import samba-4.14.5-9.el8_5

SOURCES/CVE-2021-44142-v4.14.patch

@@ -0,0 +1,759 @@
+From 2f7332f6c283fbedbd859c79a3f74ca6e07aad46 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 13 Jan 2022 16:48:01 +0100
+Subject: [PATCH 1/5] CVE-2021-44142: libadouble: add defines for icon lengths
+
+From https://www.ietf.org/rfc/rfc1740.txt
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/lib/adouble.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/lib/adouble.h b/source3/lib/adouble.h
+index 90a825c502e0..e3b9263a1f9a 100644
+--- a/source3/lib/adouble.h
++++ b/source3/lib/adouble.h
+@@ -101,6 +101,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC} adouble_type_t;
+ #define ADEDLEN_MACFILEI        4
+ #define ADEDLEN_PRODOSFILEI     8
+ #define ADEDLEN_MSDOSFILEI      2
++#define ADEDLEN_ICONBW          128
++#define ADEDLEN_ICONCOL         1024
+ #define ADEDLEN_DID             4
+ #define ADEDLEN_PRIVDEV         8
+ #define ADEDLEN_PRIVINO         8
+-- 
+2.34.1
+
+
+From fc20cb8268af1203a331ba142b630d4dfb613478 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sat, 20 Nov 2021 16:36:42 +0100
+Subject: [PATCH 2/5] CVE-2021-44142: smbd: add Netatalk xattr used by
+ vfs_fruit to the list of private Samba xattrs
+
+This is an internal xattr that should not be user visible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
+---
+ source3/smbd/trans2.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/smbd/trans2.c b/source3/smbd/trans2.c
+index 70a492a96a8a..a200656b76cf 100644
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -45,6 +45,7 @@
+ #include "smb1_utils.h"
+ #include "libcli/smb/smb2_posix.h"
+ #include "lib/util/string_wrappers.h"
++#include "source3/lib/adouble.h"
+ 
+ #define DIR_ENTRY_SAFETY_MARGIN 4096
+ 
+@@ -218,6 +219,7 @@ bool samba_private_attr_name(const char *unix_ea_name)
+ 		SAMBA_XATTR_DOS_ATTRIB,
+ 		SAMBA_XATTR_MARKER,
+ 		XATTR_NTACL_NAME,
++		AFPINFO_EA_NETATALK,
+ 		NULL
+ 	};
+ 
+-- 
+2.34.1
+
+
+From 73302708170a71afce09ff42640ea4fceff4d08a Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 Nov 2021 07:19:32 +0100
+Subject: [PATCH 3/5] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
+
+This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
+which is used for parsing ._ AppleDouble sidecar files, and the buffer
+ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
+buffer out-of-bounds access checks in ad_unpack_xattrs().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ source3/lib/adouble.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c
+index 0ab9019cfb59..7875dd6f0df8 100644
+--- a/source3/lib/adouble.c
++++ b/source3/lib/adouble.c
+@@ -707,14 +707,27 @@ static bool ad_pack(struct vfs_handle_struct *handle,
+ static bool ad_unpack_xattrs(struct adouble *ad)
+ {
+ 	struct ad_xattr_header *h = &ad->adx_header;
++	size_t bufsize = talloc_get_size(ad->ad_data);
+ 	const char *p = ad->ad_data;
+ 	uint32_t hoff;
+ 	uint32_t i;
+ 
++	if (ad->ad_type != ADOUBLE_RSRC) {
++		return false;
++	}
++
+ 	if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
+ 		return true;
+ 	}
+ 
++	/*
++	 * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
++	 * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
++	 */
++	if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
++		return false;
++	}
++
+ 	/* 2 bytes padding */
+ 	hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
+ 
+@@ -964,9 +977,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
+ 		ad->ad_eid[eid].ade_len = len;
+ 	}
+ 
+-	ok = ad_unpack_xattrs(ad);
+-	if (!ok) {
+-		return false;
++	if (ad->ad_type == ADOUBLE_RSRC) {
++		ok = ad_unpack_xattrs(ad);
++		if (!ok) {
++			return false;
++		}
+ 	}
+ 
+ 	return true;
+-- 
+2.34.1
+
+
+From 0cfe02ac7ad197ea9fb4b19f296b73e5e7baf0af Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 25 Nov 2021 15:04:03 +0100
+Subject: [PATCH 4/5] CVE-2021-44142: libadouble: add basic cmocka tests
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+[slow@samba.org: conflict due to missing test in selftest/tests.py]
+---
+ selftest/knownfail.d/samba.unittests.adouble |   3 +
+ selftest/tests.py                            |   2 +
+ source3/lib/test_adouble.c                   | 389 +++++++++++++++++++
+ source3/wscript_build                        |   5 +
+ 4 files changed, 399 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba.unittests.adouble
+ create mode 100644 source3/lib/test_adouble.c
+
+diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
+new file mode 100644
+index 000000000000..8b0314f2faec
+--- /dev/null
++++ b/selftest/knownfail.d/samba.unittests.adouble
+@@ -0,0 +1,3 @@
++^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
++^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
++^samba.unittests.adouble.parse_abouble_date2\(none\)
+diff --git a/selftest/tests.py b/selftest/tests.py
+index af1e46061852..f4a1056f1dc8 100644
+--- a/selftest/tests.py
++++ b/selftest/tests.py
+@@ -427,3 +427,5 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
+                   [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration])
+ plantestsuite("samba.unittests.credentials", "none",
+               [os.path.join(bindir(), "default/auth/credentials/test_creds")])
++plantestsuite("samba.unittests.adouble", "none",
++              [os.path.join(bindir(), "test_adouble")])
+diff --git a/source3/lib/test_adouble.c b/source3/lib/test_adouble.c
+new file mode 100644
+index 000000000000..615c22469c91
+--- /dev/null
++++ b/source3/lib/test_adouble.c
+@@ -0,0 +1,389 @@
++/*
++ * Unix SMB/CIFS implementation.
