From e8f41cd48b634effa9a5e15f5e1c8a8b53a6ad5b Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 7 Nov 2023 16:09:40 +0300 Subject: [PATCH] - CVE-2023-3961 CVE-2023-4091 CVE-2023-42669 --- ...-support-for-netr_LogonGetCapabiliti.patch | 38 ---- ...et-rpc.schannel-also-check-netr_Logo.patch | 128 ------------ ...tlogon-generate-FAULT_INVALID_TAG-fo.patch | 89 --------- ...tlogon-generate-FAULT_INVALID_TAG-fo.patch | 93 --------- ...-add-a-test-for-server-side-mandator.patch | 137 ------------- ...bd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch | 131 ------------- ...bd-inline-smb2_srv_init_signing-code.patch | 73 ------- ...bd-remove-comment-in-smbd_smb2_reque.patch | 36 ---- ...47-smbd-fix-server-signing-mandatory.patch | 63 ------ SOURCES/CVE-2023-3961.patch | 45 +++++ SOURCES/CVE-2023-4091.patch | 183 ++++++++++++++++++ SOURCES/CVE-2023-42669.patch | 86 ++++++++ SPECS/samba.spec | 27 ++- 13 files changed, 326 insertions(+), 803 deletions(-) delete mode 100644 SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch delete mode 100644 SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch delete mode 100644 SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch delete mode 100644 SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch delete mode 100644 SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch delete mode 100644 SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch delete mode 100644 SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch delete mode 100644 SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch delete mode 100644 SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch create mode 100644 SOURCES/CVE-2023-3961.patch create mode 100644 SOURCES/CVE-2023-4091.patch create mode 100644 SOURCES/CVE-2023-42669.patch diff --git a/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch b/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch deleted file mode 100644 index adf158b..0000000 --- a/SOURCES/0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 5f87888ed53320538cf773d64868390d8641a40e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 15 Jul 2023 17:20:32 +0200 -Subject: [PATCH 1/4] netlogon.idl: add support for netr_LogonGetCapabilities - response level 2 - -We don't have any documentation about this yet, but tests against -a Windows Server 2022 patched with KB5028166 revealed that -the response for query_level=2 is exactly the same as -for querey_level=1. - -Until we know the reason for query_level=2 we won't -use it as client nor support it in the server, but -we want ndrdump to work. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - librpc/idl/netlogon.idl | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl -index 48a8c8f9310..85dd73ee7e4 100644 ---- a/librpc/idl/netlogon.idl -+++ b/librpc/idl/netlogon.idl -@@ -1236,6 +1236,7 @@ interface netlogon - /* Function 0x15 */ - typedef [switch_type(uint32)] union { - [case(1)] netr_NegotiateFlags server_capabilities; -+ [case(2)] netr_NegotiateFlags server_capabilities; - } netr_Capabilities; - - NTSTATUS netr_LogonGetCapabilities( --- -2.39.3 - diff --git a/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch b/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch deleted file mode 100644 index 608a91d..0000000 --- a/SOURCES/0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch +++ /dev/null @@ -1,128 +0,0 @@ -From 404ce08e9088968311c714e756f5d58ce2cef715 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 15 Jul 2023 17:25:05 +0200 -Subject: [PATCH 2/4] s4:torture/rpc: let rpc.schannel also check - netr_LogonGetCapabilities with different levels - -The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG -for unsupported query_levels, we allow it to work with servers -with or without support for query_level=2. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - .../knownfail.d/netr_LogonGetCapabilities | 3 + - source4/torture/rpc/netlogon.c | 77 ++++++++++++++++++- - 2 files changed, 79 insertions(+), 1 deletion(-) - create mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities - -diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities -new file mode 100644 -index 00000000000..30aadf3bb9d ---- /dev/null -+++ b/selftest/knownfail.d/netr_LogonGetCapabilities -@@ -0,0 +1,3 @@ -+^samba3.rpc.schannel.*\.schannel\(nt4_dc -+^samba3.rpc.schannel.*\.schannel\(ad_dc -+^samba4.rpc.schannel.*\.schannel\(ad_dc -diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c -index 1f068eb7826..a3d190f13dd 100644 ---- a/source4/torture/rpc/netlogon.c -+++ b/source4/torture/rpc/netlogon.c -@@ -2056,8 +2056,47 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t - r.out.capabilities = &capabilities; - r.out.return_authenticator = &return_auth; - -- torture_comment(tctx, "Testing LogonGetCapabilities\n"); -+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=0\n"); - -+ r.in.query_level = 0; -+ ZERO_STRUCT(return_auth); -+ -+ /* -+ * we need to operate on a temporary copy of creds -+ * because dcerpc_netr_LogonGetCapabilities with -+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG -+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE -+ * without looking a the authenticator. -+ */ -+ tmp_creds = *creds; -+ netlogon_creds_client_authenticator(&tmp_creds, &auth); -+ -+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); -+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE, -+ "LogonGetCapabilities query_level=0 failed"); -+ -+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=3\n"); -+ -+ r.in.query_level = 3; -+ ZERO_STRUCT(return_auth); -+ -+ /* -+ * we need to operate on a temporary copy of creds -+ * because dcerpc_netr_LogonGetCapabilities with -+ * an unknown query level returns DCERPC_NCA_S_FAULT_INVALID_TAG -+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE -+ * without looking a the authenticator. -+ */ -+ tmp_creds = *creds; -+ netlogon_creds_client_authenticator(&tmp_creds, &auth); -+ -+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); -+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE, -+ "LogonGetCapabilities query_level=0 failed"); -+ -+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=1\n"); -+ -+ r.in.query_level = 1; - ZERO_STRUCT(return_auth); - - /* -@@ -2077,6 +2116,42 @@ bool test_netlogon_capabilities(struct dcerpc_pipe *p, struct torture_context *t - - *creds = tmp_creds; - -+ torture_assert(tctx, netlogon_creds_client_check(creds, -+ &r.out.return_authenticator->cred), -+ "Credential chaining failed"); -+ -+ torture_assert_int_equal(tctx, creds->negotiate_flags, -+ capabilities.server_capabilities, -+ "negotiate flags"); -+ -+ torture_comment(tctx, "Testing LogonGetCapabilities with query_level=2\n"); -+ -+ r.in.query_level = 2; -+ ZERO_STRUCT(return_auth); -+ -+ /* -+ * we need to operate on a temporary copy of creds -+ * because dcerpc_netr_LogonGetCapabilities with -+ * an query level 2 may returns DCERPC_NCA_S_FAULT_INVALID_TAG -+ * => NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE -+ * without looking a the authenticator. -+ */ -+ tmp_creds = *creds; -+ netlogon_creds_client_authenticator(&tmp_creds, &auth); -+ -+ status = dcerpc_netr_LogonGetCapabilities_r(b, tctx, &r); -+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE)) { -+ /* -+ * an server without KB5028166 returns -+ * DCERPC_NCA_S_FAULT_INVALID_TAG => -+ * NT_STATUS_RPC_ENUM_VALUE_OUT_OF_RANGE -+ */ -+ return true; -+ } -+ torture_assert_ntstatus_ok(tctx, status, "LogonGetCapabilities query_level=2 failed"); -+ -+ *creds = tmp_creds; -+ - torture_assert(tctx, netlogon_creds_client_check(creds, - &r.out.return_authenticator->cred), - "Credential chaining failed"); --- -2.39.3 - diff --git a/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch b/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch deleted file mode 100644 index febbea8..0000000 --- a/SOURCES/0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch +++ /dev/null @@ -1,89 +0,0 @@ -From d5f1097b6220676d56ed5fc6707acf667b704518 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 15 Jul 2023 16:11:48 +0200 -Subject: [PATCH 3/4] s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for - invalid netr_LogonGetCapabilities levels - -This is important as Windows clients with KB5028166 seem to -call netr_LogonGetCapabilities with query_level=2 after -a call with query_level=1. - -An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG -for query_level values other than 1. -While Samba tries to return NT_STATUS_NOT_SUPPORTED, but -later fails to marshall the response, which results -in DCERPC_FAULT_BAD_STUB_DATA instead. - -Because we don't have any documentation for level 2 yet, -we just try to behave like an unpatched server and -generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of -DCERPC_FAULT_BAD_STUB_DATA. -Which allows patched Windows clients to keep working -against a Samba DC. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett ---- - .../knownfail.d/netr_LogonGetCapabilities | 2 -- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++++++++++++++++--- - 2 files changed, 24 insertions(+), 6 deletions(-) - -diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities -index 30aadf3bb9d..99c7ac711ed 100644 ---- a/selftest/knownfail.d/netr_LogonGetCapabilities -+++ b/selftest/knownfail.d/netr_LogonGetCapabilities -@@ -1,3 +1 @@ - ^samba3.rpc.schannel.*\.schannel\(nt4_dc --^samba3.rpc.schannel.*\.schannel\(ad_dc --^samba4.rpc.schannel.*\.schannel\(ad_dc -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 6ccba65d3bf..dc2167f08b2 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -2364,6 +2364,30 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c - struct netlogon_creds_CredentialState *creds; - NTSTATUS status; - -+ switch (r->in.query_level) { -+ case 1: -+ break; -+ case 2: -+ /* -+ * Until we know the details behind KB5028166 -+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG -+ * like an unpatched Windows Server. -+ */ -+ FALL_THROUGH; -+ default: -+ /* -+ * There would not be a way to marshall the -+ * the response. Which would mean our final -+ * ndr_push would fail an we would return -+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. -+ * -+ * But it's important to match a Windows server -+ * especially before KB5028166, see also our bug #15418 -+ * Otherwise Windows client would stop talking to us. -+ */ -+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG); -+ } -+ - status = dcesrv_netr_creds_server_step_check(dce_call, - mem_ctx, - r->in.computer_name, -@@ -2375,10 +2399,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c - } - NT_STATUS_NOT_OK_RETURN(status); - -- if (r->in.query_level != 1) { -- return NT_STATUS_NOT_SUPPORTED; -- } -- - r->out.capabilities->server_capabilities = creds->negotiate_flags; - - return NT_STATUS_OK; --- -2.39.3 - diff --git a/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch b/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch deleted file mode 100644 index bdd2669..0000000 --- a/SOURCES/0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch +++ /dev/null @@ -1,93 +0,0 @@ -From dfeabce44fbb78083fbbb2aa634fc4172cf83db9 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Sat, 15 Jul 2023 16:11:48 +0200 -Subject: [PATCH 4/4] s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for - invalid netr_LogonGetCapabilities levels - -This is important as Windows clients with KB5028166 seem to -call netr_LogonGetCapabilities with query_level=2 after -a call with query_level=1. - -An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG -for query_level values other than 1. -While Samba tries to return NT_STATUS_NOT_SUPPORTED, but -later fails to marshall the response, which results -in DCERPC_FAULT_BAD_STUB_DATA instead. - -Because we don't have any documentation for level 2 yet, -we just try to behave like an unpatched server and -generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of -DCERPC_FAULT_BAD_STUB_DATA. -Which allows patched Windows clients to keep working -against a Samba DC. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Stefan Metzmacher -Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224 ---- - .../knownfail.d/netr_LogonGetCapabilities | 1 - - source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++++++++++++++++--- - 2 files changed, 25 insertions(+), 5 deletions(-) - delete mode 100644 selftest/knownfail.d/netr_LogonGetCapabilities - -diff --git a/selftest/knownfail.d/netr_LogonGetCapabilities b/selftest/knownfail.d/netr_LogonGetCapabilities -deleted file mode 100644 -index 99c7ac711ed..00000000000 ---- a/selftest/knownfail.d/netr_LogonGetCapabilities -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.rpc.schannel.*\.schannel\(nt4_dc -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 3ba58e61206..e8aa14167fc 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -2284,6 +2284,31 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, - struct netlogon_creds_CredentialState *creds; - NTSTATUS status; - -+ switch (r->in.query_level) { -+ case 1: -+ break; -+ case 2: -+ /* -+ * Until we know the details behind KB5028166 -+ * just return DCERPC_NCA_S_FAULT_INVALID_TAG -+ * like an unpatched Windows Server. -+ */ -+ FALL_THROUGH; -+ default: -+ /* -+ * There would not be a way to marshall the -+ * the response. Which would mean our final -+ * ndr_push would fail an we would return -+ * an RPC-level fault with DCERPC_FAULT_BAD_STUB_DATA. -+ * -+ * But it's important to match a Windows server -+ * especially before KB5028166, see also our bug #15418 -+ * Otherwise Windows client would stop talking to us. -+ */ -+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG; -+ return NT_STATUS_NOT_SUPPORTED; -+ } -+ - become_root(); - status = dcesrv_netr_creds_server_step_check(p->dce_call, - p->mem_ctx, -@@ -2296,10 +2321,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p, - return status; - } - -- if (r->in.query_level != 1) { -- return NT_STATUS_NOT_SUPPORTED; -- } -- - r->out.capabilities->server_capabilities = creds->negotiate_flags; - - return NT_STATUS_OK; --- -2.39.3 - diff --git a/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch b/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch deleted file mode 100644 index 92d7698..0000000 --- a/SOURCES/0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch +++ /dev/null @@ -1,137 +0,0 @@ -From a9a2b182df738fd283f820e162d189d20010ad63 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Tue, 20 Jun 2023 12:46:31 +0200 -Subject: [PATCH 1/5] CVE-2023-3347: CI: add a test for server-side mandatory - signing - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 - -Signed-off-by: Ralph Boehme ---- - .../samba3.smb2.session-require-signing | 1 + - selftest/target/Samba3.pm | 1 + - source3/selftest/tests.py | 2 + - source4/torture/smb2/session.c | 64 +++++++++++++++++++ - source4/torture/smb2/smb2.c | 1 + - 5 files changed, 69 insertions(+) - create mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing - -diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing -new file mode 100644 -index 00000000000..53b7a7022a8 ---- /dev/null -+++ b/selftest/knownfail.d/samba3.smb2.session-require-signing -@@ -0,0 +1 @@ -+^samba3.smb2.session-require-signing.bug15397 -diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm -index d9e17473615..b4c3c130e9a 100755 ---- a/selftest/target/Samba3.pm -+++ b/selftest/target/Samba3.pm -@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid - # values required for tests to succeed - create krb5 conf = no - map to guest = bad user -+ server signing = required - "; - - my $ret = $self->provision( -diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py -index