- nsswitch: add test for pthread_key_delete missuse (bug 15464)

- netlogon: add support for netr_LogonGetCapabilities response level 2

SOURCES/CVE-2023-3961-s3-smbd-Catch-any-incoming-pipe-path-that.patch

@@ -0,0 +1,295 @@
+From 09ee91a8f7e53f688f091fe67e0b95d1d34fb9c9 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 25 Jul 2023 17:41:04 -0700
+Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
+ could exit socket_dir.
+
+For now, SMB_ASSERT() to exit the server. We will remove
+this once the test code is in place.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/rpc_client/local_np.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
+index 0b323404f06..95228d5d801 100644
+--- a/source3/rpc_client/local_np.c
++++ b/source3/rpc_client/local_np.c
+@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
+ 		return tevent_req_post(req, ev);
+ 	}
+ 
++	/*
++	 * Ensure we cannot process a path that exits
++	 * the socket_dir.
++	 */
++	if (ISDOTDOT(lower_case_pipename) ||
++	    (strchr(lower_case_pipename, '/')!=NULL))
++	{
++		DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
++			lower_case_pipename);
++		/*
++		 * For now, panic the server until we have
++		 * the test code in place.
++		 */
++		SMB_ASSERT(false);
++		tevent_req_error(req, ENOENT);
++		return tevent_req_post(req, ev);
++	}
++
+ 	state->socketpath = talloc_asprintf(
+ 		state, "%s/np/%s", socket_dir, lower_case_pipename);
+ 	if (tevent_req_nomem(state->socketpath, req)) {
+-- 
+2.39.2
+
+
+From 34d4258e77d7a3f48004e88161ac2398e9669a4b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 25 Jul 2023 17:49:21 -0700
+Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME
+ to show we allow bad pipenames with unix separators through to the UNIX
+ domain socket code.
+
+The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
+as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
+
+Add the knownfail.
+
+BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ selftest/knownfail.d/badpipename |   1 +
+ source3/selftest/tests.py        |  14 ++++
+ source3/torture/proto.h          |   1 +
+ source3/torture/test_smb2.c      | 107 +++++++++++++++++++++++++++++++
+ source3/torture/torture.c        |   4 ++
+ 5 files changed, 127 insertions(+)
+ create mode 100644 selftest/knownfail.d/badpipename
+
+diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename
+new file mode 100644
+index 00000000000..e69715f863d
+--- /dev/null
++++ b/selftest/knownfail.d/badpipename
+@@ -0,0 +1 @@
++^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\)
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 1fdcad1089f..2c8336d35e8 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -296,6 +296,20 @@ plantestsuite("samba3.smbtorture_s3.smb2.SMB2-DFS-FILENAME-LEADING-BACKSLASH",
+                 smbtorture3,
+                 "-mSMB2"])
+ 
++# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
++# Prevent bad pipenames.
++#
++plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME",
++                "fileserver",
++                [os.path.join(samba3srcdir,
++                              "script/tests/test_smbtorture_s3.sh"),
++                'SMB2-INVALID-PIPENAME',
++                '//$SERVER_IP/tmp',
++                '$USERNAME',
++                '$PASSWORD',
++                smbtorture3,
++                "-mSMB2"])
++
+ #
+ # SMB2-NON-DFS-SHARE needs to run against a special share non-msdfs-pathname-share
+ # This is an empty non-DFS share with no links, used merely to test
+diff --git a/source3/torture/proto.h b/source3/torture/proto.h
+index 21d7b3e00a7..3751697596a 100644
+--- a/source3/torture/proto.h
++++ b/source3/torture/proto.h
+@@ -124,6 +124,7 @@ bool run_smb2_dfs_paths(int dummy);
+ bool run_smb2_non_dfs_share(int dummy);
+ bool run_smb2_dfs_share_non_dfs_path(int dummy);
+ bool run_smb2_dfs_filename_leading_backslash(int dummy);
++bool run_smb2_invalid_pipename(int dummy);
+ bool run_smb1_dfs_paths(int dummy);
+ bool run_smb1_dfs_search_paths(int dummy);
+ bool run_smb1_dfs_operations(int dummy);
+diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
+index 269ade4ef61..7ea3d83de10 100644
+--- a/source3/torture/test_smb2.c
++++ b/source3/torture/test_smb2.c
+@@ -5136,3 +5136,110 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy)
+ 	(void)smb2_dfs_delete(cli, dfs_filename_slash);
+ 	return retval;
+ }
++
++bool run_smb2_invalid_pipename(int dummy)
++{
++	struct cli_state *cli = NULL;
++	NTSTATUS status;
++	uint64_t fid_persistent = 0;
++	uint64_t fid_volatile = 0;
++	const char *unknown_pipe = "badpipe";
++	const char *invalid_pipe = "../../../../../../../../../badpipe";
++
++	printf("Starting SMB2-INVALID-PIPENAME\n");
++
++	if (!torture_init_connection(&cli)) {
++		return false;
++	}
++
++	status = smbXcli_negprot(cli->conn,
++				cli->timeout,
++				PROTOCOL_SMB2_02,
++				PROTOCOL_SMB3_11);
++	if (!NT_STATUS_IS_OK(status)) {
++		printf("smbXcli_negprot returned %s\n", nt_errstr(status));
++		return false;
++	}
++
++	status = cli_session_setup_creds(cli, torture_creds);
++	if (!NT_STATUS_IS_OK(status)) {
++		printf("cli_session_setup returned %s\n", nt_errstr(status));
++		return false;
++	}
++
++	status = cli_tree_connect(cli, "IPC$", "?????", NULL);
++	if (!NT_STATUS_IS_OK(status)) {
++		printf("cli_tree_connect returned %s\n", nt_errstr(status));
++		return false;
++	}
++
++	/* Try and connect to an unknown pipename. */
++	status = smb2cli_create(cli->conn,
++				cli->timeout,
++				cli->smb2.session,
++				cli->smb2.tcon,
++				unknown_pipe,
++				SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
++				SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
++				SEC_STD_SYNCHRONIZE|
++					SEC_FILE_READ_DATA|
++					SEC_FILE_WRITE_DATA|
++					SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
++				FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
++				FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
++				FILE_CREATE, /* create_disposition, */
++				0, /* create_options, */
++				NULL, /* smb2_create_blobs *blobs */
++				&fid_persistent,
++				&fid_volatile,
++				NULL, /* struct smb_create_returns * */
++				talloc_tos(), /* mem_ctx. */
++				NULL, /* struct smb2_create_blobs * */
++				NULL); /* struct symlink_reparse_struct */
++	/* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */
++	if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
++		printf("%s:%d smb2cli_create on name %s returned %s\n",
++			__FILE__,
++			__LINE__,
++			unknown_pipe,
++			nt_errstr(status));
++		return false;
++	}
++
++	/* Try and connect to an invalid pipename containing unix separators. */
++	status = smb2cli_create(cli->conn,
++				cli->timeout,
++				cli->smb2.session,
++				cli->smb2.tcon,
++				invalid_pipe,
++				SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
++				SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
++				SEC_STD_SYNCHRONIZE|
++					SEC_FILE_READ_DATA|
++					SEC_FILE_WRITE_DATA|
++					SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
++				FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
++				FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
++				FILE_CREATE, /* create_disposition, */
++				0, /* create_options, */
++				NULL, /* smb2_create_blobs *blobs */
++				&fid_persistent,
++				&fid_volatile,
++				NULL, /* struct smb_create_returns * */
++				talloc_tos(), /* mem_ctx. */
++				NULL, /* struct smb2_create_blobs * */
++				NULL); /* struct symlink_reparse_struct */
++	/*
++	 * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND
++	 * (tested against Windows 2022).
++	 */
++	if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
++		printf("%s:%d smb2cli_create on name %s returned %s\n",
++			__FILE__,
++			__LINE__,
++			invalid_pipe,
++			nt_errstr(status));
++		return false;
++	}
++	return true;
++}
+diff --git a/source3/torture/torture.c b/source3/torture/torture.c
+index 1315b328f5f..d53699c3b02 100644
+--- a/source3/torture/torture.c
++++ b/source3/torture/torture.c
+@@ -15727,6 +15727,10 @@ static struct {
+ 		.name  = "SMB2-DFS-FILENAME-LEADING-BACKSLASH",
+ 		.fn    = run_smb2_dfs_filename_leading_backslash,
+ 	},
++	{
++		.name  = "SMB2-INVALID-PIPENAME",
++		.fn    = run_smb2_invalid_pipename,
++	},
+ 	{
+ 		.name  = "SMB1-TRUNCATED-SESSSETUP",
+ 		.fn    = run_smb1_truncated_sesssetup,
+-- 
+2.39.2
+
+
+From cbd81ca9d7ea1d5a6ea2b1026bc342ff996cca7c Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 25 Jul 2023 17:54:41 -0700
+Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that
+ crashes on bad pipenames.
+
+We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
+
+Remove knowfail.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ selftest/knownfail.d/badpipename | 1 -
+ source3/rpc_client/local_np.c    | 5 -----
+ 2 files changed, 6 deletions(-)
+ delete mode 100644 selftest/knownfail.d/badpipename
+
+diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename
+deleted file mode 100644
+index e69715f863d..00000000000
+--- a/selftest/knownfail.d/badpipename
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\)
+diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
+index 95228d5d801..791ded99a47 100644
+--- a/source3/rpc_client/local_np.c
++++ b/source3/rpc_client/local_np.c
+@@ -551,11 +551,6 @@ struct tevent_req *local_np_connect_send(
+ 	{
+ 		DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
+ 			lower_case_pipename);
+-		/*
+-		 * For now, panic the server until we have
+-		 * the test code in place.
+-		 */
+-		SMB_ASSERT(false);
+ 		tevent_req_error(req, ENOENT);
+ 		return tevent_req_post(req, ev);
+ 	}
+-- 
+2.39.2