++ *
++ * Copyright (C) 2021 Ralph Boehme <slow@samba.org>
++ *
++ * This program is free software; you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation; either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include "adouble.c"
++#include <cmocka.h>
++
++static int setup_talloc_context(void **state)
++{
++	TALLOC_CTX *frame = talloc_stackframe();
++
++	*state = frame;
++	return 0;
++}
++
++static int teardown_talloc_context(void **state)
++{
++	TALLOC_CTX *frame = *state;
++
++	TALLOC_FREE(frame);
++	return 0;
++}
++
++/*
++ * Basic and sane buffer.
++ */
++static uint8_t ad_basic[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * An empty FinderInfo entry.
++ */
++static uint8_t ad_finderinfo1[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x52,	/* off: points at end of buffer */
++	0x00, 0x00, 0x00, 0x00,	/* len: 0, so off+len don't exceed bufferlen */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A dangerous FinderInfo with correct length exceeding buffer by one byte.
++ */
++static uint8_t ad_finderinfo2[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x33,	/* off: points at beginng of data + 1 */
++	0x00, 0x00, 0x00, 0x20,	/* len: 32, so off+len exceeds bufferlen by 1 */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++static uint8_t ad_finderinfo3[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x33,	/* off: points at beginng of data + 1 */
++	0x00, 0x00, 0x00, 0x1f,	/* len: 31, so off+len don't exceed buf */
++	/* adentry 2: Resourcefork */
++	0x00, 0x00, 0x00, 0x02,	/* eid: Resourcefork */
++	0x00, 0x00, 0x00, 0x52,	/* offset */
++	0xff, 0xff, 0xff, 0x00,	/* length */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A dangerous name entry.
++ */
++static uint8_t ad_name[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Name */
++	0x00, 0x00, 0x00, 0x03,	/* eid: Name */
++	0x00, 0x00, 0x00, 0x52,	/* off: points at end of buffer */
++	0x00, 0x00, 0x00, 0x01,	/* len: 1, so off+len exceeds bufferlen */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A empty ADEID_FILEDATESI entry.
++ */
++static uint8_t ad_date1[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Dates */
++	0x00, 0x00, 0x00, 0x08,	/* eid: dates */
++	0x00, 0x00, 0x00, 0x52,	/* off: end of buffer */
++	0x00, 0x00, 0x00, 0x00,	/* len: 0, empty entry, valid */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++/*
++ * A dangerous ADEID_FILEDATESI entry, invalid length.
