The branch, v4-18-stable has been updated
via 50a9b496556 VERSION: Disable GIT_SNAPSHOT for the 4.18.5 release.
via bd5d7de1da4 WHATSNEW: Add release notes for Samba 4.18.5.
via be141a1c14b s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for
invalid netr_LogonGetCapabilities levels
via 7818b00d13d s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for
invalid netr_LogonGetCapabilities levels
via 30c3fa71a17 s4:torture/rpc: let rpc.schannel also check
netr_LogonGetCapabilities with different levels
via 0d7376cac69 netlogon.idl: add support for netr_LogonGetCapabilities
response level 2
via 0815d401937 CVE-2023-3347: smbd: fix "server signing = mandatory"
via 24157fb3be5 CVE-2023-3347: smbd: remove comment in
smbd_smb2_request_process_negprot()
via 6be7bd40f0a CVE-2023-3347: smbd: inline smb2_srv_init_signing()
code in srv_init_signing()
via 5f39da85276 CVE-2023-3347: smbd: pass lp_ctx to
smb[1|2]_srv_init_signing()
via 69cbb0414a3 CVE-2023-3347: CI: add a test for server-side mandatory
signing
via 7a4ed01ea6c CVE-2023-34968: mdssvc: return a fake share path
via a84244705de CVE-2023-34968: mdscli: return share relative paths
via fdae8c00a6e CVE-2023-34968: mdssvc: introduce an allocating wrapper
to sl_pack()
via beeac1e0925 CVE-2023-34968: mdssvc: switch to doing an early return
via e58d0339305 CVE-2023-34968: mdssvc: remove response blob allocation
via de611ccaa89 CVE-2023-34968: rpcclient: remove response blob
allocation
via 783dbdd2530 CVE-2023-34968: smbtorture: remove response blob
allocation in mdssvc.c
via a6e05b4bccb CVE-2023-34968: mdscli: remove response blob allocation
via 921a9925909 CVE-2023-34968: mdscli: use correct TALLOC memory
context when allocating spotlight_blob
via a75be03b23c CVE-2023-34968: mdssvc: add missing
"kMDSStoreMetaScopes" dict key in slrpc_fetch_properties()
via 3815bb8a70c CVE-2023-34968: mdssvc: cache and reuse stat info in
struct sl_inode_path_map
via f4aa2147125 CVE-2023-34967: mdssvc: add type checking to
dalloc_value_for_key()
via 4cb78124227 CVE-2023-34967: CI: add a test for type checking of
dalloc_value_for_key()
via 207489b6b92 CVE-2023-34966: mdssvc: harden sl_unpack_loop()
via 1a208f258aa CVE-2023-34966: CI: test for sl_unpack_loop()
via b09567397c2 CVE-2022-2127: ntlm_auth: cap lanman response length
value
via 19dcb036cb8 CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP
length checks
via f2c18045a57 VERSION: Bump version up to Samba 4.18.5...
from 273696dc5d4 VERSION: Disable GIT_SNAPSHOT for the 4.18.4 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-stable
- Log -----------------------------------------------------------------
commit 50a9b496556c08a451d8f18707fa709de69942ec
Author: Jule Anger <jan...@samba.org>
Date: Mon Jul 17 22:07:02 2023 +0200
VERSION: Disable GIT_SNAPSHOT for the 4.18.5 release.
Signed-off-by: Jule Anger <jan...@samba.org>
commit bd5d7de1da4ea60ecd12890a2cda30e341d3f7c8
Author: Jule Anger <jan...@samba.org>
Date: Mon Jul 17 22:06:31 2023 +0200
WHATSNEW: Add release notes for Samba 4.18.5.
Signed-off-by: Jule Anger <jan...@samba.org>
commit be141a1c14b41c55e47db4b7265890afec2c0c09
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 16:11:48 2023 +0200
s3:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid
netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Mon Jul 17 07:35:09 UTC 2023 on atb-devel-224
(cherry picked from commit dfeabce44fbb78083fbbb2aa634fc4172cf83db9)
commit 7818b00d13df1816363d513e9d5ecc7147b53792
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 16:11:48 2023 +0200
s4:rpc_server:netlogon: generate FAULT_INVALID_TAG for invalid
netr_LogonGetCapabilities levels
This is important as Windows clients with KB5028166 seem to
call netr_LogonGetCapabilities with query_level=2 after
a call with query_level=1.
