- CVE-2023-3961 CVE-2023-4091 CVE-2023-42669

2023-11-07 16:09:40 +03:00 · 2023-11-07 16:09:40 +03:00 · e8f41cd48b
parent 8e9d4aaa65
commit e8f41cd48b
13 changed files with 326 additions and 803 deletions
--- a/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
+++ b/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
@ -1,38 +0,0 @@
-From 5f87888ed53320538cf773d64868390d8641a40e Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 17:20:32 +0200
-Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities
- response level 2
-
-We don't have any documentation about this yet, but tests against
-a Windows Server 2022 patched with KB5028166 revealed that
-the response for query_level=2 is exactly the same as
-for querey_level=1.
-
-Until we know the reason for query_level=2 we won't
-use it as client nor support it in the server, but
-we want ndrdump to work.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
- librpc/idl/netlogon.idl | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
-index 48a8c8f9310..85dd73ee7e4 100644
--- a/librpc/idl/netlogon.idl
-+++ b/librpc/idl/netlogon.idl
-@@ -1236,6 +1236,7 @@ interface netlogon
- 	/* Function 0x15 */
- 	typedef [switch_type(uint32)] union {
- 		[case(1)] netr_NegotiateFlags server_capabilities;
-+		[case(2)] netr_NegotiateFlags server_capabilities;
- 	} netr_Capabilities;
- 
- 	NTSTATUS netr_LogonGetCapabilities(
-- 
-2.39.3
-
--- a/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
+++ b/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
@ -1,128 +0,0 @@
-From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 17:25:05 +0200
-Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check
- netr_LogonGetCapabilities with different levels
-
-The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
-for unsupported query_levels, we allow it to work with servers
-with or without support for query_level=2.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
- .../knownfail.d/netr_LogonGetCapabilities     |  3 +
- source4/torture/rpc/netlogon.c                | 77 ++++++++++++++++++-
- 2 files changed, 79 insertions(+), 1 deletion(-)
- create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
-
-diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
-new file mode 100644
-index 00000000000..30aadf3bb9d
--- /dev/null
-+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
-@@ -0,0 +1,3 @@
-+^samba3.rpc.schannel.*\.schannel\(nt4_dc
-+^samba3.rpc.schannel.*\.schannel\(ad_dc
-+^samba4.rpc.schannel.*\.schannel\(ad_dc
-diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
-index 1f068eb7826..a3d190f13dd 100644
--- a/source4/torture/rpc/netlogon.c
-+++ b/source4/torture/rpc/netlogon.c
-@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
- 	r.out.capabilities = &capabilities;
- 	r.out.return_authenticator = &return_auth;
- 
-	torture_comment(tctx, "Testing LogonGetCapabilities\n");
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n");
- 
-+	r.in.query_level = 0;
-+	ZERO_STRUCT(return_auth);
-+
-+	/*
-+	 * we need to operate on a temporary copy of creds
-+	 * because dcerpc_netr_LogonGetCapabilities with
-+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
-+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+	 * without looking a the authenticator.
-+	 */
-+	tmp_creds = *creds;
-+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
-+
-+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
-+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
-+				      "LogonGetCapabilities query_level=0 failed");
-+
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n");
-+
-+	r.in.query_level = 3;
-+	ZERO_STRUCT(return_auth);
-+
-+	/*
-+	 * we need to operate on a temporary copy of creds
-+	 * because dcerpc_netr_LogonGetCapabilities with
-+	 * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG
-+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+	 * without looking a the authenticator.
-+	 */
-+	tmp_creds = *creds;
-+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
-+
-+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
-+	torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE,
-+				      "LogonGetCapabilities query_level=0 failed");
-+
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n");
-+
-+	r.in.query_level = 1;
- 	ZERO_STRUCT(return_auth);
- 
- 	/*
-@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t
- 
- 	*creds = tmp_creds;
- 
-+	torture_assert(tctx, netlogon_creds_client_check(creds,
-+							 &r.out.return_authenticator->cred),
-+		       "Credential chaining failed");
-+
-+	torture_assert_int_equal(tctx, creds->negotiate_flags,
-+				 capabilities.server_capabilities,
-+				 "negotiate flags");
-+
-+	torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n");
-+
-+	r.in.query_level = 2;
-+	ZERO_STRUCT(return_auth);
-+
-+	/*
-+	 * we need to operate on a temporary copy of creds
-+	 * because dcerpc_netr_LogonGetCapabilities with
-+	 * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG
-+	 * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+	 * without looking a the authenticator.
