Compare commits

...

3 Commits

Author SHA1 Message Date
04e2eb07a7 Update to 4.18.6-2.alma.1 2023-11-23 10:49:17 +03:00
791775af87 Merge branch 'c8' into a8 2023-11-23 10:33:34 +03:00
bb27d63e76 - Fix CVE-2023-3347
- netlogon: add support for netr_LogonGetCapabilities response level 2
2023-08-03 11:09:27 +03:00
4 changed files with 675 additions and 3 deletions

View File

@ -0,0 +1,295 @@
From 09ee91a8f7e53f688f091fe67e0b95d1d34fb9c9 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 25 Jul 2023 17:41:04 -0700
Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/rpc_client/local_np.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
index 0b323404f06..95228d5d801 100644
--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
return tevent_req_post(req, ev);
}
+ /*
+ * Ensure we cannot process a path that exits
+ * the socket_dir.
+ */
+ if (ISDOTDOT(lower_case_pipename) ||
+ (strchr(lower_case_pipename, '/')!=NULL))
+ {
+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
+ lower_case_pipename);
+ /*
+ * For now, panic the server until we have
+ * the test code in place.
+ */
+ SMB_ASSERT(false);
+ tevent_req_error(req, ENOENT);
+ return tevent_req_post(req, ev);
+ }
+
state->socketpath = talloc_asprintf(
state, "%s/np/%s", socket_dir, lower_case_pipename);
if (tevent_req_nomem(state->socketpath, req)) {
--
2.39.2
From 34d4258e77d7a3f48004e88161ac2398e9669a4b Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 25 Jul 2023 17:49:21 -0700
Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME
to show we allow bad pipenames with unix separators through to the UNIX
domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
---
selftest/knownfail.d/badpipename | 1 +
source3/selftest/tests.py | 14 ++++
source3/torture/proto.h | 1 +
source3/torture/test_smb2.c | 107 +++++++++++++++++++++++++++++++
source3/torture/torture.c | 4 ++
5 files changed, 127 insertions(+)
create mode 100644 selftest/knownfail.d/badpipename
diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename
new file mode 100644
index 00000000000..e69715f863d
--- /dev/null
+++ b/selftest/knownfail.d/badpipename
@@ -0,0 +1 @@
+^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\)
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 1fdcad1089f..2c8336d35e8 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -296,6 +296,20 @@ plantestsuite("samba3.smbtorture_s3.smb2.SMB2-DFS-FILENAME-LEADING-BACKSLASH",
smbtorture3,
"-mSMB2"])
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
+# Prevent bad pipenames.
+#
+plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME",
+ "fileserver",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_smbtorture_s3.sh"),
+ 'SMB2-INVALID-PIPENAME',
+ '//$SERVER_IP/tmp',
+ '$USERNAME',
+ '$PASSWORD',
+ smbtorture3,
+ "-mSMB2"])
+
#
# SMB2-NON-DFS-SHARE needs to run against a special share non-msdfs-pathname-share
# This is an empty non-DFS share with no links, used merely to test
diff --git a/source3/torture/proto.h b/source3/torture/proto.h
index 21d7b3e00a7..3751697596a 100644
--- a/source3/torture/proto.h
+++ b/source3/torture/proto.h
@@ -124,6 +124,7 @@ bool run_smb2_dfs_paths(int dummy);
bool run_smb2_non_dfs_share(int dummy);
bool run_smb2_dfs_share_non_dfs_path(int dummy);
bool run_smb2_dfs_filename_leading_backslash(int dummy);
+bool run_smb2_invalid_pipename(int dummy);
bool run_smb1_dfs_paths(int dummy);
bool run_smb1_dfs_search_paths(int dummy);
bool run_smb1_dfs_operations(int dummy);
diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c
index 269ade4ef61..7ea3d83de10 100644
--- a/source3/torture/test_smb2.c
+++ b/source3/torture/test_smb2.c
@@ -5136,3 +5136,110 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy)
(void)smb2_dfs_delete(cli, dfs_filename_slash);
return retval;
}
+
+bool run_smb2_invalid_pipename(int dummy)
+{
+ struct cli_state *cli = NULL;
+ NTSTATUS status;
+ uint64_t fid_persistent = 0;
+ uint64_t fid_volatile = 0;
+ const char *unknown_pipe = "badpipe";
+ const char *invalid_pipe = "../../../../../../../../../badpipe";
+