An unpatched Windows Server returns DCERPC_NCA_S_FAULT_INVALID_TAG
for query_level values other than 1.
While Samba tries to return NT_STATUS_NOT_SUPPORTED, but
later fails to marshall the response, which results
in DCERPC_FAULT_BAD_STUB_DATA instead.
Because we don't have any documentation for level 2 yet,
we just try to behave like an unpatched server and
generate DCERPC_NCA_S_FAULT_INVALID_TAG instead of
DCERPC_FAULT_BAD_STUB_DATA.
Which allows patched Windows clients to keep working
against a Samba DC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit d5f1097b6220676d56ed5fc6707acf667b704518)
commit 30c3fa71a17ce2ef3fde4325d4fc24556c3023e5
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 17:25:05 2023 +0200
s4:torture/rpc: let rpc.schannel also check netr_LogonGetCapabilities with
different levels
The important change it that we expect DCERPC_NCA_S_FAULT_INVALID_TAG
for unsupported query_levels, we allow it to work with servers
with or without support for query_level=2.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit 404ce08e9088968311c714e756f5d58ce2cef715)
commit 0d7376cac6921e07a2c0722c64ec467c48ef1166
Author: Stefan Metzmacher <me...@samba.org>
Date: Sat Jul 15 17:20:32 2023 +0200
netlogon.idl: add support for netr_LogonGetCapabilities response level 2
We don't have any documentation about this yet, but tests against
a Windows Server 2022 patched with KB5028166 revealed that
the response for query_level=2 is exactly the same as
for querey_level=1.
Until we know the reason for query_level=2 we won't
use it as client nor support it in the server, but
we want ndrdump to work.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15418
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andrew Bartlett <abart...@samba.org>
(cherry picked from commit 5f87888ed53320538cf773d64868390d8641a40e)
commit 0815d4019378dffc8e8e993b6a42a18425937a50
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 20 15:33:02 2023 +0200
CVE-2023-3347: smbd: fix "server signing = mandatory"
This was broken by commit 1f3f6e20dc086a36de52bffd0bc36e15fb19e1c6 because
when
calling srv_init_signing() very early after accepting the connection in
smbd_add_connection(), conn->protocol is still PROTOCOL_NONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 24157fb3be56ba88eb581e5c559a11887a486e82
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 20 18:13:23 2023 +0200
CVE-2023-3347: smbd: remove comment in smbd_smb2_request_process_negprot()
This is just going to bitrot. Anyone who's interested can just grep for
"signing_mandatory" and look up what it does.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 6be7bd40f0afb0fc5dd53f89120b867a72dd484f
Author: Ralph Boehme <s...@samba.org>
Date: Wed Jun 21 15:10:58 2023 +0200
CVE-2023-3347: smbd: inline smb2_srv_init_signing() code in
srv_init_signing()
It's now a one-line function, imho the overall code is simpler if that code
is
just inlined.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 5f39da852762ee0106d6a51e2ab533876533ec39
Author: Ralph Boehme <s...@samba.org>
Date: Wed Jun 21 15:06:12 2023 +0200
CVE-2023-3347: smbd: pass lp_ctx to smb[1|2]_srv_init_signing()
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 69cbb0414a3e44c7c3c2c798ab5a39e18a1633ce
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 20 12:46:31 2023 +0200
CVE-2023-3347: CI: add a test for server-side mandatory signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15397
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 7a4ed01ea6c352543a4937cafc7a4a7825e38d9b
Author: Ralph Boehme <s...@samba.org>
Date: Mon Jun 5 18:02:20 2023 +0200
CVE-2023-34968: mdssvc: return a fake share path
Instead of returning the real server-side absolute path of shares and search
results, return a fake absolute path replacing the path of the share with
the
share name, iow for a share "test" with a server-side path of "/foo/bar", we
previously returned
/foo/bar and
/foo/bar/search/result
and now return
/test and
/test/search/result
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit a84244705de1ec98cfaf4f608e0cbe7fe3c1eafe
Author: Ralph Boehme <s...@samba.org>
Date: Sat Jun 17 13:53:27 2023 +0200
CVE-2023-34968: mdscli: return share relative paths
The next commit will change the Samba Spotlight server to return absolute
paths
that start with the sharename as "/SHARENAME/..." followed by the share path
relative appended.
