[SCM] Samba Shared Repository - branch v4-15-test updated
Jule Anger
janger at samba.org
Tue Oct 25 09:45:42 UTC 2022
The branch, v4-15-test has been updated
via 1e557547523 VERSION: Bump version up to Samba 4.15.12...
via 37595203ef3 VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.
via c074cc854b9 WHATSNEW: Add release notes for Samba 4.15.11.
via e9db0373600 CVE-2022-3437 source4/heimdal: Pass correct length to _gssapi_verify_pad()
via 77e0f2febaa CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()
via 1aca3451551 CVE-2022-3437 source4/heimdal: Check buffer length against overflow for DES{,3} unwrap
via ebac8bf0478 CVE-2022-3437 source4/heimdal: Check the result of _gsskrb5_get_mech()
via 5a62eb5734d CVE-2022-3437 source4/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
via 9f6f1e01aca CVE-2022-3437 source4/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
via 5f6dbf2ab29 CVE-2022-3437 source4/heimdal: Use constant-time memcmp() in unwrap_des3()
via c22914f845b CVE-2022-3437 source4/heimdal: Use constant-time memcmp() for arcfour unwrap
via 310bffc0855 CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
via a49a3ac8e08 CVE-2022-3437 source4/heimdal_build: Add gssapi-subsystem subsystem
via fe1204d9da2 CVE-2022-3437 source4/heimdal: Remove __func__ compatibility workaround
via 9f658aa5fe2 .gitlab-ci: Work around new git restrictions arising from CVE-2022-24765
via 52ed3d07fd5 bootstrap: Migrate to CentOS8 Stream
via ae64b3bfc18 bootstrap: chown the whole cloned repo, not just the subfolders
via 6881b17bf27 bootstrap: Fix CentOS8 runner
from 1ad45400995 VERSION: Bump version up to Samba 4.15.11...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test
- Log -----------------------------------------------------------------
commit 1e557547523629ffa44ad40f89c9256f1ff90965
Author: Jule Anger <janger at samba.org>
Date: Tue Oct 25 11:43:56 2022 +0200
VERSION: Bump version up to Samba 4.15.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-main.yml | 10 +-
VERSION | 2 +-
WHATSNEW.txt | 54 +-
bootstrap/.gitlab-ci.yml | 4 +-
bootstrap/config.py | 15 +-
bootstrap/generated-dists/Vagrantfile | 10 +-
.../{centos8 => centos8s}/Dockerfile | 2 +-
.../{centos8 => centos8s}/bootstrap.sh | 5 +-
.../{centos8 => centos8s}/locale.sh | 0
.../{centos8 => centos8s}/packages.yml | 0
bootstrap/sha1sum.txt | 2 +-
selftest/tests.py | 5 +
source4/auth/tests/heimdal_unwrap_des.c | 1247 ++++++++++++++++++++
source4/auth/wscript_build | 21 +
source4/heimdal/lib/gssapi/krb5/arcfour.c | 24 +-
source4/heimdal/lib/gssapi/krb5/decapsulate.c | 12 +-
source4/heimdal/lib/gssapi/krb5/unwrap.c | 34 +-
source4/heimdal/lib/krb5/krb5_locl.h | 4 -
source4/heimdal_build/wscript_build | 14 +-
19 files changed, 1401 insertions(+), 64 deletions(-)
rename bootstrap/generated-dists/{centos8 => centos8s}/Dockerfile (90%)
rename bootstrap/generated-dists/{centos8 => centos8s}/bootstrap.sh (93%)
rename bootstrap/generated-dists/{centos8 => centos8s}/locale.sh (100%)
rename bootstrap/generated-dists/{centos8 => centos8s}/packages.yml (100%)
create mode 100644 source4/auth/tests/heimdal_unwrap_des.c
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 125b3901832..e0b9b9d20b9 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -42,7 +42,7 @@ variables:
# Set this to the contents of bootstrap/sha1sum.txt
# which is generated by bootstrap/template.py --render
#
- SAMBA_CI_CONTAINER_TAG: dd2b9a1848eed2d200e1a525695e40f06c23d888
+ SAMBA_CI_CONTAINER_TAG: fbf9c4c8a2055936d4ca279878df7811af46d86d
#
# We use the ubuntu1804 image as default as
# it matches what we have on sn-devel-184.
@@ -64,7 +64,7 @@ variables:
SAMBA_CI_CONTAINER_IMAGE_fedora33: fedora33
SAMBA_CI_CONTAINER_IMAGE_fedora34: fedora34
SAMBA_CI_CONTAINER_IMAGE_centos7: centos7
- SAMBA_CI_CONTAINER_IMAGE_centos8: centos8
+ SAMBA_CI_CONTAINER_IMAGE_centos8s: centos8s
include:
# The image creation details are specified in a separate file
@@ -137,6 +137,8 @@ include:
- export CXX="ccache c++"
- ccache -z -M 500M
- ccache -s
+ # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
+ - git config --global --add safe.directory `pwd`
after_script:
- mount
- df -h
@@ -594,10 +596,10 @@ centos7-samba-o3:
# We need a newer GnuTLS version on CentOS7
PKG_CONFIG_PATH: "/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig"
-centos8-samba-o3:
+centos8s-samba-o3:
extends: .samba-o3-template
variables:
- SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8}
+ SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8s}
fedora33-samba-o3:
extends: .samba-o3-template
diff --git a/VERSION b/VERSION
index 5bcf8ec242d..1a5355b8a03 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=11
+SAMBA_VERSION_RELEASE=12
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 8c22b675d54..b62e20cbc53 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,54 @@
+ ===============================
+ Release Notes for Samba 4.15.11
+ October 25, 2022
+ ===============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
+ unwrap_des() and unwrap_des3() routines of Heimdal (included
+ in Samba).
+ https://www.samba.org/samba/security/CVE-2022-3437.html
+
+Changes since 4.15.10
+---------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+ 4.15.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba
+ 4.15.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15134: CVE-2022-3437.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
===============================
Release Notes for Samba 4.15.10
September 28, 2022
@@ -61,8 +112,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.15.9
July 27, 2022
diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml
index 33534f5f1dd..58e0642a70d 100644
--- a/bootstrap/.gitlab-ci.yml
+++ b/bootstrap/.gitlab-ci.yml
@@ -47,7 +47,7 @@ services:
diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt
# run smoke test with samba-o3 or samba-fuzz
docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \
- /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
+ /bin/bash -c "sudo chown -R samba:samba ${samba_repo_root} && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase"
docker tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG}
docker tag ${ci_image_name} ${ci_image_path}:${timestamp_tag}
# We build all images, but only upload is it's not marked as broken
@@ -112,7 +112,7 @@ fedora33:
fedora34:
extends: .build_image_template
-centos8:
+centos8s:
extends: .build_image_template
centos7:
diff --git a/bootstrap/config.py b/bootstrap/config.py
index fd75a771252..164ab306329 100644
--- a/bootstrap/config.py
+++ b/bootstrap/config.py
@@ -230,7 +230,7 @@ if [ ! -f /usr/bin/python3 ]; then
fi
"""
-CENTOS8_YUM_BOOTSTRAP = r"""
+CENTOS8S_YUM_BOOTSTRAP = r"""
#!/bin/bash
{GENERATED_MARKER}
set -xueo pipefail
@@ -240,10 +240,9 @@ yum install -y dnf-plugins-core
yum install -y epel-release
yum -v repolist all
-yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y || \
yum config-manager --set-enabled powertools -y
-yum config-manager --set-enabled Devel -y || \
- yum config-manager --set-enabled devel -y
+
yum update -y
yum install -y \
@@ -471,10 +470,10 @@ RPM_DISTS = {
'tracker-devel': '', # do not install
}
},
- 'centos8': {
- 'docker_image': 'centos:8',
- 'vagrant_box': 'centos/8',
- 'bootstrap': CENTOS8_YUM_BOOTSTRAP,
+ 'centos8s': {
+ 'docker_image': 'quay.io/centos/centos:stream8',
+ 'vagrant_box': 'centos/stream8',
+ 'bootstrap': CENTOS8S_YUM_BOOTSTRAP,
'replace': {
'lsb-release': 'redhat-lsb',
'@development-tools': '"@Development Tools"', # add quotes
diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile
index 780320ec7c8..10075800c01 100644
--- a/bootstrap/generated-dists/Vagrantfile
+++ b/bootstrap/generated-dists/Vagrantfile
@@ -17,11 +17,11 @@ Vagrant.configure("2") do |config|
v.vm.provision :shell, path: "centos7/locale.sh"
end
- config.vm.define "centos8" do |v|