+ printf("Starting SMB2-INVALID-PIPENAME\n");
+
+ if (!torture_init_connection(&cli)) {
+ return false;
+ }
+
+ status = smbXcli_negprot(cli->conn,
+ cli->timeout,
+ PROTOCOL_SMB2_02,
+ PROTOCOL_SMB3_11);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("smbXcli_negprot returned %s\n", nt_errstr(status));
+ return false;
+ }
+
+ status = cli_session_setup_creds(cli, torture_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_session_setup returned %s\n", nt_errstr(status));
+ return false;
+ }
+
+ status = cli_tree_connect(cli, "IPC$", "?????", NULL);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_tree_connect returned %s\n", nt_errstr(status));
+ return false;
+ }
+
+ /* Try and connect to an unknown pipename. */
+ status = smb2cli_create(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ unknown_pipe,
+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
+ SEC_STD_SYNCHRONIZE|
+ SEC_FILE_READ_DATA|
+ SEC_FILE_WRITE_DATA|
+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
+ FILE_CREATE, /* create_disposition, */
+ 0, /* create_options, */
+ NULL, /* smb2_create_blobs *blobs */
+ &fid_persistent,
+ &fid_volatile,
+ NULL, /* struct smb_create_returns * */
+ talloc_tos(), /* mem_ctx. */
+ NULL, /* struct smb2_create_blobs * */
+ NULL); /* struct symlink_reparse_struct */
+ /* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ printf("%s:%d smb2cli_create on name %s returned %s\n",
+ __FILE__,
+ __LINE__,
+ unknown_pipe,
+ nt_errstr(status));
+ return false;
+ }
+
+ /* Try and connect to an invalid pipename containing unix separators. */
+ status = smb2cli_create(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ invalid_pipe,
+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
+ SEC_STD_SYNCHRONIZE|
+ SEC_FILE_READ_DATA|
+ SEC_FILE_WRITE_DATA|
+ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
+ FILE_CREATE, /* create_disposition, */
+ 0, /* create_options, */
+ NULL, /* smb2_create_blobs *blobs */
+ &fid_persistent,
+ &fid_volatile,
+ NULL, /* struct smb_create_returns * */
+ talloc_tos(), /* mem_ctx. */
+ NULL, /* struct smb2_create_blobs * */
+ NULL); /* struct symlink_reparse_struct */
+ /*
+ * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND
+ * (tested against Windows 2022).
+ */
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ printf("%s:%d smb2cli_create on name %s returned %s\n",
+ __FILE__,
+ __LINE__,
+ invalid_pipe,
+ nt_errstr(status));
+ return false;
+ }
+ return true;
+}
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 1315b328f5f..d53699c3b02 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -15727,6 +15727,10 @@ static struct {
.name = "SMB2-DFS-FILENAME-LEADING-BACKSLASH",
.fn = run_smb2_dfs_filename_leading_backslash,
},
+ {
+ .name = "SMB2-INVALID-PIPENAME",
+ .fn = run_smb2_invalid_pipename,
+ },
{
.name = "SMB1-TRUNCATED-SESSSETUP",
.fn = run_smb1_truncated_sesssetup,
--
2.39.2
From cbd81ca9d7ea1d5a6ea2b1026bc342ff996cca7c Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 25 Jul 2023 17:54:41 -0700
Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that
crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knowfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
---
selftest/knownfail.d/badpipename | 1 -
source3/rpc_client/local_np.c | 5 -----
2 files changed, 6 deletions(-)
delete mode 100644 selftest/knownfail.d/badpipename
diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename
deleted file mode 100644
index e69715f863d..00000000000
--- a/selftest/knownfail.d/badpipename
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\)
diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
index 95228d5d801..791ded99a47 100644
--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
@@ -551,11 +551,6 @@ struct tevent_req *local_np_connect_send(
{
DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
lower_case_pipename);
- /*
- * For now, panic the server until we have
- * the test code in place.
- */
- SMB_ASSERT(false);
tevent_req_error(req, ENOENT);
return tevent_req_post(req, ev);
}
--
2.39.2