SOURCES/CVE-2023-4091-smbtorture-test-overwrite-dispositions-on.patch

@@ -0,0 +1,239 @@
+From a4a3868fda277ddf0f174b77a859c33e4c339538 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 12:30:00 +0200
+Subject: [PATCH 1/2] CVE-2023-4091: smbtorture: test overwrite dispositions on
+ read-only file
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/samba3.smb2.acls |   1 +
+ source4/torture/smb2/acls.c           | 143 ++++++++++++++++++++++++++
+ 2 files changed, 144 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba3.smb2.acls
+
+diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
+new file mode 100644
+index 000000000000..18df260c0e50
+--- /dev/null
++++ b/selftest/knownfail.d/samba3.smb2.acls
+@@ -0,0 +1 @@
++^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
+diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
+index a27d4e079e67..5a892d004ea8 100644
+--- a/source4/torture/smb2/acls.c
++++ b/source4/torture/smb2/acls.c
+@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
+ 	return ret;
+ }
+ 
++static bool test_overwrite_read_only_file(struct torture_context *tctx,
++					  struct smb2_tree *tree)
++{
++	NTSTATUS status;
++	struct smb2_create c;
++	const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
++	struct smb2_handle handle = {{0}};
++	union smb_fileinfo q;
++	union smb_setfileinfo set;
++	struct security_descriptor *sd = NULL, *sd_orig = NULL;
++	const char *owner_sid = NULL;
++	int i;
++	bool ret = true;
++
++	struct tcase {
++		int disposition;
++		const char *disposition_string;
++		NTSTATUS expected_status;
++	} tcases[] = {
++#define TCASE(d, s) {				\
++		.disposition = d,		\
++		.disposition_string = #d,	\
++		.expected_status = s,		\
++	}
++		TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
++		TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
++		TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
++		TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
++	};
++#undef TCASE
++
++	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
++	torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
++
++	c = (struct smb2_create) {
++		.in.desired_access = SEC_STD_READ_CONTROL |
++			SEC_STD_WRITE_DAC |
++			SEC_STD_WRITE_OWNER,
++		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
++		.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
++			NTCREATEX_SHARE_ACCESS_WRITE,
++		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
++		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
++		.in.fname = fname,
++	};
++
++	status = smb2_create(tree, tctx, &c);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_create failed\n");
++	handle = c.out.file.handle;
++
++	torture_comment(tctx, "get the original sd\n");
++
++	ZERO_STRUCT(q);
++	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
++	q.query_secdesc.in.file.handle = handle;
++	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
++
++	status = smb2_getinfo_file(tree, tctx, &q);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_getinfo_file failed\n");
++	sd_orig = q.query_secdesc.out.sd;
++
++	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
++
++	sd = security_descriptor_dacl_create(tctx,
++					0, NULL, NULL,
++					owner_sid,
++					SEC_ACE_TYPE_ACCESS_ALLOWED,
++					SEC_FILE_READ_DATA,
++					0,
++					NULL);
++
++	ZERO_STRUCT(set);
++	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
++	set.set_secdesc.in.file.handle = handle;
++	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
++	set.set_secdesc.in.sd = sd;
++
++	status = smb2_setinfo_file(tree, &set);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_setinfo_file failed\n");
++
++	smb2_util_close(tree, handle);
++	ZERO_STRUCT(handle);
++
++	for (i = 0; i < ARRAY_SIZE(tcases); i++) {
++		torture_comment(tctx, "Verify open with %s dispostion\n",
++				tcases[i].disposition_string);
++
++		c = (struct smb2_create) {
++			.in.create_disposition = tcases[i].disposition,
++			.in.desired_access = SEC_FILE_READ_DATA,
++			.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
++			.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
++			.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
++			.in.fname = fname,
++		};
++
++		status = smb2_create(tree, tctx, &c);
++		smb2_util_close(tree, c.out.file.handle);
++		torture_assert_ntstatus_equal_goto(
++			tctx, status, tcases[i].expected_status, ret, done,
++			"smb2_create failed\n");
++	};
++
++	torture_comment(tctx, "put back original sd\n");
++
++	c = (struct smb2_create) {
++		.in.desired_access = SEC_STD_WRITE_DAC,
++		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
++		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
++		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
++		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
++		.in.fname = fname,
++	};
++
++	status = smb2_create(tree, tctx, &c);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_create failed\n");
++	handle = c.out.file.handle;
++
++	ZERO_STRUCT(set);
++	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
++	set.set_secdesc.in.file.handle = handle;
++	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
++	set.set_secdesc.in.sd = sd_orig;
++
++	status = smb2_setinfo_file(tree, &set);
++	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
++					"smb2_setinfo_file failed\n");
++
++	smb2_util_close(tree, handle);
++	ZERO_STRUCT(handle);
++
++done:
++	smb2_util_close(tree, handle);
++	smb2_util_unlink(tree, fname);
++	smb2_deltree(tree, BASEDIR);
++	return ret;
++}
++
+ /*
+    basic testing of SMB2 ACLs
+ */
+@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
+ 			test_deny1);
+ 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
+ 			test_mxac_not_granted);
++	torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
+ 
+ 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
+ 
+-- 
+2.41.0
+
+
+From 5b5e2b1714e4a242b1cea44deff1f380620872c9 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 13:04:36 +0200
+Subject: [PATCH 2/2] CVE-2023-4091: smbd: use open_access_mask for access
+ check in open_file()
+
+If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
+FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
+access check we're using access_mask which doesn't contain the additional
+right, which means we can end up truncating a file for which the user has
+only read-only access via an SD.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+---
+ selftest/knownfail.d/samba3.smb2.acls | 1 -
+ source3/smbd/open.c                   | 4 ++--
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba3.smb2.acls
+
+diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
+deleted file mode 100644
+index 18df260c0e50..000000000000
+--- a/selftest/knownfail.d/samba3.smb2.acls
++++ /dev/null
+@@ -1 +0,0 @@
+-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 94f50becb247..0c9ddfe7c948 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req,
+ 						dirfsp,
+ 						fsp,
+ 						false,
+-						access_mask);
++						open_access_mask);
+ 
+ 				if (!NT_STATUS_IS_OK(status)) {
+ 					DBG_DEBUG("smbd_check_access_rights_fsp"
+@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req,
+ 			status = smbd_check_access_rights_fsp(dirfsp,
+ 							      fsp,
+ 							      false,
+-							      access_mask);
++							      open_access_mask);
+ 
+ 			if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
+ 			    posix_open &&
+-- 
+2.41.0