-+	 */
-+	tmp_creds = *creds;
-+	netlogon_creds_client_authenticator(&tmp_creds, &auth);
-+
-+	status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r);
-+	if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) {
-+		/*
-+		 * an server without KB5028166 returns
-+		 * DCERPC_NCA_S_FAULT_INVALID_TAG =>
-+		 * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE
-+		 */
-+		return true;
-+	}
-+	torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed");
-+
-+	*creds = tmp_creds;
-+
- 	torture_assert(tctx, netlogon_creds_client_check(creds,
- 							 &r.out.return_authenticator->cred),
- 		       "Credential chaining failed");
-- 
-2.39.3
-
--- a/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+++ b/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
@ -1,89 +0,0 @@
-From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 16:11:48 +0200
-Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
- invalid netr_LogonGetCapabilities levels
-
-This is important as Windows clients with KB5028166 seem to
-call netr_LogonGetCapabilities with query_level=2 after
-a call with query_level=1.
-
-An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
-for query_level values other than 1.
-While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
-later fails to marshall the response, which results
-in DCERPC_FAULT_BAD_STUB_DATA instead.
-
-Because we don't have any documentation for level 2 yet,
-we just try to behave like an unpatched server and
-generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
-DCERPC_FAULT_BAD_STUB_DATA.
-Which allows patched Windows clients to keep working
-against a Samba DC.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
- .../knownfail.d/netr_LogonGetCapabilities     |  2 --
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++---
- 2 files changed, 24 insertions(+), 6 deletions(-)
-
-diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
-index 30aadf3bb9d..99c7ac711ed 100644
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
-+++ b/selftest/knownfail.d/netr_LogonGetCapabilities
-@@ -1,3 +1 @@
- ^samba3.rpc.schannel.*\.schannel\(nt4_dc
-^samba3.rpc.schannel.*\.schannel\(ad_dc
-^samba4.rpc.schannel.*\.schannel\(ad_dc
-diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-index 6ccba65d3bf..dc2167f08b2 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- 	struct netlogon_creds_CredentialState *creds;
- 	NTSTATUS status;
- 
-+	switch (r->in.query_level) {
-+	case 1:
-+		break;
-+	case 2:
-+		/*
-+		 * Until we know the details behind KB5028166
-+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
-+		 * like an unpatched Windows Server.
-+		 */
-+		FALL_THROUGH;
-+	default:
-+		/*
-+		 * There would not be a way to marshall the
-+		 * the response. Which would mean our final
-+		 * ndr_push would fail an we would return
-+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
-+		 *
-+		 * But it's important to match a Windows server
-+		 * especially before KB5028166, see also our bug #15418
-+		 * Otherwise Windows client would stop talking to us.
-+		 */
-+		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
-+	}
-+
- 	status = dcesrv_netr_creds_server_step_check(dce_call,
- 						     mem_ctx,
- 						     r->in.computer_name,
-@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- 	}
- 	NT_STATUS_NOT_OK_RETURN(status);
- 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
- 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
- 
- 	return NT_STATUS_OK;
-- 
-2.39.3
-
--- a/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
+++ b/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
@ -1,93 +0,0 @@
-From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001
-From: Stefan Metzmacher <metze@samba.org>
-Date: Sat, 15 Jul 2023 16:11:48 +0200
-Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
- invalid netr_LogonGetCapabilities levels
-
-This is important as Windows clients with KB5028166 seem to
-call netr_LogonGetCapabilities with query_level=2 after
-a call with query_level=1.
-
-An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
-for query_level values other than 1.
-While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
-later fails to marshall the response, which results
-in DCERPC_FAULT_BAD_STUB_DATA instead.
-
-Because we don't have any documentation for level 2 yet,
-we just try to behave like an unpatched server and
-generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
-DCERPC_FAULT_BAD_STUB_DATA.
