diff --git a/SOURCES/CVE-2023-3961-pipename-4.18.6.patch b/SOURCES/CVE-2023-3961-pipename-4.18.6.patch new file mode 100644 index 0000000..7aa0e97 --- /dev/null +++ b/SOURCES/CVE-2023-3961-pipename-4.18.6.patch @@ -0,0 +1,296 @@ +From c87e6b4ec57120cf1d14e82fd2bfc162ce65f663 Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 25 Jul 2023 17:41:04 -0700 +Subject: [PATCH 1/3] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that + could exit socket_dir. + +For now, SMB_ASSERT() to exit the server. We will remove +this once the test code is in place. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 + +Signed-off-by: Jeremy Allison +--- + source3/rpc_client/local_np.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c +index 0b323404f06..95228d5d801 100644 +--- a/source3/rpc_client/local_np.c ++++ b/source3/rpc_client/local_np.c +@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send( + return tevent_req_post(req, ev); + } + ++ /* ++ * Ensure we cannot process a path that exits ++ * the socket_dir. ++ */ ++ if (ISDOTDOT(lower_case_pipename) || ++ (strchr(lower_case_pipename, '/')!=NULL)) ++ { ++ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", ++ lower_case_pipename); ++ /* ++ * For now, panic the server until we have ++ * the test code in place. ++ */ ++ SMB_ASSERT(false); ++ tevent_req_error(req, ENOENT); ++ return tevent_req_post(req, ev); ++ } ++ + state->socketpath = talloc_asprintf( + state, "%s/np/%s", socket_dir, lower_case_pipename); + if (tevent_req_nomem(state->socketpath, req)) { +-- +2.41.0 + + +From 1571d37b9cfb4df7333639b5ddfbe7e321959f4e Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 25 Jul 2023 17:49:21 -0700 +Subject: [PATCH 2/3] CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME + to show we allow bad pipenames with unix separators through to the UNIX + domain socket code. + +The raw SMB2-INVALID-PIPENAME test passes against Windows 2022, +as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND. + +Add the knownfail. + +BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422 + +Signed-off-by: Jeremy Allison +--- + selftest/knownfail.d/badpipename | 1 + + source3/selftest/tests.py | 14 ++++ + source3/torture/proto.h | 1 + + source3/torture/test_smb2.c | 107 +++++++++++++++++++++++++++++++ + source3/torture/torture.c | 4 ++ + 5 files changed, 127 insertions(+) + create mode 100644 selftest/knownfail.d/badpipename + +diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename +new file mode 100644 +index 00000000000..e69715f863d +--- /dev/null ++++ b/selftest/knownfail.d/badpipename +@@ -0,0 +1 @@ ++^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) +diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py +index 178f550b5b7..139f98637cb 100755 +--- a/source3/selftest/tests.py ++++ b/source3/selftest/tests.py +@@ -296,6 +296,20 @@ plantestsuite("samba3.smbtorture_s3.smb2.SMB2-DFS-FILENAME-LEADING-BACKSLASH", + smbtorture3, + "-mSMB2"]) + ++# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 ++# Prevent bad pipenames. ++# ++plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME", ++ "fileserver", ++ [os.path.join(samba3srcdir, ++ "script/tests/test_smbtorture_s3.sh"), ++ 'SMB2-INVALID-PIPENAME', ++ '//$SERVER_IP/tmp', ++ '$USERNAME', ++ '$PASSWORD', ++ smbtorture3, ++ "-mSMB2"]) ++ + # + # SMB2-NON-DFS-SHARE needs to run against a special share non-msdfs-pathname-share + # This is an empty non-DFS share with no links, used merely to test +diff --git a/source3/torture/proto.h b/source3/torture/proto.h +index 5e6d914c3da..ecd7fa2ef2d 100644 +--- a/source3/torture/proto.h ++++ b/source3/torture/proto.h +@@ -124,6 +124,7 @@ bool run_smb2_dfs_paths(int dummy); + bool run_smb2_non_dfs_share(int dummy); + bool