SOURCES/CVE-2023-42669-s4-rpc_server-Disable-rpcecho-server-by.patch

@@ -0,0 +1,123 @@
+From e534a858d15589f27181b82c8ed8abefc56fb95f Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 12 Sep 2023 18:59:44 +1200
+Subject: [PATCH 1/2] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
+ default
+
+The rpcecho server is useful in development and testing, but should never
+have been allowed into production, as it includes the facility to
+do a blocking sleep() in the single-threaded rpc worker.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
+ lib/param/loadparm.c                                   | 2 +-
+ selftest/target/Samba4.pm                              | 2 +-
+ source3/param/loadparm.c                               | 2 +-
+ source4/rpc_server/wscript_build                       | 3 ++-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+index 8a217cc7f11..c6642b795fd 100644
+--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+@@ -6,6 +6,6 @@
+ 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
+ </description>
+ 
+-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+ <value type="example">rpcecho</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 16cb0d47f31..83b05260e09 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
+ 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
+ 
+-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
++	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+ 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
+ 	/* the winbind method for domain controllers is for both RODC
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index d15156a538b..5687d2a8587 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
+ 	wins support = yes
+ 	server role = $ctx->{server_role}
+ 	server services = +echo $services
+-        dcerpc endpoint servers = +winreg +srvsvc
++        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
+ 	notify:inotify = false
+ 	ldb:nosync = true
+ 	ldap server require strong auth = yes
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 12718ced9e7..e33751a27e3 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 
+ 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
+ 
+-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
++	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+ 
+ 	Globals.tls_enabled = true;
+ 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
+diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
+index 0e44a3c2bae..31ec4f60c9a 100644
+--- a/source4/rpc_server/wscript_build
++++ b/source4/rpc_server/wscript_build
+@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
+                  source='echo/rpc_echo.c',
+                  subsystem='dcerpc_server',
+                  init_function='dcerpc_server_rpcecho_init',
+-                 deps='ndr-standard events'
++                 deps='ndr-standard events',
++                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
+                  )
+ 
+ 
+-- 
+2.25.1
+
+
+From 8ce92246a016f3e7f23b6a94ceb666f776e56998 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 12 Sep 2023 19:01:03 +1200
+Subject: [PATCH 2/2] CVE-2023-42669 s3-rpc_server: Disable rpcecho for
+ consistency with the AD DC
+
+The rpcecho server in source3 does have samba the sleep() feature that
+the s4 version has, but the task architecture is different, so there
+is not the same impact.  Hoever equally this is not something that
+should be enabled on production builds of Samba, so restrict to
+selftest builds.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+---
+ source3/rpc_server/wscript_build | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
+index 341df41a321..5ed81283395 100644
+--- a/source3/rpc_server/wscript_build
++++ b/source3/rpc_server/wscript_build
+@@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho',
+                   RPC_WORKER
+                   RPC_RPCECHO
+                   ''',
++                  for_selftest=True,
+                   install_path='${SAMBA_LIBEXECDIR}')
+ 
+ bld.SAMBA3_BINARY('rpcd_classic',
+-- 
+2.25.1