-Which allows patched Windows clients to keep working
-against a Samba DC.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
-
-Signed-off-by: Stefan Metzmacher <metze@samba.org>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-
-Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
-Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
---
- .../knownfail.d/netr_LogonGetCapabilities     |  1 -
- source3/rpc_server/netlogon/srv_netlog_nt.c   | 29 ++++++++++++++++---
- 2 files changed, 25 insertions(+), 5 deletions(-)
- delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities
-
-diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities
-deleted file mode 100644
-index 99c7ac711ed..00000000000
--- a/selftest/knownfail.d/netr_LogonGetCapabilities
-+++ /dev/null
-@@ -1 +0,0 @@
-^samba3.rpc.schannel.*\.schannel\(nt4_dc
-diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
-index 3ba58e61206..e8aa14167fc 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- 	struct netlogon_creds_CredentialState *creds;
- 	NTSTATUS status;
- 
-+	switch (r->in.query_level) {
-+	case 1:
-+		break;
-+	case 2:
-+		/*
-+		 * Until we know the details behind KB5028166
-+		 * just return DCERPC_NCA_S_FAULT_INVALID_TAG
-+		 * like an unpatched Windows Server.
-+		 */
-+		FALL_THROUGH;
-+	default:
-+		/*
-+		 * There would not be a way to marshall the
-+		 * the response. Which would mean our final
-+		 * ndr_push would fail an we would return
-+		 * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA.
-+		 *
-+		 * But it's important to match a Windows server
-+		 * especially before KB5028166, see also our bug #15418
-+		 * Otherwise Windows client would stop talking to us.
-+		 */
-+		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
-+		return NT_STATUS_NOT_SUPPORTED;
-+	}
-+
- 	become_root();
- 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
- 						p->mem_ctx,
-@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- 		return status;
- 	}
- 
-	if (r->in.query_level != 1) {
-		return NT_STATUS_NOT_SUPPORTED;
-	}
-
- 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
- 
- 	return NT_STATUS_OK;
-- 
-2.39.3
-
--- a/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
+++ b/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
@ -1,137 +0,0 @@
-From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 12:46:31 +0200
-Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory
- signing
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- .../samba3.smb2.session-require-signing       |  1 +
- selftest/target/Samba3.pm                     |  1 +
- source3/selftest/tests.py                     |  2 +
- source4/torture/smb2/session.c                | 64 +++++++++++++++++++
- source4/torture/smb2/smb2.c                   |  1 +
- 5 files changed, 69 insertions(+)
- create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
-
-diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
-new file mode 100644
-index 00000000000..53b7a7022a8
--- /dev/null
-+++ b/selftest/knownfail.d/samba3.smb2.session-require-signing
-@@ -0,0 +1 @@
-+^samba3.smb2.session-require-signing.bug15397
-diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
-index d9e17473615..b4c3c130e9a 100755
--- a/selftest/target/Samba3.pm
-+++ b/selftest/target/Samba3.pm
-@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid
- 	# values required for tests to succeed
- 	create krb5 conf = no
-         map to guest = bad user
-+	server signing = required
- ";
- 
- 	my $ret = $self->provision(
-diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
-index b069630605a..d2b5409d0a9 100755
--- a/source3/selftest/tests.py
-+++ b/source3/selftest/tests.py
-@@ -1097,6 +1097,8 @@ for t in tests:
-         # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf,
-         # ad_member_idmap_rid sets "create krb5.conf = no"
-         plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5')
-+    elif t == "smb2.session-require-signing":
-+        plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD')
-     elif t == "rpc.lsa":
-         plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ')
-         plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ')
-diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
-index 51df51542d4..823304f190f 100644
--- a/source4/torture/smb2/session.c
-+++ b/source4/torture/smb2/session.c
-@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
- 
- 	return suite;
- }
-+
-+static bool test_session_require_sign_bug15397(struct torture_context *tctx,
-+					       struct smb2_tree *_tree)
-+{
-+	const char *host = torture_setting_string(tctx, "host", NULL);
-+	const char *share = torture_setting_string(tctx, "share", NULL);
-+	struct cli_credentials *_creds = samba_cmdline_get_creds();
-+	struct cli_credentials *creds = NULL;
-+	struct smbcli_options options;
-+	struct smb2_tree *tree = NULL;
-+	uint8_t security_mode;
-+	NTSTATUS status;
-+	bool ok = true;
-+
-+	/*
-+	 * Setup our own connection so we can control the signing flags
-+	 */
-+
-+	creds = cli_credentials_shallow_copy(tctx, _creds);
-+	torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy");
-+
-+	options = _tree->session->transport->options;