run_smb2_dfs_share_non_dfs_path(int dummy); + bool run_smb2_dfs_filename_leading_backslash(int dummy); ++bool run_smb2_invalid_pipename(int dummy); + bool run_smb1_dfs_paths(int dummy); + bool run_smb1_dfs_search_paths(int dummy); + bool run_smb1_dfs_operations(int dummy); +diff --git a/source3/torture/test_smb2.c b/source3/torture/test_smb2.c +index dc249643aa6..337181ae893 100644 +--- a/source3/torture/test_smb2.c ++++ b/source3/torture/test_smb2.c +@@ -5136,3 +5136,110 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy) + (void)smb2_dfs_delete(cli, dfs_filename_slash); + return retval; + } ++ ++bool run_smb2_invalid_pipename(int dummy) ++{ ++ struct cli_state *cli = NULL; ++ NTSTATUS status; ++ uint64_t fid_persistent = 0; ++ uint64_t fid_volatile = 0; ++ const char *unknown_pipe = "badpipe"; ++ const char *invalid_pipe = "../../../../../../../../../badpipe"; ++ ++ printf("Starting SMB2-INVALID-PIPENAME\n"); ++ ++ if (!torture_init_connection(&cli)) { ++ return false; ++ } ++ ++ status = smbXcli_negprot(cli->conn, ++ cli->timeout, ++ PROTOCOL_SMB2_02, ++ PROTOCOL_SMB3_11); ++ if (!NT_STATUS_IS_OK(status)) { ++ printf("smbXcli_negprot returned %s\n", nt_errstr(status)); ++ return false; ++ } ++ ++ status = cli_session_setup_creds(cli, torture_creds); ++ if (!NT_STATUS_IS_OK(status)) { ++ printf("cli_session_setup returned %s\n", nt_errstr(status)); ++ return false; ++ } ++ ++ status = cli_tree_connect(cli, "IPC$", "?????", NULL); ++ if (!NT_STATUS_IS_OK(status)) { ++ printf("cli_tree_connect returned %s\n", nt_errstr(status)); ++ return false; ++ } ++ ++ /* Try and connect to an unknown pipename. */ ++ status = smb2cli_create(cli->conn, ++ cli->timeout, ++ cli->smb2.session, ++ cli->smb2.tcon, ++ unknown_pipe, ++ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ ++ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ ++ SEC_STD_SYNCHRONIZE| ++ SEC_FILE_READ_DATA| ++ SEC_FILE_WRITE_DATA| ++ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ ++ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ ++ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ ++ FILE_CREATE, /* create_disposition, */ ++ 0, /* create_options, */ ++ NULL, /* smb2_create_blobs *blobs */ ++ &fid_persistent, ++ &fid_volatile, ++ NULL, /* struct smb_create_returns * */ ++ talloc_tos(), /* mem_ctx. */ ++ NULL, /* struct smb2_create_blobs * */ ++ NULL); /* struct symlink_reparse_struct */ ++ /* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */ ++ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { ++ printf("%s:%d smb2cli_create on name %s returned %s\n", ++ __FILE__, ++ __LINE__, ++ unknown_pipe, ++ nt_errstr(status)); ++ return false; ++ } ++ ++ /* Try and connect to an invalid pipename containing unix separators. */ ++ status = smb2cli_create(cli->conn, ++ cli->timeout, ++ cli->smb2.session, ++ cli->smb2.tcon, ++ invalid_pipe, ++ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */ ++ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */ ++ SEC_STD_SYNCHRONIZE| ++ SEC_FILE_READ_DATA| ++ SEC_FILE_WRITE_DATA| ++ SEC_FILE_READ_ATTRIBUTE, /* desired_access, */ ++ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */ ++ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */ ++ FILE_CREATE, /* create_disposition, */ ++ 0, /* create_options, */ ++ NULL, /* smb2_create_blobs *blobs */ ++ &fid_persistent, ++ &fid_volatile, ++ NULL, /* struct smb_create_returns * */ ++ talloc_tos(), /* mem_ctx. */ ++ NULL, /* struct smb2_create_blobs * */ ++ NULL); /* struct symlink_reparse_struct */ ++ /* ++ * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND ++ * (tested against Windows 2022). ++ */ ++ if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { ++ printf("%s:%d smb2cli_create on name %s