++ */
++static uint8_t ad_date2[] = {
++	0x00, 0x05, 0x16, 0x07, /* Magic */
++	0x00, 0x02, 0x00, 0x00, /* Version */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x00, 0x00, 0x00, /* Filler */
++	0x00, 0x02,             /* Count */
++	/* adentry 1: FinderInfo */
++	0x00, 0x00, 0x00, 0x09,	/* eid: FinderInfo */
++	0x00, 0x00, 0x00, 0x32,	/* offset */
++	0x00, 0x00, 0x00, 0x20,	/* length */
++	/* adentry 2: Dates */
++	0x00, 0x00, 0x00, 0x08,	/* eid: dates */
++	0x00, 0x00, 0x00, 0x43,	/* off: FinderInfo buf but one byte short */
++	0x00, 0x00, 0x00, 0x0f,	/* len: 15, so off+len don't exceed bufferlen */
++	/* FinderInfo data: 32 bytes */
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++	0x00, 0x00, 0x00, 0x00,
++};
++
++static struct adouble *parse_adouble(TALLOC_CTX *mem_ctx,
++				     uint8_t *adbuf,
++				     size_t adsize,
++				     off_t filesize)
++{
++	struct adouble *ad = NULL;
++	bool ok;
++
++	ad = talloc_zero(mem_ctx, struct adouble);
++	ad->ad_data = talloc_zero_size(ad, adsize);
++	assert_non_null(ad);
++
++	memcpy(ad->ad_data, adbuf, adsize);
++
++	ok = ad_unpack(ad, 2, filesize);
++	if (!ok) {
++		return NULL;
++	}
++
++	return ad;
++}
++
++static void parse_abouble_basic(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++	char *p = NULL;
++
++	ad = parse_adouble(frame, ad_basic, sizeof(ad_basic), 0xffffff52);
++	assert_non_null(ad);
++
++	p = ad_get_entry(ad, ADEID_FINDERI);
++	assert_non_null(p);
++
++	return;
++}
++
++static void parse_abouble_finderinfo1(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++	char *p = NULL;
++
++	ad = parse_adouble(frame,
++			   ad_finderinfo1,
++			   sizeof(ad_finderinfo1),
++			   0xffffff52);
++	assert_non_null(ad);
++
++	p = ad_get_entry(ad, ADEID_FINDERI);
++	assert_null(p);
++
++	return;
++}
++
++static void parse_abouble_finderinfo2(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame,
++			   ad_finderinfo2,
++			   sizeof(ad_finderinfo2),
++			   0xffffff52);
++	assert_null(ad);
++
++	return;
++}
++
++static void parse_abouble_finderinfo3(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame,
++			   ad_finderinfo3,
++			   sizeof(ad_finderinfo3),
++			   0xffffff52);
++	assert_null(ad);
++
++	return;
++}
++
++static void parse_abouble_name(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame, ad_name, sizeof(ad_name), 0x52);
++	assert_null(ad);
++
++	return;
++}
++
++static void parse_abouble_date1(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++	char *p = NULL;
++
++	ad = parse_adouble(frame, ad_date1, sizeof(ad_date1), 0x52);
++	assert_non_null(ad);
++
++	p = ad_get_entry(ad, ADEID_FILEDATESI);
++	assert_null(p);
++
++	return;
++}
++
++static void parse_abouble_date2(void **state)
++{
++	TALLOC_CTX *frame = *state;
++	struct adouble *ad = NULL;
++
++	ad = parse_adouble(frame, ad_date2, sizeof(ad_date2), 0x52);
++	assert_null(ad);
++
++	return;
++}
++
++int main(int argc, char *argv[])
++{
++	int rc;
++	const struct CMUnitTest tests[] = {
++		cmocka_unit_test(parse_abouble_basic),
++		cmocka_unit_test(parse_abouble_finderinfo1),
++		cmocka_unit_test(parse_abouble_finderinfo2),
++		cmocka_unit_test(parse_abouble_finderinfo3),
++		cmocka_unit_test(parse_abouble_name),
++		cmocka_unit_test(parse_abouble_date1),
++		cmocka_unit_test(parse_abouble_date2),
++	};
++
++	if (argc == 2) {
++		cmocka_set_test_filter(argv[1]);
++	}
++	cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
++
++	rc = cmocka_run_group_tests(tests,
++				    setup_talloc_context,
++				    teardown_talloc_context);
++
++	return rc;
++}
+diff --git a/source3/wscript_build b/source3/wscript_build
+index a143477a5064..95e589cfc734 100644
+--- a/source3/wscript_build
++++ b/source3/wscript_build
+@@ -1088,6 +1088,11 @@ bld.SAMBA3_SUBSYSTEM('ADOUBLE',
+                     source='lib/adouble.c',
+                     deps='STRING_REPLACE')
+ 
++bld.SAMBA3_BINARY('test_adouble',
++                 source='lib/test_adouble.c',
++                 deps='smbd_base STRING_REPLACE cmocka',
++                 for_selftest=True)
++
+ bld.SAMBA3_SUBSYSTEM('STRING_REPLACE',
+                     source='lib/string_replace.c')
+ 
+-- 
+2.34.1
+
+
+From 793ca8c474a74f82745a266f4a4bf9e20443ad53 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 13 Jan 2022 17:03:02 +0100
+Subject: [PATCH 5/5] CVE-2021-44142: libadouble: harden parsing code
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/samba.unittests.adouble |   3 -
+ source3/lib/adouble.c                        | 115 ++++++++++++++++---
+ 2 files changed, 101 insertions(+), 17 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
+
+diff --git a/selftest/knownfail.d/samba.unittests.adouble b/selftest/knownfail.d/samba.unittests.adouble
+deleted file mode 100644
+index 8b0314f2faec..000000000000
+--- a/selftest/knownfail.d/samba.unittests.adouble
++++ /dev/null
+@@ -1,3 +0,0 @@
+-^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
+-^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
+-^samba.unittests.adouble.parse_abouble_date2\(none\)
+diff --git a/source3/lib/adouble.c b/source3/lib/adouble.c
+index 7875dd6f0df8..48cc0007c23c 100644
+--- a/source3/lib/adouble.c
++++ b/source3/lib/adouble.c
+@@ -269,6 +269,95 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
+ 	return ad->ad_eid[eid].ade_off = off;
+ }
+ 
++/*
++ * All entries besides FinderInfo and resource fork must fit into the
++ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
++ * if it contains marshalled xattrs, which we will fixup that in
++ * ad_convert(). The first 32 bytes however must also be part of the buffer.