-+	options.client_guid = GUID_random();
-+	options.signing = SMB_SIGNING_IF_REQUIRED;
-+
-+	status = smb2_connect(tctx,
-+			      host,
-+			      lpcfg_smb_ports(tctx->lp_ctx),
-+			      share,
-+			      lpcfg_resolve_context(tctx->lp_ctx),
-+			      creds,
-+			      &tree,
-+			      tctx->ev,
-+			      &options,
-+			      lpcfg_socket_options(tctx->lp_ctx),
-+			      lpcfg_gensec_settings(tctx, tctx->lp_ctx));
-+	torture_assert_ntstatus_ok_goto(tctx, status, ok, done,
-+					"smb2_connect failed");
-+
-+	security_mode = smb2cli_session_security_mode(tree->session->smbXcli);
-+
-+	torture_assert_int_equal_goto(
-+		tctx,
-+		security_mode,
-+		SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED,
-+		ok,
-+		done,
-+		"Signing not required");
-+
-+done:
-+	return ok;
-+}
-+
-+struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx)
-+{
-+	struct torture_suite *suite =
-+	    torture_suite_create(ctx, "session-require-signing");
-+
-+	torture_suite_add_1smb2_test(suite, "bug15397",
-+				     test_session_require_sign_bug15397);
-+
-+	suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests");
-+	return suite;
-+}
-diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c
-index c595b108ce8..5b6477e47bc 100644
--- a/source4/torture/smb2/smb2.c
-+++ b/source4/torture/smb2/smb2.c
-@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx)
- 	torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite));
- 	torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock);
- 	torture_suite_add_suite(suite, torture_smb2_session_init(suite));
-+	torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite));
- 	torture_suite_add_suite(suite, torture_smb2_replay_init(suite));
- 	torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode);
- 	torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode);
-- 
-2.39.3
-
--- a/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
+++ b/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
@ -1,131 +0,0 @@
-From 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 21 Jun 2023 15:06:12 +0200
-Subject: [PATCH 2/5] CVE-2023-3347: smbd: pass lp_ctx to
- smb[1|2]_srv_init_signing()
-
-No change in behaviour.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- source3/smbd/proto.h        |  3 ++-
- source3/smbd/smb1_signing.c | 10 ++--------
- source3/smbd/smb1_signing.h |  3 ++-
- source3/smbd/smb2_signing.c | 25 +++++++++++++++----------
- 4 files changed, 21 insertions(+), 20 deletions(-)
-
-diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
-index a39f0a2edfa..3884617e77b 100644
--- a/source3/smbd/proto.h
-+++ b/source3/smbd/proto.h
-@@ -52,7 +52,8 @@ struct dcesrv_context;
- 
- /* The following definitions come from smbd/smb2_signing.c */
- 
-bool smb2_srv_init_signing(struct smbXsrv_connection *conn);
-+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn);
- bool srv_init_signing(struct smbXsrv_connection *conn);
- 
- /* The following definitions come from smbd/aio.c  */
-diff --git a/source3/smbd/smb1_signing.c b/source3/smbd/smb1_signing.c
-index 6bcb0629c4f..aa3027d5318 100644
--- a/source3/smbd/smb1_signing.c
-+++ b/source3/smbd/smb1_signing.c
-@@ -170,18 +170,13 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr)
-  Called by server negprot when signing has been negotiated.
- ************************************************************/
- 
-bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
-+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn)
- {
- 	bool allowed = true;
- 	bool desired;
- 	bool mandatory = false;
- 
-	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
-	if (lp_ctx == NULL) {
-		DEBUG(10, ("loadparm_init_s3 failed\n"));
-		return false;
-	}
-
- 	/*
- 	 * if the client and server allow signing,
- 	 * we desire to use it.
-@@ -195,7 +190,6 @@ bool smb1_srv_init_signing(struct smbXsrv_connection *conn)
- 	 */
- 
- 	desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory);
-	talloc_unlink(conn, lp_ctx);
- 
- 	if (lp_async_smb_echo_handler()) {
- 		struct smbd_shm_signing *s;
-diff --git a/source3/smbd/smb1_signing.h b/source3/smbd/smb1_signing.h
-index 56c59c5bbc2..26f60420dfa 100644
--- a/source3/smbd/smb1_signing.h
-+++ b/source3/smbd/smb1_signing.h
-@@ -33,4 +33,5 @@ bool smb1_srv_is_signing_negotiated(struct smbXsrv_connection *conn);
- void smb1_srv_set_signing(struct smbXsrv_connection *conn,
- 		     const DATA_BLOB user_session_key,
- 		     const DATA_BLOB response);
-bool smb1_srv_init_signing(struct smbXsrv_connection *conn);
-+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn);
-diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
-index 4691ef4d613..c1f876f9cd7 100644
--- a/source3/smbd/smb2_signing.c
-+++ b/source3/smbd/smb2_signing.c
-@@ -26,32 +26,37 @@
- #include "lib/param/param.h"
- #include "smb2_signing.h"
- 
-bool smb2_srv_init_signing(struct smbXsrv_connection *conn)
-+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-+			   struct smbXsrv_connection *conn)
- {
-	struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
-	if (lp_ctx == NULL) {
-		DBG_DEBUG("loadparm_init_s3 failed\n");
-		return false;
-	}
-
- 	/*
- 	 * For SMB2 all we need to know is if signing is mandatory.