SOURCES/memory-corruption-since-samba-4-18.patch

@@ -0,0 +1,613 @@
+From ced40c5a805dcfb06d5f3d68aa45a0aaa44bfdca Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Sep 2023 13:57:26 +0200
+Subject: [PATCH 1/5] nsswitch: add test for pthread_key_delete missuse (bug
+ 15464)
+
+This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
+written by Krzysztof Piotr Oledzki <ole@ans.pl>
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 62af25d44e542548d8cdecb061a6001e0071ee76)
+---
+ nsswitch/b15464-testcase.c            | 77 +++++++++++++++++++++++++++
+ nsswitch/wscript_build                |  5 ++
+ selftest/knownfail.d/b15464_testcase  |  1 +
+ source3/selftest/tests.py             |  6 +++
+ testprogs/blackbox/b15464-testcase.sh | 21 ++++++++
+ 5 files changed, 110 insertions(+)
+ create mode 100644 nsswitch/b15464-testcase.c
+ create mode 100644 selftest/knownfail.d/b15464_testcase
+ create mode 100755 testprogs/blackbox/b15464-testcase.sh
+
+diff --git a/nsswitch/b15464-testcase.c b/nsswitch/b15464-testcase.c
+new file mode 100644
+index 000000000000..decb474a81ee
+--- /dev/null
++++ b/nsswitch/b15464-testcase.c
+@@ -0,0 +1,77 @@
++#include "replace.h"
++#include "system/wait.h"
++#include "system/threads.h"
++#include <assert.h>
++
++int main(int argc, const char *argv[])
++{
++	pid_t pid;
++	int wstatus;
++	pthread_key_t k1;
++	pthread_key_t k2;
++	pthread_key_t k3;
++	char *val = NULL;
++	const char *nss_winbind = (argc >= 2 ? argv[1] : "bin/plugins/libnss_winbind.so.2");
++	void *nss_winbind_handle = NULL;
++	union {
++		int (*fn)(void);
++		void *symbol;
++	} nss_winbind_endpwent = { .symbol = NULL, };
++
++	/*
++	 * load and invoke something simple like
++	 * _nss_winbind_endpwent in order to
++	 * get the libnss_winbind internal going
++	 */
++	nss_winbind_handle = dlopen(nss_winbind, RTLD_NOW);
++	printf("%d: nss_winbind[%s] nss_winbind_handle[%p]\n",
++	       getpid(), nss_winbind, nss_winbind_handle);
++	assert(nss_winbind_handle != NULL);
++
++	nss_winbind_endpwent.symbol = dlsym(nss_winbind_handle,
++					    "_nss_winbind_endpwent");
++	printf("%d: nss_winbind_handle[%p] _nss_winbind_endpwent[%p]\n",
++	       getpid(), nss_winbind_handle, nss_winbind_endpwent.symbol);
++	assert(nss_winbind_endpwent.symbol != NULL);
++	(void)nss_winbind_endpwent.fn();
++
++	val = malloc(1);
++	assert(val != NULL);
++
++	pthread_key_create(&k1, NULL);
++	pthread_setspecific(k1, val);
++	printf("%d: k1=%d\n", getpid(), k1);
++
++	pid = fork();
++	if (pid) {
++		free(val);
++		wait(&wstatus);
++		return WEXITSTATUS(wstatus);
++	}
++
++	pthread_key_create(&k2, NULL);
++	pthread_setspecific(k2, val);
++
++	printf("%d: Hello after fork, k1=%d, k2=%d\n", getpid(), k1, k2);
++
++	pid = fork();
++
++	if (pid) {
++		free(val);
++		wait(&wstatus);
++		return WEXITSTATUS(wstatus);
++	}
++
++	pthread_key_create(&k3, NULL);
++	pthread_setspecific(k3, val);
++
++	printf("%d: Hello after fork2, k1=%d, k2=%d, k3=%d\n", getpid(), k1, k2, k3);
++
++	if (k1 == k2 || k2 == k3) {
++		printf("%d: FAIL inconsistent keys\n", getpid());
++		return 1;
++	}
++
++	printf("%d: OK consistent keys\n", getpid());
++	return 0;
++}
+diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
+index 3247b6c2b7c3..4e62bb4c9461 100644
+--- a/nsswitch/wscript_build
++++ b/nsswitch/wscript_build
+@@ -15,6 +15,11 @@ if bld.CONFIG_SET('HAVE_PTHREAD'):
+ 		     deps='wbclient pthread',
+ 		     for_selftest=True
+ 		     )
++    bld.SAMBA_BINARY('b15464-testcase',
++		     source='b15464-testcase.c',
++		     deps='replace pthread dl',
++		     for_selftest=True
++		     )
+ 
+ # The nss_wrapper code relies strictly on the linux implementation and
+ # name, so compile but do not install a copy under this name.
+diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
+new file mode 100644
+index 000000000000..94dd7db7c2a5
+--- /dev/null
++++ b/selftest/knownfail.d/b15464_testcase
+@@ -0,0 +1 @@
++^b15464_testcase.run.b15464-testcase
+diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
+index 0c834ed48b5e..ea17ead3eda7 100755
+--- a/source3/selftest/tests.py
++++ b/source3/selftest/tests.py
+@@ -67,6 +67,8 @@ except KeyError:
+     samba4bindir = bindir()