returned %s\n", ++ __FILE__, ++ __LINE__, ++ invalid_pipe, ++ nt_errstr(status)); ++ return false; ++ } ++ return true; ++} +diff --git a/source3/torture/torture.c b/source3/torture/torture.c +index 63fe4ac6f7f..99eab0b2768 100644 +--- a/source3/torture/torture.c ++++ b/source3/torture/torture.c +@@ -15727,6 +15727,10 @@ static struct { + .name = "SMB2-DFS-FILENAME-LEADING-BACKSLASH", + .fn = run_smb2_dfs_filename_leading_backslash, + }, ++ { ++ .name = "SMB2-INVALID-PIPENAME", ++ .fn = run_smb2_invalid_pipename, ++ }, + { + .name = "SMB1-TRUNCATED-SESSSETUP", + .fn = run_smb1_truncated_sesssetup, +-- +2.41.0 + + +From fbd7c2a5912e21a2b514624ed886a77e2f4c65fd Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 25 Jul 2023 17:54:41 -0700 +Subject: [PATCH 3/3] CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that + crashes on bad pipenames. + +We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND). + +Remove knowfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422 + +Signed-off-by: Jeremy Allison +--- + selftest/knownfail.d/badpipename | 1 - + source3/rpc_client/local_np.c | 5 ----- + 2 files changed, 6 deletions(-) + delete mode 100644 selftest/knownfail.d/badpipename + +diff --git a/selftest/knownfail.d/badpipename b/selftest/knownfail.d/badpipename +deleted file mode 100644 +index e69715f863d..00000000000 +--- a/selftest/knownfail.d/badpipename ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\) +diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c +index 95228d5d801..791ded99a47 100644 +--- a/source3/rpc_client/local_np.c ++++ b/source3/rpc_client/local_np.c +@@ -551,11 +551,6 @@ struct tevent_req *local_np_connect_send( + { + DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n", + lower_case_pipename); +- /* +- * For now, panic the server until we have +- * the test code in place. +- */ +- SMB_ASSERT(false); + tevent_req_error(req, ENOENT); + return tevent_req_post(req, ev); + } +-- +2.41.0 + diff --git a/SOURCES/CVE-2023-4091-truncate-4.18.patch b/SOURCES/CVE-2023-4091-truncate-4.18.patch new file mode 100644 index 0000000..8b4b2cc --- /dev/null +++ b/SOURCES/CVE-2023-4091-truncate-4.18.patch @@ -0,0 +1,240 @@ +From a4a3868fda277ddf0f174b77a859c33e4c339538 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 1 Aug 2023 12:30:00 +0200 +Subject: [PATCH 1/2] CVE-2023-4091: smbtorture: test overwrite dispositions on + read-only file + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 + +Signed-off-by: Ralph Boehme +--- + selftest/knownfail.d/samba3.smb2.acls | 1 + + source4/torture/smb2/acls.c | 143 ++++++++++++++++++++++++++ + 2 files changed, 144 insertions(+) + create mode 100644 selftest/knownfail.d/samba3.smb2.acls + +diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls +new file mode 100644 +index 000000000000..18df260c0e50 +--- /dev/null ++++ b/selftest/knownfail.d/samba3.smb2.acls +@@ -0,0 +1 @@ ++^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE +diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c +index a27d4e079e67..5a892d004ea8 100644 +--- a/source4/torture/smb2/acls.c ++++ b/source4/torture/smb2/acls.c +@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx, + return ret; + } + ++static bool test_overwrite_read_only_file(struct torture_context *tctx, ++ struct smb2_tree *tree) ++{ ++ NTSTATUS status; ++ struct smb2_create c; ++ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt"; ++ struct smb2_handle handle = {{0}}; ++ union smb_fileinfo q; ++ union smb_setfileinfo set; ++ struct security_descriptor *sd = NULL, *sd_orig = NULL; ++ const char *owner_sid = NULL; ++ int i; ++ bool ret = true; ++ ++ struct tcase { ++ int disposition; ++ const char *disposition_string; ++ NTSTATUS expected_status; ++ } tcases[] = { ++#define TCASE(d, s) { \ ++ .disposition = d, \ ++ .disposition_string = #d, \ ++ .expected_status = s, \ ++ } ++ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK), ++ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED), ++ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED), ++ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED), ++ }; ++#undef TCASE ++ ++ ret = smb2_util_setup_dir(tctx, tree, BASEDIR); ++ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok"); ++ ++ c = (struct smb2_create) { ++ .in.desired_access = SEC_STD_READ_CONTROL | ++ SEC_STD_WRITE_DAC | ++ SEC_STD_WRITE_OWNER, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_READ | ++ NTCREATEX_SHARE_ACCESS_WRITE, ++ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_create failed\n"); ++ handle = c.out.file.handle; ++ ++ torture_comment(tctx, "get the original sd\n"); ++ ++ ZERO_STRUCT(q); ++ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC; ++ q.query_secdesc.in.file.handle = handle; ++ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER; ++ ++ status = smb2_getinfo_file(tree, tctx, &q); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_getinfo_file failed\n"); ++ sd_orig = q.query_secdesc.out.sd; ++ ++ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid); ++ ++ sd = security_descriptor_dacl_create(tctx, ++ 0, NULL, NULL, ++ owner_sid, ++ SEC_ACE_TYPE_ACCESS_ALLOWED, ++ SEC_FILE_READ_DATA, ++ 0, ++ NULL); ++ ++ ZERO_STRUCT(set); ++ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; ++ set.set_secdesc.in.file.handle = handle; ++ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; ++ set.set_secdesc.in.sd = sd; ++ ++ status = smb2_setinfo_file(tree, &set); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_setinfo_file failed\n"); ++ ++ smb2_util_close(tree, handle); ++ ZERO_STRUCT(handle); ++ ++ for (i = 0; i < ARRAY_SIZE(tcases); i++) { ++ torture_comment(tctx, "Verify open with %s dispostion\n", ++ tcases[i].disposition_string); ++ ++ c = (struct smb2_create) { ++ .in.create_disposition = tcases[i].disposition, ++ .in.desired_access = SEC_FILE_READ_DATA, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ smb2_util_close(tree, c.out.file.handle); ++ torture_assert_ntstatus_equal_goto( ++ tctx, status, tcases[i].expected_status, ret, done, ++ "smb2_create failed\n"); ++ }; ++ ++ torture_comment(tctx, "put back original sd\n"); ++ ++ c = (struct smb2_create) { ++ .in.desired_access = SEC_STD_WRITE_DAC, ++ .in.file_attributes = FILE_ATTRIBUTE_NORMAL, ++ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK, ++ .in.create_disposition = NTCREATEX_DISP_OPEN_IF, ++ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS, ++ .in.fname = fname, ++ }; ++ ++ status = smb2_create(tree, tctx, &c); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_create failed\n"); ++ handle = c.out.file.handle; ++ ++ ZERO_STRUCT(set); ++ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC; ++ set.set_secdesc.in.file.handle = handle; ++ set.set_secdesc.in.secinfo_flags = SECINFO_DACL; ++ set.set_secdesc.in.sd = sd_orig; ++ ++ status = smb2_setinfo_file(tree, &set); ++ torture_assert_ntstatus_ok_goto(tctx, status, ret, done, ++ "smb2_setinfo_file failed\n"); ++ ++ smb2_util_close(tree, handle); ++ ZERO_STRUCT(handle); ++ ++done: ++ smb2_util_close(tree, handle); ++ smb2_util_unlink(tree, fname); ++ smb2_deltree(tree, BASEDIR); ++ return ret; ++} ++ + /* + basic testing of SMB2 ACLs + */ +@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx) + test_deny1); + torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED", + test_mxac_not_granted); ++ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file); + + suite->description = talloc_strdup(suite, "SMB2-ACLS tests"); + +-- +2.41.0 + + +From 5b5e2b1714e4a242b1cea44deff1f380620872c9 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 1 Aug 2023 13:04:36 +0200 +Subject: [PATCH 2/2] CVE-2023-4091: smbd: use open_access_mask for access + check in open_file() + +If the client requested FILE_OVERWRITE[_IF], we're implicitly adding +FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the +access check we're using access_mask which doesn't contain the additional +right, which means we can end up truncating a file for which the user has +only read-only access via an SD. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439 + +Signed-off-by: Ralph Boehme +--- + selftest/knownfail.d/samba3.smb2.acls | 1 - + source3/smbd/open.c | 4 ++-- + 2 files changed, 2 insertions(+), 3 deletions(-) + delete mode 100644 selftest/knownfail.d/samba3.smb2.acls + +diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls +deleted file mode 100644 +index 18df260c0e50..000000000000 +--- a/selftest/knownfail.d/samba3.smb2.acls ++++ /dev/null +@@ -1 +0,0 @@ +-^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE +diff --git a/source3/smbd/open.c b/source3/smbd/open.c +index 94f50becb247..0c9ddfe7c948 100644 +--- a/source3/smbd/open.c ++++ b/source3/smbd/open.c +@@ -1442,7 +1442,7 @@ static NTSTATUS open_file(struct smb_request *req, + dirfsp, + fsp, + false, +- access_mask); ++ open_access_mask); + + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("smbd_check_access_rights_fsp" +@@ -1633,7 +1633,7 @@ static NTSTATUS open_file(struct smb_request *req, + status = smbd_check_access_rights_fsp(dirfsp, + fsp, + false, +- access_mask); ++ open_access_mask); + + if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) && + posix_open && +-- +2.41.0 + diff --git a/SOURCES/CVE-2023-42669-remove-rpcecho-4.18.patch b/SOURCES/CVE-2023-42669-remove-rpcecho-4.18.patch new file mode 100644 index 0000000..7f8b80c --- /dev/null +++ b/SOURCES/CVE-2023-42669-remove-rpcecho-4.18.patch @@ -0,0 +1,124 @@ +From e534a858d15589f27181b82c8ed8abefc56fb95f Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Tue, 12 Sep 2023 18:59:44 +1200 +Subject: [PATCH 1/2] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by + default + +The rpcecho server is useful in development and testing, but should never +have been allowed into production, as it includes the facility to +do a blocking sleep() in the single-threaded rpc worker. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett +--- + docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +- + lib/param/loadparm.c | 2 +- + selftest/target/Samba4.pm | 2 +- + source3/param/loadparm.c | 2 +- + source4/rpc_server/wscript_build | 3 ++- + 5 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +index 8a217cc7f11..c6642b795fd 100644 +--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml ++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml +@@ -6,6 +6,6 @@ + Specifies which DCE/RPC endpoint servers should be run. + + +-epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver ++epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver + rpcecho + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 16cb0d47f31..83b05260e09 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default"); + lpcfg_do_global_parameter(lp_ctx, "max connections", "0"); + +- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); ++ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver"); + lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns"); + lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true"); + /* the winbind method for domain controllers is for both RODC +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index d15156a538b..5687d2a8587 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -783,7 +783,7 @@ sub provision_raw_step1($$) + wins support = yes + server role = $ctx->{server_role} + server services = +echo $services +- dcerpc endpoint servers = +winreg +srvsvc ++ dcerpc endpoint servers = +winreg +srvsvc +rpcecho + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 12718ced9e7..e33751a27e3 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + + Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL); + +- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); ++ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL); + + Globals.tls_enabled = true; + Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE; +diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build +index 0e44a3c2bae..31ec4f60c9a 100644 +--- a/source4/rpc_server/wscript_build ++++ b/source4/rpc_server/wscript_build +@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho', + source='echo/rpc_echo.c', + subsystem='dcerpc_server', + init_function='dcerpc_server_rpcecho_init', +- deps='ndr-standard events' ++ deps='ndr-standard events', ++ enabled=bld.CONFIG_GET('ENABLE_SELFTEST') + ) + + +-- +2.25.1 + + +From 8ce92246a016f3e7f23b6a94ceb666f776e56998 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Tue, 12 Sep 2023 19:01:03 +1200 +Subject: [PATCH 2/2] CVE-2023-42669 s3-rpc_server: Disable rpcecho for + consistency with the AD DC + +The rpcecho server in source3 does have samba the sleep() feature that +the s4 version has, but the task architecture is different, so there +is not the same impact. Hoever equally this is not something that +should be enabled on production builds of Samba, so restrict to +selftest builds. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474 + +Signed-off-by: Andrew Bartlett +--- + source3/rpc_server/wscript_build | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/source3/rpc_server/wscript_build b/source3/rpc_server/wscript_build +index 341df41a321..5ed81283395 100644 +--- a/source3/rpc_server/wscript_build ++++ b/source3/rpc_server/wscript_build +@@ -38,6 +38,7 @@ bld.SAMBA3_BINARY('rpcd_rpcecho', + RPC_WORKER + RPC_RPCECHO + ''', ++ for_selftest=True, + install_path='${SAMBA_LIBEXECDIR}') + + bld.SAMBA3_BINARY('rpcd_classic', +-- +2.25.1 + diff --git a/SPECS/samba.spec b/SPECS/samba.spec index ececade..12942bc 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -138,7 +138,7 @@ %define samba_requires_eq() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} = %%{epoch}:%%{version}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") %global samba_version 4.18.6 -%global baserelease 100 +%global baserelease 101 # This should be rc1 or %%nil %global pre_release %nil @@ -234,6 +234,10 @@ Source17: samba-usershares-systemd-sysusers.conf Source201: README.downgrade Source202: samba.abignore +Patch0: CVE-2023-3961-pipename-4.18.6.patch +Patch1: CVE-2023-4091-truncate-4.18.patch +Patch2: CVE-2023-42669-remove-rpcecho-4.18.patch + Requires(pre): /usr/sbin/groupadd Requires(pre): %{name}-common = %{samba_depver} @@ -2024,7 +2028,6 @@ fi %{_libexecdir}/samba/rpcd_fsrvp %{_libexecdir}/samba/rpcd_lsad %{_libexecdir}/samba/rpcd_mdssvc -%{_libexecdir}/samba/rpcd_rpcecho %{_libexecdir}/samba/rpcd_spoolss %{_libexecdir}/samba/rpcd_winreg %{_mandir}/man8/samba-dcerpcd.8* @@ -4328,6 +4331,14 @@ fi %endif %changelog +* Mon Oct 09 2023 Pavel Filipenský - 4.18.6-101 +- resolves: RHEL-11937 + Fix CVE-2023-3961 - smbd must check the pipename +- resolves: RHEL-11937 + Fix CVE-2023-4091 - SMB clients can truncate files +- resolves: RHEL-11937 + Fix CVE-2023-42669 - Remove rpcecho server + * Thu Aug 17 2023 Andreas Schneider - 4.18.6-100 - related: rhbz#2190415 - Update to version 4.18.6 - resolves: rhbz#2211617 - Fix the rpcclient dfsgetinfo command