View File

@ -0,0 +1,239 @@
From a4a3868fda277ddf0f174b77a859c33e4c339538 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 1 Aug 2023 12:30:00 +0200
Subject: [PATCH 1/2] CVE-2023-4091: smbtorture: test overwrite dispositions on
read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
---
selftest/knownfail.d/samba3.smb2.acls | 1 +
source4/torture/smb2/acls.c | 143 ++++++++++++++++++++++++++
2 files changed, 144 insertions(+)
create mode 100644 selftest/knownfail.d/samba3.smb2.acls
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
new file mode 100644
index 000000000000..18df260c0e50
--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.acls
@@ -0,0 +1 @@
+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
index a27d4e079e67..5a892d004ea8 100644
--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
return ret;
}
+static bool test_overwrite_read_only_file(struct torture_context *tctx,
+ struct smb2_tree *tree)
+{
+ NTSTATUS status;
+ struct smb2_create c;
+ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
+ struct smb2_handle handle = {{0}};
+ union smb_fileinfo q;
+ union smb_setfileinfo set;
+ struct security_descriptor *sd = NULL, *sd_orig = NULL;
+ const char *owner_sid = NULL;
+ int i;
+ bool ret = true;
+
+ struct tcase {
+ int disposition;
+ const char *disposition_string;
+ NTSTATUS expected_status;
+ } tcases[] = {
+#define TCASE(d, s) { \
+ .disposition = d, \
+ .disposition_string = #d, \
+ .expected_status = s, \
+ }
+ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
+ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
+ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
+ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
+ };
+#undef TCASE
+
+ ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
+
+ c = (struct smb2_create) {
+ .in.desired_access = SEC_STD_READ_CONTROL |
+ SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+ NTCREATEX_SHARE_ACCESS_WRITE,
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_create failed\n");
+ handle = c.out.file.handle;
+
+ torture_comment(tctx, "get the original sd\n");
+
+ ZERO_STRUCT(q);
+ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+ q.query_secdesc.in.file.handle = handle;
+ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
+
+ status = smb2_getinfo_file(tree, tctx, &q);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_getinfo_file failed\n");
+ sd_orig = q.query_secdesc.out.sd;
+
+ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+ sd = security_descriptor_dacl_create(tctx,
+ 0, NULL, NULL,
+ owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_FILE_READ_DATA,
+ 0,
+ NULL);
+
+ ZERO_STRUCT(set);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = handle;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd;
+
+ status = smb2_setinfo_file(tree, &set);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_setinfo_file failed\n");
+
+ smb2_util_close(tree, handle);
+ ZERO_STRUCT(handle);
+
+ for (i = 0; i < ARRAY_SIZE(tcases); i++) {
+ torture_comment(tctx, "Verify open with %s dispostion\n",
+ tcases[i].disposition_string);
+
+ c = (struct smb2_create) {
+ .in.create_disposition = tcases[i].disposition,
+ .in.desired_access = SEC_FILE_READ_DATA,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ smb2_util_close(tree, c.out.file.handle);
+ torture_assert_ntstatus_equal_goto(
+ tctx, status, tcases[i].expected_status, ret, done,
+ "smb2_create failed\n");
+ };
+
+ torture_comment(tctx, "put back original sd\n");
+
+ c = (struct smb2_create) {
+ .in.desired_access = SEC_STD_WRITE_DAC,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_create failed\n");
+ handle = c.out.file.handle;
+
+ ZERO_STRUCT(set);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = handle;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd_orig;
+
+ status = smb2_setinfo_file(tree, &set);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_setinfo_file failed\n");
+
+ smb2_util_close(tree, handle);
+ ZERO_STRUCT(handle);
+
+done:
+ smb2_util_close(tree, handle);
+ smb2_util_unlink(tree, fname);
+ smb2_deltree(tree, BASEDIR);
+ return ret;
+}
+
/*
basic testing of SMB2 ACLs
*/
@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
test_deny1);
torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
test_mxac_not_granted);
+ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
--
2.41.0
From 5b5e2b1714e4a242b1cea44deff1f380620872c9 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 1 Aug 2023 13:04:36 +0200
Subject: [PATCH 2/2] CVE-2023-4091: smbd: use open_access_mask for access
check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
---
selftest/knownfail.d/samba3.smb2.acls | 1 -
source3/smbd/open.c | 4 ++--
2 files changed, 2 insertions(+), 3 deletions(-)
delete mode 100644 selftest/knownfail.d/samba3.smb2.acls
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
deleted file mode 100644
index 18df260c0e50..000000000000
--- a/selftest/knownfail.d/samba3.smb2.acls
+++ /dev/null
@@ -1 +0,0 @@
-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
diff --git a/source3/smbd/open.c b/source3/smbd/open.c
index 94f50becb247..0c9ddfe7c948 100644
--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req,
dirfsp,
fsp,
false,
- access_mask);
+ open_access_mask);
if (!NT_STATUS_IS_OK(status)) {
DBG_DEBUG("smbd_check_access_rights_fsp"
@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req,
status = smbd_check_access_rights_fsp(dirfsp,
fsp,
false,
- access_mask);
+ open_access_mask);
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
posix_open &&
--
2.41.0

