!128 fix CVE-2022-3437

From: @xinghe_1 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
This commit is contained in:
openeuler-ci-bot 2022-10-27 13:46:09 +00:00 committed by Gitee
commit 2378fe9b1d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
12 changed files with 1925 additions and 1 deletions


@ -0,0 +1,39 @@
From fe1204d9da2c6f761c4dc4421f67057b10eaf430 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 12 Oct 2022 13:56:08 +1300
Subject: [PATCH 05/15] CVE-2022-3437 source4/heimdal: Remove __func__
compatibility workaround
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
source4/heimdal/lib/krb5/krb5_locl.h | 4 ----
1 file changed, 4 deletions(-)
diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h
index 49c614d5efe..d3360c556ce 100644
--- a/source4/heimdal/lib/krb5/krb5_locl.h
+++ b/source4/heimdal/lib/krb5/krb5_locl.h
@@ -188,10 +188,6 @@ struct _krb5_krb_auth_data;
#define ALLOC(X, N) (X) = calloc((N), sizeof(*(X)))
#define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0)
-#ifndef __func__
-#define __func__ "unknown-function"
-#endif
-
#define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum))
#ifndef PATH_SEP
--
2.25.1


@ -0,0 +1,58 @@
From a49a3ac8e082921c2793a073b5991c4693f167ab Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 12 Oct 2022 13:55:51 +1300
Subject: [PATCH 06/15] CVE-2022-3437 source4/heimdal_build: Add
gssapi-subsystem subsystem
This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[jsutton@samba.org Adapted to older wscript_build file]
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
source4/heimdal_build/wscript_build | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build
index e91c8ab2eeb..41152192798 100644
--- a/source4/heimdal_build/wscript_build
+++ b/source4/heimdal_build/wscript_build
@@ -571,8 +571,8 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
HEIMDAL_AUTOPROTO_PRIVATE('lib/gssapi/krb5/gsskrb5-private.h',
HEIMDAL_GSSAPI_KRB5_SOURCE)
- HEIMDAL_LIBRARY('gssapi',
- HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + '''
+ HEIMDAL_SUBSYSTEM('gssapi-subsystem',
+ HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + '''
lib/gssapi/mech/context.c lib/gssapi/mech/gss_krb5.c lib/gssapi/mech/gss_mech_switch.c
lib/gssapi/mech/gss_process_context_token.c lib/gssapi/mech/gss_buffer_set.c
lib/gssapi/mech/gss_aeap.c lib/gssapi/mech/gss_add_cred.c lib/gssapi/mech/gss_cred.c
@@ -597,10 +597,16 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"):
lib/gssapi/mech/gss_set_cred_option.c lib/gssapi/mech/gss_pseudo_random.c ../heimdal_build/gssapi-glue.c''',
includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech',
deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind heimbase',
- vnum='2.0.0',
- version_script='lib/gssapi/version-script.map',
)
+ HEIMDAL_LIBRARY('gssapi',
+ '',
+ includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech',
+ deps='gssapi-subsystem',
+ vnum='2.0.0',
+ version_script='lib/gssapi/version-script.map',
+ )
+
if not bld.CONFIG_SET("USING_SYSTEM_KRB5"):
# expand_path.c needs some of the install paths
HEIMDAL_SUBSYSTEM('HEIMDAL_CONFIG',
--
2.25.1
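Review bot: The new `HEIMDAL_LIBRARY('gssapi', '', ...)` call in the second hunk has an empty source list, and nothing in the hunk records why a library with no sources of its own is intended; a one-line comment above it, `# no sources of its own: every object comes from gssapi-subsystem, which tests can depend on directly`, would stop a later cleanup from "fixing" it. The `includes=` line appears to be a verbatim copy of the subsystem's; whether a target with no sources still needs it is not visible here, so it may be redundant. The enclosing `if not bld.CONFIG_SET(...)` block starts outside the hunk.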



@ -0,0 +1,81 @@
From c22914f845b3eba1c9ad444333f3d044352b7e2c Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 12 Oct 2022 13:57:13 +1300
Subject: [PATCH 08/15] CVE-2022-3437 source4/heimdal: Use constant-time
memcmp() for arcfour unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[jsutton@samba.org Adapted to small differences in comparisons, and
removed erroneous duplicate code in conflicting region]
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
source4/heimdal/lib/gssapi/krb5/arcfour.c | 24 +++++++----------------
1 file changed, 7 insertions(+), 17 deletions(-)
diff --git a/source4/heimdal/lib/gssapi/krb5/arcfour.c b/source4/heimdal/lib/gssapi/krb5/arcfour.c
index a61f7686e95..c6b317ff683 100644
--- a/source4/heimdal/lib/gssapi/krb5/arcfour.c
+++ b/source4/heimdal/lib/gssapi/krb5/arcfour.c
@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
else
- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
memset(SND_SEQ, 0, sizeof(SND_SEQ));
if (cmp != 0) {
@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
if (context_handle->more_flags & LOCAL)
- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+ cmp = ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
else
- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+ cmp = ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
if (cmp != 0) {
*minor_status = 0;
@@ -1266,19 +1266,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
_gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
if (ctx->more_flags & LOCAL) {
- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
+ cmp = ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
} else {
- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
- }
- if (cmp != 0) {
- *minor_status = 0;
- return GSS_S_BAD_MIC;
- }
-
- if (ctx->more_flags & LOCAL) {
- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
- } else {
- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
+ cmp = ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
}
if (cmp != 0) {
*minor_status = 0;
@@ -1353,7 +1343,7 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
return GSS_S_FAILURE;
}
- cmp = memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+ cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
if (cmp != 0) {
*minor_status = 0;
return GSS_S_BAD_MIC;
--
2.25.1
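Review bot: Only the sequence-number compares of `_gssapi_verify_mic_arcfour` and `_gssapi_unwrap_arcfour` are converted in the first two hunks; the SGN_CKSUM comparisons of those two functions are not in the hunks, and if they still use memcmp() they compare the MAC itself, which is the more timing-sensitive check (inferred — that code is outside the hunks, only the iov variant's `ct_memcmp(cksum_data, p0 + 16, 8)` is visible). Also confirm that ct_memcmp() is already declared for arcfour.c, since the diffstat shows no include change. Each of the four hunks sits inside a function whose start and end lie outside the hunk.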


@ -0,0 +1,35 @@
From 5f6dbf2ab29bcd30c701cab3daecf5a6a53a44cd Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 12 Oct 2022 13:57:55 +1300
Subject: [PATCH 09/15] CVE-2022-3437 source4/heimdal: Use constant-time
memcmp() in unwrap_des3()
The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
source4/heimdal/lib/gssapi/krb5/unwrap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
index b3da35ee9e2..7111a7944fe 100644
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
@@ -227,7 +227,7 @@ unwrap_des3
if (ret)
return ret;
- if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
return GSS_S_BAD_SIG;
p += 2;
if (ct_memcmp (p, "\x02\x00", 2) == 0) {
--
2.25.1
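Review bot: The matching check in unwrap_des, `if (memcmp (p, "\x00\x00", 2) != 0)` (visible as context in the later unwrap.c hunk of patch 13/15), is left as a plain memcmp() while its DES3 twin here becomes ct_memcmp(); for consistency with the surrounding ct_memcmp() calls the DES path should read `if (ct_memcmp (p, "\x00\x00", 2) != 0)` as well. The enclosing unwrap_des3 body starts and ends outside the hunk.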


@ -0,0 +1,51 @@
From 9f6f1e01aca4f00a5d23127803c81939253e0577 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 12 Oct 2022 13:57:42 +1300
Subject: [PATCH 10/15] CVE-2022-3437 source4/heimdal: Don't pass NULL pointers
to memcpy() in DES unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
index 7111a7944fe..9639091cb3a 100644
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
@@ -180,9 +180,10 @@ unwrap_des
output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE;
- memcpy (output_message_buffer->value,
- p + 24,
- output_message_buffer->length);
+ if (output_message_buffer->value != NULL)
+ memcpy (output_message_buffer->value,
+ p + 24,
+ output_message_buffer->length);
return GSS_S_COMPLETE;
}
#endif
@@ -374,9 +375,10 @@ unwrap_des3
output_message_buffer->value = malloc(output_message_buffer->length);
if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
return GSS_S_FAILURE;
- memcpy (output_message_buffer->value,
- p + 36,
- output_message_buffer->length);
+ if (output_message_buffer->value != NULL)
+ memcpy (output_message_buffer->value,
+ p + 36,
+ output_message_buffer->length);
return GSS_S_COMPLETE;
}
--
2.25.1
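Review bot: The added guard in both hunks (unwrap_des first, unwrap_des3 second) wraps a memcpy() call that spans three lines without braces, which is fragile under later edits; `if (output_message_buffer->value != NULL) { memcpy(...); }` keeps the body unambiguous. A short comment, `/* length may be 0, in which case malloc() may legitimately return NULL */`, would record why the NULL case is not an error after the preceding failure check. Both enclosing functions start outside the hunks.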


@ -0,0 +1,57 @@
From 5a62eb5734d50fe556934aefa3bac5698372f00e Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 15 Aug 2022 16:53:45 +1200
Subject: [PATCH 11/15] CVE-2022-3437 source4/heimdal: Avoid undefined
behaviour in _gssapi_verify_pad()
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.
In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.
That would be undefined behaviour.
The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
source4/heimdal/lib/gssapi/krb5/decapsulate.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
index 86085f56950..4e3fcd659e9 100644
--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
if (wrapped_token->length < 1)
return GSS_S_BAD_MECH;
- pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
- padlength = *pad;
+ pad = (u_char *)wrapped_token->value + wrapped_token->length;
+ padlength = pad[-1];
if (padlength > datalen)
return GSS_S_BAD_MECH;
- for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+ for (i = padlength; i > 0 && *--pad == padlength; i--)
;
if (i != 0)
return GSS_S_BAD_MIC;
--
2.25.1
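Review bot: A `padlength` of 0 still passes the rewritten check unchanged — the loop runs zero times, `i` stays 0, and the function proceeds; if the token format requires at least one pad byte, a lower bound `if (padlength == 0 || padlength > datalen)` belongs next to the existing upper-bound check — confirm against the format before adding it. Separately, the loop exits at the first mismatching byte, so its iteration count depends on the data; given that the rest of this series moves comparisons to ct_memcmp(), a fixed-count scan over `padlength` bytes that ORs mismatches into a flag would be consistent with that intent. The empty loop body `;` deserves a comment such as `/* walk back while every pad byte equals the pad length */`. The function's start and end lie outside the hunk.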


@ -0,0 +1,50 @@
From ebac8bf0478e19849f83af6d44b73d7ab3afd25b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 15 Aug 2022 16:53:55 +1200
Subject: [PATCH 12/15] CVE-2022-3437 source4/heimdal: Check the result of
_gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
selftest/knownfail.d/heimdal-des-overflow | 1 -
source4/heimdal/lib/gssapi/krb5/decapsulate.c | 4 ++++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
index 23acbb43d31..68b304530db 100644
--- a/selftest/knownfail.d/heimdal-des-overflow
+++ b/selftest/knownfail.d/heimdal-des-overflow
@@ -3,7 +3,6 @@
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
index 4e3fcd659e9..031a621eabc 100644
--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
if (mech_len != mech->length)
return GSS_S_BAD_MECH;
+ if (mech_len > total_len)
+ return GSS_S_BAD_MECH;
+ if (p - *str > total_len - mech_len)
+ return GSS_S_BAD_MECH;
if (ct_memcmp(p,
mech->elements,
mech->length) != 0)
--
2.25.1
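Review bot: The new comparison `p - *str > total_len - mech_len` has a signed `ptrdiff_t` on the left and what is presumably an unsigned size on the right, so the left side is converted to unsigned; that is only correct because `p` cannot be behind `*str` here, and `-Wsign-compare` will flag it — `(size_t)(p - *str) > total_len - mech_len` makes the intent explicit. A comment on the pair of checks, `/* the mech OID must fit in what remains after the bytes already consumed; the first check guards the subtraction in the second */`, would explain why two checks are needed. The knownfail hunk is housekeeping. The enclosing function starts and ends outside the hunk.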


@ -0,0 +1,79 @@
From 1aca34515515f2cb00fbf5ad8b9212b319f01836 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 15 Aug 2022 16:54:23 +1200
Subject: [PATCH 13/15] CVE-2022-3437 source4/heimdal: Check buffer length
against overflow for DES{,3} unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
selftest/knownfail.d/heimdal-des-overflow | 5 -----
source4/heimdal/lib/gssapi/krb5/unwrap.c | 14 ++++++++++++++
2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
index 68b304530db..94a49bbee7f 100644
--- a/selftest/knownfail.d/heimdal-des-overflow
+++ b/selftest/knownfail.d/heimdal-des-overflow
@@ -1,8 +1,3 @@
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
index 9639091cb3a..70d26a75ccf 100644
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
@@ -64,6 +64,8 @@ unwrap_des
if (IS_DCE_STYLE(context_handle)) {
token_len = 22 + 8 + 15; /* 45 */
+ if (input_message_buffer->length < token_len)
+ return GSS_S_BAD_MECH;
} else {
token_len = input_message_buffer->length;
}
@@ -76,6 +78,11 @@ unwrap_des
if (ret)
return ret;
+ len = (p - (u_char *)input_message_buffer->value)
+ + 22 + 8;
+ if (input_message_buffer->length < len)
+ return GSS_S_BAD_MECH;
+
if (memcmp (p, "\x00\x00", 2) != 0)
return GSS_S_BAD_SIG;
p += 2;
@@ -216,6 +223,8 @@ unwrap_des3
if (IS_DCE_STYLE(context_handle)) {
token_len = 34 + 8 + 15; /* 57 */
+ if (input_message_buffer->length < token_len)
+ return GSS_S_BAD_MECH;
} else {
token_len = input_message_buffer->length;
}
@@ -228,6 +237,11 @@ unwrap_des3
if (ret)
return ret;
+ len = (p - (u_char *)input_message_buffer->value)
+ + 34 + 8;
+ if (input_message_buffer->length < len)
+ return GSS_S_BAD_MECH;
+
if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
return GSS_S_BAD_SIG;
p += 2;
--
2.25.1
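Review bot: The minimum lengths `22 + 8` and `34 + 8` in the new `len` computations repeat the numbers of the `token_len = 22 + 8 + 15` and `34 + 8 + 15` lines above them without saying what each term is; naming them once (an enum or `#define` per token part, with a comment citing the token layout) would keep the DES and DES3 checks from drifting apart. I cannot see what `len` held before this assignment or whether it is reassigned later in the function, so if the variable also carries a different quantity further down, a dedicated local would be clearer. Both enclosing functions start and end outside the hunks.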


@ -0,0 +1,48 @@
From 77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 10 Oct 2022 20:33:09 +1300
Subject: [PATCH 14/15] CVE-2022-3437 source4/heimdal: Check for overflow in
_gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
selftest/knownfail.d/heimdal-des-overflow | 1 -
source4/heimdal/lib/gssapi/krb5/decapsulate.c | 2 ++
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
index 94a49bbee7f..a7416dc61d9 100644
--- a/selftest/knownfail.d/heimdal-des-overflow
+++ b/selftest/knownfail.d/heimdal-des-overflow
@@ -1,3 +1,2 @@
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
diff --git a/source4/heimdal/lib/gssapi/krb5/decapsulate.c b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
index 031a621eabc..d7b75a64222 100644
--- a/source4/heimdal/lib/gssapi/krb5/decapsulate.c
+++ b/source4/heimdal/lib/gssapi/krb5/decapsulate.c
@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
e = der_get_length (p, total_len - 1, &len, &len_len);
if (e || 1 + len_len + len != total_len)
return -1;
+ if (total_len < 1 + len_len + 1)
+ return -1;
p += len_len;
if (*p++ != 0x06)
return -1;
--
2.25.1
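Review bot: Once the line above has established `1 + len_len + len == total_len`, the new condition `total_len < 1 + len_len + 1` is equivalent to `len == 0`; writing it as `if (len == 0) return -1; /* no room for the 0x06 tag byte */` says directly what is being rejected and ties the check to the commit message. If the explicit form is kept to survive a later reordering of the checks, a comment saying so would help. The function continues outside the hunk.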


@ -0,0 +1,58 @@
From e9db03736007721e37c4fba847ce4aa0c4520924 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 12 Oct 2022 13:57:33 +1300
Subject: [PATCH 15/15] CVE-2022-3437 source4/heimdal: Pass correct length to
_gssapi_verify_pad()
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.
Now we properly constrain the value of padlength so underflow shouldn't
be possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://download.samba.org/pub/samba/patches/security/samba-4.15.11-security-2022-10-25.patch
---
selftest/knownfail.d/heimdal-des-overflow | 2 --
source4/heimdal/lib/gssapi/krb5/unwrap.c | 4 ++--
2 files changed, 2 insertions(+), 4 deletions(-)
delete mode 100644 selftest/knownfail.d/heimdal-des-overflow
diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow
deleted file mode 100644
index a7416dc61d9..00000000000
--- a/selftest/knownfail.d/heimdal-des-overflow
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none
-^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none
diff --git a/source4/heimdal/lib/gssapi/krb5/unwrap.c b/source4/heimdal/lib/gssapi/krb5/unwrap.c
index 70d26a75ccf..ed8f7d78ffa 100644
--- a/source4/heimdal/lib/gssapi/krb5/unwrap.c
+++ b/source4/heimdal/lib/gssapi/krb5/unwrap.c
@@ -124,7 +124,7 @@ unwrap_des
} else {
/* check pad */
ret = _gssapi_verify_pad(input_message_buffer,
- input_message_buffer->length - len,
+ input_message_buffer->length - len - 8,
&padlength);
if (ret)
return ret;
@@ -289,7 +289,7 @@ unwrap_des3
} else {
/* check pad */
ret = _gssapi_verify_pad(input_message_buffer,
- input_message_buffer->length - len,
+ input_message_buffer->length - len - 8,
&padlength);
if (ret)
return ret;
--
2.25.1
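Review bot: The new argument `input_message_buffer->length - len - 8` is an unsigned subtraction whose safety depends on what `len` holds at this point, which is outside the hunk: if it is the `... + 22 + 8` (or `34 + 8`) value that patch 13/15 checked against the buffer length, that check only guaranteed `length >= len` and the extra `- 8` can wrap; if `len` was recomputed in between as the offset without the trailing 8, the earlier check makes it safe. Either way a comment at the call, `/* cannot wrap: the header length check above guarantees length >= len + 8 */` (adjusted to whichever holds), would record the invariant being relied on. Both enclosing functions start and end outside the hunks.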


@ -48,7 +48,7 @@
Name: samba
Version: 4.15.3
Release: 11
Release: 12
Summary: A suite for Linux to interoperate with Windows
License: GPLv3+ and LGPLv3+
@ -94,6 +94,17 @@ Patch25: 0014-CVE-2022-32743-s4-rpc_server-common-Add-dcesrv_samdb.patch
Patch26: 0015-CVE-2022-32743-s4-rpc_server-netlogon-Reconnect-to-s.patch
Patch27: backport-0001-CVE-2022-1615-util-genrand-don-t-ignore-errors-in-random-number-ge.patch
Patch28: backport-0002-CVE-2022-1615-py-uptodateness-more-details-in-missing-dn-report.patch
Patch29: backport-0001-CVE-2022-3437.patch
Patch30: backport-0002-CVE-2022-3437.patch
Patch31: backport-0003-CVE-2022-3437.patch
Patch32: backport-0004-CVE-2022-3437.patch
Patch33: backport-0005-CVE-2022-3437.patch
Patch34: backport-0006-CVE-2022-3437.patch
Patch35: backport-0007-CVE-2022-3437.patch
Patch36: backport-0008-CVE-2022-3437.patch
Patch37: backport-0009-CVE-2022-3437.patch
Patch38: backport-0010-CVE-2022-3437.patch
Patch39: backport-0011-CVE-2022-3437.patch
BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel
@ -3417,6 +3428,12 @@ fi
%endif
%changelog
* Wed Oct 26 2022 xinghe <xinghe2@h-partners.com> - 4.15.3-12
- Type:cves
- ID:CVE-2022-3437
- SUG:NA
- DESC:fix CVE-2022-3437
* Thu Sep 29 2022 xinghe <xinghe2@h-partners.com> - 4.15.3-11
- Type:bugfix
- ID:NA