Date: Tue, 25 Oct 2022 23:22:06 GMT From: "Timur I. Bakeyev" <timur@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 1ca07f009bba - main - net/samba413: Backport fix for CVE-2022-3437 Message-ID: <202210252322.29PNM6gM016266@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by timur: URL: https://cgit.FreeBSD.org/ports/commit/?id=1ca07f009bba7efd996f6e60d6449174b8db980f commit 1ca07f009bba7efd996f6e60d6449174b8db980f Author: Timur I. Bakeyev <timur@FreeBSD.org> AuthorDate: 2022-10-25 14:44:01 +0000 Commit: Timur I. Bakeyev <timur@FreeBSD.org> CommitDate: 2022-10-25 23:21:17 +0000 net/samba413: Backport fix for CVE-2022-3437 Also backported dlz_bind module creation for Bind 9.18. Security: CVE-2022-3437 --- net/samba413/Makefile | 6 +- ...-simplify-modules-build-and-config-genera.patch | 704 ++++++++ .../CVE-2022-3437-des3-overflow-v4a-4.12.patch | 1897 ++++++++++++++++++++ net/samba413/files/patch-bind | 274 --- net/samba413/pkg-plist.ad_dc | 3 +- 5 files changed, 2606 insertions(+), 278 deletions(-) diff --git a/net/samba413/Makefile b/net/samba413/Makefile index 1c1df27edb8a..5a3f59c6d26e 100644 --- a/net/samba413/Makefile +++ b/net/samba413/Makefile @@ -1,6 +1,6 @@ PORTNAME= ${SAMBA4_BASENAME}413 PORTVERSION= ${SAMBA4_VERSION} -PORTREVISION= 3 +PORTREVISION= 4 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} @@ -17,7 +17,9 @@ CONFLICTS_INSTALL?= samba4* # bin/cifsdd bin/dbwrap_tool bin/dumpmscat bin/find USES= cpe -EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 +EXTRA_PATCHES+= ${PATCHDIR}/0001-Zfs-provision-1.patch:-p1 \ + ${PATCHDIR}/0001-Compact-and-simplify-modules-build-and-config-genera.patch:-p1 \ + ${PATCHDIR}/CVE-2022-3437-des3-overflow-v4a-4.12.patch:-p1 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 diff --git a/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch b/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch new file mode 100644 index 000000000000..a73d038290c0 --- /dev/null +++ b/net/samba413/files/0001-Compact-and-simplify-modules-build-and-config-genera.patch @@ -0,0 +1,704 @@ +From 05e3cc236406680a55e19b204202b63cdaf48ea1 Mon Sep 17 00:00:00 2001 +From: "Timur I. Bakeyev" <timur@FreeBSD.org> +Date: Mon, 1 Aug 2022 04:15:43 +0200 +Subject: [PATCH 01/28] Compact and simplify modules build and config + generation for Bind 9.x AD DLZ. + +Signed-off-by: Timur I. Bakeyev <timur@FreeBSD.org> +--- + python/samba/provision/sambadns.py | 68 ++++++++++++------------------ + source4/dns_server/dlz_minimal.h | 44 +++++++++---------- + source4/dns_server/wscript_build | 62 +++------------------------ + source4/setup/named.conf.dlz | 25 +---------- + source4/torture/dns/wscript_build | 2 +- + 5 files changed, 55 insertions(+), 146 deletions(-) + +diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py +index 404b346a885..8e5a8ba5f25 100644 +--- a/python/samba/provision/sambadns.py ++++ b/python/samba/provision/sambadns.py +@@ -21,6 +21,7 @@ + """DNS-related provisioning""" + + import os ++import re + import uuid + import shutil + import time +@@ -957,48 +958,37 @@ def create_named_conf(paths, realm, dnsdomain, dns_bac + stderr=subprocess.STDOUT, + cwd='.').communicate()[0] + bind_info = get_string(bind_info) +- bind9_8 = '#' +- bind9_9 = '#' +- bind9_10 = '#' +- bind9_11 = '#' +- bind9_12 = '#' +- bind9_14 = '#' +- bind9_16 = '#' +- if bind_info.upper().find('BIND 9.8') != -1: +- bind9_8 = '' +- elif bind_info.upper().find('BIND 9.9') != -1: +- bind9_9 = '' +- elif bind_info.upper().find('BIND 9.10') != -1: +- bind9_10 = '' +- elif bind_info.upper().find('BIND 9.11') != -1: +- bind9_11 = '' +- elif bind_info.upper().find('BIND 9.12') != -1: +- bind9_12 = '' +- elif bind_info.upper().find('BIND 9.14') != -1: +- bind9_14 = '' +- elif bind_info.upper().find('BIND 9.16') != -1: +- bind9_16 = '' +- elif bind_info.upper().find('BIND 9.7') != -1: +- raise ProvisioningError("DLZ option incompatible with BIND 9.7.") +- elif bind_info.upper().find('BIND_9.13') != -1: +- raise ProvisioningError("Only stable/esv releases of BIND are supported.") +- elif bind_info.upper().find('BIND_9.15') != -1: +- raise ProvisioningError("Only stable/esv releases of BIND are supported.") +- elif bind_info.upper().find('BIND_9.17') != -1: +- raise ProvisioningError("Only stable/esv releases of BIND are supported.") ++ bind9_release = re.search('BIND (9)\.