samba/backport-0010-CVE-2022-37966.patch

From 903a2e1a15a1eceff4e261145535b313e439cb14 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 26 Oct 2022 14:29:54 +1300
Subject: [PATCH 10/54] CVE-2022-37966 tests/krb5: Add 'etypes' parameter to
 _tgs_req()

This lets us select the encryption types we claim to support in the
request body.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
[jsutton@samba.org Adapted to 4.17 version of function taking different
 parameters]

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
 python/samba/tests/krb5/kdc_tgs_tests.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index f514e321fee1..cd023e5e32d9 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -70,6 +70,7 @@ class KdcTgsBaseTests(KDCBaseTest):
                  srealm=None,
                  use_fast=False,
                  expect_claims=True,
+                 etypes=None,
                  expect_pac=True,
                  expect_pac_attrs=None,
                  expect_pac_attrs_pac_request=None,
@@ -135,7 +136,8 @@ class KdcTgsBaseTests(KDCBaseTest):
 
             pac_options = None
 
-        etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+        if etypes is None:
+            etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
 
         if expected_error:
             check_error_fn = self.generic_check_kdc_error
-- 
2.34.1
fix CVE-2022-38023 CVE-2022-37966 CVE-2022-37967 2022-12-29 07:17:40 +00:00			`From 903a2e1a15a1eceff4e261145535b313e439cb14 Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Wed, 26 Oct 2022 14:29:54 +1300`
			`Subject: [PATCH 10/54] CVE-2022-37966 tests/krb5: Add 'etypes' parameter to`
			`_tgs_req()`

			`This lets us select the encryption types we claim to support in the`
			`request body.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Stefan Metzmacher <metze@samba.org>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`

			`(similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)`
			`[jsutton@samba.org Adapted to 4.17 version of function taking different`
			`parameters]`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17695`
			`---`
			`python/samba/tests/krb5/kdc_tgs_tests.py \| 4 +++-`
			`1 file changed, 3 insertions(+), 1 deletion(-)`

			`diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py`
			`index f514e321fee1..cd023e5e32d9 100755`
			`--- a/python/samba/tests/krb5/kdc_tgs_tests.py`
			`+++ b/python/samba/tests/krb5/kdc_tgs_tests.py`
			`@@ -70,6 +70,7 @@ class KdcTgsBaseTests(KDCBaseTest):`
			`srealm=None,`
			`use_fast=False,`
			`expect_claims=True,`
			`+ etypes=None,`
			`expect_pac=True,`
			`expect_pac_attrs=None,`
			`expect_pac_attrs_pac_request=None,`
			`@@ -135,7 +136,8 @@ class KdcTgsBaseTests(KDCBaseTest):`

			`pac_options = None`

			`- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)`
			`+ if etypes is None:`
			`+ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)`

			`if expected_error:`
			`check_error_fn = self.generic_check_kdc_error`
			`--`
			`2.34.1`