- v.vm.box = "centos/8"
- v.vm.hostname = "centos8"
- v.vm.provision :shell, path: "centos8/bootstrap.sh"
- v.vm.provision :shell, path: "centos8/locale.sh"
+ config.vm.define "centos8s" do |v|
+ v.vm.box = "centos/stream8"
+ v.vm.hostname = "centos8s"
+ v.vm.provision :shell, path: "centos8s/bootstrap.sh"
+ v.vm.provision :shell, path: "centos8s/locale.sh"
end
config.vm.define "debian10" do |v|
diff --git a/bootstrap/generated-dists/centos8/Dockerfile b/bootstrap/generated-dists/centos8s/Dockerfile
similarity index 90%
rename from bootstrap/generated-dists/centos8/Dockerfile
rename to bootstrap/generated-dists/centos8s/Dockerfile
index f6343e9d5a2..1c932f58a94 100644
--- a/bootstrap/generated-dists/centos8/Dockerfile
+++ b/bootstrap/generated-dists/centos8s/Dockerfile
@@ -3,7 +3,7 @@
# See also bootstrap/config.py
#
-FROM centos:8
+FROM quay.io/centos/centos:stream8
# pass in with --build-arg while build
ARG SHA1SUM
diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh
similarity index 93%
rename from bootstrap/generated-dists/centos8/bootstrap.sh
rename to bootstrap/generated-dists/centos8s/bootstrap.sh
index 60cf3937cf7..1111450c400 100755
--- a/bootstrap/generated-dists/centos8/bootstrap.sh
+++ b/bootstrap/generated-dists/centos8s/bootstrap.sh
@@ -12,10 +12,9 @@ yum install -y dnf-plugins-core
yum install -y epel-release
yum -v repolist all
-yum config-manager --set-enabled PowerTools -y || \
+yum config-manager --set-enabled powertools -y || \
yum config-manager --set-enabled powertools -y
-yum config-manager --set-enabled Devel -y || \
- yum config-manager --set-enabled devel -y
+
yum update -y
yum install -y \
diff --git a/bootstrap/generated-dists/centos8/locale.sh b/bootstrap/generated-dists/centos8s/locale.sh
similarity index 100%
rename from bootstrap/generated-dists/centos8/locale.sh
rename to bootstrap/generated-dists/centos8s/locale.sh
diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8s/packages.yml
similarity index 100%
rename from bootstrap/generated-dists/centos8/packages.yml
rename to bootstrap/generated-dists/centos8s/packages.yml
diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt
index 11369ced5f7..120d935186d 100644
--- a/bootstrap/sha1sum.txt
+++ b/bootstrap/sha1sum.txt
@@ -1 +1 @@
-dd2b9a1848eed2d200e1a525695e40f06c23d888
+fbf9c4c8a2055936d4ca279878df7811af46d86d
diff --git a/selftest/tests.py b/selftest/tests.py
index c87b41c1a66..1331a6841e0 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -47,6 +47,8 @@ with_pam = ("WITH_PAM" in config_hash)
with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash)
pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH")
pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH")
+have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
+using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
planpythontestsuite("none", "samba.tests.source")
if have_man_pages_support:
@@ -429,6 +431,9 @@ plantestsuite("samba.unittests.test_registry_regfio", "none",
[os.path.join(bindir(), "default/source3/test_registry_regfio")])
plantestsuite("samba.unittests.test_oLschema2ldif", "none",
[os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
+if have_heimdal_support and not using_system_gssapi:
+ plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
+ [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))])
if with_elasticsearch_backend:
plantestsuite("samba.unittests.mdsparser_es", "none",
[os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
diff --git a/source4/auth/tests/heimdal_unwrap_des.c b/source4/auth/tests/heimdal_unwrap_des.c
new file mode 100644
index 00000000000..dc31e9d0ad1
--- /dev/null
+++ b/source4/auth/tests/heimdal_unwrap_des.c
@@ -0,0 +1,1247 @@
+/*
+ * Unit tests for source4/heimdal/lib/gssapi/krb5/unwrap.c
+ *
+ * Copyright (C) Catalyst.NET Ltd 2022
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+
+#include <cmocka.h>
+
+#include "includes.h"
+#include "replace.h"
+
+#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_
+#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x)
+
+#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h"
+#include "gsskrb5_locl.h"
+
+/******************************************************************************
+ * Helper functions
+ ******************************************************************************/
+
+const uint8_t *valid_range_begin;
+const uint8_t *valid_range_end;
+const uint8_t *invalid_range_end;
+
+/*
+ * 'array_len' is the size of the passed in array. 'buffer_len' is the size to
+ * report in the resulting buffer.