(\d+)\.', bind_info, re.I) ++ if bind9_release: ++ bind9_disabled = '' ++ bind9_version = bind9_release.group(0) + "x" ++ bind9_version_major = int(bind9_release.group(1)) ++ bind9_version_minor = int(bind9_release.group(2)) ++ if bind9_version_minor == 7: ++ raise ProvisioningError("DLZ option incompatible with BIND 9.7.") ++ elif bind9_version_minor == 8: ++ bind9_dlz_version = "9" ++ elif bind9_version_minor in [13, 15, 17]: ++ raise ProvisioningError("Only stable/esv releases of BIND are supported.") ++ else: ++ bind9_dlz_version = "%d_%d" % (bind9_version_major, bind9_version_minor) + else: ++ bind9_disabled = '# ' ++ bind9_version = "BIND z.y.x" ++ bind9_dlz_version = "z_y" + logger.warning("BIND version unknown, please modify %s manually." % paths.namedconf) ++ ++ bind9_dlz = ( ++ ' # For %s\n' ++ ' %sdatabase "dlopen %s/bind9/dlz_bind%s.so";' ++ ) % ( ++ bind9_version, bind9_disabled, samba.param.modules_dir(), bind9_dlz_version ++ ) + setup_file(setup_path("named.conf.dlz"), paths.namedconf, { + "NAMED_CONF": paths.namedconf, + "MODULESDIR": samba.param.modules_dir(), +- "BIND9_8": bind9_8, +- "BIND9_9": bind9_9, +- "BIND9_10": bind9_10, +- "BIND9_11": bind9_11, +- "BIND9_12": bind9_12, +- "BIND9_14": bind9_14, +- "BIND9_16": bind9_16 +- }) ++ "BIND9_DLZ": bind9_dlz ++ }) + + + def create_named_txt(path, realm, dnsdomain, dnsname, binddns_dir, +diff --git a/source4/dns_server/dlz_minimal.h b/source4/dns_server/dlz_minimal.h +index b7e36e7f8e6..bbdb616deb2 100644 +--- a/source4/dns_server/dlz_minimal.h ++++ b/source4/dns_server/dlz_minimal.h +@@ -26,32 +26,31 @@ + #include <stdint.h> + #include <stdbool.h> + +-#if defined (BIND_VERSION_9_8) +-# define DLZ_DLOPEN_VERSION 1 +-#elif defined (BIND_VERSION_9_9) +-# define DLZ_DLOPEN_VERSION 2 +-# define DNS_CLIENTINFO_VERSION 1 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_10) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 1 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_11) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_12) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 +-# define ISC_BOOLEAN_AS_BOOL 0 +-#elif defined (BIND_VERSION_9_14) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 +-#elif defined (BIND_VERSION_9_16) +-# define DLZ_DLOPEN_VERSION 3 +-# define DNS_CLIENTINFO_VERSION 2 ++#if defined (BIND_VERSION) ++# if BIND_VERSION == 908 ++# define DLZ_DLOPEN_VERSION 1 ++# elif BIND_VERSION == 909 ++# define DLZ_DLOPEN_VERSION 2 ++# define DNS_CLIENTINFO_VERSION 1 ++# define ISC_BOOLEAN_AS_BOOL 0 ++# elif BIND_VERSION == 910 ++# define DLZ_DLOPEN_VERSION 3 ++# define DNS_CLIENTINFO_VERSION 1 ++# define ISC_BOOLEAN_AS_BOOL 0 ++# elif BIND_VERSION == 911 || BIND_VERSION == 912 ++# define DLZ_DLOPEN_VERSION 3 ++# define DNS_CLIENTINFO_VERSION 2 ++# define ISC_BOOLEAN_AS_BOOL 0 ++# elif BIND_VERSION >= 914 ++# define DLZ_DLOPEN_VERSION 3 ++# define DNS_CLIENTINFO_VERSION 2 ++# define ISC_BOOLEAN_AS_BOOL 1 ++# else ++# error Unsupported BIND version ++# endif + #else + # error Unsupported BIND version ++# error BIND_VERSION undefined + #endif + + #ifndef ISC_BOOLEAN_AS_BOOL +diff --git a/source4/dns_server/wscript_build b/source4/dns_server/wscript_build +index ab0a241b937..3743753504c 100644 +--- a/source4/dns_server/wscript_build ++++ b/source4/dns_server/wscript_build +@@ -18,79 +18,21 @@ bld.SAMBA_MODULE('service_dns', + ) + + # a bind9 dlz module giving access to the Samba DNS SAM +-bld.SAMBA_LIBRARY('dlz_bind9', ++for bind_version in (910, 911, 912, 914, 916, 918): ++ string_version='%d_%d' % (bind_version // 100, bind_version % 100) ++ bld.SAMBA_LIBRARY('dlz_bind%s' % (string_version), + source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_8', ++ cflags='-DBIND_VERSION=%d' % bind_version, + private_library=True, +- link_name='modules/bind9/dlz_bind9.so', +- realname='dlz_bind9.so', ++ link_name='modules/bind9/dlz_bind%s.so' % (string_version), ++ realname='dlz_bind%s.so' % (string_version), + install_path='${MODULESDIR}/bind9', + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) + +-bld.SAMBA_LIBRARY('dlz_bind9_9', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_9', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_9.so', +- realname='dlz_bind9_9.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_10', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_10', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_10.so', +- realname='dlz_bind9_10.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_11', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_11', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_11.so', +- realname='dlz_bind9_11.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_12', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_12', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_12.so', +- realname='dlz_bind9_12.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_14', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_14', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_14.so', +- realname='dlz_bind9_14.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- +-bld.SAMBA_LIBRARY('dlz_bind9_16', +- source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_16', +- private_library=True, +- link_name='modules/bind9/dlz_bind9_16.so', +- realname='dlz_bind9_16.so', +- install_path='${MODULESDIR}/bind9', +- deps='samba-hostconfig samdb-common gensec popt dnsserver_common', +- enabled=bld.AD_DC_BUILD_IS_ENABLED()) +- + bld.SAMBA_LIBRARY('dlz_bind9_for_torture', + source='dlz_bind9.c', +- cflags='-DBIND_VERSION_9_8', ++ cflags='-DBIND_VERSION=918', + private_library=True, + deps='samba-hostconfig samdb-common gensec popt dnsserver_common', + enabled=bld.AD_DC_BUILD_IS_ENABLED()) +diff --git a/source4/setup/named.conf.dlz b/source4/setup/named.conf.dlz +index cbe7d805f58..32672768af4 100644 +--- a/source4/setup/named.conf.dlz ++++ b/source4/setup/named.conf.dlz +@@ -10,25 +10,6 @@ + # Uncomment only single database line, depending on your BIND version + # + dlz "AD DNS Zone" { +- # For BIND 9.8.x +- ${BIND9_8} database "dlopen ${MODULESDIR}/bind9/dlz_bind9.so"; +- +- # For BIND 9.9.x +- ${BIND9_9} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_9.so"; +- +- # For BIND 9.10.x +- ${BIND9_10} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_10.so"; +- +- # For BIND 9.11.x +- ${BIND9_11} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_11.so"; +- +- # For BIND 9.12.x +- ${BIND9_12} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_12.so"; +- +- # For BIND 9.14.x +- ${BIND9_14} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_14.so"; +- +- # For BIND 9.16.x +- ${BIND9_16} database "dlopen ${MODULESDIR}/bind9/dlz_bind9_16.so"; ++${BIND9_DLZ} + }; + +diff --git a/source4/torture/dns/wscript_build b/source4/torture/dns/wscript_build +index 0b40e03e370..bf7415ff88a 100644 +--- a/source4/torture/dns/wscript_build ++++ b/source4/torture/dns/wscript_build +@@ -5,7 +5,7 @@ if bld.AD_DC_BUILD_IS_ENABLED(): + source='dlz_bind9.c', + subsystem='smbtorture', + init_function='torture_bind_dns_init', +- cflags='-DBIND_VERSION_9_8', ++ cflags='-DBIND_VERSION=918', + deps='torture talloc torturemain dlz_bind9_for_torture', + internal_module=True + ) +--- a/source4/torture/dns/dlz_bind9.c ++++ b/source4/torture/dns/dlz_bind9.c +@@ -19,6 +19,7 @@ + + #include "includes.h" + #include "torture/smbtorture.h" ++#include "system/network.h" + #include "dns_server/dlz_minimal.h" + #include <talloc.h> + #include <ldb.h> +@@ -88,7 +89,8 @@ static bool test_dlz_bind9_create(struct torture_conte + static bool calls_zone_hook = false; + + static isc_result_t dlz_bind9_writeable_zone_hook(dns_view_t *view, +- const char *zone_name) ++ dns_dlzdb_t *dlzdb, ++ const char *zone_name) + { + struct torture_context *tctx = talloc_get_type((void *)view, struct torture_context); + struct ldb_context *samdb = NULL; +@@ -128,7 +130,8 @@ static isc_result_t dlz_bind9_writeable_zone_hook(dns_ + + static bool test_dlz_bind9_configure(struct torture_context *tctx) + { +- void *dbdata; ++ void *dbdata = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -143,7 +146,9 @@ static bool test_dlz_bind9_configure(struct torture_co + "Failed to create samba_dlz"); + + calls_zone_hook = false; +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, ++ dlzdb, ++ dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -167,6 +172,7 @@ static bool configure_multiple_dlzs(struct torture_con + void **dbdata, int count) + { + int i, res; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -183,7 +189,7 @@ static bool configure_multiple_dlzs(struct torture_con + torture_assert_int_equal(tctx, res, ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- res = dlz_configure((void*)tctx, dbdata[i]); ++ res = dlz_configure((void*)tctx, dlzdb, dbdata[i]); + torture_assert_int_equal(tctx, res, ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + } +@@ -195,9 +201,14 @@ static bool test_dlz_bind9_destroy_oldest_first(struct + { + void *dbdata[NUM_DLZS_TO_CONFIGURE]; + int i; ++ bool ret = configure_multiple_dlzs(tctx, ++ dbdata, ++ NUM_DLZS_TO_CONFIGURE); ++ if (ret == false) { ++ /* failure: has already been printed */ ++ return false; ++ } + +- configure_multiple_dlzs(tctx, dbdata, NUM_DLZS_TO_CONFIGURE); +- + /* Reload faults are reported to happen on the first destroy */ + dlz_destroy(dbdata[0]); + +@@ -212,9 +223,14 @@ static bool test_dlz_bind9_destroy_newest_first(struct + { + void *dbdata[NUM_DLZS_TO_CONFIGURE]; + int i; ++ bool ret = configure_multiple_dlzs(tctx, ++ dbdata, ++ NUM_DLZS_TO_CONFIGURE); ++ if (ret == false) { ++ /* failure: has already been printed */ ++ return false; ++ } + +- configure_multiple_dlzs(tctx, dbdata, NUM_DLZS_TO_CONFIGURE); +- + for(i = NUM_DLZS_TO_CONFIGURE - 1; i >= 0; i--) { + dlz_destroy(dbdata[i]); + } +@@ -229,6 +245,7 @@ static bool test_dlz_bind9_destroy_newest_first(struct + static bool test_dlz_bind9_gensec(struct torture_context *tctx, const char *mech) + { + NTSTATUS status; ++ dns_dlzdb_t *dlzdb = NULL; + + struct gensec_security *gensec_client_context; + +@@ -248,7 +265,8 @@ static bool test_dlz_bind9_gensec(struct torture_conte + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, ++ dlzdb, dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -273,6 +291,7 @@ static bool test_dlz_bind9_gensec(struct torture_conte + popt_get_cmdline_credentials()); + torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (client) failed"); + ++ + status = gensec_start_mech_by_sasl_name(gensec_client_context, mech); + torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_sasl_name (client) failed"); + +@@ -414,7 +433,10 @@ static isc_result_t dlz_bind9_putnamedrr_hook(dns_sdlz + static bool test_dlz_bind9_lookup(struct torture_context *tctx) + { + size_t i; +- void *dbdata; ++ void *dbdata = NULL; ++ dns_clientinfomethods_t *methods = NULL; ++ dns_clientinfo_t *clientinfo = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -434,8 +456,9 @@ static bool test_dlz_bind9_lookup(struct torture_conte + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), +- ISC_R_SUCCESS, ++ torture_assert_int_equal(tctx, ++ dlz_configure((void*)tctx, dlzdb, dbdata), ++ ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + + expected1 = talloc_zero(tctx, struct test_expected_rr); +@@ -478,7 +501,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte + + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Failed to lookup @"); + for (i = 0; i < expected1->num_records; i++) { +@@ -514,7 +538,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte + + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected2->query_name, dbdata, +- (dns_sdlzlookup_t *)expected2), ++ (dns_sdlzlookup_t *)expected2, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Failed to lookup hostname"); + for (i = 0; i < expected2->num_records; i++) { +@@ -539,7 +564,8 @@ static bool test_dlz_bind9_lookup(struct torture_conte + static bool test_dlz_bind9_zonedump(struct torture_context *tctx) + { + size_t i; +- void *dbdata; ++ void *dbdata = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + const char *argv[] = { + "samba_dlz", + "-H", +@@ -558,7 +584,7 @@ static bool test_dlz_bind9_zonedump(struct torture_con + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -650,7 +676,8 @@ static bool test_dlz_bind9_update01(struct torture_con + NTSTATUS status; + struct gensec_security *gensec_client_context; + DATA_BLOB client_to_server, server_to_client; +- void *dbdata; ++ void *dbdata = NULL; ++ dns_dlzdb_t *dlzdb = NULL; + void *version = NULL; + const char *argv[] = { + "samba_dlz", +@@ -664,6 +691,8 @@ static bool test_dlz_bind9_update01(struct torture_con + char *data1 = NULL; + char *data2 = NULL; + bool ret = false; ++ dns_clientinfomethods_t *methods = NULL; ++ dns_clientinfo_t *clientinfo = NULL; + + tctx_static = tctx; + torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata, +@@ -675,7 +704,7 @@ static bool test_dlz_bind9_update01(struct torture_con + ISC_R_SUCCESS, + "Failed to create samba_dlz"); + +- torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dbdata), ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata), + ISC_R_SUCCESS, + "Failed to configure samba_dlz"); + +@@ -813,7 +842,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_NOTFOUND, + "Found hostname"); + torture_assert_int_equal(tctx, expected1->num_rr, 0, +@@ -863,7 +893,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -892,7 +923,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -926,7 +958,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -960,7 +993,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[1].printed, +@@ -989,7 +1023,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_NOTFOUND, + "Found hostname"); + torture_assert_int_equal(tctx, expected1->num_rr, 0, +@@ -1013,7 +1048,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1042,7 +1078,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1076,7 +1113,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1110,7 +1148,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_SUCCESS, + "Not found hostname"); + torture_assert(tctx, expected1->records[0].printed, +@@ -1146,7 +1185,8 @@ static bool test_dlz_bind9_update01(struct torture_con + expected1->records[1].printed = false; + torture_assert_int_equal(tctx, dlz_lookup(lpcfg_dnsdomain(tctx->lp_ctx), + expected1->query_name, dbdata, +- (dns_sdlzlookup_t *)expected1), ++ (dns_sdlzlookup_t *)expected1, ++ methods, clientinfo), + ISC_R_NOTFOUND, + "Found hostname"); + torture_assert_int_equal(tctx, expected1->num_rr, 0, +@@ -1161,6 +1201,76 @@ cancel_version: + return ret; + } + ++/* ++ * Test zone transfer requests restrictions ++ * ++ * 1: test that zone transfer is denied by default ++ * 2: with an authorized list of