- 	 * It is always allowed and desired, whatever the smb.conf says.
- 	 */
- 	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-	talloc_unlink(conn, lp_ctx);
- 	return true;
- }
- 
- bool srv_init_signing(struct smbXsrv_connection *conn)
- {
-+	struct loadparm_context *lp_ctx = NULL;
-+	bool ok;
-+
-+	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
-+	if (lp_ctx == NULL) {
-+		DBG_DEBUG("loadparm_init_s3 failed\n");
-+		return false;
-+	}
-+
- #if defined(WITH_SMB1SERVER)
- 	if (conn->protocol >= PROTOCOL_SMB2_02) {
- #endif
-		return smb2_srv_init_signing(conn);
-+		ok = smb2_srv_init_signing(lp_ctx, conn);
- #if defined(WITH_SMB1SERVER)
- 	} else {
-		return smb1_srv_init_signing(conn);
-+		ok = smb1_srv_init_signing(lp_ctx, conn);
- 	}
- #endif
-+	talloc_unlink(conn, lp_ctx);
-+	return ok;
- }
-- 
-2.39.3
-
--- a/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
+++ b/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
@ -1,73 +0,0 @@
-From 59131d6c345864dcf1ed3331c52ce35ddc5db2dc Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Wed, 21 Jun 2023 15:10:58 +0200
-Subject: [PATCH 3/5] CVE-2023-3347: smbd: inline smb2_srv_init_signing() code
- in srv_init_signing()
-
-It's now a one-line function, imho the overall code is simpler if that code is
-just inlined.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- source3/smbd/proto.h        |  2 --
- source3/smbd/smb2_signing.c | 19 ++++++-------------
- 2 files changed, 6 insertions(+), 15 deletions(-)
-
-diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
-index 3884617e77b..78e1b48be09 100644
--- a/source3/smbd/proto.h
-+++ b/source3/smbd/proto.h
-@@ -52,8 +52,6 @@ struct dcesrv_context;
- 
- /* The following definitions come from smbd/smb2_signing.c */
- 
-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-			   struct smbXsrv_connection *conn);
- bool srv_init_signing(struct smbXsrv_connection *conn);
- 
- /* The following definitions come from smbd/aio.c  */
-diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
-index c1f876f9cd7..ef4a54d5710 100644
--- a/source3/smbd/smb2_signing.c
-+++ b/source3/smbd/smb2_signing.c
-@@ -26,21 +26,10 @@
- #include "lib/param/param.h"
- #include "smb2_signing.h"
- 
-bool smb2_srv_init_signing(struct loadparm_context *lp_ctx,
-			   struct smbXsrv_connection *conn)
-{
-	/*
-	 * For SMB2 all we need to know is if signing is mandatory.
-	 * It is always allowed and desired, whatever the smb.conf says.
-	 */
-	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-	return true;
-}
-
- bool srv_init_signing(struct smbXsrv_connection *conn)
- {
- 	struct loadparm_context *lp_ctx = NULL;
-	bool ok;
-+	bool ok = true;
- 
- 	lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers());
- 	if (lp_ctx == NULL) {
-@@ -51,7 +40,11 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
- #if defined(WITH_SMB1SERVER)
- 	if (conn->protocol >= PROTOCOL_SMB2_02) {
- #endif
-		ok = smb2_srv_init_signing(lp_ctx, conn);
-+		/*
-+		 * For SMB2 all we need to know is if signing is mandatory.
-+		 * It is always allowed and desired, whatever the smb.conf says.
-+		 */
-+		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
- #if defined(WITH_SMB1SERVER)
- 	} else {
- 		ok = smb1_srv_init_signing(lp_ctx, conn);
-- 
-2.39.3
-
--- a/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
+++ b/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
@ -1,36 +0,0 @@
-From 5a222ac37183ba5dd717d81c7e57f78e59695a67 Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 18:13:23 +0200
-Subject: [PATCH 4/5] CVE-2023-3347: smbd: remove comment in
- smbd_smb2_request_process_negprot()
-
-This is just going to bitrot. Anyone who's interested can just grep for
-"signing_mandatory" and look up what it does.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
---
- source3/smbd/smb2_negprot.c | 6 ------
- 1 file changed, 6 deletions(-)
-
-diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c
-index 9d4ce160e5c..885769be24d 100644
--- a/source3/smbd/smb2_negprot.c
-+++ b/source3/smbd/smb2_negprot.c
-@@ -368,12 +368,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
- 	}
- 
- 	security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
-	/*
-	 * We use xconn->smb2.signing_mandatory set up via
-	 * srv_init_signing() -> smb2_srv_init_signing().
-	 * This calls lpcfg_server_signing_allowed() to get the correct
-	 * defaults, e.g. signing_required for an ad_dc.
-	 */
- 	if (xconn->smb2.signing_mandatory) {
- 		security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
- 	}
-- 
-2.39.3
-
--- a/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch
+++ b/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch
@ -1,63 +0,0 @@
-From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001
-From: Ralph Boehme <slow@samba.org>
-Date: Tue, 20 Jun 2023 15:33:02 +0200
-Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory"
-
-This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when
-calling srv_init_signing() very early after accepting the connection in
-smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
-
-Signed-off-by: Ralph Boehme <slow@samba.org>
-
-Autobuild-User(master): Jule Anger <janger@samba.org>
-Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224
---
- .../samba3.smb2.session-require-signing       |  1 -
- source3/smbd/smb2_signing.c                   | 19 ++++++++-----------
- 2 files changed, 8 insertions(+), 12 deletions(-)
- delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing
-
-diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing
-deleted file mode 100644
-index 53b7a7022a8..00000000000
--- a/selftest/knownfail.d/samba3.smb2.session-require-signing
-+++ /dev/null
-@@ -1 +0,0 @@
-^samba3.smb2.session-require-signing.bug15397
-diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c
-index ef4a54d5710..73d07380dfa 100644
--- a/source3/smbd/smb2_signing.c
-+++ b/source3/smbd/smb2_signing.c
-@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn)
- 		return false;
- 	}
- 
-+	/*
-+	 * For SMB2 all we need to know is if signing is mandatory.
-+	 * It is always allowed and desired, whatever the smb.conf says.
-+	 */
-+	(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-+
- #if defined(WITH_SMB1SERVER)
-	if (conn->protocol >= PROTOCOL_SMB2_02) {
-#endif
-		/*
-		 * For SMB2 all we need to know is if signing is mandatory.
-		 * It is always allowed and desired, whatever the smb.conf says.
-		 */
-		(void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory);
-#if defined(WITH_SMB1SERVER)
-	} else {
-		ok = smb1_srv_init_signing(lp_ctx, conn);
-	}
-+	ok = smb1_srv_init_signing(lp_ctx, conn);
- #endif
-+
- 	talloc_unlink(conn, lp_ctx);
- 	return ok;
- }
-- 
-2.39.3
-
--- a/SOURCES/CVE-2023-3961.patch
+++ b/SOURCES/CVE-2023-3961.patch
@ -0,0 +1,45 @@
+From ae476e1c28b797fe221172ed1066bf8efa476d8d Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 25 Jul 2023 17:41:04 -0700
+Subject: [PATCH] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
+ could exit socket_dir.
+
+For now, SMB_ASSERT() to exit the server. We will remove
+this once the test code is in place.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/rpc_client/local_np.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
+index 0e912d0e35a..dfed7e7beb6 100644
+--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
+@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
+ 		return tevent_req_post(req, ev);
+ 	}
+ 
+	/*
+	 * Ensure we cannot process a path that exits
+	 * the socket_dir.
+	 */
+	if (ISDOTDOT(lower_case_pipename) ||
+	    (strchr(lower_case_pipename, '/')!=NULL))
+	{
+		DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
+			lower_case_pipename);
+		/*
+		 * For now, panic the server until we have
+		 * the test code in place.