View File

@ -0,0 +1,123 @@
From e534a858d15589f27181b82c8ed8abefc56fb95f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 12 Sep 2023 18:59:44 +1200
Subject: [PATCH 1/2] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
lib/param/loadparm.c | 2 +-
selftest/target/Samba4.pm | 2 +-
source3/param/loadparm.c | 2 +-
source4/rpc_server/wscript_build | 3 ++-
5 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
index 8a217cc7f11..c6642b795fd 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
<para>Specifies which DCE/RPC endpoint servers should be run.</para>
</description>
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
<value type="example">rpcecho</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 16cb0d47f31..83b05260e09 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
/* the winbind method for domain controllers is for both RODC
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index d15156a538b..5687d2a8587 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
wins support = yes
server role = $ctx->{server_role}
server services = +echo $services
- dcerpc endpoint servers = +winreg +srvsvc
+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho
notify:inotify = false
ldb:nosync = true
ldap server require strong auth = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 12718ced9e7..e33751a27e3 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
Globals.tls_enabled = true;
Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 0e44a3c2bae..31ec4f60c9a 100644
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
source='echo/rpc_echo.c',
subsystem='dcerpc_server',
init_function='dcerpc_server_rpcecho_init',
- deps='ndr-standard events'
+ deps='ndr-standard events',
+ enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
)
--
2.25.1
From 8ce92246a016f3e7f23b6a94ceb666f776e56998 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 12 Sep 2023 19:01:03 +1200
Subject: [PATCH 2/2] CVE-2023-42669 s3-rpc_server: Disable rpcecho for
consistency with the AD DC
The rpcecho server in source3 does have samba the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. Hoever equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
source3/rpc_server/wscript_build | 1 +
1 file changed, 1 insertion(+)
diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build
index 341df41a321..5ed81283395 100644
--- a/source3/rpc_server/wscript_build
+++ b/source3/rpc_server/wscript_build
@@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho',
RPC_WORKER
RPC_RPCECHO
''',
+ for_selftest=True,
install_path='${SAMBA_LIBEXECDIR}')
bld.SAMBA3_BINARY('rpcd_classic',
--
2.25.1

View File

@ -138,7 +138,7 @@
%define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not")
%global samba_version 4.18.6 %global samba_version 4.18.6
%global baserelease 1 %global baserelease 2
# This should be rc1 or %%nil # This should be rc1 or %%nil
%global pre_release %nil %global pre_release %nil
@ -202,7 +202,7 @@
Name: samba Name: samba
Version: %{samba_version} Version: %{samba_version}
Release: %{samba_release}%{?dist} Release: %{samba_release}%{?dist}.alma.1
%if 0%{?fedora} %if 0%{?fedora}
Epoch: 2 Epoch: 2
@ -234,6 +234,14 @@ Source17: samba-usershares-systemd-sysusers.conf
Source201: README.downgrade Source201: README.downgrade
Source202: samba.abignore Source202: samba.abignore
# Patches were taken from:
# https://attachments.samba.org/attachment.cgi?id=18128
Patch1: CVE-2023-3961-s3-smbd-Catch-any-incoming-pipe-path-that.patch
# https://attachments.samba.org/attachment.cgi?id=18131
Patch2: CVE-2023-4091-smbtorture-test-overwrite-dispositions-on.patch
# https://attachments.samba.org/attachment.cgi?id=18136
Patch3: CVE-2023-42669-s4-rpc_server-Disable-rpcecho-server-by.patch
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
Requires(pre): %{name}-common = %{samba_depver} Requires(pre): %{name}-common = %{samba_depver}
@ -2024,7 +2032,6 @@ fi
%{_libexecdir}/samba/rpcd_fsrvp %{_libexecdir}/samba/rpcd_fsrvp
%{_libexecdir}/samba/rpcd_lsad %{_libexecdir}/samba/rpcd_lsad
%{_libexecdir}/samba/rpcd_mdssvc %{_libexecdir}/samba/rpcd_mdssvc
%{_libexecdir}/samba/rpcd_rpcecho
%{_libexecdir}/samba/rpcd_spoolss %{_libexecdir}/samba/rpcd_spoolss
%{_libexecdir}/samba/rpcd_winreg %{_libexecdir}/samba/rpcd_winreg
%{_mandir}/man8/samba-dcerpcd.8* %{_mandir}/man8/samba-dcerpcd.8*
@ -4328,6 +4335,14 @@ fi
%endif %endif
%changelog %changelog
* Thu Nov 23 2023 Eduard Abdullin <eabdullin@almalinux.org> - 4.18.6-2.alma.1
- CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
could exit socket_dir.
- CVE-2023-4091: smbtorture: test overwrite dispositions on
read-only file
- CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
default
* Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-1 * Thu Aug 17 2023 Andreas Schneider <asn@redhat.com> - 4.18.6-1
- related: rhbz#2190417 - Update to version 4.18.6 - related: rhbz#2190417 - Update to version 4.18.6
- resolves: rhbz#2232564 - Fix the rpc dsgetinfo command - resolves: rhbz#2232564 - Fix the rpc dsgetinfo command