import samba-4.15.5-10.el8_6

SOURCES/CVE-2022-32742-v4-15.patch

@@ -0,0 +1,216 @@
+From 9ccec2afdaf8af463f321eb37d3c3bb90d1d432e Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 7 Jun 2022 09:40:45 -0700
+Subject: [PATCH 1/2] CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
+
+Reproduces the test code in:
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
+
+Add knownfail.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+---
+ selftest/knownfail.d/bad-write |  2 +
+ source4/torture/raw/write.c    | 89 ++++++++++++++++++++++++++++++++++
+ 2 files changed, 91 insertions(+)
+ create mode 100644 selftest/knownfail.d/bad-write
+
+diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
+new file mode 100644
+index 00000000000..5fc16606a13
+--- /dev/null
++++ b/selftest/knownfail.d/bad-write
+@@ -0,0 +1,2 @@
++^samba3.raw.write.bad-write\(nt4_dc_smb1\)
++^samba3.raw.write.bad-write\(ad_dc_smb1\)
+diff --git a/source4/torture/raw/write.c b/source4/torture/raw/write.c
+index 0a2f50f425b..661485bb548 100644
+--- a/source4/torture/raw/write.c
++++ b/source4/torture/raw/write.c
+@@ -25,6 +25,7 @@
+ #include "libcli/libcli.h"
+ #include "torture/util.h"
+ #include "torture/raw/proto.h"
++#include "libcli/raw/raw_proto.h"
+ 
+ #define CHECK_STATUS(status, correct) do { \
+ 	if (!NT_STATUS_EQUAL(status, correct)) { \
+@@ -694,6 +695,93 @@ done:
+ 	return ret;
+ }
+ 
++/*
++  test a deliberately bad SMB1 write.
++*/
++static bool test_bad_write(struct torture_context *tctx,
++		       struct smbcli_state *cli)
++{
++	bool ret = false;
++	int fnum = -1;
++	struct smbcli_request *req = NULL;
++	const char *fname = BASEDIR "\\badwrite.txt";
++	bool ok = false;
++
++	if (!torture_setup_dir(cli, BASEDIR)) {
++		torture_fail(tctx, "failed to setup basedir");
++	}
++
++	torture_comment(tctx, "Testing RAW_BAD_WRITE\n");
++
++	fnum = smbcli_open(cli->tree, fname, O_RDWR|O_CREAT, DENY_NONE);
++	if (fnum == -1) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx,
++				"Failed to create %s - %s\n",
++				fname,
++				smbcli_errstr(cli->tree)));
++	}
++
++	req = smbcli_request_setup(cli->tree,
++				   SMBwrite,
++				   5,
++				   0);
++	if (req == NULL) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx, "talloc fail\n"));
++	}
++
++	SSVAL(req->out.vwv, VWV(0), fnum);
++	SSVAL(req->out.vwv, VWV(1), 65535); /* bad write length. */
++	SIVAL(req->out.vwv, VWV(2), 0); /* offset */
++	SSVAL(req->out.vwv, VWV(4), 0); /* remaining. */
++
++        if (!smbcli_request_send(req)) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx, "Send failed\n"));
++        }
++
++        if (!smbcli_request_receive(req)) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx, "Reveive failed\n"));
++	}
++
++	/*
++	 * Check for expected error codes.
++	 * ntvfs returns NT_STATUS_UNSUCCESSFUL.
++	 */
++	ok = (NT_STATUS_EQUAL(req->status, NT_STATUS_INVALID_PARAMETER) ||
++	     NT_STATUS_EQUAL(req->status, NT_STATUS_UNSUCCESSFUL));
++
++	if (!ok) {
++		torture_fail_goto(tctx,
++			done,
++			talloc_asprintf(tctx,
++				"Should have returned "
++				"NT_STATUS_INVALID_PARAMETER or "
++				"NT_STATUS_UNSUCCESSFUL "
++				"got %s\n",
++				nt_errstr(req->status)));
++        }
++
++	ret = true;
++
++done:
++	if (req != NULL) {
++		smbcli_request_destroy(req);
++	}
++	if (fnum != -1) {
++		smbcli_close(cli->tree, fnum);
++	}
++	smb_raw_exit(cli->session);
++	smbcli_deltree(cli->tree, BASEDIR);
++	return ret;
++}
++
+ /*
+    basic testing of write calls
+ */
+@@ -705,6 +793,7 @@ struct torture_suite *torture_raw_write(TALLOC_CTX *mem_ctx)
+ 	torture_suite_add_1smb_test(suite, "write unlock", test_writeunlock);
+ 	torture_suite_add_1smb_test(suite, "write close", test_writeclose);
+ 	torture_suite_add_1smb_test(suite, "writex", test_writex);
++	torture_suite_add_1smb_test(suite, "bad-write", test_bad_write);
+ 
+ 	return suite;
+ }
+-- 
+2.34.1
+
+
+From 9097c5363605e1d5f99ff5a59dc6795c612d472f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Wed, 8 Jun 2022 13:50:51 -0700
+Subject: [PATCH 2/2] CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
+
+Fixes the raw.write.bad-write test.
+
+NB. We need the two (==0) changes in source3/smbd/reply.c
+as the gcc optimizer now knows that the return from
+smbreq_bufrem() can never be less than zero.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
+
+Remove knownfail.
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: David Disseldorp <ddiss@samba.org>
+
+---
+ selftest/knownfail.d/bad-write | 2 --
+ source3/include/smb_macros.h   | 2 +-
+ source3/smbd/reply.c           | 4 ++--
+ 3 files changed, 3 insertions(+), 5 deletions(-)
+ delete mode 100644 selftest/knownfail.d/bad-write
+
+diff --git a/selftest/knownfail.d/bad-write b/selftest/knownfail.d/bad-write
+deleted file mode 100644
+index 5fc16606a13..00000000000
+--- a/selftest/knownfail.d/bad-write
++++ /dev/null
+@@ -1,2 +0,0 @@
+-^samba3.raw.write.bad-write\(nt4_dc_smb1\)
+-^samba3.raw.write.bad-write\(ad_dc_smb1\)
+diff --git a/source3/include/smb_macros.h b/source3/include/smb_macros.h
+index 344a997cbd2..c75b93fcc25 100644
+--- a/source3/include/smb_macros.h
++++ b/source3/include/smb_macros.h
+@@ -152,7 +152,7 @@
+ 
+ /* the remaining number of bytes in smb buffer 'buf' from pointer 'p'. */
+ #define smb_bufrem(buf, p) (smb_buflen(buf)-PTR_DIFF(p, smb_buf(buf)))
+-#define smbreq_bufrem(req, p) (req->buflen - PTR_DIFF(p, req->buf))
++#define smbreq_bufrem(req, p) ((req)->buflen < PTR_DIFF((p), (req)->buf) ? 0 : (req)->buflen - PTR_DIFF((p), (req)->buf))
+ 
+ 
+ /* Note that chain_size must be available as an extern int to this macro. */
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index d4573d3da55..e1a47a65662 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -345,7 +345,7 @@ size_t srvstr_get_path_req(TALLOC_CTX *mem_ctx, struct smb_request *req,
+ {
+ 	ssize_t bufrem = smbreq_bufrem(req, src);
+ 
+-	if (bufrem < 0) {
++	if (bufrem == 0) {
+ 		*err = NT_STATUS_INVALID_PARAMETER;
+ 		return 0;
+ 	}
+@@ -383,7 +383,7 @@ size_t srvstr_pull_req_talloc(TALLOC_CTX *ctx, struct smb_request *req,
+ {
+ 	ssize_t bufrem = smbreq_bufrem(req, src);
+ 
+-	if (bufrem < 0) {
++	if (bufrem == 0) {
+ 		return 0;
+ 	}
+ 
+-- 
+2.34.1
+