+     config_h = os.path.join(samba4bindir, "default/include/config.h")
+ 
++bbdir = os.path.join(srcdir(), "testprogs/blackbox")
++
+ # check available features
+ config_hash = dict()
+ f = open(config_h, 'r')
+@@ -936,6 +938,10 @@ if with_pthreadpool:
+                   [os.path.join(samba3srcdir,
+                                 "script/tests/test_libwbclient_threads.sh"),
+                    "$DOMAIN", "$DC_USERNAME"])
++    plantestsuite("b15464_testcase", "none",
++                  [os.path.join(bbdir, "b15464-testcase.sh"),
++                   binpath("b15464-testcase"),
++                   binpath("plugins/libnss_winbind.so.2")])
+ 
+ plantestsuite("samba3.test_nfs4_acl", "none",
+               [os.path.join(bindir(), "test_nfs4_acls"),
+diff --git a/testprogs/blackbox/b15464-testcase.sh b/testprogs/blackbox/b15464-testcase.sh
+new file mode 100755
+index 000000000000..b0c88260d4cc
+--- /dev/null
++++ b/testprogs/blackbox/b15464-testcase.sh
+@@ -0,0 +1,21 @@
++#!/bin/sh
++# Blackbox wrapper for bug 15464
++# Copyright (C) 2023 Stefan Metzmacher
++
++if [ $# -lt 2 ]; then
++	cat <<EOF
++Usage: b15464-testcase.sh B15464_TESTCASE LIBNSS_WINBIND
++EOF
++	exit 1
++fi
++
++b15464_testcase=$1
++libnss_winbind=$2
++shift 2
++failed=0
++
++. $(dirname $0)/subunit.sh
++
++testit "run b15464-testcase" $VALGRIND $b15464_testcase $libnss_winbind || failed=$(expr $failed + 1)
++
++testok $0 $failed
+-- 
+2.34.1
+
+
+From 08728ee7847d7864d4c72a4ac1ddfeca78934326 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 7 Sep 2023 16:02:32 +0200
+Subject: [PATCH 2/5] nsswitch/wb_common.c: fix build without HAVE_PTHREAD
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 4faf806412c4408db25448b1f67c09359ec2f81f)
+---
+ nsswitch/wb_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index d569e761ebe4..c382a44c1209 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -104,7 +104,6 @@ static void wb_thread_ctx_initialize(void)
+ 				 wb_thread_ctx_destructor);
+ 	assert(ret == 0);
+ }
+-#endif
+ 
+ static struct winbindd_context *get_wb_thread_ctx(void)
+ {
+@@ -139,6 +138,7 @@ static struct winbindd_context *get_wb_thread_ctx(void)
+ 	}
+ 	return ctx;
+ }
++#endif /* HAVE_PTHREAD */
+ 
+ static struct winbindd_context *get_wb_global_ctx(void)
+ {
+-- 
+2.34.1
+
+
+From d1f43cd4cc6aeb2ac9fcaee9aa512012ca92ecb3 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Sep 2023 09:53:42 +0200
+Subject: [PATCH 3/5] nsswitch/wb_common.c: winbind_destructor can always use
+ get_wb_global_ctx()
+
+The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
+required magic.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 836823e5047d0eb18e66707386ba03b812adfaf8)
+---
+ nsswitch/wb_common.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index c382a44c1209..d56e48d9bdb8 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -246,14 +246,10 @@ static void winbind_destructor(void)
+ 		return;
+ 	}
+ 
+-#ifdef HAVE_PTHREAD_H
+-	ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
++	ctx = get_wb_global_ctx();
+ 	if (ctx == NULL) {
+ 		return;
+ 	}
+-#else
+-	ctx = get_wb_global_ctx();
+-#endif
+ 
+ 	winbind_close_sock(ctx);
+ }
+-- 
+2.34.1
+
+
+From 6e29ea5b9efe5cf166cc9d633c1dc4eb8f192736 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 8 Sep 2023 09:56:47 +0200
+Subject: [PATCH 4/5] nsswitch/wb_common.c: don't operate on a stale
+ wb_global_ctx.key
+
+If nss_winbind is loaded into a process that uses fork multiple times
+without any further calls into nss_winbind, wb_atfork_child handler
+was using a wb_global_ctx.key that was no longer registered in the
+pthread library, so we operated on a slot that was potentially
+reused by other libraries or the main application. Which is likely
+to cause memory corruption.
+
+So we better don't call pthread_key_delete() in wb_atfork_child().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Reported-by: Krzysztof Piotr Oledzki <ole@ans.pl>
+Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 91b30a7261e6455d3a4f31728c23e4849e3945b9)
+---
+ nsswitch/wb_common.c                 | 5 -----
+ selftest/knownfail.d/b15464_testcase | 1 -
+ 2 files changed, 6 deletions(-)
+ delete mode 100644 selftest/knownfail.d/b15464_testcase
