diff --git a/0001-CVE-2020-14383.patch b/0001-CVE-2020-14383.patch deleted file mode 100644 index 61395ba..0000000 --- a/0001-CVE-2020-14383.patch +++ /dev/null @@ -1,91 +0,0 @@ -From 2632e8ebae826a7305fe7d3948ee28b77d2ffbc0 Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Fri, 21 Aug 2020 17:10:22 +1200 -Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with - NULL. -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -Based on patches from Francis Brosnan Blázquez -and Jeremy Allison - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Jeremy Allison -(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e) ---- - .../rpc_server/dnsserver/dcerpc_dnsserver.c | 24 ++++++++++--------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -index b6389f2328a..ec610168266 100644 ---- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -@@ -1759,15 +1759,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - TALLOC_CTX *tmp_ctx; - char *name; - const char * const attrs[] = { "name", "dnsRecord", NULL }; -- struct ldb_result *res; -- struct DNS_RPC_RECORDS_ARRAY *recs; -+ struct ldb_result *res = NULL; -+ struct DNS_RPC_RECORDS_ARRAY *recs = NULL; - char **add_names = NULL; -- char *rname; -+ char *rname = NULL; - const char *preference_name = NULL; - int add_count = 0; - int i, ret, len; - WERROR status; -- struct dns_tree *tree, *base, *node; -+ struct dns_tree *tree = NULL; -+ struct dns_tree *base = NULL; -+ struct dns_tree *node = NULL; - - tmp_ctx = talloc_new(mem_ctx); - W_ERROR_HAVE_NO_MEMORY(tmp_ctx); -@@ -1850,9 +1852,9 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - } - } - -- talloc_free(res); -- talloc_free(tree); -- talloc_free(name); -+ TALLOC_FREE(res); -+ TALLOC_FREE(tree); -+ TALLOC_FREE(name); - - /* Add any additional records */ - if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { -@@ -1870,14 +1872,14 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - LDB_SCOPE_ONELEVEL, attrs, - "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))", - encoded_name); -- talloc_free(name); -+ TALLOC_FREE(name); - if (ret != LDB_SUCCESS) { - continue; - } - if (res->count == 1) { - break; - } else { -- talloc_free(res); -+ TALLOC_FREE(res); - continue; - } - } -@@ -1892,8 +1894,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - select_flag, rname, - res->msgs[0], 0, recs, - NULL, NULL); -- talloc_free(rname); -- talloc_free(res); -+ TALLOC_FREE(rname); -+ TALLOC_FREE(res); - if (!W_ERROR_IS_OK(status)) { - talloc_free(tmp_ctx); - return status; --- -2.29.2 diff --git a/0002-CVE-2020-14383.patch b/0002-CVE-2020-14383.patch deleted file mode 100644 index f841646..0000000 --- a/0002-CVE-2020-14383.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 8e09649351e9e8143b4bd0b76bcbd2cfb4d2f281 Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Fri, 21 Aug 2020 17:23:17 +1200 -Subject: [PATCH] CVE-2020-14383: s4/dns: do not crash when additional data not - found -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -Found by Francis Brosnan Blázquez . - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Douglas Bagnall -Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184 - -(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379) ---- - source4/rpc_server/dnsserver/dcerpc_dnsserver.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -index ec610168266..88efc01f154 100644 ---- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c -@@ -1859,8 +1859,8 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - /* Add any additional records */ - if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) { - for (i=0; izones; z2; z2 = z2->next) { - char *encoded_name; -@@ -1877,6 +1877,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - continue; - } - if (res->count == 1) { -+ msg = res->msgs[0]; - break; - } else { - TALLOC_FREE(res); -@@ -1892,7 +1893,7 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate, - } - status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A, - select_flag, rname, -- res->msgs[0], 0, recs, -+ msg, 0, recs, - NULL, NULL); - TALLOC_FREE(rname); - TALLOC_FREE(res); --- -2.29.2 diff --git a/CVE-2020-14318.patch b/CVE-2020-14318.patch deleted file mode 100644 index 2947bf2..0000000 --- a/CVE-2020-14318.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 5dd4c789c13035b805fdd2c3a9c38721657b05b3 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Tue, 7 Jul 2020 18:25:23 -0700 -Subject: [PATCH] s3: smbd: Ensure change notifies can't get set unless the - directory handle is open for SEC_DIR_LIST. - -Remove knownfail entry. - -CVE-2020-14318 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 - -Signed-off-by: Jeremy Allison ---- - source3/smbd/notify.c | 8 ++++++++ - - 1 files changed, 8 insertions(+) - delete mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions - -diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c -index eb6317b7e8a..5f18b5cf794 100644 ---- a/source3/smbd/notify.c -+++ b/source3/smbd/notify.c -@@ -289,6 +289,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, - char fullpath[len+1]; - NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED; - -+ /* -+ * Setting a changenotify needs READ/LIST access -+ * on the directory handle. -+ */ -+ if (!(fsp->access_mask & SEC_DIR_LIST)) { -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ - if (fsp->notify != NULL) { - DEBUG(1, ("change_notify_create: fsp->notify != NULL, " - "fname = %s\n", fsp->fsp_name->base_name)); --- -2.29.2 - - -From 22528b76ed6eb6251fdf01875aaa955480e7663d Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Fri, 10 Jul 2020 15:09:33 -0700 -Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test. - -Add knownfail entry. - -CVE-2020-14318 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434 - -Signed-off-by: Jeremy Allison ---- - source4/torture/smb2/notify.c | 80 +++++++++++++++++++ - 1 files changed, 80 insertions(+) - create mode 100644 selftest/knownfail.d/smb2_notify_handle_permissions - -diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c -index b65c116b75e..6081d394c6e 100644 ---- a/source4/torture/smb2/notify.c -+++ b/source4/torture/smb2/notify.c -@@ -2649,6 +2649,83 @@ done: - return ok; - } - -+/* -+ Test asking for a change notify on a handle without permissions. -+*/ -+ -+#define BASEDIR_HPERM BASEDIR "_HPERM" -+ -+static bool torture_smb2_notify_handle_permissions( -+ struct torture_context *torture, -+ struct smb2_tree *tree) -+{ -+ bool ret = true; -+ NTSTATUS status; -+ union smb_notify notify; -+ union smb_open io; -+ struct smb2_handle h1 = {{0}}; -+ struct smb2_request *req; -+ -+ smb2_deltree(tree, BASEDIR_HPERM); -+ smb2_util_rmdir(tree, BASEDIR_HPERM); -+ -+ torture_comment(torture, -+ "TESTING CHANGE NOTIFY " -+ "ON A HANDLE WITHOUT PERMISSIONS\n"); -+ -+ /* -+ get a handle on the directory -+ */ -+ ZERO_STRUCT(io.smb2); -+ io.generic.level = RAW_OPEN_SMB2; -+ io.smb2.in.create_flags = 0; -+ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE; -+ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; -+ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL; -+ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ | -+ NTCREATEX_SHARE_ACCESS_WRITE; -+ io.smb2.in.alloc_size = 0; -+ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE; -+ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; -+ io.smb2.in.security_flags = 0; -+ io.smb2.in.fname = BASEDIR_HPERM; -+ -+ status = smb2_create(tree, torture, &io.smb2); -+ CHECK_STATUS(status, NT_STATUS_OK); -+ h1 = io.smb2.out.file.handle; -+ -+ /* ask for a change notify, -+ on file or directory name changes */ -+ ZERO_STRUCT(notify.smb2); -+ notify.smb2.level = RAW_NOTIFY_SMB2; -+ notify.smb2.in.buffer_size = 1000; -+ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME; -+ notify.smb2.in.file.handle = h1; -+ notify.smb2.in.recursive = true; -+ -+ req = smb2_notify_send(tree, ¬ify.smb2); -+ torture_assert_goto(torture, -+ req != NULL, -+ ret, -+ done, -+ "smb2_notify_send failed\n"); -+ -+ /* -+ * Cancel it, we don't really want to wait. -+ */ -+ smb2_cancel(req); -+ status = smb2_notify_recv(req, torture, ¬ify.smb2); -+ /* Handle h1 doesn't have permissions for ChangeNotify. */ -+ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED); -+ -+done: -+ if (!smb2_util_handle_empty(h1)) { -+ smb2_util_close(tree, h1); -+ } -+ smb2_deltree(tree, BASEDIR_HPERM); -+ return ret; -+} -+ - /* - basic testing of SMB2 change notify - */ -@@ -2682,6 +2759,9 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx) - torture_smb2_notify_rmdir3); - torture_suite_add_2smb2_test(suite, "rmdir4", - torture_smb2_notify_rmdir4); -+ torture_suite_add_1smb2_test(suite, -+ "handle-permissions", -+ torture_smb2_notify_handle_permissions); - - suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); - --- -2.29.2 diff --git a/CVE-2020-14323.patch b/CVE-2020-14323.patch deleted file mode 100644 index 94e0351..0000000 --- a/CVE-2020-14323.patch +++ /dev/null @@ -1,97 +0,0 @@ -From 595dd9fc4162dd70ad937db8669a0fddbbba9584 Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Thu, 9 Jul 2020 21:49:25 +0200 -Subject: [PATCH] CVE-2020-14323 winbind: Fix invalid lookupsids DoS - -A lookupsids request without extra_data will lead to "state->domain==NULL", -which makes winbindd_lookupsids_recv trying to dereference it. - -Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 -Signed-off-by: Volker Lendecke ---- - source3/winbindd/winbindd_lookupsids.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/winbindd/winbindd_lookupsids.c b/source3/winbindd/winbindd_lookupsids.c -index d28b5fa9f01..a289fd86f0f 100644 ---- a/source3/winbindd/winbindd_lookupsids.c -+++ b/source3/winbindd/winbindd_lookupsids.c -@@ -47,7 +47,7 @@ struct tevent_req *winbindd_lookupsids_send(TALLOC_CTX *mem_ctx, - DEBUG(3, ("lookupsids\n")); - - if (request->extra_len == 0) { -- tevent_req_done(req); -+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER); - return tevent_req_post(req, ev); - } - if (request->extra_data.data[request->extra_len-1] != '\0') { --- -2.29.2 - -From 0b259a48a70bde4dfd482e0720e593ae5a9c414a Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Thu, 9 Jul 2020 21:48:57 +0200 -Subject: [PATCH] CVE-2020-14323 torture4: Add a simple test for invalid - lookup_sids winbind call - -We can't add this test before the fix, add it to knownfail and have the fix -remove the knownfail entry again. As this crashes winbind, many tests after -this one will fail. - -Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134 - -Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436 -Signed-off-by: Volker Lendecke ---- - source4/torture/winbind/struct_based.c | 27 ++++++++++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/source4/torture/winbind/struct_based.c b/source4/torture/winbind/struct_based.c -index 9745b621ca9..71f248c0d61 100644 ---- a/source4/torture/winbind/struct_based.c -+++ b/source4/torture/winbind/struct_based.c -@@ -1110,6 +1110,29 @@ static bool torture_winbind_struct_lookup_name_sid(struct torture_context *tortu - return true; - } - -+static bool torture_winbind_struct_lookup_sids_invalid( -+ struct torture_context *torture) -+{ -+ struct winbindd_request req = {0}; -+ struct winbindd_response rep = {0}; -+ bool strict = torture_setting_bool(torture, "strict mode", false); -+ bool ok; -+ -+ torture_comment(torture, -+ "Running WINBINDD_LOOKUP_SIDS (struct based)\n"); -+ -+ ok = true; -+ DO_STRUCT_REQ_REP_EXT(WINBINDD_LOOKUPSIDS, &req, &rep, -+ NSS_STATUS_NOTFOUND, -+ strict, -+ ok=false, -+ talloc_asprintf( -+ torture, -+ "invalid lookupsids succeeded")); -+ -+ return ok; -+} -+ - struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx) - { - struct torture_suite *suite = torture_suite_create(ctx, "struct"); -@@ -1132,6 +1155,10 @@ struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx) - torture_suite_add_simple_test(suite, "getpwent", torture_winbind_struct_getpwent); - torture_suite_add_simple_test(suite, "endpwent", torture_winbind_struct_endpwent); - torture_suite_add_simple_test(suite, "lookup_name_sid", torture_winbind_struct_lookup_name_sid); -+ torture_suite_add_simple_test( -+ suite, -+ "lookup_sids_invalid", -+ torture_winbind_struct_lookup_sids_invalid); - - suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests"); - --- -2.29.2 \ No newline at end of file diff --git a/CVE-2020-1472.patch b/CVE-2020-1472.patch deleted file mode 100644 index e615921..0000000 --- a/CVE-2020-1472.patch +++ /dev/null @@ -1,1842 +0,0 @@ -From 84b8910da08dfa26440405f5e3916f222801859e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 16:04:57 +0200 -Subject: [PATCH 01/19] CVE-2020-1472(ZeroLogon): libcli/auth: add - netlogon_creds_random_challenge() - -It's good to have just a single isolated function that will generate -random challenges, in future we can add some logic in order to -avoid weak values, which are likely to be rejected by a server. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - libcli/auth/credentials.c | 6 ++++++ - libcli/auth/proto.h | 2 ++ - 2 files changed, 8 insertions(+) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index c541eeff470..46259f39306 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -33,6 +33,12 @@ - #include - #include - -+void netlogon_creds_random_challenge(struct netr_Credential *challenge) -+{ -+ ZERO_STRUCTP(challenge); -+ generate_random_buffer(challenge->data, sizeof(challenge->data)); -+} -+ - static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, - const struct netr_Credential *in, - struct netr_Credential *out) -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 88f4a7c6c50..396484a5437 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -13,6 +13,8 @@ - - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ - -+void netlogon_creds_random_challenge(struct netr_Credential *challenge); -+ - NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, - struct netr_LMSessionKey *key); - NTSTATUS netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, --- -2.20.1 - - -From 3d9e8bd6735272b528fc10c7d8289044870229d5 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 16:07:30 +0200 -Subject: [PATCH 02/19] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of - netlogon_creds_random_challenge() - -This will avoid getting flakey tests once our server starts to -reject weak challenges. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - source4/torture/rpc/lsa.c | 2 +- - source4/torture/rpc/netlogon.c | 34 ++++++++++++---------------------- - 2 files changed, 13 insertions(+), 23 deletions(-) - -diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c -index 548ebf8a090..0b1346e055a 100644 ---- a/source4/torture/rpc/lsa.c -+++ b/source4/torture/rpc/lsa.c -@@ -2872,7 +2872,7 @@ static bool check_pw_with_ServerAuthenticate3(struct dcerpc_pipe *p, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), - "ServerReqChallenge failed"); -diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c -index 65188d2dc85..826793717e7 100644 ---- a/source4/torture/rpc/netlogon.c -+++ b/source4/torture/rpc/netlogon.c -@@ -160,7 +160,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), - "ServerReqChallenge failed"); -@@ -229,7 +229,7 @@ bool test_SetupCredentials2ex(struct dcerpc_pipe *p, struct torture_context *tct - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), - "ServerReqChallenge failed"); -@@ -324,7 +324,7 @@ bool test_SetupCredentials3(struct dcerpc_pipe *p, struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), - "ServerReqChallenge failed"); -@@ -396,7 +396,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), - "ServerReqChallenge failed"); -@@ -1283,7 +1283,7 @@ static bool test_ServerReqChallengeGlobal(struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), - "ServerReqChallenge failed on b1"); -@@ -1372,7 +1372,7 @@ static bool test_ServerReqChallengeReuseGlobal(struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), - "ServerReqChallenge failed on b1"); -@@ -1461,7 +1461,7 @@ static bool test_ServerReqChallengeReuseGlobal2(struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), - "ServerReqChallenge failed on b1"); -@@ -1551,7 +1551,7 @@ static bool test_ServerReqChallengeReuseGlobal3(struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), - "ServerReqChallenge failed on b1"); -@@ -1643,8 +1643,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, - r.in.credentials = &credentials1_random; - r.out.return_credentials = &credentials_discard; - -- generate_random_buffer(credentials1_random.data, -- sizeof(credentials1_random.data)); -+ netlogon_creds_random_challenge(&credentials1_random); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), - "ServerReqChallenge failed on b1"); -@@ -1656,7 +1655,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), - "ServerReqChallenge failed on b1"); -@@ -1667,16 +1666,7 @@ static bool test_ServerReqChallengeReuseGlobal4(struct torture_context *tctx, - r.in.credentials = &credentials1_random; - r.out.return_credentials = &credentials_discard; - -- generate_random_buffer(credentials1_random.data, -- sizeof(credentials1_random.data)); -- -- r.in.server_name = NULL; -- r.in.computer_name = "CHALTEST3"; -- r.in.credentials = &credentials1_random; -- r.out.return_credentials = &credentials_discard; -- -- generate_random_buffer(credentials1_random.data, -- sizeof(credentials1_random.data)); -+ netlogon_creds_random_challenge(&credentials1_random); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b1, tctx, &r), - "ServerReqChallenge failed on b1"); -@@ -1752,7 +1742,7 @@ static bool test_ServerReqChallengeReuse(struct torture_context *tctx, - r.in.credentials = &credentials1; - r.out.return_credentials = &credentials2; - -- generate_random_buffer(credentials1.data, sizeof(credentials1.data)); -+ netlogon_creds_random_challenge(&credentials1); - - torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), - "ServerReqChallenge"); --- -2.20.1 - - -From 8cf3efad0e15c3b001cc23d1e1280a91878f778d Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 16:08:38 +0200 -Subject: [PATCH 03/19] CVE-2020-1472(ZeroLogon): libcli/auth: make use of - netlogon_creds_random_challenge() in netlogon_creds_cli.c - -This will avoid getting rejected by the server if we generate -a weak challenge. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - libcli/auth/netlogon_creds_cli.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c -index 407cb471cbc..12cb3149ff6 100644 ---- a/libcli/auth/netlogon_creds_cli.c -+++ b/libcli/auth/netlogon_creds_cli.c -@@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req) - - TALLOC_FREE(state->creds); - -- generate_random_buffer(state->client_challenge.data, -- sizeof(state->client_challenge.data)); -+ netlogon_creds_random_challenge(&state->client_challenge); - - subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, - state->binding_handle, --- -2.20.1 - - -From 2f21d4bd6c68016b1e9c737dc6614131afa2181d Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 04/19] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make - use of netlogon_creds_random_challenge() - -This is not strictly needed, but makes things more clear. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 52b17c10e61..516bbd7f6a8 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -840,8 +840,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p, - - pipe_state->client_challenge = *r->in.credentials; - -- generate_random_buffer(pipe_state->server_challenge.data, -- sizeof(pipe_state->server_challenge.data)); -+ netlogon_creds_random_challenge(&pipe_state->server_challenge); - - *r->out.return_credentials = pipe_state->server_challenge; - --- -2.20.1 - - -From b4df5225f750e686f742466e28f13c55a261674f Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 05/19] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make - use of netlogon_creds_random_challenge() - -This is not strictly needed, but makes things more clear. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 0ab55afeab0..7d1b9db0b86 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -90,8 +90,7 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal - - pipe_state->client_challenge = *r->in.credentials; - -- generate_random_buffer(pipe_state->server_challenge.data, -- sizeof(pipe_state->server_challenge.data)); -+ netlogon_creds_random_challenge(&pipe_state->server_challenge); - - *r->out.return_credentials = pipe_state->server_challenge; - --- -2.20.1 - - -From 18639a64e81866767eaf3e4ea118d932e1cf0d0c Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 16:15:26 +0200 -Subject: [PATCH 06/19] CVE-2020-1472(ZeroLogon): libcli/auth: add - netlogon_creds_is_random_challenge() to avoid weak values - -This is the check Windows is using, so we won't generate challenges, -which are rejected by Windows DCs (and future Samba DCs). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - libcli/auth/credentials.c | 23 ++++++++++++++++++++++- - libcli/auth/proto.h | 1 + - 2 files changed, 23 insertions(+), 1 deletion(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 46259f39306..54a20100b51 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -33,10 +33,31 @@ - #include - #include - -+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge) -+{ -+ /* -+ * If none of the first 5 bytes of the client challenge is unique, the -+ * server MUST fail session-key negotiation without further processing -+ * of the following steps. -+ */ -+ -+ if (challenge->data[1] == challenge->data[0] && -+ challenge->data[2] == challenge->data[0] && -+ challenge->data[3] == challenge->data[0] && -+ challenge->data[4] == challenge->data[0]) -+ { -+ return false; -+ } -+ -+ return true; -+} -+ - void netlogon_creds_random_challenge(struct netr_Credential *challenge) - { - ZERO_STRUCTP(challenge); -- generate_random_buffer(challenge->data, sizeof(challenge->data)); -+ while (!netlogon_creds_is_random_challenge(challenge)) { -+ generate_random_buffer(challenge->data, sizeof(challenge->data)); -+ } - } - - static NTSTATUS netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, -diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h -index 396484a5437..a62668f088f 100644 ---- a/libcli/auth/proto.h -+++ b/libcli/auth/proto.h -@@ -13,6 +13,7 @@ - - /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ - -+bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge); - void netlogon_creds_random_challenge(struct netr_Credential *challenge); - - NTSTATUS netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, --- -2.20.1 - - -From 2eb0f87de8c9d86fad4ca1bd74f05d15af98f56e Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 16:17:29 +0200 -Subject: [PATCH 07/19] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak - client challenges in netlogon_creds_server_init() - -This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: - - 7. If none of the first 5 bytes of the client challenge is unique, the - server MUST fail session-key negotiation without further processing of - the following steps. - -It lets ./zerologon_tester.py from -https://github.com/SecuraBV/CVE-2020-1472.git -report: "Attack failed. Target is probably patched." - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - libcli/auth/credentials.c | 17 ++++++++++++++++- - libcli/auth/wscript_build | 2 +- - 2 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c -index 54a20100b51..23339d98bfa 100644 ---- a/libcli/auth/credentials.c -+++ b/libcli/auth/credentials.c -@@ -24,6 +24,7 @@ - #include "system/time.h" - #include "libcli/auth/libcli_auth.h" - #include "../libcli/security/dom_sid.h" -+#include "lib/util/util_str_escape.h" - - #ifndef HAVE_GNUTLS_AES_CFB8 - #include "lib/crypto/aes.h" -@@ -704,7 +705,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me - - struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); - NTSTATUS status; -- -+ bool ok; - - if (!creds) { - return NULL; -@@ -717,6 +718,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me - dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data)); - dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash)); - -+ ok = netlogon_creds_is_random_challenge(client_challenge); -+ if (!ok) { -+ DBG_WARNING("CVE-2020-1472(ZeroLogon): " -+ "non-random client challenge rejected for " -+ "client_account[%s] client_computer_name[%s]\n", -+ log_escape(mem_ctx, client_account), -+ log_escape(mem_ctx, client_computer_name)); -+ dump_data(DBGLVL_WARNING, -+ client_challenge->data, -+ sizeof(client_challenge->data)); -+ talloc_free(creds); -+ return NULL; -+ } -+ - creds->computer_name = talloc_strdup(creds, client_computer_name); - if (!creds->computer_name) { - talloc_free(creds); -diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build -index 41937623630..2a6a7468e45 100644 ---- a/libcli/auth/wscript_build -+++ b/libcli/auth/wscript_build -@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK', - - bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', - source='credentials.c session.c smbencrypt.c smbdes.c', -- public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS', -+ public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape', - public_headers='credentials.h:domain_credentials.h' - ) - --- -2.20.1 - - -From 592e8e9acdca472115fdf69a3d0904f1740f4fb0 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 19:20:25 +0200 -Subject: [PATCH 08/19] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: - protect netr_ServerPasswordSet2 against unencrypted passwords - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 60 ++++++++++++++++++- - 1 file changed, 59 insertions(+), 1 deletion(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 7d1b9db0b86..4aa6f256a07 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -724,7 +724,10 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal - struct NL_PASSWORD_VERSION version = {}; - const uint32_t *new_version = NULL; - NTSTATUS nt_status; -- DATA_BLOB new_password; -+ DATA_BLOB new_password = data_blob_null; -+ size_t confounder_len; -+ DATA_BLOB dec_blob = data_blob_null; -+ DATA_BLOB enc_blob = data_blob_null; - int ret; - struct samr_CryptPassword password_buf; - -@@ -790,6 +793,61 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal - return NT_STATUS_WRONG_PASSWORD; - } - -+ /* -+ * Make sure the length field was encrypted, -+ * otherwise we are under attack. -+ */ -+ if (new_password.length == r->in.new_password->length) { -+ DBG_WARNING("Length[%zu] field not encrypted\n", -+ new_password.length); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * We don't allow empty passwords for machine accounts. -+ */ -+ if (new_password.length < 2) { -+ DBG_WARNING("Empty password Length[%zu]\n", -+ new_password.length); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * Make sure the confounder part of CryptPassword -+ * buffer was encrypted, otherwise we are under attack. -+ */ -+ confounder_len = 512 - new_password.length; -+ enc_blob = data_blob_const(r->in.new_password->data, confounder_len); -+ dec_blob = data_blob_const(password_buf.data, confounder_len); -+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { -+ DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n", -+ confounder_len); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * Check that the password part was actually encrypted, -+ * otherwise we are under attack. -+ */ -+ enc_blob = data_blob_const(r->in.new_password->data + confounder_len, -+ new_password.length); -+ dec_blob = data_blob_const(password_buf.data + confounder_len, -+ new_password.length); -+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { -+ DBG_WARNING("Password buffer not encrypted Length[%zu]\n", -+ new_password.length); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * don't allow zero buffers -+ */ -+ if (all_zero(new_password.data, new_password.length)) { -+ DBG_WARNING("Password zero buffer Length[%zu]\n", -+ new_password.length); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ - /* fetch the old password hashes (at least one of both has to exist) */ - - ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, --- -2.20.1 - - -From ff66560357d3eb23ce71f6667443e47a0c491833 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Wed, 16 Sep 2020 12:48:21 -0700 -Subject: [PATCH 09/19] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Fix - mem leak onto p->mem_ctx in error path of _netr_ServerPasswordSet2(). - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Jeremy Allison ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 516bbd7f6a8..b26efb78bab 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1385,6 +1385,7 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, - 516); - } - if (!NT_STATUS_IS_OK(status)) { -+ TALLOC_FREE(creds); - return status; - } - --- -2.20.1 - - -From aa57f084ca2cf16e323d172634eacf34db3ff0d7 Mon Sep 17 00:00:00 2001 -From: Jeremy Allison -Date: Wed, 16 Sep 2020 12:53:50 -0700 -Subject: [PATCH 10/19] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: - protect netr_ServerPasswordSet2 against unencrypted passwords - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Jeremy Allison -Signed-off-by: Stefan Metzmacher ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 98 +++++++++++++++++++-- - 1 file changed, 92 insertions(+), 6 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index b26efb78bab..693e254b051 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1343,9 +1343,14 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, - { - NTSTATUS status; - struct netlogon_creds_CredentialState *creds = NULL; -- DATA_BLOB plaintext; -+ DATA_BLOB plaintext = data_blob_null; -+ DATA_BLOB new_password = data_blob_null; -+ size_t confounder_len; -+ DATA_BLOB dec_blob = data_blob_null; -+ DATA_BLOB enc_blob = data_blob_null; - struct samr_CryptPassword password_buf; - struct _samr_Credentials_t cr = { CRED_TYPE_PLAIN_TEXT, {0}}; -+ bool ok; - - become_root(); - status = netr_creds_server_step_check(p, p->mem_ctx, -@@ -1389,18 +1394,99 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, - return status; - } - -- if (!decode_pw_buffer(p->mem_ctx, -- password_buf.data, -- (char**) &plaintext.data, -- &plaintext.length, -- CH_UTF16)) { -+ if (!extract_pw_from_buffer(p->mem_ctx, password_buf.data, &new_password)) { - DEBUG(2,("_netr_ServerPasswordSet2: unable to extract password " - "from a buffer. Rejecting auth request as a wrong password\n")); - TALLOC_FREE(creds); - return NT_STATUS_WRONG_PASSWORD; - } - -+ /* -+ * Make sure the length field was encrypted, -+ * otherwise we are under attack. -+ */ -+ if (new_password.length == r->in.new_password->length) { -+ DBG_WARNING("Length[%zu] field not encrypted\n", -+ new_password.length); -+ TALLOC_FREE(creds); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * We don't allow empty passwords for machine accounts. -+ */ -+ if (new_password.length < 2) { -+ DBG_WARNING("Empty password Length[%zu]\n", -+ new_password.length); -+ TALLOC_FREE(creds); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * Make sure the confounder part of CryptPassword -+ * buffer was encrypted, otherwise we are under attack. -+ */ -+ confounder_len = 512 - new_password.length; -+ enc_blob = data_blob_const(r->in.new_password->data, confounder_len); -+ dec_blob = data_blob_const(password_buf.data, confounder_len); -+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { -+ DBG_WARNING("Confounder buffer not encrypted Length[%zu]\n", -+ confounder_len); -+ TALLOC_FREE(creds); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * Check that the password part was actually encrypted, -+ * otherwise we are under attack. -+ */ -+ enc_blob = data_blob_const(r->in.new_password->data + confounder_len, -+ new_password.length); -+ dec_blob = data_blob_const(password_buf.data + confounder_len, -+ new_password.length); -+ if (data_blob_cmp(&dec_blob, &enc_blob) == 0) { -+ DBG_WARNING("Password buffer not encrypted Length[%zu]\n", -+ new_password.length); -+ TALLOC_FREE(creds); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * don't allow zero buffers -+ */ -+ if (all_zero(new_password.data, new_password.length)) { -+ DBG_WARNING("Password zero buffer Length[%zu]\n", -+ new_password.length); -+ TALLOC_FREE(creds); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* Convert from UTF16 -> plaintext. */ -+ ok = convert_string_talloc(p->mem_ctx, -+ CH_UTF16, -+ CH_UNIX, -+ new_password.data, -+ new_password.length, -+ (void *)&plaintext.data, -+ &plaintext.length); -+ if (!ok) { -+ DBG_WARNING("unable to extract password from a buffer. " -+ "Rejecting auth request as a wrong password\n"); -+ TALLOC_FREE(creds); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ -+ /* -+ * We don't allow empty passwords for machine accounts. -+ */ -+ - cr.creds.password = (const char*) plaintext.data; -+ if (strlen(cr.creds.password) == 0) { -+ DBG_WARNING("Empty plaintext password\n"); -+ TALLOC_FREE(creds); -+ return NT_STATUS_WRONG_PASSWORD; -+ } -+ - status = netr_set_machine_account_password(p->mem_ctx, - p->session_info, - p->msg_ctx, --- -2.20.1 - - -From 1c8234f6da6979a063c96c0eb32ddb55a51ce548 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 10:18:45 +0200 -Subject: [PATCH 11/19] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: - refactor dcesrv_netr_creds_server_step_check() - -We should debug more details about the failing request. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 45 ++++++++++++++----- - 1 file changed, 33 insertions(+), 12 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 4aa6f256a07..7ccf46ae79b 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -624,26 +624,47 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - NTSTATUS nt_status; - int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); - bool schannel_global_required = (schannel == true); -+ struct netlogon_creds_CredentialState *creds = NULL; -+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -+ uint16_t opnum = dce_call->pkt.u.request.opnum; -+ const char *opname = ""; - -- if (schannel_global_required) { -- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -- -- dcesrv_call_auth_info(dce_call, &auth_type, NULL); -- -- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { -- DBG_ERR("[%s] is not using schannel\n", -- computer_name); -- return NT_STATUS_ACCESS_DENIED; -- } -+ if (opnum < ndr_table_netlogon.num_calls) { -+ opname = ndr_table_netlogon.calls[opnum].name; - } - -+ dcesrv_call_auth_info(dce_call, &auth_type, NULL); -+ - nt_status = schannel_check_creds_state(mem_ctx, - dce_call->conn->dce_ctx->lp_ctx, - computer_name, - received_authenticator, - return_authenticator, -- creds_out); -- return nt_status; -+ &creds); -+ if (!NT_STATUS_IS_OK(nt_status)) { -+ ZERO_STRUCTP(return_authenticator); -+ return nt_status; -+ } -+ -+ if (schannel_global_required) { -+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ *creds_out = creds; -+ return NT_STATUS_OK; -+ } -+ -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) without schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ TALLOC_FREE(creds); -+ ZERO_STRUCTP(return_authenticator); -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ *creds_out = creds; -+ return NT_STATUS_OK; - } - - /* --- -2.20.1 - - -From d8e520870c5c8943c289b3f373b1a4bcceefc174 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Wed, 16 Sep 2020 10:56:53 +0200 -Subject: [PATCH 12/19] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: - support "server require schannel:WORKSTATION$ = no" - -This allows to add expections for individual workstations, when using "server schannel = yes". -"server schannel = auto" is very insecure and will be removed soon. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 7ccf46ae79b..7994cb904b7 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -624,6 +624,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - NTSTATUS nt_status; - int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); - bool schannel_global_required = (schannel == true); -+ bool schannel_required = schannel_global_required; - struct netlogon_creds_CredentialState *creds = NULL; - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - uint16_t opnum = dce_call->pkt.u.request.opnum; -@@ -646,7 +647,13 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - return nt_status; - } - -- if (schannel_global_required) { -+ schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, -+ NULL, -+ "server require schannel", -+ creds->account_name, -+ schannel_global_required); -+ -+ if (schannel_required) { - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - *creds_out = creds; - return NT_STATUS_OK; --- -2.20.1 - - -From 629aeb89877ca7d8aef53b5ea2c507d2f146a23b Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 17 Sep 2020 13:37:26 +0200 -Subject: [PATCH 13/19] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log - warnings about unsecure configurations -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This should give admins wawrnings until they have a secure -configuration. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Ralph Boehme -Reviewed-by: Günther Deschner ---- - source4/rpc_server/netlogon/dcerpc_netlogon.c | 66 ++++++++++++++++++- - 1 file changed, 63 insertions(+), 3 deletions(-) - -diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c -index 7994cb904b7..9972138dbde 100644 ---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c -+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c -@@ -625,10 +625,12 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); - bool schannel_global_required = (schannel == true); - bool schannel_required = schannel_global_required; -+ const char *explicit_opt = NULL; - struct netlogon_creds_CredentialState *creds = NULL; - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - uint16_t opnum = dce_call->pkt.u.request.opnum; - const char *opname = ""; -+ static bool warned_global_once = false; - - if (opnum < ndr_table_netlogon.num_calls) { - opname = ndr_table_netlogon.calls[opnum].name; -@@ -647,11 +649,18 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - return nt_status; - } - -- schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, -+ /* -+ * We don't use lpcfg_parm_bool(), as we -+ * need the explicit_opt pointer in order to -+ * adjust the debug messages. -+ */ -+ explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx, - NULL, - "server require schannel", -- creds->account_name, -- schannel_global_required); -+ creds->account_name); -+ if (explicit_opt != NULL) { -+ schannel_required = lp_bool(explicit_opt); -+ } - - if (schannel_required) { - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -@@ -665,11 +674,62 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc - opname, opnum, - log_escape(mem_ctx, creds->account_name), - log_escape(mem_ctx, creds->computer_name)); -+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' is needed! \n", -+ log_escape(mem_ctx, creds->account_name)); - TALLOC_FREE(creds); - ZERO_STRUCTP(return_authenticator); - return NT_STATUS_ACCESS_DENIED; - } - -+ if (!schannel_global_required && !warned_global_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "Please configure 'server schannel = yes', " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); -+ warned_global_once = true; -+ } -+ -+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) WITH schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' not needed!?\n", -+ log_escape(mem_ctx, creds->account_name)); -+ -+ *creds_out = creds; -+ return NT_STATUS_OK; -+ } -+ -+ -+ if (explicit_opt != NULL) { -+ DBG_INFO("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) without schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ DBG_INFO("CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' still needed!\n", -+ log_escape(mem_ctx, creds->account_name)); -+ } else { -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) without schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' might be needed!\n", -+ log_escape(mem_ctx, creds->account_name)); -+ } -+ - *creds_out = creds; - return NT_STATUS_OK; - } --- -2.20.1 - - -From eab8661ef16856eb0926fe3426f7fe6ac870faae Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 17 Sep 2020 14:57:22 +0200 -Subject: [PATCH 14/19] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: - refactor dcesrv_netr_creds_server_step_check() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -We should debug more details about the failing request. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Günther Deschner -Signed-off-by: Stefan Metzmacher ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 43 +++++++++++++++++---- - 1 file changed, 35 insertions(+), 8 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 693e254b051..c134e07573c 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -47,6 +47,7 @@ - #include "../lib/tsocket/tsocket.h" - #include "lib/param/param.h" - #include "libsmb/dsgetdcname.h" -+#include "lib/util/util_str_escape.h" - - extern userdom_struct current_user_info; - -@@ -1073,19 +1074,21 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - NTSTATUS status; - bool schannel_global_required = (lp_server_schannel() == true) ? true:false; - struct loadparm_context *lp_ctx; -+ struct netlogon_creds_CredentialState *creds = NULL; -+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -+ uint16_t opnum = p->opnum; -+ const char *opname = ""; - - if (creds_out != NULL) { - *creds_out = NULL; - } - -- if (schannel_global_required) { -- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { -- DBG_ERR("[%s] is not using schannel\n", -- computer_name); -- return NT_STATUS_ACCESS_DENIED; -- } -+ if (opnum < ndr_table_netlogon.num_calls) { -+ opname = ndr_table_netlogon.calls[opnum].name; - } - -+ auth_type = p->auth.auth_type; -+ - lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); - if (lp_ctx == NULL) { - DEBUG(0, ("loadparm_init_s3 failed\n")); -@@ -1094,9 +1097,33 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - - status = schannel_check_creds_state(mem_ctx, lp_ctx, - computer_name, received_authenticator, -- return_authenticator, creds_out); -+ return_authenticator, &creds); - talloc_unlink(mem_ctx, lp_ctx); -- return status; -+ -+ if (!NT_STATUS_IS_OK(status)) { -+ ZERO_STRUCTP(return_authenticator); -+ return status; -+ } -+ -+ if (schannel_global_required) { -+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ *creds_out = creds; -+ return NT_STATUS_OK; -+ } -+ -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) without schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ TALLOC_FREE(creds); -+ ZERO_STRUCTP(return_authenticator); -+ return NT_STATUS_ACCESS_DENIED; -+ } -+ -+ *creds_out = creds; -+ return NT_STATUS_OK; - } - - --- -2.20.1 - - -From db2580705011c996a4feb01c4b6f069a4e013135 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 17 Sep 2020 14:23:16 +0200 -Subject: [PATCH 15/19] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: - support "server require schannel:WORKSTATION$ = no" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This allows to add expections for individual workstations, when using "server schannel = yes". -"server schannel = auto" is very insecure and will be removed soon. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Günther Deschner -Signed-off-by: Stefan Metzmacher ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index c134e07573c..3327f4bc0a0 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1073,6 +1073,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - { - NTSTATUS status; - bool schannel_global_required = (lp_server_schannel() == true) ? true:false; -+ bool schannel_required = schannel_global_required; - struct loadparm_context *lp_ctx; - struct netlogon_creds_CredentialState *creds = NULL; - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; -@@ -1105,7 +1106,11 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - return status; - } - -- if (schannel_global_required) { -+ schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM, -+ "server require schannel", -+ creds->account_name, -+ schannel_global_required); -+ if (schannel_required) { - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - *creds_out = creds; - return NT_STATUS_OK; --- -2.20.1 - - -From fa5fc293263150238755fbb8310653550f57049a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?G=C3=BCnther=20Deschner?= -Date: Thu, 17 Sep 2020 14:42:52 +0200 -Subject: [PATCH 16/19] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log - warnings about unsecure configurations -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Pair-Programmed-With: Stefan Metzmacher - -Signed-off-by: Günther Deschner -Signed-off-by: Stefan Metzmacher ---- - source3/rpc_server/netlogon/srv_netlog_nt.c | 70 +++++++++++++++++++-- - 1 file changed, 66 insertions(+), 4 deletions(-) - -diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c -index 3327f4bc0a0..9ef74447b84 100644 ---- a/source3/rpc_server/netlogon/srv_netlog_nt.c -+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c -@@ -1074,11 +1074,13 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - NTSTATUS status; - bool schannel_global_required = (lp_server_schannel() == true) ? true:false; - bool schannel_required = schannel_global_required; -+ const char *explicit_opt = NULL; - struct loadparm_context *lp_ctx; - struct netlogon_creds_CredentialState *creds = NULL; - enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; - uint16_t opnum = p->opnum; - const char *opname = ""; -+ static bool warned_global_once = false; - - if (creds_out != NULL) { - *creds_out = NULL; -@@ -1106,10 +1108,20 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - return status; - } - -- schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM, -- "server require schannel", -- creds->account_name, -- schannel_global_required); -+ /* -+ * We don't use lp_parm_bool(), as we -+ * need the explicit_opt pointer in order to -+ * adjust the debug messages. -+ */ -+ -+ explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM, -+ "server require schannel", -+ creds->account_name, -+ NULL); -+ if (explicit_opt != NULL) { -+ schannel_required = lp_bool(explicit_opt); -+ } -+ - if (schannel_required) { - if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { - *creds_out = creds; -@@ -1122,11 +1134,61 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, - opname, opnum, - log_escape(mem_ctx, creds->account_name), - log_escape(mem_ctx, creds->computer_name)); -+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' is needed! \n", -+ log_escape(mem_ctx, creds->account_name)); - TALLOC_FREE(creds); - ZERO_STRUCTP(return_authenticator); - return NT_STATUS_ACCESS_DENIED; - } - -+ if (!schannel_global_required && !warned_global_once) { -+ /* -+ * We want admins to notice their misconfiguration! -+ */ -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "Please configure 'server schannel = yes', " -+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); -+ warned_global_once = true; -+ } -+ -+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) WITH schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' not needed!?\n", -+ log_escape(mem_ctx, creds->account_name)); -+ -+ *creds_out = creds; -+ return NT_STATUS_OK; -+ } -+ -+ if (explicit_opt != NULL) { -+ DBG_INFO("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) without schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ DBG_INFO("CVE-2020-1472(ZeroLogon): " -+ "Option 'server require schannel:%s = no' still needed!\n", -+ log_escape(mem_ctx, creds->account_name)); -+ } else { -+ DBG_ERR("CVE-2020-1472(ZeroLogon): " -+ "%s request (opnum[%u]) without schannel from " -+ "client_account[%s] client_computer_name[%s]\n", -+ opname, opnum, -+ log_escape(mem_ctx, creds->account_name), -+ log_escape(mem_ctx, creds->computer_name)); -+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " -+ "'server require schannel:%s = no' might be needed!\n", -+ log_escape(mem_ctx, creds->account_name)); -+ } -+ - *creds_out = creds; - return NT_STATUS_OK; - } --- -2.20.1 - - -From 296a62d1589dbf33aa751e8346ba5721f6314215 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 17 Sep 2020 17:27:54 +0200 -Subject: [PATCH 17/19] CVE-2020-1472(ZeroLogon): docs-xml: document 'server - require schannel:COMPUTERACCOUNT' - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Stefan Metzmacher ---- - .../smbdotconf/security/serverschannel.xml | 69 +++++++++++++++---- - 1 file changed, 54 insertions(+), 15 deletions(-) - -diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml -index 489492d79b1..b682d086f76 100644 ---- a/docs-xml/smbdotconf/security/serverschannel.xml -+++ b/docs-xml/smbdotconf/security/serverschannel.xml -@@ -7,26 +7,65 @@ - - - -- This option is deprecated with Samba 4.8 and will be removed in future. -- At the same time the default changed to yes, which will be the -- hardcoded behavior in future. If you have the need for the behavior of "auto" -- to be kept, please file a bug at https://bugzilla.samba.org. -+ This option is deprecated and will be removed in future, -+ as it is a security problem if not set to "yes" (which will be -+ the hardcoded behavior in future). - - - -- This controls whether the server offers or even demands the use of the netlogon schannel. -- no does not offer the schannel, auto offers the schannel but does not enforce it, and yes denies access if the client is not able to speak netlogon schannel. -- This is only the case for Windows NT4 before SP4. -- -- -+ Samba will complain in the log files at log level 0, -+ about the security problem if the option is not set to "yes". -+ - -- Please note that with this set to no, you will have to apply the WindowsXP -- WinXP_SignOrSeal.reg registry patch found in the docs/registry subdirectory of the Samba distribution tarball. -- -+ See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 -+ -+ -+ If you still have legacy domain members use the option. -+ -+ -+ This option yields precedence to the option. -+ - - - yes --auto -+ -+ -+ -+ -+ -+ If you still have legacy domain members, which required "server schannel = auto" before, -+ it is possible to specify explicit expection per computer account -+ by using 'server require schannel:COMPUTERACCOUNT = no' as option. -+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of -+ the computer account (including the trailing '$' sign). -+ -+ -+ -+ Samba will complain in the log files at log level 0, -+ about the security problem if the option is not set to "no", -+ but the related computer is actually using the netlogon -+ secure channel (schannel) feature. -+ -+ -+ -+ Samba will warn in the log files at log level 5, -+ if a setting is still needed for the specified computer account. -+ -+ -+ -+ See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 -+ -+ -+ This option takes precedence to the option. -+ -+ -+ server require schannel:LEGACYCOMPUTER1$ = no -+ server require schannel:NASBOX$ = no -+ server require schannel:LEGACYCOMPUTER2$ = no -+ -+ -+ - --- -2.20.1 - - -From 3110ca45379309c55f96e97df5d6d010390cd8c6 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Fri, 18 Sep 2020 12:39:54 +1200 -Subject: [PATCH 18/19] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty - machine acct pwd - -Ensure that an empty machine account password can't be set by -netr_ServerPasswordSet2 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Gary Lockyer ---- - source4/torture/rpc/netlogon.c | 64 +++++++++++++++------------------- - 1 file changed, 29 insertions(+), 35 deletions(-) - -diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c -index 826793717e7..af9d94b99ff 100644 ---- a/source4/torture/rpc/netlogon.c -+++ b/source4/torture/rpc/netlogon.c -@@ -725,45 +725,39 @@ static bool test_SetPassword2_with_flags(struct torture_context *tctx, - - cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); - -- if (!torture_setting_bool(tctx, "dangerous", false)) { -- torture_comment(tctx, -- "Not testing ability to set password to '', enable dangerous tests to perform this test\n"); -+ /* -+ * As a consequence of CVE-2020-1472(ZeroLogon) -+ * Samba explicitly disallows the setting of an empty machine account -+ * password. -+ * -+ * Note that this may fail against Windows, and leave a machine account -+ * with an empty password. -+ */ -+ password = ""; -+ encode_pw_buffer(password_buf.data, password, STR_UNICODE); -+ if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -+ netlogon_creds_aes_encrypt(creds, password_buf.data, 516); - } else { -- /* by changing the machine password to "" -- * we check if the server uses password restrictions -- * for ServerPasswordSet2 -- * (win2k3 accepts "") -- */ -- password = ""; -- encode_pw_buffer(password_buf.data, password, STR_UNICODE); -- if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { -- netlogon_creds_aes_encrypt(creds, password_buf.data, 516); -- } else { -- netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); -- } -- memcpy(new_password.data, password_buf.data, 512); -- new_password.length = IVAL(password_buf.data, 512); -- -- torture_comment(tctx, -- "Testing ServerPasswordSet2 on machine account\n"); -- torture_comment(tctx, -- "Changing machine account password to '%s'\n", password); -- -- netlogon_creds_client_authenticator(creds, &credential); -- -- torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), -- "ServerPasswordSet2 failed"); -- torture_assert_ntstatus_ok(tctx, r.out.result, "ServerPasswordSet2 failed"); -+ netlogon_creds_arcfour_crypt(creds, password_buf.data, 516); -+ } -+ memcpy(new_password.data, password_buf.data, 512); -+ new_password.length = IVAL(password_buf.data, 512); - -- if (!netlogon_creds_client_check(creds, &r.out.return_authenticator->cred)) { -- torture_comment(tctx, "Credential chaining failed\n"); -- } -+ torture_comment(tctx, -+ "Testing ServerPasswordSet2 on machine account\n"); -+ torture_comment(tctx, -+ "Changing machine account password to '%s'\n", password); - -- cli_credentials_set_password(machine_credentials, password, CRED_SPECIFIED); -- } -+ netlogon_creds_client_authenticator(creds, &credential); - -- torture_assert(tctx, test_SetupCredentials(p, tctx, machine_credentials, &creds), -- "ServerPasswordSet failed to actually change the password"); -+ torture_assert_ntstatus_ok( -+ tctx, dcerpc_netr_ServerPasswordSet2_r(b, tctx, &r), -+ "ServerPasswordSet2 failed"); -+ torture_assert_ntstatus_equal( -+ tctx, -+ r.out.result, -+ NT_STATUS_WRONG_PASSWORD, -+ "ServerPasswordSet2 did not return NT_STATUS_WRONG_PASSWORD"); - - /* now try a random password */ - password = generate_random_password(tctx, 8, 255); --- -2.20.1 - - -From a13ddb0fe6ddf29642976f4caff9c2391676645c Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Fri, 18 Sep 2020 15:57:34 +1200 -Subject: [PATCH 19/19] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated - bytes in client challenge - -Ensure that client challenges with the first 5 bytes identical are -rejected. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 - -Signed-off-by: Gary Lockyer - -[abartlet@samba.org: backported from master as test order was flipped] ---- - source4/torture/rpc/netlogon.c | 335 +++++++++++++++++++++++++++++++++ - 1 file changed, 335 insertions(+) - -diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c -index af9d94b99ff..c9e614fda30 100644 ---- a/source4/torture/rpc/netlogon.c -+++ b/source4/torture/rpc/netlogon.c -@@ -486,6 +486,325 @@ bool test_SetupCredentialsPipe(const struct dcerpc_pipe *p1, - return true; - } - -+static bool test_ServerReqChallenge( -+ struct torture_context *tctx, -+ struct dcerpc_pipe *p, -+ struct cli_credentials *credentials) -+{ -+ struct netr_ServerReqChallenge r; -+ struct netr_Credential credentials1, credentials2, credentials3; -+ const char *machine_name; -+ struct dcerpc_binding_handle *b = p->binding_handle; -+ struct netr_ServerAuthenticate2 a; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t out_negotiate_flags = 0; -+ const struct samr_Password *mach_password = NULL; -+ enum netr_SchannelType sec_chan_type = 0; -+ struct netlogon_creds_CredentialState *creds = NULL; -+ const char *account_name = NULL; -+ -+ machine_name = cli_credentials_get_workstation(credentials); -+ mach_password = cli_credentials_get_nt_hash(credentials, tctx); -+ account_name = cli_credentials_get_username(credentials); -+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials); -+ -+ torture_comment(tctx, "Testing ServerReqChallenge\n"); -+ -+ r.in.server_name = NULL; -+ r.in.computer_name = machine_name; -+ r.in.credentials = &credentials1; -+ r.out.return_credentials = &credentials2; -+ -+ netlogon_creds_random_challenge(&credentials1); -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), -+ "ServerReqChallenge failed"); -+ torture_assert_ntstatus_ok( -+ tctx, -+ r.out.result, -+ "ServerReqChallenge failed"); -+ a.in.server_name = NULL; -+ a.in.account_name = account_name; -+ a.in.secure_channel_type = sec_chan_type; -+ a.in.computer_name = machine_name; -+ a.in.negotiate_flags = &in_negotiate_flags; -+ a.out.negotiate_flags = &out_negotiate_flags; -+ a.in.credentials = &credentials3; -+ a.out.return_credentials = &credentials3; -+ -+ creds = netlogon_creds_client_init(tctx, a.in.account_name, -+ a.in.computer_name, -+ a.in.secure_channel_type, -+ &credentials1, &credentials2, -+ mach_password, &credentials3, -+ in_negotiate_flags); -+ -+ torture_assert(tctx, creds != NULL, "memory allocation"); -+ -+ torture_comment(tctx, "Testing ServerAuthenticate2\n"); -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a), -+ "ServerAuthenticate2 failed"); -+ torture_assert_ntstatus_equal( -+ tctx, -+ a.out.result, -+ NT_STATUS_OK, -+ "ServerAuthenticate2 unexpected"); -+ -+ return true; -+} -+ -+static bool test_ServerReqChallenge_zero_challenge( -+ struct torture_context *tctx, -+ struct dcerpc_pipe *p, -+ struct cli_credentials *credentials) -+{ -+ struct netr_ServerReqChallenge r; -+ struct netr_Credential credentials1, credentials2, credentials3; -+ const char *machine_name; -+ struct dcerpc_binding_handle *b = p->binding_handle; -+ struct netr_ServerAuthenticate2 a; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t out_negotiate_flags = 0; -+ const struct samr_Password *mach_password = NULL; -+ enum netr_SchannelType sec_chan_type = 0; -+ struct netlogon_creds_CredentialState *creds = NULL; -+ const char *account_name = NULL; -+ -+ machine_name = cli_credentials_get_workstation(credentials); -+ mach_password = cli_credentials_get_nt_hash(credentials, tctx); -+ account_name = cli_credentials_get_username(credentials); -+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials); -+ -+ torture_comment(tctx, "Testing ServerReqChallenge\n"); -+ -+ r.in.server_name = NULL; -+ r.in.computer_name = machine_name; -+ r.in.credentials = &credentials1; -+ r.out.return_credentials = &credentials2; -+ -+ /* -+ * Set the client challenge to zero, this should fail -+ * CVE-2020-1472(ZeroLogon) -+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 -+ */ -+ ZERO_STRUCT(credentials1); -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), -+ "ServerReqChallenge failed"); -+ torture_assert_ntstatus_ok( -+ tctx, -+ r.out.result, -+ "ServerReqChallenge failed"); -+ a.in.server_name = NULL; -+ a.in.account_name = account_name; -+ a.in.secure_channel_type = sec_chan_type; -+ a.in.computer_name = machine_name; -+ a.in.negotiate_flags = &in_negotiate_flags; -+ a.out.negotiate_flags = &out_negotiate_flags; -+ a.in.credentials = &credentials3; -+ a.out.return_credentials = &credentials3; -+ -+ creds = netlogon_creds_client_init(tctx, a.in.account_name, -+ a.in.computer_name, -+ a.in.secure_channel_type, -+ &credentials1, &credentials2, -+ mach_password, &credentials3, -+ in_negotiate_flags); -+ -+ torture_assert(tctx, creds != NULL, "memory allocation"); -+ -+ torture_comment(tctx, "Testing ServerAuthenticate2\n"); -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a), -+ "ServerAuthenticate2 failed"); -+ torture_assert_ntstatus_equal( -+ tctx, -+ a.out.result, -+ NT_STATUS_ACCESS_DENIED, -+ "ServerAuthenticate2 unexpected"); -+ -+ return true; -+} -+ -+static bool test_ServerReqChallenge_5_repeats( -+ struct torture_context *tctx, -+ struct dcerpc_pipe *p, -+ struct cli_credentials *credentials) -+{ -+ struct netr_ServerReqChallenge r; -+ struct netr_Credential credentials1, credentials2, credentials3; -+ const char *machine_name; -+ struct dcerpc_binding_handle *b = p->binding_handle; -+ struct netr_ServerAuthenticate2 a; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t out_negotiate_flags = 0; -+ const struct samr_Password *mach_password = NULL; -+ enum netr_SchannelType sec_chan_type = 0; -+ struct netlogon_creds_CredentialState *creds = NULL; -+ const char *account_name = NULL; -+ -+ machine_name = cli_credentials_get_workstation(credentials); -+ mach_password = cli_credentials_get_nt_hash(credentials, tctx); -+ account_name = cli_credentials_get_username(credentials); -+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials); -+ -+ torture_comment(tctx, "Testing ServerReqChallenge\n"); -+ -+ r.in.server_name = NULL; -+ r.in.computer_name = machine_name; -+ r.in.credentials = &credentials1; -+ r.out.return_credentials = &credentials2; -+ -+ /* -+ * Set the first 5 bytes of the client challenge to the same value, -+ * this should fail CVE-2020-1472(ZeroLogon) -+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 -+ */ -+ credentials1.data[0] = 'A'; -+ credentials1.data[1] = 'A'; -+ credentials1.data[2] = 'A'; -+ credentials1.data[3] = 'A'; -+ credentials1.data[4] = 'A'; -+ credentials1.data[5] = 'B'; -+ credentials1.data[6] = 'C'; -+ credentials1.data[7] = 'D'; -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), -+ "ServerReqChallenge failed"); -+ torture_assert_ntstatus_ok( -+ tctx, -+ r.out.result, -+ "ServerReqChallenge failed"); -+ a.in.server_name = NULL; -+ a.in.account_name = account_name; -+ a.in.secure_channel_type = sec_chan_type; -+ a.in.computer_name = machine_name; -+ a.in.negotiate_flags = &in_negotiate_flags; -+ a.out.negotiate_flags = &out_negotiate_flags; -+ a.in.credentials = &credentials3; -+ a.out.return_credentials = &credentials3; -+ -+ creds = netlogon_creds_client_init(tctx, a.in.account_name, -+ a.in.computer_name, -+ a.in.secure_channel_type, -+ &credentials1, &credentials2, -+ mach_password, &credentials3, -+ in_negotiate_flags); -+ -+ torture_assert(tctx, creds != NULL, "memory allocation"); -+ -+ torture_comment(tctx, "Testing ServerAuthenticate2\n"); -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a), -+ "ServerAuthenticate2 failed"); -+ torture_assert_ntstatus_equal( -+ tctx, -+ a.out.result, -+ NT_STATUS_ACCESS_DENIED, -+ "ServerAuthenticate2 unexpected"); -+ -+ return true; -+} -+ -+static bool test_ServerReqChallenge_4_repeats( -+ struct torture_context *tctx, -+ struct dcerpc_pipe *p, -+ struct cli_credentials *credentials) -+{ -+ struct netr_ServerReqChallenge r; -+ struct netr_Credential credentials1, credentials2, credentials3; -+ const char *machine_name; -+ struct dcerpc_binding_handle *b = p->binding_handle; -+ struct netr_ServerAuthenticate2 a; -+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; -+ uint32_t out_negotiate_flags = 0; -+ const struct samr_Password *mach_password = NULL; -+ enum netr_SchannelType sec_chan_type = 