So given a share
[spotlight]
path = /foo/bar
spotlight = yes
and a file inside this share with a full path of
/foo/bar/dir/file
previously a search that matched this file would returns the absolute
server-side pato of the file, ie
/foo/bar/dir/file
This will be change to
/spotlight/dir/file
As currently the mdscli library and hence the mdsearch tool print out these
paths returned from the server, we have to change the output to accomodate
these
fake paths. The only way to do this sensibly is by makeing the paths
relative to
the containing share, so just
dir/file
in the example above.
The client learns about the share root path prefix – real server-side of
fake in
the future – in an initial handshake in the "share_path" out argument of the
mdssvc_open() RPC call, so the client can use this path to convert the
absolute
path to relative.
There is however an additional twist: the macOS Spotlight server prefixes
this
absolute path with another prefix, typically "/System/Volumes/Data", so in
the
example above the full path for the same search would be
/System/Volumes/Data/foo/bar/dir/file
So macOS does return the full server-side path too, just prefixed with an
additional path. This path prefixed can be queried by the client in the
mdssvc_cmd() RPC call with an Spotlight command of
"fetchPropertiesForContext:"
and the path is returned in a dictionary with key "kMDSStorePathScopes".
Samba
just returns "/" for this.
Currently the mdscli library doesn't issue this Spotlight RPC
request (fetchPropertiesForContext), so this is added in this commit. In the
end, all search result paths are stripped of the combined prefix
kMDSStorePathScopes + share_path (from mdssvc_open).
eg
kMDSStorePathScopes = /System/Volumes/Data
share_path = /foo/bar
search result = /System/Volumes/Data/foo/bar/dir/file
relative path returned by mdscli = dir/file
Makes sense? :)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit fdae8c00a6e2826c6b1a2a270434701dcaf85bb9
Author: Ralph Boehme <s...@samba.org>
Date: Mon Jun 19 18:16:57 2023 +0200
CVE-2023-34968: mdssvc: introduce an allocating wrapper to sl_pack()
sl_pack_alloc() does the buffer allocation that previously all callers of
sl_pack() did themselves.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit beeac1e092517cf25df11e9fe9d2fb26b7262179
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 20 11:05:22 2023 +0200
CVE-2023-34968: mdssvc: switch to doing an early return
Just reduce indentation of the code handling the success case. No change in
behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit e58d033930592378d24520648b2bb2c46ac1890d
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 20 11:42:10 2023 +0200
CVE-2023-34968: mdssvc: remove response blob allocation
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit de611ccaa8903d46c7a572289a3c0fc708f0aa43
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 20 11:35:41 2023 +0200
CVE-2023-34968: rpcclient: remove response blob allocation
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 783dbdd25308c33f160ed50ed4ee13d1d66e6cfa
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 20 11:28:47 2023 +0200
CVE-2023-34968: smbtorture: remove response blob allocation in mdssvc.c
This is alreay done by NDR for us.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit a6e05b4bccb599ce51bc3c023a8e352c735f5486
Author: Ralph Boehme <s...@samba.org>
Date: Mon Jun 19 18:28:41 2023 +0200
CVE-2023-34968: mdscli: remove response blob allocation
This is handled by the NDR code transparently.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 921a99259090eb33937dabf62717b77fbd95885b
Author: Ralph Boehme <s...@samba.org>
Date: Mon Jun 19 17:14:38 2023 +0200
CVE-2023-34968: mdscli: use correct TALLOC memory context when allocating
spotlight_blob
d is talloc_free()d at the end of the functions and the buffer was later
used
after beeing freed in the DCERPC layer when sending the packet.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit a75be03b23c0c38bf525efb54c393befccdf3d00
Author: Ralph Boehme <s...@samba.org>
Date: Sat Jun 17 13:39:55 2023 +0200
CVE-2023-34968: mdssvc: add missing "kMDSStoreMetaScopes" dict key in
slrpc_fetch_properties()
We were adding the value, but not the key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 3815bb8a70c758b4278850bd145e865429216bc8
Author: Ralph Boehme <s...@samba.org>
Date: Tue Jun 6 15:17:26 2023 +0200
CVE-2023-34968: mdssvc: cache and reuse stat info in struct
sl_inode_path_map
Prepare for the "path" being a fake path and not the real server-side
path where we won't be able to vfs_stat_fsp() this fake path. Luckily we
already
got stat info for the object in mds_add_result() so we can just pass stat
info