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index d56e48d9bdb8..38f9f334016b 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -76,11 +76,6 @@ static void wb_atfork_child(void)
+ 
+ 	winbind_close_sock(ctx);
+ 	free(ctx);
+-
+-	ret = pthread_key_delete(wb_global_ctx.key);
+-	assert(ret == 0);
+-
+-	wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
+ }
+ 
+ static void wb_thread_ctx_destructor(void *p)
+diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
+deleted file mode 100644
+index 94dd7db7c2a5..000000000000
+--- a/selftest/knownfail.d/b15464_testcase
++++ /dev/null
+@@ -1 +0,0 @@
+-^b15464_testcase.run.b15464-testcase
+-- 
+2.34.1
+
+
+From 61ca2c66e0a3c837f2c542b8d9321a8d8cd03382 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 7 Sep 2023 15:59:59 +0200
+Subject: [PATCH 5/5] nsswitch/wb_common.c: fix socket fd and memory leaks of
+ global state
+
+When we are called in wb_atfork_child() or winbind_destructor(),
+wb_thread_ctx_destructor() is not called for the global state
+of the current nor any other thread, which means we would
+leak the related memory and socket fds.
+
+Now we maintain a global list protected by a global mutex.
+We traverse the list and close all socket fds, which are no
+longer used (winbind_destructor) or no longer valid in the
+current process (wb_atfork_child), in addition we 'autofree'
+the ones, which are only visible internally as global (per thread)
+context.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
+
+Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+
+Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
+Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224
+
+(cherry picked from commit 4af3faace481d23869b64485b791bdd43d8972c5)
+---
+ nsswitch/wb_common.c | 143 ++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 113 insertions(+), 30 deletions(-)
+
+diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
+index 38f9f334016b..b7f84435a4ee 100644
+--- a/nsswitch/wb_common.c
++++ b/nsswitch/wb_common.c
+@@ -26,6 +26,7 @@
+ #include "replace.h"
+ #include "system/select.h"
+ #include "winbind_client.h"
++#include "lib/util/dlinklist.h"
+ #include <assert.h>
+ 
+ #ifdef HAVE_PTHREAD_H
+@@ -37,67 +38,112 @@ static __thread char client_name[32];
+ /* Global context */
+ 
+ struct winbindd_context {
++	struct winbindd_context *prev, *next;
+ 	int winbindd_fd;	/* winbind file descriptor */
+ 	bool is_privileged;	/* using the privileged socket? */
+ 	pid_t our_pid;		/* calling process pid */
++	bool autofree;		/* this is a thread global context */
+ };
+ 
+ static struct wb_global_ctx {
+-	bool initialized;
+ #ifdef HAVE_PTHREAD
+ 	pthread_once_t control;
+ 	pthread_key_t key;
++	bool key_initialized;
++#ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
++#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
+ #else
+-	bool dummy;
++#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
+ #endif
++#define WB_GLOBAL_LIST_LOCK do { \
++	int __pret = pthread_mutex_lock(&wb_global_ctx.list_mutex); \
++	assert(__pret == 0); \
++} while(0)
++#define WB_GLOBAL_LIST_UNLOCK do { \
++	int __pret = pthread_mutex_unlock(&wb_global_ctx.list_mutex); \
++	assert(__pret == 0); \
++} while(0)
++	pthread_mutex_t list_mutex;
++#else /* => not HAVE_PTHREAD */
++#define WB_GLOBAL_LIST_LOCK do { } while(0)
++#define WB_GLOBAL_LIST_UNLOCK do { } while(0)
++#endif /* not HAVE_PTHREAD */
++	struct winbindd_context *list;
+ } wb_global_ctx = {
+ #ifdef HAVE_PTHREAD
+ 	.control = PTHREAD_ONCE_INIT,
++	.list_mutex = WB_GLOBAL_MUTEX_INITIALIZER,
+ #endif
++	.list = NULL,
+ };
+ 
+ static void winbind_close_sock(struct winbindd_context *ctx);
++static void winbind_ctx_free_locked(struct winbindd_context *ctx);
++static void winbind_cleanup_list(void);
+ 
+ #ifdef HAVE_PTHREAD
+ static void wb_thread_ctx_initialize(void);
+ 
++static void wb_atfork_prepare(void)
++{
++	WB_GLOBAL_LIST_LOCK;
++}
++
++static void wb_atfork_parent(void)
++{
++	WB_GLOBAL_LIST_UNLOCK;
++}
++
+ static void wb_atfork_child(void)
+ {
+-	struct winbindd_context *ctx = NULL;
+-	int ret;
++	wb_global_ctx.list_mutex = (pthread_mutex_t)WB_GLOBAL_MUTEX_INITIALIZER;
+ 
+-	ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