0; -+ struct netlogon_creds_CredentialState *creds = NULL; -+ const char *account_name = NULL; -+ -+ machine_name = cli_credentials_get_workstation(credentials); -+ mach_password = cli_credentials_get_nt_hash(credentials, tctx); -+ account_name = cli_credentials_get_username(credentials); -+ sec_chan_type = cli_credentials_get_secure_channel_type(credentials); -+ -+ torture_comment(tctx, "Testing ServerReqChallenge\n"); -+ -+ r.in.server_name = NULL; -+ r.in.computer_name = machine_name; -+ r.in.credentials = &credentials1; -+ r.out.return_credentials = &credentials2; -+ -+ /* -+ * Set the first 4 bytes of the client challenge to the same -+ * value, this should pass as 5 bytes identical are needed to -+ * fail for CVE-2020-1472(ZeroLogon) -+ * -+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 -+ */ -+ credentials1.data[0] = 'A'; -+ credentials1.data[1] = 'A'; -+ credentials1.data[2] = 'A'; -+ credentials1.data[3] = 'A'; -+ credentials1.data[4] = 'B'; -+ credentials1.data[5] = 'C'; -+ credentials1.data[6] = 'D'; -+ credentials1.data[7] = 'E'; -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), -+ "ServerReqChallenge failed"); -+ torture_assert_ntstatus_ok( -+ tctx, -+ r.out.result, -+ "ServerReqChallenge failed"); -+ a.in.server_name = NULL; -+ a.in.account_name = account_name; -+ a.in.secure_channel_type = sec_chan_type; -+ a.in.computer_name = machine_name; -+ a.in.negotiate_flags = &in_negotiate_flags; -+ a.out.negotiate_flags = &out_negotiate_flags; -+ a.in.credentials = &credentials3; -+ a.out.return_credentials = &credentials3; -+ -+ creds = netlogon_creds_client_init(tctx, a.in.account_name, -+ a.in.computer_name, -+ a.in.secure_channel_type, -+ &credentials1, &credentials2, -+ mach_password, &credentials3, -+ in_negotiate_flags); -+ -+ torture_assert(tctx, creds != NULL, "memory allocation"); -+ -+ torture_comment(tctx, "Testing ServerAuthenticate2\n"); -+ -+ torture_assert_ntstatus_ok( -+ tctx, -+ dcerpc_netr_ServerAuthenticate2_r(b, tctx, &a), -+ "ServerAuthenticate2 failed"); -+ torture_assert_ntstatus_equal( -+ tctx, -+ a.out.result, -+ NT_STATUS_OK, -+ "ServerAuthenticate2 unexpected"); -+ -+ return true; -+} -+ - /* - try a change password for our machine account - */ -@@ -4954,6 +5273,22 @@ struct torture_suite *torture_rpc_netlogon(TALLOC_CTX *mem_ctx) - torture_rpc_tcase_add_test(tcase, "lsa_over_netlogon", test_lsa_over_netlogon); - torture_rpc_tcase_add_test_creds(tcase, "SetupCredentialsDowngrade", test_SetupCredentialsDowngrade); - -+ torture_rpc_tcase_add_test_creds( -+ tcase, -+ "ServerReqChallenge", -+ test_ServerReqChallenge); -+ torture_rpc_tcase_add_test_creds( -+ tcase, -+ "ServerReqChallenge_zero_challenge", -+ test_ServerReqChallenge_zero_challenge); -+ torture_rpc_tcase_add_test_creds( -+ tcase, -+ "ServerReqChallenge_5_repeats", -+ test_ServerReqChallenge_5_repeats); -+ torture_rpc_tcase_add_test_creds( -+ tcase, -+ "ServerReqChallenge_4_repeats", -+ test_ServerReqChallenge_4_repeats); - return suite; - } - --- -2.20.1 - diff --git a/CVE-2020-27840.patch b/CVE-2020-27840.patch deleted file mode 100644 index 7fd7b75..0000000 --- a/CVE-2020-27840.patch +++ /dev/null @@ -1,257 +0,0 @@ -From 44ed6c2263c2c969bec4229f99b37d8f2e09dde0 Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Thu, 11 Feb 2021 17:05:14 +1300 -Subject: [PATCH 1/3] CVE-2020-27840: pytests:segfault: add ldb.Dn validate - test - -ldb.Dn.validate wraps ldb_dn_explode. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Andrew Bartlett ---- - python/samba/tests/segfault.py | 6 ++++++ - selftest/knownfail.d/python-segfaults | 1 + - 2 files changed, 7 insertions(+) - -diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py -index 07e2d46d56a..70bd5b180e3 100644 ---- a/python/samba/tests/segfault.py -+++ b/python/samba/tests/segfault.py -@@ -174,3 +174,9 @@ class SegfaultTests(samba.tests.TestCase): - def test_dcerpc_idl_inline_arrays(self): - """Inline arrays were incorrectly handled.""" - dnsserver.DNS_RPC_SERVER_INFO_DOTNET().pExtensions -+ -+ @segfault_detector -+ def test_ldb_dn_explode_crash(self): -+ for i in range(106, 550, 5): -+ dn = ldb.Dn(ldb.Ldb(), "a=b%s,c= " % (' ' * i)) -+ dn.validate() -diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults -index 1be0566dcb1..524f7dd013b 100644 ---- a/selftest/knownfail.d/python-segfaults -+++ b/selftest/knownfail.d/python-segfaults -@@ -1 +1,2 @@ - samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3 -+samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_dn_explode_crash --- -2.25.1 - - -From 5fbc51a2cf77ebd7ca42cd7dda58d5fd0ec5127d Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Fri, 11 Dec 2020 16:32:25 +1300 -Subject: [PATCH 2/3] CVE-2020-27840 ldb_dn: avoid head corruption in - ldb_dn_explode - -A DN string with lots of trailing space can cause ldb_dn_explode() to -put a zero byte in the wrong place in the heap. - -When a DN string has a value represented with trailing spaces, -like this - - "CN=foo ,DC=bar" - -the whitespace is supposed to be ignored. We keep track of this in the -`t` pointer, which is NULL when we are not walking through trailing -spaces, and points to the first space when we are. We are walking with -the `p` pointer, writing the value to `d`, and keeping the length in -`l`. - - "CN=foo ,DC= " ==> "foo " - ^ ^ ^ - t p d - --l--- - -The value is finished when we encounter a comma or the end of the -string. If `t` is not NULL at that point, we assume there are trailing -spaces and wind `d and `l` back by the correct amount. Then we switch -to expecting an attribute name (e.g. "CN"), until we get to an "=", -which puts us back into looking for a value. - -Unfortunately, we forget to immediately tell `t` that we'd finished -the last value, we can end up like this: - - "CN=foo ,DC= " ==> "" - ^ ^ ^ - t p d - l=0 - -where `p` is pointing to a new value that contains only spaces, while -`t` is still referring to the old value. `p` notices the value ends, -and we subtract `p - t` from `d`: - - "CN=foo ,DC= " ==> ? "" - ^ ^ ^ - t p d - l ~= SIZE_MAX - 8 - -At that point `d` wants to terminate its string with a '\0', but -instead it terminates someone else's byte. This does not crash if the -number of trailing spaces is small, as `d` will point into a previous -value (a copy of "foo" in this example). Corrupting that value will -ultimately not matter, as we will soon try to allocate a buffer `l` -long, which will be greater than the available memory and the whole -operation will fail properly. - -However, with more spaces, `d` will point into memory before the -beginning of the allocated buffer, with the exact offset depending on -the length of the earlier attributes and the number of spaces. - -What about a longer DN with more attributes? For example, -"CN=foo ,DC= ,DC=example,DC=com" -- since `d` has moved out of -bounds, won't we continue to use it and write more DN values into -mystery memory? Fortunately not, because the aforementioned allocation -of `l` bytes must happen first, and `l` is now huge. The allocation -happens in a talloc_memdup(), which is by default restricted to -allocating 256MB. - -So this allows a person who controls a string parsed by ldb_dn_explode -to corrupt heap memory by placing a single zero byte at a chosen -offset before the allocated buffer. - -An LDAP bind request can send a string DN as a username. This DN is -necessarily parsed before the password is checked, so an attacker does -not need proper credentials. The attacker can easily cause a denial of -service and we cannot rule out more subtle attacks. - -The immediate solution is to reset `t` to NULL when a comma is -encountered, indicating that we are no longer looking at trailing -whitespace. - -Found with the help of Honggfuzz. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Andrew Bartlett ---- - lib/ldb/common/ldb_dn.c | 1 + - selftest/knownfail.d/python-segfaults | 1 - - 2 files changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/ldb/common/ldb_dn.c b/lib/ldb/common/ldb_dn.c -index 83f94e3b913..047244287f5 100644 ---- a/lib/ldb/common/ldb_dn.c -+++ b/lib/ldb/common/ldb_dn.c -@@ -570,6 +570,7 @@ static bool ldb_dn_explode(struct ldb_dn *dn) - /* trim back */ - d -= (p - t); - l -= (p - t); -+ t = NULL; - } - - in_attr = true; -diff --git a/selftest/knownfail.d/python-segfaults b/selftest/knownfail.d/python-segfaults -index 524f7dd013b..1be0566dcb1 100644 ---- a/selftest/knownfail.d/python-segfaults -+++ b/selftest/knownfail.d/python-segfaults -@@ -1,2 +1 @@ - samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_net_replicate_init__3 --samba.tests.segfault.samba.tests.segfault.SegfaultTests.test_ldb_dn_explode_crash --- -2.25.1 - - -From 90f08c437ce81f2a96ce0740a93aa00e94eb5f16 Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Thu, 11 Feb 2021 16:28:43 +1300 -Subject: [PATCH 3/3] CVE-2020-27840: pytests: move Dn.validate test to ldb - -We had the test in the Samba Python segfault suite because -a) the signal catching infrastructure was there, and -b) the ldb tests lack Samba's knownfail mechanism, which allowed us to - assert the failure. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14595 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Andrew Bartlett ---- - lib/ldb/tests/python/crash.py | 45 ++++++++++++++++++++++++++++++++++ - lib/ldb/wscript | 1 + - python/samba/tests/segfault.py | 6 ----- - 3 files changed, 46 insertions(+), 6 deletions(-) - create mode 100644 lib/ldb/tests/python/crash.py - -diff --git a/lib/ldb/tests/python/crash.py b/lib/ldb/tests/python/crash.py -new file mode 100644 -index 00000000000..32839814552 ---- /dev/null -+++ b/lib/ldb/tests/python/crash.py -@@ -0,0 +1,45 @@ -+#!/usr/bin/env python3 -+# -+# Tests for crashing functions -+ -+import os -+from unittest import TestCase -+import os -+import sys -+import traceback -+ -+import ldb -+ -+ -+def segfault_detector(f): -+ def wrapper(*args, **kwargs): -+ pid = os.fork() -+ if pid == 0: -+ # child, crashing? -+ try: -+ f(*args, **kwargs) -+ except Exception as e: -+ traceback.print_exc() -+ sys.stderr.flush() -+ sys.stdout.flush() -+ os._exit(0) -+ -+ # parent, waiting -+ pid2, status = os.waitpid(pid, 0) -+ if os.WIFSIGNALED(status): -+ signal = os.WTERMSIG(status) -+ raise AssertionError("Failed with signal %d" % signal) -+ -+ return wrapper -+ -+ -+class LdbDnCrashTests(TestCase): -+ @segfault_detector -+ def test_ldb_dn_explode_crash(self): -+ for i in range(106, 150): -+ dn = ldb.Dn(ldb.Ldb(), "a=b%s,c= " % (' ' * i)) -+ dn.validate() -+ -+if __name__ == '__main__': -+ import unittest -+ unittest.TestProgram() -diff --git a/lib/ldb/wscript b/lib/ldb/wscript -index edc3343e827..33265da373a 100644 ---- a/lib/ldb/wscript -+++ b/lib/ldb/wscript -@@ -614,6 +614,7 @@ def test(ctx): - os.mkdir(tmp_dir) - pyret = samba_utils.RUN_PYTHON_TESTS( - ['tests/python/api.py', -+ 'tests/python/crash.py', - 'tests/python/index.py', - 'tests/python/repack.py'], - extra_env={'SELFTEST_PREFIX': test_prefix}) -diff --git a/python/samba/tests/segfault.py b/python/samba/tests/segfault.py -index 70bd5b180e3..07e2d46d56a 100644 ---- a/python/samba/tests/segfault.py -+++ b/python/samba/tests/segfault.py -@@ -174,9 +174,3 @@ class SegfaultTests(samba.tests.TestCase): - def test_dcerpc_idl_inline_arrays(self): - """Inline arrays were incorrectly handled.""" - dnsserver.DNS_RPC_SERVER_INFO_DOTNET().pExtensions -- -- @segfault_detector -- def test_ldb_dn_explode_crash(self): -- for i in range(106, 550, 5): -- dn = ldb.Dn(ldb.Ldb(), "a=b%s,c= " % (' ' * i)) -- dn.validate() --- -2.25.1 diff --git a/CVE-2021-20254.patch b/CVE-2021-20254.patch deleted file mode 100644 index 974e00a..0000000 --- a/CVE-2021-20254.patch +++ /dev/null @@ -1,234 +0,0 @@ -From 75ad84167f5d2379557ec078d17c9a1c244402fc Mon Sep 17 00:00:00 2001 -From: Volker Lendecke -Date: Sat, 20 Feb 2021 15:50:12 +0100 -Subject: [PATCH] CVE-2021-20254 passdb: Simplify sids_to_unixids() - -Best reviewed with "git show -b", there's a "continue" statement that -changes subsequent indentation. - -Decouple lookup status of ids from ID_TYPE_NOT_SPECIFIED - -Add comments to explain the use of the three lookup -loops. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14571 - -Signed-off-by: Volker Lendecke -Reviewed-by: Jeremy Allison - -Autobuild-User(master): Karolin Seeger -Autobuild-Date(master): Thu Apr 29 09:55:51 UTC 2021 on sn-devel-184 ---- - source3/passdb/lookup_sid.c | 123 +++++++++++++++++++++++++++++------- - 1 file changed, 101 insertions(+), 22 deletions(-) - -diff --git a/source3/passdb/lookup_sid.c b/source3/passdb/lookup_sid.c -index cf80a300189..0e01467b3cb 100644 ---- a/source3/passdb/lookup_sid.c -+++ b/source3/passdb/lookup_sid.c -@@ -29,6 +29,7 @@ - #include "../libcli/security/security.h" - #include "lib/winbind_util.h" - #include "../librpc/gen_ndr/idmap.h" -+#include "lib/util/bitmap.h" - - static bool lookup_unix_user_name(const char *name, struct dom_sid *sid) - { -@@ -1266,7 +1267,9 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, - { - struct wbcDomainSid *wbc_sids = NULL; - struct wbcUnixId *wbc_ids = NULL; -+ struct bitmap *found = NULL; - uint32_t i, num_not_cached; -+ uint32_t wbc_ids_size = 0; - wbcErr err; - bool ret = false; - -@@ -1274,6 +1277,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, - if (wbc_sids == NULL) { - return false; - } -+ found = bitmap_talloc(wbc_sids, num_sids); -+ if (found == NULL) { -+ goto fail; -+ } -+ -+ /* -+ * We go through the requested SID array three times. -+ * First time to look for global_sid_Unix_Users -+ * and global_sid_Unix_Groups SIDS, and to look -+ * for mappings cached in the idmap_cache. -+ * -+ * Use bitmap_set() to mark an ids[] array entry as -+ * being mapped. -+ */ - - num_not_cached = 0; - -@@ -1285,17 +1302,20 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, - &sids[i], &rid)) { - ids[i].type = ID_TYPE_UID; - ids[i].id = rid; -+ bitmap_set(found, i); - continue; - } - if (sid_peek_check_rid(&global_sid_Unix_Groups, - &sids[i], &rid)) { - ids[i].type = ID_TYPE_GID; - ids[i].id = rid; -+ bitmap_set(found, i); - continue; - } - if (idmap_cache_find_sid2unixid(&sids[i], &ids[i], &expired) - && !expired) - { -+ bitmap_set(found, i); - continue; - } - ids[i].type = ID_TYPE_NOT_SPECIFIED; -@@ -1306,62 +1326,121 @@ bool sids_to_unixids(const struct dom_sid *sids, uint32_t num_sids, - if (num_not_cached == 0) { - goto done; - } -- wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, num_not_cached); -+ -+ /* -+ * For the ones that we couldn't map in the loop above, query winbindd -+ * via wbcSidsToUnixIds(). -+ */ -+ -+ wbc_ids_size = num_not_cached; -+ wbc_ids = talloc_array(talloc_tos(), struct wbcUnixId, wbc_ids_size); - if (wbc_ids == NULL) { - goto fail; - } -- for (i=0; i id is a union anyway */ -- ids[i].type = (enum id_type)wbc_ids[num_not_cached].type; -- ids[i].id = wbc_ids[num_not_cached].id.gid; -- break; -- } -- num_not_cached += 1; -+ if (bitmap_query(found, i)) { -+ continue; -+ } -+ -+ SMB_ASSERT(num_not_cached < wbc_ids_size); -+ -+ switch (wbc_ids[num_not_cached].type) { -+ case WBC_ID_TYPE_UID: -+ ids[i].type = ID_TYPE_UID; -+ ids[i].id = wbc_ids[num_not_cached].id.uid; -+ bitmap_set(found, i); -+ break; -+ case WBC_ID_TYPE_GID: -+ ids[i].type = ID_TYPE_GID; -+ ids[i].id = wbc_ids[num_not_cached].id.gid; -+ bitmap_set(found, i); -+ break; -+ case WBC_ID_TYPE_BOTH: -+ ids[i].type = ID_TYPE_BOTH; -+ ids[i].id = wbc_ids[num_not_cached].id.uid; -+ bitmap_set(found, i); -+ break; -+ case WBC_ID_TYPE_NOT_SPECIFIED: -+ /* -+ * wbcSidsToUnixIds() wasn't able to map this -+ * so we still need to check legacy_sid_to_XXX() -+ * below. Don't mark the bitmap entry -+ * as being found so the final loop knows -+ * to try and map this entry. -+ */ -+ ids[i].type = ID_TYPE_NOT_SPECIFIED; -+ ids[i].id = (uint32_t)-1; -+ break; -+ default: -+ /* -+ * A successful return from wbcSidsToUnixIds() -+ * cannot return anything other than the values -+ * checked for above. Ensure this is so. -+ */ -+ smb_panic(__location__); -+ break; - } -+ num_not_cached += 1; - } - -+ /* -+ * Third and final time through the SID array, -+ * try legacy_sid_to_gid()/legacy_sid_to_uid() -+ * for entries we haven't already been able to -+ * map. -+ * -+ * Use bitmap_set() to mark an ids[] array entry as -+ * being mapped. -+ */ -+ - for (i=0; i -Date: Tue, 8 Dec 2020 21:32:09 +1300 -Subject: [PATCH] CVE-2021-20277 ldb/attrib_handlers casefold: stay in bounds - -For a string that had N spaces at the beginning, we would -try to move N bytes beyond the end of the string. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14655 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Andrew Bartlett - -(cherry-picked from commit for master) ---- - lib/ldb/common/attrib_handlers.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/ldb/common/attrib_handlers.c b/lib/ldb/common/attrib_handlers.c -index b5212b731596..c6ef5ad477b0 100644 ---- a/lib/ldb/common/attrib_handlers.c -+++ b/lib/ldb/common/attrib_handlers.c -@@ -76,7 +76,7 @@ int ldb_handler_fold(struct ldb_context *ldb, void *mem_ctx, - - /* remove leading spaces if any */ - if (*s == ' ') { -- for (t = s; *s == ' '; s++) ; -+ for (t = s; *s == ' '; s++, l--) ; - - /* remove leading spaces by moving down the string */ - memmove(t, s, l); diff --git a/backport-CVE-2021-3671.patch b/backport-CVE-2021-3671.patch deleted file mode 100644 index 1e53b4b..0000000 --- a/backport-CVE-2021-3671.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0cb4b939f192376bf5e33637863a91a20f74c5a5 Mon Sep 17 00:00:00 2001 -From: Luke Howard -Date: Fri, 27 Aug 2021 11:42:48 +1000 -Subject: [PATCH] CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ - -In tgs_build_reply(), validate the server name in the TGS-REQ is present before -dereferencing. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 - -[abartlet@samba.org backported from from Heimdal -commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference -to an earlier patch by Joseph Sutton] - -RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ - -Reviewed-by: Andreas Schneider ---- - source4/heimdal/kdc/krb5tgs.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c -index b76726cdd64..d143eb739eb 100644 ---- a/source4/heimdal/kdc/krb5tgs.c -+++ b/source4/heimdal/kdc/krb5tgs.c -@@ -1603,6 +1603,10 @@ tgs_build_reply(krb5_context context, - - s = &adtkt.cname; - r = adtkt.crealm; -+ } else if (s == NULL) { -+ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; -+ krb5_set_error_message(context, ret, "No server in request"); -+ goto out; - } - - _krb5_principalname2krb5_principal(context, &sp, *s, r); --- -GitLab - diff --git a/backport-fix-undefined-shift-in-put_res_rec.patch b/backport-fix-undefined-shift-in-put_res_rec.patch deleted file mode 100644 index 8772d6b..0000000 --- a/backport-fix-undefined-shift-in-put_res_rec.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 14f56750fcf51a1d6daa14da08b34eb789241a23 Mon Sep 17 00:00:00 2001 -From: eaglegai -Date: Thu, 28 Oct 2021 21:51:13 +0800 -Subject: [PATCH] fix undefined-shift in put_res_rec -fuzz error: - ../../source3/libsmb/nmblib.c:451:4: runtime error: left shift of 65312 by 16 - places cannot be represented in type 'int' - -Author: eaglegai - -Signed-off-by: eaglegai -Reviewed-by: Jeremy Allison -Reviewed-by: Douglas Bagnall - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Fri Oct 29 20:29:26 UTC 2021 on sn-devel-184 ---- - source3/libsmb/nmblib.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/source3/libsmb/nmblib.c b/source3/libsmb/nmblib.c -index ff009092bbf..607470f7e4e 100644 ---- a/source3/libsmb/nmblib.c -+++ b/source3/libsmb/nmblib.c -@@ -449,7 +449,7 @@ static int put_res_rec(char *buf, size_t buflen, int offset,struct res_rec *recs - if (buf) { - RSSVAL(buf,offset,recs[i].rr_type); - RSSVAL(buf,offset+2,recs[i].rr_class); -- RSIVAL(buf,offset+4,recs[i].ttl); -+ RSIVAL(buf,offset+4,(unsigned int)recs[i].ttl); - RSSVAL(buf,offset+8,recs[i].rdlength); - memcpy(buf+offset+10,recs[i].rdata,recs[i].rdlength); - } --- -GitLab diff --git a/backport-idl-drsuapi_DsaAddressListItem_V1-limit-recursion.patch b/backport-idl-drsuapi_DsaAddressListItem_V1-limit-recursion.patch deleted file mode 100644 index c44b4d4..0000000 --- a/backport-idl-drsuapi_DsaAddressListItem_V1-limit-recursion.