from there.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15388
Signed-off-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit f4aa21471254ff47a87ed1f3ea9cbc82d64d549b
Author: Ralph Boehme <s...@samba.org>
Date: Fri May 26 15:06:38 2023 +0200
CVE-2023-34967: mdssvc: add type checking to dalloc_value_for_key()
Change the dalloc_value_for_key() function to require an additional final
argument which denotes the expected type of the value associated with a
key. If
the types don't match, return NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 4cb781242274f95e9a56e7e80599d6beaf8ca36a
Author: Ralph Boehme <s...@samba.org>
Date: Wed May 31 16:26:14 2023 +0200
CVE-2023-34967: CI: add a test for type checking of dalloc_value_for_key()
Sends a maliciously crafted packet where the value in a key/value style
dictionary for the "scope" key is a simple string object whereas the server
expects an array. As the server doesn't perform type validation on the
value, it
crashes when trying to use the "simple" object as a "complex" one.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 207489b6b922cddf945227b20ae8543a4e01b686
Author: Ralph Boehme <s...@samba.org>
Date: Fri May 26 13:06:19 2023 +0200
CVE-2023-34966: mdssvc: harden sl_unpack_loop()
A malicious client could send a packet where subcount is zero, leading to a
busy
loop because
count -= subcount
=> count -= 0
=> while (count > 0)
loops forever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 1a208f258aa80ddbfb135e54d3d5c5d07dc0fdea
Author: Ralph Boehme <s...@samba.org>
Date: Wed May 31 15:34:26 2023 +0200
CVE-2023-34966: CI: test for sl_unpack_loop()
Send a maliciously crafted packet where a nil type has a subcount of 0. This
triggers an endless loop in mdssvc sl_unpack_loop().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
Signed-off-by: Ralph Boehme <s...@samba.org>
commit b09567397c2f394ca224c189cfbb1bee9688a96f
Author: Ralph Boehme <s...@samba.org>
Date: Fri Jun 16 12:28:47 2023 +0200
CVE-2022-2127: ntlm_auth: cap lanman response length value
We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
lm_resp buffer, but we don't cap the length indicator.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
Signed-off-by: Ralph Boehme <s...@samba.org>
commit 19dcb036cb8d21bf4e3e30d81eee3c79e54d3eff
Author: Volker Lendecke <v...@samba.org>
Date: Fri May 20 10:55:23 2022 +0200
CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP length checks
With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
can crash winbind. We don't independently check lm_resp_len
sufficiently.
Discovered via Coverity ID 1504444 Out-of-bounds access
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
Signed-off-by: Volker Lendecke <v...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 77 +++++++-
librpc/idl/netlogon.idl | 1 +
python/samba/tests/blackbox/mdsearch.py | 8 +-
python/samba/tests/dcerpc/mdssvc.py | 26 +--
selftest/target/Samba3.pm | 1 +
source3/rpc_client/cli_mdssvc.c | 191 ++++++++++++++++----
source3/rpc_client/cli_mdssvc_private.h | 4 +
source3/rpc_client/cli_mdssvc_util.c | 148 ++++++++-------
source3/rpc_client/cli_mdssvc_util.h | 4 +
source3/rpc_server/mdssvc/dalloc.c | 14 +-
source3/rpc_server/mdssvc/marshalling.c | 45 +++--
source3/rpc_server/mdssvc/marshalling.h | 9 +-
source3/rpc_server/mdssvc/mdssvc.c | 142 ++++++++++-----
source3/rpc_server/mdssvc/mdssvc.h | 7 +-
source3/rpc_server/mdssvc/srv_mdssvc_nt.c | 32 ++--
source3/rpc_server/netlogon/srv_netlog_nt.c | 29 ++-
source3/rpcclient/cmd_spotlight.c | 48 +----
source3/selftest/tests.py | 2 +
source3/smbd/proto.h | 1 -
source3/smbd/smb1_signing.c | 10 +-
source3/smbd/smb1_signing.h | 3 +-
source3/smbd/smb2_negprot.c | 6 -
source3/smbd/smb2_signing.c | 23 +--
source3/utils/ntlm_auth.c | 8 +-
source3/winbindd/winbindd_pam_auth_crap.c | 31 ++--
source4/rpc_server/netlogon/dcerpc_netlogon.c | 28 ++-
source4/torture/rpc/mdssvc.c | 250 +++++++++++++++++++++++---
source4/torture/rpc/netlogon.c | 77 +++++++-
source4/torture/smb2/session.c | 64 +++++++
source4/torture/smb2/smb2.c | 1 +
31 files changed, 971 insertions(+), 321 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 35e338ed4d5..2f3d9198c1c 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=18
-SAMBA_VERSION_RELEASE=4
+SAMBA_VERSION_RELEASE=5
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index c5dbc985f28..2ad4ab1a0ee 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,77 @@
+ ==============================
+ Release Notes for Samba 4.18.5
+ July 19, 2023
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2022-2127: When winbind is used for NTLM authentication, a maliciously
+ crafted request can trigger an out-of-bounds read in winbind
+ and possibly crash it.
