11 changed files with 2323 additions and 857 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/samba-4.18.6.tar.xz
+SOURCES/samba-4.19.4.tar.xz
 SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/.samba.metadata
+++ b/.samba.metadata
@ -1,2 +1,2 @@
-12b41f2a849cb6c40e9f5b174bb1cd823a060bd7 SOURCES/samba-4.18.6.tar.xz
+6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz
 971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg
--- a/SOURCES/CVE-2023-3961.patch
+++ b/SOURCES/CVE-2023-3961.patch
@ -1,45 +0,0 @@
 From ae476e1c28b797fe221172ed1066bf8efa476d8d Mon Sep 17 00:00:00 2001
 From: Jeremy Allison <jra@samba.org>
 Date: Tue, 25 Jul 2023 17:41:04 -0700
 Subject: [PATCH] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
 could exit socket_dir.
 For now, SMB_ASSERT() to exit the server. We will remove
 this once the test code is in place.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
 Signed-off-by: Jeremy Allison <jra@samba.org>
 ---
 source3/rpc_client/local_np.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
 index 0e912d0e35a..dfed7e7beb6 100644
 --- a/source3/rpc_client/local_np.c
 +++ b/source3/rpc_client/local_np.c
@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
 		return tevent_req_post(req, ev);
 	}
 +	/*
 +	 * Ensure we cannot process a path that exits
 +	 * the socket_dir.
 +	 */
 +	if (ISDOTDOT(lower_case_pipename) ||
 +	    (strchr(lower_case_pipename, '/')!=NULL))
 +	{
 +		DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
 +			lower_case_pipename);
 +		/*
 +		 * For now, panic the server until we have
 +		 * the test code in place.
 +		 */
 +		SMB_ASSERT(false);
 +		tevent_req_error(req, ENOENT);
 +		return tevent_req_post(req, ev);
 +	}
 +
 	state->socketpath = talloc_asprintf(
 		state, "%s/np/%s", socket_dir, lower_case_pipename);
 	if (tevent_req_nomem(state->socketpath, req)) {
--- a/SOURCES/CVE-2023-4091.patch
+++ b/SOURCES/CVE-2023-4091.patch
@ -1,183 +0,0 @@
 From b1fd65694185c26f1e196d84ee8756300e631bd5 Mon Sep 17 00:00:00 2001
 From: Ralph Boehme <slow@samba.org>
 Date: Tue, 1 Aug 2023 12:30:00 +0200
 Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on
 read-only file
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
 Signed-off-by: Ralph Boehme <slow@samba.org>
 ---
 selftest/knownfail.d/samba3.smb2.acls |   1 +
 source4/torture/smb2/acls.c           | 143 ++++++++++++++++++++++++++
 2 files changed, 144 insertions(+)
 create mode 100644 selftest/knownfail.d/samba3.smb2.acls
 diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
 new file mode 100644
 index 00000000000..18df260c0e5
 --- /dev/null
 +++ b/selftest/knownfail.d/samba3.smb2.acls
@@ -0,0 +1 @@
 +^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
 diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
 index bbf201bcf4b..53f482c5541 100644
 --- a/source4/torture/smb2/acls.c
 +++ b/source4/torture/smb2/acls.c
@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
 	return ret;
 }
 +static bool test_overwrite_read_only_file(struct torture_context *tctx,
 +					  struct smb2_tree *tree)
 +{
 +	NTSTATUS status;
 +	struct smb2_create c;
 +	const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
 +	struct smb2_handle handle = {{0}};
 +	union smb_fileinfo q;
 +	union smb_setfileinfo set;
 +	struct security_descriptor *sd = NULL, *sd_orig = NULL;
 +	const char *owner_sid = NULL;
 +	int i;
 +	bool ret = true;
 +
 +	struct tcase {
 +		int disposition;
 +		const char *disposition_string;
 +		NTSTATUS expected_status;
 +	} tcases[] = {
 +#define TCASE(d, s) {				\
 +		.disposition = d,		\
 +		.disposition_string = #d,	\
 +		.expected_status = s,		\
 +	}
 +		TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
 +		TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
 +		TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
 +		TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
 +	};
 +#undef TCASE
 +
 +	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
 +	torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
 +
 +	c = (struct smb2_create) {
 +		.in.desired_access = SEC_STD_READ_CONTROL |
 +			SEC_STD_WRITE_DAC |