+ */
+static const gss_buffer_desc get_input_buffer(TALLOC_CTX *mem_ctx,
+ const uint8_t array[],
+ const size_t array_len,
+ const size_t buffer_len)
+{
+ gss_buffer_desc buf;
+
+ /* Add some padding to catch invalid memory accesses. */
+ const size_t padding = 0x100;
+ const size_t padded_len = array_len + padding;
+
+ uint8_t *data = talloc_size(mem_ctx, padded_len);
+ assert_non_null(data);
+
+ memcpy(data, array, array_len);
+ memset(data + array_len, 0, padding);
+
+ assert_in_range(buffer_len, 0, array_len);
+
+ buf.value = data;
+ buf.length = buffer_len;
+
+ valid_range_begin = buf.value;
+ valid_range_end = valid_range_begin + buf.length;
+ invalid_range_end = valid_range_begin + padded_len;
+
+ return buf;
+}
+
+static void assert_mem_in_valid_range(const uint8_t *ptr, const size_t len)
+{
+ /* Ensure we've set up the range pointers properly. */
+ assert_non_null(valid_range_begin);
+ assert_non_null(valid_range_end);
+ assert_non_null(invalid_range_end);
+
+ /*
+ * Ensure the length isn't excessively large (a symptom of integer
+ * underflow).
+ */
+ assert_in_range(len, 0, 0x1000);
+
+ /* Ensure the memory is in our valid range. */
+ assert_in_range(ptr, valid_range_begin, valid_range_end);
+ assert_in_range(ptr + len, valid_range_begin, valid_range_end);
+}
+
+/*
+ * This function takes a pointer to volatile to allow it to be called from the
+ * ct_memcmp() wrapper.
+ */
+static void assert_mem_outside_invalid_range(const volatile uint8_t *ptr,
+ const size_t len)
+{
+ const LargestIntegralType _valid_range_end
+ = cast_ptr_to_largest_integral_type(valid_range_end);
+ const LargestIntegralType _invalid_range_end
+ = cast_ptr_to_largest_integral_type(invalid_range_end);
+ const LargestIntegralType _ptr = cast_ptr_to_largest_integral_type(ptr);
+ const LargestIntegralType _len = cast_to_largest_integral_type(len);
+
+ /* Ensure we've set up the range pointers properly. */
+ assert_non_null(valid_range_begin);
+ assert_non_null(valid_range_end);
+ assert_non_null(invalid_range_end);
+
+ /*
+ * Ensure the length isn't excessively large (a symptom of integer
+ * underflow).
+ */
+ assert_in_range(len, 0, 0x1000);
+
+ /* Ensure the memory is outside the invalid range. */
+ if (_ptr < _invalid_range_end && _ptr + _len > _valid_range_end) {
+ fail();
+ }
+}
+
+/*****************************************************************************
+ * wrapped functions
+ *****************************************************************************/
+
+krb5_keyblock dummy_key;
+
+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock **keyblock);
+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_keyblock **keyblock)
+{
+ *keyblock = &dummy_key;
+ return 0;
+}
+
+void __wrap_krb5_free_keyblock(krb5_context context,
+ krb5_keyblock *keyblock);
+void __wrap_krb5_free_keyblock(krb5_context context,
+ krb5_keyblock *keyblock)
+{
+ assert_ptr_equal(&dummy_key, keyblock);
+}
+
+struct krb5_crypto_data dummy_crypto;
+
+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_enctype etype,
+ krb5_crypto *crypto);
+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_enctype etype,
+ krb5_crypto *crypto)
+{
+ static const LargestIntegralType etypes[] = {ETYPE_DES3_CBC_NONE, 0};
+
+ assert_ptr_equal(&dummy_key, key);
+ assert_in_set(etype, etypes, ARRAY_SIZE(etypes));
+
+ *crypto = &dummy_crypto;
+
+ return 0;
+}
+
+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_data *result);
+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_data *result)
+{
+ assert_ptr_equal(&dummy_crypto, crypto);
+ assert_int_equal(KRB5_KU_USAGE_SEAL, usage);
+
+ assert_mem_in_valid_range(data, len);
+
+ check_expected(len);
+ check_expected_ptr(data);
+
+ result->data = malloc(len);
+ assert_non_null(result->data);
+ result->length = len;
--
Samba Shared Repository
More information about the samba-cvs
mailing list