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 2f8c3b62266b729b47d5ba25f1966786c1af0e5f Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Thu, 30 Jan 2020 08:52:34 +1300 -Subject: [PATCH] idl: drsuapi_DsaAddressListItem_V1 limit recursion - -Limit number of drsuapi_DsaAddressListItem_V1 elements to 1024 - -Credit to OSS-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - librpc/idl/drsuapi.idl | 2 +- - 1 files changed, 1 insertion(+), 1 deletions(-) - delete mode 100644 selftest/knownfail.d/bug-14254 - -diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl -index 2aaae8dce59..04725276121 100644 ---- a/librpc/idl/drsuapi.idl -+++ b/librpc/idl/drsuapi.idl -@@ -1452,7 +1452,7 @@ interface drsuapi - /* list of network names of the DCs - * to which the referral is directed */ - typedef struct { -- drsuapi_DsaAddressListItem_V1 *next; -+ [max_recursion(1024)] drsuapi_DsaAddressListItem_V1 *next; - lsa_String *address; - } drsuapi_DsaAddressListItem_V1; - --- -GitLab - diff --git a/backport-idl-limit-recurion-on-recursive-elements.patch b/backport-idl-limit-recurion-on-recursive-elements.patch deleted file mode 100644 index 150db31..0000000 --- a/backport-idl-limit-recurion-on-recursive-elements.patch +++ /dev/null @@ -1,126 +0,0 @@ -From 575d39048e3b4f619d65d65303ac809c40c5d495 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Fri, 7 Feb 2020 15:18:45 +1300 -Subject: [PATCH] idl: limit recurion on recursive elements - -Limit the max_recursion on self recursive definitions in the idl to -20,000. This value is hopefully large eneough to not impact normal -operation, but small eneough to prevent stack over flow issues. - -Credit to OSS-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andrew Bartlett -Autobuild-Date(master): Thu Feb 27 02:29:21 UTC 2020 on sn-devel-184 ---- - librpc/idl/drsblobs.idl | 2 +- - librpc/idl/drsuapi.idl | 12 ++++++++---- - librpc/idl/ioctl.idl | 2 +- - source3/librpc/idl/secrets.idl | 2 +- - source3/librpc/idl/smbXsrv.idl | 2 +- - 5 files changed, 12 insertions(+), 8 deletions(-) - -diff --git a/librpc/idl/drsblobs.idl b/librpc/idl/drsblobs.idl -index 072546a4369..b096b671c80 100644 ---- a/librpc/idl/drsblobs.idl -+++ b/librpc/idl/drsblobs.idl -@@ -579,7 +579,7 @@ interface drsblobs { - } ExtendedErrorParam; - - typedef [public] struct { -- ExtendedErrorInfo *next; -+ [max_recursion(20000)] ExtendedErrorInfo *next; - ExtendedErrorComputerName computer_name; - hyper pid; - NTTIME time; -diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl -index 04725276121..db00eb8639e 100644 ---- a/librpc/idl/drsuapi.idl -+++ b/librpc/idl/drsuapi.idl -@@ -690,7 +690,8 @@ interface drsuapi - } drsuapi_DsReplicaMetaDataCtr; - - typedef [public,noprint] struct { -- drsuapi_DsReplicaObjectListItemEx *next_object; -+ [max_recursion(20000)] -+ drsuapi_DsReplicaObjectListItemEx *next_object; - drsuapi_DsReplicaObject object; - boolean32 is_nc_prefix; - GUID *parent_object_guid; -@@ -1308,7 +1309,8 @@ interface drsuapi - /*****************/ - /* Function 0x11 */ - typedef [public,noprint] struct { -- drsuapi_DsReplicaObjectListItem *next_object; -+ [max_recursion(20000)] -+ drsuapi_DsReplicaObjectListItem *next_object; - drsuapi_DsReplicaObject object; - } drsuapi_DsReplicaObjectListItem; - -@@ -1408,7 +1410,8 @@ interface drsuapi - } drsuapi_DsAddEntry_AttrErr_V1; - - typedef [noprint] struct { -- drsuapi_DsAddEntry_AttrErrListItem_V1 *next; -+ [max_recursion(20000)] -+ drsuapi_DsAddEntry_AttrErrListItem_V1 *next; - drsuapi_DsAddEntry_AttrErr_V1 err_data; - } drsuapi_DsAddEntry_AttrErrListItem_V1; - -@@ -1464,7 +1467,8 @@ interface drsuapi - drsuapi_DsAddEntry_RefType ref_type; - uint16 addr_list_count; - drsuapi_DsaAddressListItem_V1 *addr_list; -- drsuapi_DsAddEntry_RefErrListItem_V1 *next; -+ [max_recursion(20000)] -+ drsuapi_DsAddEntry_RefErrListItem_V1 *next; - boolean32 is_choice_set; - drsuapi_DsAddEntry_ChoiceType choice; - } drsuapi_DsAddEntry_RefErrListItem_V1; -diff --git a/librpc/idl/ioctl.idl b/librpc/idl/ioctl.idl -index ba68fbcb8f6..390e8562f69 100644 ---- a/librpc/idl/ioctl.idl -+++ b/librpc/idl/ioctl.idl -@@ -151,7 +151,7 @@ interface netinterface - } fsctl_sockaddr_storage; - - typedef [public,relative_base,noprint] struct { -- [relative] fsctl_net_iface_info *next; -+ [relative,max_recursion(20000)] fsctl_net_iface_info *next; - uint32 ifindex; - fsctl_net_iface_capability capability; - [value(0)] uint32 reserved; -diff --git a/source3/librpc/idl/secrets.idl b/source3/librpc/idl/secrets.idl -index 2c06fa6990d..186d925e45e 100644 ---- a/source3/librpc/idl/secrets.idl -+++ b/source3/librpc/idl/secrets.idl -@@ -100,7 +100,7 @@ import "misc.idl", "samr.idl", "lsa.idl", "netlogon.idl", "security.idl"; - - NTTIME password_last_change; - hyper password_changes; -- secrets_domain_info1_change *next_change; -+ [max_recursion(20000)] secrets_domain_info1_change *next_change; - - [ref] secrets_domain_info1_password *password; - secrets_domain_info1_password *old_password; -diff --git a/source3/librpc/idl/smbXsrv.idl b/source3/librpc/idl/smbXsrv.idl -index c6ce9c48789..4d9249fb3bb 100644 ---- a/source3/librpc/idl/smbXsrv.idl -+++ b/source3/librpc/idl/smbXsrv.idl -@@ -267,7 +267,7 @@ interface smbXsrv - - typedef struct { - [ignore] smbXsrv_session_auth0 *prev; -- smbXsrv_session_auth0 *next; -+ [max_recursion(20000)] smbXsrv_session_auth0 *next; - [ignore] smbXsrv_session *session; - [ignore] smbXsrv_connection *connection; - [ignore] gensec_security *gensec; --- -GitLab - diff --git a/backport-lib-ldb-Limit-depth-of-ldb_parse_tree.patch b/backport-lib-ldb-Limit-depth-of-ldb_parse_tree.patch deleted file mode 100644 index f202693..0000000 --- a/backport-lib-ldb-Limit-depth-of-ldb_parse_tree.patch +++ /dev/null @@ -1,300 +0,0 @@ -From a699256f438527455aaff6c73c88ee87ac7083ef Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Tue, 21 Apr 2020 15:37:40 +1200 -Subject: [PATCH] lib ldb: Limit depth of ldb_parse_tree - -Limit the number of nested conditionals allowed by ldb_parse tree to -128, to avoid potential stack overflow issues. - -Credit Oss-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19508 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Gary Lockyer -Autobuild-Date(master): Sun May 10 23:21:08 UTC 2020 on sn-devel-184 ---- - lib/ldb/common/ldb_parse.c | 72 +++++++++++++++++++++++------ - lib/ldb/tests/ldb_parse_test.c | 83 +++++++++++++++++++++++++++++++++- - 2 files changed, 140 insertions(+), 15 deletions(-) - -diff --git a/lib/ldb/common/ldb_parse.c b/lib/ldb/common/ldb_parse.c -index 452c5830ed5..7e15206b168 100644 ---- a/lib/ldb/common/ldb_parse.c -+++ b/lib/ldb/common/ldb_parse.c -@@ -43,6 +43,16 @@ - #include "ldb_private.h" - #include "system/locale.h" - -+/* -+ * Maximum depth of the filter parse tree, the value chosen is small enough to -+ * avoid triggering ASAN stack overflow checks. But large enough to be useful. -+ * -+ * On Windows clients the maximum number of levels of recursion allowed is 100. -+ * In the LDAP server, Windows restricts clients to 512 nested -+ * (eg) OR statements. -+ */ -+#define LDB_MAX_PARSE_TREE_DEPTH 128 -+ - static int ldb_parse_hex2char(const char *x) - { - if (isxdigit(x[0]) && isxdigit(x[1])) { -@@ -231,7 +241,11 @@ static struct ldb_val **ldb_wildcard_decode(TALLOC_CTX *mem_ctx, const char *str - return ret; - } - --static struct ldb_parse_tree *ldb_parse_filter(TALLOC_CTX *mem_ctx, const char **s); -+static struct ldb_parse_tree *ldb_parse_filter( -+ TALLOC_CTX *mem_ctx, -+ const char **s, -+ unsigned depth, -+ unsigned max_depth); - - - /* -@@ -498,7 +512,11 @@ static struct ldb_parse_tree *ldb_parse_simple(TALLOC_CTX *mem_ctx, const char * - ::= '|' - ::= | - */ --static struct ldb_parse_tree *ldb_parse_filterlist(TALLOC_CTX *mem_ctx, const char **s) -+static struct ldb_parse_tree *ldb_parse_filterlist( -+ TALLOC_CTX *mem_ctx, -+ const char **s, -+ unsigned depth, -+ unsigned max_depth) - { - struct ldb_parse_tree *ret, *next; - enum ldb_parse_op op; -@@ -533,7 +551,8 @@ static struct ldb_parse_tree *ldb_parse_filterlist(TALLOC_CTX *mem_ctx, const ch - return NULL; - } - -- ret->u.list.elements[0] = ldb_parse_filter(ret->u.list.elements, &p); -+ ret->u.list.elements[0] = -+ ldb_parse_filter(ret->u.list.elements, &p, depth, max_depth); - if (!ret->u.list.elements[0]) { - talloc_free(ret); - return NULL; -@@ -547,7 +566,8 @@ static struct ldb_parse_tree *ldb_parse_filterlist(TALLOC_CTX *mem_ctx, const ch - break; - } - -- next = ldb_parse_filter(ret->u.list.elements, &p); -+ next = ldb_parse_filter( -+ ret->u.list.elements, &p, depth, max_depth); - if (next == NULL) { - /* an invalid filter element */ - talloc_free(ret); -@@ -576,7 +596,11 @@ static struct ldb_parse_tree *ldb_parse_filterlist(TALLOC_CTX *mem_ctx, const ch - /* - ::= '!' - */ --static struct ldb_parse_tree *ldb_parse_not(TALLOC_CTX *mem_ctx, const char **s) -+static struct ldb_parse_tree *ldb_parse_not( -+ TALLOC_CTX *mem_ctx, -+ const char **s, -+ unsigned depth, -+ unsigned max_depth) - { - struct ldb_parse_tree *ret; - const char *p = *s; -@@ -593,7 +617,7 @@ static struct ldb_parse_tree *ldb_parse_not(TALLOC_CTX *mem_ctx, const char **s) - } - - ret->operation = LDB_OP_NOT; -- ret->u.isnot.child = ldb_parse_filter(ret, &p); -+ ret->u.isnot.child = ldb_parse_filter(ret, &p, depth, max_depth); - if (!ret->u.isnot.child) { - talloc_free(ret); - return NULL; -@@ -608,7 +632,11 @@ static struct ldb_parse_tree *ldb_parse_not(TALLOC_CTX *mem_ctx, const char **s) - parse a filtercomp - ::= | | | - */ --static struct ldb_parse_tree *ldb_parse_filtercomp(TALLOC_CTX *mem_ctx, const char **s) -+static struct ldb_parse_tree *ldb_parse_filtercomp( -+ TALLOC_CTX *mem_ctx, -+ const char **s, -+ unsigned depth, -+ unsigned max_depth) - { - struct ldb_parse_tree *ret; - const char *p = *s; -@@ -617,15 +645,15 @@ static struct ldb_parse_tree *ldb_parse_filtercomp(TALLOC_CTX *mem_ctx, const ch - - switch (*p) { - case '&': -- ret = ldb_parse_filterlist(mem_ctx, &p); -+ ret = ldb_parse_filterlist(mem_ctx, &p, depth, max_depth); - break; - - case '|': -- ret = ldb_parse_filterlist(mem_ctx, &p); -+ ret = ldb_parse_filterlist(mem_ctx, &p, depth, max_depth); - break; - - case '!': -- ret = ldb_parse_not(mem_ctx, &p); -+ ret = ldb_parse_not(mem_ctx, &p, depth, max_depth); - break; - - case '(': -@@ -641,21 +669,34 @@ static struct ldb_parse_tree *ldb_parse_filtercomp(TALLOC_CTX *mem_ctx, const ch - return ret; - } - -- - /* - ::= '(' ')' - */ --static struct ldb_parse_tree *ldb_parse_filter(TALLOC_CTX *mem_ctx, const char **s) -+static struct ldb_parse_tree *ldb_parse_filter( -+ TALLOC_CTX *mem_ctx, -+ const char **s, -+ unsigned depth, -+ unsigned max_depth) - { - struct ldb_parse_tree *ret; - const char *p = *s; - -+ /* -+ * Check the depth of the parse tree, and reject the input if -+ * max_depth exceeded. This avoids stack overflow -+ * issues. -+ */ -+ if (depth > max_depth) { -+ return NULL; -+ } -+ depth++; -+ - if (*p != '(') { - return NULL; - } - p++; - -- ret = ldb_parse_filtercomp(mem_ctx, &p); -+ ret = ldb_parse_filtercomp(mem_ctx, &p, depth, max_depth); - - if (*p != ')') { - return NULL; -@@ -679,6 +720,8 @@ static struct ldb_parse_tree *ldb_parse_filter(TALLOC_CTX *mem_ctx, const char * - */ - struct ldb_parse_tree *ldb_parse_tree(TALLOC_CTX *mem_ctx, const char *s) - { -+ unsigned depth = 0; -+ - while (s && isspace((unsigned char)*s)) s++; - - if (s == NULL || *s == 0) { -@@ -686,7 +729,8 @@ struct ldb_parse_tree *ldb_parse_tree(TALLOC_CTX *mem_ctx, const char *s) - } - - if (*s == '(') { -- return ldb_parse_filter(mem_ctx, &s); -+ return ldb_parse_filter( -+ mem_ctx, &s, depth, LDB_MAX_PARSE_TREE_DEPTH); - } - - return ldb_parse_simple(mem_ctx, &s); -diff --git a/lib/ldb/tests/ldb_parse_test.c b/lib/ldb/tests/ldb_parse_test.c -index a739d7795d1..d7442b954ea 100644 ---- a/lib/ldb/tests/ldb_parse_test.c -+++ b/lib/ldb/tests/ldb_parse_test.c -@@ -81,10 +81,91 @@ static void test_parse_filtertype(void **state) - test_roundtrip(ctx, " ", "(|(objectClass=*)(distinguishedName=*))"); - } - -+/* -+ * Test that a nested query with 128 levels of nesting is accepted -+ */ -+static void test_nested_filter_eq_limit(void **state) -+{ -+ struct test_ctx *ctx = -+ talloc_get_type_abort(*state, struct test_ctx); -+ -+ /* -+ * 128 nested clauses -+ */ -+ const char *nested_query = "" -+ "(|(!(|(&(|(|(|(|(|(|(|(|(|(|(|(|" -+ "(|(!(|(&(|(|(|(|(|(|(!(|(!(|(|(|" -+ "(|(!(|(&(|(|(&(|(|(|(|(|(!(!(!(|" -+ "(|(!(|(&(|(|(|(|(|(|(|(|(|(|(|(|" -+ "(|(!(|(&(|(|(|(!(|(|(&(|(|(|(|(|" -+ "(|(!(|(&(|(|(&(|(|(|(|(|(&(&(|(|" -+ "(|(!(|(&(|(|(|(|(|(|(!(|(|(|(|(|" -+ "(|(!(|(&(|(|(!(|(|(|(|(|(|(|(|(|" -+ "(a=b)" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))"; -+ -+ struct ldb_parse_tree *tree = ldb_parse_tree(ctx, nested_query); -+ -+ assert_non_null(tree); -+ /* -+ * Check that we get the same query back -+ */ -+ test_roundtrip(ctx, nested_query, nested_query); -+} -+ -+/* -+ * Test that a nested query with 129 levels of nesting is rejected. -+ */ -+static void test_nested_filter_gt_limit(void **state) -+{ -+ struct test_ctx *ctx = -+ talloc_get_type_abort(*state, struct test_ctx); -+ -+ /* -+ * 129 nested clauses -+ */ -+ const char *nested_query = "" -+ "(|(!(|(|(&(|(|(|(|(&(|(|(|(|(|(|" -+ "(|(!(|(|(&(|(|(|(|(|(|(|(|(|(|(|" -+ "(|(!(|(|(&(|(|(!(|(|(|(|(!(|(|(|" -+ "(|(!(|(|(&(|(|(|(|(|(|(|(|(|(|(|" -+ "(|(!(|(|(&(|(|(|(!(&(|(|(|(|(|(|" -+ "(|(!(|(|(&(|(|(|(|(|(|(|(|(|(|(|" -+ "(|(!(|(|(&(|(|(|(|(|(|(|(|(|(|(|" -+ "(|(!(|(|(&(|(|(|(|(|(|(|(|(&(|(|" -+ "(|" -+ "(a=b)" -+ ")" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))" -+ "))))))))))))))))"; -+ -+ struct ldb_parse_tree *tree = ldb_parse_tree(ctx, nested_query); -+ -+ assert_null(tree); -+} -+ - int main(int argc, const char **argv) - { - const struct CMUnitTest tests[] = { -- cmocka_unit_test_setup_teardown(test_parse_filtertype, setup, teardown), -+ cmocka_unit_test_setup_teardown( -+ test_parse_filtertype, setup, teardown), -+ cmocka_unit_test_setup_teardown( -+ test_nested_filter_eq_limit, setup, teardown), -+ cmocka_unit_test_setup_teardown( -+ test_nested_filter_gt_limit, setup, teardown), - }; - - cmocka_set_message_output(CM_OUTPUT_SUBUNIT); --- -GitLab - diff --git a/backport-librpc-ndr-Heap-buffer-overflow-in-lzxpress_decompress.patch b/backport-librpc-ndr-Heap-buffer-overflow-in-lzxpress_decompress.patch deleted file mode 100644 index 18c2509..0000000 --- a/backport-librpc-ndr-Heap-buffer-overflow-in-lzxpress_decompress.patch +++ /dev/null @@ -1,208 +0,0 @@ -From ae6927e4f08dcea89729d8e54363e98effab6624 Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Fri, 24 Jan 2020 10:41:35 +1300 -Subject: [PATCH] librpc ndr: Heap-buffer-overflow in lzxpress_decompress - -Reproducer for oss-fuzz Issue 20083 - -Project: samba -Fuzzing Engine: libFuzzer -Fuzz Target: fuzz_ndr_drsuapi_TYPE_OUT -Job Type: libfuzzer_asan_samba -Platform Id: linux - -Crash Type: Heap-buffer-overflow READ 1 -Crash Address: 0x6040000002fd -Crash State: - lzxpress_decompress - ndr_pull_compression_xpress_chunk - ndr_pull_compression_start - -Sanitizer: address (ASAN) - -Recommended Security Severity: Medium - -Credit to OSS-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - librpc/ndr/libndr.h | 5 +- - librpc/tests/test_ndr.c | 84 ++++++++++++++++++++++++++ - librpc/wscript_build | 8 +++ - python/samba/tests/blackbox/ndrdump.py | 13 ++++ - selftest/knownfail.d/bug-14236 | 1 + - source4/selftest/tests.py | 2 + - 6 files changed, 112 insertions(+), 1 deletion(-) - create mode 100644 librpc/tests/test_ndr.c - create mode 100644 selftest/knownfail.d/bug-14236 - -diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h -index 58ef517d363..b7cccf3dfc5 100644 ---- a/librpc/ndr/libndr.h -+++ b/librpc/ndr/libndr.h -@@ -309,7 +309,10 @@ enum ndr_compression_alg { - } while (0) - - #define NDR_PULL_NEED_BYTES(ndr, n) do { \ -- if (unlikely((n) > ndr->data_size || ndr->offset + (n) > ndr->data_size)) { \ -+ if (unlikely(\ -+ (n) > ndr->data_size || \ -+ ndr->offset + (n) > ndr->data_size || \ -+ ndr->offset + (n) < ndr->offset)) { \ - if (ndr->flags & LIBNDR_FLAG_INCOMPLETE_BUFFER) { \ - uint32_t _available = ndr->data_size - ndr->offset; \ - uint32_t _missing = n - _available; \ -diff --git a/librpc/tests/test_ndr.c b/librpc/tests/test_ndr.c -new file mode 100644 -index 00000000000..1c074d71023 ---- /dev/null -+++ b/librpc/tests/test_ndr.c -@@ -0,0 +1,84 @@ -+/* -+ * Tests for librpc ndr functions -+ * -+ * Copyright (C) Catalyst.NET Ltd 2020 -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ * -+ */ -+ -+/* -+ * from cmocka.c: -+ * These headers or their equivalents should be included prior to -+ * including -+ * this header file. -+ * -+ * #include -+ * #include -+ * #include -+ * -+ * This allows test applications to use custom definitions of C standard -+ * library functions and types. -+ * -+ */ -+#include -+#include -+#include -+#include -+#include -+ -+#include "librpc/ndr/libndr.h" -+ -+/* -+ * Test NDR_PULL_NEED_BYTES integer overflow handling. -+ */ -+static enum ndr_err_code wrap_NDR_PULL_NEED_BYTES( -+ struct ndr_pull *ndr, -+ uint32_t bytes) { -+ -+ NDR_PULL_NEED_BYTES(ndr, bytes); -+ return NDR_ERR_SUCCESS; -+} -+ -+static void test_NDR_PULL_NEED_BYTES(void **state) -+{ -+ struct ndr_pull ndr = {0}; -+ enum ndr_err_code err; -+ -+ ndr.data_size = UINT32_MAX; -+ ndr.offset = UINT32_MAX -1; -+ -+ /* -+ * This will not cause an overflow -+ */ -+ err = wrap_NDR_PULL_NEED_BYTES(&ndr, 1); -+ assert_int_equal(NDR_ERR_SUCCESS, err); -+ -+ /* -+ * This will cause an overflow -+ * and (offset + n) will be less than data_size -+ */ -+ err = wrap_NDR_PULL_NEED_BYTES(&ndr, 2); -+ assert_int_equal(NDR_ERR_BUFSIZE, err); -+} -+ -+int main(int argc, const char **argv) -+{ -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test(test_NDR_PULL_NEED_BYTES), -+ }; -+ -+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); -+ return cmocka_run_group_tests(tests, NULL, NULL); -+} -diff --git a/librpc/wscript_build b/librpc/wscript_build -index 5eb78e6010a8..ec8697fbcc58 100644 ---- a/librpc/wscript_build -+++ b/librpc/wscript_build -@@ -698,3 +698,11 @@ bld.SAMBA_BINARY('test_ndr_string', - ndr_nbt - ''', - for_selftest=True) -+ -+bld.SAMBA_BINARY('test_ndr', -+ source='tests/test_ndr.c', -+ deps=''' -+ cmocka -+ ndr -+ ''', -+ for_selftest=True) -diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py -index b3c837819b15..205519c3f8a6 100644 ---- a/python/samba/tests/blackbox/ndrdump.py -+++ b/python/samba/tests/blackbox/ndrdump.py -@@ -437,3 +437,16 @@ def test_fuzzed_drsuapi_DsGetNCChanges(self): - except BlackboxProcessError as e: - self.fail(e) - self.assertEqual(actual, expected) -+ -+ def test_ndrdump_fuzzed_ndr_compression(self): -+ expected = 'pull returned Buffer Size Error' -+ command = ( -+ "ndrdump drsuapi 3 out --base64-input " -+ "--input BwAAAAcAAAAGAAAAAwAgICAgICAJAAAAICAgIAkAAAAgIAAA//////8=") -+ try: -+ actual = self.check_exit_code(command, 2) -+ except BlackboxProcessError as e: -+ self.fail(e) -+ # check_output will return bytes -+ # convert expected to bytes for python 3 -+ self.assertRegex(actual.decode('utf8'), expected + '$') -diff --git a/selftest/knownfail.d/bug-14236 b/selftest/knownfail.d/bug-14236 -new file mode 100644 -index 00000000000..64b956997a6 ---- /dev/null -+++ b/selftest/knownfail.d/bug-14236 -@@ -0,0 +1 @@ -+^samba.tests.blackbox.ndrdump.samba.tests.blackbox.ndrdump.NdrDumpTests.test_ndrdump_fuzzed_ndr_compression -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index f570d35dfba..ab2c4f69da0 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -1334,6 +1334,8 @@ plantestsuite("libcli.drsuapi.repl_decrypt", "none", - [os.path.join(bindir(), "test_ldap_message")]) - plantestsuite("librpc.ndr.ndr_macros", "none", - [os.path.join(bindir(), "test_ndr_macros")]) -+plantestsuite("librpc.ndr.ndr", "none", -+ [os.path.join(bindir(), "test_ndr")]) - - # process restart and limit tests, these break the environment so need to run - # in their own specific environment --- -GitLab - diff --git a/backport-librpc-ndr-NDR_PULL_ALIGN-check-for-unsigned-overflow.patch b/backport-librpc-ndr-NDR_PULL_ALIGN-check-for-unsigned-overflow.patch deleted file mode 100644 index 3b737a1..0000000 --- a/backport-librpc-ndr-NDR_PULL_ALIGN-check-for-unsigned-overflow.