################
 SAMBA_VERSION_MAJOR=4
 SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
 
 ########################################################
 # If a official release has a serious bug              #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 9cb58de2a61..292c34457df 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,58 @@
+                   ==============================
+                   Release Notes for Samba 4.15.5
+                          January 31, 2022
+                   ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
+                  of a symlink exists.
+                  https://www.samba.org/samba/security/CVE-2021-44141.html
+
+o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
+                  https://www.samba.org/samba/security/CVE-2021-44142.html
+
+o CVE-2022-0336:  Re-adding an SPN skips subsequent SPN conflict checks.
+                  https://www.samba.org/samba/security/CVE-2022-0336.html
+
+
+Changes since 4.15.4
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14911: CVE-2021-44141
+
+o  Ralph Boehme <slow at samba.org>
+   * BUG 14914: CVE-2021-44142
+
+o  Joseph Sutton <josephsutton at catalyst.net.nz>
+   * BUG 14950: CVE-2022-0336
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.libera.chat or the
+#samba-technical:matrix.org matrix channel.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
                    ==============================
                    Release Notes for Samba 4.15.4
                           January 19, 2022
@@ -61,8 +116,7 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
                    ==============================
                    Release Notes for Samba 4.15.3
                          December 08, 2021
diff --git a/python/samba/tests/ldap_spn.py b/python/samba/tests/ldap_spn.py
index 8a398ffaa49..6ebdf8f9a32 100644
--- a/python/samba/tests/ldap_spn.py
+++ b/python/samba/tests/ldap_spn.py
@@ -268,6 +268,8 @@ class LdapSpnTestBase(TestCase):
             for k in ('dNSHostName', 'servicePrincipalName'):
                 if isinstance(m.get(k), str):
                     m[k] = m[k].format(dnsname=f"x.{REALM}")
+                elif isinstance(m.get(k), list):
+                    m[k] = [x.format(dnsname=f"x.{REALM}") for x in m[k]]
 
             msg = ldb.Message.from_dict(samdb, m, op)
 
@@ -727,6 +729,11 @@ class LdapSpnSambaOnlyTest(LdapSpnTestBase):
          ('user:C', 'host/{dnsname}', '*', ok),
          ('user:D', 'www/{dnsname}', 'D', denied),
         ),
+        ("add a conflict, along with a re-added SPN",
+         ('A', 'cifs/{dnsname}', '*', ok),
+         ('B', 'cifs/heeble.example.net', 'B', ok),
+         ('B', ['cifs/heeble.example.net', 'host/{dnsname}'], 'B', constraint),
+        ),
 
         ("changing dNSHostName after host",
          ('A', {'dNSHostName': '{dnsname}'}, '*', ok),
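Review bot: the new case "add a conflict, along with a re-added SPN" exercises only one ordering, with the already-present 'cifs/heeble.example.net' listed first and the conflicting 'host/{dnsname}' second. WHATSNEW describes the defect as a re-added SPN skipping the conflict checks that follow it, so a second case with the list reversed (['host/{dnsname}', 'cifs/heeble.example.net']) would show that the constraint error does not depend on position in the list. A short comment naming CVE-2022-0336 above the case would also tie it to the defect it guards.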
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 84903b87d3e..b901fd2677a 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -2496,7 +2496,7 @@ sub provision($$)
 	create_file_chmod("$widelinks_target", 0666) or return undef;
 
 	##
-	## This link should get ACCESS_DENIED
+	## This link should get an error
 	##
 	symlink "$widelinks_target", "$widelinks_shrdir/source";
 	##
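Review bot: the comment on the widelinks symlink now says only "an error", which is vaguer than the ACCESS_DENIED it replaces. The commit log for f03c42ea77f says test_widelinks() and test_nosymlinks() now expect NT_STATUS_OBJECT_NAME_NOT_FOUND; naming that status here keeps the provisioning comment useful to whoever next debugs the test.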
diff --git a/selftest/tests.py b/selftest/tests.py
index e7338985caf..c87b41c1a66 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -434,3 +434,5 @@ if with_elasticsearch_backend:
                   [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
 plantestsuite("samba.unittests.credentials", "none",
               [os.path.join(bindir(), "default/auth/credentials/test_creds")])
+plantestsuite("samba.unittests.adouble", "none",
+              [os.path.join(bindir(), "test_adouble")])
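Review bot: the binary path for samba.unittests.adouble is os.path.join(bindir(), "test_adouble"), while the two suites directly above resolve theirs under "default/..." ("default/source3/test_mdsparser_es" and "default/auth/credentials/test_creds"). If both forms are valid in this tree that is fine, but it is worth confirming the test binary is actually found at the top of bindir(), so the new bounds-check unit test cannot be planned and then quietly not run.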
diff --git a/selftest/todo_smb2_tests_to_port.list b/selftest/todo_smb2_tests_to_port.list
index a9d7b8b48c5..dc1df963918 100644
--- a/selftest/todo_smb2_tests_to_port.list
+++ b/selftest/todo_smb2_tests_to_port.list
@@ -242,7 +242,6 @@ samba3.smbtorture_s3.crypt_client.TRANS2(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.UID-REGRESSION-TEST(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.UNLINK(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.W2K(nt4_dc_smb1)
-samba3.smbtorture_s3.crypt_client.WILDDELETE(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt_client.XCOPY(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt.POSIX-ACL-OPLOCK(nt4_dc_smb1)
 samba3.smbtorture_s3.crypt.POSIX-ACL-SHAREROOT(nt4_dc_smb1)
@@ -327,7 +326,6 @@ samba3.smbtorture_s3.plain.TRANS2(fileserver_smb1)
 samba3.smbtorture_s3.plain.UID-REGRESSION-TEST(fileserver_smb1)
 samba3.smbtorture_s3.plain.UNLINK(fileserver_smb1)
 samba3.smbtorture_s3.plain.W2K(fileserver_smb1)
-samba3.smbtorture_s3.plain.WILDDELETE(fileserver_smb1)
 samba3.smbtorture_s3.plain.WINDOWS-BAD-SYMLINK(nt4_dc_smb1)
 samba3.smbtorture_s3.plain.XCOPY(fileserver_smb1)
 samba3.smbtorture_s3.vfs_aio_fork(fileserver_smb1).RW1(fileserver_smb1)
diff --git a/source3/client/client.c b/source3/client/client.c
index a8e11044b39..5ad6ee7b844 100644
--- a/source3/client/client.c
+++ b/source3/client/client.c
@@ -2839,6 +2839,11 @@ static int cmd_posix_open(void)
 		d_printf("posix_open <filename> 0<mode>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_open\" command can be used.\n");
+		return 1;
+	}
 	mode = (mode_t)strtol(buf, (char **)NULL, 8);
 
 	status = cli_resolve_path(ctx, "",
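Review bot: this five-line guard is pasted into fourteen command handlers in this file, differing only in the command name in the message, and the continuation-line indentation already varies between copies (tab-aligned here, tab plus one space from cmd_link onwards). A small helper that takes the command name, prints the message and returns whether POSIX pathnames are active would remove the duplication. It would also give one place to document why CLI_DIRSEP_CHAR != '/' is the test for "the posix command has been issued", which is not obvious at the call sites.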
@@ -2900,6 +2905,11 @@ static int cmd_posix_mkdir(void)
 		d_printf("posix_mkdir <filename> 0<mode>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_mkdir\" command can be used.\n");
+		return 1;
+	}
 	mode = (mode_t)strtol(buf, (char **)NULL, 8);
 
 	status = cli_resolve_path(ctx, "",
@@ -2934,6 +2944,11 @@ static int cmd_posix_unlink(void)
 		d_printf("posix_unlink <filename>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_unlink\" command can be used.\n");
+		return 1;
+	}
 	mask = talloc_asprintf(ctx,
 			"%s%s",
 			client_get_cur_dir(),
@@ -2979,6 +2994,11 @@ static int cmd_posix_rmdir(void)
 		d_printf("posix_rmdir <filename>\n");
 		return 1;
 	}
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_rmdir\" command can be used.\n");
+		return 1;
+	}
 	mask = talloc_asprintf(ctx,
 			"%s%s",
 			client_get_cur_dir(),
@@ -3178,6 +3198,12 @@ static int cmd_lock(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"lock\" command can be used.\n");
+		return 1;
+	}
+
 	len = (uint64_t)strtol(buf, (char **)NULL, 16);
 
 	status = cli_posix_lock(cli, fnum, start, len, true, lock_type);
@@ -3214,6 +3240,12 @@ static int cmd_unlock(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"unlock\" command can be used.\n");
+		return 1;
+	}
+
 	len = (uint64_t)strtol(buf, (char **)NULL, 16);
 
 	status = cli_posix_unlock(cli, fnum, start, len);
@@ -3237,6 +3269,12 @@ static int cmd_posix_whoami(void)
 	bool guest = false;
 	uint32_t i;
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			"the \"posix_whoami\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_whoami(cli,
 			ctx,
 			&uid,
@@ -3374,6 +3412,12 @@ static int cmd_link(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"link\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_hardlink(targetcli, targetname, newname);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s linking files (%s -> %s)\n",
@@ -3427,6 +3471,12 @@ static int cmd_readlink(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"readlink\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_readlink(targetcli, name, talloc_tos(), &linkname);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s readlink on file %s\n",
@@ -3466,6 +3516,11 @@ static int cmd_symlink(void)
 	link_target = buf;
 
 	if (SERVER_HAS_UNIX_CIFS(cli)) {
+		if (CLI_DIRSEP_CHAR != '/') {
+			d_printf("Command \"posix\" must be issued before "
+				"the \"symlink\" command can be used.\n");
+			return 1;
+		}
 		newname = talloc_asprintf(ctx, "%s%s", client_get_cur_dir(),
 					  buf2);
 		if (!newname) {
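Review bot: in cmd_symlink() the guard sits inside the SERVER_HAS_UNIX_CIFS(cli) branch rather than ahead of the operation as in the other handlers, so it is only reached when the server advertises UNIX extensions. That looks intentional, but a one-line comment saying that any path not taking this branch does not need POSIX pathnames would stop a later cleanup from hoisting the check to the top of the function.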
@@ -3549,6 +3604,12 @@ static int cmd_chmod(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"chmod\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_chmod(targetcli, targetname, mode);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s chmod file %s 0%o\n",
@@ -3713,6 +3774,12 @@ static int cmd_getfacl(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"getfacl\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_unix_extensions_version(targetcli, &major, &minor,
 					     &caplow, &caphigh);
 	if (!NT_STATUS_IS_OK(status)) {
@@ -4012,6 +4079,12 @@ static int cmd_stat(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"stat\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_stat(targetcli, targetname, &sbuf);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s stat file %s\n",
@@ -4126,6 +4199,12 @@ static int cmd_chown(void)
 		return 1;
 	}
 
+	if (CLI_DIRSEP_CHAR != '/') {
+		d_printf("Command \"posix\" must be issued before "
+			 "the \"chown\" command can be used.\n");
+		return 1;
+	}
+
 	status = cli_posix_chown(targetcli, targetname, uid, gid);
 	if (!NT_STATUS_IS_OK(status)) {
 		d_printf("%s chown file %s uid=%d, gid=%d\n",
diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c
index f809a445081..37fb686f17b 100644
--- a/source3/lib/adouble.c
+++ b/source3/lib/adouble.c
@@ -269,6 +269,95 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
 	return ad->ad_eid[eid].ade_off = off;
 }
 
+/*
+ * All entries besides FinderInfo and resource fork must fit into the
+ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
+ * if it contains marshalled xattrs, which we will fixup that in
+ * ad_convert(). The first 32 bytes however must also be part of the buffer.
+ *
+ * The resource fork is never accessed directly by the ad_data buf.
+ */
+static bool ad_entry_check_size(uint32_t eid,
+				size_t bufsize,
+				uint32_t off,
+				uint32_t got_len)
+{
+	struct {
+		off_t expected_len;
+		bool fixed_size;
+		bool minimum_size;
+	} ad_checks[] = {
+		[ADEID_DFORK] = {-1, false, false}, /* not applicable */
+		[ADEID_RFORK] = {-1, false, false}, /* no limit */
+		[ADEID_NAME] = {ADEDLEN_NAME, false, false},
+		[ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
+		[ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
+		[ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
+		[ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
+		[ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
+		[ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
+		[ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
+		[ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
+		[ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
+		[ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
+		[ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
+		[ADEID_DID] = {ADEDLEN_DID, true, false},
+		[ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
+		[ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
+		[ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
+		[ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
+	};
+
+	if (eid >= ADEID_MAX) {
+		return false;
+	}
+	if (got_len == 0) {
+		/* Entry present, but empty, allow */
+		return true;
+	}
+	if (ad_checks[eid].expected_len == 0) {
+		/*
+		 * Shouldn't happen: implicitly initialized to zero because
+		 * explicit initializer missing.
+		 */
+		return false;
+	}
+	if (ad_checks[eid].expected_len == -1) {
+		/* Unused or no limit */
+		return true;
+	}
+	if (ad_checks[eid].fixed_size) {
+		if (ad_checks[eid].expected_len != got_len) {
+			/* Wrong size fo fixed size entry. */
+			return false;
+		}
+	} else {
+		if (ad_checks[eid].minimum_size) {
+			if (got_len < ad_checks[eid].expected_len) {
+				/*
+				 * Too small for variable sized entry with
+				 * minimum size.
+				 */
+				return false;
+			}
+		} else {
+			if (got_len > ad_checks[eid].expected_len) {
+				/* Too big for variable sized entry. */
+				return false;
+			}
+		}
+	}
+	if (off + got_len < off) {
+		/* wrap around */
+		return false;
+	}
+	if (off + got_len > bufsize) {
+		/* overflow */
+		return false;
+	}
+	return true;
+}
+
 /**
  * Return a pointer to an AppleDouble entry
  *
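Review bot: ad_checks[] is sized by its highest designated initializer, [ADEID_PRIVID], but the range test is "eid >= ADEID_MAX"; unless ADEID_MAX is exactly ADEID_PRIVID + 1, which these lines do not show, ad_checks[eid] can still index past the table. Declaring it as ad_checks[ADEID_MAX], or testing against ARRAY_SIZE(ad_checks), makes the bound hold by construction, and making the table static const avoids rebuilding it on every call. Smaller points: expected_len is off_t while got_len is uint32_t, so the fixed-size and minimum/maximum comparisons mix signedness, and the comments contain "larger then", "which we will fixup that in" and "fo fixed size".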
@@ -276,8 +365,15 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
  **/
 char *ad_get_entry(const struct adouble *ad, int eid)
 {
+	size_t bufsize = talloc_get_size(ad->ad_data);
 	off_t off = ad_getentryoff(ad, eid);
 	size_t len = ad_getentrylen(ad, eid);
+	bool valid;
+
+	valid = ad_entry_check_size(eid, bufsize, off, len);
+	if (!valid) {
+		return NULL;
+	}
 
 	if (off == 0 || len == 0) {
 		return NULL;
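Review bot: eid is range-checked only inside ad_entry_check_size(), after ad_getentryoff(ad, eid) and ad_getentrylen(ad, eid) have already run in the declarations; if those index ad->ad_eid[eid] the way ad_setentryoff() does in the context of the previous hunk, an out-of-range eid is used as an index before it is rejected. Validating eid first and only then reading off and len closes that. Also, off (off_t) and len (size_t) are narrowed to the helper's uint32_t parameters at the call, so a value above UINT32_MAX would be truncated before it is checked. Finally, ad_get_entry() now returns NULL for entries that previously yielded a pointer, so every call site needs a NULL check.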
@@ -707,14 +803,27 @@ static bool ad_pack(struct vfs_handle_struct *handle,
 static bool ad_unpack_xattrs(struct adouble *ad)
 {
 	struct ad_xattr_header *h = &ad->adx_header;
+	size_t bufsize = talloc_get_size(ad->ad_data);
 	const char *p = ad->ad_data;
 	uint32_t hoff;
 	uint32_t i;
 
+	if (ad->ad_type != ADOUBLE_RSRC) {
+		return false;
+	}
+
 	if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
 		return true;
 	}
 
+	/*
+	 * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
+	 * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
+	 */
+	if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
+		return false;
+	}
+
 	/* 2 bytes padding */
 	hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
 
@@ -901,20 +1010,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
 			return false;
 		}
 
-		/*
-		 * All entries besides FinderInfo and resource fork
-		 * must fit into the buffer. FinderInfo is special as
-		 * it may be larger then the default 32 bytes (if it
-		 * contains marshalled xattrs), but we will fixup that
-		 * in ad_convert(). And the resource fork is never
-		 * accessed directly by the ad_data buf (also see
-		 * comment above) anyway.
-		 */
-		if ((eid != ADEID_RFORK) &&
-		    (eid != ADEID_FINDERI) &&
-		    ((off + len) > bufsize)) {
-			DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
-				  eid, off, len));
+		ok = ad_entry_check_size(eid, bufsize, off, len);
+		if (!ok) {
+			DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
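Review bot: the removed condition exempted both ADEID_RFORK and ADEID_FINDERI from the "(off + len) > bufsize" test, but ad_entry_check_size() exempts only the resource fork (expected_len of -1); FinderInfo gets a minimum-size check and then the same "off + got_len > bufsize" bound as every other entry. The helper's comment says the first 32 bytes of FinderInfo must be part of the buffer, which reads as a weaker requirement than what the code enforces. Either the comment or the check should be adjusted to say which is meant, since a FinderInfo entry carrying marshalled xattrs is now rejected here unless it fits entirely in the buffer.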


-- 
Samba Shared Repository