+-	if (ctx == NULL) {
+-		return;
+-	}
++	if (wb_global_ctx.key_initialized) {
++		int ret;
+ 
+-	ret = pthread_setspecific(wb_global_ctx.key, NULL);
+-	assert(ret == 0);
++		/*
++		 * After a fork the child still believes
++		 * it is the same thread as in the parent.
++		 * So pthread_getspecific() would return the
++		 * value of the thread that called fork().
++		 *
++		 * But we don't want that behavior, so
++		 * we just clear the reference and let
++		 * winbind_cleanup_list() below 'autofree'
++		 * the parent threads global context.
++		 */
++		ret = pthread_setspecific(wb_global_ctx.key, NULL);
++		assert(ret == 0);
++	}
+ 
+-	winbind_close_sock(ctx);
+-	free(ctx);
++	/*
++	 * But we need to close/cleanup the global state
++	 * of the parents threads.
++	 */
++	winbind_cleanup_list();
+ }
+ 
+ static void wb_thread_ctx_destructor(void *p)
+ {
+ 	struct winbindd_context *ctx = (struct winbindd_context *)p;
+ 
+-	winbind_close_sock(ctx);
+-	free(ctx);
++	winbindd_ctx_free(ctx);
+ }
+ 
+ static void wb_thread_ctx_initialize(void)
+ {
+ 	int ret;
+ 
+-	ret = pthread_atfork(NULL,
+-			     NULL,
++	ret = pthread_atfork(wb_atfork_prepare,
++			     wb_atfork_parent,
+ 			     wb_atfork_child);
+ 	assert(ret == 0);
+ 
+ 	ret = pthread_key_create(&wb_global_ctx.key,
+ 				 wb_thread_ctx_destructor);
+ 	assert(ret == 0);
++
++	wb_global_ctx.key_initialized = true;
+ }
+ 
+ static struct winbindd_context *get_wb_thread_ctx(void)
+@@ -123,9 +169,14 @@ static struct winbindd_context *get_wb_thread_ctx(void)
+ 	*ctx = (struct winbindd_context) {
+ 		.winbindd_fd = -1,
+ 		.is_privileged = false,
+-		.our_pid = 0
++		.our_pid = 0,
++		.autofree = true,
+ 	};
+ 
++	WB_GLOBAL_LIST_LOCK;
++	DLIST_ADD_END(wb_global_ctx.list, ctx);
++	WB_GLOBAL_LIST_UNLOCK;
++
+ 	ret = pthread_setspecific(wb_global_ctx.key, ctx);
+ 	if (ret != 0) {
+ 		free(ctx);
+@@ -142,7 +193,8 @@ static struct winbindd_context *get_wb_global_ctx(void)
+ 	static struct winbindd_context _ctx = {
+ 		.winbindd_fd = -1,
+ 		.is_privileged = false,
+-		.our_pid = 0
++		.our_pid = 0,
++		.autofree = false,
+ 	};
+ #endif
+ 
+@@ -150,9 +202,11 @@ static struct winbindd_context *get_wb_global_ctx(void)
+ 	ctx = get_wb_thread_ctx();
+ #else
+ 	ctx = &_ctx;
++	if (ctx->prev == NULL && ctx->next == NULL) {
++		DLIST_ADD_END(wb_global_ctx.list, ctx);
++	}
+ #endif
+ 
+-	wb_global_ctx.initialized = true;
+ 	return ctx;
+ }
+ 
+@@ -226,6 +280,30 @@ static void winbind_close_sock(struct winbindd_context *ctx)
+ 	}
+ }
+ 
++static void winbind_ctx_free_locked(struct winbindd_context *ctx)
++{
++	winbind_close_sock(ctx);
++	DLIST_REMOVE(wb_global_ctx.list, ctx);
++	free(ctx);
++}
++
++static void winbind_cleanup_list(void)
++{
++	struct winbindd_context *ctx = NULL, *next = NULL;
++
++	WB_GLOBAL_LIST_LOCK;
++	for (ctx = wb_global_ctx.list; ctx != NULL; ctx = next) {
++		next = ctx->next;
++
++		if (ctx->autofree) {
++			winbind_ctx_free_locked(ctx);
++		} else {
++			winbind_close_sock(ctx);
++		}
++	}
++	WB_GLOBAL_LIST_UNLOCK;
++}
++
+ /* Destructor for global context to ensure fd is closed */
+ 
+ #ifdef HAVE_DESTRUCTOR_ATTRIBUTE
+@@ -235,18 +313,18 @@ __attribute__((destructor))
+ #endif
+ static void winbind_destructor(void)
+ {
+-	struct winbindd_context *ctx;
+-
+-	if (!wb_global_ctx.initialized) {
+-		return;
++#ifdef HAVE_PTHREAD
++	if (wb_global_ctx.key_initialized) {
++		int ret;
++		ret = pthread_key_delete(wb_global_ctx.key);
++		assert(ret == 0);
++		wb_global_ctx.key_initialized = false;
+ 	}
+ 
+-	ctx = get_wb_global_ctx();
+-	if (ctx == NULL) {
+-		return;
+-	}
++	wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
++#endif /* HAVE_PTHREAD */
+ 
+-	winbind_close_sock(ctx);
++	winbind_cleanup_list();
+ }
+ 
+ #define CONNECT_TIMEOUT 30
+@@ -928,11 +1006,16 @@ struct winbindd_context *winbindd_ctx_create(void)
+ 
+ 	ctx->winbindd_fd = -1;
+ 
++	WB_GLOBAL_LIST_LOCK;
++	DLIST_ADD_END(wb_global_ctx.list, ctx);
++	WB_GLOBAL_LIST_UNLOCK;
++
+ 	return ctx;
+ }
+ 
+ void winbindd_ctx_free(struct winbindd_context *ctx)
+ {
+-	winbind_close_sock(ctx);
+-	free(ctx);
++	WB_GLOBAL_LIST_LOCK;
++	winbind_ctx_free_locked(ctx);
++	WB_GLOBAL_LIST_UNLOCK;
+ }
+-- 
+2.34.1