 +			SEC_STD_WRITE_OWNER,
 +		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
 +		.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
 +			NTCREATEX_SHARE_ACCESS_WRITE,
 +		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
 +		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
 +		.in.fname = fname,
 +	};
 +
 +	status = smb2_create(tree, tctx, &c);
 +	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 +					"smb2_create failed\n");
 +	handle = c.out.file.handle;
 +
 +	torture_comment(tctx, "get the original sd\n");
 +
 +	ZERO_STRUCT(q);
 +	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
 +	q.query_secdesc.in.file.handle = handle;
 +	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
 +
 +	status = smb2_getinfo_file(tree, tctx, &q);
 +	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 +					"smb2_getinfo_file failed\n");
 +	sd_orig = q.query_secdesc.out.sd;
 +
 +	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
 +
 +	sd = security_descriptor_dacl_create(tctx,
 +					0, NULL, NULL,
 +					owner_sid,
 +					SEC_ACE_TYPE_ACCESS_ALLOWED,
 +					SEC_FILE_READ_DATA,
 +					0,
 +					NULL);
 +
 +	ZERO_STRUCT(set);
 +	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
 +	set.set_secdesc.in.file.handle = handle;
 +	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
 +	set.set_secdesc.in.sd = sd;
 +
 +	status = smb2_setinfo_file(tree, &set);
 +	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 +					"smb2_setinfo_file failed\n");
 +
 +	smb2_util_close(tree, handle);
 +	ZERO_STRUCT(handle);
 +
 +	for (i = 0; i < ARRAY_SIZE(tcases); i++) {
 +		torture_comment(tctx, "Verify open with %s dispostion\n",
 +				tcases[i].disposition_string);
 +
 +		c = (struct smb2_create) {
 +			.in.create_disposition = tcases[i].disposition,
 +			.in.desired_access = SEC_FILE_READ_DATA,
 +			.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
 +			.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
 +			.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
 +			.in.fname = fname,
 +		};
 +
 +		status = smb2_create(tree, tctx, &c);
 +		smb2_util_close(tree, c.out.file.handle);
 +		torture_assert_ntstatus_equal_goto(
 +			tctx, status, tcases[i].expected_status, ret, done,
 +			"smb2_create failed\n");
 +	};
 +
 +	torture_comment(tctx, "put back original sd\n");
 +
 +	c = (struct smb2_create) {
 +		.in.desired_access = SEC_STD_WRITE_DAC,
 +		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
 +		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
 +		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
 +		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
 +		.in.fname = fname,
 +	};
 +
 +	status = smb2_create(tree, tctx, &c);
 +	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 +					"smb2_create failed\n");
 +	handle = c.out.file.handle;
 +
 +	ZERO_STRUCT(set);
 +	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
 +	set.set_secdesc.in.file.handle = handle;
 +	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
 +	set.set_secdesc.in.sd = sd_orig;
 +
 +	status = smb2_setinfo_file(tree, &set);
 +	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
 +					"smb2_setinfo_file failed\n");
 +
 +	smb2_util_close(tree, handle);
 +	ZERO_STRUCT(handle);
 +
 +done:
 +	smb2_util_close(tree, handle);
 +	smb2_util_unlink(tree, fname);
 +	smb2_deltree(tree, BASEDIR);
 +	return ret;
 +}
 +
 /*
    basic testing of SMB2 ACLs
 */
@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
 			test_deny1);
 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
 			test_mxac_not_granted);
 +	torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
--- a/SOURCES/CVE-2023-42669.patch
+++ b/SOURCES/CVE-2023-42669.patch
@ -1,86 +0,0 @@
 From 3cf1beed5df7d8b5d854517de7de322c6a5bc7fa Mon Sep 17 00:00:00 2001
 From: Andrew Bartlett <abartlet@samba.org>
 Date: Tue, 12 Sep 2023 18:59:44 +1200
 Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
 default
 The rpcecho server is useful in development and testing, but should never
 have been allowed into production, as it includes the facility to
 do a blocking sleep() in the single-threaded rpc worker.