++ *
++ * The resource fork is never accessed directly by the ad_data buf.
++ */
++static bool ad_entry_check_size(uint32_t eid,
++				size_t bufsize,
++				uint32_t off,
++				uint32_t got_len)
++{
++	struct {
++		off_t expected_len;
++		bool fixed_size;
++		bool minimum_size;
++	} ad_checks[] = {
++		[ADEID_DFORK] = {-1, false, false}, /* not applicable */
++		[ADEID_RFORK] = {-1, false, false}, /* no limit */
++		[ADEID_NAME] = {ADEDLEN_NAME, false, false},
++		[ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
++		[ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
++		[ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
++		[ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
++		[ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
++		[ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
++		[ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
++		[ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
++		[ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
++		[ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
++		[ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
++		[ADEID_DID] = {ADEDLEN_DID, true, false},
++		[ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
++		[ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
++		[ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
++		[ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
++	};
++
++	if (eid >= ADEID_MAX) {
++		return false;
++	}
++	if (got_len == 0) {
++		/* Entry present, but empty, allow */
++		return true;
++	}
++	if (ad_checks[eid].expected_len == 0) {
++		/*
++		 * Shouldn't happen: implicitly initialized to zero because
++		 * explicit initializer missing.
++		 */
++		return false;
++	}
++	if (ad_checks[eid].expected_len == -1) {
++		/* Unused or no limit */
++		return true;
++	}
++	if (ad_checks[eid].fixed_size) {
++		if (ad_checks[eid].expected_len != got_len) {
++			/* Wrong size fo fixed size entry. */
++			return false;
++		}
++	} else {
++		if (ad_checks[eid].minimum_size) {
++			if (got_len < ad_checks[eid].expected_len) {
++				/*
++				 * Too small for variable sized entry with
++				 * minimum size.
++				 */
++				return false;
++			}
++		} else {
++			if (got_len > ad_checks[eid].expected_len) {
++				/* Too big for variable sized entry. */
++				return false;
++			}
++		}
++	}
++	if (off + got_len < off) {
++		/* wrap around */
++		return false;
++	}
++	if (off + got_len > bufsize) {
++		/* overflow */
++		return false;
++	}
++	return true;
++}
++
+ /**
+  * Return a pointer to an AppleDouble entry
+  *
+@@ -276,8 +365,15 @@ size_t ad_setentryoff(struct adouble *ad, int eid, size_t off)
+  **/
+ char *ad_get_entry(const struct adouble *ad, int eid)
+ {
++	size_t bufsize = talloc_get_size(ad->ad_data);
+ 	off_t off = ad_getentryoff(ad, eid);
+ 	size_t len = ad_getentrylen(ad, eid);
++	bool valid;
++
++	valid = ad_entry_check_size(eid, bufsize, off, len);
++	if (!valid) {
++		return NULL;
++	}
+ 
+ 	if (off == 0 || len == 0) {
+ 		return NULL;
+@@ -914,20 +1010,11 @@ static bool ad_unpack(struct adouble *ad, const size_t nentries,
+ 			return false;
+ 		}
+ 
+-		/*
+-		 * All entries besides FinderInfo and resource fork
+-		 * must fit into the buffer. FinderInfo is special as
+-		 * it may be larger then the default 32 bytes (if it
+-		 * contains marshalled xattrs), but we will fixup that
+-		 * in ad_convert(). And the resource fork is never
+-		 * accessed directly by the ad_data buf (also see
+-		 * comment above) anyway.
