The branch, v4-16-test has been updated
via c2095819c31 VERSION: Bump version up to Samba 4.16.7...
via a9011093133 Merge tag 'samba-4.16.6' into v4-16-test
via dc74e56c03d VERSION: Disable GIT_SNAPSHOT for the 4.16.6 release.
via 620698353ba WHATSNEW: Add release notes for Samba 4.16.6.
via 5c31d5beb3b CVE-2022-3437 third_party/heimdal: Pass correct length
to _gssapi_verify_pad()
via 22dd9072c9f CVE-2022-3437 third_party/heimdal: Check for overflow
in _gsskrb5_get_mech()
via d16ac1f4057 CVE-2022-3437 third_party/heimdal: Check buffer length
against overflow for DES{,3} unwrap
via de77f015987 CVE-2022-3437 third_party/heimdal: Check the result of
_gsskrb5_get_mech()
via e1c2e2836ef CVE-2022-3437 third_party/heimdal: Avoid undefined
behaviour in _gssapi_verify_pad()
via c944773adc4 CVE-2022-3437 third_party/heimdal: Don't pass NULL
pointers to memcpy() in DES unwrap
via 9ca9408c5ed CVE-2022-3437 third_party/heimdal: Use constant-time
memcmp() in unwrap_des3()
via e3c314ed69f CVE-2022-3437 third_party/heimdal: Use constant-time
memcmp() for arcfour unwrap
via 03eefa45d38 CVE-2022-3437 s4/auth/tests: Add unit tests for
unwrap_des3()
via c5dd87f4888 CVE-2022-3437 third_party/heimdal_build: Add
gssapi-subsystem subsystem
via 0eaa68d1935 CVE-2022-3437 third_party/heimdal: Remove __func__
compatibility workaround
from c28d971b12b s4:messaging: let imessaging_client_init() use
imessaging_init_discard_incoming()
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test
- Log -----------------------------------------------------------------
commit c2095819c31ca66fa8a0936cca79ff1e7973966b
Author: Jule Anger <jan...@samba.org>
Date: Tue Oct 25 11:56:55 2022 +0200
VERSION: Bump version up to Samba 4.16.7...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <jan...@samba.org>
commit a90110931331ff532d9a7034e258f1c959b6c57d
Merge: c28d971b12b dc74e56c03d
Author: Jule Anger <jan...@samba.org>
Date: Tue Oct 25 11:55:25 2022 +0200
Merge tag 'samba-4.16.6' into v4-16-test
samba: tag release samba-4.16.6
Signed-off-by: Jule Anger <jan...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 46 +-
selftest/tests.py | 5 +
source4/auth/tests/heimdal_unwrap_des.c | 1244 +++++++++++++++++++++
source4/auth/wscript_build | 21 +
third_party/heimdal/lib/gssapi/krb5/arcfour.c | 14 +-
third_party/heimdal/lib/gssapi/krb5/decapsulate.c | 12 +-
third_party/heimdal/lib/gssapi/krb5/unwrap.c | 34 +-
third_party/heimdal/lib/krb5/krb5_locl.h | 4 -
third_party/heimdal_build/wscript_build | 18 +-
10 files changed, 1368 insertions(+), 32 deletions(-)
create mode 100644 source4/auth/tests/heimdal_unwrap_des.c
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index f76d2919c7a..cce829b6414 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=16
-SAMBA_VERSION_RELEASE=6
+SAMBA_VERSION_RELEASE=7
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 08bb7086b27..fc386e8fb05 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,46 @@
+ ==============================
+ Release Notes for Samba 4.16.6
+ October 25, 2022
+ ==============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2022-3437: There is a limited write heap buffer overflow in the GSSAPI
+ unwrap_des() and unwrap_des3() routines of Heimdal (included
+ in Samba).