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 6d05fb3ea772c3642624ec6e0fb4e8d099bcdb8e Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Wed, 22 Jan 2020 14:16:02 +1300 -Subject: [PATCH] librpc ndr: NDR_PULL_ALIGN check for unsigned overflow - -Handle uint32 overflow in NDR_PULL_ALIGN - -Credit to OSS-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14236 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - librpc/ndr/libndr.h | 7 +++++++ - selftest/knownfail.d/bug-14236 | 1 - - 2 files changed, 7 insertions(+), 1 deletion(-) - -diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h -index b7cccf3dfc5..c2c7e263049 100644 ---- a/librpc/ndr/libndr.h -+++ b/librpc/ndr/libndr.h -@@ -331,6 +331,13 @@ enum ndr_compression_alg { - if (unlikely(ndr->flags & LIBNDR_FLAG_PAD_CHECK)) { \ - ndr_check_padding(ndr, n); \ - } \ -+ if(unlikely( \ -+ ((ndr->offset + (n-1)) & (~(n-1))) < ndr->offset)) {\ -+ return ndr_pull_error( \ -+ ndr, \ -+ NDR_ERR_BUFSIZE, \ -+ "Pull align (overflow) %u", (unsigned)n); \ -+ } \ - ndr->offset = (ndr->offset + (n-1)) & ~(n-1); \ - } \ - if (unlikely(ndr->offset > ndr->data_size)) { \ --- -GitLab - diff --git a/backport-librpc-ndr-add-recursion-check-macros.patch b/backport-librpc-ndr-add-recursion-check-macros.patch deleted file mode 100644 index e65a3f2..0000000 --- a/backport-librpc-ndr-add-recursion-check-macros.patch +++ /dev/null @@ -1,277 +0,0 @@ -From ba518a1debbe2dd8231ba2fb9bbb07eef743d86f Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Thu, 30 Jan 2020 08:49:07 +1300 -Subject: [PATCH] librpc ndr: add recursion check macros - -Add macros to check the recursion depth. - -Credit to OSS-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19280 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - librpc/ndr/libndr.h | 37 ++++++++- - librpc/ndr/ndr.c | 2 + - librpc/tests/test_ndr_macros.c | 138 +++++++++++++++++++++++++++++++++ - librpc/wscript_build | 9 +++ - source4/selftest/tests.py | 2 + - 5 files changed, 187 insertions(+), 1 deletion(-) - create mode 100644 librpc/tests/test_ndr_macros.c - -diff --git a/librpc/ndr/libndr.h b/librpc/ndr/libndr.h -index 8d407c40e43..fd87db928ed 100644 ---- a/librpc/ndr/libndr.h -+++ b/librpc/ndr/libndr.h -@@ -79,6 +79,14 @@ struct ndr_pull { - /* this is used to ensure we generate unique reference IDs - between request and reply */ - uint32_t ptr_count; -+ uint32_t recursion_depth; -+ /* -+ * The global maximum depth for recursion. When set it overrides the -+ * value supplied by the max_recursion idl attribute. This is needed -+ * for fuzzing as ASAN uses a low threshold for stack depth to check -+ * for stack overflow. -+ */ -+ uint32_t global_max_recursion; - }; - - /* structure passed to functions that generate NDR formatted data */ -@@ -249,7 +257,9 @@ enum ndr_err_code { - NDR_ERR_UNREAD_BYTES, - NDR_ERR_NDR64, - NDR_ERR_FLAGS, -- NDR_ERR_INCOMPLETE_BUFFER -+ NDR_ERR_INCOMPLETE_BUFFER, -+ NDR_ERR_MAX_RECURSION_EXCEEDED, -+ NDR_ERR_UNDERFLOW - }; - - #define NDR_ERR_CODE_IS_SUCCESS(x) (x == NDR_ERR_SUCCESS) -@@ -357,6 +367,31 @@ enum ndr_compression_alg { - } \ - } while(0) - -+#define NDR_RECURSION_CHECK(ndr, d) do { \ -+ uint32_t _ndr_min_ = (d); \ -+ if (ndr->global_max_recursion && ndr->global_max_recursion < (d)) { \ -+ _ndr_min_ = ndr->global_max_recursion; \ -+ } \ -+ ndr->recursion_depth++; \ -+ if (unlikely(ndr->recursion_depth > _ndr_min_)) { \ -+ return ndr_pull_error( \ -+ ndr, \ -+ NDR_ERR_MAX_RECURSION_EXCEEDED, \ -+ "Depth of recursion exceeds (%u)", \ -+ (unsigned) d); \ -+ } \ -+} while (0) -+ -+#define NDR_RECURSION_UNWIND(ndr) do { \ -+ if (unlikely(ndr->recursion_depth == 0)) { \ -+ return ndr_pull_error( \ -+ ndr, \ -+ NDR_ERR_UNDERFLOW, \ -+ "ndr_pull.recursion_depth is 0"); \ -+ } \ -+ ndr->recursion_depth--; \ -+} while (0) -+ - /* these are used to make the error checking on each element in libndr - less tedious, hopefully making the code more readable */ - #define NDR_CHECK(call) do { \ -diff --git a/librpc/ndr/ndr.c b/librpc/ndr/ndr.c -index f96a0bca08b..afe22a28602 100644 ---- a/librpc/ndr/ndr.c -+++ b/librpc/ndr/ndr.c -@@ -1950,6 +1950,8 @@ static const struct { - { NDR_ERR_UNREAD_BYTES, "Unread Bytes" }, - { NDR_ERR_NDR64, "NDR64 assertion error" }, - { NDR_ERR_INCOMPLETE_BUFFER, "Incomplete Buffer" }, -+ { NDR_ERR_MAX_RECURSION_EXCEEDED, "Maximum Recursion Exceeded" }, -+ { NDR_ERR_UNDERFLOW, "Underflow" }, - { 0, NULL } - }; - -diff --git a/librpc/tests/test_ndr_macros.c b/librpc/tests/test_ndr_macros.c -new file mode 100644 -index 00000000000..0cd20d3e8f3 ---- /dev/null -+++ b/librpc/tests/test_ndr_macros.c -@@ -0,0 +1,138 @@ -+/* -+ * Tests for librpc ndr functions -+ * -+ * Copyright (C) Catalyst.NET Ltd 2020 -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 3 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program. If not, see . -+ * -+ */ -+ -+/* -+ * from cmocka.c: -+ * These headers or their equivalents should be included prior to -+ * including -+ * this header file. -+ * -+ * #include -+ * #include -+ * #include -+ * -+ * This allows test applications to use custom definitions of C standard -+ * library functions and types. -+ * -+ */ -+#include -+#include -+#include -+#include -+#include -+ -+#include "librpc/ndr/libndr.h" -+ -+/* -+ * Test NDR_RECURSION_CHECK. -+ */ -+static enum ndr_err_code wrap_NDR_RECURSION_CHECK( -+ struct ndr_pull *ndr, -+ uint32_t bytes) { -+ -+ NDR_RECURSION_CHECK(ndr, bytes); -+ return NDR_ERR_SUCCESS; -+} -+ -+static void test_NDR_RECURSION_CHECK(void **state) -+{ -+ struct ndr_pull ndr = {0}; -+ enum ndr_err_code err; -+ -+ -+ ndr.global_max_recursion = 0; -+ ndr.recursion_depth = 42; -+ err = wrap_NDR_RECURSION_CHECK(&ndr, 43); -+ assert_int_equal(NDR_ERR_SUCCESS, err); -+ assert_int_equal(43, ndr.recursion_depth); -+ -+ ndr.global_max_recursion = 0; -+ ndr.recursion_depth = 43; -+ err = wrap_NDR_RECURSION_CHECK(&ndr, 43); -+ assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err); -+ assert_int_equal(44, ndr.recursion_depth); -+ -+ ndr.global_max_recursion = 0; -+ ndr.recursion_depth = 44; -+ err = wrap_NDR_RECURSION_CHECK(&ndr, 43); -+ assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err); -+ assert_int_equal(45, ndr.recursion_depth); -+ -+ ndr.global_max_recursion = 5; -+ ndr.recursion_depth = 5; -+ err = wrap_NDR_RECURSION_CHECK(&ndr, 20); -+ assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err); -+ assert_int_equal(6, ndr.recursion_depth); -+ -+ ndr.global_max_recursion = 5; -+ ndr.recursion_depth = 4; -+ err = wrap_NDR_RECURSION_CHECK(&ndr, 20); -+ assert_int_equal(NDR_ERR_SUCCESS, err); -+ assert_int_equal(5, ndr.recursion_depth); -+ -+ ndr.global_max_recursion = 20; -+ ndr.recursion_depth = 5; -+ err = wrap_NDR_RECURSION_CHECK(&ndr, 5); -+ assert_int_equal(NDR_ERR_MAX_RECURSION_EXCEEDED, err); -+ assert_int_equal(6, ndr.recursion_depth); -+ -+ ndr.global_max_recursion = 20; -+ ndr.recursion_depth = 4; -+ err = wrap_NDR_RECURSION_CHECK(&ndr, 5); -+ assert_int_equal(NDR_ERR_SUCCESS, err); -+ assert_int_equal(5, ndr.recursion_depth); -+} -+ -+/* -+ * Test NDR_RECURSION_RETURN. -+ */ -+static enum ndr_err_code wrap_NDR_RECURSION_UNWIND( -+ struct ndr_pull *ndr) { -+ -+ NDR_RECURSION_UNWIND(ndr); -+ return NDR_ERR_SUCCESS; -+} -+ -+static void test_NDR_RECURSION_UNWIND(void **state) -+{ -+ struct ndr_pull ndr = {0}; -+ enum ndr_err_code err; -+ -+ ndr.recursion_depth = 5; -+ err = wrap_NDR_RECURSION_UNWIND(&ndr); -+ assert_int_equal(NDR_ERR_SUCCESS, err); -+ assert_int_equal(4, ndr.recursion_depth); -+ -+ ndr.recursion_depth = 0; -+ err = wrap_NDR_RECURSION_UNWIND(&ndr); -+ assert_int_equal(NDR_ERR_UNDERFLOW, err); -+ assert_int_equal(0, ndr.recursion_depth); -+ -+} -+int main(int argc, const char **argv) -+{ -+ const struct CMUnitTest tests[] = { -+ cmocka_unit_test(test_NDR_RECURSION_CHECK), -+ cmocka_unit_test(test_NDR_RECURSION_UNWIND), -+ }; -+ -+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); -+ return cmocka_run_group_tests(tests, NULL, NULL); -+} -diff --git a/librpc/wscript_build b/librpc/wscript_build -index ec8697fbcc5..f0bf7f7785e 100644 ---- a/librpc/wscript_build -+++ b/librpc/wscript_build -@@ -690,6 +690,14 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP_STATE', - # - # Cmocka tests - # -+bld.SAMBA_BINARY('test_ndr_macros', -+ source='tests/test_ndr_macros.c', -+ deps=''' -+ cmocka -+ ndr -+ ''', -+ for_selftest=True) -+ - bld.SAMBA_BINARY('test_ndr_string', - source='tests/test_ndr_string.c', - deps=''' -diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py -index 5cdb3d27b77..389a142db7d 100755 ---- a/source4/selftest/tests.py -+++ b/source4/selftest/tests.py -@@ -1346,6 +1346,8 @@ plantestsuite("librpc.ndr.ndr_string", "none", - [os.path.join(bindir(), "test_ndr_dns_nbt")]) - plantestsuite("libcli.ldap.ldap_message", "none", - [os.path.join(bindir(), "test_ldap_message")]) -+plantestsuite("librpc.ndr.ndr_macros", "none", -+ [os.path.join(bindir(), "test_ndr_macros")]) - - # process restart and limit tests, these break the environment so need to run - # in their own specific environment --- -GitLab - diff --git a/backport-lzxpress-add-bounds-checking-to-lzxpress_decompress.patch b/backport-lzxpress-add-bounds-checking-to-lzxpress_decompress.patch deleted file mode 100644 index 92dbaac..0000000 --- a/backport-lzxpress-add-bounds-checking-to-lzxpress_decompress.patch +++ /dev/null @@ -1,110 +0,0 @@ -From a97c78fb221a2f1aaca2effdb44c51e4f78ddd93 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Thu, 7 Nov 2019 10:03:36 +0100 -Subject: [PATCH] lzxpress: add bounds checking to lzxpress_decompress() - -lzxpress_decompress() would wander past the end of the array in -numerous locations. - -Credit to OSS-Fuzz. - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14190 -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19382 -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=20083 -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22485 -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22667 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Douglas Bagnall - -Autobuild-User(master): Douglas Bagnall -Autobuild-Date(master): Sun Aug 9 00:30:26 UTC 2020 on sn-devel-184 ---- - lib/compression/lzxpress.c | 32 ++++++++++++++++++++++++++++++-- - 1 file changed, 30 insertions(+), 2 deletions(-) - -diff --git a/lib/compression/lzxpress.c b/lib/compression/lzxpress.c -index 024aba4c2ce..d8326304455 100644 ---- a/lib/compression/lzxpress.c -+++ b/lib/compression/lzxpress.c -@@ -252,8 +252,24 @@ ssize_t lzxpress_decompress(const uint8_t *input, - offset = 0; - nibble_index = 0; - -+#define __CHECK_BYTES(__size, __index, __needed) do { \ -+ if (unlikely(__index >= __size)) { \ -+ return -1; \ -+ } else { \ -+ uint32_t __avail = __size - __index; \ -+ if (unlikely(__needed > __avail)) { \ -+ return -1; \ -+ } \ -+ } \ -+} while(0) -+#define CHECK_INPUT_BYTES(__needed) \ -+ __CHECK_BYTES(input_size, input_index, __needed) -+#define CHECK_OUTPUT_BYTES(__needed) \ -+ __CHECK_BYTES(max_output_size, output_index, __needed) -+ - do { - if (indicator_bit == 0) { -+ CHECK_INPUT_BYTES(4); - indicator = PULL_LE_UINT32(input, input_index); - input_index += sizeof(uint32_t); - indicator_bit = 32; -@@ -266,10 +282,13 @@ ssize_t lzxpress_decompress(const uint8_t *input, - * check whether the 4th bit of the value in indicator is set - */ - if (((indicator >> indicator_bit) & 1) == 0) { -+ CHECK_INPUT_BYTES(1); -+ CHECK_OUTPUT_BYTES(1); - output[output_index] = input[input_index]; - input_index += sizeof(uint8_t); - output_index += sizeof(uint8_t); - } else { -+ CHECK_INPUT_BYTES(2); - length = PULL_LE_UINT16(input, input_index); - input_index += sizeof(uint16_t); - offset = length / 8; -@@ -277,6 +296,7 @@ ssize_t lzxpress_decompress(const uint8_t *input, - - if (length == 7) { - if (nibble_index == 0) { -+ CHECK_INPUT_BYTES(1); - nibble_index = input_index; - length = input[input_index] % 16; - input_index += sizeof(uint8_t); -@@ -286,9 +306,11 @@ ssize_t lzxpress_decompress(const uint8_t *input, - } - - if (length == 15) { -+ CHECK_INPUT_BYTES(1); - length = input[input_index]; - input_index += sizeof(uint8_t); - if (length == 255) { -+ CHECK_INPUT_BYTES(2); - length = PULL_LE_UINT16(input, input_index); - input_index += sizeof(uint16_t); - length -= (15 + 7); -@@ -299,10 +321,16 @@ ssize_t lzxpress_decompress(const uint8_t *input, - } - - length += 3; -+ if (length == 0) { -+ return -1; -+ } - -- do { -- if ((output_index >= max_output_size) || ((offset + 1) > output_index)) break; -+ if (offset >= output_index) { -+ return -1; -+ } -+ CHECK_OUTPUT_BYTES(length); - -+ do { - output[output_index] = output[output_index - offset - 1]; - - output_index += sizeof(uint8_t); --- -GitLab - diff --git a/backport-lzxpress-avoid-technically-undefined-shift.patch b/backport-lzxpress-avoid-technically-undefined-shift.patch deleted file mode 100644 index 4446971..0000000 --- a/backport-lzxpress-avoid-technically-undefined-shift.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 0c461f3bd589764c496b530f698e313df50667e6 Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Thu, 6 Aug 2020 17:17:01 +1200 -Subject: [PATCH] lzxpress: avoid technically undefined shift - -UBSAN: - - runtime error: left shift of 1 by 31 places cannot be represented in type 'int' - -Credit to OSS-fuzz. - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22283 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Gary Lockyer - -Autobuild-User(master): Jeremy Allison -Autobuild-Date(master): Mon Aug 31 22:31:13 UTC 2020 on sn-devel-184 ---- - lib/compression/lzxpress.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/compression/lzxpress.c b/lib/compression/lzxpress.c -index d8326304455c..3453dd36f2aa 100644 ---- a/lib/compression/lzxpress.c -+++ b/lib/compression/lzxpress.c -@@ -180,7 +180,7 @@ ssize_t lzxpress_compress(const uint8_t *uncompressed, - } - } - -- indic |= 1 << (32 - ((indic_bit % 32) + 1)); -+ indic |= 1U << (32 - ((indic_bit % 32) + 1)); - - if (best_len > 9) { - if (nibble_index == 0) { diff --git a/backport-pidl-Add-recursive-depth-checks.patch b/backport-pidl-Add-recursive-depth-checks.patch deleted file mode 100644 index 0007965..0000000 --- a/backport-pidl-Add-recursive-depth-checks.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 5d323f2a2e36c23a007d93394f25df0f3d30942d Mon Sep 17 00:00:00 2001 -From: Gary Lockyer -Date: Thu, 30 Jan 2020 08:51:47 +1300 -Subject: [PATCH] pidl: Add recursive depth checks. - -Add new parameter to elements "max_recursion" and modify pidl to call -NDR_RECURSION_CHECK and NDR_RECURSION_UNWIND for element tagged with -that attribute. - -Credit to OSS-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=19820 -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14254 - -Signed-off-by: Gary Lockyer -Reviewed-by: Andrew Bartlett ---- - pidl/lib/Parse/Pidl/NDR.pm | 1 + - pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm | 7 +++++++ - 2 files changed, 8 insertions(+) - -diff --git a/pidl/lib/Parse/Pidl/NDR.pm b/pidl/lib/Parse/Pidl/NDR.pm -index 44338a1298d8..d17d0b404ed0 100644 ---- a/pidl/lib/Parse/Pidl/NDR.pm -+++ b/pidl/lib/Parse/Pidl/NDR.pm -@@ -1101,6 +1101,7 @@ my %property_list = ( - "gensize" => ["TYPEDEF", "STRUCT", "UNION"], - "value" => ["ELEMENT"], - "flag" => ["ELEMENT", "TYPEDEF", "STRUCT", "UNION", "ENUM", "BITMAP", "PIPE"], -+ "max_recursion" => ["ELEMENT"], - - # generic - "public" => ["FUNCTION", "TYPEDEF", "STRUCT", "UNION", "ENUM", "BITMAP", "PIPE"], -diff --git a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm -index 0d58cb5f03d5..119590f66969 100644 ---- a/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm -+++ b/pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm -@@ -993,7 +993,14 @@ sub ParseDataPull($$$$$$$) - - $var_name = get_pointer_to($var_name); - -+ if (my $depth = has_property($e, "max_recursion")) { -+ my $d = parse_int($depth); -+ $self->pidl("NDR_RECURSION_CHECK($ndr, $d);"); -+ } - $self->pidl("NDR_CHECK(".TypeFunctionName("ndr_pull", $l->{DATA_TYPE})."($ndr, $ndr_flags, $var_name));"); -+ if (has_property($e, "max_recursion")) { -+ $self->pidl("NDR_RECURSION_UNWIND($ndr);"); -+ } - - my $pl = GetPrevLevel($e, $l); - diff --git a/backport-utils-asn1-avoid-undefined-behaviour.patch b/backport-utils-asn1-avoid-undefined-behaviour.patch deleted file mode 100644 index 5f2278b..0000000 --- a/backport-utils-asn1-avoid-undefined-behaviour.patch +++ /dev/null @@ -1,38 +0,0 @@ -From ed9abf94b3167a1a61b5da163e9b07b06c8a457b Mon Sep 17 00:00:00 2001 -From: Douglas Bagnall -Date: Sun, 6 Sep 2020 09:35:49 +1200 -Subject: [PATCH] utils/asn1: avoid undefined behaviour warning - -UBSAN does not like an int >= 1<<24 being shifted left. -We check the overflow in the very next line. - -Credit to OSS-Fuzz. - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=25436 - -Signed-off-by: Douglas Bagnall -Reviewed-by: Andrew Bartlett - -Autobuild-User(master): Andrew Bartlett -Autobuild-Date(master): Fri Sep 11 05:05:59 UTC 2020 on sn-devel-184 ---- - lib/util/asn1.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/lib/util/asn1.c b/lib/util/asn1.c -index 6b1b4bc2877f..9ab9e1b08449 100644 ---- a/lib/util/asn1.c -+++ b/lib/util/asn1.c -@@ -1071,7 +1071,11 @@ bool asn1_read_enumerated(struct asn1_data *data, int *v) - if (!asn1_read_uint8(data, &b)) { - return false; - } -- *v = (*v << 8) + b; -+ /* -+ * To please/fool the Undefined Behaviour Sanitizer we cast to -+ * unsigned for the left shift. -+ */ -+ *v = ((unsigned int)*v << 8) + b; - } - return asn1_end_tag(data); - } diff --git a/backport-witness-idl-fix-length-calculation-for-witness_IPaddrInfoList.patch b/backport-witness-idl-fix-length-calculation-for-witness_IPaddrInfoList.patch deleted file mode 100644 index d3eb512..0000000 --- a/backport-witness-idl-fix-length-calculation-for-witness_IPaddrInfoList.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 8cce23acb9f9bdde8bff3c3a7ffa83361e3a64a6 Mon Sep 17 00:00:00 2001 -From: Stefan Metzmacher -Date: Fri, 31 Jul 2020 11:27:25 +0200 -Subject: [PATCH] witness.idl: fix length calculation for - witness_IPaddrInfoList - -If r->num is 0, we should not dereference r->addr. - -Using ndr_size_witness_IPaddrInfoList() also make this much simpler -and avoids the magic 12. - -Credit Oss-Fuzz - -REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=22175 -REF: https://oss-fuzz.com/testcase-detail/5686294157197312 - -BUG: https://bugzilla.samba.org/show_bug.cgi?id=14452 - -Signed-off-by: Stefan Metzmacher -Reviewed-by: Samuel Cabrero ---- - librpc/idl/witness.idl | 6 +++--- - source4/torture/ndr/witness.c | 24 ------------------------ - 2 files changed, 3 insertions(+), 27 deletions(-) - -diff --git a/librpc/idl/witness.idl b/librpc/idl/witness.idl -index e230a5ea709..652c0e9cb65 100644 ---- a/librpc/idl/witness.idl -+++ b/librpc/idl/witness.idl -@@ -98,14 +98,14 @@ interface witness - WITNESS_IPADDR_OFFLINE = 0x10 - } witness_IPaddrInfo_flags; - -- typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize] struct { -+ typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] struct { - witness_IPaddrInfo_flags flags; - [flag(NDR_BIG_ENDIAN)] ipv4address ipv4; - [flag(NDR_BIG_ENDIAN)] ipv6address ipv6; - } witness_IPaddrInfo; - -- typedef [flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN)] struct { -- [value(12+(r->num*ndr_size_witness_IPaddrInfo(r->addr, ndr->flags)))] uint32 length; -+ typedef [public,flag(NDR_NOALIGN|NDR_LITTLE_ENDIAN),gensize] struct { -+ [value(ndr_size_witness_IPaddrInfoList(r, ndr->flags))] uint32 length; - [value(0)] uint32 reserved; - uint32 num; - witness_IPaddrInfo addr[num]; --- -GitLab - diff --git a/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg b/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg deleted file mode 100644 index a61ebc4..0000000 Binary files a/gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg and /dev/null differ diff --git a/samba-4.12.5.tar.asc b/samba-4.12.5.tar.asc deleted file mode 100644 index ec3af40..0000000 --- a/samba-4.12.5.tar.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iHMEABECADMWIQRS+8C4bZVLCEMyTNxvM5FbZWi36gUCXv3BXhUcc2FtYmEtYnVn -c0BzYW1iYS5vcmcACgkQbzORW2Vot+quPwCcDfpwxTo7ZDrFD768SgWqRmKI/+QA -oJqPMNOtzBJYbxVbKY+OyCqwQ2Zl -=2OtH ------END PGP SIGNATURE----- diff --git a/samba-4.15.3.tar.asc b/samba-4.15.3.tar.asc new file mode 100644 index 0000000..dbc01c2 --- /dev/null +++ b/samba-4.15.3.tar.