SOURCES/samba.abignore

@@ -0,0 +1,5 @@
+#################################################
+# This is a grouping library without any code
+#################################################
+[suppress_file]
+file_name_regexp=.*libdcerpc-samr\\.so.*

SPECS/samba.spec

@@ -132,7 +132,7 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global baserelease 8
+%global baserelease 10
 
 %global samba_version 4.15.5
 %global talloc_version 2.3.3
@@ -198,6 +198,7 @@ Source11:       smb.conf.vendor
 Source12:       smb.conf.example
 Source13:       pam_winbind.conf
 Source14:       samba.pamd
+Source15:       samba.abignore
 
 Source201:      README.downgrade
 
@@ -215,6 +216,7 @@ Patch10:        samba-4-15-fix-create-local-krb5-conf.patch
 Patch11:        samba-4-15-username-map.patch
 Patch12:        samba-4-15-kerberos-clock-skew.patch
 Patch13:        samba-4-15-smbd-upn.patch
+Patch14:        CVE-2022-32742-v4-15.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -735,7 +737,6 @@ library.
 ### PYTHON3
 %package -n python3-%{name}
 Summary: Samba Python3 libraries
-Requires: %{name} = %{samba_depver}
 Requires: %{name}-client-libs = %{samba_depver}
 Requires: %{name}-common-libs = %{samba_depver}
 Requires: %{name}-libs = %{samba_depver}
@@ -4113,6 +4114,13 @@ fi
 %endif
 
 %changelog
+* Mon Sep 12 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-10
+- resolves: rhbz#2126041 - Do not require samba package in python3-samba
+
+* Fri Sep 09 2022 Andreas Schneider <asn@redhat.com> - 4.15.5-9
+- Fix CVE-2022-32742
+- resolves: rhbz#2125552
+
 * Wed Apr 27 2022 Pavel Filipenský <pfilipen@redhat.com> - 4.15.5-8
 - resolves: rhbz#2079303 - Fix username map for unix groups
 - resolves: rhbz#2079299 - PAM Kerberos authentication fails with a clock skew error