b069630605a..d2b5409d0a9 100755 ---- a/source3/selftest/tests.py -+++ b/source3/selftest/tests.py -@@ -1097,6 +1097,8 @@ for t in tests: - # Certain tests fail when run against ad_member with MIT kerberos because the private krb5.conf overrides the provisioned lib/krb5.conf, - # ad_member_idmap_rid sets "create krb5.conf = no" - plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER/tmp -k yes -U$DC_USERNAME@$REALM%$DC_PASSWORD', 'krb5') -+ elif t == "smb2.session-require-signing": -+ plansmbtorture4testsuite(t, "ad_member_idmap_rid", '//$SERVER_IP/tmp -U$DC_USERNAME@$REALM%$DC_PASSWORD') - elif t == "rpc.lsa": - plansmbtorture4testsuite(t, "nt4_dc", '//$SERVER_IP/tmp -U$USERNAME%$PASSWORD', 'over ncacn_np ') - plansmbtorture4testsuite(t, "nt4_dc", 'ncacn_ip_tcp:$SERVER_IP -U$USERNAME%$PASSWORD', 'over ncacn_ip_tcp ') -diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c -index 51df51542d4..823304f190f 100644 ---- a/source4/torture/smb2/session.c -+++ b/source4/torture/smb2/session.c -@@ -5498,3 +5498,67 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx) - - return suite; - } -+ -+static bool test_session_require_sign_bug15397(struct torture_context *tctx, -+ struct smb2_tree *_tree) -+{ -+ const char *host = torture_setting_string(tctx, "host", NULL); -+ const char *share = torture_setting_string(tctx, "share", NULL); -+ struct cli_credentials *_creds = samba_cmdline_get_creds(); -+ struct cli_credentials *creds = NULL; -+ struct smbcli_options options; -+ struct smb2_tree *tree = NULL; -+ uint8_t security_mode; -+ NTSTATUS status; -+ bool ok = true; -+ -+ /* -+ * Setup our own connection so we can control the signing flags -+ */ -+ -+ creds = cli_credentials_shallow_copy(tctx, _creds); -+ torture_assert(tctx, creds != NULL, "cli_credentials_shallow_copy"); -+ -+ options = _tree->session->transport->options; -+ options.client_guid = GUID_random(); -+ options.signing = SMB_SIGNING_IF_REQUIRED; -+ -+ status = smb2_connect(tctx, -+ host, -+ lpcfg_smb_ports(tctx->lp_ctx), -+ share, -+ lpcfg_resolve_context(tctx->lp_ctx), -+ creds, -+ &tree, -+ tctx->ev, -+ &options, -+ lpcfg_socket_options(tctx->lp_ctx), -+ lpcfg_gensec_settings(tctx, tctx->lp_ctx)); -+ torture_assert_ntstatus_ok_goto(tctx, status, ok, done, -+ "smb2_connect failed"); -+ -+ security_mode = smb2cli_session_security_mode(tree->session->smbXcli); -+ -+ torture_assert_int_equal_goto( -+ tctx, -+ security_mode, -+ SMB2_NEGOTIATE_SIGNING_REQUIRED | SMB2_NEGOTIATE_SIGNING_ENABLED, -+ ok, -+ done, -+ "Signing not required"); -+ -+done: -+ return ok; -+} -+ -+struct torture_suite *torture_smb2_session_req_sign_init(TALLOC_CTX *ctx) -+{ -+ struct torture_suite *suite = -+ torture_suite_create(ctx, "session-require-signing"); -+ -+ torture_suite_add_1smb2_test(suite, "bug15397", -+ test_session_require_sign_bug15397); -+ -+ suite->description = talloc_strdup(suite, "SMB2-SESSION require signing tests"); -+ return suite; -+} -diff --git a/source4/torture/smb2/smb2.c b/source4/torture/smb2/smb2.c -index c595b108ce8..5b6477e47bc 100644 ---- a/source4/torture/smb2/smb2.c -+++ b/source4/torture/smb2/smb2.c -@@ -189,6 +189,7 @@ NTSTATUS torture_smb2_init(TALLOC_CTX *ctx) - torture_suite_add_suite(suite, torture_smb2_sharemode_init(suite)); - torture_suite_add_1smb2_test(suite, "hold-oplock", test_smb2_hold_oplock); - torture_suite_add_suite(suite, torture_smb2_session_init(suite)); -+ torture_suite_add_suite(suite, torture_smb2_session_req_sign_init(suite)); - torture_suite_add_suite(suite, torture_smb2_replay_init(suite)); - torture_suite_add_simple_test(suite, "dosmode", torture_smb2_dosmode); - torture_suite_add_simple_test(suite, "async_dosmode", torture_smb2_async_dosmode); --- -2.39.3 - diff --git a/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch b/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch deleted file mode 100644 index fe3e3cf..0000000 --- a/SOURCES/0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch +++ /dev/null @@ -1,131 +0,0 @@ -From 1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Wed, 21 Jun 2023 15:06:12 +0200 -Subject: [PATCH 2/5] CVE-2023-3347: smbd: pass lp_ctx to - smb[1|2]_srv_init_signing() - -No change in behaviour. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 - -Signed-off-by: Ralph Boehme ---- - source3/smbd/proto.h | 3 ++- - source3/smbd/smb1_signing.c | 10 ++-------- - source3/smbd/smb1_signing.h | 3 ++- - source3/smbd/smb2_signing.c | 25 +++++++++++++++---------- - 4 files changed, 21 insertions(+), 20 deletions(-) - -diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h -index a39f0a2edfa..3884617e77b 100644 ---- a/source3/smbd/proto.h -+++ b/source3/smbd/proto.h -@@ -52,7 +52,8 @@ struct dcesrv_context; - - /* The following definitions come from smbd/smb2_signing.c */ - --bool smb2_srv_init_signing(struct smbXsrv_connection *conn); -+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, -+ struct smbXsrv_connection *conn); - bool srv_init_signing(struct smbXsrv_connection *conn); - - /* The following definitions come from smbd/aio.c */ -diff --git a/source3/smbd/smb1_signing.c b/source3/smbd/smb1_signing.c -index 6bcb0629c4f..aa3027d5318 100644 ---- a/source3/smbd/smb1_signing.c -+++ b/source3/smbd/smb1_signing.c -@@ -170,18 +170,13 @@ static void smbd_shm_signing_free(TALLOC_CTX *mem_ctx, void *ptr) - Called by server negprot when signing has been negotiated. - ************************************************************/ - --bool smb1_srv_init_signing(struct smbXsrv_connection *conn) -+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx, -+ struct smbXsrv_connection *conn) - { - bool allowed = true; - bool desired; - bool mandatory = false; - -- struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); -- if (lp_ctx == NULL) { -- DEBUG(10, ("loadparm_init_s3 failed\n")); -- return false; -- } -- - /* - * if the client and server allow signing, - * we desire to use it. -@@ -195,7 +190,6 @@ bool smb1_srv_init_signing(struct smbXsrv_connection *conn) - */ - - desired = lpcfg_server_signing_allowed(lp_ctx, &mandatory); -- talloc_unlink(conn, lp_ctx); - - if (lp_async_smb_echo_handler()) { - struct smbd_shm_signing *s; -diff --git a/source3/smbd/smb1_signing.h b/source3/smbd/smb1_signing.h -index 56c59c5bbc2..26f60420dfa 100644 ---- a/source3/smbd/smb1_signing.h -+++ b/source3/smbd/smb1_signing.h -@@ -33,4 +33,5 @@ bool smb1_srv_is_signing_negotiated(struct smbXsrv_connection *conn); - void smb1_srv_set_signing(struct smbXsrv_connection *conn, - const DATA_BLOB user_session_key, - const DATA_BLOB response); --bool smb1_srv_init_signing(struct smbXsrv_connection *conn); -+bool smb1_srv_init_signing(struct loadparm_context *lp_ctx, -+ struct smbXsrv_connection *conn); -diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c -index 4691ef4d613..c1f876f9cd7 100644 ---- a/source3/smbd/smb2_signing.c -+++ b/source3/smbd/smb2_signing.c -@@ -26,32 +26,37 @@ - #include "lib/param/param.h" - #include "smb2_signing.h" - --bool smb2_srv_init_signing(struct smbXsrv_connection *conn) -+bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, -+ struct smbXsrv_connection *conn) - { -- struct loadparm_context *lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); -- if (lp_ctx == NULL) { -- DBG_DEBUG("loadparm_init_s3 failed\n"); -- return false; -- } -- - /* - * For SMB2 all we need to know is if signing is mandatory. - * It is always allowed and desired, whatever the smb.conf says. - */ - (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); -- talloc_unlink(conn, lp_ctx); - return true; - } - - bool srv_init_signing(struct smbXsrv_connection *conn) - { -+ struct loadparm_context *lp_ctx = NULL; -+ bool ok; -+ -+ lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); -+ if (lp_ctx == NULL) { -+ DBG_DEBUG("loadparm_init_s3 failed\n"); -+ return false; -+ } -+ - #if defined(WITH_SMB1SERVER) - if (conn->protocol >= PROTOCOL_SMB2_02) { - #endif -- return smb2_srv_init_signing(conn); -+ ok = smb2_srv_init_signing(lp_ctx, conn); - #if defined(WITH_SMB1SERVER) - } else { -- return smb1_srv_init_signing(conn); -+ ok = smb1_srv_init_signing(lp_ctx, conn); - } - #endif -+ talloc_unlink(conn, lp_ctx); -+ return ok; - } --- -2.39.3 - diff --git a/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch b/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch deleted file mode 100644 index f0822aa..0000000 --- a/SOURCES/0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch +++ /dev/null @@ -1,73 +0,0 @@ -From 59131d6c345864dcf1ed3331c52ce35ddc5db2dc Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Wed, 21 Jun 2023 15:10:58 +0200 -Subject: [PATCH 3/5] CVE-2023-3347: smbd: inline smb2_srv_init_signing() code - in srv_init_signing() - -It's now a one-line function, imho the overall code is simpler if that code is -just inlined. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 - -Signed-off-by: Ralph Boehme ---- - source3/smbd/proto.h | 2 -- - source3/smbd/smb2_signing.c | 19 ++++++------------- - 2 files changed, 6 insertions(+), 15 deletions(-) - -diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h -index 3884617e77b..78e1b48be09 100644 ---- a/source3/smbd/proto.h -+++ b/source3/smbd/proto.h -@@ -52,8 +52,6 @@ struct dcesrv_context; - - /* The following definitions come from smbd/smb2_signing.c */ - --bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, -- struct smbXsrv_connection *conn); - bool srv_init_signing(struct smbXsrv_connection *conn); - - /* The following definitions come from smbd/aio.c */ -diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c -index c1f876f9cd7..ef4a54d5710 100644 ---- a/source3/smbd/smb2_signing.c -+++ b/source3/smbd/smb2_signing.c -@@ -26,21 +26,10 @@ - #include "lib/param/param.h" - #include "smb2_signing.h" - --bool smb2_srv_init_signing(struct loadparm_context *lp_ctx, -- struct smbXsrv_connection *conn) --{ -- /* -- * For SMB2 all we need to know is if signing is mandatory. -- * It is always allowed and desired, whatever the smb.conf says. -- */ -- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); -- return true; --} -- - bool srv_init_signing(struct smbXsrv_connection *conn) - { - struct loadparm_context *lp_ctx = NULL; -- bool ok; -+ bool ok = true; - - lp_ctx = loadparm_init_s3(conn, loadparm_s3_helpers()); - if (lp_ctx == NULL) { -@@ -51,7 +40,11 @@ bool srv_init_signing(struct smbXsrv_connection *conn) - #if defined(WITH_SMB1SERVER) - if (conn->protocol >= PROTOCOL_SMB2_02) { - #endif -- ok = smb2_srv_init_signing(lp_ctx, conn); -+ /* -+ * For SMB2 all we need to know is if signing is mandatory. -+ * It is always allowed and desired, whatever the smb.conf says. -+ */ -+ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); - #if defined(WITH_SMB1SERVER) - } else { - ok = smb1_srv_init_signing(lp_ctx, conn); --- -2.39.3 - diff --git a/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch b/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch deleted file mode 100644 index 539c940..0000000 --- a/SOURCES/0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 5a222ac37183ba5dd717d81c7e57f78e59695a67 Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Tue, 20 Jun 2023 18:13:23 +0200 -Subject: [PATCH 4/5] CVE-2023-3347: smbd: remove comment in - smbd_smb2_request_process_negprot() - -This is just going to bitrot. Anyone who's interested can just grep for -"signing_mandatory" and look up what it does. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 - -Signed-off-by: Ralph Boehme ---- - source3/smbd/smb2_negprot.c | 6 ------ - 1 file changed, 6 deletions(-) - -diff --git a/source3/smbd/smb2_negprot.c b/source3/smbd/smb2_negprot.c -index 9d4ce160e5c..885769be24d 100644 ---- a/source3/smbd/smb2_negprot.c -+++ b/source3/smbd/smb2_negprot.c -@@ -368,12 +368,6 @@ NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req) - } - - security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED; -- /* -- * We use xconn->smb2.signing_mandatory set up via -- * srv_init_signing() -> smb2_srv_init_signing(). -- * This calls lpcfg_server_signing_allowed() to get the correct -- * defaults, e.g. signing_required for an ad_dc. -- */ - if (xconn->smb2.signing_mandatory) { - security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED; - } --- -2.39.3 - diff --git a/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch b/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch deleted file mode 100644 index d85c2a0..0000000 --- a/SOURCES/0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 9bab902fc50f88869b253c4089d83b3e33a1075a Mon Sep 17 00:00:00 2001 -From: Ralph Boehme -Date: Tue, 20 Jun 2023 15:33:02 +0200 -Subject: [PATCH 5/5] CVE-2023-3347: smbd: fix "server signing = mandatory" - -This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because when -calling srv_init_signing() very early after accepting the connection in -smbd_add_connection(), conn->protocol is still PROTOCOL_NONE. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397 - -Signed-off-by: Ralph Boehme - -Autobuild-User(master): Jule Anger -Autobuild-Date(master): Fri Jul 21 13:03:09 UTC 2023 on atb-devel-224 ---- - .../samba3.smb2.session-require-signing | 1 - - source3/smbd/smb2_signing.c | 19 ++++++++----------- - 2 files changed, 8 insertions(+), 12 deletions(-) - delete mode 100644 selftest/knownfail.d/samba3.smb2.session-require-signing - -diff --git a/selftest/knownfail.d/samba3.smb2.session-require-signing b/selftest/knownfail.d/samba3.smb2.session-require-signing -deleted file mode 100644 -index 53b7a7022a8..00000000000 ---- a/selftest/knownfail.d/samba3.smb2.session-require-signing -+++ /dev/null -@@ -1 +0,0 @@ --^samba3.smb2.session-require-signing.bug15397 -diff --git a/source3/smbd/smb2_signing.c b/source3/smbd/smb2_signing.c -index ef4a54d5710..73d07380dfa 100644 ---- a/source3/smbd/smb2_signing.c -+++ b/source3/smbd/smb2_signing.c -@@ -37,19 +37,16 @@ bool srv_init_signing(struct smbXsrv_connection *conn) - return false; - } - -+ /* -+ * For SMB2 all we need to know is if signing is mandatory. -+ * It is always allowed and desired, whatever the smb.conf says. -+ */ -+ (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); -+ - #if defined(WITH_SMB1SERVER) -- if (conn->protocol >= PROTOCOL_SMB2_02) { --#endif -- /* -- * For SMB2 all we need to know is if signing is mandatory. -- * It is always allowed and desired, whatever the smb.conf says. -- */ -- (void)lpcfg_server_signing_allowed(lp_ctx, &conn->smb2.signing_mandatory); --#if defined(WITH_SMB1SERVER) -- } else { -- ok = smb1_srv_init_signing(lp_ctx, conn); -- } -+ ok = smb1_srv_init_signing(lp_ctx, conn); - #endif -+ - talloc_unlink(conn, lp_ctx); - return ok; - } --- -2.39.3 - diff --git a/SOURCES/CVE-2023-3961.patch b/SOURCES/CVE-2023-3961.patch new file mode 100644 index 0000000..0cde519 --- /dev/null +++ b/SOURCES/CVE-2023-3961.patch @@ -0,0 +1,45 @@ +From ae476e1c28b797fe221172ed1066bf8efa476d8d Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 25 Jul 2023 17:41:04 -0700 +Subject: [PATCH] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that + could exit socket_dir. + +For now, SMB_ASSERT() to exit the server. We will remove +this once the test code is in place. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 + +Signed-off-by: Jeremy Allison +--- + source3/rpc_client/local_np.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c +index 0e912d0e35a..dfed7e7beb6 100644 +--- a/source3/rpc_client/local_np.c ++++ b/source3/rpc_client/local_np.c +@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send( + return tevent_req_post(req, ev); + } + ++ /* ++ * Ensure we cannot process a path that exits ++ * the socket_dir. ++ */ ++ if (ISDOTDOT(lower_case_pipename) || ++ (strchr(lower_case_pipename, '/')!