+-		 */
+-		if ((eid != ADEID_RFORK) &&
+-		    (eid != ADEID_FINDERI) &&
+-		    ((off + len) > bufsize)) {
+-			DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
+-				  eid, off, len));
++		ok = ad_entry_check_size(eid, bufsize, off, len);
++		if (!ok) {
++			DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
++				"off [%"PRIu32"] len [%"PRIu32"]\n",
++				eid, bufsize, off, len);
+ 			return false;
+ 		}
+ 
+-- 
+2.34.1
+

SOURCES/samba-4.14-fix-domain-join-segfault.patch

@@ -0,0 +1,39 @@
+From 0ef9fe22f56ef3ff202f88426c3ee48c15e4a71e Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 Nov 2021 11:59:45 +0100
+Subject: [PATCH] smbd: s3-dsgetdcname: handle num_ips == 0
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14923
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Guenther Deschner <gd@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Fri Dec  3 12:54:04 UTC 2021 on sn-devel-184
+
+(cherry picked from commit 5e3df5f9ee64a80898f73585b19113354f463c44)
+---
+ source3/libsmb/dsgetdcname.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/source3/libsmb/dsgetdcname.c b/source3/libsmb/dsgetdcname.c
+index f8ae96109b71..5954e48d747b 100644
+--- a/source3/libsmb/dsgetdcname.c
++++ b/source3/libsmb/dsgetdcname.c
+@@ -572,6 +572,10 @@ static NTSTATUS discover_dc_dns(TALLOC_CTX *mem_ctx,
+ 	for (i = 0; i < numdcs; i++) {
+ 		size_t j;
+ 
++		if (dcs[i].num_ips == 0) {
++			continue;
++		}
++
+ 		dclist[ret_count].hostname =
+ 			talloc_move(dclist, &dcs[i].hostname);
+ 
+-- 
+2.33.1
+

SOURCES/samba-4.14-fix-username-map-script.patch

@@ -0,0 +1,227 @@
+From 0e179b5f06988c576a1fff505c06920d51fe8ed4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 12 Nov 2021 15:27:58 +0100
+Subject: [PATCH 1/3] CVE-2020-25727: idmap_nss: verify that the name of the
+ sid belongs to the configured domain
+
+We already check the sid belongs to the domain, but checking the name
+too feels better and make it easier to understand.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit bfd093648b4af51d104096c0cb3535e8706671e5)
+---
+ source3/winbindd/idmap_nss.c | 26 +++++++++++++++++++++-----
+ 1 file changed, 21 insertions(+), 5 deletions(-)
+
+diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c
+index da50e2b4aa7..2729a0de3f3 100644
+--- a/source3/winbindd/idmap_nss.c
++++ b/source3/winbindd/idmap_nss.c
+@@ -139,18 +139,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
+ 	for (i = 0; ids[i]; i++) {
+ 		struct group *gr;
+ 		enum lsa_SidType type;
+-		const char *p = NULL;
++		const char *_domain = NULL;
++		const char *_name = NULL;
++		char *domain = NULL;
+ 		char *name = NULL;
+ 		bool ret;
+ 
+ 		/* by default calls to winbindd are disabled
+ 		   the following call will not recurse so this is safe */
+ 		(void)winbind_on();
+-		ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL,
+-					 &p, &type);
++		ret = winbind_lookup_sid(talloc_tos(),
++					 ids[i]->sid,
++					 &_domain,
++					 &_name,
++					 &type);
+ 		(void)winbind_off();
+-		name = discard_const_p(char, p);
+-
+ 		if (!ret) {
+ 			/* TODO: how do we know if the name is really not mapped,
+ 			 * or something just failed ? */
+@@ -158,6 +161,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
+ 			continue;
+ 		}
+ 
++		domain = discard_const_p(char, _domain);
++		name = discard_const_p(char, _name);
++
++		if (!strequal(domain, dom->name)) {
++			struct dom_sid_buf buf;
++			DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n",
++			        dom->name, dom_sid_str_buf(ids[i]->sid, &buf),
++				sid_type_lookup(type), domain, name);
++			ids[i]->status = ID_UNMAPPED;
++			continue;
++		}
++
+ 		switch (type) {
+ 		case SID_NAME_USER: {
+ 			struct passwd *pw;
+@@ -190,6 +205,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma
+ 			ids[i]->status = ID_UNKNOWN;
+ 			break;
+ 		}
++		TALLOC_FREE(domain);
+ 		TALLOC_FREE(name);
+ 	}
+ 	return NT_STATUS_OK;
+-- 
+2.34.1
+
+
+From 704ae4b8308e9ae6c50e3548f98de65e97ab6aa6 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Fri, 12 Nov 2021 20:53:30 +1300
+Subject: [PATCH 2/3] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent
+ uid' to make room for new accounts
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit fdbee5e074ebd76d659613b8b7114d70f938c38a)
+---
+ nsswitch/nsstest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
+index e2ee9fbf3af..45270cdc459 100644
+--- a/nsswitch/nsstest.c
++++ b/nsswitch/nsstest.c
+@@ -466,7 +466,7 @@ static void nss_test_errors(void)
+ 		printf("ERROR Non existent user gave error %d\n", last_error);
+ 	}
+ 
+-	pwd = getpwuid(0xFFF0);
++	pwd = getpwuid(0xFF00);
+ 	if (pwd || last_error != NSS_STATUS_NOTFOUND) {
+ 		total_errors++;
+ 		printf("ERROR Non existent uid gave error %d\n", last_error);
+-- 
+2.34.1
+
+
+From 844723aa82cec67fd863fc327bde9fb04eab438d Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Fri, 12 Nov 2021 16:10:31 +1300
+Subject: [PATCH 3/3] CVE-2020-25717: s3:auth: Fallback to a SID/UID based
+ mapping if the named based lookup fails
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Before the CVE-2020-25717 fixes we had a fallback from
+getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and
+unpredictable.
+
+Now we do the fallback based on sid_to_uid() followed by
+getpwuid() on the returned uid.
+
+This obsoletes 'username map [script]' based workaround adviced
+for CVE-2020-25717, when nss_winbindd is not used or
+idmap_nss is actually used.