SPECS/samba.spec

@@ -138,7 +138,7 @@
 %define samba_requires_eq()  %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
 
 %global samba_version 4.18.6
-%global baserelease 1
+%global baserelease 3
 # This should be rc1 or %%nil
 %global pre_release %nil
 
@@ -202,7 +202,7 @@
 
 Name:           samba
 Version:        %{samba_version}
-Release:        %{samba_release}%{?dist}
+Release:        %{samba_release}%{?dist}.alma.1
 
 %if 0%{?fedora}
 Epoch:          2
@@ -234,6 +234,16 @@ Source17:       samba-usershares-systemd-sysusers.conf
 Source201:      README.downgrade
 Source202:      samba.abignore
 
+# Patches were taken from:
+# https://attachments.samba.org/attachment.cgi?id=18128
+Patch1:         CVE-2023-3961-s3-smbd-Catch-any-incoming-pipe-path-that.patch
+# https://attachments.samba.org/attachment.cgi?id=18131
+Patch2:         CVE-2023-4091-smbtorture-test-overwrite-dispositions-on.patch
+# https://attachments.samba.org/attachment.cgi?id=18136
+Patch3:         CVE-2023-42669-s4-rpc_server-Disable-rpcecho-server-by.patch
+# https://attachments.samba.org/attachment.cgi?id=18104
+Patch4:         memory-corruption-since-samba-4-18.patch
+
 Requires(pre): /usr/sbin/groupadd
 
 Requires(pre): %{name}-common = %{samba_depver}
@@ -2024,7 +2034,6 @@ fi
 %{_libexecdir}/samba/rpcd_fsrvp
 %{_libexecdir}/samba/rpcd_lsad
 %{_libexecdir}/samba/rpcd_mdssvc
-%{_libexecdir}/samba/rpcd_rpcecho
 %{_libexecdir}/samba/rpcd_spoolss
 %{_libexecdir}/samba/rpcd_winreg
 %{_mandir}/man8/samba-dcerpcd.8*
@@ -4328,6 +4337,18 @@ fi
 %endif
 
 %changelog
+* Wed Feb 21 2024 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.6-3.alma.1
+- Fix libnss_winbind causes memory corruption since samba-4.18,
+ impacts sendmail, zabbix, potentially more
+
+* Thu Nov 23 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.6-2.alma.1
+- CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
+ could exit socket_dir.
+- CVE-2023-4091: smbtorture: test overwrite dispositions on
+ read-only file
+- CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
+ default
+
 * Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-1
 - related: rhbz#2190417 - Update to version 4.18.6
 - resolves: rhbz#2232564 - Fix the rpc dsgetinfo command