+ https://www.samba.org/samba/security/CVE-2022-3437.html
+
+Changes since 4.16.5
+---------------------
+
+o Joseph Sutton <josephsut...@catalyst.net.nz>
+ * BUG 15134: CVE-2022-3437.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.16.5
September 07, 2022
@@ -60,8 +103,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.16.4
July 27, 2022
diff --git a/selftest/tests.py b/selftest/tests.py
index 06517f6cfba..4afb0a50ba9 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -47,6 +47,8 @@ with_pam = ("WITH_PAM" in config_hash)
with_elasticsearch_backend = ("HAVE_SPOTLIGHT_BACKEND_ES" in config_hash)
pam_wrapper_so_path = config_hash.get("LIBPAM_WRAPPER_SO_PATH")
pam_set_items_so_path = config_hash.get("PAM_SET_ITEMS_SO_PATH")
+have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash
+using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash
planpythontestsuite("none", "samba.tests.source")
planpythontestsuite("none", "samba.tests.source_chars")
@@ -434,6 +436,9 @@ plantestsuite("samba.unittests.test_oLschema2ldif", "none",
[os.path.join(bindir(),
"default/source4/utils/oLschema2ldif/test_oLschema2ldif")])
plantestsuite("samba.unittests.auth.sam", "none",
[os.path.join(bindir(), "test_auth_sam")])
+if have_heimdal_support and not using_system_gssapi:
+ plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none",
+ [valgrindify(os.path.join(bindir(),
"test_heimdal_gensec_unwrap_des"))])
if with_elasticsearch_backend:
plantestsuite("samba.unittests.mdsparser_es", "none",
[os.path.join(bindir(),
"default/source3/test_mdsparser_es")] + [configuration])
diff --git a/source4/auth/tests/heimdal_unwrap_des.c
b/source4/auth/tests/heimdal_unwrap_des.c
new file mode 100644
index 00000000000..fbfe7782e7e
--- /dev/null
+++ b/source4/auth/tests/heimdal_unwrap_des.c
@@ -0,0 +1,1244 @@
+/*
+ * Unit tests for third_party/heimdal/lib/gssapi/krb5/unwrap.c
+ *
+ * Copyright (C) Catalyst.NET Ltd 2022
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ *
+ */
+
+#include <stdarg.h>
+#include <stddef.h>
+#include <setjmp.h>
+
+#include <cmocka.h>
+
+#include "includes.h"
+#include "replace.h"
+
+#include "../../../third_party/heimdal/lib/gssapi/gssapi/gssapi.h"
+#include "gsskrb5_locl.h"
+
+/******************************************************************************
+ * Helper functions
+
******************************************************************************/
+
+const uint8_t *valid_range_begin;
+const uint8_t *valid_range_end;
+const uint8_t *invalid_range_end;
+
+/*
+ * 'array_len' is the size of the passed in array. 'buffer_len' is the size to
+ * report in the resulting buffer.
+ */
+static const gss_buffer_desc get_input_buffer(TALLOC_CTX *mem_ctx,
+ const uint8_t array[],
+ const size_t array_len,
+ const size_t buffer_len)
+{
+ gss_buffer_desc buf;
+
+ /* Add some padding to catch invalid memory accesses. */
+ const size_t padding = 0x100;
+ const size_t padded_len = array_len + padding;
+
+ uint8_t *data = talloc_size(mem_ctx, padded_len);
+ assert_non_null(data);
+
+ memcpy(data, array, array_len);
+ memset(data + array_len, 0, padding);
+
+ assert_in_range(buffer_len, 0, array_len);
+
+ buf.value = data;
+ buf.length = buffer_len;
+
+ valid_range_begin = buf.value;
+ valid_range_end = valid_range_begin + buf.length;
+ invalid_range_end = valid_range_begin + padded_len;
+
+ return buf;
+}
+
+static void assert_mem_in_valid_range(const uint8_t *ptr, const size_t len)
+{
+ /* Ensure we've set up the range pointers properly. */
+ assert_non_null(valid_range_begin);
+ assert_non_null(valid_range_end);
+ assert_non_null(invalid_range_end);
+
+ /*
+ * Ensure the length isn't excessively large (a symptom of integer
+ * underflow).
+ */
+ assert_in_range(len, 0, 0x1000);
+
+ /* Ensure the memory is in our valid range. */
+ assert_in_range(ptr, valid_range_begin, valid_range_end);
+ assert_in_range(ptr + len, valid_range_begin, valid_range_end);
+}
+
+/*
+ * This function takes a pointer to volatile to allow it to be called from the
+ * ct_memcmp() wrapper.