=NULL)) ++ { ++ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", ++ lower_case_pipename); ++ /* ++ * For now, panic the server until we have ++ * the test code in place. ++ */ ++ SMB_ASSERT(false); ++ tevent_req_error(req, ENOENT); ++ return tevent_req_post(req, ev); ++ } ++ + state->socketpath = talloc_asprintf( + state, "%s/np/%s", socket_dir, lower_case_pipename); + if (tevent_req_nomem(state->socketpath, req)) { diff --git a/SOURCES/CVE-2023-4091.patch b/SOURCES/CVE-2023-4091.patch new file mode 100644 index 0000000..4241a71 --- /dev/null +++ b/SOURCES/CVE-2023-4091.patch @@ -0,0 +1,183 @@ +From b1fd65694185c26f1e196d84ee8756300e631bd5 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 1 Aug 2023 12:30:00 +0200 +Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on + read-only file + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 + +Signed-off-by: Ralph Boehme +--- + selftest/knownfail.d/samba3.smb2.acls | 1 + + source4/torture/smb2/acls.c | 143 ++++++++++++++++++++++++++ + 2 files changed, 144 insertions(+) + create mode 100644 selftest/knownfail.d/samba3.smb2.acls + +diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls +new file mode 100644 +index 00000000000..18df260c0e5 +--- /dev/null ++++ b/selftest/knownfail.d/samba3.smb2.acls +@@ -0,0 +1 @@ ++^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE +diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c +index bbf201bcf4b..53f482c5541 100644 +--- a/source4/torture/smb2/acls.c ++++ b/source4/torture/smb2/acls.c +@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx, + return ret; + } + ++static bool test_overwrite_read_only_file(struct torture_context *tctx, ++ struct smb2_tree *tree) ++{ ++ NTSTATUS status; ++ struct smb2_create c; ++ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt"; ++ struct smb2_handle handle = {{0}}; ++ union smb_fileinfo q; ++ union smb_setfileinfo set; ++ struct security_descriptor *sd = NULL, *sd_orig = NULL; ++ const char *owner_sid = NULL; ++ int i; ++ bool ret = true; ++ ++ struct tcase { ++ int disposition; ++ const char *disposition_string; ++ NTSTATUS expected_status; ++ } tcases[] = { ++#define TCASE(d, s) { \ ++ .disposition = d, \ ++ .disposition_string = #d, \ ++ .expected_status = s, \ ++ } ++ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK), ++ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED), ++ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED), ++ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED), ++ }; ++#undef TCASE ++ ++ ret = smb2_util_setup_dir(tctx, tree, BASEDIR); ++ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok"); ++ ++ c = (struct smb2_create) { ++ .in.desired_access = SEC_STD_READ_CONTROL | ++ SEC_STD_WRITE_DAC | ++ SEC_STD_WRITE_OWNER, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_READ | ++ NTCREATEX_SHARE_ACCESS_WRITE, ++ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_create failed\n"); ++ handle = c.out.file.handle; ++ ++ torture_comment(tctx, "get the original sd\n"); ++ ++ ZERO_STRUCT(q); ++ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; ++ q.query_secdesc.in.file.handle = handle; ++ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; ++ ++ status = smb2_getinfo_file(tree, tctx, &q); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_getinfo_file failed\n"); ++ sd_orig = q.query_secdesc.out.sd; ++ ++ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); ++ ++ sd = security_descriptor_dacl_create(tctx, ++ 0, NULL, NULL, ++ owner_sid, ++ SEC_ACE_TYPE_ACCESS_ALLOWED, ++ SEC_FILE_READ_DATA, ++ 0, ++ NULL); ++ ++ ZERO_STRUCT(set); ++ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; ++ set.set_secdesc.in.file.handle = handle; ++ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; ++ set.set_secdesc.in.sd = sd; ++ ++ status = smb2_setinfo_file(tree, &set); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_setinfo_file failed\n"); ++ ++ smb2_util_close(tree, handle); ++ ZERO_STRUCT(handle); ++ ++ for (i = 0; i < ARRAY_SIZE(tcases); i++) { ++ torture_comment(tctx, "Verify open with %s dispostion\n", ++ tcases[i].disposition_string); ++ ++ c = (struct smb2_create) { ++ .in.create_disposition = tcases[i].disposition, ++ .in.desired_access = SEC_FILE_READ_DATA, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ smb2_util_close(tree, c.out.file.handle); ++ torture_assert_ntstatus_equal_goto( ++ tctx, status, tcases[i].expected_status, ret, done, ++ "smb2_create failed\n"); ++ }; ++ ++ torture_comment(tctx, "put back original sd\n"); ++ ++ c = (struct smb2_create) { ++ .in.desired_access = SEC_STD_WRITE_DAC, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, ++ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_create failed\n"); ++ handle = c.out.file.handle; ++ ++ ZERO_STRUCT(set); ++ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; ++ set.set_secdesc.in.file.handle = handle; ++ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; ++ set.set_secdesc.in.sd = sd_orig; ++ ++ status = smb2_setinfo_file(tree, &set); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_setinfo_file failed\n"); ++ ++ smb2_util_close(tree, handle); ++ ZERO_STRUCT(handle); ++ ++done: ++ smb2_util_close(tree, handle); ++ smb2_util_unlink(tree, fname); ++ smb2_deltree(tree, BASEDIR); ++ return ret; ++} ++ + /* + basic testing of SMB2 ACLs + */ +@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) + test_deny1); + torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED", + test_mxac_not_granted); ++ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file); + + suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); + diff --git a/SOURCES/CVE-2023-42669.patch b/SOURCES/CVE-2023-42669.patch new file mode 100644 index 0000000..c9e0d49 --- /dev/null +++ b/SOURCES/CVE-2023-42669.patch @@ -0,0 +1,86 @@ +From 3cf1beed5df7d8b5d854517de7de322c6a5bc7fa Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Tue, 12 Sep 2023 18:59:44 +1200 +Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by + default + +The rpcecho server is useful in development and testing, but should never +have been allowed into production, as it includes the facility to +do a blocking sleep() in the single-threaded rpc worker. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett +--- + docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- + lib/param/loadparm.c | 2 +- + selftest/target/Samba4.pm | 2 +- + source3/param/loadparm.c | 2 +- + source4/rpc_server/wscript_build | 3 ++- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +index 8a217cc7f118..c6642b795fd6 100644 +--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml ++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +@@ -6,6 +6,6 @@ + Specifies which DCE/RPC endpoint servers should be run. + + +-epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver ++epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver + rpcecho + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 9a7ae4f95fe8..673b913e6e5a 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); + lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); + +- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); ++ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); + /* the winbind method for domain controllers is for both RODC +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index 49e3c174b07e..5f1f1bfffad6 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -783,7 +783,7 @@ sub provision_raw_step1($$) + wins support = yes + server role = $ctx->{server_role} + server services = +echo $services +- dcerpc endpoint servers = +winreg +srvsvc ++ dcerpc endpoint servers = +winreg +srvsvc +rpcecho + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 1c3644589126..e7f4bbe3995e 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); + +- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); ++ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); + + Globals.tls_enabled = true; + Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index 0e44a3c2baed..31ec4f60c9a6 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', + source='echo/rpc_echo.c', + subsystem='dcerpc_server', + init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' ++ deps='ndr-standard events', ++ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') + ) + + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index a9896b1..06cb212 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -138,7 +138,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.18.6 -%global baserelease 100 +%global baserelease 101 # This should be rc1 or %%nil %global pre_release %nil @@ -202,7 +202,7 @@ Name: samba Version: %{samba_version} -Release: %{samba_release}%{?dist}.alma +Release: %{samba_release}%{?dist}.alma.1 %if 0%{?fedora} Epoch: 2 @@ -234,19 +234,13 @@ Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore -# Patches were taken from upstream and backported -# https://github.com/samba-team/samba/commit/dfeabce44fbb78083fbbb2aa634fc4172cf83db9 -Patch0001: 0001-netlogon.idl-add-support-for-netr_LogonGetCapabiliti.patch -Patch0002: 0002-s4-torture-rpc-let-rpc.schannel-also-check-netr_Logo.patch -Patch0003: 0003-s4-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch -Patch0004: 0004-s3-rpc_server-netlogon-generate-FAULT_INVALID_TAG-fo.patch - -# https://github.com/samba-team/samba/commit/9bab902fc50f88869b253c4089d83b3e33a1075a -Patch0005: 0005-CVE-2023-3347-CI-add-a-test-for-server-side-mandator.patch -Patch0006: 0006-CVE-2023-3347-smbd-pass-lp_ctx-to-smb-1-2-_srv_init_.patch -Patch0007: 0007-CVE-2023-3347-smbd-inline-smb2_srv_init_signing-code.patch -Patch0008: 0008-CVE-2023-3347-smbd-remove-comment-in-smbd_smb2_reque.patch -Patch0009: 0009-CVE-2023-3347-smbd-fix-server-signing-mandatory.patch +# Patches were taken from upstream: +# https://github.com/samba-team/samba/commit/ae476e1c28b797fe221172ed1066bf8efa476d8d +Patch0: CVE-2023-3961.patch +# https://github.com/samba-team/samba/commit/b1fd65694185c26f1e196d84ee8756300e631bd5 +Patch1: CVE-2023-4091.patch +# https://github.com/samba-team/samba/commit/3cf1beed5df7d8b5d854517de7de322c6a5bc7fa +Patch2: CVE-2023-42669.patch Requires(pre): /usr/sbin/groupadd @@ -4342,6 +4336,9 @@ fi %endif %changelog +* Tue Nov 07 2023 Eduard Abdullin - 4.18.6-101.alma.1 +- CVE-2023-3961 CVE-2023-4091 CVE-2023-42669 + * Thu Aug 17 2023 Andreas Schneider - 4.18.6-100 - related: rhbz#2190415 - Update to version 4.18.6 - resolves: rhbz#2211617 - Fix the rpcclient dfsgetinfo command