+
+In future we may decide to prefer or only do the SID/UID based
+lookup, but for now we want to keep this unchanged as much as possible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
+
+Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+
+[metze@samba.org moved the new logic into the fallback codepath only
+ in order to avoid behavior changes as much as possible]
+Reviewed-by: Ralph Boehme <slow@samba.org>
+
+Autobuild-User(master): Ralph Böhme <slow@samba.org>
+Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184
+
+(cherry picked from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e)
+---
+ source3/auth/auth_util.c | 34 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
+index 065b525500f..7a97dd45f11 100644
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1862,7 +1862,9 @@ const struct auth_session_info *get_session_info_system(void)
+ ***************************************************************************/
+ 
+ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+-			      const char *username, char **found_username,
++			      const char *username,
++			      const struct dom_sid *sid,
++			      char **found_username,
+ 			      struct passwd **pwd,
+ 			      bool *username_was_mapped)
+ {
+@@ -1897,6 +1899,31 @@ static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain,
+ 	}
+ 
+ 	passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
++	if (!passwd && !*username_was_mapped) {
++		struct dom_sid_buf buf;
++		uid_t uid;
++		bool ok;
++
++		DBG_DEBUG("Failed to find authenticated user %s via "
++			  "getpwnam(), fallback to sid_to_uid(%s).\n",
++			  dom_user, dom_sid_str_buf(sid, &buf));
++
++		ok = sid_to_uid(sid, &uid);
++		if (!ok) {
++			DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n",
++				dom_sid_str_buf(sid, &buf), dom_user);
++			return NT_STATUS_NO_SUCH_USER;
++		}
++		passwd = getpwuid_alloc(mem_ctx, uid);
++		if (!passwd) {
++			DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n",
++				(long long)uid,
++				dom_sid_str_buf(sid, &buf),
++				dom_user);
++			return NT_STATUS_NO_SUCH_USER;
++		}
++		real_username = talloc_strdup(mem_ctx, passwd->pw_name);
++	}
+ 	if (!passwd) {
+ 		DEBUG(3, ("Failed to find authenticated user %s via "
+ 			  "getpwnam(), denying access.\n", dom_user));
+@@ -2042,6 +2069,7 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 	bool username_was_mapped;
+ 	struct passwd *pwd;
+ 	struct auth_serversupplied_info *result;
++	struct dom_sid sid;
+ 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
+ 
+ 	/* 
+@@ -2088,9 +2116,13 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
+ 
+ 	/* this call will try to create the user if necessary */
+ 
++	sid_copy(&sid, info3->base.domain_sid);
++	sid_append_rid(&sid, info3->base.rid);
++
+ 	nt_status = check_account(tmp_ctx,
+ 				  nt_domain,
+ 				  nt_username,
++				  &sid,
+ 				  &found_username,
+ 				  &pwd,
+ 				  &username_was_mapped);
+-- 
+2.34.1
+

SOURCES/samba-4.14-recursive-delete-of-veto-files.patch

@@ -0,0 +1,295 @@
+From 505e48439364c4027aa11aeda467bbd2060b89f4 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 21 Oct 2021 15:06:20 -0700
+Subject: [PATCH] s3: smbd: Add two tests showing recursive directory delete of
+ a directory containing veto file and msdfs links over SMB2.
+
+Add knownfail.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+(cherry picked from commit ad0082d79a681b981154747dcde5713e1933b88f)
+(cherry picked from commit dab3fa1d8c27e696afa15e071331f646e06d9706)
+---
+ selftest/target/Samba3.pm               |  16 ++
+ source3/script/tests/test_veto_rmdir.sh | 217 ++++++++++++++++++++++++
+ source3/selftest/tests.py               |   3 +
+ 3 files changed, 236 insertions(+)
+ create mode 100755 source3/script/tests/test_veto_rmdir.sh
+
+diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
+index 14a1f1223b1..bbff9d74817 100755
+--- a/selftest/target/Samba3.pm
++++ b/selftest/target/Samba3.pm
+@@ -1460,6 +1460,9 @@ sub setup_fileserver
+ 	my $bad_iconv_sharedir="$share_dir/bad_iconv";
+ 	push(@dirs, $bad_iconv_sharedir);
+ 
++	my $veto_sharedir="$share_dir/veto";
++	push(@dirs,$veto_sharedir);
++
+ 	my $ip4 = Samba::get_ipv4_addr("FILESERVER");
+ 	my $fileserver_options = "
+ 	kernel change notify = yes
+@@ -1568,6 +1571,19 @@ sub setup_fileserver
+ 	comment = smb username is [%U]
+ 	vfs objects =
+ 
++[veto_files_nodelete]
++	path = $veto_sharedir
++	read only = no
++	msdfs root = yes
++	veto files = /veto_name*/
++	delete veto files = no
++
++[veto_files_delete]
++	path = $veto_sharedir
++	msdfs root = yes
++	veto files = /veto_name*/
++	delete veto files = yes
++
+ [homes]
+ 	comment = Home directories
+ 	browseable = No
+diff --git a/source3/script/tests/test_veto_rmdir.sh b/source3/script/tests/test_veto_rmdir.sh
+new file mode 100755
+index 00000000000..d3df8f1bba0
+--- /dev/null
++++ b/source3/script/tests/test_veto_rmdir.sh
+@@ -0,0 +1,217 @@
++#!/bin/sh
++#
++# Check smbclient can (or cannot) delete a directory containing veto files.