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmGww0kACgkQqplEL7aA +tiCzMg/+IzBD53oeYFSSt6V9o1ZhD/7bL425n/7Ea2iLaHkOEQWN3AgKV7h1rdSb +tS/Ys3xUf9LB1ZVkXbu17oWj5pG8aWcp6Ky80uXHycZ5X0/fcHegSU5SIyUfLs0F +d3BXvFWkPIy8H9a55wFTpJte2ofRoFqWUG4MAlOq83ummnmrz0W5j6QcufVIRjWq +hGMbg8Vjk+UEtKNO7fl8iSQ0ZRyXCkBR3biDBtMbvtoluaVkixxwwSPqgDoNXgju +ox2EbVfHLSHc+7Tb30uKQq/mf3uhf6ASIrajNVrXotK1fgpCCKnMLb9qRHEftttY +DwYKQvsrHCw9vYg/xyO2NOBr82mxjE6NBLsV1Kp8pdc4vInmAqOCsQpOuZ0SgO6u +sZk4c5AkfH7pZtHeNtlefiGe8/7ApU6UC6kkXT3mnLBtWKMBte9/NR6ZgCLle7tV +aAx6Io9j/rAeueRRgIK98bzxXSufjtFyNmM+Qr7IXnFHtJNM919ib4pr5DzpGwAc ++FMG0LfmU0XiUXcbw/IZ3AOD2DBwZC58ZezO3alUS8eRqNTP13v3Uhg9F78+eyah +Wbohx05Y4MA1ywtMd8z/dZn97nw3bw+z6fLNC//1Sq1qo1fXipaoSQW1LK9IHeVO +cV7cvd2c16p7NN3Op+34QY7Nc7b1uhtTV3v3tiEQYR/uQx+tyz8= +=fu6B +-----END PGP SIGNATURE----- diff --git a/samba-4.12.5.tar.gz b/samba-4.15.3.tar.gz similarity index 64% rename from samba-4.12.5.tar.gz rename to samba-4.15.3.tar.gz index 252e7fe..10c234e 100644 Binary files a/samba-4.12.5.tar.gz and b/samba-4.15.3.tar.gz differ diff --git a/samba-pubkey_AA99442FB680B620.gpg b/samba-pubkey_AA99442FB680B620.gpg new file mode 100644 index 0000000..c901409 Binary files /dev/null and b/samba-pubkey_AA99442FB680B620.gpg differ diff --git a/samba.spec b/samba.spec index db56458..aeb6941 100644 --- a/samba.spec +++ b/samba.spec @@ -3,10 +3,10 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version }\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") -%define talloc_version 2.3.1 -%define tdb_version 1.4.3 -%define tevent_version 0.10.2 -%define ldb_version 2.1.4 +%global talloc_version 2.3.3 +%global tdb_version 1.4.4 +%global tevent_version 0.11.0 +%global ldb_version 2.4.1 %undefine _strict_symbol_defs_build @@ -32,7 +32,7 @@ %global with_dc 1 %endif -%global required_mit_krb5 1.18 +%global required_mit_krb5 1.19 %global with_clustering_support 0 @@ -45,11 +45,11 @@ %global with_vfs_io_uring 0 %global _systemd_extra "Environment=KRB5CCNAME=FILE:/run/samba/krb5cc_samba" -%define samba_depver %{version}-%{release} +%global samba_depver %{version}-%{release} Name: samba -Version: 4.12.5 -Release: 9 +Version: 4.15.3 +Release: 2 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ @@ -57,7 +57,7 @@ URL: https://www.samba.org Source0: https://download.samba.org/pub/samba/stable/%{name}-%{version}.tar.gz Source1: https://download.samba.org/pub/samba/stable/%{name}-%{version}.tar.asc -Source2: gpgkey-52FBC0B86D954B0843324CDC6F33915B6568B7EA.gpg +Source2: samba-pubkey_AA99442FB680B620.gpg Source3: samba.logrotate Source4: smb.conf.vendor Source5: smb.conf.example @@ -66,35 +66,16 @@ Source7: samba.pamd Source201: README.downgrade -Patch0: CVE-2020-1472.patch -Patch1: 0001-CVE-2020-14383.patch -Patch2: 0002-CVE-2020-14383.patch -Patch3: CVE-2020-14318.patch -Patch4: CVE-2020-14323.patch -Patch5: CVE-2021-20277.patch -Patch6: CVE-2020-27840.patch -Patch7: CVE-2021-20254.patch -Patch8: backport-CVE-2021-3671.patch -Patch9: backport-lzxpress-add-bounds-checking-to-lzxpress_decompress.patch -Patch10: backport-librpc-ndr-NDR_PULL_ALIGN-check-for-unsigned-overflow.patch -Patch11: backport-librpc-ndr-add-recursion-check-macros.patch -Patch12: backport-librpc-ndr-Heap-buffer-overflow-in-lzxpress_decompress.patch -Patch13: backport-pidl-Add-recursive-depth-checks.patch -Patch14: backport-idl-drsuapi_DsaAddressListItem_V1-limit-recursion.patch -Patch15: backport-idl-limit-recurion-on-recursive-elements.patch -Patch16: backport-lib-ldb-Limit-depth-of-ldb_parse_tree.patch -Patch17: backport-witness-idl-fix-length-calculation-for-witness_IPaddrInfoList.patch -Patch18: backport-lzxpress-avoid-technically-undefined-shift.patch -Patch19: backport-utils-asn1-avoid-undefined-behaviour.patch -Patch20: backport-fix-undefined-shift-in-put_res_rec.patch - -BuildRequires: avahi-devel bison cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel +BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel -BuildRequires: libcap-devel libicu-devel libcmocka-devel libnsl2-devel libtirpc-devel libuuid-devel libxslt lmdb ncurses-devel openldap-devel +BuildRequires: libcap-devel libicu-devel libcmocka-devel libtirpc-devel libuuid-devel libxslt lmdb ncurses-devel openldap-devel BuildRequires: pam-devel perl-interpreter perl-generators perl(Archive::Tar) perl(Test::More) popt-devel python3-devel python3-setuptools quota-devel -BuildRequires: readline-devel rpcgen rpcsvc-proto-devel sed libtasn1-devel libtasn1-tools xfsprogs-devel xz zlib-devel >= 1.2.3 +BuildRequires: readline-devel rpcgen rpcsvc-proto-devel sed libtasn1-devel libtasn1-tools xfsprogs-devel xz zlib-devel >= 1.2.3 python3-dns BuildRequires: gcc BuildRequires: chrpath +%if %{?openEuler:1}0 +BuildRequires: cups-devel +%endif %if %{with_winexe} BuildRequires: mingw32-gcc @@ -104,7 +85,7 @@ BuildRequires: mingw64-gcc BuildRequires: pkgconfig(libsystemd) %if %{with_vfs_glusterfs} -BuildRequires: glusterfs-api-devel >= 3.4.0.16 glusterfs-devel >= 3.4.0.16 +BuildRequires: glusterfs-api-devel >= 3.4.0.16 glusterfs-devel >= 3.4.0.16 libgfapi0 %endif %if %{with_vfs_cephfs} @@ -112,7 +93,7 @@ BuildRequires: libcephfs-devel %endif %if %{with_dc} -BuildRequires: python3-iso8601 bind krb5-server >= %{required_mit_krb5} +BuildRequires: python3-iso8601 bind krb5-server >= %{required_mit_krb5} python3-pyasn1 %endif BuildRequires: perl(ExtUtils::MakeMaker) perl(FindBin) perl(Parse::Yapp) libtalloc-devel >= %{talloc_version} python3-talloc-devel >= %{talloc_version} @@ -122,7 +103,7 @@ BuildRequires: libtdb-devel >= %{tdb_version} python3-tdb >= %{tdb_version} BuildRequires: libldb-devel >= %{ldb_version} python3-ldb-devel >= %{ldb_version} %if %{with testsuite} || %{with_dc} -BuildRequires: ldb-tools tdb-tools python3-gpg python3-markdown +BuildRequires: ldb-tools tdb-tools python3-gpg python3-markdown python3-cryptography %endif %if %{with_vfs_io_uring} @@ -203,6 +184,14 @@ Obsoletes: samba4-common < %{samba_depver} %{name}-common-libs This package contains some common basic files needed by %{name} client and server. +# ctdb-tests package has been dropped if we do not build the testsuite +%if %with_clustering_support +%if %{without testsuite} +Obsoletes: ctdb-tests < %{samba_depver} +# endif without testsuite +%endif +# endif with clustering support +%endif %package common-tools Summary: Tools package for %{name} @@ -495,6 +484,7 @@ projects to store temporary data. If an application is already using TDB for temporary data it is very easy to convert that application to be cluster aware and use CTDB instead. +%if %{with testsuite} ### CTDB-TEST %package -n ctdb-tests Summary: The test package fors CTDB clustered database @@ -508,6 +498,9 @@ Obsoletes: ctdb-devel < %{samba_depver} %description -n ctdb-tests This package contains the test suite for CTDB clustered database. +#endif with testsuite +%endif +#endif with clustering %endif %package help @@ -560,6 +553,13 @@ export LDFLAGS="%{__global_ldflags} -fuse-ld=gold" %configure \ --enable-fhs \ +%if %{?openEuler:1}0 + --enable-cups \ + --enable-iprint \ +%else + --disable-cups \ + --disable-iprint \ +%endif --with-piddir=/run \ --with-sockets-dir=/run/samba \ --with-modulesdir=%{_libdir}/samba \ @@ -624,7 +624,6 @@ install -d -m 0755 %{buildroot}/var/lib/samba/scripts install -d -m 0755 %{buildroot}/var/lib/samba/sysvol install -d -m 0755 %{buildroot}/var/lib/samba/winbindd_privileged install -d -m 0755 %{buildroot}/var/log/samba/old -install -d -m 0755 %{buildroot}/var/spool/samba install -d -m 0755 %{buildroot}/run/samba install -d -m 0755 %{buildroot}/run/winbindd install -d -m 0755 %{buildroot}/%{_libdir}/samba @@ -641,8 +640,9 @@ then exit -1 fi - +%if %{?openEuler:1}0 touch %{buildroot}%{_libexecdir}/samba/cups_backend_smb +%endif # Install other stuff install -d -m 0755 %{buildroot}%{_sysconfdir}/logrotate.d @@ -719,7 +719,9 @@ chrpath -d %{buildroot}%{python3_sitearch}/%{name}/samba3/*.so* chrpath -d %{buildroot}%{python3_sitearch}/%{name}/dcerpc/*.so* find %{buildroot}%{_libexecdir}/ctdb -type f ! -name ctdb_lvs ! -name ctdb_natgw| xargs chrpath -d +%if %{?openEuler:1}0 chrpath -d %{buildroot}%{_libexecdir}/%{name}/smbspool_krb5_wrapper +%endif chrpath -d %{buildroot}%{_bindir}/rpcclient chrpath -d %{buildroot}%{_bindir}/smbclient chrpath -d %{buildroot}%{_bindir}/regshell @@ -751,7 +753,6 @@ chrpath -d %{buildroot}%{_bindir}/masktest chrpath -d %{buildroot}%{_bindir}/ndrdump chrpath -d %{buildroot}%{_bindir}/locktest chrpath -d %{buildroot}%{_bindir}/gentest -chrpath -d %{buildroot}%{_bindir}/mdfind chrpath -d %{buildroot}%{_bindir}/wbinfo chrpath -d %{buildroot}%{_bindir}/ntlm_auth chrpath -d %{buildroot}%{_bindir}/ltdbtool @@ -770,7 +771,6 @@ echo "%{_libdir}/%{name}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %if ! %with_dc for i in \ %{_libdir}/samba/libdfs-server-ad-samba4.so \ - %{_libdir}/samba/libdnsserver-common-samba4.so \ %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so \ %{_libdir}/samba/libscavenge-dns-records-samba4.so \ %{_libdir}/samba/ldb/ildap.so \ @@ -899,15 +899,19 @@ fi %post client /sbin/ldconfig +%if %{?openEuler:1}0 %{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \ cups_backend_smb \ %{_bindir}/smbspool 10 +%endif %postun client /sbin/ldconfig +%if %{?openEuler:1}0 if [ $1 -eq 0 ] ; then %{_sbindir}/update-alternatives --remove cups_backend_smb %{_bindir}/smbspool fi +%endif %if %{with_dc} %ldconfig_scriptlets -n python3-samba-dc @@ -929,15 +933,19 @@ fi %endif %post krb5-printing +%if %{?openEuler:1}0 %{_sbindir}/update-alternatives --install %{_libexecdir}/samba/cups_backend_smb \ cups_backend_smb \ %{_libexecdir}/samba/smbspool_krb5_wrapper 50 +%endif /sbin/ldconfig %postun krb5-printing +%if %{?openEuler:1}0 if [ $1 -eq 0 ] ; then %{_sbindir}/update-alternatives --remove cups_backend_smb %{_libexecdir}/samba/smbspool_krb5_wrapper fi +%endif /sbin/ldconfig %ldconfig_scriptlets libs @@ -1117,15 +1125,16 @@ fi %{_libdir}/samba/vfs/time_audit.so %{_libdir}/samba/vfs/unityed_media.so %{_libdir}/samba/vfs/virusfilter.so +%{_libdir}/samba/vfs/widelinks.so %{_libdir}/samba/vfs/worm.so %{_libdir}/samba/vfs/xattr_tdb.so +%{_libexecdir}/samba/samba-bgqd %dir %{_datadir}/samba %dir %{_datadir}/samba/mdssvc %{_datadir}/samba/mdssvc/elasticsearch_mappings.json %{_unitdir}/nmb.service %{_unitdir}/smb.service -%attr(1777,root,root) %dir /var/spool/samba %dir %{_sysconfdir}/openldap/schema %config %{_sysconfdir}/openldap/schema/samba.schema %config(noreplace) %{_sysconfdir}/pam.d/samba @@ -1141,6 +1150,7 @@ fi %{_libdir}/samba/libauth4-samba4.so %{_libdir}/samba/libauth-unix-token-samba4.so %{_libdir}/samba/libdcerpc-samba4.so +%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libshares-samba4.so %{_libdir}/samba/libsmbpasswdparser-samba4.so %{_libdir}/samba/libxattr-tdb-samba4.so @@ -1151,9 +1161,8 @@ fi %{_bindir}/cifsdd %{_bindir}/dbwrap_tool %{_bindir}/dumpmscat -%{_bindir}/findsmb %{_bindir}/mvxattr -%{_bindir}/mdfind +%{_bindir}/mdsearch %{_bindir}/nmblookup %{_bindir}/oLschema2ldif %{_bindir}/regdiff @@ -1171,8 +1180,10 @@ fi %{_bindir}/smbspool %{_bindir}/smbtar %{_bindir}/smbtree +%if %{?openEuler:1}0 %dir %{_libexecdir}/samba %ghost %{_libexecdir}/samba/cups_backend_smb +%endif %{_libdir}/libdcerpc-binding.so.* @@ -1211,10 +1222,10 @@ fi %{_libdir}/samba/libclidns-samba4.so %{_libdir}/samba/libcluster-samba4.so %{_libdir}/samba/libcmdline-contexts-samba4.so -%{_libdir}/samba/libcmdline-credentials-samba4.so %{_libdir}/samba/libcommon-auth-samba4.so %{_libdir}/samba/libctdb-event-client-samba4.so %{_libdir}/samba/libdbwrap-samba4.so +%{_libdir}/samba/libdcerpc-pkt-auth-samba4.so %{_libdir}/samba/libdcerpc-samba-samba4.so %{_libdir}/samba/libevents-samba4.so %{_libdir}/samba/libflag-mapping-samba4.so @@ -1259,7 +1270,6 @@ fi %{_libdir}/samba/libsmb-transport-samba4.so %{_libdir}/samba/libsmbclient-raw-samba4.so %{_libdir}/samba/libsmbd-base-samba4.so -%{_libdir}/samba/libsmbd-conn-samba4.so %{_libdir}/samba/libsmbd-shim-samba4.so %{_libdir}/samba/libsmbldaphelper-samba4.so %{_libdir}/samba/libsys-rw-samba4.so @@ -1270,7 +1280,6 @@ fi %{_libdir}/samba/libtime-basic-samba4.so %{_libdir}/samba/libtorture-samba4.so %{_libdir}/samba/libtrusts-util-samba4.so -%{_libdir}/samba/libutil-cmdline-samba4.so %{_libdir}/samba/libutil-reg-samba4.so %{_libdir}/samba/libutil-setid-samba4.so %{_libdir}/samba/libutil-tdb-samba4.so @@ -1304,8 +1313,7 @@ fi %config(noreplace) %{_sysconfdir}/samba/lmhosts %config(noreplace) %{_sysconfdir}/sysconfig/samba -%{_libdir}/samba/libpopt-samba3-cmdline-samba4.so -%{_libdir}/samba/libpopt-samba3-samba4.so +%{_libdir}/samba/libcmdline-samba4.so %dir %{_libdir}/samba/ldb @@ -1319,6 +1327,7 @@ fi %{_bindir}/net %{_bindir}/pdbedit %{_bindir}/profiles +%{_bindir}/samba-tool %{_bindir}/smbcontrol %{_bindir}/smbpasswd %{_bindir}/testparm @@ -1327,7 +1336,6 @@ fi %if %{with_dc} %files dc %{_unitdir}/samba.service -%{_bindir}/samba-tool %{_sbindir}/samba %{_sbindir}/samba_dnsupdate %{_sbindir}/samba_downgrade_db @@ -1418,7 +1426,6 @@ fi %{_libdir}/samba/service/winbindd.so %{_libdir}/samba/service/wrepl.so %{_libdir}/libdcerpc-server.so.* -%{_libdir}/samba/libdnsserver-common-samba4.so %{_libdir}/samba/libdsdb-module-samba4.so %{_libdir}/samba/libdsdb-garbage-collect-tombstones-samba4.so %{_libdir}/samba/libscavenge-dns-records-samba4.so @@ -1427,11 +1434,11 @@ fi %files dc-bind-dlz %attr(770,root,named) %dir /var/lib/samba/bind-dns %dir %{_libdir}/samba/bind9 -%{_libdir}/samba/bind9/dlz_bind9.so -%{_libdir}/samba/bind9/dlz_bind9_9.so %{_libdir}/samba/bind9/dlz_bind9_10.so %{_libdir}/samba/bind9/dlz_bind9_11.so %{_libdir}/samba/bind9/dlz_bind9_12.so +%{_libdir}/samba/bind9/dlz_bind9_14.so +%{_libdir}/samba/bind9/dlz_bind9_16.so %config(noreplace) /etc/ld.so.conf.d/* #endif with_dc %endif @@ -1503,7 +1510,6 @@ fi %dir %{_includedir}/samba-4.0/util %{_includedir}/samba-4.0/util/attr.h %{_includedir}/samba-4.0/util/blocking.h -%{_includedir}/samba-4.0/util/byteorder.h %{_includedir}/samba-4.0/util/data_blob.h %{_includedir}/samba-4.0/util/debug.h %{_includedir}/samba-4.0/util/discard.h @@ -1512,7 +1518,6 @@ fi %{_includedir}/samba-4.0/util/idtree.h %{_includedir}/samba-4.0/util/idtree_random.h %{_includedir}/samba-4.0/util/signal.h -%{_includedir}/samba-4.0/util/string_wrappers.h %{_includedir}/samba-4.0/util/substitute.h %{_includedir}/samba-4.0/util/tevent_ntstatus.h %{_includedir}/samba-4.0/util/tevent_unix.h @@ -1578,7 +1583,9 @@ fi %endif %files krb5-printing +%if %{?openEuler:1}0 %attr(0700,root,root) %{_libexecdir}/samba/smbspool_krb5_wrapper +%endif %config(noreplace) /etc/ld.so.conf.d/* %if %with_libsmbclient @@ -1638,6 +1645,7 @@ fi %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/Template.pm %dir %{perl_vendorlib}/Parse/Pidl/Samba4/NDR %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Server.pm +%attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/ServerCompat.pm %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Client.pm %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/NDR/Parser.pm %attr(644,root,root) %{perl_vendorlib}/Parse/Pidl/Samba4/TDR.pm @@ -1652,14 +1660,19 @@ fi %{python3_sitearch}/samba/__pycache__/auth_util.*.pyc %{python3_sitearch}/samba/__pycache__/colour.*.pyc %{python3_sitearch}/samba/__pycache__/common.*.pyc -%{python3_sitearch}/samba/__pycache__/compat.*.pyc %{python3_sitearch}/samba/__pycache__/dbchecker.*.pyc %{python3_sitearch}/samba/__pycache__/descriptor.*.pyc +%{python3_sitearch}/samba/__pycache__/dnsresolver.*.pyc %{python3_sitearch}/samba/__pycache__/drs_utils.*.pyc %{python3_sitearch}/samba/__pycache__/getopt.*.pyc %{python3_sitearch}/samba/__pycache__/gpclass.*.pyc %{python3_sitearch}/samba/__pycache__/gp_ext_loader.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_gnome_settings_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_msgs_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_scripts_ext.*.pyc %{python3_sitearch}/samba/__pycache__/gp_sec_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_smb_conf_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/gp_sudoers_ext.*.pyc %{python3_sitearch}/samba/__pycache__/graph.*.pyc %{python3_sitearch}/samba/__pycache__/hostconfig.*.pyc %{python3_sitearch}/samba/__pycache__/idmap.*.pyc @@ -1674,8 +1687,17 @@ fi %{python3_sitearch}/samba/__pycache__/sites.*.pyc %{python3_sitearch}/samba/__pycache__/subnets.*.pyc %{python3_sitearch}/samba/__pycache__/tdb_util.*.pyc +%{python3_sitearch}/samba/__pycache__/trust_utils.*.pyc %{python3_sitearch}/samba/__pycache__/upgrade.*.pyc %{python3_sitearch}/samba/__pycache__/upgradehelpers.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_access_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_files_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_issue_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_motd_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_openssh_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_startup_scripts_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_sudoers_ext.*.pyc +%{python3_sitearch}/samba/__pycache__/vgp_symlink_ext.*.pyc %{python3_sitearch}/samba/__pycache__/xattr.*.pyc %{python3_sitearch}/samba/_glue.*.so %{python3_sitearch}/samba/_ldb.*.so @@ -1684,7 +1706,6 @@ fi %{python3_sitearch}/samba/dbchecker.py %{python3_sitearch}/samba/colour.py %{python3_sitearch}/samba/common.py -%{python3_sitearch}/samba/compat.py %{python3_sitearch}/samba/credentials.*.so %{python3_sitearch}/samba/crypto.*.so %dir %{python3_sitearch}/samba/dcerpc @@ -1705,6 +1726,7 @@ fi %{python3_sitearch}/samba/dcerpc/idmap.*.so %{python3_sitearch}/samba/dcerpc/initshutdown.*.so %{python3_sitearch}/samba/dcerpc/irpc.*.so +%{python3_sitearch}/samba/dcerpc/krb5ccache.*.so %{python3_sitearch}/samba/dcerpc/krb5pac.*.so %{python3_sitearch}/samba/dcerpc/lsa.*.so %{python3_sitearch}/samba/dcerpc/messaging.*.so @@ -1731,10 +1753,15 @@ fi %{python3_sitearch}/samba/dcerpc/wkssvc.*.so %{python3_sitearch}/samba/dcerpc/xattr.*.so %{python3_sitearch}/samba/descriptor.py +%{python3_sitearch}/samba/dnsresolver.py %{python3_sitearch}/samba/drs_utils.py +%{python3_sitearch}/samba/dsdb.*.so +%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/gensec.*.so %{python3_sitearch}/samba/getopt.py %{python3_sitearch}/samba/gpclass.py +%{python3_sitearch}/samba/gp_gnome_settings_ext.py +%{python3_sitearch}/samba/gp_scripts_ext.py %{python3_sitearch}/samba/gp_sec_ext.py %{python3_sitearch}/samba/gpo.*.so %{python3_sitearch}/samba/graph.py @@ -1744,6 +1771,7 @@ fi %{python3_sitearch}/samba/messaging.*.so %{python3_sitearch}/samba/ndr.py %{python3_sitearch}/samba/net.*.so +%{python3_sitearch}/samba/net_s3.*.so %{python3_sitearch}/samba/ntstatus.*.so %{python3_sitearch}/samba/posix_eadb.*.so %dir %{python3_sitearch}/samba/emulate @@ -1755,6 +1783,9 @@ fi %{python3_sitearch}/samba/emulate/traffic.py %{python3_sitearch}/samba/emulate/traffic_packets.py %{python3_sitearch}/samba/gp_ext_loader.py +%{python3_sitearch}/samba/gp_msgs_ext.py +%{python3_sitearch}/samba/gp_smb_conf_ext.py +%{python3_sitearch}/samba/gp_sudoers_ext.py %dir %{python3_sitearch}/samba/gp_parse %{python3_sitearch}/samba/gp_parse/__init__.py %dir %{python3_sitearch}/samba/gp_parse/__pycache__ @@ -1843,7 +1874,9 @@ fi %{python3_sitearch}/samba/samba3/__init__.py %dir %{python3_sitearch}/samba/samba3/__pycache__ %{python3_sitearch}/samba/samba3/__pycache__/__init__.*.pyc -%{python3_sitearch}/samba/samba3/libsmb_samba_internal.*.so +%{python3_sitearch}/samba/samba3/__pycache__/libsmb_samba_internal.*.pyc +%{python3_sitearch}/samba/samba3/libsmb_samba_cwrapper.cpython*.so +%{python3_sitearch}/samba/samba3/libsmb_samba_internal.py %{python3_sitearch}/samba/samba3/mdscli.*.so %{python3_sitearch}/samba/samba3/param.*.so %{python3_sitearch}/samba/samba3/passdb.*.so @@ -1858,12 +1891,17 @@ fi %{python3_sitearch}/samba/subunit/__pycache__/run.*.pyc %{python3_sitearch}/samba/subunit/run.py %{python3_sitearch}/samba/tdb_util.py -%dir %{python3_sitearch}/samba/third_party -%{python3_sitearch}/samba/third_party/__init__.py -%dir %{python3_sitearch}/samba/third_party/__pycache__ -%{python3_sitearch}/samba/third_party/__pycache__/__init__.*.pyc +%{python3_sitearch}/samba/trust_utils.py %{python3_sitearch}/samba/upgrade.py %{python3_sitearch}/samba/upgradehelpers.py +%{python3_sitearch}/samba/vgp_access_ext.py +%{python3_sitearch}/samba/vgp_files_ext.py +%{python3_sitearch}/samba/vgp_issue_ext.py +%{python3_sitearch}/samba/vgp_motd_ext.py +%{python3_sitearch}/samba/vgp_openssh_ext.py +%{python3_sitearch}/samba/vgp_startup_scripts_ext.py +%{python3_sitearch}/samba/vgp_sudoers_ext.py +%{python3_sitearch}/samba/vgp_symlink_ext.py %{python3_sitearch}/samba/werror.*.so %{python3_sitearch}/samba/xattr.py %{python3_sitearch}/samba/xattr_native.*.so @@ -1893,8 +1931,6 @@ fi %{python3_sitearch}/samba/dcerpc/dnsserver.*.so %{python3_sitearch}/samba/dckeytab.*.so -%{python3_sitearch}/samba/dsdb.*.so -%{python3_sitearch}/samba/dsdb_dns.*.so %{python3_sitearch}/samba/domain_update.py %{python3_sitearch}/samba/forest_update.py %{python3_sitearch}/samba/ms_forest_updates_markdown.py @@ -1959,8 +1995,10 @@ fi %{python3_sitearch}/samba/tests/__pycache__/complex_expressions.*.pyc %{python3_sitearch}/samba/tests/__pycache__/core.*.pyc %{python3_sitearch}/samba/tests/__pycache__/credentials.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/cred_opt.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dckeytab.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dns_aging.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_forwarder.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_invalid.*.pyc @@ -1968,6 +2006,8 @@ fi %{python3_sitearch}/samba/tests/__pycache__/dns_tkey.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dns_wildcard.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/dsdb_dns.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_lock.*.pyc %{python3_sitearch}/samba/tests/__pycache__/dsdb_schema_attributes.*.pyc %{python3_sitearch}/samba/tests/__pycache__/docs.*.pyc @@ -1979,17 +2019,22 @@ fi %{python3_sitearch}/samba/tests/__pycache__/getdcname.*.pyc %{python3_sitearch}/samba/tests/__pycache__/glue.*.pyc %{python3_sitearch}/samba/tests/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/gpo_member.*.pyc %{python3_sitearch}/samba/tests/__pycache__/graph.*.pyc %{python3_sitearch}/samba/tests/__pycache__/group_audit.*.pyc %{python3_sitearch}/samba/tests/__pycache__/hostconfig.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/imports.*.pyc %{python3_sitearch}/samba/tests/__pycache__/join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/krb5_credentials.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_raw.*.pyc %{python3_sitearch}/samba/tests/__pycache__/ldap_referrals.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_spn.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ldap_upn_sam_account.*.pyc %{python3_sitearch}/samba/tests/__pycache__/loadparm.*.pyc %{python3_sitearch}/samba/tests/__pycache__/libsmb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/lsa_string.*.pyc %{python3_sitearch}/samba/tests/__pycache__/messaging.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/ndr.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netbios.*.pyc %{python3_sitearch}/samba/tests/__pycache__/netcmd.