+ https://www.samba.org/samba/security/CVE-2022-2127.html
+
+o CVE-2023-3347: SMB2 packet signing is not enforced if an admin configured
+ "server signing = required" or for SMB2 connections to Domain
+ Controllers where SMB2 packet signing is mandatory.
+ https://www.samba.org/samba/security/CVE-2023-3347.html
+
+o CVE-2023-34966: An infinite loop bug in Samba's mdssvc RPC service for
+ Spotlight can be triggered by an unauthenticated attacker by
+ issuing a malformed RPC request.
+ https://www.samba.org/samba/security/CVE-2023-34966.html
+
+o CVE-2023-34967: Missing type validation in Samba's mdssvc RPC service for
+ Spotlight can be used by an unauthenticated attacker to
+ trigger a process crash in a shared RPC mdssvc worker
process.
+ https://www.samba.org/samba/security/CVE-2023-34967.html
+
+o CVE-2023-34968: As part of the Spotlight protocol Samba discloses the server-
+ side absolute path of shares and files and directories in
+ search results.
+ https://www.samba.org/samba/security/CVE-2023-34968.html
+
+
+Changes since 4.18.4
+--------------------
+
+o Ralph Boehme <s...@samba.org>
+ * BUG 15072: CVE-2022-2127.
+ * BUG 15340: CVE-2023-34966.
+ * BUG 15341: CVE-2023-34967.
+ * BUG 15388: CVE-2023-34968.
+ * BUG 15397: CVE-2023-3347.
+
+o Volker Lendecke <v...@samba.org>
+ * BUG 15072: CVE-2022-2127.
+
+o Stefan Metzmacher <me...@samba.org>
+ * BUG 15418: Secure channel faulty since Windows 10/11 update 07/2023.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.18.4
July 05, 2023
@@ -66,8 +140,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.18.3
May 31, 2023
diff --git a/librpc/idl/netlogon.idl b/librpc/idl/netlogon.idl
index e563e114900..c77151af26b 100644
--- a/librpc/idl/netlogon.idl
+++ b/librpc/idl/netlogon.idl
@@ -1241,6 +1241,7 @@ interface netlogon
/* Function 0x15 */
typedef [switch_type(uint32)] union {
[case(1)] netr_NegotiateFlags server_capabilities;
+ [case(2)] netr_NegotiateFlags server_capabilities;
} netr_Capabilities;
NTSTATUS netr_LogonGetCapabilities(
diff --git a/python/samba/tests/blackbox/mdsearch.py
b/python/samba/tests/blackbox/mdsearch.py
index c9156ae6e0e..c8e75661f15 100644
--- a/python/samba/tests/blackbox/mdsearch.py
+++ b/python/samba/tests/blackbox/mdsearch.py
@@ -76,10 +76,7 @@ class MdfindBlackboxTests(BlackboxTestCase):
self.t.start()
time.sleep(1)
- pipe = mdssvc.mdssvc('ncacn_np:fileserver[/pipe/mdssvc]',
self.get_loadparm())
- conn = mdscli.conn(pipe, 'spotlight', '/foo')
- self.sharepath = conn.sharepath()
- conn.disconnect(pipe)
+ self.sharepath = os.environ["LOCAL_PATH"]
for file in testfiles:
f = open("%s/%s" % (self.sharepath, file), "w")
@@ -126,5 +123,4 @@ class MdfindBlackboxTests(BlackboxTestCase):
output = self.check_output("mdsearch --configfile=%s -U %s%%%s
fileserver spotlight '*==\"samba*\"'" % (config, username, password))
actual = output.decode('utf-8').splitlines()
- expected = ["%s/%s" % (self.sharepath, file) for file in testfiles]
- self.assertEqual(expected, actual)
+ self.assertEqual(testfiles, actual)
diff --git a/python/samba/tests/dcerpc/mdssvc.py
b/python/samba/tests/dcerpc/mdssvc.py
index b0df509ddc7..5002e5d26d6 100644
--- a/python/samba/tests/dcerpc/mdssvc.py
+++ b/python/samba/tests/dcerpc/mdssvc.py
@@ -84,10 +84,11 @@ class MdssvcTests(RpcInterfaceTestCase):