IPs set in smb.conf, test that zone transfer ++ * is accepted only for selected IPs. ++ */ ++static bool test_dlz_bind9_allowzonexfr(struct torture_context *tctx) ++{ ++ void *dbdata; ++ const char *argv[] = { ++ "samba_dlz", ++ "-H", ++ test_dlz_bind9_binddns_dir(tctx, "dns/sam.ldb"), ++ NULL ++ }; ++ isc_result_t ret; ++ dns_dlzdb_t *dlzdb = NULL; ++ bool ok; ++ ++ tctx_static = tctx; ++ torture_assert_int_equal(tctx, dlz_create("samba_dlz", 3, argv, &dbdata, ++ "log", dlz_bind9_log_wrapper, ++ "writeable_zone", dlz_bind9_writeable_zone_hook, ++ "putrr", dlz_bind9_putrr_hook, ++ "putnamedrr", dlz_bind9_putnamedrr_hook, ++ NULL), ++ ISC_R_SUCCESS, ++ "Failed to create samba_dlz"); ++ ++ torture_assert_int_equal(tctx, dlz_configure((void*)tctx, dlzdb, dbdata), ++ ISC_R_SUCCESS, ++ "Failed to configure samba_dlz"); ++ ++ /* Ask for zone transfer with no specific config => expect denied */ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM, ++ "Zone transfer accepted with default settings"); ++ ++ /* Ask for zone transfer with authorizations set */ ++ ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients allow=127.0.0.1,1234:5678::1,192.168.0."); ++ torture_assert(tctx, ok, "Failed to set dns zone transfer clients allow option."); ++ ++ ok = lpcfg_set_option(tctx->lp_ctx, "dns zone transfer clients deny=192.168.0.2"); ++ torture_assert(tctx, ok, "Failed to set dns zone transfer clients deny option."); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "127.0.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS, ++ "Zone transfer refused for authorized IPv4 address"); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "1234:5678::1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS, ++ "Zone transfer refused for authorized IPv6 address."); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "10.0.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM, ++ "Zone transfer accepted for unauthorized IP"); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.1"); ++ torture_assert_int_equal(tctx, ret, ISC_R_SUCCESS, ++ "Zone transfer refused for address in authorized IPv4 subnet."); ++ ++ ret = dlz_allowzonexfr(dbdata, lpcfg_dnsdomain(tctx->lp_ctx), "192.168.0.2"); ++ torture_assert_int_equal(tctx, ret, ISC_R_NOPERM, ++ "Zone transfer allowed for denied client."); ++ ++ dlz_destroy(dbdata); ++ return true; ++} ++ + static struct torture_suite *dlz_bind9_suite(TALLOC_CTX *ctx) + { + struct torture_suite *suite = torture_suite_create(ctx, "dlz_bind9"); +@@ -1182,6 +1292,7 @@ static struct torture_suite *dlz_bind9_suite(TALLOC_CT + torture_suite_add_simple_test(suite, "lookup", test_dlz_bind9_lookup); + torture_suite_add_simple_test(suite, "zonedump", test_dlz_bind9_zonedump); + torture_suite_add_simple_test(suite, "update01", test_dlz_bind9_update01); ++ torture_suite_add_simple_test(suite, "allowzonexfr", test_dlz_bind9_allowzonexfr); + return suite; + } + +-- +2.37.1 + diff --git a/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch b/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch new file mode 100644 index 000000000000..1d1a538a9cbd --- /dev/null +++ b/net/samba413/files/CVE-2022-3437-des3-overflow-v4a-4.12.patch @@ -0,0 +1,1897 @@ +From e63b31932441b6213ace55f4e627d098682965c3 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:56:08 +1300 +Subject: [PATCH 01/11] CVE-2022-3437 source4/heimdal: Remove __func__ + compatibility workaround + +As described by the C standard, __func__ is a variable, not a macro. +Hence this #ifndef check does not work as intended, and only serves to +unconditionally disable __func__. A nonoperating __func__ prevents +cmocka operating correctly, so remove this definition. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +--- + source4/heimdal/lib/krb5/krb5_locl.h | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/source4/heimdal/lib/krb5/krb5_locl.h b/source4/heimdal/lib/krb5/krb5_locl.h +index 49c614d5efe..d3360c556ce 100644 +--- a/source4/heimdal/lib/krb5/krb5_locl.h ++++ b/source4/heimdal/lib/krb5/krb5_locl.h +@@ -188,10 +188,6 @@ struct _krb5_krb_auth_data; + #define ALLOC(X, N) (X) = calloc((N), sizeof(*(X))) + #define ALLOC_SEQ(X, N) do { (X)->len = (N); ALLOC((X)->val, (N)); } while(0) + +-#ifndef __func__ +-#define __func__ "unknown-function" +-#endif +- + #define krb5_einval(context, argnum) _krb5_einval((context), __func__, (argnum)) + + #ifndef PATH_SEP +-- +2.25.1 + + +From f11ebd82b4b6e04433907a8fe15d0a8df11fac8a Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:55:51 +1300 +Subject: [PATCH 02/11] CVE-2022-3437 source4/heimdal_build: Add + gssapi-subsystem subsystem + +This allows us to access (and so test) functions internal to GSSAPI by +depending on this subsystem. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> + +[jsutton@samba.org Adapted to older wscript_build file] +--- + source4/heimdal_build/wscript_build | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/source4/heimdal_build/wscript_build b/source4/heimdal_build/wscript_build +index f151788dcfd..396656e0727 100644 +--- a/source4/heimdal_build/wscript_build ++++ b/source4/heimdal_build/wscript_build +@@ -556,8 +556,8 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"): + HEIMDAL_AUTOPROTO_PRIVATE('lib/gssapi/krb5/gsskrb5-private.h', + HEIMDAL_GSSAPI_KRB5_SOURCE) + +- HEIMDAL_LIBRARY('gssapi', +- HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + ''' ++ HEIMDAL_SUBSYSTEM('gssapi-subsystem', ++ HEIMDAL_GSSAPI_SPNEGO_SOURCE + HEIMDAL_GSSAPI_KRB5_SOURCE + ''' + lib/gssapi/mech/context.c lib/gssapi/mech/gss_krb5.c lib/gssapi/mech/gss_mech_switch.c + lib/gssapi/mech/gss_process_context_token.c lib/gssapi/mech/gss_buffer_set.c + lib/gssapi/mech/gss_aeap.c lib/gssapi/mech/gss_add_cred.c lib/gssapi/mech/gss_cred.c +@@ -582,10 +582,16 @@ if not bld.CONFIG_SET("USING_SYSTEM_GSSAPI"): + lib/gssapi/mech/gss_set_cred_option.c lib/gssapi/mech/gss_pseudo_random.c ../heimdal_build/gssapi-glue.c''', + includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech', + deps='hcrypto asn1 HEIMDAL_SPNEGO_ASN1 HEIMDAL_GSSAPI_ASN1 roken krb5 com_err wind', +- vnum='2.0.0', +- version_script='lib/gssapi/version-script.map', + ) + ++ HEIMDAL_LIBRARY('gssapi', ++ '', ++ includes='../heimdal/lib/gssapi ../heimdal/lib/gssapi/gssapi ../heimdal/lib/gssapi/spnego ../heimdal/lib/gssapi/krb5 ../heimdal/lib/gssapi/mech', ++ deps='gssapi-subsystem', ++ vnum='2.0.0', ++ version_script='lib/gssapi/version-script.map', ++ ) ++ + if not bld.CONFIG_SET("USING_SYSTEM_KRB5"): + # expand_path.c needs some of the install paths + HEIMDAL_SUBSYSTEM('HEIMDAL_CONFIG', +-- +2.25.1 + + +From 04e71e8e5398f42c329db2a9a51c7f76a62a18b0 Mon Sep 17 00:00:00 2001 +From: Joseph Sutton <josephsutton@catalyst.net.nz> +Date: Wed, 12 Oct 2022 13:55:39 +1300 +Subject: [PATCH 03/11] CVE-2022-3437 s4/auth/tests: Add unit tests for + unwrap_des3() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134 + +Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> +Reviewed-by: Andrew Bartlett <abartlet@samba.org> +[jsutton@samba.org Adapted to lack of 'samba.unittests.auth.sam' test, + renamed 'third_party' to 'source4' in paths, defined + HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE to fix compiler + error] +[abartlet@samba.org backported to 4.12 required fixing merge conflicts + in wscript_build subsystem conversion (different deps) and tests.py test addition + (unrelated changes in context)] +--- + selftest/knownfail.d/heimdal-des-overflow | 9 + + selftest/tests.py | 5 + + source4/auth/tests/heimdal_unwrap_des.c | 1247 +++++++++++++++++++++ + source4/auth/wscript_build | 21 + + 4 files changed, 1282 insertions(+) + create mode 100644 selftest/knownfail.d/heimdal-des-overflow + create mode 100644 source4/auth/tests/heimdal_unwrap_des.c + +diff --git a/selftest/knownfail.d/heimdal-des-overflow b/selftest/knownfail.d/heimdal-des-overflow +new file mode 100644 +index 00000000000..23acbb43d31 +--- /dev/null ++++ b/selftest/knownfail.d/heimdal-des-overflow +@@ -0,0 +1,9 @@ ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_dce_style_with_seal_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_8_bytes.