*.pyc %{python3_sitearch}/samba/tests/__pycache__/net_join_no_spnego.*.pyc @@ -2025,13 +2070,16 @@ fi %{python3_sitearch}/samba/tests/__pycache__/s3passdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3registry.*.pyc %{python3_sitearch}/samba/tests/__pycache__/s3windb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/s3_net_join.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba3sam.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samba_upgradedns_lmdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb.*.pyc %{python3_sitearch}/samba/tests/__pycache__/samdb_api.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/sddl.*.pyc %{python3_sitearch}/samba/tests/__pycache__/security.*.pyc %{python3_sitearch}/samba/tests/__pycache__/segfault.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smb.*.pyc +%{python3_sitearch}/samba/tests/__pycache__/smb-notify.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_base.*.pyc %{python3_sitearch}/samba/tests/__pycache__/smbd_fuzztest.*.pyc %{python3_sitearch}/samba/tests/__pycache__/source.*.pyc @@ -2062,10 +2110,14 @@ fi %{python3_sitearch}/samba/tests/blackbox/__pycache__/bug13653.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/check_output.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/downgradedatabase.*.pyc -%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdfind.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/mdsearch.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/ndrdump.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/netads_json.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/samba_dnsupdate.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_basic.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_dfs_propagate_inherit.*.pyc +%{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcacls_propagate_inhertance.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/smbcontrol_process.*.pyc %{python3_sitearch}/samba/tests/blackbox/__pycache__/traffic_learner.*.pyc @@ -2074,10 +2126,14 @@ fi %{python3_sitearch}/samba/tests/blackbox/bug13653.py %{python3_sitearch}/samba/tests/blackbox/check_output.py %{python3_sitearch}/samba/tests/blackbox/downgradedatabase.py -%{python3_sitearch}/samba/tests/blackbox/mdfind.py +%{python3_sitearch}/samba/tests/blackbox/mdsearch.py %{python3_sitearch}/samba/tests/blackbox/ndrdump.py %{python3_sitearch}/samba/tests/blackbox/netads_json.py %{python3_sitearch}/samba/tests/blackbox/samba_dnsupdate.py +%{python3_sitearch}/samba/tests/blackbox/smbcacls.py +%{python3_sitearch}/samba/tests/blackbox/smbcacls_basic.py +%{python3_sitearch}/samba/tests/blackbox/smbcacls_dfs_propagate_inherit.py +%{python3_sitearch}/samba/tests/blackbox/smbcacls_propagate_inhertance.py %{python3_sitearch}/samba/tests/blackbox/smbcontrol.py %{python3_sitearch}/samba/tests/blackbox/smbcontrol_process.py %{python3_sitearch}/samba/tests/blackbox/traffic_learner.py @@ -2087,14 +2143,18 @@ fi %{python3_sitearch}/samba/tests/complex_expressions.py %{python3_sitearch}/samba/tests/core.py %{python3_sitearch}/samba/tests/credentials.py +%{python3_sitearch}/samba/tests/cred_opt.py %dir %{python3_sitearch}/samba/tests/dcerpc %{python3_sitearch}/samba/tests/dcerpc/__init__.py %dir %{python3_sitearch}/samba/tests/dcerpc/__pycache__ %{python3_sitearch}/samba/tests/dcerpc/__pycache__/__init__.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/array.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/bare.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/createtrustrelax.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/binding.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/dnsserver.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/integer.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/lsa.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/mdssvc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/misc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/raw_protocol.*.pyc @@ -2103,14 +2163,18 @@ fi %{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpc_talloc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/rpcecho.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/sam.*.pyc +%{python3_sitearch}/samba/tests/dcerpc/__pycache__/samr_change_password.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/srvsvc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/string_tests.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/testrpc.*.pyc %{python3_sitearch}/samba/tests/dcerpc/__pycache__/unix.*.pyc %{python3_sitearch}/samba/tests/dcerpc/array.py %{python3_sitearch}/samba/tests/dcerpc/bare.py +%{python3_sitearch}/samba/tests/dcerpc/binding.py +%{python3_sitearch}/samba/tests/dcerpc/createtrustrelax.py %{python3_sitearch}/samba/tests/dcerpc/dnsserver.py %{python3_sitearch}/samba/tests/dcerpc/integer.py +%{python3_sitearch}/samba/tests/dcerpc/lsa.py %{python3_sitearch}/samba/tests/dcerpc/mdssvc.py %{python3_sitearch}/samba/tests/dcerpc/misc.py %{python3_sitearch}/samba/tests/dcerpc/raw_protocol.py @@ -2119,12 +2183,14 @@ fi %{python3_sitearch}/samba/tests/dcerpc/rpc_talloc.py %{python3_sitearch}/samba/tests/dcerpc/rpcecho.py %{python3_sitearch}/samba/tests/dcerpc/sam.py +%{python3_sitearch}/samba/tests/dcerpc/samr_change_password.py %{python3_sitearch}/samba/tests/dcerpc/srvsvc.py %{python3_sitearch}/samba/tests/dcerpc/string_tests.py %{python3_sitearch}/samba/tests/dcerpc/testrpc.py %{python3_sitearch}/samba/tests/dcerpc/unix.py %{python3_sitearch}/samba/tests/dckeytab.py %{python3_sitearch}/samba/tests/dns.py +%{python3_sitearch}/samba/tests/dns_aging.py %{python3_sitearch}/samba/tests/dns_base.py %{python3_sitearch}/samba/tests/dns_forwarder.py %dir %{python3_sitearch}/samba/tests/dns_forwarder_helpers @@ -2135,6 +2201,8 @@ fi %{python3_sitearch}/samba/tests/dns_tkey.py %{python3_sitearch}/samba/tests/dns_wildcard.py %{python3_sitearch}/samba/tests/dsdb.py +%{python3_sitearch}/samba/tests/dsdb_api.py +%{python3_sitearch}/samba/tests/dsdb_dns.py %{python3_sitearch}/samba/tests/dsdb_lock.py %{python3_sitearch}/samba/tests/dsdb_schema_attributes.py %{python3_sitearch}/samba/tests/docs.py @@ -2154,9 +2222,11 @@ fi %{python3_sitearch}/samba/tests/get_opt.py %{python3_sitearch}/samba/tests/glue.py %{python3_sitearch}/samba/tests/gpo.py +%{python3_sitearch}/samba/tests/gpo_member.py %{python3_sitearch}/samba/tests/graph.py %{python3_sitearch}/samba/tests/group_audit.py %{python3_sitearch}/samba/tests/hostconfig.py +%{python3_sitearch}/samba/tests/imports.py %{python3_sitearch}/samba/tests/join.py %dir %{python3_sitearch}/samba/tests/kcc %{python3_sitearch}/samba/tests/kcc/__init__.py @@ -2170,13 +2240,68 @@ fi %{python3_sitearch}/samba/tests/kcc/graph_utils.py %{python3_sitearch}/samba/tests/kcc/kcc_utils.py %{python3_sitearch}/samba/tests/kcc/ldif_import_export.py +%dir %{python3_sitearch}/samba/tests/krb5 +%dir %{python3_sitearch}/samba/tests/krb5/__pycache__ +%{python3_sitearch}/samba/tests/krb5/__pycache__/alias_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_tgs_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/ms_kile_client_principal_lookup_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/raw_testcase.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_constants.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rfc4120_pyasn1.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/rodc_tests*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/salt_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/simple_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/spn_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/s4u_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ccache.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_idmap_nss.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_ldap.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_min_domain_uid.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_rpc.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/test_smb.*.pyc +%{python3_sitearch}/samba/tests/krb5/__pycache__/xrealm_tests.*.pyc +%{python3_sitearch}/samba/tests/krb5/alias_tests.py +%{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py +%{python3_sitearch}/samba/tests/krb5/as_req_tests.py +%{python3_sitearch}/samba/tests/krb5/compatability_tests.py +%{python3_sitearch}/samba/tests/krb5/fast_tests.py +%{python3_sitearch}/samba/tests/krb5/kcrypto.py +%{python3_sitearch}/samba/tests/krb5/kdc_base_test.py +%{python3_sitearch}/samba/tests/krb5/kdc_tests.py +%{python3_sitearch}/samba/tests/krb5/kdc_tgs_tests.py +%{python3_sitearch}/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +%{python3_sitearch}/samba/tests/krb5/raw_testcase.py +%{python3_sitearch}/samba/tests/krb5/rfc4120_constants.py +%{python3_sitearch}/samba/tests/krb5/rfc4120_pyasn1.py +%{python3_sitearch}/samba/tests/krb5/rodc_tests.py +%{python3_sitearch}/samba/tests/krb5/salt_tests.py +%{python3_sitearch}/samba/tests/krb5/simple_tests.py +%{python3_sitearch}/samba/tests/krb5/spn_tests.py +%{python3_sitearch}/samba/tests/krb5/test_ccache.py +%{python3_sitearch}/samba/tests/krb5/test_idmap_nss.py +%{python3_sitearch}/samba/tests/krb5/test_ldap.py +%{python3_sitearch}/samba/tests/krb5/test_min_domain_uid.py +%{python3_sitearch}/samba/tests/krb5/test_rpc.py +%{python3_sitearch}/samba/tests/krb5/test_smb.py +%{python3_sitearch}/samba/tests/krb5/s4u_tests.py +%{python3_sitearch}/samba/tests/krb5/xrealm_tests.py %{python3_sitearch}/samba/tests/krb5_credentials.py %{python3_sitearch}/samba/tests/ldap_raw.py %{python3_sitearch}/samba/tests/ldap_referrals.py +%{python3_sitearch}/samba/tests/ldap_spn.py +%{python3_sitearch}/samba/tests/ldap_upn_sam_account.py %{python3_sitearch}/samba/tests/libsmb.py %{python3_sitearch}/samba/tests/loadparm.py %{python3_sitearch}/samba/tests/lsa_string.py %{python3_sitearch}/samba/tests/messaging.py +%{python3_sitearch}/samba/tests/ndr.py %{python3_sitearch}/samba/tests/netbios.py %{python3_sitearch}/samba/tests/netcmd.py %{python3_sitearch}/samba/tests/net_join_no_spnego.py @@ -2212,6 +2337,7 @@ fi %{python3_sitearch}/samba/tests/s3passdb.py %{python3_sitearch}/samba/tests/s3registry.py %{python3_sitearch}/samba/tests/s3windb.py +%{python3_sitearch}/samba/tests/s3_net_join.py %{python3_sitearch}/samba/tests/samba3sam.py %{python3_sitearch}/samba/tests/samba_upgradedns_lmdb.py %dir %{python3_sitearch}/samba/tests/samba_tool @@ -2228,6 +2354,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/forest.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/fsmo.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/gpo_exts.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/group.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/help.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/join.*.pyc @@ -2239,6 +2366,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/promote_dc_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_lmdb_size.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_password_check.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/provision_userPassword_crypt.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/rodc.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/schema.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/sites.*.pyc @@ -2246,6 +2374,9 @@ fi %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_check_password_script.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_base.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_gpg.*.pyc +%{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_virtualCryptSHA_userPassword.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/user_wdigest.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/visualize.*.pyc %{python3_sitearch}/samba/tests/samba_tool/__pycache__/visualize_drs.*.pyc @@ -2259,6 +2390,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/forest.py %{python3_sitearch}/samba/tests/samba_tool/fsmo.py %{python3_sitearch}/samba/tests/samba_tool/gpo.py +%{python3_sitearch}/samba/tests/samba_tool/gpo_exts.py %{python3_sitearch}/samba/tests/samba_tool/group.py %{python3_sitearch}/samba/tests/samba_tool/help.py %{python3_sitearch}/samba/tests/samba_tool/join.py @@ -2270,6 +2402,7 @@ fi %{python3_sitearch}/samba/tests/samba_tool/promote_dc_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_lmdb_size.py %{python3_sitearch}/samba/tests/samba_tool/provision_password_check.py +%{python3_sitearch}/samba/tests/samba_tool/provision_userPassword_crypt.py %{python3_sitearch}/samba/tests/samba_tool/rodc.py %{python3_sitearch}/samba/tests/samba_tool/schema.py %{python3_sitearch}/samba/tests/samba_tool/sites.py @@ -2277,14 +2410,19 @@ fi %{python3_sitearch}/samba/tests/samba_tool/user.py %{python3_sitearch}/samba/tests/samba_tool/user_check_password_script.py %{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA.py +%{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_base.py +%{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_gpg.py +%{python3_sitearch}/samba/tests/samba_tool/user_virtualCryptSHA_userPassword.py %{python3_sitearch}/samba/tests/samba_tool/user_wdigest.py %{python3_sitearch}/samba/tests/samba_tool/visualize.py %{python3_sitearch}/samba/tests/samba_tool/visualize_drs.py %{python3_sitearch}/samba/tests/samdb.py %{python3_sitearch}/samba/tests/samdb_api.py +%{python3_sitearch}/samba/tests/sddl.py %{python3_sitearch}/samba/tests/security.py %{python3_sitearch}/samba/tests/segfault.py %{python3_sitearch}/samba/tests/smb.py +%{python3_sitearch}/samba/tests/smb-notify.py %{python3_sitearch}/samba/tests/smbd_base.py %{python3_sitearch}/samba/tests/smbd_fuzztest.py %{python3_sitearch}/samba/tests/source.py @@ -2338,7 +2476,9 @@ fi %files winbind-krb5-locator %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +%dir %{_libdir}/samba/krb5 %{_libdir}/samba/krb5/winbind_krb5_locator.so +%{_libdir}/samba/krb5/async_dns_krb5_locator.so %config(noreplace) /etc/ld.so.conf.d/* %files winbind-modules @@ -2384,11 +2524,10 @@ fi %{_sbindir}/ctdbd %{_sbindir}/ctdbd_wrapper %{_bindir}/ctdb -%{_bindir}/ctdb_local_daemons -%{_bindir}/ping_pong -%{_bindir}/ltdbtool %{_bindir}/ctdb_diagnostics +%{_bindir}/ltdbtool %{_bindir}/onnode +%{_bindir}/ping_pong %dir %{_libexecdir}/ctdb %{_libexecdir}/ctdb/ctdb-config @@ -2403,6 +2542,7 @@ fi %{_libexecdir}/ctdb/ctdb_recovery_helper %{_libexecdir}/ctdb/ctdb_takeover_helper %{_libexecdir}/ctdb/smnotify +%{_libexecdir}/ctdb/tdb_mutex_check %dir %{_localstatedir}/lib/ctdb/ %dir %{_localstatedir}/lib/ctdb/persistent @@ -2428,6 +2568,7 @@ fi %{_datadir}/ctdb/events/legacy/31.clamd.script %{_datadir}/ctdb/events/legacy/40.vsftpd.script %{_datadir}/ctdb/events/legacy/41.httpd.script +%{_datadir}/ctdb/events/legacy/48.netbios.script %{_datadir}/ctdb/events/legacy/49.winbind.script %{_datadir}/ctdb/events/legacy/50.samba.script %{_datadir}/ctdb/events/legacy/60.nfs.script @@ -2435,8 +2576,10 @@ fi %{_datadir}/ctdb/events/legacy/91.lvs.script %config(noreplace) /etc/ld.so.conf.d/* +%if %{with testsuite} %files -n ctdb-tests %doc ctdb/tests/README +%{_bindir}/ctdb_local_daemons %{_bindir}/ctdb_run_tests %{_bindir}/ctdb_run_cluster_tests @@ -2528,6 +2671,7 @@ fi %{_datadir}/ctdb/tests/INTEGRATION/database/basics.004.wipe.sh %{_datadir}/ctdb/tests/INTEGRATION/database/basics.010.backup_restore.sh %{_datadir}/ctdb/tests/INTEGRATION/database/fetch.001.ring.sh +%{_datadir}/ctdb/tests/INTEGRATION/database/fetch.002.ring-hotkeys.sh %{_datadir}/ctdb/tests/INTEGRATION/database/readonly.001.basic.sh %{_datadir}/ctdb/tests/INTEGRATION/database/recovery.001.volatile.sh %{_datadir}/ctdb/tests/INTEGRATION/database/recovery.002.large.sh @@ -2572,7 +2716,6 @@ fi %{_datadir}/ctdb/tests/INTEGRATION/simple/basics.005.process_exists.sh %{_datadir}/ctdb/tests/INTEGRATION/simple/basics.010.statistics.sh %{_datadir}/ctdb/tests/INTEGRATION/simple/basics.011.statistics_reset.sh -%{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.001.isnotrecmaster.sh %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.002.recmaster_yield.sh %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.010.getrelock.sh %{_datadir}/ctdb/tests/INTEGRATION/simple/cluster.012.reclock_command.sh @@ -2640,6 +2783,8 @@ fi %{_datadir}/ctdb/tests/UNIT/cunit/sock_io_test_001.sh %{_datadir}/ctdb/tests/UNIT/cunit/srvid_test_001.sh %{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_001.sh +%{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_002.sh +%{_datadir}/ctdb/tests/UNIT/cunit/system_socket_test_003.sh %dir %{_datadir}/ctdb/tests/UNIT/eventd %dir %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb %{_datadir}/ctdb/tests/UNIT/eventd/etc-ctdb/ctdb.conf @@ -2823,6 +2968,8 @@ fi %{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.monitor.002.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.shutdown.002.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/41.httpd.startup.002.sh +%{_datadir}/ctdb/tests/UNIT/eventscripts/48.netbios.shutdown.011.sh +%{_datadir}/ctdb/tests/UNIT/eventscripts/48.netbios.startup.011.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.monitor.101.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.monitor.102.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/49.winbind.shutdown.002.sh @@ -2912,6 +3059,7 @@ fi %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/31.clamd.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/40.vsftpd.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/41.httpd.sh +%{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/48.netbios.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/49.winbind.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/50.samba.sh %{_datadir}/ctdb/tests/UNIT/eventscripts/scripts/60.nfs.sh @@ -2943,6 +3091,7 @@ fi %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/kill %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/killall %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/multipath +%{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/nfsconf %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/net %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pidof %{_datadir}/ctdb/tests/UNIT/eventscripts/stubs/pkill @@ -3103,6 +3252,7 @@ fi %{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbstatus.001.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.getdbstatus.002.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.getpid.001.sh +%{_datadir}/ctdb/tests/UNIT/tool/ctdb.getpid.010.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.getreclock.001.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.getreclock.002.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.getvar.001.sh @@ -3129,6 +3279,7 @@ fi %{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.006.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.007.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.008.sh +%{_datadir}/ctdb/tests/UNIT/tool/ctdb.lvs.010.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.001.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.002.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.003.sh @@ -3137,6 +3288,7 @@ fi %{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.006.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.007.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.008.sh +%{_datadir}/ctdb/tests/UNIT/tool/ctdb.natgw.010.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.001.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.002.sh %{_datadir}/ctdb/tests/UNIT/tool/ctdb.nodestatus.003.sh @@ -3207,12 +3359,17 @@ fi %dir %{_datadir}/ctdb/tests/UNIT/tool/scripts %{_datadir}/ctdb/tests/UNIT/tool/scripts/local.sh %config(noreplace) /etc/ld.so.conf.d/* - +#endif with_testsuite +%endif #endif with_clustering_support %endif %files help %{_mandir}/man* +%dir %{_datadir}/samba/admx +%{_datadir}/samba/admx/samba.admx +%dir %{_datadir}/samba/admx/en-US +%{_datadir}/samba/admx/en-US/samba.adml %if %{with_winexe} ### WINEXE @@ -3221,28 +3378,17 @@ fi %endif %changelog -* Fri Nov 05 2021 gaihuiying - 4.12.5-9 +* Tue Jan 18 2022 zengwefeng - 4.15.3-2 - Type:bugfix - ID:NA - SUG:NA -- DESC:fix undefined shift in put_res_rec +- DESC:add "openEuler" macro to control if cups is needed -* Fri Oct 29 2021 gaihuiying - 4.12.5-8 -- Type:bugfix +* Tue Jan 18 2022 zengwefeng - 4.15.3-1 +- Type:requirement - ID:NA - SUG:NA -- DESC:fix fuzz error: - idl: drsuapi_DsaAddressListItem_V1 limit recursion - idl: limit recurion on recursive-elements - lib: ldb Limit depth of ldb_parse_tree - librpc: ndr add recursion check macros - librpc: ndr Heap-buffer-overflow in lzxpress_decompress - librpc: ndr NDR_PULL_ALIGN check for unsigned overflow - lzxpress: add bounds checking to lzxpress decompress - lzxpress: avoid technically undefined shift - pidl: Add recursive depth checks - utils: asn1 avoid undefined behaviour - witness: idl fix length calculation for witness_IPaddrInfoList +- DESC:update samba to 4.15.3 * Mon Oct 25 2021 gaihuiying - 4.12.5-7 - Type:cves @@ -3341,7 +3487,7 @@ fi - Type: enhancement - ID: NA - SUG: NA -- DESC:modify spec file +- DESC:modify spec file * Mon Sep 23 2019 huzhiyu - 4.9.1-3 - Package init