The branch, v4-15-test has been updated
       via  1e557547523 VERSION: Bump version up to Samba 4.15.12...
       via  37595203ef3 VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.
       via  c074cc854b9 WHATSNEW: Add release notes for Samba 4.15.11.
       via  e9db0373600 CVE-2022-3437 source4/heimdal: Pass correct length to _gssapi_verify_pad()
       via  77e0f2febaa CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()
       via  1aca3451551 CVE-2022-3437 source4/heimdal: Check buffer length against overflow for DES{,3} unwrap
       via  ebac8bf0478 CVE-2022-3437 source4/heimdal: Check the result of _gsskrb5_get_mech()
       via  5a62eb5734d CVE-2022-3437 source4/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
       via  9f6f1e01aca CVE-2022-3437 source4/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
       via  5f6dbf2ab29 CVE-2022-3437 source4/heimdal: Use constant-time memcmp() in unwrap_des3()
       via  c22914f845b CVE-2022-3437 source4/heimdal: Use constant-time memcmp() for arcfour unwrap
       via  310bffc0855 CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
       via  a49a3ac8e08 CVE-2022-3437 source4/heimdal_build: Add gssapi-subsystem subsystem
       via  fe1204d9da2 CVE-2022-3437 source4/heimdal: Remove __func__ compatibility workaround
       via  9f658aa5fe2 .gitlab-ci: Work around new git restrictions arising from CVE-2022-24765
       via  52ed3d07fd5 bootstrap: Migrate to CentOS8 Stream
       via  ae64b3bfc18 bootstrap: chown the whole cloned repo, not just the subfolders
       via  6881b17bf27 bootstrap: Fix CentOS8 runner
      from  1ad45400995 VERSION: Bump version up to Samba 4.15.11...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test

- Log -----------------------------------------------------------------
commit 1e557547523629ffa44ad40f89c9256f1ff90965
Author: Jule Anger <jan...@samba.org>
Date:   Tue Oct 25 11:43:56 2022 +0200

    VERSION: Bump version up to Samba 4.15.12...

    and re-enable GIT_SNAPSHOT.

    Signed-off-by: Jule Anger <jan...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .gitlab-ci-main.yml                           |   10 +-
 VERSION                                       |    2 +-
 WHATSNEW.txt                                  |   54 +-
 bootstrap/.gitlab-ci.yml                      |    4 +-
 bootstrap/config.py                           |   15 +-
 bootstrap/generated-dists/Vagrantfile         |   10 +-
 .../{centos8 => centos8s}/Dockerfile          |    2 +-
 .../{centos8 => centos8s}/bootstrap.sh        |    5 +-
 .../{centos8 => centos8s}/locale.sh           |    0
 .../{centos8 => centos8s}/packages.yml        |    0
 bootstrap/sha1sum.txt                         |    2 +-
 selftest/tests.py                             |    5 +
 source4/auth/tests/heimdal_unwrap_des.c       | 1247 ++++++++++++++++++++
 source4/auth/wscript_build                    |   21 +
 source4/heimdal/lib/gssapi/krb5/arcfour.c     |   24 +-
 source4/heimdal/lib/gssapi/krb5/decapsulate.c |   12 +-
 source4/heimdal/lib/gssapi/krb5/unwrap.c      |   34 +-
 source4/heimdal/lib/krb5/krb5_locl.h          |    4 -
 source4/heimdal_build/wscript_build           |   14 +-
 19 files changed, 1401 insertions(+), 64 deletions(-)
 rename bootstrap/generated-dists/{centos8 => centos8s}/Dockerfile (90%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/bootstrap.sh (93%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/locale.sh (100%)
 rename bootstrap/generated-dists/{centos8 => centos8s}/packages.yml (100%)
 create mode 100644 source4/auth/tests/heimdal_unwrap_des.c


Changeset truncated at 500 lines:

diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml index 125b3901832..e0b9b9d20b9 100644 --- a/.gitlab-ci-main.yml +++ b/.gitlab-ci-main.yml 
@@ -42,7 +42,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: dd2b9a1848eed2d200e1a525695e40f06c23d888 + SAMBA_CI_CONTAINER_TAG: fbf9c4c8a2055936d4ca279878df7811af46d86d # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -64,7 +64,7 @@ variables: SAMBA_CI_CONTAINER_IMAGE_fedora33: fedora33 SAMBA_CI_CONTAINER_IMAGE_fedora34: fedora34 SAMBA_CI_CONTAINER_IMAGE_centos7: centos7 - SAMBA_CI_CONTAINER_IMAGE_centos8: centos8 + SAMBA_CI_CONTAINER_IMAGE_centos8s: centos8s include: # The image creation details are specified in a separate file @@ -137,6 +137,8 @@ include: - export CXX="ccache c++" - ccache -z -M 500M - ccache -s + # We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI + - git config --global --add safe.directory `pwd` after_script: - mount - df -h @@ -594,10 +596,10 @@ centos7-samba-o3: # We need a newer GnuTLS version on CentOS7 PKG_CONFIG_PATH: "/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig" -centos8-samba-o3: +centos8s-samba-o3: extends: .samba-o3-template variables: - SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8} + SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_centos8s} fedora33-samba-o3: extends: .samba-o3-template diff --git a/VERSION b/VERSION index 5bcf8ec242d..1a5355b8a03 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=15 -SAMBA_VERSION_RELEASE=11 +SAMBA_VERSION_RELEASE=12 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 8c22b675d54..b62e20cbc53 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,54 @@ + =============================== + Release Notes for Samba 4.15.11 + October 25, 2022 + =============================== + + +This is a security release in order to address the following defect: + +o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI + unwrap_des() and unwrap_des3() routines of Heimdal (included + in Samba). + https://www.samba.org/samba/security/CVE-2022-3437.html + +Changes since 4.15.10 +--------------------- + +o Andrew Bartlett <abart...@samba.org> + * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba + 4.15. + +o Andreas Schneider <a...@samba.org> + * BUG 15193: Allow rebuild of Centos 8 images after move to vault for Samba + 4.15. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15134: CVE-2022-3437. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- =============================== Release Notes for Samba 4.15.10 September 28, 2022 
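Review bot: the new 4.15.11 entry describes CVE-2022-3437 only as "a limited write heap buffer overflow in the GSSAPI unwrap_des() and unwrap_des3() routines", but the commits on this branch under the same CVE also switch unwrap_des3() and the arcfour unwrap path to constant-time memcmp() and add overflow checks in _gsskrb5_get_mech() and _gssapi_verify_pad(); one sentence noting that the release also hardens those paths would help administrators judge exposure, with the advisory URL already given carrying the details. Minor: the "Samba 4.1 and newer product" bug-filing text is carried over from older notes and is fine, but the blank line after "Reporting bugs & Development Discussion" heading block is doubled.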
@@ -61,8 +112,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.15.9 July 27, 2022 diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index 33534f5f1dd..58e0642a70d 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -47,7 +47,7 @@ services: diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt # run smoke test with samba-o3 or samba-fuzz docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \ - /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" + /bin/bash -c "sudo chown -R samba:samba ${samba_repo_root} && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" docker tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG} docker tag ${ci_image_name} ${ci_image_path}:${timestamp_tag} # We build all images, but only upload is it's not marked as broken @@ -112,7 +112,7 @@ fedora33: fedora34: extends: .build_image_template -centos8: +centos8s: extends: .build_image_template centos7: diff --git a/bootstrap/config.py b/bootstrap/config.py index fd75a771252..164ab306329 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -230,7 +230,7 @@ if [ ! -f /usr/bin/python3 ]; then fi """ -CENTOS8_YUM_BOOTSTRAP = r""" +CENTOS8S_YUM_BOOTSTRAP = r""" #!/bin/bash {GENERATED_MARKER} set -xueo pipefail 
@@ -240,10 +240,9 @@ yum install -y dnf-plugins-core yum install -y epel-release yum -v repolist all -yum config-manager --set-enabled PowerTools -y || \ +yum config-manager --set-enabled powertools -y || \ yum config-manager --set-enabled powertools -y -yum config-manager --set-enabled Devel -y || \ - yum config-manager --set-enabled devel -y + yum update -y yum install -y \ @@ -471,10 +470,10 @@ RPM_DISTS = { 'tracker-devel': '', # do not install } }, - 'centos8': { - 'docker_image': 'centos:8', - 'vagrant_box': 'centos/8', - 'bootstrap': CENTOS8_YUM_BOOTSTRAP, + 'centos8s': { + 'docker_image': 'quay.io/centos/centos:stream8', + 'vagrant_box': 'centos/stream8', + 'bootstrap': CENTOS8S_YUM_BOOTSTRAP, 'replace': { 'lsb-release': 'redhat-lsb', '@development-tools': '"@Development Tools"', # add quotes diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 780320ec7c8..10075800c01 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -17,11 +17,11 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "centos7/locale.sh" end - config.vm.define "centos8" do |v| - v.vm.box = "centos/8" - v.vm.hostname = "centos8" - v.vm.provision :shell, path: "centos8/bootstrap.sh" - v.vm.provision :shell, path: "centos8/locale.sh" + config.vm.define "centos8s" do |v| + v.vm.box = "centos/stream8" + v.vm.hostname = "centos8s" + v.vm.provision :shell, path: "centos8s/bootstrap.sh" + v.vm.provision :shell, path: "centos8s/locale.sh" end config.vm.define "debian10" do |v| diff --git a/bootstrap/generated-dists/centos8/Dockerfile b/bootstrap/generated-dists/centos8s/Dockerfile similarity index 90% rename from bootstrap/generated-dists/centos8/Dockerfile rename to bootstrap/generated-dists/centos8s/Dockerfile index f6343e9d5a2..1c932f58a94 100644 --- a/bootstrap/generated-dists/centos8/Dockerfile +++ b/bootstrap/generated-dists/centos8s/Dockerfile 
@@ -3,7 +3,7 @@ # See also bootstrap/config.py # -FROM centos:8 +FROM quay.io/centos/centos:stream8 # pass in with --build-arg while build ARG SHA1SUM diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8s/bootstrap.sh similarity index 93% rename from bootstrap/generated-dists/centos8/bootstrap.sh rename to bootstrap/generated-dists/centos8s/bootstrap.sh index 60cf3937cf7..1111450c400 100755 --- a/bootstrap/generated-dists/centos8/bootstrap.sh +++ b/bootstrap/generated-dists/centos8s/bootstrap.sh @@ -12,10 +12,9 @@ yum install -y dnf-plugins-core yum install -y epel-release yum -v repolist all -yum config-manager --set-enabled PowerTools -y || \ +yum config-manager --set-enabled powertools -y || \ yum config-manager --set-enabled powertools -y -yum config-manager --set-enabled Devel -y || \ - yum config-manager --set-enabled devel -y + yum update -y yum install -y \ diff --git a/bootstrap/generated-dists/centos8/locale.sh b/bootstrap/generated-dists/centos8s/locale.sh similarity index 100% rename from bootstrap/generated-dists/centos8/locale.sh rename to bootstrap/generated-dists/centos8s/locale.sh diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8s/packages.yml similarity index 100% rename from bootstrap/generated-dists/centos8/packages.yml rename to bootstrap/generated-dists/centos8s/packages.yml diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 11369ced5f7..120d935186d 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -dd2b9a1848eed2d200e1a525695e40f06c23d888 +fbf9c4c8a2055936d4ca279878df7811af46d86d diff --git a/selftest/tests.py b/selftest/tests.py index c87b41c1a66..1331a6841e0 100644 --- a/selftest/tests.py +++ b/selftest/tests.py 
@@ -47,6 +47,8 @@ with_pam = ("WITH_PAM" in config_hash) with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash) pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH") pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH") +have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash +using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash planpythontestsuite("none", "samba.tests.source") if have_man_pages_support: @@ -429,6 +431,9 @@ plantestsuite("samba.unittests.test_registry_regfio", "none", [os.path.join(bindir(), "default/source3/test_registry_regfio")]) plantestsuite("samba.unittests.test_oLschema2ldif", "none", [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")]) +if have_heimdal_support and not using_system_gssapi: + plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none", + [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))]) if with_elasticsearch_backend: plantestsuite("samba.unittests.mdsparser_es", "none", [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration]) diff --git a/source4/auth/tests/heimdal_unwrap_des.c b/source4/auth/tests/heimdal_unwrap_des.c new file mode 100644 index 00000000000..dc31e9d0ad1 --- /dev/null +++ b/source4/auth/tests/heimdal_unwrap_des.c 
@@ -0,0 +1,1247 @@ +/* + * Unit tests for source4/heimdal/lib/gssapi/krb5/unwrap.c + * + * Copyright (C) Catalyst.NET Ltd 2022 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see <http://www.gnu.org/licenses/>. + * + */ + +/* + * from cmocka.c: + * These headers or their equivalents should be included prior to + * including + * this header file. + * + * #include <stdarg.h> + * #include <stddef.h> + * #include <setjmp.h> + * + * This allows test applications to use custom definitions of C standard + * library functions and types. + * + */ + +#include <stdarg.h> +#include <stddef.h> +#include <setjmp.h> + +#include <cmocka.h> + +#include "includes.h" +#include "replace.h" + +#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_ +#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x) + +#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h" +#include "gsskrb5_locl.h" + +/****************************************************************************** + * Helper functions + ******************************************************************************/ + +const uint8_t *valid_range_begin; +const uint8_t *valid_range_end; +const uint8_t *invalid_range_end; + +/* + * 'array_len' is the size of the passed in array. 'buffer_len' is the size to + * report in the resulting buffer. 
+ */ +static const gss_buffer_desc get_input_buffer(TALLOC_CTX *mem_ctx, + const uint8_t array[], + const size_t array_len, + const size_t buffer_len) +{ + gss_buffer_desc buf; + + /* Add some padding to catch invalid memory accesses. */ + const size_t padding = 0x100; + const size_t padded_len = array_len + padding; + + uint8_t *data = talloc_size(mem_ctx, padded_len); + assert_non_null(data); + + memcpy(data, array, array_len); + memset(data + array_len, 0, padding); + + assert_in_range(buffer_len, 0, array_len); + + buf.value = data; + buf.length = buffer_len; + + valid_range_begin = buf.value; + valid_range_end = valid_range_begin + buf.length; + invalid_range_end = valid_range_begin + padded_len; + + return buf; +} + +static void assert_mem_in_valid_range(const uint8_t *ptr, const size_t len) +{ + /* Ensure we've set up the range pointers properly. */ + assert_non_null(valid_range_begin); + assert_non_null(valid_range_end); + assert_non_null(invalid_range_end); + + /* + * Ensure the length isn't excessively large (a symptom of integer + * underflow). + */ + assert_in_range(len, 0, 0x1000); + + /* Ensure the memory is in our valid range. */ + assert_in_range(ptr, valid_range_begin, valid_range_end); + assert_in_range(ptr + len, valid_range_begin, valid_range_end); +} + +/* + * This function takes a pointer to volatile to allow it to be called from the + * ct_memcmp() wrapper. + */ +static void assert_mem_outside_invalid_range(const volatile uint8_t *ptr, + const size_t len) +{ + const LargestIntegralType _valid_range_end + = cast_ptr_to_largest_integral_type(valid_range_end); + const LargestIntegralType _invalid_range_end + = cast_ptr_to_largest_integral_type(invalid_range_end); + const LargestIntegralType _ptr = cast_ptr_to_largest_integral_type(ptr); + const LargestIntegralType _len = cast_to_largest_integral_type(len); + + /* Ensure we've set up the range pointers properly. 
*/ + assert_non_null(valid_range_begin); + assert_non_null(valid_range_end); + assert_non_null(invalid_range_end); + + /* + * Ensure the length isn't excessively large (a symptom of integer + * underflow). + */ + assert_in_range(len, 0, 0x1000); + + /* Ensure the memory is outside the invalid range. */ + if (_ptr < _invalid_range_end && _ptr + _len > _valid_range_end) { + fail(); + } +} + +/***************************************************************************** + * wrapped functions + *****************************************************************************/ + +krb5_keyblock dummy_key; + +krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock **keyblock); +krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context, + krb5_auth_context auth_context, + krb5_keyblock **keyblock) +{ + *keyblock = &dummy_key; + return 0; +} + +void __wrap_krb5_free_keyblock(krb5_context context, + krb5_keyblock *keyblock); +void __wrap_krb5_free_keyblock(krb5_context context, + krb5_keyblock *keyblock) +{ + assert_ptr_equal(&dummy_key, keyblock); +} + +struct krb5_crypto_data dummy_crypto; + +krb5_error_code __wrap_krb5_crypto_init(krb5_context context, + const krb5_keyblock *key, + krb5_enctype etype, + krb5_crypto *crypto); +krb5_error_code __wrap_krb5_crypto_init(krb5_context context, + const krb5_keyblock *key, + krb5_enctype etype, + krb5_crypto *crypto) +{ + static const LargestIntegralType etypes[] = {ETYPE_DES3_CBC_NONE, 0}; + + assert_ptr_equal(&dummy_key, key); + assert_in_set(etype, etypes, ARRAY_SIZE(etypes)); + + *crypto = &dummy_crypto; + + return 0; +} + +krb5_error_code __wrap_krb5_decrypt(krb5_context context, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + krb5_data *result); +krb5_error_code __wrap_krb5_decrypt(krb5_context context, + krb5_crypto crypto, + unsigned usage, + void *data, + size_t len, + krb5_data *result) +{ + 
assert_ptr_equal(&dummy_crypto, crypto); + assert_int_equal(KRB5_KU_USAGE_SEAL, usage); + + assert_mem_in_valid_range(data, len); + + check_expected(len); + check_expected_ptr(data); + + result->data = malloc(len); + assert_non_null(result->data); + result->length = len; -- Samba Shared Repository
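Review bot: in the .gitlab-ci-main.yml hunk, the new line `- git config --global --add safe.directory \`pwd\`` should quote its substitution as `"$(pwd)"` so a checkout path with whitespace is not word-split, and the comment above it should say what is being opted out of: git's CVE-2022-24765 check that refuses to operate on a repository owned by a different user than the one running git, which is what the bootstrap chown to `samba:samba` provokes in the container. Scoping the opt-out to the exact checkout path (as done here) rather than `*` is the right call and worth stating in the comment, since "remove additional checks that break our CI" reads as if the check were noise.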
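Review bot: in the bootstrap/.gitlab-ci.yml hunk, replacing `sudo chown -R samba:samba ./**` with `sudo chown -R samba:samba ${samba_repo_root}` is correct: without bash's `globstar` option `./**` behaves as `./*`, which skips dotfiles such as `.git`, so the repository root and its git metadata kept their original owner. Since `${samba_repo_root}` is expanded by the outer shell before the inner `bash -c` string is parsed, wrap it as `\"${samba_repo_root}\"` inside the quoted command to keep the same robustness against paths with spaces that the rest of the line lacks.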
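Review bot: in the bootstrap/config.py hunk (and the identical hunk in the generated bootstrap/generated-dists/centos8s/bootstrap.sh), both sides of the `||` are now the same command, `yum config-manager --set-enabled powertools -y || yum config-manager --set-enabled powertools -y`, so the fallback is dead and a single invocation suffices; dropping the `Devel` repo lines also leaves a stray empty `+` line in both files. Whatever is chosen must be made in the template in config.py and then re-rendered, since bootstrap/sha1sum.txt and SAMBA_CI_CONTAINER_TAG in .gitlab-ci-main.yml are updated to `fbf9c4c8a2055936d4ca279878df7811af46d86d` in this same change and must keep matching the generated files.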
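Review bot: in the selftest/tests.py hunk, the new suite is located at `os.path.join(bindir(), "test_heimdal_gensec_unwrap_des")` while the neighbouring entries use `default/source3/...` and `default/source4/...` subpaths; please confirm that source4/auth/wscript_build (in the diffstat but beyond the 500-line truncation here) installs the binary at the top level of bindir, otherwise the test will not be found at run time. The `have_heimdal_support and not using_system_gssapi` gate is right, because the test includes the in-tree `gsskrb5_locl.h` and wraps internal Heimdal symbols, and the `valgrindify()` wrapper is what turns an out-of-bounds read in unwrap into a hard failure rather than a silent pass, so both should stay.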
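Review bot: in source4/auth/tests/heimdal_unwrap_des.c, `__wrap_krb5_crypto_init()` accepts `etypes[] = {ETYPE_DES3_CBC_NONE, 0}` without saying which code path is expected to pass enctype 0; either add a comment naming that caller or drop the 0 so an unexpected enctype fails the test. Smaller points in the same file: `static const gss_buffer_desc get_input_buffer(...)` returns a const-qualified value, which has no effect on a by-value return and trips -Wignored-qualifiers, so drop the `const`; `valid_range_begin`, `valid_range_end`, `invalid_range_end`, `dummy_key` and `dummy_crypto` are file-scope definitions that should be `static`; and `#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h"` climbs from source4/auth/tests to the source root and back down, so the root-relative `source4/heimdal/lib/gssapi/gssapi/gssapi.h` form used elsewhere in the tree is clearer if the include path already reaches it (the adjacent `#include "includes.h"` suggests it does).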