self.t = threading.Thread(target=MdssvcTests.http_server, args=(self,))
self.t.setDaemon(True)
self.t.start()
+ self.sharepath = os.environ["LOCAL_PATH"]
time.sleep(1)
conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
- self.sharepath = conn.sharepath()
+ self.fakepath = conn.sharepath()
conn.disconnect(self.pipe)
for file in testfiles:
@@ -105,12 +106,11 @@ class MdssvcTests(RpcInterfaceTestCase):
self.server.serve_forever()
def run_test(self, query, expect, json_in, json_out):
- expect = [s.replace("%BASEPATH%", self.sharepath) for s in expect]
self.server.json_in = json_in.replace("%BASEPATH%", self.sharepath)
self.server.json_out = json_out.replace("%BASEPATH%", self.sharepath)
self.conn = mdscli.conn(self.pipe, 'spotlight', '/foo')
- search = self.conn.search(self.pipe, query, self.sharepath)
+ search = self.conn.search(self.pipe, query, self.fakepath)
# Give it some time, the get_results() below returns immediately
# what's available, so if we ask to soon, we might get back no results
@@ -141,7 +141,7 @@ class MdssvcTests(RpcInterfaceTestCase):
]
}
}'''
- exp_results = ["%BASEPATH%/foo", "%BASEPATH%/bar"]
+ exp_results = ["foo", "bar"]
self.run_test('*=="samba*"', exp_results, exp_json_query,
fake_json_response)
def test_mdscli_search_escapes(self):
@@ -181,14 +181,14 @@ class MdssvcTests(RpcInterfaceTestCase):
}
}'''
exp_results = [
- r"%BASEPATH%/x+x",
- r"%BASEPATH%/x*x",
- r"%BASEPATH%/x=x",
- r"%BASEPATH%/x'x",
- r"%BASEPATH%/x?x",
- r"%BASEPATH%/x x",
- r"%BASEPATH%/x(x",
- "%BASEPATH%/x\"x",
- r"%BASEPATH%/x\x",
+ r"x+x",
+ r"x*x",
+ r"x=x",
+ r"x'x",
+ r"x?x",
+ r"x x",
+ r"x(x",
+ "x\"x",
+ r"x\x",
]
self.run_test(sl_query, exp_results, exp_json_query,
fake_json_response)
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index ba3268f147c..d3ee7388026 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -1294,6 +1294,7 @@ sub setup_ad_member_idmap_rid
# values required for tests to succeed
create krb5 conf = no
map to guest = bad user
+ server signing = required
";
my $ret = $self->provision(
diff --git a/source3/rpc_client/cli_mdssvc.c b/source3/rpc_client/cli_mdssvc.c
index 046d37135cb..753bc2e52ed 100644
--- a/source3/rpc_client/cli_mdssvc.c
+++ b/source3/rpc_client/cli_mdssvc.c
@@ -43,10 +43,12 @@ char *mdscli_get_basepath(TALLOC_CTX *mem_ctx,
struct mdscli_connect_state {
struct tevent_context *ev;
struct mdscli_ctx *mdscli_ctx;
+ struct mdssvc_blob response_blob;
};
static void mdscli_connect_open_done(struct tevent_req *subreq);
static void mdscli_connect_unknown1_done(struct tevent_req *subreq);
+static void mdscli_connect_fetch_props_done(struct tevent_req *subreq);
struct tevent_req *mdscli_connect_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -111,6 +113,7 @@ static void mdscli_connect_open_done(struct tevent_req
*subreq)
struct mdscli_connect_state *state = tevent_req_data(
req, struct mdscli_connect_state);
struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
+ size_t share_path_len;
NTSTATUS status;
status = dcerpc_mdssvc_open_recv(subreq, state);
@@ -120,6 +123,18 @@ static void mdscli_connect_open_done(struct tevent_req
*subreq)
return;
}
+ share_path_len = strlen(mdscli_ctx->mdscmd_open.share_path);
+ if (share_path_len < 1 || share_path_len > UINT16_MAX) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+ mdscli_ctx->mdscmd_open.share_path_len = share_path_len;