+ */
+static void assert_mem_outside_invalid_range(const volatile uint8_t *ptr,
+ const size_t len)
+{
+ const LargestIntegralType _valid_range_end
+ = cast_ptr_to_largest_integral_type(valid_range_end);
+ const LargestIntegralType _invalid_range_end
+ = cast_ptr_to_largest_integral_type(invalid_range_end);
+ const LargestIntegralType _ptr = cast_ptr_to_largest_integral_type(ptr);
+ const LargestIntegralType _len = cast_to_largest_integral_type(len);
+
+ /* Ensure we've set up the range pointers properly. */
+ assert_non_null(valid_range_begin);
+ assert_non_null(valid_range_end);
+ assert_non_null(invalid_range_end);
+
+ /*
+ * Ensure the length isn't excessively large (a symptom of integer
+ * underflow).
+ */
+ assert_in_range(len, 0, 0x1000);
+
+ /* Ensure the memory is outside the invalid range. */
+ if (_ptr < _invalid_range_end && _ptr + _len > _valid_range_end) {
+ fail();
+ }
+}
+
+/*****************************************************************************
+ * wrapped functions
+ *****************************************************************************/
+
+krb5_keyblock dummy_key;
+
+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
+ krb5_auth_context
auth_context,
+ krb5_keyblock **keyblock);
+krb5_error_code __wrap_krb5_auth_con_getlocalsubkey(krb5_context context,
+ krb5_auth_context
auth_context,
+ krb5_keyblock **keyblock)
+{
+ *keyblock = &dummy_key;
+ return 0;
+}
+
+void __wrap_krb5_free_keyblock(krb5_context context,
+ krb5_keyblock *keyblock);
+void __wrap_krb5_free_keyblock(krb5_context context,
+ krb5_keyblock *keyblock)
+{
+ assert_ptr_equal(&dummy_key, keyblock);
+}
+
+struct krb5_crypto_data dummy_crypto;
+
+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_enctype etype,
+ krb5_crypto *crypto);
+krb5_error_code __wrap_krb5_crypto_init(krb5_context context,
+ const krb5_keyblock *key,
+ krb5_enctype etype,
+ krb5_crypto *crypto)
+{
+ static const LargestIntegralType etypes[] = {ETYPE_DES3_CBC_NONE, 0};
+
+ assert_ptr_equal(&dummy_key, key);
+ assert_in_set(etype, etypes, ARRAY_SIZE(etypes));
+
+ *crypto = &dummy_crypto;
+
+ return 0;
+}
+
+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_data *result);
+krb5_error_code __wrap_krb5_decrypt(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_data *result)
+{
+ assert_ptr_equal(&dummy_crypto, crypto);
+ assert_int_equal(KRB5_KU_USAGE_SEAL, usage);
+
+ assert_mem_in_valid_range(data, len);
+
+ check_expected(len);
+ check_expected_ptr(data);
+
+ result->data = malloc(len);
+ assert_non_null(result->data);
+ result->length = len;
+
+ memcpy(result->data, data, len);
+
+ return 0;
+}
+
+krb5_error_code __wrap_krb5_decrypt_ivec(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_data *result,
+ void *ivec);
+krb5_error_code __wrap_krb5_decrypt_ivec(krb5_context context,
+ krb5_crypto crypto,
+ unsigned usage,
+ void *data,
+ size_t len,
+ krb5_data *result,
+ void *ivec)
+{
+ assert_ptr_equal(&dummy_crypto, crypto);
+ assert_int_equal(KRB5_KU_USAGE_SEQ, usage);
+
+ assert_mem_in_valid_range(data, len);
+
+ assert_int_equal(8, len);
+ check_expected_ptr(data);
+ check_expected_ptr(ivec);
+
+ result->data = malloc(len);
+ assert_non_null(result->data);
+ result->length = len;
+
+ memcpy(result->data, data, len);
+
+ return 0;
+}
+
+krb5_error_code __wrap_krb5_verify_checksum(krb5_context context,
+ krb5_crypto crypto,
+ krb5_key_usage usage,
+ void *data,
+ size_t len,
+ Checksum *cksum);
+krb5_error_code __wrap_krb5_verify_checksum(krb5_context context,
+ krb5_crypto crypto,