+		 */
+		SMB_ASSERT(false);
+		tevent_req_error(req, ENOENT);
+		return tevent_req_post(req, ev);
+	}
+
+ 	state->socketpath = talloc_asprintf(
+ 		state, "%s/np/%s", socket_dir, lower_case_pipename);
+ 	if (tevent_req_nomem(state->socketpath, req)) {
--- a/SOURCES/CVE-2023-4091.patch
+++ b/SOURCES/CVE-2023-4091.patch
@ -0,0 +1,183 @@
+From b1fd65694185c26f1e196d84ee8756300e631bd5 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 12:30:00 +0200
+Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on
+ read-only file
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/samba3.smb2.acls |   1 +
+ source4/torture/smb2/acls.c           | 143 ++++++++++++++++++++++++++
+ 2 files changed, 144 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba3.smb2.acls
+
+diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
+new file mode 100644
+index 00000000000..18df260c0e5
+--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.acls
+@@ -0,0 +1 @@
+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
+diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
+index bbf201bcf4b..53f482c5541 100644
+--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
+@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
+ 	return ret;
+ }
+ 
+static bool test_overwrite_read_only_file(struct torture_context *tctx,
+					  struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	struct smb2_create c;
+	const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
+	struct smb2_handle handle = {{0}};
+	union smb_fileinfo q;
+	union smb_setfileinfo set;
+	struct security_descriptor *sd = NULL, *sd_orig = NULL;
+	const char *owner_sid = NULL;
+	int i;
+	bool ret = true;
+
+	struct tcase {
+		int disposition;
+		const char *disposition_string;
+		NTSTATUS expected_status;
+	} tcases[] = {
+#define TCASE(d, s) {				\
+		.disposition = d,		\
+		.disposition_string = #d,	\
+		.expected_status = s,		\
+	}
+		TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
+		TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
+		TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
+		TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
+	};
+#undef TCASE
+
+	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+	torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
+
+	c = (struct smb2_create) {
+		.in.desired_access = SEC_STD_READ_CONTROL |
+			SEC_STD_WRITE_DAC |
+			SEC_STD_WRITE_OWNER,
+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+		.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+			NTCREATEX_SHARE_ACCESS_WRITE,
+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+		.in.fname = fname,
+	};
+
+	status = smb2_create(tree, tctx, &c);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_create failed\n");
+	handle = c.out.file.handle;
+
+	torture_comment(tctx, "get the original sd\n");
+
+	ZERO_STRUCT(q);
+	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+	q.query_secdesc.in.file.handle = handle;
+	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
+
+	status = smb2_getinfo_file(tree, tctx, &q);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_getinfo_file failed\n");
+	sd_orig = q.query_secdesc.out.sd;
+
+	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+	sd = security_descriptor_dacl_create(tctx,
+					0, NULL, NULL,
+					owner_sid,
+					SEC_ACE_TYPE_ACCESS_ALLOWED,
+					SEC_FILE_READ_DATA,
+					0,
+					NULL);
+
+	ZERO_STRUCT(set);
+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+	set.set_secdesc.in.file.handle = handle;
+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+	set.set_secdesc.in.sd = sd;
+
+	status = smb2_setinfo_file(tree, &set);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_setinfo_file failed\n");
+
+	smb2_util_close(tree, handle);
+	ZERO_STRUCT(handle);
+
+	for (i = 0; i < ARRAY_SIZE(tcases); i++) {
+		torture_comment(tctx, "Verify open with %s dispostion\n",
+				tcases[i].disposition_string);
+
+		c = (struct smb2_create) {
+			.in.create_disposition = tcases[i].disposition,
+			.in.desired_access = SEC_FILE_READ_DATA,
+			.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+			.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+			.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+			.in.fname = fname,
+		};
+
+		status = smb2_create(tree, tctx, &c);
+		smb2_util_close(tree, c.out.file.handle);
+		torture_assert_ntstatus_equal_goto(
+			tctx, status, tcases[i].expected_status, ret, done,
+			"smb2_create failed\n");
+	};
+
+	torture_comment(tctx, "put back original sd\n");
+
+	c = (struct smb2_create) {
+		.in.desired_access = SEC_STD_WRITE_DAC,
+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+		.in.fname = fname,
+	};
+
+	status = smb2_create(tree, tctx, &c);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_create failed\n");
+	handle = c.out.file.handle;
+
+	ZERO_STRUCT(set);
+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+	set.set_secdesc.in.file.handle = handle;
+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+	set.set_secdesc.in.sd = sd_orig;
+
+	status = smb2_setinfo_file(tree, &set);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_setinfo_file failed\n");
+
+	smb2_util_close(tree, handle);
+	ZERO_STRUCT(handle);
+
+done:
+	smb2_util_close(tree, handle);
+	smb2_util_unlink(tree, fname);
+	smb2_deltree(tree, BASEDIR);
+	return ret;
+}
+
+ /*
+    basic testing of SMB2 ACLs
+ */
+@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
+ 			test_deny1);