++# BUG: https://bugzilla.samba.org/show_bug.cgi?id=14878
++#
++
++if [ $# -lt 6 ]; then
++cat <<EOF
++Usage: $0 SERVER SERVER_IP USERNAME PASSWORD SHAREPATH SMBCLIENT
++EOF
++exit 1;
++fi
++
++SERVER=${1}
++SERVER_IP=${2}
++USERNAME=${3}
++PASSWORD=${4}
++SHAREPATH=${5}
++SMBCLIENT=${6}
++shift 6
++SMBCLIENT="$VALGRIND ${SMBCLIENT}"
++ADDARGS="$@"
++
++incdir=$(dirname "$0")/../../../testprogs/blackbox
++. "$incdir"/subunit.sh
++
++failed=0
++
++rmdir_path="$SHAREPATH/dir"
++
++test_veto_nodelete_rmdir()
++{
++    local veto_path="$rmdir_path/veto_name1"
++    local msdfs_link_path="$rmdir_path/dfs_link"
++    local tmpfile=$PREFIX/smbclient.in.$$
++
++    # Create rmdir directory.
++    mkdir -p "$rmdir_path"
++    # Create veto file underneath.
++    touch "$veto_path"
++    # Create msdfs link underneath.
++    ln -s "msdfs:$SERVER_IP\\ro-tmp" "$msdfs_link_path"
++
++    cat > "$tmpfile" <<EOF
++cd dir
++ls
++quit
++EOF
++
++    local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_nodelete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
++    eval echo "$cmd"
++    out=$(eval "$cmd")
++    ret=$?
++
++    # Check for smbclient error.
++    if [ $ret != 0 ] ; then
++        echo "Failed accessing share veto_files_nodelete - $ret"
++        echo "$out"
++        return 1
++    fi
++
++    # We should only see the dfs_link file.
++    echo "$out" | grep dfs_link
++    ret=$?
++    if [ $ret -ne 0 ] ; then
++       echo "Failed to see dfs_link in share veto_files_nodelete"
++       echo "$out"
++       return 1
++    fi
++
++    # Now remove the dfs_link file.
++    rm -rf "$msdfs_link_path"
++
++    # Try and remove the directory, should fail with NT_STATUS_DIRECTORY_NOT_EMPTY.
++    cat > "$tmpfile" <<EOF
++rd dir
++quit
++EOF
++
++    local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_nodelete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
++    eval echo "$cmd"
++    out=$(eval "$cmd")
++    ret=$?
++
++    # Check for smbclient error.
++    if [ $ret != 0 ] ; then
++        echo "Failed accessing share veto_files_nodelete - $ret"
++        echo "$out"
++        return 1
++    fi
++
++    # We should get NT_STATUS_DIRECTORY_NOT_EMPTY.
++    echo "$out" | grep NT_STATUS_DIRECTORY_NOT_EMPTY
++    ret=$?
++    if [ $ret -ne 0 ] ; then
++       echo "Failed to get error NT_STATUS_DIRECTORY_NOT_EMPTY in share veto_files_nodelete"
++       echo "$out"
++       return 1
++    fi
++
++    # remove the veto file - directory should now be empty.
++    rm -rf "$veto_path"
++
++    # Try and remove the directory, should now succeed.
++    cat > "$tmpfile" <<EOF
++rd dir
++quit
++EOF
++
++    local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_nodelete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
++    eval echo "$cmd"
++    out=$(eval "$cmd")
++    ret=$?
++
++    # Check for smbclient error.
++    if [ $ret != 0 ] ; then
++        echo "Failed accessing share veto_files_nodelete - $ret"
++        echo "$out"
++        return 1
++    fi
++
++    # We should get no NT_STATUS_ errors.
++    echo "$out" | grep NT_STATUS_
++    ret=$?
++    if [ $ret -eq 0 ] ; then
++       echo "Got error NT_STATUS_ in share veto_files_nodelete"
++       echo "$out"
++       return 1
++    fi
++
++    return 0
++}
++
++test_veto_delete_rmdir()
++{
++    local veto_path="$rmdir_path/veto_name1"
++    local msdfs_link_path="$rmdir_path/dfs_link"
++    local tmpfile=$PREFIX/smbclient.in.$$
++
++    # Create rmdir directory.
++    mkdir -p "$rmdir_path"
++    # Create veto file underneath.
++    touch "$veto_path"
++    # Create msdfs link underneath.
