diff -Nru samba-4.7.6+dfsg~ubuntu/debian/changelog samba-4.7.6+dfsg~ubuntu/debian/changelog
--- samba-4.7.6+dfsg~ubuntu/debian/changelog 2021-11-10 14:29:48.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/changelog 2022-11-09 14:42:14.000000000 +0000
@@ -1,3 +1,66 @@ +samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.29) bionic; urgency=medium + + * d/p/win-22H2-fix.patch: fix interoperability with Windows 22H2 + clients (LP: #1993934) + + -- Andreas Hasenack Wed, 09 Nov 2022 11:42:14 -0300 + +samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.28) bionic-security; urgency=medium + + * SECURITY UPDATE: code exec via out-of-bounds read/write in vfs_fruit + - debian/patches/CVE-2021-44142-1.patch: add defines for icon lengths + in source3/modules/vfs_fruit.c. + - debian/patches/CVE-2021-44142-2.patch: add Netatalk xattr used by + vfs_fruit to the list of private Samba xattrs in + source3/smbd/trans2.c. + - debian/patches/CVE-2021-44142-3.patch: harden ad_unpack_xattrs() in + source3/modules/vfs_fruit.c. + - debian/patches/CVE-2021-44142-4.patch: tweak buffer size check in + source3/modules/vfs_fruit.c. + - debian/patches/CVE-2021-44142-5.patch: add basic cmocka tests in + selftest/knownfail.d/samba.unittests.adouble, selftest/tests.py, + source3/lib/test_adouble.c, source3/wscript_build. + - debian/patches/CVE-2021-44142-6.patch: harden parsing code in + source3/modules/vfs_fruit.c. + - CVE-2021-44142 + + -- Marc Deslauriers Tue, 25 Jan 2022 10:20:03 -0500 + +samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.27) bionic-security; urgency=medium + + * SECURITY REGRESSION: Kerberos authentication on standalone server in + MIT realm broken + - debian/patches/bug14922.patch: fix MIT Realm regression in + source3/auth/user_krb5.c. + + -- Marc Deslauriers Mon, 13 Dec 2021 07:12:56 -0500 + +samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.26) bionic-security; urgency=medium + + * SECURITY UPDATE: SMB1 client connections can be downgraded to plaintext + authentication + - debian/patches/CVE-2016-2124-*.patch: upstream commits to fix issue. + - CVE-2016-2124 + * SECURITY UPDATE: user in AD Domain could become root on domain members + - debian/patches/CVE-2020-25717-*.patch: upstream commits to fix issue. + - debian/patches/bug14901-*.patch: upstream commits to fix regression. 
+ - CVE-2020-25717 + * SECURITY UPDATE: insufficient access and conformance checking of data + stored + - debian/patches/CVE-2020-25722-1.patch: restrict the setting of + privileged attributes during LDAP add/modify in + source4/dsdb/samdb/ldb_modules/samldb.c. + - debian/patches/CVE-2020-25722-2.patch: ensure the structural + objectclass cannot be changed in + source4/dsdb/samdb/ldb_modules/objectclass.c. + - CVE-2020-25722 + * SECURITY UPDATE: null pointer deref in kerberos server + - debian/patches/CVE-2021-3671.patch: validate sname in TGS-REQ in + source4/heimdal/kdc/krb5tgs.c. + - CVE-2021-3671 + + -- Marc Deslauriers Thu, 02 Dec 2021 08:23:22 -0500 + samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.24) bionic; urgency=medium * samba.postinst: do not populate sambashare from the Ubuntu admin group diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-1.patch samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-1.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-1.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,49 @@ +From 8b9d36221930a487ca5c51bf2e38ed04de9d50f7 Mon Sep 17 00:00:00 2001 +From: Volker Lendecke +Date: Thu, 18 Oct 2018 05:46:37 +0200 +Subject: [PATCH] lib: Add dom_sid_str_buf + +This is modeled after server_id_str_buf, which as an API to me is easier to +use: I can rely on the compiler to get the buffer size right. + +It is designed to violate README.Coding's "Make use of helper variables", but +as this API is simple enough and the output should never be a surprise at all, +I think that's worth it. + +Signed-off-by: Volker Lendecke +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Fri Nov 2 20:11:11 CET 2018 on sn-devel-144 +--- + libcli/security/dom_sid.c | 10 ++++++++++ + libcli/security/dom_sid.h | 2 ++ + 2 files changed, 12 insertions(+) + +--- a/libcli/security/dom_sid.c ++++ b/libcli/security/dom_sid.c +@@ -425,3 +425,13 @@ char *dom_sid_string(TALLOC_CTX *mem_ctx + talloc_set_name_const(result, result); + return result; + } ++ ++char *dom_sid_str_buf(const struct dom_sid *sid, struct dom_sid_buf *dst) ++{ ++ int ret; ++ ret = dom_sid_string_buf(sid, dst->buf, sizeof(dst->buf)); ++ if ((ret < 0) || (ret >= sizeof(dst->buf))) { ++ strlcpy(dst->buf, "(INVALID SID)", sizeof(dst->buf)); ++ } ++ return dst->buf; ++} +--- a/libcli/security/dom_sid.h ++++ b/libcli/security/dom_sid.h +@@ -88,6 +88,8 @@ bool dom_sid_in_domain(const struct dom_ + int dom_sid_string_buf(const struct dom_sid *sid, char *buf, int buflen); + char *dom_sid_string(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); + ++struct dom_sid_buf { char buf[DOM_SID_STR_BUFLEN]; }; ++char *dom_sid_str_buf(const struct dom_sid *sid, struct dom_sid_buf *dst); + + const char *sid_type_lookup(uint32_t sid_type); + const struct security_token *get_system_token(void); diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-2.patch samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-2.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-2.patch 
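Review bot: dom_sid_str_buf() substitutes the literal "(INVALID SID)" both when dom_sid_string_buf() fails (ret < 0) and when it would truncate (ret >= sizeof), and nothing in the dom_sid.h declaration tells callers that the returned text may not be a SID at all; later patches in this series print the result in security-relevant DBG_ERR lines, so the declaration should carry a comment such as `/* Never fails: on a malformed SID or a too-small buffer the result is the literal "(INVALID SID)", so never parse the returned string. */`. The `ret >= sizeof(dst->buf)` comparison mixes int and size_t and is only safe because the `ret < 0` test runs first; writing it as `(size_t)ret >= sizeof(dst->buf)` makes that ordering dependency explicit. The placeholder also needs DOM_SID_STR_BUFLEN to be at least 14 bytes to survive strlcpy() intact, which the hunk does not show.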
1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-2.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,92 @@ +From 9b272b42b18c277887dc4eb657e372dccd3d5f5a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 12 Nov 2021 15:27:58 +0100 +Subject: [PATCH 2/7] CVE-2020-25717: idmap_nss: verify that the name of the + sid belongs to the configured domain + +We already check the sid belongs to the domain, but checking the name +too feels better and make it easier to understand. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Ralph Boehme + +[abartlet@samba.org backorted from commit bfd093648b4af51d104096c0cb3535e8706671e5 + as header libcli/security/dom_sid.h was not present for struct dom_sid_buf] + +[abartlet@samba.org fix CVE marker] +--- + source3/winbindd/idmap_nss.c | 27 ++++++++++++++++++++++----- + 1 file changed, 22 insertions(+), 5 deletions(-) + +diff --git a/source3/winbindd/idmap_nss.c b/source3/winbindd/idmap_nss.c +index 9e1efefeb24..3ffffd0a20e 100644 +--- a/source3/winbindd/idmap_nss.c ++++ b/source3/winbindd/idmap_nss.c +@@ -25,6 +25,7 @@ + #include "nsswitch/winbind_client.h" + #include "idmap.h" + #include "lib/winbind_util.h" ++#include "libcli/security/dom_sid.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_IDMAP +@@ -135,18 +136,21 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma + for (i = 0; ids[i]; i++) { + struct group *gr; + enum lsa_SidType type; +- const char *p = NULL; ++ const char *_domain = NULL; ++ const char *_name = NULL; ++ char *domain = NULL; + char *name = NULL; + bool ret; + + /* by default calls to winbindd are disabled + the following call will not recurse so this is safe */ + (void)winbind_on(); +- ret = winbind_lookup_sid(talloc_tos(), ids[i]->sid, NULL, +- &p, &type); ++ ret = winbind_lookup_sid(talloc_tos(), ++ ids[i]->sid, ++ &_domain, ++ &_name, ++ &type); + (void)winbind_off(); +- name = discard_const_p(char, p); +- + if (!ret) { + /* TODO: how do we know if the name is really not mapped, + * or something 
just failed ? */ +@@ -154,6 +158,18 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma + continue; + } + ++ domain = discard_const_p(char, _domain); ++ name = discard_const_p(char, _name); ++ ++ if (!strequal(domain, dom->name)) { ++ struct dom_sid_buf buf; ++ DBG_ERR("DOMAIN[%s] ignoring SID[%s] belongs to %s [%s\\%s]\n", ++ dom->name, dom_sid_str_buf(ids[i]->sid, &buf), ++ sid_type_lookup(type), domain, name); ++ ids[i]->status = ID_UNMAPPED; ++ continue; ++ } ++ + switch (type) { + case SID_NAME_USER: { + struct passwd *pw; +@@ -186,6 +202,7 @@ static NTSTATUS idmap_nss_sids_to_unixids(struct idmap_domain *dom, struct id_ma + ids[i]->status = ID_UNKNOWN; + break; + } ++ TALLOC_FREE(domain); + TALLOC_FREE(name); + } + return NT_STATUS_OK; +-- +2.25.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-3.patch samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-3.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-3.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/bug14901-3.patch 2022-11-09 14:42:14.000000000 +0000 
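Review bot: on the new domain-mismatch path the `continue` skips the `TALLOC_FREE(domain)` / `TALLOC_FREE(name)` at the bottom of the loop, so the strings winbind_lookup_sid() handed back on talloc_tos() stay alive for every rejected SID until the enclosing stackframe is released; release them before leaving the iteration: `TALLOC_FREE(domain); TALLOC_FREE(name); continue;`. The rejection itself is the right call, since the SID resolved but under a domain name other than the one this idmap_domain serves, and a one-line comment would help the next reader, e.g. `/* Defence in depth on top of the SID-ownership check: a name from another domain must never be looked up in this backend */`. The loop body and idmap_nss_sids_to_unixids() continue outside the hunk.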
@@ -0,0 +1,112 @@ +From e05e7ec2d5d0a4ec20a6fdd97b82b1520fd676ca Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 12 Nov 2021 16:10:31 +1300 +Subject: [PATCH 7/7] CVE-2020-25717: s3:auth: Fallback to a SID/UID based + mapping if the named based lookup fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Before the CVE-2020-25717 fixes we had a fallback from +getpwnam('DOMAIN\user') to getpwnam('user') which was very dangerous and +unpredictable. + +Now we do the fallback based on sid_to_uid() followed by +getpwuid() on the returned uid. + +This obsoletes 'username map [script]' based workaround adviced +for CVE-2020-25717, when nss_winbindd is not used or +idmap_nss is actually used. + +In future we may decide to prefer or only do the SID/UID based +lookup, but for now we want to keep this unchanged as much as possible. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Andrew Bartlett +Signed-off-by: Stefan Metzmacher + +[metze@samba.org moved the new logic into the fallback codepath only + in order to avoid behavior changes as much as possible] +Reviewed-by: Ralph Boehme + +Autobuild-User(master): Ralph Böhme +Autobuild-Date(master): Mon Nov 15 19:01:56 UTC 2021 on sn-devel-184 + +[abartlet@samba.org backported from commit 0a546be05295a7e4a552f9f4f0c74aeb2e9a0d6e + as usage.py is not present in Samba 4.10] +--- + selftest/knownfail.d/idmap_nss_sid_mapping | 2 -- + source3/auth/auth_util.c | 34 +++++++++++++++++++++- + 2 files changed, 33 insertions(+), 3 deletions(-) + delete mode 100644 selftest/knownfail.d/idmap_nss_sid_mapping + +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1207,7 +1207,9 @@ const struct auth_session_info *get_sess + ***************************************************************************/ + + static NTSTATUS check_account(TALLOC_CTX *mem_ctx, const char *domain, +- const char *username, char 
**found_username, ++ const char *username, ++ const struct dom_sid *sid, ++ char **found_username, + struct passwd **pwd, + bool *username_was_mapped) + { +@@ -1242,6 +1244,31 @@ static NTSTATUS check_account(TALLOC_CTX + } + + passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false); ++ if (!passwd && !*username_was_mapped) { ++ struct dom_sid_buf buf; ++ uid_t uid; ++ bool ok; ++ ++ DBG_DEBUG("Failed to find authenticated user %s via " ++ "getpwnam(), fallback to sid_to_uid(%s).\n", ++ dom_user, dom_sid_str_buf(sid, &buf)); ++ ++ ok = sid_to_uid(sid, &uid); ++ if (!ok) { ++ DBG_ERR("Failed to convert SID %s to a UID (dom_user[%s])\n", ++ dom_sid_str_buf(sid, &buf), dom_user); ++ return NT_STATUS_NO_SUCH_USER; ++ } ++ passwd = getpwuid_alloc(mem_ctx, uid); ++ if (!passwd) { ++ DBG_ERR("Failed to find local account with UID %lld for SID %s (dom_user[%s])\n", ++ (long long)uid, ++ dom_sid_str_buf(sid, &buf), ++ dom_user); ++ return NT_STATUS_NO_SUCH_USER; ++ } ++ real_username = talloc_strdup(mem_ctx, passwd->pw_name); ++ } + if (!passwd) { + DEBUG(3, ("Failed to find authenticated user %s via " + "getpwnam(), denying access.\n", dom_user)); +@@ -1387,6 +1414,7 @@ NTSTATUS make_server_info_info3(TALLOC_C + bool username_was_mapped; + struct passwd *pwd; + struct auth_serversupplied_info *result; ++ struct dom_sid sid; + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + + /* +@@ -1433,9 +1461,13 @@ NTSTATUS make_server_info_info3(TALLOC_C + + /* this call will try to create the user if necessary */ + ++ sid_copy(&sid, info3->base.domain_sid); ++ sid_append_rid(&sid, info3->base.rid); ++ + nt_status = check_account(tmp_ctx, + nt_domain, + nt_username, ++ &sid, + &found_username, + &pwd, + &username_was_mapped); diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/bug14922.patch samba-4.7.6+dfsg~ubuntu/debian/patches/bug14922.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/bug14922.patch 1970-01-01 00:00:00.000000000 +0000 +++ 
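Review bot: in the new sid_to_uid() fallback the result of `real_username = talloc_strdup(mem_ctx, passwd->pw_name);` is never checked, so an allocation failure leaves real_username NULL while the function proceeds as if the account had been found; add `if (real_username == NULL) { return NT_STATUS_NO_MEMORY; }` directly after it. In make_server_info_info3 the value of `sid_append_rid(&sid, info3->base.rid)` is also discarded; if it returns bool here as elsewhere in Samba, a domain_sid from the DC that already carries the maximum number of sub-authorities leaves `sid` as the bare domain SID, and that is what check_account() would then push through sid_to_uid(), so its return value should be checked and routed to the function's existing error path (outside the hunk). A comment above the fallback stating why it is limited to `!*username_was_mapped` would also help, e.g. `/* A mapped name was chosen by the admin; only fall back to the SID for unmapped users */`. check_account() and make_server_info_info3() both continue outside the hunk.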
samba-4.7.6+dfsg~ubuntu/debian/patches/bug14922.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,62 @@ +From 1e27b820dff2ff9ef99b4d5dc8e85548a2ad92b4 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 26 Nov 2021 10:57:17 +0100 +Subject: [PATCH] CVE-2020-25717: s3-auth: fix MIT Realm regression + +This looks like a regression introduced by the recent security fixes. This +commit should hopefully fixes it. + +As a quick solution it might be possible to use the username map script based on +the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not +sure this behaves identical, but it might work in the standalone server case. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 + +Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Ralph Boehme +Signed-off-by: Stefan Metzmacher +(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b) +--- + source3/auth/user_krb5.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c +index b8f37cbeee0..169bf563368 100644 +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + char *fuser = NULL; + char *unixuser = NULL; + struct passwd *pw = NULL; ++ bool may_retry = false; + + DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); + +@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + domain = realm; + } else { + domain = lp_workgroup(); ++ may_retry = true; + } + + fuser = talloc_asprintf(mem_ctx, +@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + *mapped_to_guest = false; + + pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); ++ if (may_retry && pw == NULL && !*is_mapped) { ++ fuser = talloc_strdup(mem_ctx, user); ++ if (!fuser) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); ++ } + if (pw) { + if (!unixuser) { + return 
NT_STATUS_NO_MEMORY; +-- +2.25.1 + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-1.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-1.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-1.patch 2022-11-09 14:42:14.000000000 +0000 
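Review bot: the retry at the end of the hunk looks up the bare `user` after `DOMAIN\user` failed, which re-creates a realm-less name lookup of the kind the CVE-2020-25717 series removed; it is gated only by `may_retry` (the `lp_workgroup()` branch) and `!*is_mapped`, so a ticket for `user@REALM` from whatever realm this server's keytab validates presumably lands on the local account `user`. If that is intended only for a standalone server in an MIT realm, as the commit message says, the condition should say so — for instance by also requiring `lp_server_role() == ROLE_STANDALONE` if that helper is usable here — and the path should be visible in the auth log, `DBG_NOTICE("Falling back to bare user %s for principal %s\n", user, princ_name);`, so a realm-dropping mapping is never silent. The earlier `fuser` from talloc_asprintf() is overwritten without being freed; it lives on mem_ctx so the leak is small, but `TALLOC_FREE(fuser);` before the talloc_strdup() is cheap. get_user_from_kerberos_info() continues outside the hunk.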
@@ -0,0 +1,62 @@ +From b1545cf4c40809bf0ecc6dc09411277775313a5c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 24 Nov 2016 09:12:59 +0100 +Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non + spnego authentication if we require kerberos + +We should not send NTLM[v2] data on the wire if the user asked for kerberos +only. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 + +Signed-off-by: Stefan Metzmacher +--- + source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c +index 6ee4929e8d7..a0a1f4baa56 100644 +--- a/source4/libcli/smb_composite/sesssetup.c ++++ b/source4/libcli/smb_composite/sesssetup.c +@@ -620,6 +620,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se + struct composite_context *c; + struct sesssetup_state *state; + NTSTATUS status; ++ enum credentials_use_kerberos krb5_state = ++ cli_credentials_get_kerberos_state(io->in.credentials); + + c = composite_create(session, session->transport->ev); + if (c == NULL) return NULL; +@@ -635,6 +637,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se + + /* no session setup at all in earliest protocol varients */ + if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return c; ++ } + ZERO_STRUCT(io->out); + composite_done(c); + return c; +@@ -642,9 +648,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se + + /* see what session setup interface we will use */ + if (session->transport->negotiate.protocol < PROTOCOL_NT1) { ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return c; ++ } + status = session_setup_old(c, session, io, 
&state->req); + } else if (!session->transport->options.use_spnego || + !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return c; ++ } + status = session_setup_nt1(c, session, io, &state->req); + } else { + struct tevent_req *subreq = NULL; +-- +2.31.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-2.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-2.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2016-2124-2.patch 2022-11-09 14:42:14.000000000 +0000 
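Review bot: the `CRED_MUST_USE_KERBEROS` refusal is pasted three times (below LANMAN1, below NT1, and the no-SPNEGO/no-CAP_EXTENDED_SECURITY case), and since every non-SPNEGO branch ends up refused a single guard in front of the dispatch would read better and is harder to miss when a branch is added later: `bool spnego = session->transport->negotiate.protocol >= PROTOCOL_NT1 && session->transport->options.use_spnego && (io->in.capabilities & CAP_EXTENDED_SECURITY); if (!spnego && krb5_state == CRED_MUST_USE_KERBEROS) { composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); return c; }`. A short comment on the chosen status would also help, e.g. `/* Kerberos was mandated but this dialect can only carry NTLM/plaintext: refuse rather than downgrade (CVE-2016-2124) */`. Only CRED_MUST_USE_KERBEROS is refused; CRED_AUTO_USE_KERBEROS still falls through to NTLM on these dialects, which matches the commit message but is worth stating in that comment.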
@@ -0,0 +1,32 @@ +From 363417d8e3b42a539f374b26f7a5f2a7c0e5e2e8 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 27 Oct 2016 10:40:28 +0200 +Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego + authentication if we require kerberos + +We should not send NTLM[v2] nor plaintext data on the wire if the user +asked for kerberos only. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 + +Signed-off-by: Stefan Metzmacher +--- + source3/libsmb/cliconnect.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/source3/libsmb/cliconnect.c ++++ b/source3/libsmb/cliconnect.c +@@ -1456,6 +1456,13 @@ struct tevent_req *cli_session_setup_cre + return req; + } + ++ if (krb5_state == CRED_MUST_USE_KERBEROS) { ++ DBG_WARNING("Kerberos authentication requested, but " ++ "the server does not support SPNEGO authentication\n"); ++ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); ++ return tevent_req_post(req, ev); ++ } ++ + if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) { + /* + * SessionSetupAndX was introduced by LANMAN 1.0. So we skip diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-01.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-01.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-01.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-01.patch 2022-11-09 14:42:14.000000000 +0000 
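Review bot: the new guard blocks the downgrade only for `CRED_MUST_USE_KERBEROS`, so a credential in the `CRED_AUTO_USE_KERBEROS` state (presumably the default) still continues into the SessionSetupAndX/NTLM path below it unless the caller opted in to "must"; that deserves a comment next to the check, e.g. `/* Only an explicit "must use kerberos" blocks the fallback; CRED_AUTO_USE_KERBEROS still downgrades to NTLM or plaintext here */`. The DBG_WARNING text says the server "does not support SPNEGO", but the check sits ahead of the `smbXcli_conn_protocol() < PROTOCOL_LANMAN1` dialect test, so it is apparently also reached for old dialects that never negotiate SPNEGO at all; "no SPNEGO session setup was negotiated" would be the more accurate wording. The enclosing function and the declaration of `krb5_state` are outside the hunk.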
@@ -0,0 +1,56 @@ +From fadb11b98765a7bd379186444f9622294d2d19d6 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Sat, 18 Jan 2020 08:06:45 +0100 +Subject: [PATCH 01/30] s3/auth: use set_current_user_info() in + auth3_generate_session_info_pac() + +This delays reloading config slightly, but I don't see how could affect +observable behaviour other then log messages coming from the functions in +between the different locations for lp_load_with_shares() like +make_session_info_krb5() are sent to a different logfile if "log file" uses %U. + +Signed-off-by: Ralph Boehme +Reviewed-by: Andreas Schneider +(cherry picked from commit dc4b1e39ce1f2201a2d6ae2d4cffef2448f69a62) + +[scabrero@samba.org Prerequisite for CVE-2020-25717 backport] +--- + source3/auth/auth_generic.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 6dedeedd302..82fcc150620 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -157,12 +157,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + } + } + +- /* setup the string used by %U */ +- sub_set_smb_name(username); +- +- /* reload services so that the new %U is taken into account */ +- lp_load_with_shares(get_dyn_CONFIGFILE()); +- + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, + info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, +@@ -174,6 +168,14 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + goto done; + } + ++ /* setup the string used by %U */ ++ set_current_user_info((*session_info)->unix_info->sanitized_username, ++ (*session_info)->unix_info->unix_name, ++ (*session_info)->info->domain_name); ++ ++ /* reload services so that the new %U is taken into account */ ++ lp_load_with_shares(get_dyn_CONFIGFILE()); ++ + DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n", + 
ntuser, ntdomain, rhost)); + +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-02.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-02.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-02.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-02.patch 2022-11-09 14:42:14.000000000 +0000 @@ -0,0 +1,29 @@ +From 69c750df9573253d53a5aea7f213a003e61eb633 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 4 Nov 2021 11:51:08 +0100 +Subject: [PATCH 02/30] selftest: Fix ktest usermap file + +The user was not mapped: + +user_in_list: checking user |KTEST/administrator| against |KTEST\Administrator| +The user 'KTEST/administrator' has no mapping. Skip it next time. + +Signed-off-by: Samuel Cabrero + +[scabrero@samba.org Once smb_getpswnam() fallbacks are removed the user + has to be mapped] +--- + selftest/target/Samba3.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -970,7 +970,7 @@ sub setup_ktest($$$) + + open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map"); + print USERMAP " +-$ret->{USERNAME} = KTEST\\Administrator ++$ret->{USERNAME} = KTEST/Administrator + "; + close(USERMAP); + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-03.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-03.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-03.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-03.patch 2022-11-09 14:42:14.000000000 +0000 
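Review bot: `%U` is now taken from `(*session_info)->unix_info->sanitized_username` and `unix_name` instead of whatever `username` held when `sub_set_smb_name()` ran (the hunk does not show where that string came from), which is the security-relevant half of the move and deserves a comment, e.g. `/* Set %U from the resolved session, not the pre-lookup name, before reloading shares */`. The two dereferences assume `unix_info` and `info` are populated whenever make_session_info_krb5() returns OK; if that is not guaranteed here (the function is outside the hunk) a NULL check before set_current_user_info() would be prudent. Code between the old and the new reload point that depends on `%U` now sees the previous user's value, as the commit message acknowledges for log file names; the DEBUG line that follows runs after the reload and is unaffected.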
@@ -0,0 +1,52 @@ +From 26e77e64641ee58fc1eea65bf38fb5a7958e88c3 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 16:42:00 +0200 +Subject: [PATCH 03/30] selftest/Samba3: replace (winbindd => "yes", skip_wait + => 1) with (winbindd => "offline") + +This is much more flexible and concentrates the logic in a single place. + +We'll use winbindd => "offline" in other places soon. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de) +(cherry picked from commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d) + +[scabrero@samba.org Backported to 4.7] +--- + selftest/target/Samba3.pm | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1179,7 +1179,7 @@ sub check_or_start($$$$$) { + + $ENV{ENVNAME} = "$ENV{ENVNAME}.winbindd"; + +- if ($winbindd ne "yes") { ++ if ($winbindd ne "yes" and $winbindd ne "offline") { + $SIG{USR1} = $SIG{ALRM} = $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub { + my $signame = shift; + print("Skip winbindd received signal $signame"); +@@ -2230,11 +2230,15 @@ sub wait_for_start($$$$$) + } + } + +- if ($winbindd eq "yes") { ++ if ($winbindd eq "yes" or $winbindd eq "offline") { + print "checking for winbindd\n"; + my $count = 0; + do { +- $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --ping-dc"); ++ if ($winbindd eq "yes") { ++ $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --ping-dc"); ++ } elsif ($winbindd eq "offline") { ++ $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . 
" --ping"); ++ } + if ($ret != 0) { + sleep(1); + } diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-04.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-04.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-04.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-04.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,45 @@ +From 1eea56bfa51aacdf72754212197396eeaa8b21a4 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 22 Oct 2021 16:20:36 +0200 +Subject: [PATCH 04/30] CVE-2020-25719 CVE-2020-25717: selftest: remove + "gensec:require_pac" settings + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + selftest/selftest.pl | 2 -- + selftest/target/Samba4.pm | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/selftest/selftest.pl b/selftest/selftest.pl +index 9bfd4e50015..7759e7475d0 100755 +--- a/selftest/selftest.pl ++++ b/selftest/selftest.pl +@@ -607,8 +607,6 @@ sub write_clientconf($$$) + client lanman auth = Yes + log level = 1 + torture:basedir = $clientdir +-#We don't want to pass our self-tests if the PAC code is wrong +- gensec:require_pac = true + #We don't want to run 'speed' tests for very long + torture:timelimit = 1 + winbind separator = / +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index 7da68c44776..3d465b2252c 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -604,8 +604,6 @@ sub provision_raw_step1($$) + notify:inotify = false + ldb:nosync = true + ldap server require strong auth = yes +-#We don't want to pass our self-tests if the PAC code is wrong +- gensec:require_pac = true + log file = $ctx->{logdir}/log.\%m + log level = $ctx->{server_loglevel} + lanman auth = Yes +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-05.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-05.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-05.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-05.patch 2022-11-09 14:42:14.000000000 +0000 
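Review bot: dropping `gensec:require_pac = true` from both selftest configurations means the test environments stop asserting that a PAC is present unless the production default has changed to require one, and the commit message gives only the CVE and bug numbers, not that dependency. If another patch in this series makes require_pac default to true (the CVE-2020-25719 reference suggests so), a comment where the old line was, `# gensec:require_pac now defaults to true (CVE-2020-25719)`, would make the removal self-explanatory; otherwise the setting should stay until that change lands.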
@@ -0,0 +1,163 @@ +From 0baec48c6b758aa3bb395abba0007cf84bd54767 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 4 Oct 2021 17:29:34 +0200 +Subject: [PATCH 05/30] CVE-2020-25717: s3:winbindd: make sure we default to + r->out.authoritative = true + +We need to make sure that temporary failures don't trigger a fallback +to the local SAM that silently ignores the domain name part for users. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported for 4.10 due to no logon_id for +log_authentication() neither is_allowed_domain()] +[scabrero@samba.org Backported for 4.7 due to different return types, + info3 instead of netr_Validation] +--- + source3/winbindd/winbindd_dual_srv.c | 7 +++++++ + source3/winbindd/winbindd_irpc.c | 8 ++++++++ + source3/winbindd/winbindd_pam.c | 13 ++++++++++--- + source3/winbindd/winbindd_pam_auth_crap.c | 9 +++++++++ + source3/winbindd/winbindd_util.c | 7 +++++++ + 5 files changed, 41 insertions(+), 3 deletions(-) + +--- a/source3/winbindd/winbindd_dual_srv.c ++++ b/source3/winbindd/winbindd_dual_srv.c +@@ -868,6 +868,13 @@ NTSTATUS _winbind_SamLogon(struct pipes_ + DATA_BLOB lm_response, nt_response; + uint32_t flags = 0; + ++ /* ++ * Make sure we start with authoritative=true, ++ * it will only set to false if we don't know the ++ * domain. ++ */ ++ r->out.authoritative = true; ++ + domain = wb_child_domain(); + if (domain == NULL) { + return NT_STATUS_REQUEST_NOT_ACCEPTED; +--- a/source3/winbindd/winbindd_irpc.c ++++ b/source3/winbindd/winbindd_irpc.c +@@ -134,6 +134,14 @@ static NTSTATUS wb_irpc_SamLogon(struct + { + struct winbindd_domain *domain; + const char *target_domain_name; ++ ++ /* ++ * Make sure we start with authoritative=true, ++ * it will only set to false if we don't know the ++ * domain. 
++ */ ++ req->out.authoritative = true; ++ + if (req->in.logon.network == NULL) { + return NT_STATUS_REQUEST_NOT_ACCEPTED; + } +--- a/source3/winbindd/winbindd_pam.c ++++ b/source3/winbindd/winbindd_pam.c +@@ -1553,7 +1553,7 @@ static NTSTATUS winbindd_dual_pam_auth_s + fstring name_domain, name_user; + NTSTATUS result; + struct netr_SamInfo3 *my_info3 = NULL; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + + *info3 = NULL; +@@ -1983,6 +1983,13 @@ done: + result = NT_STATUS_NO_LOGON_SERVERS; + } + ++ /* ++ * Here we don't alter ++ * state->response->data.auth.authoritative based ++ * on the servers response ++ * as we don't want a fallback to the local sam ++ * for interactive PAM logons ++ */ + set_auth_errors(state->response, result); + + DEBUG(NT_STATUS_IS_OK(result) ? 5 : 2, ("Plain-text authentication for user %s returned %s (PAM: %d)\n", +@@ -2118,7 +2125,7 @@ enum winbindd_result winbindd_dual_pam_a + const char *name_user = NULL; + const char *name_domain = NULL; + const char *workstation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + + DATA_BLOB lm_resp, nt_resp; +@@ -2177,7 +2184,6 @@ enum winbindd_result winbindd_dual_pam_a + &flags, + &info3); + if (!NT_STATUS_IS_OK(result)) { +- state->response->data.auth.authoritative = authoritative; + goto done; + } + +@@ -2210,6 +2216,7 @@ done: + } + + set_auth_errors(state->response, result); ++ state->response->data.auth.authoritative = authoritative; + + return NT_STATUS_IS_OK(result) ? 
WINBINDD_OK : WINBINDD_ERROR; + } +--- a/source3/winbindd/winbindd_pam_auth_crap.c ++++ b/source3/winbindd/winbindd_pam_auth_crap.c +@@ -23,6 +23,7 @@ + struct winbindd_pam_auth_crap_state { + struct winbindd_response *response; + struct netr_SamInfo3 *info3; ++ bool authoritative; + uint32_t flags; + }; + +@@ -45,6 +46,8 @@ struct tevent_req *winbindd_pam_auth_cra + return NULL; + } + ++ state->authoritative = true; ++ + if (request->flags & WBFLAG_PAM_AUTH_PAC) { + NTSTATUS status; + +@@ -85,6 +88,11 @@ struct tevent_req *winbindd_pam_auth_cra + + domain = find_auth_domain(request->flags, auth_domain); + if (domain == NULL) { ++ /* ++ * We don't know the domain so ++ * we're not authoritative ++ */ ++ state->authoritative = false; + tevent_req_nterror(req, NT_STATUS_NO_SUCH_USER); + return tevent_req_post(req, ev); + } +@@ -128,6 +136,7 @@ NTSTATUS winbindd_pam_auth_crap_recv(str + + if (tevent_req_is_nterror(req, &status)) { + set_auth_errors(response, status); ++ response->data.auth.authoritative = state->authoritative; + return status; + } + +--- a/source3/winbindd/winbindd_util.c ++++ b/source3/winbindd/winbindd_util.c +@@ -1614,6 +1614,13 @@ void winbindd_unset_locator_kdc_env(cons + + void set_auth_errors(struct winbindd_response *resp, NTSTATUS result) + { ++ /* ++ * Make sure we start with authoritative=true, ++ * it will only set to false if we don't know the ++ * domain. ++ */ ++ resp->data.auth.authoritative = true; ++ + resp->data.auth.nt_status = NT_STATUS_V(result); + fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result)); + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-06.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-06.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-06.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-06.patch 2022-11-09 14:42:14.000000000 +0000 
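Review bot: in winbindd_dual_pam_auth_crap the `state->response->data.auth.authoritative = authoritative;` assignment was moved to after `set_auth_errors()`, and that order is load-bearing because set_auth_errors() now unconditionally resets `authoritative` to true in the winbindd_util.c hunk; a comment at the assignment, `/* must follow set_auth_errors(), which resets authoritative to true */`, would stop a later reorder from silently re-enabling the local-SAM fallback. In the first winbindd_pam.c hunk the local `authoritative` now starts at 1, but the only visible reference is the new comment at `done:` explaining that the response is deliberately left authoritative for interactive PAM logons; if nothing in that function still reads the variable (its body is outside the hunk), it can be dropped. The `uint8_t authoritative = 1` in winbindd_pam.c versus `bool authoritative` / `= true` in winbindd_pam_auth_crap.c is harmless but worth unifying on one type.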
@@ -0,0 +1,36 @@
+From fcd92561a6cd147d3564d3eed5dc138604fd7e6b Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Mon, 4 Oct 2021 17:29:34 +0200
+Subject: [PATCH 06/30] CVE-2020-25717: s4:auth/ntlm: make sure
+ auth_check_password() defaults to r->out.authoritative = true
+
+We need to make sure that temporary failures don't trigger a fallback
+to the local SAM that silently ignores the domain name part for users.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher
+---
+ source4/auth/ntlm/auth.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c
+index 0e76348e385..94e255f3787 100644
+--- a/source4/auth/ntlm/auth.c
++++ b/source4/auth/ntlm/auth.c
+@@ -166,6 +166,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx,
+ /*TODO: create a new event context here! */
+ ev = auth_ctx->event_ctx;
+
++ /*
++ * We are authoritative by default
++ */
++ *pauthoritative = 1;
++
+ subreq = auth_check_password_send(mem_ctx,
+ ev,
+ auth_ctx,
+--
+2.33.1
+
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-07.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-07.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-07.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-07.patch 2022-11-09 14:42:14.000000000 +0000
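Review bot: The new comment above `*pauthoritative = 1;` in auth_check_password() states the value but not the reason, which currently lives only in the commit message; since this default is what prevents a transient failure from turning into a local-SAM fallback, the rationale belongs next to the code. Suggest extending it to `/* Authoritative by default: a temporary failure must not let the caller fall back to the local SAM, which would ignore the domain part of the user name. */`. The body of auth_check_password() continues past the hunk, and whether any caller may pass a NULL pauthoritative is not visible here; if one can, the unconditional write needs a guard.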
@@ -0,0 +1,56 @@ +From 40210a246dbaf73aa72ec408c9b0678c4bcc5a63 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 07/30] CVE-2020-25717: s4:torture: start with authoritative = + 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source4/torture/rpc/samlogon.c | 4 ++-- + source4/torture/rpc/schannel.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source4/torture/rpc/samlogon.c b/source4/torture/rpc/samlogon.c +index e689dfd5e98..957cb410712 100644 +--- a/source4/torture/rpc/samlogon.c ++++ b/source4/torture/rpc/samlogon.c +@@ -1385,7 +1385,7 @@ static bool test_SamLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + + union netr_LogonLevel logon; + union netr_Validation validation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags = 0; + + ZERO_STRUCT(logon); +@@ -1498,7 +1498,7 @@ bool test_InteractiveLogon(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx, + + union netr_LogonLevel logon; + union netr_Validation validation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + struct dcerpc_binding_handle *b = p->binding_handle; + + ZERO_STRUCT(a); +diff --git a/source4/torture/rpc/schannel.c b/source4/torture/rpc/schannel.c +index de3a36eaa4f..3357b8eda82 100644 +--- a/source4/torture/rpc/schannel.c ++++ b/source4/torture/rpc/schannel.c +@@ -50,7 +50,7 @@ bool test_netlogon_ex_ops(struct dcerpc_pipe *p, struct torture_context *tctx, + struct netr_NetworkInfo ninfo; + union netr_LogonLevel logon; + union netr_Validation validation; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t _flags = 0; + DATA_BLOB names_blob, chal, lm_resp, nt_resp; + int i; +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-08.patch 
samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-08.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-08.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-08.patch 2022-11-09 14:42:14.000000000 +0000 @@ -0,0 +1,42 @@ +From 5e523690070a4cfc03ab3c8bfab5ea528e496c48 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 08/30] CVE-2020-25717: s4:smb_server: start with authoritative + = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source4/smb_server/smb/sesssetup.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source4/smb_server/smb/sesssetup.c b/source4/smb_server/smb/sesssetup.c +index 13f13934412..5e817eecd4b 100644 +--- a/source4/smb_server/smb/sesssetup.c ++++ b/source4/smb_server/smb/sesssetup.c +@@ -102,7 +102,7 @@ static void sesssetup_old_send(struct tevent_req *subreq) + struct auth_session_info *session_info; + struct smbsrv_session *smb_sess; + NTSTATUS status; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags; + + status = auth_check_password_recv(subreq, req, &user_info_dc, +@@ -243,7 +243,7 @@ static void sesssetup_nt1_send(struct tevent_req *subreq) + struct auth_user_info_dc *user_info_dc = NULL; + struct auth_session_info *session_info; + struct smbsrv_session *smb_sess; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint32_t flags; + NTSTATUS status; + +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-09.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-09.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-09.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-09.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,33 @@
+From dea8c99814df23fe1b6d2874fe52c522a2eccfb8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 09/30] CVE-2020-25717: s4:auth_simple: start with
+ authoritative = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher
+---
+ source4/auth/ntlm/auth_simple.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/ntlm/auth_simple.c b/source4/auth/ntlm/auth_simple.c
+index d7811b9e5b2..b4ef9ee2090 100644
+--- a/source4/auth/ntlm/auth_simple.c
++++ b/source4/auth/ntlm/auth_simple.c
+@@ -146,7 +146,7 @@ static void authenticate_ldap_simple_bind_done(struct tevent_req *subreq)
+ const struct tsocket_address *local_address = user_info->local_host;
+ const char *transport_protection = AUTHZ_TRANSPORT_PROTECTION_NONE;
+ struct auth_user_info_dc *user_info_dc = NULL;
+- uint8_t authoritative = 0;
++ uint8_t authoritative = 1;
+ uint32_t flags = 0;
+ NTSTATUS nt_status;
+
+--
+2.33.1
+
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-10.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-10.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-10.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-10.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,92 @@ +From b28c31049d5efacff3a7ff6ea751a73695918e3e Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 10/30] CVE-2020-25717: s3:ntlm_auth: start with authoritative + = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/utils/ntlm_auth.c | 4 ++-- + source3/utils/ntlm_auth_diagnostics.c | 10 +++++----- + 2 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index d094ab4fa3e..ec5d505c3b6 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -1747,7 +1747,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod + TALLOC_FREE(mem_ctx); + + } else { +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + if (!domain) { + domain = smb_xstrdup(get_winbind_domain()); +@@ -2216,7 +2216,7 @@ static bool check_auth_crap(void) + char *hex_lm_key; + char *hex_user_session_key; + char *error_string; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + setbuf(stdout, NULL); + +diff --git a/source3/utils/ntlm_auth_diagnostics.c b/source3/utils/ntlm_auth_diagnostics.c +index 41591a8de33..fc0fc19bacb 100644 +--- a/source3/utils/ntlm_auth_diagnostics.c ++++ b/source3/utils/ntlm_auth_diagnostics.c +@@ -54,7 +54,7 @@ static bool test_lm_ntlm_broken(enum ntlm_break break_which) + DATA_BLOB lm_response = data_blob(NULL, 24); + DATA_BLOB nt_response = data_blob(NULL, 24); + DATA_BLOB session_key = data_blob(NULL, 16); +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uchar lm_key[8]; + uchar user_session_key[16]; + uchar lm_hash[16]; +@@ -177,7 +177,7 @@ static bool test_ntlm_in_lm(void) + NTSTATUS nt_status; + uint32_t flags = 0; + DATA_BLOB nt_response = data_blob(NULL, 24); +- uint8_t authoritative = 0; ++ uint8_t 
authoritative = 1; + uchar lm_key[8]; + uchar lm_hash[16]; + uchar user_session_key[16]; +@@ -245,7 +245,7 @@ static bool test_ntlm_in_both(void) + uint32_t flags = 0; + DATA_BLOB nt_response = data_blob(NULL, 24); + DATA_BLOB session_key = data_blob(NULL, 16); +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uint8_t lm_key[8]; + uint8_t lm_hash[16]; + uint8_t user_session_key[16]; +@@ -322,7 +322,7 @@ static bool test_lmv2_ntlmv2_broken(enum ntlm_break break_which) + DATA_BLOB lmv2_response = data_blob_null; + DATA_BLOB ntlmv2_session_key = data_blob_null; + DATA_BLOB names_blob = NTLMv2_generate_names_blob(NULL, get_winbind_netbios_name(), get_winbind_domain()); +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uchar user_session_key[16]; + DATA_BLOB chall = get_challenge(); + char *error_string; +@@ -452,7 +452,7 @@ static bool test_plaintext(enum ntlm_break break_which) + char *password; + smb_ucs2_t *nt_response_ucs2; + size_t converted_size; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + uchar user_session_key[16]; + uchar lm_key[16]; + static const uchar zeros[8] = { 0, }; +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-11.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-11.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-11.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-11.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,39 @@
+From f0431426bf540847a380521c1dc62c9f6275fad6 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 11/30] CVE-2020-25717: s3:torture: start with authoritative =
+ 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher
+
+[scabrero@samba.org Backported to 4.10 due to missing commit
+a5548af018643f2e78c482e33ef0e6073db149e4 to check return value
+of SMBOWFencrypt()]
+[scabrero@samba.org Backported to 4.7 due to different variable
+ declarations]
+---
+ source3/torture/pdbtest.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/torture/pdbtest.c b/source3/torture/pdbtest.c
+index 251dbbfd761..ecc97c43107 100644
+--- a/source3/torture/pdbtest.c
++++ b/source3/torture/pdbtest.c
+@@ -270,7 +270,7 @@ static bool test_auth(TALLOC_CTX *mem_ctx, struct samu *pdb_entry)
+ struct auth_serversupplied_info *server_info;
+ NTSTATUS status;
+ bool ok;
+- uint8_t authoritative = 0;
++ uint8_t authoritative = 1;
+
+ SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8,
+ local_nt_response);
+--
+2.33.1
+
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-12.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-12.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-12.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-12.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,36 @@
+From 4cc59a8416d64d00b45fe6e5d23fb98b1829d464 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Tue, 26 Oct 2021 17:42:41 +0200
+Subject: [PATCH 12/30] CVE-2020-25717: s3:rpcclient: start with authoritative
+ = 1
+
+This is not strictly needed, but makes it easier to audit
+that we don't miss important places.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher
+
+[scabrero@samba.org Backported to 4.7 due to different variable
+ declarations]
+---
+ source3/rpcclient/cmd_netlogon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
+index 4488ec2e0d9..685a4a643ca 100644
+--- a/source3/rpcclient/cmd_netlogon.c
++++ b/source3/rpcclient/cmd_netlogon.c
+@@ -779,7 +779,7 @@ static NTSTATUS cmd_netlogon_sam_logon(struct rpc_pipe_client *cli,
+ uint32_t logon_param = 0;
+ const char *workstation = NULL;
+ struct netr_SamInfo3 *info3 = NULL;
+- uint8_t authoritative = 0;
++ uint8_t authoritative = 1;
+ uint32_t flags = 0;
+
+ /* Check arguments */
+--
+2.33.1
+
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-13.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-13.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-13.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-13.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,51 @@ +From 7c1cbc6cd16ec3ccefbb2613513520c4e0aa30dd Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 13/30] CVE-2020-25717: s3:auth: start with authoritative = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.10 due to missing commits +7f75dec865256049e99f7fcf46317cd2d53e95d1 and +434030ba711e677fdd167a255d05c1cd4db943b7] +[scabrero@samba.org Backported to 4.7, check_ntlm_password is sync] +--- + source3/auth/auth_generic.c | 2 +- + source3/auth/auth_samba4.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 82fcc150620..39dc5877f12 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -413,7 +413,7 @@ NTSTATUS auth_check_password_session_info(struct auth4_context *auth_context, + { + NTSTATUS nt_status; + void *server_info; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + nt_status = auth_context->check_ntlm_password(auth_context, + talloc_tos(), +diff --git a/source3/auth/auth_samba4.c b/source3/auth/auth_samba4.c +index 46c8f9ffd62..f1786802998 100644 +--- a/source3/auth/auth_samba4.c ++++ b/source3/auth/auth_samba4.c +@@ -118,7 +118,7 @@ static NTSTATUS check_samba4_security(const struct auth_context *auth_context, + NTSTATUS nt_status; + struct auth_user_info_dc *user_info_dc; + struct auth4_context *auth4_context; +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); + if (!NT_STATUS_IS_OK(nt_status)) { +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-14.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-14.patch --- 
samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-14.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-14.patch 2022-11-09 14:42:14.000000000 +0000 @@ -0,0 +1,35 @@ +From 9976394aad8291631fb26c55347b6f92bd355d54 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 26 Oct 2021 17:42:41 +0200 +Subject: [PATCH 14/30] CVE-2020-25717: auth/ntlmssp: start with authoritative + = 1 + +This is not strictly needed, but makes it easier to audit +that we don't miss important places. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.7, check_ntlm_password is sync] +--- + auth/ntlmssp/ntlmssp_server.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/auth/ntlmssp/ntlmssp_server.c b/auth/ntlmssp/ntlmssp_server.c +index 42f72ffab5b..ea7563dc586 100644 +--- a/auth/ntlmssp/ntlmssp_server.c ++++ b/auth/ntlmssp/ntlmssp_server.c +@@ -737,7 +737,7 @@ static NTSTATUS ntlmssp_server_check_password(struct gensec_security *gensec_sec + NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; + + if (auth_context->check_ntlm_password) { +- uint8_t authoritative = 0; ++ uint8_t authoritative = 1; + + nt_status = auth_context->check_ntlm_password(auth_context, + gensec_ntlmssp, +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-15.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-15.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-15.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-15.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,86 @@ +From b4b5ed9322256b04b54f0f1194067c34ece2dba8 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Tue, 28 Sep 2021 10:43:40 +0200 +Subject: [PATCH 15/30] CVE-2020-25717: loadparm: Add new parameter "min domain + uid" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Samuel Cabrero +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported from master/4.15 due to + conflicts with other new parameters] +--- + docs-xml/smbdotconf/security/mindomainuid.xml | 17 +++++++++++++++++ + docs-xml/smbdotconf/winbind/idmapconfig.xml | 4 ++++ + lib/param/loadparm.c | 4 ++++ + source3/param/loadparm.c | 2 ++ + 4 files changed, 27 insertions(+) + create mode 100644 docs-xml/smbdotconf/security/mindomainuid.xml + +--- /dev/null ++++ b/docs-xml/smbdotconf/security/mindomainuid.xml +@@ -0,0 +1,17 @@ ++ ++ ++ ++ The integer parameter specifies the minimum uid allowed when mapping a ++ local account to a domain account. ++ ++ ++ ++ Note that this option interacts with the configured idmap ranges! ++ ++ ++ ++1000 ++ +--- a/docs-xml/smbdotconf/winbind/idmapconfig.xml ++++ b/docs-xml/smbdotconf/winbind/idmapconfig.xml +@@ -80,6 +80,9 @@ + authoritative for a unix ID to SID mapping, so it must be set + for each individually configured domain and for the default + configuration. The configured ranges must be mutually disjoint. ++ ++ ++ Note that the low value interacts with the option! 
+ + + +@@ -115,4 +118,5 @@ + + + ++min domain uid + +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -3003,6 +3003,10 @@ struct loadparm_context *loadparm_init(T + lpcfg_do_global_parameter( + lp_ctx, "ldap max search request size", "256000"); + ++ lpcfg_do_global_parameter(lp_ctx, ++ "min domain uid", ++ "1000"); ++ + for (i = 0; parm_table[i].label; i++) { + if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { + lp_ctx->flags[i] |= FLAG_DEFAULT; +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -953,6 +953,8 @@ static void init_globals(struct loadparm + Globals.ldap_max_authenticated_request_size = 16777216; + Globals.ldap_max_search_request_size = 256000; + ++ Globals.min_domain_uid = 1000; ++ + /* Now put back the settings that were set with lp_set_cmdline() */ + apply_lp_set_cmdline(); + } diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-16.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-16.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-16.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-16.patch 2022-11-09 14:42:14.000000000 +0000 
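Review bot: The default of 1000 for "min domain uid" is now hard-coded twice with nothing tying the copies together — as the string `"1000"` in lib/param/loadparm.c's loadparm_init() and as the literal in `Globals.min_domain_uid = 1000;` in source3/param/loadparm.c — so a later change to one will silently diverge from the other; a comment at each site naming the other (or a shared constant) would prevent that. The added sentence in idmapconfig.xml says only that the range's low value "interacts" with the option without saying how; since the check added in CVE-2020-25717-17.patch on this page rejects a domain account whenever `pwd->pw_uid < lp_min_domain_uid()`, the documentation should state that an idmap range starting below "min domain uid" will produce accounts that cannot log on, so the low value should be at or above it. The mindomainuid.xml text could likewise say what happens to an account below the threshold (the logon is refused) rather than only that the uid is "not allowed".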
@@ -0,0 +1,34 @@
+From 4a6185e823328cc270de0f589336dd82f4f4f008 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Fri, 8 Oct 2021 19:57:18 +0200
+Subject: [PATCH 16/30] CVE-2020-25717: s3:auth: let
+ auth3_generate_session_info_pac() forward the low level errors
+
+Mapping everything to ACCESS_DENIED makes it hard to debug problems,
+which may happen because of our more restrictive behaviour in future.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/auth/auth_generic.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
+index 39dc5877f12..bc0bd704626 100644
+--- a/source3/auth/auth_generic.c
++++ b/source3/auth/auth_generic.c
+@@ -164,7 +164,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
+ nt_errstr(status)));
+- status = NT_STATUS_ACCESS_DENIED;
++ status = nt_status_squash(status);
+ goto done;
+ }
+
+--
+2.33.1
+
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-17.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-17.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-17.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-17.patch 2022-11-09 14:42:14.000000000 +0000
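Review bot: `status = nt_status_squash(status);` changes what an unauthenticated client sees for every PAC-mapping failure, and the line carries no comment explaining the trade-off being made. As far as I recall nt_status_squash() only collapses the account-enumeration hints (NT_STATUS_NO_SUCH_USER and NT_STATUS_WRONG_PASSWORD into NT_STATUS_LOGON_FAILURE) and passes everything else through, so all other low-level errors from the mapping step now reach the wire where they used to be ACCESS_DENIED. That is the stated intent, so the code should say it: `/* Return the real mapping error (only account-enumeration hints are squashed) so stricter mapping rules remain debuggable from the client side. */`. The DEBUG(1) line above already logs the pre-squash status, which keeps the full detail server-side; the function continues beyond the hunk.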
@@ -0,0 +1,41 @@
+From fa1b9b016072034caf5ba1c6e0ee6d4121854088 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Tue, 28 Sep 2021 10:45:11 +0200
+Subject: [PATCH 17/30] CVE-2020-25717: s3:auth: Check minimum domain uid
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Pair-Programmed-With: Stefan Metzmacher
+
+Signed-off-by: Samuel Cabrero
+Signed-off-by: Stefan Metzmacher
+---
+ source3/auth/auth_util.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1448,6 +1448,22 @@ NTSTATUS make_server_info_info3(TALLOC_C
+ }
+ }
+ goto out;
++ } else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
++ !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
++ /*
++ * !is_myname(domain) because when smbd starts tries to setup
++ * the guest user info, calling this function with nobody
++ * username. Nobody is usually uid 65535 but it can be changed
++ * to a regular user with 'guest account' parameter
++ */
++ nt_status = NT_STATUS_INVALID_TOKEN;
++ DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
++ "it does not meet 'min domain uid' "
++ "restriction (%u < %u): %s\n",
++ nt_domain, lp_winbind_separator(), nt_username,
++ pwd->pw_uid, lp_min_domain_uid(),
++ nt_errstr(nt_status));
++ goto out;
+ }
+
+ result = make_server_info(tmp_ctx);
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-18.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-18.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-18.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-18.patch 2022-11-09 14:42:14.000000000 +0000
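Review bot: `pwd->pw_uid < lp_min_domain_uid()` compares an unsigned `uid_t` with what is presumably a plain `int` (Samba's integer smb.conf parameters are returned as `int`), so a negative "min domain uid" in smb.conf would be converted to a very large unsigned value and silently reject every domain logon, and the `%u` in the DBG_NOTICE format then receives a signed argument for the same value. Suggest reading the parameter once with an explicit range guard and matching format, e.g. `int min_uid = lp_min_domain_uid();` … `min_uid > 0 && pwd->pw_uid < (uid_t)min_uid` … `"restriction (%u < %d): %s\n"`; alternatively reject negative values at parse time so this check can stay as written. The new branch also relies on `pwd` being non-NULL at this point, which the earlier branches of this if-chain presumably guarantee but which is outside the hunk; make_server_info_info3() continues past the hunk on both sides.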
@@ -0,0 +1,33 @@
+From 6a61a7e093f6c4b651fc3f0ae6584e414fc2e125 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Fri, 8 Oct 2021 17:40:30 +0200
+Subject: [PATCH 18/30] CVE-2020-25717: s3:auth: we should not try to
+ autocreate the guest account
+
+We should avoid autocreation of users as much as possible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/auth/user_krb5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
+index 8998f9c8f8a..074e8c7eb71 100644
+--- a/source3/auth/user_krb5.c
++++ b/source3/auth/user_krb5.c
+@@ -155,7 +155,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
+ if (!fuser) {
+ return NT_STATUS_NO_MEMORY;
+ }
+- pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true);
++ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, false);
+ }
+
+ /* extra sanity check that the guest account is valid */
+--
+2.33.1
+
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-19.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-19.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-19.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-19.patch 2022-11-09 14:42:14.000000000 +0000
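Review bot: The `true` → `false` flip in the `smb_getpwnam(mem_ctx, fuser, &unixuser, false)` call leaves a bare boolean literal whose meaning a reader has to look up in smb_getpwnam()'s prototype, and the policy it now encodes (never autocreate) exists only in the commit message; the identical pattern appears in CVE-2020-25717-19.patch's check_account() change. A one-line comment at each call site, e.g. `/* create_if_missing = false: the account must already exist, never autocreate it */`, would carry the policy into the code; naming the parameter is a guess from context, so use whatever smb_getpwnam() actually calls it. Both enclosing functions, get_user_from_kerberos_info() here and check_account() there, extend beyond their hunks.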
@@ -0,0 +1,33 @@
+From a7135176955e4378ad4952ee7ef89d15315a594e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Fri, 8 Oct 2021 18:08:20 +0200
+Subject: [PATCH 19/30] CVE-2020-25717: s3:auth: no longer let check_account()
+ autocreate local users
+
+So far we autocreated local user accounts based on just the
+account_name (just ignoring any domain part).
+
+This only happens via a possible 'add user script',
+which is not typically defined on domain members
+and on NT4 DCs local users already exist in the
+local passdb anyway.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/auth/auth_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -1243,7 +1243,7 @@ static NTSTATUS check_account(TALLOC_CTX
+ return NT_STATUS_NO_MEMORY;
+ }
+
+- passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, true );
++ passwd = smb_getpwnam(mem_ctx, dom_user, &real_username, false);
+ if (!passwd) {
+ DEBUG(3, ("Failed to find authenticated user %s via "
+ "getpwnam(), denying access.\n", dom_user));
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-20.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-20.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-20.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-20.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,142 @@ +From f2d82d79058a8b0f5e0cd4e71365064c66637a7c Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Fri, 8 Oct 2021 12:33:16 +0200 +Subject: [PATCH 20/30] CVE-2020-25717: s3:auth: remove fallbacks in + smb_getpwnam() + +So far we tried getpwnam("DOMAIN\account") first and +always did a fallback to getpwnam("account") completely +ignoring the domain part, this just causes problems +as we mix "DOMAIN1\account", "DOMAIN2\account", +and "account"! + +As we require a running winbindd for domain member setups +we should no longer do a fallback to just "account" for +users served by winbindd! + +For users of the local SAM don't use this code path, +as check_sam_security() doesn't call check_account(). + +The only case where smb_getpwnam("account") happens is +when map_username() via ("username map [script]") mapped +"DOMAIN\account" to something without '\', but that is +explicitly desired by the admin. + +Note: use 'git show -w' + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Pair-Programmed-With: Stefan Metzmacher + +Signed-off-by: Ralph Boehme +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.7 removing + selftest/knownfail.d/ktest after fixing user mapping in ktest + environment] +--- + source3/auth/auth_util.c | 77 ++++++++++++++++++++++------------------ + 1 file changed, 42 insertions(+), 35 deletions(-) + +--- a/source3/auth/auth_util.c ++++ b/source3/auth/auth_util.c +@@ -1278,7 +1278,7 @@ struct passwd *smb_getpwnam( TALLOC_CTX + { + struct passwd *pw = NULL; + char *p = NULL; +- char *username = NULL; ++ const char *username = NULL; + + /* we only save a copy of the username it has been mangled + by winbindd use default domain */ +@@ -1297,48 +1297,55 @@ struct passwd *smb_getpwnam( TALLOC_CTX + /* code for a DOMAIN\user string */ + + if ( p ) { +- pw = Get_Pwnam_alloc( mem_ctx, domuser ); +- if ( pw ) { +- /* make sure we get the case of the username 
correct */ +- /* work around 'winbind use default domain = yes' */ +- +- if ( lp_winbind_use_default_domain() && +- !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { +- char *domain; +- +- /* split the domain and username into 2 strings */ +- *p = '\0'; +- domain = username; +- +- *p_save_username = talloc_asprintf(mem_ctx, +- "%s%c%s", +- domain, +- *lp_winbind_separator(), +- pw->pw_name); +- if (!*p_save_username) { +- TALLOC_FREE(pw); +- return NULL; +- } +- } else { +- *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); +- } ++ const char *domain = NULL; + +- /* whew -- done! */ +- return pw; +- } ++ /* split the domain and username into 2 strings */ ++ *p = '\0'; ++ domain = username; ++ p++; ++ username = p; + +- /* setup for lookup of just the username */ +- /* remember that p and username are overlapping memory */ ++ if (strequal(domain, get_global_sam_name())) { ++ /* ++ * This typically don't happen ++ * as check_sam_Security() ++ * don't call make_server_info_info3() ++ * and thus check_account(). ++ * ++ * But we better keep this. ++ */ ++ goto username_only; ++ } + +- p++; +- username = talloc_strdup(mem_ctx, p); +- if (!username) { ++ pw = Get_Pwnam_alloc( mem_ctx, domuser ); ++ if (pw == NULL) { + return NULL; + } ++ /* make sure we get the case of the username correct */ ++ /* work around 'winbind use default domain = yes' */ ++ ++ if ( lp_winbind_use_default_domain() && ++ !strchr_m( pw->pw_name, *lp_winbind_separator() ) ) { ++ *p_save_username = talloc_asprintf(mem_ctx, ++ "%s%c%s", ++ domain, ++ *lp_winbind_separator(), ++ pw->pw_name); ++ if (!*p_save_username) { ++ TALLOC_FREE(pw); ++ return NULL; ++ } ++ } else { ++ *p_save_username = talloc_strdup(mem_ctx, pw->pw_name); ++ } ++ ++ /* whew -- done! 
*/ ++ return pw; ++ + } + + /* just lookup a plain username */ +- ++username_only: + pw = Get_Pwnam_alloc(mem_ctx, username); + + /* Create local user if requested but only if winbindd diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-21.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-21.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-21.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-21.patch 2022-11-09 14:42:14.000000000 +0000 
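Review bot: `username` is changed to `const char *` in smb_getpwnam(), yet the rewritten DOMAIN\user branch still writes through `p` (`*p = '\0'`) and then assigns `username = p`, so as far as the hunk shows `p` aliases the very buffer `username` refers to and the `const` promises an immutability the code does not honour; either keep `username` as `char *` or add a comment such as `/* p points into our local copy; the separator is overwritten in place */` (where `p` is obtained is outside the hunk, so confirm the aliasing). The new comment also has wording slips: `check_sam_Security()` carries a stray capital, and "This typically don't happen" / "don't call" should read "does not". On the `goto username_only` path `*p_save_username` is not assigned anywhere inside the hunk; whether the code after the label sets it is outside view and worth checking, since callers of this function presumably read it.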
@@ -0,0 +1,39 @@
+From 6675ac457229387e294d3b3b06833b3dfc6749c6 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Mon, 4 Oct 2021 18:03:55 +0200
+Subject: [PATCH 21/30] CVE-2020-25717: s3:auth: don't let create_local_token
+ depend on !winbind_ping()
+
+We always require a running winbindd on a domain member, so
+we should better fail a request instead of silently alter
+the behaviour, which results in a different unix token, just
+because winbindd might be restarted.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/auth/auth_util.c | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/source3/auth/auth_util.c
++++ b/source3/auth/auth_util.c
+@@ -578,13 +578,11 @@ NTSTATUS create_local_token(TALLOC_CTX *
+ }
+
+ /*
+- * If winbind is not around, we can not make much use of the SIDs the
+- * domain controller provided us with. Likewise if the user name was
+- * mapped to some local unix user.
++ * If the user name was mapped to some local unix user,
++ * we can not make much use of the SIDs the
++ * domain controller provided us with.
+ */
+-
+- if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) ||
+- (server_info->nss_token)) {
++ if (server_info->nss_token) {
+ char *found_username = NULL;
+ status = create_token_from_username(session_info,
+ server_info->unix_name,
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-22.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-22.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-22.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-22.patch 2022-11-09 14:42:14.000000000 +0000
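Review bot: The rewritten comment in create_local_token() now describes only the nss_token case and drops every mention of winbindd, so a reader of the code no longer learns the deliberate decision the commit message records: a domain member without a reachable winbindd is meant to fail the request rather than fall back to a token built from the local unix user. Suggest appending to the comment: `On a domain member a running winbindd is required; if it is unavailable the request is expected to fail further down rather than silently produce a different unix token.` Where exactly that failure surfaces (presumably when the SIDs cannot be mapped) is outside the hunk, and create_local_token() continues beyond it.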
@@ -0,0 +1,72 @@ +From fea06955dfb5c62bcd8d10333fac70db2e193871 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 18:11:57 +0200 +Subject: [PATCH 22/30] CVE-2020-25717: auth/gensec: always require a PAC in + domain mode (DC or member) + +AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set +on the service account, which can only be explicitly configured, +but that's an invalid configuration! + +We still try to support standalone servers in an MIT realm, +as legacy setup. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.7 due to lack of debug class macro] +--- + auth/gensec/gensec_util.c | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +diff --git a/auth/gensec/gensec_util.c b/auth/gensec/gensec_util.c +index ca5e581f63f..15a771221ce 100644 +--- a/auth/gensec/gensec_util.c ++++ b/auth/gensec/gensec_util.c +@@ -25,6 +25,8 @@ + #include "auth/gensec/gensec_internal.h" + #include "auth/common_auth.h" + #include "../lib/util/asn1.h" ++#include "param/param.h" ++#include "libds/common/roles.h" + + NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, + struct gensec_security *gensec_security, +@@ -43,10 +45,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx, + session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS; + + if (!pac_blob) { +- if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) { +- DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n", +- principal_string)); +- return NT_STATUS_ACCESS_DENIED; ++ enum server_role server_role = ++ lpcfg_server_role(gensec_security->settings->lp_ctx); ++ ++ /* ++ * For any domain setup (DC or member) we require having ++ * a PAC, as the service ticket comes from an AD DC, ++ * which will always provide a PAC, unless ++ * 
UF_NO_AUTH_DATA_REQUIRED is configured for our ++ * account, but that's just an invalid configuration, ++ * the admin configured for us! ++ * ++ * As a legacy case, we still allow kerberos tickets from an MIT ++ * realm, but only in standalone mode. In that mode we'll only ++ * ever accept a kerberos authentication with a keytab file ++ * being explicitly configured via the 'keytab method' option. ++ */ ++ if (server_role != ROLE_STANDALONE) { ++ DBG_WARNING("Unable to find PAC in ticket from %s, " ++ "failing to allow access\n", ++ principal_string); ++ return NT_STATUS_NO_IMPERSONATION_TOKEN; + } + DBG_NOTICE("Unable to find PAC for %s, resorting to local " + "user lookup\n", principal_string); +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-23.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-23.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-23.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-23.patch 2022-11-09 14:42:14.000000000 +0000 
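Review bot: The rewritten block no longer reads the `gensec:require_pac` setting at all, so a standalone server that had explicitly set `gensec:require_pac = yes` now falls through to the local user lookup where it previously returned NT_STATUS_ACCESS_DENIED — a quiet relaxation for the one configuration that opted into strictness. Either keep the option as an extra condition in the standalone branch, `if (server_role != ROLE_STANDALONE || gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {`, or state in the commit message and release notes that the option is now ignored. The new code dereferences `gensec_security->settings->lp_ctx`; the removed line already dereferenced `settings`, but `lp_ctx` being non-NULL at this point is an assumption worth confirming. The remainder of gensec_generate_session_info_pac() is outside this hunk.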
@@ -0,0 +1,135 @@ +From f2fa7ade39b1ccac63eaba2e29899c6896c3ccc0 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 11 Oct 2021 23:17:19 +0200 +Subject: [PATCH 23/30] CVE-2020-25717: s4:auth: remove unused + auth_generate_session_info_principal() + +We'll require a PAC at the main gensec layer already. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported from master/4.15 as + check_password is sync in 4.14] +[scabrero@samba.org Backported to 4.7 due to different return code] +--- + source4/auth/auth.h | 8 ------ + source4/auth/ntlm/auth.c | 49 ++++-------------------------------- + source4/auth/ntlm/auth_sam.c | 12 --------- + 3 files changed, 5 insertions(+), 64 deletions(-) + +--- a/source4/auth/auth.h ++++ b/source4/auth/auth.h +@@ -73,14 +73,6 @@ struct auth_operations { + TALLOC_CTX *mem_ctx, + struct auth_user_info_dc **interim_info, + bool *authoritative); +- +- /* Lookup a 'session info interim' return based only on the principal or DN */ +- NTSTATUS (*get_user_info_dc_principal)(TALLOC_CTX *mem_ctx, +- struct auth4_context *auth_context, +- const char *principal, +- struct ldb_dn *user_dn, +- struct auth_user_info_dc **interim_info); +- uint32_t flags; + }; + + struct auth_method_context { +--- a/source4/auth/ntlm/auth.c ++++ b/source4/auth/ntlm/auth.c +@@ -83,48 +83,6 @@ _PUBLIC_ NTSTATUS auth_get_challenge(str + return NT_STATUS_OK; + } + +-/**************************************************************************** +-Used in the gensec_gssapi and gensec_krb5 server-side code, where the +-PAC isn't available, and for tokenGroups in the DSDB stack. 
+- +- Supply either a principal or a DN +-****************************************************************************/ +-static NTSTATUS auth_generate_session_info_principal(struct auth4_context *auth_ctx, +- TALLOC_CTX *mem_ctx, +- const char *principal, +- struct ldb_dn *user_dn, +- uint32_t session_info_flags, +- struct auth_session_info **session_info) +-{ +- NTSTATUS nt_status; +- struct auth_method_context *method; +- struct auth_user_info_dc *user_info_dc; +- +- for (method = auth_ctx->methods; method; method = method->next) { +- if (!method->ops->get_user_info_dc_principal) { +- continue; +- } +- +- nt_status = method->ops->get_user_info_dc_principal(mem_ctx, auth_ctx, principal, user_dn, &user_info_dc); +- if (NT_STATUS_EQUAL(nt_status, NT_STATUS_NOT_IMPLEMENTED)) { +- continue; +- } +- if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; +- } +- +- nt_status = auth_generate_session_info_wrapper(auth_ctx, mem_ctx, +- user_info_dc, +- user_info_dc->info->account_name, +- session_info_flags, session_info); +- talloc_free(user_info_dc); +- +- return nt_status; +- } +- +- return NT_STATUS_NOT_IMPLEMENTED; +-} +- + /** + * Check a user's Plaintext, LM or NTLM password. 
+ * (sync version) +@@ -598,8 +556,11 @@ static NTSTATUS auth_generate_session_in + TALLOC_CTX *tmp_ctx; + + if (!pac_blob) { +- return auth_generate_session_info_principal(auth_ctx, mem_ctx, principal_name, +- NULL, session_info_flags, session_info); ++ /* ++ * This should already be catched at the main ++ * gensec layer, but better check twice ++ */ ++ return NT_STATUS_INTERNAL_ERROR; + } + + tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); +--- a/source4/auth/ntlm/auth_sam.c ++++ b/source4/auth/ntlm/auth_sam.c +@@ -931,28 +931,16 @@ static NTSTATUS authsam_failtrusts_check + return NT_STATUS_NO_TRUST_LSA_SECRET; + } + +-/* Wrapper for the auth subsystem pointer */ +-static NTSTATUS authsam_get_user_info_dc_principal_wrapper(TALLOC_CTX *mem_ctx, +- struct auth4_context *auth_context, +- const char *principal, +- struct ldb_dn *user_dn, +- struct auth_user_info_dc **user_info_dc) +-{ +- return authsam_get_user_info_dc_principal(mem_ctx, auth_context->lp_ctx, auth_context->sam_ctx, +- principal, user_dn, user_info_dc); +-} + static const struct auth_operations sam_ignoredomain_ops = { + .name = "sam_ignoredomain", + .want_check = authsam_ignoredomain_want_check, + .check_password = authsam_check_password_internals, +- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, + }; + + static const struct auth_operations sam_ops = { + .name = "sam", + .want_check = authsam_want_check, + .check_password = authsam_check_password_internals, +- .get_user_info_dc_principal = authsam_get_user_info_dc_principal_wrapper, + }; + + static const struct auth_operations sam_failtrusts_ops = { diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-24.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-24.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-24.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-24.patch 2022-11-09 14:42:14.000000000 +0000 
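Review bot: The new early return in auth_generate_session_info_pac() fails silently with NT_STATUS_INTERNAL_ERROR; since the comment itself says the condition should have been caught at the gensec layer, reaching it means a logic error elsewhere and deserves a log line before the return, e.g. `DBG_ERR("Missing PAC for %s should have been rejected by gensec\n", principal_name);` (principal_name is the name the removed call passed, so it appears to be in scope). The comment also has a typo, `catched` → `caught`; the same wording is repeated in the CVE-2020-25717-26 patch further down this page. The function body continues outside this hunk.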
@@ -0,0 +1,74 @@ +From d59d28cbb303db3dca6879ed28f67c1f6b50b57c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 21 Sep 2021 12:27:28 +0200 +Subject: [PATCH 24/30] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in + ntlm_auth_generate_session_info_pac() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/utils/ntlm_auth.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index ec5d505c3b6..da18ec4f112 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -820,23 +820,27 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + if (!p) { + DEBUG(3, ("[%s] Doesn't look like a valid principal\n", + princ_name)); +- return NT_STATUS_LOGON_FAILURE; ++ status = NT_STATUS_LOGON_FAILURE; ++ goto done; + } + + user = talloc_strndup(mem_ctx, princ_name, p - princ_name); + if (!user) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + + realm = talloc_strdup(talloc_tos(), p + 1); + if (!realm) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + + if (!strequal(realm, lp_realm())) { + DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); + if (!lp_allow_trusted_domains()) { +- return NT_STATUS_LOGON_FAILURE; ++ status = NT_STATUS_LOGON_FAILURE; ++ goto done; + } + } + +@@ -844,7 +848,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + domain = talloc_strdup(mem_ctx, + logon_info->info3.base.logon_domain.string); + if (!domain) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); + } else { +@@ -874,7 +879,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + domain = 
talloc_strdup(mem_ctx, realm); + } + if (!domain) { +- return NT_STATUS_NO_MEMORY; ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + } + DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); + } +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-25.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-25.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-25.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-25.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,142 @@ +From 29cdb666adfec8ffd954f131e274743dcbab4c34 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 21 Sep 2021 12:44:01 +0200 +Subject: [PATCH 25/30] CVE-2020-25717: s3:ntlm_auth: let + ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO + only + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/utils/ntlm_auth.c | 91 ++++++++++++--------------------------- + 1 file changed, 28 insertions(+), 63 deletions(-) + +diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c +index da18ec4f112..7c28a8435d5 100644 +--- a/source3/utils/ntlm_auth.c ++++ b/source3/utils/ntlm_auth.c +@@ -792,10 +792,8 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + struct PAC_LOGON_INFO *logon_info = NULL; + char *unixuser; + NTSTATUS status; +- char *domain = NULL; +- char *realm = NULL; +- char *user = NULL; +- char *p; ++ const char *domain = ""; ++ const char *user = ""; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { +@@ -812,79 +810,46 @@ static NTSTATUS ntlm_auth_generate_session_info_pac(struct auth4_context *auth_c + if (!NT_STATUS_IS_OK(status)) { + goto done; + } +- } +- +- DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); +- +- p = strchr_m(princ_name, '@'); +- if (!p) { +- DEBUG(3, ("[%s] Doesn't look like a valid principal\n", +- princ_name)); +- status = NT_STATUS_LOGON_FAILURE; ++ } else { ++ status = NT_STATUS_ACCESS_DENIED; ++ DBG_WARNING("Kerberos ticket for[%s] has no PAC: %s\n", ++ princ_name, nt_errstr(status)); + goto done; + } + +- user = talloc_strndup(mem_ctx, princ_name, p - princ_name); +- if (!user) { +- status = NT_STATUS_NO_MEMORY; +- goto done; ++ if (logon_info->info3.base.account_name.string != NULL) { ++ user = logon_info->info3.base.account_name.string; ++ } else { ++ user = ""; ++ } ++ if 
(logon_info->info3.base.logon_domain.string != NULL) { ++ domain = logon_info->info3.base.logon_domain.string; ++ } else { ++ domain = ""; + } + +- realm = talloc_strdup(talloc_tos(), p + 1); +- if (!realm) { +- status = NT_STATUS_NO_MEMORY; ++ if (strlen(user) == 0 || strlen(domain) == 0) { ++ status = NT_STATUS_ACCESS_DENIED; ++ DBG_WARNING("Kerberos ticket for[%s] has invalid " ++ "account_name[%s]/logon_domain[%s]: %s\n", ++ princ_name, ++ logon_info->info3.base.account_name.string, ++ logon_info->info3.base.logon_domain.string, ++ nt_errstr(status)); + goto done; + } + +- if (!strequal(realm, lp_realm())) { +- DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); ++ DBG_NOTICE("Kerberos ticket principal name is [%s] " ++ "account_name[%s]/logon_domain[%s]\n", ++ princ_name, user, domain); ++ ++ if (!strequal(domain, lp_workgroup())) { + if (!lp_allow_trusted_domains()) { + status = NT_STATUS_LOGON_FAILURE; + goto done; + } + } + +- if (logon_info && logon_info->info3.base.logon_domain.string) { +- domain = talloc_strdup(mem_ctx, +- logon_info->info3.base.logon_domain.string); +- if (!domain) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); +- } else { +- +- /* If we have winbind running, we can (and must) shorten the +- username by using the short netbios name. Otherwise we will +- have inconsistent user names. With Kerberos, we get the +- fully qualified realm, with ntlmssp we get the short +- name. And even w2k3 does use ntlmssp if you for example +- connect to an ip address. 
*/ +- +- wbcErr wbc_status; +- struct wbcDomainInfo *info = NULL; +- +- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", +- realm)); +- +- wbc_status = wbcDomainInfo(realm, &info); +- +- if (WBC_ERROR_IS_OK(wbc_status)) { +- domain = talloc_strdup(mem_ctx, +- info->short_name); +- wbcFreeMemory(info); +- } else { +- DEBUG(3, ("Could not find short name: %s\n", +- wbcErrorString(wbc_status))); +- domain = talloc_strdup(mem_ctx, realm); +- } +- if (!domain) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); +- } +- + unixuser = talloc_asprintf(tmp_ctx, "%s%c%s", domain, winbind_separator(), user); + if (!unixuser) { + status = NT_STATUS_NO_MEMORY; +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-26.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-26.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-26.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-26.patch 2022-11-09 14:42:14.000000000 +0000 
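Review bot: The DBG_WARNING for an invalid account_name/logon_domain passes `logon_info->info3.base.account_name.string` and `logon_domain.string` straight to `%s`, and either may be NULL — that is exactly the case the preceding checks map to `""` — which is undefined behaviour for a printf-style format. Print the already-normalised values instead: `princ_name, user, domain, nt_errstr(status));`. The `else { user = ""; }` and `else { domain = ""; }` branches duplicate the initialisers added at the top of the function and could be dropped. ntlm_auth_generate_session_info_pac() continues outside this hunk.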
@@ -0,0 +1,321 @@ +From e147cbe688b0f699cc07788c5c3420f0831fe0ad Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 4 Oct 2021 19:42:20 +0200 +Subject: [PATCH 26/30] CVE-2020-25717: s3:auth: let + auth3_generate_session_info_pac() delegate everything to + make_server_info_wbcAuthUserInfo() + +This consolidates the code paths used for NTLMSSP and Kerberos! + +I checked what we were already doing for NTLMSSP, which is this: + +a) source3/auth/auth_winbind.c calls wbcAuthenticateUserEx() +b) as a domain member we require a valid response from winbindd, + otherwise we'll return NT_STATUS_NO_LOGON_SERVERS +c) we call make_server_info_wbcAuthUserInfo(), which internally + calls make_server_info_info3() +d) auth_check_ntlm_password() calls + smb_pam_accountcheck(unix_username, rhost), where rhost + is only an ipv4 or ipv6 address (without reverse dns lookup) +e) from auth3_check_password_send/auth3_check_password_recv() + server_returned_info will be passed to auth3_generate_session_info(), + triggered by gensec_session_info(), which means we'll call into + create_local_token() in order to transform auth_serversupplied_info + into auth_session_info. + +For Kerberos gensec_session_info() will call +auth3_generate_session_info_pac() via the gensec_generate_session_info_pac() +helper function. The current logic is this: + +a) gensec_generate_session_info_pac() is the function that + evaluates the 'gensec:require_pac', which defaulted to 'no' + before. +b) auth3_generate_session_info_pac() called + wbcAuthenticateUserEx() in order to pass the PAC blob + to winbindd, but only to prime its cache, e.g. netsamlogon cache + and others. Most failures were just ignored. +c) If the PAC blob is available, it extracted the PAC_LOGON_INFO + from it. 
+d) Then we called the horrible get_user_from_kerberos_info() function: + - It uses a first part of the tickets principal name (before the @) + as username and combines that with the 'logon_info->base.logon_domain' + if the logon_info (PAC) is present. + - As a fallback without a PAC it's tries to ask winbindd for a mapping + from realm to netbios domain name. + - Finally is falls back to using the realm as netbios domain name + With this information is builds 'userdomain+winbind_separator+useraccount' + and calls map_username() followed by smb_getpwnam() with create=true, + Note this is similar to the make_server_info_info3() => check_account() + => smb_getpwnam() logic under 3. + - It also calls smb_pam_accountcheck(), but may pass the reverse DNS lookup name + instead of the ip address as rhost. + - It does some MAP_TO_GUEST_ON_BAD_UID logic and auto creates the + guest account. +e) We called create_info3_from_pac_logon_info() +f) make_session_info_krb5() calls gets called and triggers this: + - If get_user_from_kerberos_info() mapped to guest, it calls + make_server_info_guest() + - If create_info3_from_pac_logon_info() created a info3 from logon_info, + it calls make_server_info_info3() + - Without a PAC it tries pdb_getsampwnam()/make_server_info_sam() with + a fallback to make_server_info_pw() + From there it calls create_local_token() + +I tried to change auth3_generate_session_info_pac() to behave similar +to auth_winbind.c together with auth3_generate_session_info() as +a domain member, as we now rely on a PAC: + +a) As domain member we require a PAC and always call wbcAuthenticateUserEx() + and require a valid response! +b) we call make_server_info_wbcAuthUserInfo(), which internally + calls make_server_info_info3(). Note make_server_info_info3() + handles MAP_TO_GUEST_ON_BAD_UID and make_server_info_guest() + internally. 
+c) Similar to auth_check_ntlm_password() we now call + smb_pam_accountcheck(unix_username, rhost), where rhost + is only an ipv4 or ipv6 address (without reverse dns lookup) +d) From there it calls create_local_token() + +As standalone server (in an MIT realm) we continue +with the already existing code logic, which works without a PAC: +a) we keep smb_getpwnam() with create=true logic as it + also requires an explicit 'add user script' option. +b) In the following commits we assert that there's + actually no PAC in this mode, which means we can + remove unused and confusing code. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported due to change in structure + initialization with { 0 } to zero ] +[abartlet@samba.org backported to 4.12 due to conflict + with code not present to reload shared on krb5 login] +--- + source3/auth/auth_generic.c | 139 ++++++++++++++++++++++++++++-------- + 1 file changed, 110 insertions(+), 29 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index bc0bd704626..31d824a71e5 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -44,6 +44,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + uint32_t session_info_flags, + struct auth_session_info **session_info) + { ++ enum server_role server_role = lp_server_role(); + TALLOC_CTX *tmp_ctx; + struct PAC_LOGON_INFO *logon_info = NULL; + struct netr_SamInfo3 *info3_copy = NULL; +@@ -52,39 +53,59 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + char *ntuser; + char *ntdomain; + char *username; +- char *rhost; ++ const char *rhost; + struct passwd *pw; + NTSTATUS status; +- int rc; + + tmp_ctx = talloc_new(mem_ctx); + if (!tmp_ctx) { + return NT_STATUS_NO_MEMORY; + } + +- if (pac_blob) { +-#ifdef HAVE_KRB5 +- struct wbcAuthUserParams 
params = {}; ++ if (tsocket_address_is_inet(remote_address, "ip")) { ++ rhost = tsocket_address_inet_addr_string( ++ remote_address, tmp_ctx); ++ if (rhost == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ } else { ++ rhost = "127.0.0.1"; ++ } ++ ++ if (server_role != ROLE_STANDALONE) { ++ struct wbcAuthUserParams params = { 0 }; + struct wbcAuthUserInfo *info = NULL; + struct wbcAuthErrorInfo *err = NULL; ++ struct auth_serversupplied_info *server_info = NULL; ++ char *original_user_name = NULL; ++ char *p = NULL; + wbcErr wbc_err; + ++ if (pac_blob == NULL) { ++ /* ++ * This should already be catched at the main ++ * gensec layer, but better check twice ++ */ ++ status = NT_STATUS_INTERNAL_ERROR; ++ goto done; ++ } ++ + /* + * Let winbind decode the PAC. + * This will also store the user + * data in the netsamlogon cache. + * +- * We need to do this *before* we +- * call get_user_from_kerberos_info() +- * as that does a user lookup that +- * expects info in the netsamlogon cache. +- * +- * See BUG: https://bugzilla.samba.org/show_bug.cgi?id=11259 ++ * This used to be a cache prime ++ * optimization, but now we delegate ++ * all logic to winbindd, as we require ++ * winbindd as domain member anyway. 
+ */ + params.level = WBC_AUTH_USER_LEVEL_PAC; + params.password.pac.data = pac_blob->data; + params.password.pac.length = pac_blob->length; + ++ /* we are contacting the privileged pipe */ + become_root(); + wbc_err = wbcAuthenticateUserEx(¶ms, &info, &err); + unbecome_root(); +@@ -97,18 +118,90 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + */ + + switch (wbc_err) { +- case WBC_ERR_WINBIND_NOT_AVAILABLE: + case WBC_ERR_SUCCESS: + break; ++ case WBC_ERR_WINBIND_NOT_AVAILABLE: ++ status = NT_STATUS_NO_LOGON_SERVERS; ++ DBG_ERR("winbindd not running - " ++ "but required as domain member: %s\n", ++ nt_errstr(status)); ++ goto done; + case WBC_ERR_AUTH_ERROR: + status = NT_STATUS(err->nt_status); + wbcFreeMemory(err); + goto done; ++ case WBC_ERR_NO_MEMORY: ++ status = NT_STATUS_NO_MEMORY; ++ goto done; + default: + status = NT_STATUS_LOGON_FAILURE; + goto done; + } + ++ status = make_server_info_wbcAuthUserInfo(tmp_ctx, ++ info->account_name, ++ info->domain_name, ++ info, &server_info); ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n", ++ nt_errstr(status))); ++ goto done; ++ } ++ ++ /* We skip doing this step if the caller asked us not to */ ++ if (!(server_info->guest)) { ++ const char *unix_username = server_info->unix_name; ++ ++ /* We might not be root if we are an RPC call */ ++ become_root(); ++ status = smb_pam_accountcheck(unix_username, rhost); ++ unbecome_root(); ++ ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(3, ("check_ntlm_password: PAM Account for user [%s] " ++ "FAILED with error %s\n", ++ unix_username, nt_errstr(status))); ++ goto done; ++ } ++ ++ DEBUG(5, ("check_ntlm_password: PAM Account for user [%s] " ++ "succeeded\n", unix_username)); ++ } ++ ++ DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); ++ ++ p = strchr_m(princ_name, '@'); ++ if (!p) { ++ DEBUG(3, ("[%s] Doesn't look like a valid principal\n", ++ princ_name)); ++ status = 
NT_STATUS_LOGON_FAILURE; ++ goto done; ++ } ++ ++ original_user_name = talloc_strndup(tmp_ctx, princ_name, p - princ_name); ++ if (original_user_name == NULL) { ++ status = NT_STATUS_NO_MEMORY; ++ goto done; ++ } ++ ++ status = create_local_token(mem_ctx, ++ server_info, ++ NULL, ++ original_user_name, ++ session_info); ++ if (!NT_STATUS_IS_OK(status)) { ++ DEBUG(10, ("create_local_token failed: %s\n", ++ nt_errstr(status))); ++ goto done; ++ } ++ ++ goto session_info_ready; ++ } ++ ++ /* This is the standalone legacy code path */ ++ ++ if (pac_blob != NULL) { ++#ifdef HAVE_KRB5 + status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, + NULL, NULL, 0, &logon_info); + #else +@@ -119,22 +212,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + } + } + +- rc = get_remote_hostname(remote_address, +- &rhost, +- tmp_ctx); +- if (rc < 0) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- if (strequal(rhost, "UNKNOWN")) { +- rhost = tsocket_address_inet_addr_string(remote_address, +- tmp_ctx); +- if (rhost == NULL) { +- status = NT_STATUS_NO_MEMORY; +- goto done; +- } +- } +- + status = get_user_from_kerberos_info(tmp_ctx, rhost, + princ_name, logon_info, + &is_mapped, &is_guest, +@@ -168,6 +245,8 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + goto done; + } + ++session_info_ready: ++ + /* setup the string used by %U */ + set_current_user_info((*session_info)->unix_info->sanitized_username, + (*session_info)->unix_info->unix_name, +@@ -177,7 +256,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + lp_load_with_shares(get_dyn_CONFIGFILE()); + + DEBUG(5, (__location__ "OK: user: %s domain: %s client: %s\n", +- ntuser, ntdomain, rhost)); ++ (*session_info)->info->account_name, ++ (*session_info)->info->domain_name, ++ rhost)); + + status = NT_STATUS_OK; + +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-27.patch 
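Review bot: On the domain-member path the `info` returned by wbcAuthenticateUserEx() is never released: after make_server_info_wbcAuthUserInfo() the code either jumps to `done` or continues to create_local_token() with no `wbcFreeMemory(info);`, so every Kerberos logon leaks the wbcAuthUserInfo unless make_server_info_wbcAuthUserInfo() takes ownership, which its by-pointer signature does not suggest (the NTLMSSP path this is modelled on frees it right after that call, as far as I recall). Add `wbcFreeMemory(info);` immediately after the make_server_info_wbcAuthUserInfo() call, before the status check. The PAM log lines copied from the NTLM path still say `check_ntlm_password:`; in this Kerberos function that prefix misleads anyone reading logs, so `auth3_generate_session_info_pac:` would be the accurate label. The `done` label and the tail of the function are outside this hunk.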
samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-27.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-27.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-27.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,45 @@ +From dd2b8d5019dde6af0c51741b9bc4ec120f39133a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 17:14:01 +0200 +Subject: [PATCH 27/30] CVE-2020-25717: selftest: configure 'ktest' env with + winbindd and idmap_autorid + +The 'ktest' environment was/is designed to test kerberos in an active +directory member setup. It was created at a time we wanted to test +smbd/winbindd with kerberos without having the source4 ad dc available. + +This still applies to testing the build with system krb5 libraries +but without relying on a running ad dc. + +As a domain member setup requires a running winbindd, we should test it +that way, in order to reflect a valid setup. + +As a side effect it provides a way to demonstrate that we can accept +smb connections authenticated via kerberos, but no connection to +a domain controller! In order get this working offline, we need an +idmap backend with ID_TYPE_BOTH support, so we use 'autorid', which +should be the default choice. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14646 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[scabrero@samba.org Backported to 4.11 Run winbindd in offline mode + but keep the user name mapping to avoid having to backport fixes + for bso#14539] +--- + selftest/target/Samba3.pm | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -1020,7 +1020,7 @@ $ret->{USERNAME} = KTEST/Administrator + # access the share for tests. 
+ chmod 0777, "$prefix/share"; + +- if (not $self->check_or_start($ret, "yes", "no", "yes")) { ++ if (not $self->check_or_start($ret, "yes", "offline", "yes")) { + return undef; + } + return $ret; diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-28.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-28.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-28.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-28.patch 2022-11-09 14:42:14.000000000 +0000 
@@ -0,0 +1,85 @@ +From b4c67e3a4124215594248f7e560193868ae34547 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 5 Oct 2021 18:12:49 +0200 +Subject: [PATCH 28/30] CVE-2020-25717: s3:auth: let + auth3_generate_session_info_pac() reject a PAC in standalone mode + +We should be strict in standalone mode, that we only support MIT realms +without a PAC in order to keep the code sane. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher + +[abartlet@samba.org Backported to Samba 4.12 has conflcits + as the share reload code is in a different spot] +--- + source3/auth/auth_generic.c | 29 +++++++++-------------------- + 1 file changed, 9 insertions(+), 20 deletions(-) + +diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c +index 31d824a71e5..a84e6f4e94e 100644 +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -46,8 +46,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + { + enum server_role server_role = lp_server_role(); + TALLOC_CTX *tmp_ctx; +- struct PAC_LOGON_INFO *logon_info = NULL; +- struct netr_SamInfo3 *info3_copy = NULL; + bool is_mapped; + bool is_guest; + char *ntuser; +@@ -201,19 +199,20 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + /* This is the standalone legacy code path */ + + if (pac_blob != NULL) { +-#ifdef HAVE_KRB5 +- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL, +- NULL, NULL, 0, &logon_info); +-#else +- status = NT_STATUS_ACCESS_DENIED; +-#endif ++ /* ++ * In standalone mode we don't expect a PAC! 
++ * we only support MIT realms ++ */ ++ status = NT_STATUS_BAD_TOKEN_TYPE; ++ DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n", ++ princ_name, nt_errstr(status)); + if (!NT_STATUS_IS_OK(status)) { + goto done; + } + } + + status = get_user_from_kerberos_info(tmp_ctx, rhost, +- princ_name, logon_info, ++ princ_name, NULL, + &is_mapped, &is_guest, + &ntuser, &ntdomain, + &username, &pw); +@@ -224,19 +223,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, + goto done; + } + +- /* Get the info3 from the PAC data if we have it */ +- if (logon_info) { +- status = create_info3_from_pac_logon_info(tmp_ctx, +- logon_info, +- &info3_copy); +- if (!NT_STATUS_IS_OK(status)) { +- goto done; +- } +- } +- + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, +- info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, ++ NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", +-- +2.33.1 + + diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-29.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-29.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-29.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-29.patch 2022-11-09 14:42:14.000000000 +0000 
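Review bot: In the standalone branch `status` is set to NT_STATUS_BAD_TOKEN_TYPE unconditionally, so the following `if (!NT_STATUS_IS_OK(status)) { goto done; }` is always taken and reads as though the rejection were conditional; replace it with a plain `goto done;` after the DBG_WARNING. The `if (pac_blob != NULL)` guard then states plainly that standalone mode fails closed on a PAC, which is the intent given in the commit message. auth3_generate_session_info_pac() extends beyond this hunk on both sides.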
@@ -0,0 +1,140 @@ +From 5570c45d7c1bb0a5d03249532f75da2747819afb Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 8 Oct 2021 17:59:59 +0200 +Subject: [PATCH 29/30] CVE-2020-25717: s3:auth: simplify + get_user_from_kerberos_info() by removing the unused logon_info argument + +This code is only every called in standalone mode on a MIT realm, +it means we never have a PAC and we also don't have winbindd arround. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_generic.c | 2 +- + source3/auth/proto.h | 1 - + source3/auth/user_krb5.c | 57 +++++++------------------------------ + 3 files changed, 11 insertions(+), 49 deletions(-) + +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -212,7 +212,7 @@ static NTSTATUS auth3_generate_session_i + } + + status = get_user_from_kerberos_info(tmp_ctx, rhost, +- princ_name, NULL, ++ princ_name, + &is_mapped, &is_guest, + &ntuser, &ntdomain, + &username, &pw); +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -381,7 +381,6 @@ struct PAC_LOGON_INFO; + NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + const char *cli_name, + const char *princ_name, +- struct PAC_LOGON_INFO *logon_info, + bool *is_mapped, + bool *mapped_to_guest, + char **ntuser, +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -31,7 +31,6 @@ + NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + const char *cli_name, + const char *princ_name, +- struct PAC_LOGON_INFO *logon_info, + bool *is_mapped, + bool *mapped_to_guest, + char **ntuser, +@@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TAL + struct passwd **_pw) + { + NTSTATUS status; +- char *domain = NULL; +- char *realm = NULL; ++ const char *domain = NULL; ++ const char *realm = NULL; + char *user = NULL; + char *p; + char *fuser = NULL; +@@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TAL + return NT_STATUS_NO_MEMORY; + } + +- realm = 
talloc_strdup(talloc_tos(), p + 1); +- if (!realm) { +- return NT_STATUS_NO_MEMORY; +- } ++ realm = p + 1; + + if (!strequal(realm, lp_realm())) { + DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm)); + if (!lp_allow_trusted_domains()) { + return NT_STATUS_LOGON_FAILURE; + } +- } +- +- if (logon_info && logon_info->info3.base.logon_domain.string) { +- domain = talloc_strdup(mem_ctx, +- logon_info->info3.base.logon_domain.string); +- if (!domain) { +- return NT_STATUS_NO_MEMORY; +- } +- DEBUG(10, ("Domain is [%s] (using PAC)\n", domain)); ++ domain = realm; + } else { +- +- /* If we have winbind running, we can (and must) shorten the +- username by using the short netbios name. Otherwise we will +- have inconsistent user names. With Kerberos, we get the +- fully qualified realm, with ntlmssp we get the short +- name. And even w2k3 does use ntlmssp if you for example +- connect to an ip address. */ +- +- wbcErr wbc_status; +- struct wbcDomainInfo *info = NULL; +- +- DEBUG(10, ("Mapping [%s] to short name using winbindd\n", +- realm)); +- +- wbc_status = wbcDomainInfo(realm, &info); +- +- if (WBC_ERROR_IS_OK(wbc_status)) { +- domain = talloc_strdup(mem_ctx, +- info->short_name); +- wbcFreeMemory(info); +- } else { +- DEBUG(3, ("Could not find short name: %s\n", +- wbcErrorString(wbc_status))); +- domain = talloc_strdup(mem_ctx, realm); +- } +- if (!domain) { +- return NT_STATUS_NO_MEMORY; +- } +- DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); ++ domain = lp_workgroup(); + } + + fuser = talloc_asprintf(mem_ctx, +@@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TAL + return NT_STATUS_NO_MEMORY; + } + *ntuser = user; +- *ntdomain = domain; ++ *ntdomain = talloc_strdup(mem_ctx, domain); ++ if (*ntdomain == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ + *_pw = pw; + + return NT_STATUS_OK; +@@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_C + NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, + const char *cli_name, + const 
char *princ_name, +- struct PAC_LOGON_INFO *logon_info, + bool *is_mapped, + bool *mapped_to_guest, + char **ntuser, diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-30.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-30.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-30.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25717-30.patch 2022-11-09 14:42:14.000000000 +0000 
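Review bot: With the winbindd lookup removed, a ticket from a foreign realm now produces `domain = realm` (the full Kerberos realm string) while a local-realm ticket produces `domain = lp_workgroup()`, and nothing in the hunk documents that asymmetry even though it fixes the shape of `fuser` built just below and therefore what the username map and getpwnam() see. I would add above `domain = realm;`: `/* standalone + MIT realm: no winbindd to shorten the realm, so the mapped name carries the full REALM; "username map" entries must match that form */`. The removed DEBUG(10) lines were the only trace of which branch was taken; a `DBG_DEBUG("Domain is [%s]\n", domain);` after the if/else is cheap and helps when a mapping fails. `realm = p + 1;` now aliases the `user` buffer (the split at '@' presumably happens above the hunk), so its lifetime is tied to `user`; that is fine here because `user` is returned through `*ntuser`, but a one-line comment saying so would prevent a later talloc_free(user) from creating a dangling read. get_user_from_kerberos_info() begins before this hunk.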
@@ -0,0 +1,93 @@ +From 9f182ff1d1aa6705be027cf2347b7bc126b0d30d Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 8 Oct 2021 18:03:04 +0200 +Subject: [PATCH 30/30] CVE-2020-25717: s3:auth: simplify + make_session_info_krb5() by removing unused arguments + +This is only ever be called in standalone mode with an MIT realm, +so we don't have a PAC/info3 structure. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 + +Signed-off-by: Stefan Metzmacher +--- + source3/auth/auth_generic.c | 2 +- + source3/auth/proto.h | 2 -- + source3/auth/user_krb5.c | 20 +------------------- + 3 files changed, 2 insertions(+), 22 deletions(-) + +--- a/source3/auth/auth_generic.c ++++ b/source3/auth/auth_generic.c +@@ -225,7 +225,7 @@ static NTSTATUS auth3_generate_session_i + + status = make_session_info_krb5(mem_ctx, + ntuser, ntdomain, username, pw, +- NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */, ++ is_guest, is_mapped, + session_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", +--- a/source3/auth/proto.h ++++ b/source3/auth/proto.h +@@ -392,9 +392,7 @@ NTSTATUS make_session_info_krb5(TALLOC_C + char *ntdomain, + char *username, + struct passwd *pw, +- const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, +- DATA_BLOB *session_key, + struct auth_session_info **session_info); + + /* The following definitions come from auth/auth_samba4.c */ +--- a/source3/auth/user_krb5.c ++++ b/source3/auth/user_krb5.c +@@ -150,9 +150,7 @@ NTSTATUS make_session_info_krb5(TALLOC_C + char *ntdomain, + char *username, + struct passwd *pw, +- const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, +- DATA_BLOB *session_key, + struct auth_session_info **session_info) + { + NTSTATUS status; +@@ -166,20 +164,6 @@ NTSTATUS make_session_info_krb5(TALLOC_C + return status; + } + +- } else if (info3) { +- /* pass the unmapped username here 
since map_username() +- will be called again in make_server_info_info3() */ +- +- status = make_server_info_info3(mem_ctx, +- ntuser, ntdomain, +- &server_info, +- info3); +- if (!NT_STATUS_IS_OK(status)) { +- DEBUG(1, ("make_server_info_info3 failed: %s!\n", +- nt_errstr(status))); +- return status; +- } +- + } else { + /* + * We didn't get a PAC, we have to make up the user +@@ -231,7 +215,7 @@ NTSTATUS make_session_info_krb5(TALLOC_C + + server_info->nss_token |= username_was_mapped; + +- status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info); ++ status = create_local_token(mem_ctx, server_info, NULL, ntuser, session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(10,("failed to create local token: %s\n", +@@ -261,9 +245,7 @@ NTSTATUS make_session_info_krb5(TALLOC_C + char *ntdomain, + char *username, + struct passwd *pw, +- const struct netr_SamInfo3 *info3, + bool mapped_to_guest, bool username_was_mapped, +- DATA_BLOB *session_key, + struct auth_session_info **session_info) + { + return NT_STATUS_NOT_IMPLEMENTED; diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-1.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-1.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-1.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-1.patch 2022-11-09 14:42:14.000000000 +0000 
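Review bot: Two messages left in the new code still describe a PAC that this path can no longer carry: the DEBUG(1) in auth3_generate_session_info_pac() (`"Failed to map kerberos pac to server info (%s)\n"`) and the `/* We didn't get a PAC, we have to make up the user */` comment that now introduces the only remaining branch in make_session_info_krb5(). Since patch 28 makes a PAC a hard error in standalone mode, an operator grepping logs for a PAC mapping failure will be misled; suggest `"Failed to map kerberos principal to server info (%s)\n"` and `/* standalone MIT-realm path: there is never a PAC, build server_info from the local user */`. The call `create_local_token(mem_ctx, server_info, NULL, ntuser, session_info)` now hard-codes a NULL session key, and the old `/* No session key for now, caller will sort it out */` note disappeared with the argument; that expectation should move to a comment on the call so the caller's responsibility stays visible. Both functions touched here start outside their hunks.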
@@ -0,0 +1,229 @@ +Backport of: + +From a1db33d368c4bdcd0ad7f27413df51a7192218bc Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Fri, 13 Aug 2021 17:42:23 +1200 +Subject: [PATCH 075/262] CVE-2020-25722 dsdb: Restrict the setting of + privileged attributes during LDAP add/modify + +The remaining failures in the priv_attrs (not the strict one) test are +due to missing objectclass constraints on the administrator which should +be addressed, but are not a security issue. + +A better test for confirming constraints between objectclass and +userAccountControl UF_NORMAL_ACCONT/UF_WORKSTATION_TRUST values would +be user_account_control.py. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14703 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14778 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14775 + +Signed-off-by: Andrew Bartlett +Reviewed-by: Douglas Bagnall +--- + selftest/knownfail.d/priv_attr | 24 ---- + source4/dsdb/samdb/ldb_modules/samldb.c | 148 +++++++++++++++++++++--- + 2 files changed, 129 insertions(+), 43 deletions(-) + +--- a/source4/dsdb/samdb/ldb_modules/samldb.c ++++ b/source4/dsdb/samdb/ldb_modules/samldb.c +@@ -1924,6 +1924,29 @@ static int samldb_check_user_account_con + return ret; + } + ++static int samldb_get_domain_secdesc(struct samldb_ctx *ac, ++ struct security_descriptor **domain_sd) ++{ ++ const char * const sd_attrs[] = {"ntSecurityDescriptor", NULL}; ++ struct ldb_result *res; ++ struct ldb_dn *domain_dn = ldb_get_default_basedn(ldb_module_get_ctx(ac->module)); ++ int ret = dsdb_module_search_dn(ac->module, ac, &res, ++ domain_dn, ++ sd_attrs, ++ DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, ++ ac->req); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ if (res->count != 1) { ++ return ldb_module_operr(ac->module); ++ } ++ ++ return dsdb_get_sd_from_ldb_message(ldb_module_get_ctx(ac->module), ++ ac, res->msgs[0], domain_sd); ++ ++} ++ + /** + * Validate that the restriction in point 5 of MS-SAMR 3.1.1.8.10 
userAccountControl is honoured + * +@@ -1935,12 +1958,8 @@ static int samldb_check_user_account_con + { + int i, ret = 0; + bool need_acl_check = false; +- struct ldb_result *res; +- const char * const sd_attrs[] = {"ntSecurityDescriptor", NULL}; + struct security_token *user_token; + struct security_descriptor *domain_sd; +- struct ldb_dn *domain_dn = ldb_get_default_basedn(ldb_module_get_ctx(ac->module)); +- struct ldb_context *ldb = ldb_module_get_ctx(ac->module); + const struct uac_to_guid { + uint32_t uac; + uint32_t priv_to_change_from; +@@ -2026,21 +2045,7 @@ static int samldb_check_user_account_con + return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; + } + +- ret = dsdb_module_search_dn(ac->module, ac, &res, +- domain_dn, +- sd_attrs, +- DSDB_FLAG_NEXT_MODULE | DSDB_SEARCH_SHOW_DELETED, +- ac->req); +- if (ret != LDB_SUCCESS) { +- return ret; +- } +- if (res->count != 1) { +- return ldb_module_operr(ac->module); +- } +- +- ret = dsdb_get_sd_from_ldb_message(ldb, +- ac, res->msgs[0], &domain_sd); +- ++ ret = samldb_get_domain_secdesc(ac, &domain_sd); + if (ret != LDB_SUCCESS) { + return ret; + } +@@ -2102,6 +2107,8 @@ static int samldb_check_user_account_con + return ldb_module_operr(ac->module); + } + if (map[i].guid) { ++ struct ldb_dn *domain_dn ++ = ldb_get_default_basedn(ldb_module_get_ctx(ac->module)); + dsdb_acl_debug(domain_sd, acl_user_token(ac->module), + domain_dn, + true, +@@ -3433,7 +3440,98 @@ static char *refer_if_rodc(struct ldb_co + return NULL; + } + ++/* ++ * Restrict all access to sensitive attributes. ++ * ++ * We don't want to even inspect the values, so we can use the same ++ * routine for ADD and MODIFY. 
++ * ++ */ ++ ++static int samldb_check_sensitive_attributes(struct samldb_ctx *ac) ++{ ++ struct ldb_message_element *el = NULL; ++ struct security_token *user_token = NULL; ++ int ret; + ++ if (dsdb_module_am_system(ac->module)) { ++ return LDB_SUCCESS; ++ } ++ ++ user_token = acl_user_token(ac->module); ++ if (user_token == NULL) { ++ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; ++ } ++ ++ el = ldb_msg_find_element(ac->msg, "sidHistory"); ++ if (el) { ++ /* ++ * sidHistory is restricted to the (not implemented ++ * yet in Samba) DsAddSidHistory call (direct LDB access is ++ * as SYSTEM so will bypass this). ++ * ++ * If you want to modify this, say to merge domains, ++ * directly modify the sam.ldb as root. ++ */ ++ ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), ++ "sidHistory " ++ "(entry %s) cannot be created " ++ "or changed over LDAP!", ++ ldb_dn_get_linearized(ac->msg->dn)); ++ return LDB_ERR_UNWILLING_TO_PERFORM; ++ } ++ ++ el = ldb_msg_find_element(ac->msg, "msDS-SecondaryKrbTgtNumber"); ++ if (el) { ++ struct security_descriptor *domain_sd; ++ /* ++ * msDS-SecondaryKrbTgtNumber allows the creator to ++ * become an RODC, this is trusted as an RODC ++ * account ++ */ ++ ret = samldb_get_domain_secdesc(ac, &domain_sd); ++ if (ret != LDB_SUCCESS) { ++ return ret; ++ } ++ ret = acl_check_extended_right(ac, domain_sd, ++ user_token, ++ GUID_DRS_DS_INSTALL_REPLICA, ++ SEC_ADS_CONTROL_ACCESS, ++ NULL); ++ if (ret != LDB_SUCCESS) { ++ ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), ++ "msDS-SecondaryKrbTgtNumber " ++ "(entry %s) cannot be created " ++ "or changed without " ++ "DS-Install-Replica extended right!", ++ ldb_dn_get_linearized(ac->msg->dn)); ++ return ret; ++ } ++ } ++ ++ el = ldb_msg_find_element(ac->msg, "msDS-AllowedToDelegateTo"); ++ if (el) { ++ /* ++ * msDS-AllowedToDelegateTo is incredibly powerful, ++ * given that it allows a server to become ANY USER on ++ * the target server only listed by SPN so needs to be ++ * protected just 
as the userAccountControl ++ * UF_TRUSTED_FOR_DELEGATION is. ++ */ ++ ++ bool have_priv = security_token_has_privilege(user_token, ++ SEC_PRIV_ENABLE_DELEGATION); ++ if (have_priv == false) { ++ ldb_asprintf_errstring(ldb_module_get_ctx(ac->module), ++ "msDS-AllowedToDelegateTo " ++ "(entry %s) cannot be created " ++ "or changed without SePrivEnableDelegation!", ++ ldb_dn_get_linearized(ac->msg->dn)); ++ return LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS; ++ } ++ } ++ return LDB_SUCCESS; ++} + /* add */ + static int samldb_add(struct ldb_module *module, struct ldb_request *req) + { +@@ -3480,6 +3578,12 @@ static int samldb_add(struct ldb_module + return ldb_operr(ldb); + } + ++ ret = samldb_check_sensitive_attributes(ac); ++ if (ret != LDB_SUCCESS) { ++ talloc_free(ac); ++ return ret; ++ } ++ + el = ldb_msg_find_element(ac->msg, "fSMORoleOwner"); + if (el != NULL) { + ret = samldb_fsmo_role_owner_check(ac); +@@ -3687,6 +3791,12 @@ static int samldb_modify(struct ldb_modu + return ldb_operr(ldb); + } + ++ ret = samldb_check_sensitive_attributes(ac); ++ if (ret != LDB_SUCCESS) { ++ talloc_free(ac); ++ return ret; ++ } ++ + if (is_undelete == NULL) { + el = ldb_msg_find_element(ac->msg, "primaryGroupID"); + if (el != NULL) { diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-2.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-2.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-2.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2020-25722-2.patch 2022-11-09 14:42:14.000000000 +0000 
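Review bot: samldb_check_sensitive_attributes() recognises the three protected attributes by lDAPDisplayName through ldb_msg_find_element(), so the guard only holds if every request reaching samldb has already had its attribute names normalised — a modify that names `sidHistory` by OID, if the LDAP front-end admits that form, would otherwise pass untouched; the module stack is not visible from here, so please confirm normalisation precedes samldb or add a test that sends the attribute by OID. The function's header comment should also record the contract the code relies on: `/* Only SYSTEM may write these. Values are deliberately not inspected, so MOD_DELETE and MOD_REPLACE of the attribute are refused as well. */`. Minor: `domain_sd` inside the msDS-SecondaryKrbTgtNumber branch and `ret` at function scope are declared without initialisers; `= NULL` and `= LDB_SUCCESS` make the error paths obviously safe. samldb_add() and samldb_modify() start and end outside their hunks.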
@@ -0,0 +1,88 @@ +Backport of: + +From 6c59e700e5191f067f270a944048e5a435a91574 Mon Sep 17 00:00:00 2001 +From: Andrew Bartlett +Date: Wed, 20 Oct 2021 11:36:58 +1300 +Subject: [PATCH 246/262] CVE-2020-25722 Ensure the structural objectclass + cannot be changed + +If the structural objectclass is allowed to change, then the restrictions +locking an object to remaining a user or computer will not be enforcable. + +Likewise other LDAP inheritance rules, which allow only certain +child objects can be bypassed, which can in turn allow creation of +(unprivileged) users where only DNS objects were expected. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753 +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889 + +Signed-off-by: Andrew Bartlett +Reviewed-by: Joseph Sutton +--- + selftest/knownfail.d/ldap | 1 - + selftest/knownfail.d/modify-order | 2 +- + selftest/knownfail.d/uac_mod_lock | 28 --------------- + selftest/knownfail.d/uac_objectclass_restrict | 4 --- + source4/dsdb/samdb/ldb_modules/objectclass.c | 36 +++++++++++++++++++ + 5 files changed, 37 insertions(+), 34 deletions(-) + delete mode 100644 selftest/knownfail.d/uac_mod_lock + +--- a/source4/dsdb/samdb/ldb_modules/objectclass.c ++++ b/source4/dsdb/samdb/ldb_modules/objectclass.c +@@ -805,6 +805,7 @@ static int objectclass_do_mod(struct oc_ + struct ldb_message_element *oc_el_entry, *oc_el_change; + struct ldb_val *vals; + struct ldb_message *msg; ++ const struct dsdb_class *current_structural_objectclass; + const struct dsdb_class *objectclass; + unsigned int i, j, k; + bool found; +@@ -824,6 +825,22 @@ static int objectclass_do_mod(struct oc_ + return ldb_operr(ldb); + } + ++ /* ++ * Get the current new top-most structural object class ++ * ++ * We must not allow this to change ++ */ ++ ++ current_structural_objectclass ++ = dsdb_get_last_structural_class(ac->schema, ++ oc_el_entry); ++ if (current_structural_objectclass == NULL) { ++ ldb_asprintf_errstring(ldb, ++ "objectclass: cannot find current 
structural objectclass on %s!", ++ ldb_dn_get_linearized(ac->search_res->message->dn)); ++ return LDB_ERR_OBJECT_CLASS_VIOLATION; ++ } ++ + /* use a new message structure */ + msg = ldb_msg_new(ac); + if (msg == NULL) { +@@ -933,6 +950,25 @@ static int objectclass_do_mod(struct oc_ + return LDB_ERR_OBJECT_CLASS_VIOLATION; + } + ++ /* ++ * Has (so far, we re-check for each and every ++ * "objectclass" in the message) the structural ++ * objectclass changed? ++ */ ++ ++ if (objectclass != current_structural_objectclass) { ++ const char *dn ++ = ldb_dn_get_linearized(ac->search_res->message->dn); ++ ldb_asprintf_errstring(ldb, ++ "objectclass: not permitted " ++ "to change the structural " ++ "objectClass on %s [%s] => [%s]!", ++ dn, ++ current_structural_objectclass->lDAPDisplayName, ++ objectclass->lDAPDisplayName); ++ return LDB_ERR_OBJECT_CLASS_VIOLATION; ++ } ++ + /* Check for unrelated objectclasses */ + ret = check_unrelated_objectclasses(ac->module, ac->schema, + objectclass, diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-3671.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-3671.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-3671.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-3671.patch 2022-11-09 14:42:14.000000000 +0000 
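Review bot: The new check `objectclass != current_structural_objectclass` compares `struct dsdb_class` pointers, which is only sound when both were resolved from the same `ac->schema` instance; `dsdb_get_last_structural_class(ac->schema, oc_el_entry)` visibly is, but the lookup that assigns `objectclass` inside the loop is outside the hunk, so either confirm it uses the same schema and note it (`/* both resolved from ac->schema, pointer compare is intentional */`) or compare `lDAPDisplayName` to remove the dependency. Second, an existing entry with no structural class in its objectClass list now fails every objectClass modify with OBJECT_CLASS_VIOLATION; that fails closed, which is right, but the commit message does not say whether such entries can exist in provisioned databases, and a sentence there would save the next person a bisect. objectclass_do_mod() starts and ends outside the hunk.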
@@ -0,0 +1,34 @@
+From 0cb4b939f192376bf5e33637863a91a20f74c5a5 Mon Sep 17 00:00:00 2001
+From: Luke Howard
+Date: Fri, 27 Aug 2021 11:42:48 +1000
+Subject: [PATCH] CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
+
+In tgs_build_reply(), validate the server name in the TGS-REQ is present before
+dereferencing.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
+
+[abartlet@samba.org backported from from Heimdal
+commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
+to an earlier patch by Joseph Sutton]
+
+RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
+
+Reviewed-by: Andreas Schneider
+---
+ source4/heimdal/kdc/krb5tgs.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -1597,6 +1597,10 @@ tgs_build_reply(krb5_context context,
+ 
+ s = &adtkt.cname;
+ r = adtkt.crealm;
++ } else if (s == NULL) {
++ ret = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
++ krb5_set_error_message(context, ret, "No server in request");
++ goto out;
+ }
+ 
+ _krb5_principalname2krb5_principal(context, &sp, *s, r);
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-1.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-1.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-1.patch 2022-11-09 14:42:14.000000000 +0000
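Review bot: The new `else if (s == NULL)` only executes when the preceding branch (which takes `s` from the additional ticket's cname) was not taken, which is the correct place for the check, but the reader has to reconstruct why a NULL `s` is reachable at all; a comment on the new branch keeps the intent durable: `/* sname is OPTIONAL in KDC-REQ-BODY (RFC 4120 5.4.1); without enc_tkt_in_skey we cannot proceed without it */`. The branch jumps to `out:` before `sp` has been built, so whatever cleanup `out:` performs must cope with locals that are still in their declared state; the declarations and the `out:` block are outside the hunk, so I cannot confirm that from here. tgs_build_reply() starts and ends outside the hunk.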
@@ -0,0 +1,25 @@
+From 592aca7ac48947ff264ff2f24980a22863c644fb Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Thu, 13 Jan 2022 16:48:01 +0100
+Subject: [PATCH 1/6] CVE-2021-44142: libadouble: add defines for icon lengths
+
+From https://www.ietf.org/rfc/rfc1740.txt
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+---
+ source3/modules/vfs_fruit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -279,6 +279,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC
+ #define ADEDLEN_MACFILEI 4
+ #define ADEDLEN_PRODOSFILEI 8
+ #define ADEDLEN_MSDOSFILEI 2
++#define ADEDLEN_ICONBW 128
++#define ADEDLEN_ICONCOL 1024
+ #define ADEDLEN_DID 4
+ #define ADEDLEN_PRIVDEV 8
+ #define ADEDLEN_PRIVINO 8
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-2.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-2.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-2.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,43 @@
+From 0c9e24ea2abb1882d74cf705dd4c692eb1705adb Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Sat, 20 Nov 2021 16:36:42 +0100
+Subject: [PATCH 2/6] CVE-2021-44142: smbd: add Netatalk xattr used by
+ vfs_fruit to the list of private Samba xattrs
+
+This is an internal xattr that should not be user visible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
+---
+ source3/smbd/trans2.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -176,6 +176,16 @@ void aapl_force_zero_file_id(struct smbd
+ Refuse to allow clients to overwrite our private xattrs.
+ ****************************************************************************/
+ 
++/*
++ * Taken from vfs_fruit.c
++ */
++#define NETATALK_META_XATTR "org.netatalk.Metadata"
++#if defined(HAVE_ATTROPEN)
++#define AFPINFO_EA_NETATALK NETATALK_META_XATTR
++#else
++#define AFPINFO_EA_NETATALK "user." NETATALK_META_XATTR
++#endif
++
+ bool samba_private_attr_name(const char *unix_ea_name)
+ {
+ static const char * const prohibited_ea_names[] = {
+@@ -183,6 +193,7 @@ bool samba_private_attr_name(const char
+ SAMBA_XATTR_DOS_ATTRIB,
+ SAMBA_XATTR_MARKER,
+ XATTR_NTACL_NAME,
++ AFPINFO_EA_NETATALK,
+ NULL
+ };
+ 
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-3.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-3.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-3.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-3.patch 2022-11-09 14:42:14.000000000 +0000
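Review bot: `NETATALK_META_XATTR` and `AFPINFO_EA_NETATALK` are now defined in two places — here and in vfs_fruit.c, as the `Taken from vfs_fruit.c` comment concedes — so a future rename of the xattr in the VFS module silently removes the protection in trans2.c; the definition belongs in a header both files include, with the `#if defined(HAVE_ATTROPEN)` variant kept in one place. I cannot see the rest of samba_private_attr_name(), so please confirm whether the name comparison is exact or case-insensitive and say so in a comment next to the new entry; Linux xattr names are case-sensitive, so an exact compare is the faithful choice and the comment should state which one is in effect. If vfs_fruit also stores data under a second Netatalk-named xattr when `fruit:resource = xattr` (I recall one for the resource fork), whether that name should be private too is a question for the vfs_fruit maintainers that this hunk does not answer.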
@@ -0,0 +1,64 @@
+From d9cfe712fed17e0f031e3955a04a712a12a31c26 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Fri, 26 Nov 2021 07:19:32 +0100
+Subject: [PATCH 3/6] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
+
+This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
+which is used for parsing ._ AppleDouble sidecar files, and the buffer
+ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
+buffer out-of-bounds access checks in ad_unpack_xattrs().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+---
+ source3/modules/vfs_fruit.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -675,14 +675,27 @@ static bool ad_pack(struct adouble *ad)
+ static bool ad_unpack_xattrs(struct adouble *ad)
+ {
+ struct ad_xattr_header *h = &ad->adx_header;
++ size_t bufsize = talloc_get_size(ad->ad_data);
+ const char *p = ad->ad_data;
+ uint32_t hoff;
+ uint32_t i;
+ 
++ if (ad->ad_type != ADOUBLE_RSRC) {
++ return false;
++ }
++
+ if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
+ return true;
+ }
+ 
++ /*
++ * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
++ * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
++ */
++ if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
++ return false;
++ }
++
+ /* 2 bytes padding */
+ hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
+ 
+@@ -930,11 +943,12 @@ static bool ad_unpack(struct adouble *ad
+ ad->ad_eid[eid].ade_len = len;
+ }
+ 
+- ok = ad_unpack_xattrs(ad);
+- if (!ok) {
+- return false;
++ if (ad->ad_type == ADOUBLE_RSRC) {
++ ok = ad_unpack_xattrs(ad);
++ if (!ok) {
++ return false;
++ }
+ }
+-
+ return true;
+ }
+ 
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-4.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-4.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-4.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-4.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,20 @@
+From d5f8a6f423f6bfba706d57459d78046920d61ce5 Mon Sep 17 00:00:00 2001
+From: Noel Power
+Date: Fri, 21 Jan 2022 14:52:53 +0000
+Subject: [PATCH 4/6] vfs_fruit: CVE-2021-44142 tweak buffer size check
+
+---
+ source3/modules/vfs_fruit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -692,7 +692,7 @@ static bool ad_unpack_xattrs(struct adou
+ * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
+ * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
+ */
+- if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
++ if (bufsize < AD_DATASZ_DOT_UND || bufsize > AD_XATTR_MAX_HDR_SIZE) {
+ return false;
+ }
+ 
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-5.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-5.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-5.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-5.patch 2022-11-09 14:42:14.000000000 +0000
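Review bot: The `bufsize != AD_XATTR_MAX_HDR_SIZE` guard sits after the `ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI` early return, which is the right order (a file with no extended header needs no size guarantee), but it only protects the parser if every later offset/length test is bounded by the buffer it certifies; `hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2` is computed from on-disk values immediately below and the checks on `hoff` are outside the hunk, so confirm they compare against `bufsize` (with exact equality, AD_XATTR_MAX_HDR_SIZE is equivalent). The `ad_type != ADOUBLE_RSRC` test at the top duplicates the new `if (ad->ad_type == ADOUBLE_RSRC)` around the call in ad_unpack(); that is fine as defence in depth, but say so: `/* defence in depth: ad_unpack() already filters on ad_type */`. talloc_get_size(NULL) yields 0, so a NULL ad_data fails closed here, which is worth one clause in the comment. ad_unpack_xattrs() continues past the hunk.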
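Review bot: Relaxing the guard to `bufsize < AD_DATASZ_DOT_UND || bufsize > AD_XATTR_MAX_HDR_SIZE` changes what the rest of ad_unpack_xattrs() may assume: under the exact upstream check a bounds test against the constant AD_XATTR_MAX_HDR_SIZE was equivalent to a test against the real allocation, under a range it is not, so a buffer of AD_DATASZ_DOT_UND bytes whose header offsets are validated only against AD_XATTR_MAX_HDR_SIZE would still be over-read. The later checks are not in this hunk, so please verify that every offset/length comparison in the function uses `bufsize`, and add a test to the new cmocka suite with a buffer of exactly AD_DATASZ_DOT_UND bytes and an extended-attribute header pointing past it. The unchanged comment above still claims the buffer "was allocated by ad_alloc() for an ADOUBLE_RSRC type", and the one-line commit message gives no rationale; the comment should state why this tree accepts a range (my guess is that 4.7's ad_alloc() sizes ADOUBLE_RSRC buffers differently from upstream, but the hunk does not show it), e.g. `/* 4.7 backport: ad_data for ADOUBLE_RSRC is between AD_DATASZ_DOT_UND and AD_XATTR_MAX_HDR_SIZE bytes; all bounds checks below use bufsize */`.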
@@ -0,0 +1,438 @@ +Backport of: + +From ed9a8dcdb970962d0e9afbd52672e4295f3e31c6 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Thu, 25 Nov 2021 15:04:03 +0100 +Subject: [PATCH 5/6] CVE-2021-44142: libadouble: add basic cmocka tests + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 + +Signed-off-by: Ralph Boehme +[slow@samba.org: conflict due to missing test in selftest/tests.py] +--- + selftest/knownfail.d/samba.unittests.adouble | 3 + + selftest/tests.py | 2 + + source3/lib/test_adouble.c | 386 +++++++++++++++++++ + source3/wscript_build | 5 + + 4 files changed, 396 insertions(+) + create mode 100644 selftest/knownfail.d/samba.unittests.adouble + create mode 100644 source3/lib/test_adouble.c + +--- /dev/null ++++ b/selftest/knownfail.d/samba.unittests.adouble +@@ -0,0 +1,3 @@ ++^samba.unittests.adouble.parse_abouble_finderinfo2\(none\) ++^samba.unittests.adouble.parse_abouble_finderinfo3\(none\) ++^samba.unittests.adouble.parse_abouble_date2\(none\) +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -163,3 +163,6 @@ plantestsuite("samba.unittests.smb1cli_s + [os.path.join(bindir(), "default/libcli/smb/test_smb1cli_session")]) + plantestsuite("samba.unittests.ntlm_check", "none", + [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) ++ ++plantestsuite("samba.unittests.adouble", "none", ++ [os.path.join(bindir(), "test_adouble")]) +--- /dev/null ++++ b/source3/lib/test_adouble.c +@@ -0,0 +1,386 @@ ++/* ++ * Unix SMB/CIFS implementation. ++ * ++ * Copyright (C) 2021 Ralph Boehme ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see . ++ */ ++ ++#include "vfs_fruit.c" ++#include ++ ++static int setup_talloc_context(void **state) ++{ ++ TALLOC_CTX *frame = talloc_stackframe(); ++ ++ *state = frame; ++ return 0; ++} ++ ++static int teardown_talloc_context(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ ++ TALLOC_FREE(frame); ++ return 0; ++} ++ ++/* ++ * Basic and sane buffer. ++ */ ++static uint8_t ad_basic[] = { ++ 0x00, 0x05, 0x16, 0x07, /* Magic */ ++ 0x00, 0x02, 0x00, 0x00, /* Version */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x02, /* Count */ ++ /* adentry 1: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x32, /* offset */ ++ 0x00, 0x00, 0x00, 0x20, /* length */ ++ /* adentry 2: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x52, /* offset */ ++ 0xff, 0xff, 0xff, 0x00, /* length */ ++ /* FinderInfo data: 32 bytes */ ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++}; ++ ++/* ++ * An empty FinderInfo entry. 
++ */ ++static uint8_t ad_finderinfo1[] = { ++ 0x00, 0x05, 0x16, 0x07, /* Magic */ ++ 0x00, 0x02, 0x00, 0x00, /* Version */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x02, /* Count */ ++ /* adentry 1: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */ ++ 0x00, 0x00, 0x00, 0x00, /* len: 0, so off+len don't exceed bufferlen */ ++ /* adentry 2: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x52, /* offset */ ++ 0xff, 0xff, 0xff, 0x00, /* length */ ++ /* FinderInfo data: 32 bytes */ ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++}; ++ ++/* ++ * A dangerous FinderInfo with correct length exceeding buffer by one byte. 
++ */ ++static uint8_t ad_finderinfo2[] = { ++ 0x00, 0x05, 0x16, 0x07, /* Magic */ ++ 0x00, 0x02, 0x00, 0x00, /* Version */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x02, /* Count */ ++ /* adentry 1: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */ ++ 0x00, 0x00, 0x00, 0x20, /* len: 32, so off+len exceeds bufferlen by 1 */ ++ /* adentry 2: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x52, /* offset */ ++ 0xff, 0xff, 0xff, 0x00, /* length */ ++ /* FinderInfo data: 32 bytes */ ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++}; ++ ++static uint8_t ad_finderinfo3[] = { ++ 0x00, 0x05, 0x16, 0x07, /* Magic */ ++ 0x00, 0x02, 0x00, 0x00, /* Version */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x02, /* Count */ ++ /* adentry 1: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x33, /* off: points at beginng of data + 1 */ ++ 0x00, 0x00, 0x00, 0x1f, /* len: 31, so off+len don't exceed buf */ ++ /* adentry 2: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x02, /* eid: Resourcefork */ ++ 0x00, 0x00, 0x00, 0x52, /* offset */ ++ 0xff, 0xff, 0xff, 0x00, /* length */ ++ /* FinderInfo data: 32 bytes */ ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++}; ++ ++/* ++ * A dangerous name entry. 
++ */ ++static uint8_t ad_name[] = { ++ 0x00, 0x05, 0x16, 0x07, /* Magic */ ++ 0x00, 0x02, 0x00, 0x00, /* Version */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x02, /* Count */ ++ /* adentry 1: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x32, /* offset */ ++ 0x00, 0x00, 0x00, 0x20, /* length */ ++ /* adentry 2: Name */ ++ 0x00, 0x00, 0x00, 0x03, /* eid: Name */ ++ 0x00, 0x00, 0x00, 0x52, /* off: points at end of buffer */ ++ 0x00, 0x00, 0x00, 0x01, /* len: 1, so off+len exceeds bufferlen */ ++ /* FinderInfo data: 32 bytes */ ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++}; ++ ++/* ++ * A empty ADEID_FILEDATESI entry. ++ */ ++static uint8_t ad_date1[] = { ++ 0x00, 0x05, 0x16, 0x07, /* Magic */ ++ 0x00, 0x02, 0x00, 0x00, /* Version */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x02, /* Count */ ++ /* adentry 1: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x32, /* offset */ ++ 0x00, 0x00, 0x00, 0x20, /* length */ ++ /* adentry 2: Dates */ ++ 0x00, 0x00, 0x00, 0x08, /* eid: dates */ ++ 0x00, 0x00, 0x00, 0x52, /* off: end of buffer */ ++ 0x00, 0x00, 0x00, 0x00, /* len: 0, empty entry, valid */ ++ /* FinderInfo data: 32 bytes */ ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++}; ++ ++/* ++ * A dangerous ADEID_FILEDATESI entry, invalid length. 
++ */ ++static uint8_t ad_date2[] = { ++ 0x00, 0x05, 0x16, 0x07, /* Magic */ ++ 0x00, 0x02, 0x00, 0x00, /* Version */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x00, 0x00, 0x00, /* Filler */ ++ 0x00, 0x02, /* Count */ ++ /* adentry 1: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x09, /* eid: FinderInfo */ ++ 0x00, 0x00, 0x00, 0x32, /* offset */ ++ 0x00, 0x00, 0x00, 0x20, /* length */ ++ /* adentry 2: Dates */ ++ 0x00, 0x00, 0x00, 0x08, /* eid: dates */ ++ 0x00, 0x00, 0x00, 0x43, /* off: FinderInfo buf but one byte short */ ++ 0x00, 0x00, 0x00, 0x0f, /* len: 15, so off+len don't exceed bufferlen */ ++ /* FinderInfo data: 32 bytes */ ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++}; ++ ++static struct adouble *parse_adouble(TALLOC_CTX *mem_ctx, ++ uint8_t *adbuf, ++ size_t adsize, ++ off_t filesize) ++{ ++ struct adouble *ad = NULL; ++ bool ok; ++ ++ ad = talloc_zero(mem_ctx, struct adouble); ++ ad->ad_data = talloc_zero_size(ad, adsize); ++ assert_non_null(ad); ++ ++ memcpy(ad->ad_data, adbuf, adsize); ++ ++ ok = ad_unpack(ad, 2, filesize); ++ if (!ok) { ++ return NULL; ++ } ++ ++ return ad; ++} ++ ++static void parse_abouble_basic(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ struct adouble *ad = NULL; ++ char *p = NULL; ++ ++ ad = parse_adouble(frame, ad_basic, sizeof(ad_basic), 0xffffff52); ++ assert_non_null(ad); ++ ++ p = ad_get_entry(ad, ADEID_FINDERI); ++ assert_non_null(p); ++ ++ return; ++} ++ ++static void parse_abouble_finderinfo1(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ struct adouble *ad = NULL; ++ char *p = NULL; ++ ++ ad = parse_adouble(frame, ++ ad_finderinfo1, ++ sizeof(ad_finderinfo1), ++ 0xffffff52); ++ assert_non_null(ad); ++ ++ p = ad_get_entry(ad, ADEID_FINDERI); ++ assert_null(p); 
++ ++ return; ++} ++ ++static void parse_abouble_finderinfo2(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ struct adouble *ad = NULL; ++ ++ ad = parse_adouble(frame, ++ ad_finderinfo2, ++ sizeof(ad_finderinfo2), ++ 0xffffff52); ++ assert_null(ad); ++ ++ return; ++} ++ ++static void parse_abouble_finderinfo3(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ struct adouble *ad = NULL; ++ ++ ad = parse_adouble(frame, ++ ad_finderinfo3, ++ sizeof(ad_finderinfo3), ++ 0xffffff52); ++ assert_null(ad); ++ ++ return; ++} ++ ++static void parse_abouble_name(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ struct adouble *ad = NULL; ++ ++ ad = parse_adouble(frame, ad_name, sizeof(ad_name), 0x52); ++ assert_null(ad); ++ ++ return; ++} ++ ++static void parse_abouble_date1(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ struct adouble *ad = NULL; ++ char *p = NULL; ++ ++ ad = parse_adouble(frame, ad_date1, sizeof(ad_date1), 0x52); ++ assert_non_null(ad); ++ ++ p = ad_get_entry(ad, ADEID_FILEDATESI); ++ assert_null(p); ++ ++ return; ++} ++ ++static void parse_abouble_date2(void **state) ++{ ++ TALLOC_CTX *frame = *state; ++ struct adouble *ad = NULL; ++ ++ ad = parse_adouble(frame, ad_date2, sizeof(ad_date2), 0x52); ++ assert_null(ad); ++ ++ return; ++} ++ ++int main(int argc, char *argv[]) ++{ ++ int rc; ++ const struct CMUnitTest tests[] = { ++ cmocka_unit_test(parse_abouble_basic), ++ cmocka_unit_test(parse_abouble_finderinfo1), ++ cmocka_unit_test(parse_abouble_finderinfo2), ++ cmocka_unit_test(parse_abouble_finderinfo3), ++ cmocka_unit_test(parse_abouble_name), ++ cmocka_unit_test(parse_abouble_date1), ++ cmocka_unit_test(parse_abouble_date2), ++ }; ++ ++ cmocka_set_message_output(CM_OUTPUT_SUBUNIT); ++ ++ rc = cmocka_run_group_tests(tests, ++ setup_talloc_context, ++ teardown_talloc_context); ++ ++ return rc; ++} +--- a/source3/wscript_build ++++ b/source3/wscript_build +@@ -1085,6 +1085,11 @@ bld.SAMBA3_SUBSYSTEM('SPOOLSSD', + ''') + + 
########################## BINARIES ################################# ++if bld.CONFIG_SET('HAVE_CMOCKA'): ++ bld.SAMBA3_BINARY('test_adouble', ++ source='lib/test_adouble.c', ++ deps='smbd_base STRING_REPLACE cmocka', ++ install=False) + + bld.SAMBA3_BINARY('smbd/smbd', + source='smbd/server.c smbd/smbd_cleanupd.c', diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-6.patch samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-6.patch --- samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-6.patch 1970-01-01 00:00:00.000000000 +0000 +++ samba-4.7.6+dfsg~ubuntu/debian/patches/CVE-2021-44142-6.patch 2022-11-09 14:42:14.000000000 +0000 
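Review bot: parse_adouble() in the new test_adouble.c dereferences `ad` in `ad->ad_data = talloc_zero_size(ad, adsize);` before the `assert_non_null(ad);` that is meant to guard it, and the ad_data allocation is never checked before the memcpy(); move `assert_non_null(ad);` directly after the `talloc_zero()` call and add `assert_non_null(ad->ad_data);` after the `talloc_zero_size()` call. Because talloc_zero() leaves `ad->ad_type` at zero and the preceding patch makes ad_unpack() enter ad_unpack_xattrs() only for ADOUBLE_RSRC, these fixtures presumably never reach the xattr parsing path — a comment in parse_adouble() saying so, or one fixture that sets ad_type, would make the coverage explicit. The helper's hard-coded second argument `2` to ad_unpack() also deserves a one-line comment naming what it is, since the meaning is not visible in this file.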
@@ -0,0 +1,168 @@
+From 6dd0f863108cab92e97de2e4d283cd07a3c07caf Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Thu, 13 Jan 2022 17:03:02 +0100
+Subject: [PATCH 6/6] CVE-2021-44142: libadouble: harden parsing code
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+---
+ selftest/knownfail.d/samba.unittests.adouble | 3 -
+ source3/modules/vfs_fruit.c | 116 ++++++++++++++++---
+ 2 files changed, 101 insertions(+), 18 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
+
+--- a/selftest/knownfail.d/samba.unittests.adouble
++++ /dev/null
+@@ -1,3 +0,0 @@
+-^samba.unittests.adouble.parse_abouble_finderinfo2\(none\)
+-^samba.unittests.adouble.parse_abouble_finderinfo3\(none\)
+-^samba.unittests.adouble.parse_abouble_date2\(none\)
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -488,6 +488,95 @@ static ssize_t afpinfo_pack(const AfpInf
+ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
+
+
++/*
++ * All entries besides FinderInfo and resource fork must fit into the
++ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
++ * if it contains marshalled xattrs, which we will fixup that in
++ * ad_convert(). The first 32 bytes however must also be part of the buffer.
++ *
++ * The resource fork is never accessed directly by the ad_data buf.
++ */
++static bool ad_entry_check_size(uint32_t eid,
++ size_t bufsize,
++ uint32_t off,
++ uint32_t got_len)
++{
++ struct {
++ off_t expected_len;
++ bool fixed_size;
++ bool minimum_size;
++ } ad_checks[] = {
++ [ADEID_DFORK] = {-1, false, false}, /* not applicable */
++ [ADEID_RFORK] = {-1, false, false}, /* no limit */
++ [ADEID_NAME] = {ADEDLEN_NAME, false, false},
++ [ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
++ [ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
++ [ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
++ [ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
++ [ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
++ [ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
++ [ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
++ [ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
++ [ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
++ [ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
++ [ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
++ [ADEID_DID] = {ADEDLEN_DID, true, false},
++ [ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
++ [ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
++ [ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
++ [ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
++ };
++
++ if (eid >= ADEID_MAX) {
++ return false;
++ }
++ if (got_len == 0) {
++ /* Entry present, but empty, allow */
++ return true;
++ }
++ if (ad_checks[eid].expected_len == 0) {
++ /*
++ * Shouldn't happen: implicitly initialized to zero because
++ * explicit initializer missing.
++ */
++ return false;
++ }
++ if (ad_checks[eid].expected_len == -1) {
++ /* Unused or no limit */
++ return true;
++ }
++ if (ad_checks[eid].fixed_size) {
++ if (ad_checks[eid].expected_len != got_len) {
++ /* Wrong size fo fixed size entry. */
++ return false;
++ }
++ } else {
++ if (ad_checks[eid].minimum_size) {
++ if (got_len < ad_checks[eid].expected_len) {
++ /*
++ * Too small for variable sized entry with
++ * minimum size.
++ */
++ return false;
++ }
++ } else {
++ if (got_len > ad_checks[eid].expected_len) {
++ /* Too big for variable sized entry. */
++ return false;
++ }
++ }
++ }
++ if (off + got_len < off) {
++ /* wrap around */
++ return false;
++ }
++ if (off + got_len > bufsize) {
++ /* overflow */
++ return false;
++ }
++ return true;
++}
++
+ /**
+ * Return a pointer to an AppleDouble entry
+ *
+@@ -495,8 +584,15 @@ static AfpInfo *afpinfo_unpack(TALLOC_CT
+ **/
+ static char *ad_get_entry(const struct adouble *ad, int eid)
+ {
++ size_t bufsize = talloc_get_size(ad->ad_data);
+ off_t off = ad_getentryoff(ad, eid);
+ size_t len = ad_getentrylen(ad, eid);
++ bool valid;
++
++ valid = ad_entry_check_size(eid, bufsize, off, len);
++ if (!valid) {
++ return NULL;
++ }
+
+ if (off == 0 || len == 0) {
+ return NULL;
+@@ -560,7 +656,6 @@ static int ad_setdate(struct adouble *ad
+ return 0;
+ }
+
+-
+ /**
+ * Map on-disk AppleDouble id to enumerated id
+ **/
+@@ -880,20 +975,11 @@ static bool ad_unpack(struct adouble *ad
+ return false;
+ }
+
+- /*
+- * All entries besides FinderInfo and resource fork
+- * must fit into the buffer. FinderInfo is special as
+- * it may be larger then the default 32 bytes (if it
+- * contains marshalled xattrs), but we will fixup that
+- * in ad_convert(). And the resource fork is never
+- * accessed directly by the ad_data buf (also see
+- * comment above) anyway.
+- */
+- if ((eid != ADEID_RFORK) &&
+- (eid != ADEID_FINDERI) &&
+- ((off + len) > bufsize)) {
+- DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
+- eid, off, len));
++ ok = ad_entry_check_size(eid, bufsize, off, len);
++ if (!ok) {
++ DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
++ "off [%"PRIu32"] len [%"PRIu32"]\n",
++ eid, bufsize, off, len);
+ return false;
+ }
+
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/series samba-4.7.6+dfsg~ubuntu/debian/patches/series
--- samba-4.7.6+dfsg~ubuntu/debian/patches/series 2021-11-10 14:29:48.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/series 2022-11-09 14:42:14.000000000 +0000
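Review bot: `ad_checks[]` in the new ad_entry_check_size() is an automatic array with designated initialisers, so it is rebuilt on every call — and the function now runs once per entry from ad_unpack() and again from ad_get_entry() — although nothing in the function writes to it; declare it `static const struct { ... } ad_checks[] = {` so it is initialised once and the compiler can reject accidental writes. The comment `/* Wrong size fo fixed size entry. */` should read `for`. The wrap check `off + got_len < off` is sound because both parameters are uint32_t, but ad_get_entry() passes an `off_t off` and a `size_t len` that are narrowed at the call; the values presumably come from 32-bit on-disk fields, so a one-line comment at that call noting the narrowing is intentional would save the next reader the trace. ad_get_entry() and ad_unpack() continue outside their hunks.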
@@ -126,3 +126,49 @@
 CVE-2020-14383-2.patch
 CVE-2020-14383-3.patch
 CVE-2021-20254.patch
+CVE-2016-2124-1.patch
+CVE-2016-2124-2.patch
+CVE-2020-25717-01.patch
+CVE-2020-25717-02.patch
+CVE-2020-25717-03.patch
+CVE-2020-25717-04.patch
+CVE-2020-25717-05.patch
+CVE-2020-25717-06.patch
+CVE-2020-25717-07.patch
+CVE-2020-25717-08.patch
+CVE-2020-25717-09.patch
+CVE-2020-25717-10.patch
+CVE-2020-25717-11.patch
+CVE-2020-25717-12.patch
+CVE-2020-25717-13.patch
+CVE-2020-25717-14.patch
+CVE-2020-25717-15.patch
+CVE-2020-25717-16.patch
+CVE-2020-25717-17.patch
+CVE-2020-25717-18.patch
+CVE-2020-25717-19.patch
+CVE-2020-25717-20.patch
+CVE-2020-25717-21.patch
+CVE-2020-25717-22.patch
+CVE-2020-25717-23.patch
+CVE-2020-25717-24.patch
+CVE-2020-25717-25.patch
+CVE-2020-25717-26.patch
+CVE-2020-25717-27.patch
+CVE-2020-25717-28.patch
+CVE-2020-25717-29.patch
+CVE-2020-25717-30.patch
+CVE-2020-25722-1.patch
+CVE-2020-25722-2.patch
+CVE-2021-3671.patch
+bug14901-1.patch
+bug14901-2.patch
+bug14901-3.patch
+bug14922.patch
+CVE-2021-44142-1.patch
+CVE-2021-44142-2.patch
+CVE-2021-44142-3.patch
+CVE-2021-44142-4.patch
+CVE-2021-44142-5.patch
+CVE-2021-44142-6.patch
+win-22H2-fix.patch
diff -Nru samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch
--- samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch 1970-01-01 00:00:00.000000000 +0000
+++ samba-4.7.6+dfsg~ubuntu/debian/patches/win-22H2-fix.patch 2022-11-09 14:42:14.000000000 +0000
@@ -0,0 +1,138 @@
+From 56c949d2764b69050bc441bec68008f4a046f1d3 Mon Sep 17 00:00:00 2001
+From: Luke Howard
+Date: Thu, 20 Oct 2022 13:27:31 +1300
+Subject: [PATCH 3/3] kdc: avoid re-encoding KDC-REQ-BODY
+
+Use --preserve-binary=KDC-REQ-BODY option to ASN.1 compiler to avoid
+re-encoding KDC-REQ-BODYs for verification in GSS preauth, TGS and PKINIT.
+
+[abartlet@samba.org adapted from Heimdal commit
+ ebfd48e40a1b61bf5a6b8d00fe5c581e24652b6e
+ by removing references to FAST and GSS-pre-auth.
+
+ This fixes the Windows 11 22H2 issue with TGS-REQ
+ as seen at https://github.com/heimdal/heimdal/issues/1011 and so
+ removes the knownfail file for this test]
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
+
+Signed-off-by: Andrew Bartlett
+
+Ubuntu backport note: removed diff for files that do not exist in this version
+
+Origin: backport, https://bugzilla.samba.org/attachment.cgi?id=17596
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1993934
+Last-Update: 2022-11-09
+---
+ selftest/knownfail.d/windows11-22h2 | 2 --
+ source4/heimdal/kdc/krb5tgs.c | 24 ++----------------------
+ source4/heimdal/kdc/pkinit.c | 16 ++--------------
+ source4/heimdal/lib/asn1/krb5.opt | 1 +
+ 4 files changed, 5 insertions(+), 38 deletions(-)
+ delete mode 100644 selftest/knownfail.d/windows11-22h2
+
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 13996f96b4a..f1393fa87a1 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -780,9 +780,6 @@ tgs_check_authenticator(krb5_context context,
+ krb5_keyblock *key)
+ {
+ krb5_authenticator auth;
+- size_t len = 0;
+- unsigned char *buf;
+- size_t buf_size;
+ krb5_error_code ret;
+ krb5_crypto crypto;
+
+@@ -808,25 +805,9 @@ tgs_check_authenticator(krb5_context context,
+ goto out;
+ }
+
+- /* XXX should not re-encode this */
+- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, b, &len, ret);
+- if(ret){
+- const char *msg = krb5_get_error_message(context, ret);
+- kdc_log(context, config, 0, "Failed to encode KDC-REQ-BODY: %s", msg);
+- krb5_free_error_message(context, msg);
+- goto out;
+- }
+- if(buf_size != len) {
+- free(buf);
+- kdc_log(context, config, 0, "Internal error in ASN.1 encoder");
+- *e_text = "KDC internal error";
+- ret = KRB5KRB_ERR_GENERIC;
+- goto out;
+- }
+ ret = krb5_crypto_init(context, key, 0, &crypto);
+ if (ret) {
+ const char *msg = krb5_get_error_message(context, ret);
+- free(buf);
+ kdc_log(context, config, 0, "krb5_crypto_init failed: %s", msg);
+ krb5_free_error_message(context, msg);
+ goto out;
+@@ -834,10 +815,9 @@ tgs_check_authenticator(krb5_context context,
+ ret = krb5_verify_checksum(context,
+ crypto,
+ KRB5_KU_TGS_REQ_AUTH_CKSUM,
+- buf,
+- len,
++ b->_save.data,
++ b->_save.length,
+ auth->cksum);
+- free(buf);
+ krb5_crypto_destroy(context, crypto);
+ if(ret){
+ const char *msg = krb5_get_error_message(context, ret);
+diff --git a/source4/heimdal/kdc/pkinit.c b/source4/heimdal/kdc/pkinit.c
+index ad7f3efc10a..64ea4c00e41 100644
+--- a/source4/heimdal/kdc/pkinit.c
++++ b/source4/heimdal/kdc/pkinit.c
+@@ -113,10 +113,7 @@ pk_check_pkauthenticator(krb5_context context,
+ PKAuthenticator *a,
+ const KDC_REQ *req)
+ {
+- u_char *buf = NULL;
+- size_t buf_size;
+ krb5_error_code ret;
+- size_t len = 0;
+ krb5_timestamp now;
+ Checksum checksum;
+
+@@ -128,22 +125,13 @@ pk_check_pkauthenticator(krb5_context context,
+ return KRB5KRB_AP_ERR_SKEW;
+ }
+
+- ASN1_MALLOC_ENCODE(KDC_REQ_BODY, buf, buf_size, &req->req_body, &len, ret);
+- if (ret) {
+- krb5_clear_error_message(context);
+- return ret;
+- }
+- if (buf_size != len)
+- krb5_abortx(context, "Internal error in ASN.1 encoder");
+-
+ ret = krb5_create_checksum(context,
+ NULL,
+ 0,
+ CKSUMTYPE_SHA1,
+- buf,
+- len,
++ req->req_body._save.data,
++ req->req_body._save.length,
+ &checksum);
+- free(buf);
+ if (ret) {
+ krb5_clear_error_message(context);
+ return ret;
+diff --git a/source4/heimdal/lib/asn1/krb5.opt b/source4/heimdal/lib/asn1/krb5.opt
+index 1d6d5e8989f..5acc596d39c 100644
+--- a/source4/heimdal/lib/asn1/krb5.opt
++++ b/source4/heimdal/lib/asn1/krb5.opt
+@@ -4,3 +4,4 @@
+ --sequence=METHOD-DATA
+ --sequence=ETYPE-INFO
+ --sequence=ETYPE-INFO2
++--preserve-binary=KDC-REQ-BODY
+--
+2.25.1
+
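Review bot: The patch header disagrees with its body: the diffstat lists `selftest/knownfail.d/windows11-22h2 | 2 --`, `delete mode 100644 selftest/knownfail.d/windows11-22h2` and `4 files changed, 5 insertions(+), 38 deletions(-)`, yet only krb5tgs.c, pkinit.c and krb5.opt follow; the Ubuntu backport note explains why the file was dropped, so the diffstat should be trimmed to the three files actually carried. In tgs_check_authenticator() and pk_check_pkauthenticator() the checksum is now computed over `_save.data`/`_save.length`, which presumably is populated only when the KDC-REQ-BODY was decoded by code generated with the new `--preserve-binary=KDC-REQ-BODY` option in krb5.opt; a comment at each call, e.g. `/* checksum covers the request bytes exactly as received, not a re-encoding */`, would record why ASN1_MALLOC_ENCODE was removed and that the generated ASN.1 code must be rebuilt for `_save` to exist. Both functions continue outside their hunks.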