+ 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
+ 			test_mxac_not_granted);
+	torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
+ 
+ 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
+ 
--- a/SOURCES/CVE-2023-42669.patch
+++ b/SOURCES/CVE-2023-42669.patch
@ -0,0 +1,86 @@
+From 3cf1beed5df7d8b5d854517de7de322c6a5bc7fa Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 12 Sep 2023 18:59:44 +1200
+Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
+ default
+
+The rpcecho server is useful in development and testing, but should never
+have been allowed into production, as it includes the facility to
+do a blocking sleep() in the single-threaded rpc worker.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
+ lib/param/loadparm.c                                   | 2 +-
+ selftest/target/Samba4.pm                              | 2 +-
+ source3/param/loadparm.c                               | 2 +-
+ source4/rpc_server/wscript_build                       | 3 ++-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+index 8a217cc7f118..c6642b795fd6 100644
+--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+@@ -6,6 +6,6 @@
+ 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
+ </description>
+ 
+-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+ <value type="example">rpcecho</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 9a7ae4f95fe8..673b913e6e5a 100644
+--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
+@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
+ 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
+ 
+-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+ 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
+ 	/* the winbind method for domain controllers is for both RODC
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 49e3c174b07e..5f1f1bfffad6 100755
+--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
+@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
+ 	wins support = yes
+ 	server role = $ctx->{server_role}
+ 	server services = +echo $services
+-        dcerpc endpoint servers = +winreg +srvsvc
+        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
+ 	notify:inotify = false
+ 	ldb:nosync = true
+ 	ldap server require strong auth = yes
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 1c3644589126..e7f4bbe3995e 100644
+--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
+@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 
+ 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
+ 
+-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+ 
+ 	Globals.tls_enabled = true;
+ 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
+diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
+index 0e44a3c2baed..31ec4f60c9a6 100644
+--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
+@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
+                  source='echo/rpc_echo.c',
+                  subsystem='dcerpc_server',
+                  init_function='dcerpc_server_rpcecho_init',
+-                 deps='ndr-standard events'
+                 deps='ndr-standard events',
+                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
+                  )
+ 
+ 
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@ -138,7 +138,7 @@
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")

 %global samba_version 4.18.6
-%global baserelease 100
+%global baserelease 101
 # This should be rc1 or %%nil
 %global pre_release %nil

@ -202,7 +202,7 @@

 Name:           samba
 Version:        %{samba_version}
-Release:        %{samba_release}%{?dist}.alma
+Release:        %{samba_release}%{?dist}.alma.1

 %if 0%{?fedora}
 Epoch:          2
@ -234,19 +234,13 @@ Source17:       samba-usershares-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore

-# Patches were taken from upstream and backported
-# https://github.com/samba-team/samba/commit/dfeabce44fbb78083fbbb2aa634fc4172cf83db9
-Patch0001: 0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch
-Patch0002: 0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch
-Patch0003: 0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
-Patch0004: 0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch
-
-# https://github.com/samba-team/samba/commit/9bab902fc50f88869b253c4089d83b3e33a1075a
-Patch0005: 0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch
-Patch0006: 0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch
-Patch0007: 0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch
-Patch0008: 0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch
-Patch0009: 0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch 
+# Patches were taken from upstream:
+# https://github.com/samba-team/samba/commit/ae476e1c28b797fe221172ed1066bf8efa476d8d
+Patch0: CVE-2023-3961.patch
+# https://github.com/samba-team/samba/commit/b1fd65694185c26f1e196d84ee8756300e631bd5
+Patch1: CVE-2023-4091.patch
+# https://github.com/samba-team/samba/commit/3cf1beed5df7d8b5d854517de7de322c6a5bc7fa
+Patch2: CVE-2023-42669.patch

 Requires(pre): /usr/sbin/groupadd

@ -4342,6 +4336,9 @@ fi
 %endif

 %changelog
+* Tue Nov 07 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.6-101.alma.1
+- CVE-2023-3961 CVE-2023-4091 CVE-2023-42669
+
 * Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-100
 - related: rhbz#2190415 - Update to version 4.18.6
 - resolves: rhbz#2211617 - Fix the rpcclient dfsgetinfo command