++    ln -s "msdfs:$SERVER_IP\\ro-tmp" "$msdfs_link_path"
++
++    cat > "$tmpfile" <<EOF
++cd dir
++ls
++quit
++EOF
++
++    local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_delete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
++    eval echo "$cmd"
++    out=$(eval "$cmd")
++    ret=$?
++
++    # Check for smbclient error.
++    if [ $ret != 0 ] ; then
++        echo "Failed accessing share veto_files_delete - $ret"
++        echo "$out"
++        return 1
++    fi
++
++    # We should only see the dfs_link file.
++    echo "$out" | grep dfs_link
++    ret=$?
++    if [ $ret -ne 0 ] ; then
++       echo "Failed to see dfs_link in share veto_files_delete"
++       echo "$out"
++       return 1
++    fi
++
++    # Now remove the dfs_link file.
++    rm -rf "$msdfs_link_path"
++
++    # Try and remove the directory, should now succeed.
++    cat > "$tmpfile" <<EOF
++rd dir
++quit
++EOF
++
++    local cmd='CLI_FORCE_INTERACTIVE=yes $SMBCLIENT //$SERVER/veto_files_delete -U$USERNAME%$PASSWORD $ADDARGS < $tmpfile 2>&1'
++    eval echo "$cmd"
++    out=$(eval "$cmd")
++    ret=$?
++
++    # Check for smbclient error.
++    if [ $ret != 0 ] ; then
++        echo "Failed accessing share veto_files_delete - $ret"
++        echo "$out"
++        return 1
++    fi
++
++    # We should get no NT_STATUS_ errors.
++    echo "$out" | grep NT_STATUS_
++    ret=$?
++    if [ $ret -eq 0 ] ; then
++       echo "Got error NT_STATUS_ in share veto_files_delete"
++       echo "$out"
++       return 1
++    fi
++
++    return 0
++}
++
++testit "rmdir cannot delete directory containing a veto file" \
++   test_veto_nodelete_rmdir || failed=$(expr "$failed" + 1)
++
++rm -rf "$rmdir_path"
++
++testit "rmdir can delete directory containing a veto file" \
++   test_veto_delete_rmdir || failed=$(expr "$failed" + 1)
++
++rm -rf "$rmdir_path"
++
++exit "$failed"
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 651be239825..82f32ec4232 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -498,6 +498,9 @@ for env in ["fileserver"]:
+     plantestsuite("samba3.blackbox.smbclient_iconv.CORE", env + "_smb1_done",
+                   [os.path.join(samba3srcdir, "script/tests/test_smbclient_iconv.sh"),
+                    '$SERVER', '$SERVER_IP', 'bad_iconv', '$USERNAME', '$PASSWORD', smbclient3, '-mCORE'])
++    plantestsuite("samba3.blackbox.test_veto_rmdir", env,
++                  [os.path.join(samba3srcdir, "script/tests/test_veto_rmdir.sh"),
++                  '$SERVER', '$SERVER_IP', '$USERNAME', '$PASSWORD', '$LOCAL_PATH/veto', smbclient3])
+ 
+     #
+     # tar command tests
+-- 
+2.33.1
+

SPECS/samba.spec

@@ -108,7 +108,7 @@
 
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
-%global baserelease 7
+%global baserelease 9
 
 %global samba_version 4.14.5
 %global talloc_version 2.3.2
@@ -184,6 +184,11 @@ Patch3:         CVE-2020-25717.patch
 Patch4:         samba-4.14-krb5pac.patch
 Patch5:         samba-4.14-fix-winbind-no-trusted-domain.patch
 Patch6:         samba-4.14-IPA-DC-add-missing-checks.patch
+Patch7:         samba-4.14-recursive-delete-of-veto-files.patch
+Patch8:         samba-4.14-del-dir-with-dangling-symlinks.patch
+Patch9:         samba-4.14-fix-username-map-script.patch
+Patch10:        samba-4.14-fix-domain-join-segfault.patch
+Patch11:        CVE-2021-44142-v4.14.patch
 
 Requires(pre): /usr/sbin/groupadd
 Requires(post): systemd
@@ -3915,6 +3920,14 @@ fi
 %endif
 
 %changelog
+* Thu Jan 27 2022 Andreas Schneider <asn@redhat.com> - 4.14.5-9
+- resolves: rhbz#2046174 - Fix username map script regression of CVE-2020-25717
+- resolves: rhbz#2046160 - Fix possible segfault while joining a domain
+- resolves: rhbz#2046152 - Fix CVE-2021-44142
+
+* Thu Dec 02 2021 Pavel Filipenský <pfilipen@redhat.com> - 4.14.5-8
+- resolves: rhbz#2026717 - Dir containing dangling symlinks cannot be deleted
+
 * Mon Nov 22 2021 Andreas Schneider <asn@redhat.com> - 4.14.5-7
 - related: rhbz#2021171 - Fix CVE-2020-25717
 - Fix running ktest (selftest)