 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
 Signed-off-by: Andrew Bartlett <abartlet@samba.org>
 ---
 docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
 lib/param/loadparm.c                                   | 2 +-
 selftest/target/Samba4.pm                              | 2 +-
 source3/param/loadparm.c                               | 2 +-
 source4/rpc_server/wscript_build                       | 3 ++-
 5 files changed, 6 insertions(+), 5 deletions(-)
 diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
 index 8a217cc7f118..c6642b795fd6 100644
 --- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
 +++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
 </description>
 -<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
 +<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
 <value type="example">rpcecho</value>
 </samba:parameter>
 diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
 index 9a7ae4f95fe8..673b913e6e5a 100644
 --- a/lib/param/loadparm.c
 +++ b/lib/param/loadparm.c
@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
 -	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
 +	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
 	/* the winbind method for domain controllers is for both RODC
 diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
 index 49e3c174b07e..5f1f1bfffad6 100755
 --- a/selftest/target/Samba4.pm
 +++ b/selftest/target/Samba4.pm
@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
 	wins support = yes
 	server role = $ctx->{server_role}
 	server services = +echo $services
 -        dcerpc endpoint servers = +winreg +srvsvc
 +        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
 	notify:inotify = false
 	ldb:nosync = true
 	ldap server require strong auth = yes
 diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
 index 1c3644589126..e7f4bbe3995e 100644
 --- a/source3/param/loadparm.c
 +++ b/source3/param/loadparm.c
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
 -	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 +	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
 	Globals.tls_enabled = true;
 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
 diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
 index 0e44a3c2baed..31ec4f60c9a6 100644
 --- a/source4/rpc_server/wscript_build
 +++ b/source4/rpc_server/wscript_build
@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
                  source='echo/rpc_echo.c',
                  subsystem='dcerpc_server',
                  init_function='dcerpc_server_rpcecho_init',
 -                 deps='ndr-standard events'
 +                 deps='ndr-standard events',
 +                 enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
                  )