+
+ if (mdscli_ctx->mdscmd_open.share_path[share_path_len-1] == '/') {
+ mdscli_ctx->mdscmd_open.share_path[share_path_len-1] = '\0';
+ mdscli_ctx->mdscmd_open.share_path_len--;
+ }
+
subreq = dcerpc_mdssvc_unknown1_send(
state,
state->ev,
@@ -146,6 +161,8 @@ static void mdscli_connect_unknown1_done(struct tevent_req
*subreq)
subreq, struct tevent_req);
struct mdscli_connect_state *state = tevent_req_data(
req, struct mdscli_connect_state);
+ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
+ struct mdssvc_blob request_blob;
NTSTATUS status;
status = dcerpc_mdssvc_unknown1_recv(subreq, state);
@@ -154,6 +171,108 @@ static void mdscli_connect_unknown1_done(struct
tevent_req *subreq)
return;
}
+ status = mdscli_blob_fetch_props(state,
+ state->mdscli_ctx,
+ &request_blob);
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ subreq = dcerpc_mdssvc_cmd_send(state,
+ state->ev,
+ mdscli_ctx->bh,
+ &mdscli_ctx->ph,
+ 0,
+ mdscli_ctx->dev,
+ mdscli_ctx->mdscmd_open.unkn2,
+ 0,
+ mdscli_ctx->flags,
+ request_blob,
+ 0,
+ mdscli_ctx->max_fragment_size,
+ 1,
+ mdscli_ctx->max_fragment_size,
+ 0,
+ 0,
+ &mdscli_ctx->mdscmd_cmd.fragment,
+ &state->response_blob,
+ &mdscli_ctx->mdscmd_cmd.unkn9);
+ if (tevent_req_nomem(subreq, req)) {
+ return;
+ }
+ tevent_req_set_callback(subreq, mdscli_connect_fetch_props_done, req);
+ mdscli_ctx->async_pending++;
+ return;
+}
+
+static void mdscli_connect_fetch_props_done(struct tevent_req *subreq)
+{
+ struct tevent_req *req = tevent_req_callback_data(
+ subreq, struct tevent_req);
+ struct mdscli_connect_state *state = tevent_req_data(
+ req, struct mdscli_connect_state);
+ struct mdscli_ctx *mdscli_ctx = state->mdscli_ctx;
+ DALLOC_CTX *d = NULL;
+ sl_array_t *path_scope_array = NULL;
+ char *path_scope = NULL;
+ NTSTATUS status;
+ bool ok;
+
+ status = dcerpc_mdssvc_cmd_recv(subreq, state);
+ TALLOC_FREE(subreq);
+ state->mdscli_ctx->async_pending--;
+ if (tevent_req_nterror(req, status)) {
+ return;
+ }
+
+ d = dalloc_new(state);
+ if (tevent_req_nomem(d, req)) {
+ return;
+ }
+
+ ok = sl_unpack(d,
+ (char *)state->response_blob.spotlight_blob,
+ state->response_blob.length);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ path_scope_array = dalloc_value_for_key(d,
+ "DALLOC_CTX", 0,
+ "kMDSStorePathScopes",
+ "sl_array_t");
+ if (path_scope_array == NULL) {
+ DBG_ERR("Missing kMDSStorePathScopes\n");
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ path_scope = dalloc_get(path_scope_array, "char *", 0);
+ if (path_scope == NULL) {
+ DBG_ERR("Missing path in kMDSStorePathScopes\n");
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+
+ mdscli_ctx->path_scope_len = strlen(path_scope);
+ if (mdscli_ctx->path_scope_len < 1 ||
+ mdscli_ctx->path_scope_len > UINT16_MAX)
+ {
+ DBG_ERR("Bad path_scope: %s\n", path_scope);
+ tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
+ return;
+ }
+ mdscli_ctx->path_scope = talloc_strdup(mdscli_ctx, path_scope);
+ if (tevent_req_nomem(mdscli_ctx->path_scope, req)) {
+ return;
+ }
+
+ if (mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] == '/') {
+ mdscli_ctx->path_scope[mdscli_ctx->path_scope_len-1] = '\0';
+ mdscli_ctx->path_scope_len--;
+ }
+
tevent_req_done(req);
}
@@ -276,15 +395,6 @@ struct tevent_req *mdscli_search_send(TALLOC_CTX *mem_ctx,