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_missing_payload.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_0.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_truncated_header_1.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_0.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_padding_truncated_1.none ++^samba.unittests.auth.heimdal_gensec_unwrap_des.test_unwrap_with_seal_missing_payload.none +diff --git a/selftest/tests.py b/selftest/tests.py +index 10648b19155..721c36ae4c3 100644 +--- a/selftest/tests.py ++++ b/selftest/tests.py +@@ -46,6 +46,8 @@ have_man_pages_support = ("XSLTPROC_MANPAGES" in config_hash) + with_pam = ("WITH_PAM" in config_hash) + pam_wrapper_so_path = config_hash["LIBPAM_WRAPPER_SO_PATH"] + pam_set_items_so_path = config_hash["PAM_SET_ITEMS_SO_PATH"] ++have_heimdal_support = "SAMBA4_USES_HEIMDAL" in config_hash ++using_system_gssapi = "USING_SYSTEM_GSSAPI" in config_hash + + planpythontestsuite("none", "samba.tests.source") + if have_man_pages_support: +@@ -409,5 +411,8 @@ plantestsuite("samba.unittests.test_registry_regfio", "none", + [os.path.join(bindir(), "default/source3/test_registry_regfio")]) + plantestsuite("samba.unittests.test_oLschema2ldif", "none", + [os.path.join(bindir(), "default/source4/utils/oLschema2ldif/test_oLschema2ldif")]) ++if have_heimdal_support and not using_system_gssapi: ++ plantestsuite("samba.unittests.auth.heimdal_gensec_unwrap_des", "none", ++ [valgrindify(os.path.join(bindir(), "test_heimdal_gensec_unwrap_des"))]) + plantestsuite("samba.unittests.mdsparser_es", "none", + [os.path.join(bindir(), "default/source3/test_mdsparser_es")] + [configuration]) +diff --git a/source4/auth/tests/heimdal_unwrap_des.c b/source4/auth/tests/heimdal_unwrap_des.c +new file mode 100644 +index 00000000000..dc31e9d0ad1 +--- /dev/null ++++ b/source4/auth/tests/heimdal_unwrap_des.c +@@ -0,0 +1,1247 @@ ++/* ++ * Unit tests for source4/heimdal/lib/gssapi/krb5/unwrap.c ++ * ++ * Copyright (C) Catalyst.NET Ltd 2022 ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program. If not, see <http://www.gnu.org/licenses/>. ++ * ++ */ ++ ++/* ++ * from cmocka.c: ++ * These headers or their equivalents should be included prior to ++ * including ++ * this header file. ++ * ++ * #include <stdarg.h> ++ * #include <stddef.h> ++ * #include <setjmp.h> ++ * ++ * This allows test applications to use custom definitions of C standard ++ * library functions and types. ++ * ++ */ ++ ++#include <stdarg.h> ++#include <stddef.h> ++#include <setjmp.h> ++ ++#include <cmocka.h> ++ ++#include "includes.h" ++#include "replace.h" ++ ++#define HEIMDAL_NORETURN_ATTRIBUTE _NORETURN_ ++#define HEIMDAL_PRINTF_ATTRIBUTE(x) FORMAT_ATTRIBUTE(x) ++ ++#include "../../../source4/heimdal/lib/gssapi/gssapi/gssapi.h" ++#include "gsskrb5_locl.h" ++ ++/****************************************************************************** ++ * Helper functions ++ ******************************************************************************/ ++ ++const uint8_t *valid_range_begin; ++const uint8_t *valid_range_end; ++const uint8_t *invalid_range_end; ++ ++/* ++ * 'array_len' is the size of the passed in array. 'buffer_len' is the size to ++ * report in the resulting buffer. *** 1971 LINES SKIPPED ***
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202210252322.29PNM6gM016266>