+ krb5_key_usage usage,
+ void *data,
+ size_t len,
+ Checksum *cksum)
+{
+ assert_ptr_equal(&dummy_crypto, crypto);
+ assert_int_equal(KRB5_KU_USAGE_SIGN, usage);
+
+ assert_mem_in_valid_range(data, len);
+
+ check_expected(len);
+ check_expected_ptr(data);
+
+ assert_non_null(cksum);
+ assert_int_equal(CKSUMTYPE_HMAC_SHA1_DES3, cksum->cksumtype);
+ assert_int_equal(20, cksum->checksum.length);
+ check_expected_ptr(cksum->checksum.data);
+
+ return 0;
+}
+
+krb5_error_code __wrap_krb5_crypto_destroy(krb5_context context,
+ krb5_crypto crypto);
+krb5_error_code __wrap_krb5_crypto_destroy(krb5_context context,
+ krb5_crypto crypto)
+{
+ assert_ptr_equal(&dummy_crypto, crypto);
+
+ return 0;
+}
+
+
+int __wrap_der_get_length(const unsigned char *p,
+ size_t len,
+ size_t *val,
+ size_t *size);
+int __real_der_get_length(const unsigned char *p,
+ size_t len,
+ size_t *val,
+ size_t *size);
+int __wrap_der_get_length(const unsigned char *p,
+ size_t len,
+ size_t *val,
+ size_t *size)
+{
+ assert_mem_in_valid_range(p, len);
+
+ return __real_der_get_length(p, len, val, size);
+}
+
+int __wrap_ct_memcmp(const volatile void * volatile p1,
+ const volatile void * volatile p2,
+ size_t len);
+int __real_ct_memcmp(const volatile void * volatile p1,
+ const volatile void * volatile p2,
+ size_t len);
+int __wrap_ct_memcmp(const volatile void * volatile p1,
+ const volatile void * volatile p2,
+ size_t len)
+{
+ assert_mem_outside_invalid_range(p1, len);
+ assert_mem_outside_invalid_range(p2, len);
+
+ return __real_ct_memcmp(p1, p2, len);
+}
+
+void *__wrap_malloc(size_t size);
+void *__real_malloc(size_t size);
+void *__wrap_malloc(size_t size)
+{
+ /*
+ * Ensure the length isn't excessively large (a symptom of integer
+ * underflow).
+ */
+ assert_in_range(size, 0, 0x10000);
+
+ return __real_malloc(size);
+}
+
+/*****************************************************************************
+ * Mock implementations
+ *****************************************************************************/
+
+/*
+ * Set the globals used by the mocked functions to a known and consistent state
+ *
+ */
+static void init_mock_results(TALLOC_CTX *mem_ctx)
+{
+ dummy_key.keytype = KRB5_ENCTYPE_DES3_CBC_MD5;
+ dummy_key.keyvalue.data = NULL;
+ dummy_key.keyvalue.length = 0;
+
+ dummy_crypto = (struct krb5_crypto_data) {0};
+
+ valid_range_begin = NULL;
+ valid_range_end = NULL;
+ invalid_range_end = NULL;
+}
+
+/*****************************************************************************
+ * Unit test set up and tear down
+ *****************************************************************************/
+
+struct context {
+ gss_ctx_id_t context_handle;
+};
+
+static int setup(void **state) {
+ struct context *ctx = NULL;
+ krb5_context context = NULL;
+ OM_uint32 major_status;
+ OM_uint32 minor_status;
+ krb5_error_code code;
+
+ ctx = talloc_zero(NULL, struct context);
+ assert_non_null(ctx);
+
+ init_mock_results(ctx);
+
+ code = _gsskrb5_init(&context);
+ assert_int_equal(0, code);
+
+ major_status = _gsskrb5_create_ctx(&minor_status,
+ &ctx->context_handle,
+ context,
+ GSS_C_NO_CHANNEL_BINDINGS,
+ ACCEPTOR_START);
+ assert_int_equal(GSS_S_COMPLETE, major_status);
+
+ *state = ctx;
+ return 0;
+}
+
+static int teardown(void **state) {
+ struct context *ctx = *state;
+ OM_uint32 major_status;
+ OM_uint32 minor_status;
+
+ major_status = _gsskrb5_delete_sec_context(&minor_status,
+ &ctx->context_handle,
+ GSS_C_NO_BUFFER);
+ assert_int_equal(GSS_S_COMPLETE, major_status);
--
Samba Shared Repository