return tevent_req_post(req, ev);
}
- state->response_blob.spotlight_blob = talloc_array(
- state,
- uint8_t,
- mdscli_ctx->max_fragment_size);
- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
- return tevent_req_post(req, ev);
- }
- state->response_blob.size = mdscli_ctx->max_fragment_size;
-
subreq = dcerpc_mdssvc_cmd_send(state,
ev,
mdscli_ctx->bh,
@@ -457,15 +567,6 @@ struct tevent_req *mdscli_get_results_send(
return tevent_req_post(req, ev);
}
- state->response_blob.spotlight_blob = talloc_array(
- state,
- uint8_t,
- mdscli_ctx->max_fragment_size);
- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
- return tevent_req_post(req, ev);
- }
- state->response_blob.size = mdscli_ctx->max_fragment_size;
-
subreq = dcerpc_mdssvc_cmd_send(state,
ev,
mdscli_ctx->bh,
@@ -681,15 +782,6 @@ struct tevent_req *mdscli_get_path_send(TALLOC_CTX
*mem_ctx,
return tevent_req_post(req, ev);
}
- state->response_blob.spotlight_blob = talloc_array(
- state,
- uint8_t,
- mdscli_ctx->max_fragment_size);
- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
- return tevent_req_post(req, ev);
- }
- state->response_blob.size = mdscli_ctx->max_fragment_size;
-
subreq = dcerpc_mdssvc_cmd_send(state,
ev,
mdscli_ctx->bh,
@@ -724,7 +816,10 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
struct mdscli_get_path_state *state = tevent_req_data(
req, struct mdscli_get_path_state);
DALLOC_CTX *d = NULL;
+ size_t pathlen;
+ size_t prefixlen;
char *path = NULL;
+ const char *p = NULL;
NTSTATUS status;
bool ok;
@@ -759,7 +854,38 @@ static void mdscli_get_path_done(struct tevent_req *subreq)
tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
return;
}
- state->path = talloc_move(state, &path);
+
+ /* Path is prefixed by /PATHSCOPE/SHARENAME/, strip it */
+ pathlen = strlen(path);
+
+ /*
+ * path_scope_len and share_path_len are already checked to be smaller
+ * then UINT16_MAX so this can't overflow
+ */
+ prefixlen = state->mdscli_ctx->path_scope_len
+ + state->mdscli_ctx->mdscmd_open.share_path_len;
+
+ if (pathlen < prefixlen) {
+ DBG_DEBUG("Bad path: %s\n", path);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
+ p = path + prefixlen;
+ while (*p == '/') {
+ p++;
+ }
+ if (*p == '\0') {
+ DBG_DEBUG("Bad path: %s\n", path);
+ tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ return;
+ }
+
+ state->path = talloc_strdup(state, p);
+ if (state->path == NULL) {
+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+ return;
+ }
DBG_DEBUG("path: %s\n", state->path);
tevent_req_done(req);
@@ -852,15 +978,6 @@ struct tevent_req *mdscli_close_search_send(TALLOC_CTX
*mem_ctx,
return tevent_req_post(req, ev);
}
- state->response_blob.spotlight_blob = talloc_array(
- state,
- uint8_t,
- mdscli_ctx->max_fragment_size);
- if (tevent_req_nomem(state->response_blob.spotlight_blob, req)) {
- return tevent_req_post(req, ev);
- }
- state->response_blob.size = mdscli_ctx->max_fragment_size;
-
subreq = dcerpc_mdssvc_cmd_send(state,
ev,
mdscli_ctx->bh,
diff --git a/source3/rpc_client/cli_mdssvc_private.h
b/source3/rpc_client/cli_mdssvc_private.h
index 031af85bf58..77f300c09cc 100644
--- a/source3/rpc_client/cli_mdssvc_private.h
+++ b/source3/rpc_client/cli_mdssvc_private.h
@@ -42,6 +42,7 @@ struct mdscli_ctx {
/* cmd specific or unknown fields */
struct {
--
Samba Shared Repository