--- a/SOURCES/samba-4.18.6.tar.asc
+++ b/SOURCES/samba-4.18.6.tar.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmTc/5EACgkQqplEL7aA
 tiB+4RAAkcRhO1/ZC7sXgqAqTZY05On8g2GLeuBh2Q+u7QIyjcDLuJWzp0TkrbMn
 LBGtFAyCxM1JbW/K1UNafeQcf3UKzY1nIPtUpqVjN7qMxt0BDZ6MsXGbB/qhyGMZ
 YnsZ8of/8NOUKx5KbrSeN5TqjICWTVRKi7KPcBrD51sTSt5unXYrolyJpKoPjYYU
 lQS8cnh/shfvvFX4fYf9XtFS2OcQqCTFrLeajb6DU7Ep6ZBZa9r3m5Gk3ZvhBu9r
 qowmQDqbNfo++wIkOaehD6tQsWcY2XvfBCFLqtSnF1SraN0jpdYr08dbcRGyuhFd
 DS9+4BwCCML0mip7aaP6NHZpN+LvyYkAKPuKo8mW8pxe3i8ctxcTyN6SfmZA6RlE
 bcmRQSkBD/e0jjBX5nR0zsaT01bgE1bBvbro0ZKHpR7/k6WeV+k6jDmqqXnYj3uB
 61fCtf41w1b2pMhty70niga2gxaHrSqu9gqSl2wk/uMhwtdntqrJtaWIChWM0CRs
 b6pfbjEZM2NDhsLe3idvY9Hl1hlKrMtoLJTu7fksTDVJzWPfqOCyIOc1DkxbCqlG
 XB9fbre57DWIpRvNK4pu108LiGbavK2rLC6wlcjshP3/9BA3c3HO/JPQGtDAn1UE
 JVQlYT1Fzzp9RU8U5Khz9D7pB3k6K19ZIo3q5xTA/V5O6axB5WM=
 =GnJM
 -----END PGP SIGNATURE-----
--- a/SOURCES/samba-4.19-redhat.patch
+++ b/SOURCES/samba-4.19-redhat.patch
--- a/SOURCES/samba-4.19.4.tar.asc
+++ b/SOURCES/samba-4.19.4.tar.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmWcCFAACgkQqplEL7aA
 tiDKSBAAuWA9jT6xCfFACIlme7DbEoUm/Bsbf+GM2Somd3pgajekiNxo7CsW9Xub
 Vmpj0Q5OKiri81XTqA8LlqMCBliqfw/rnP48kCH0YqXzjqD6aYuwmk0Q4G3wWBTJ
 2ZT/wOpbM3YooFfE9Iffz6uNgAiQ/8kpBt2m6Zzfy8n1ThfztyGAGaSmrUWxgUlq
 XjRjtgTw4isZBm+RzCFSGuPxvWvxRlfD5JCe2gc221rI3kbaQE2GSxdZ6D0635Ln
 iy64SLIAKkQCrrFFckudSCCLKgLNdIClEwzamhhCbmCxnWMDufzN+BQZhq3axQ+x
 svPfZqltVSQztr4nPGvKdebtVLL2Zyf/LtXWQP/s66quHlHFoEAC7MuD6tEMQVar
 JQUCN51Gs0Yk12iReQFm6/Uo35aPAlai1e2uOkNzS5FnagRObYt6FYeQripks4I8
 ZW5VvF4cE0zqdjrlG+Ttqmpbj7i6AUJj9wSbrEOFDUhTL+QPPOfJ05yr1BHmS6nJ
 vuuUs+ei/DnYEFS91P81h5NuOdpRHIBTG6LUOLz5KOoNdIgvzjD/Ugyscj4AFTBo
 +NTG9nNr6gkLV/6dxDRR2/sbU6P+FZBL+JVUoDR7XQ7oHG7sFV+/8Dtu8RivEw++
 1sNGqxvGkwu7JunMkJO5YZRwXi81v3nmHkWKgb0+52iYXgmdesY=
 =kOPP
 -----END PGP SIGNATURE-----
--- a/SOURCES/samba-winbind-systemd-sysusers.conf
+++ b/SOURCES/samba-winbind-systemd-sysusers.conf
@ -0,0 +1,2 @@
 #Type Name       ID
 g     wbpriv     88
--- a/SOURCES/smb.conf.vendor
+++ b/SOURCES/smb.conf.vendor
@ -18,6 +18,9 @@
 	load printers = yes
 	cups options = raw
 	# Install samba-usershares package for support
 	include = /etc/samba/usershares.conf
 [homes]
 	comment = Home Directories
 	valid users = %S, %D%w%S
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
`@ -1,2 +1,2 @@`
	`SOURCES/samba-4.18.6.tar.xz`	`SOURCES/samba-4.19.4.tar.xz`
	`SOURCES/samba-pubkey_AA99442FB680B620.gpg`	`SOURCES/samba-pubkey_AA99442FB680B620.gpg`
`@ -1,2 +1,2 @@`
	`12b41f2a849cb6c40e9f5b174bb1cd823a060bd7 SOURCES/samba-4.18.6.tar.xz`	`6a164128df94dd89e785ca9f42d7be5714f16bed SOURCES/samba-4.19.4.tar.xz`
	`971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg`	`971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg`