packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!105 fix CVE-2022-32745

Browse Source 
From: @xinghe_1 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw
This commit is contained in:
openeuler-ci-bot 2022-08-15 07:49:51 +00:00 committed by Gitee
commit 2bad2e90a4
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
5 changed files with 166 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
backport-0001-CVE-2022-32745.patch Normal file
View File

@ -0,0 +1,40 @@
From f1995ad41d01134a5169bd24b67881e69ec28ece Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 16 Feb 2022 17:03:10 +1300
Subject: [PATCH 15/18] CVE-2022-32745 s4/dsdb/samldb: Check for empty values
array
This avoids potentially trying to access the first element of an empty
array.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
source4/dsdb/samdb/ldb_modules/samldb.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c
index abb96d3bef8..5649a301cd4 100644
--- a/source4/dsdb/samdb/ldb_modules/samldb.c
+++ b/source4/dsdb/samdb/ldb_modules/samldb.c
@@ -748,7 +748,7 @@ static int samldb_schema_add_handle_linkid(struct samldb_ctx *ac)
return ret;
}
- if (el == NULL) {
+ if (el == NULL || el->num_values == 0) {
return LDB_SUCCESS;
}
@@ -916,7 +916,7 @@ static int samldb_schema_add_handle_mapiid(struct samldb_ctx *ac)
return ret;
}
- if (el == NULL) {
+ if (el == NULL || el->num_values == 0) {
return LDB_SUCCESS;
}
--
2.35.0

39
backport-0002-CVE-2022-32745.patch Normal file
View File

@ -0,0 +1,39 @@
From d9faf142495e1211620779bbedbefe7726d1099b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 17 Feb 2022 11:11:53 +1300
Subject: [PATCH 16/18] CVE-2022-32745 s4/dsdb/util: Use correct value for loop
count limit
Currently, we can crash the server by sending a large number of values
of a specific attribute (such as sAMAccountName) spread across a few
message elements. If val_count is larger than the total number of
elements, we get an access beyond the elements array.
Similarly, we can include unrelated message elements prior to the
message elements of the attribute in question, so that not all of the
attribute's values are copied into the returned elements values array.
This can cause the server to access uninitialised data, likely resulting
in a crash or unexpected behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
source4/dsdb/samdb/ldb_modules/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 4c67873643a..5d418efcd52 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1544,7 +1544,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
v = _el->values;
- for (i = 0; i < val_count; i++) {
+ for (i = 0; i < msg->num_elements; i++) {
if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
if ((operation == LDB_MODIFY) &&
(LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
--
2.35.0

45
backport-0003-CVE-2022-32745.patch Normal file
View File

@ -0,0 +1,45 @@
From 0b958460c108542eba1765c9438c8f5a8361a509 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 17 Feb 2022 11:13:38 +1300
Subject: [PATCH 17/18] CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a
NULL pointer
Doing so is undefined behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
source4/dsdb/samdb/ldb_modules/util.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 5d418efcd52..af412f55f98 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1546,15 +1546,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
for (i = 0; i < msg->num_elements; i++) {
if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+ const struct ldb_message_element *tmp_el = &msg->elements[i];
if ((operation == LDB_MODIFY) &&
- (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+ (LDB_FLAG_MOD_TYPE(tmp_el->flags)
== LDB_FLAG_MOD_DELETE)) {
continue;
}
+ if (tmp_el->values == NULL || tmp_el->num_values == 0) {
+ continue;
+ }
memcpy(v,
- msg->elements[i].values,
- msg->elements[i].num_values);
- v += msg->elements[i].num_values;
+ tmp_el->values,
+ tmp_el->num_values);
+ v += tmp_el->num_values;
}
}
--
2.35.0

31
backport-0004-CVE-2022-32745.patch Normal file
View File

@ -0,0 +1,31 @@
From aa38d5314de216597df6233c2aaa4f7680de4dcb Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 3 Jun 2022 16:16:31 +1200
Subject: [PATCH 18/18] CVE-2022-32745 s4/dsdb/util: Correctly copy values into
message element
To use memcpy(), we need to specify the number of bytes to copy, rather
than the number of ldb_val structures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
source4/dsdb/samdb/ldb_modules/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index af412f55f98..5ccbb1b4360 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1557,7 +1557,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
}
memcpy(v,
tmp_el->values,
- tmp_el->num_values);
+ tmp_el->num_values * sizeof(*v));
v += tmp_el->num_values;
}
}
--
2.35.0

12
samba.spec
View File

@ -49,7 +49,7 @@
Name: samba Name: samba
Version: 4.11.12 Version: 4.11.12
Release: 13 Release: 14
Summary: A suite for Linux to interoperate with Windows Summary: A suite for Linux to interoperate with Windows
License: GPLv3+ and LGPLv3+ License: GPLv3+ and LGPLv3+
@ -260,6 +260,10 @@ Patch6330: backport-0053-CVE-2022-2031-CVE-2022-32744.patch
Patch6331: backport-0054-CVE-2022-2031-CVE-2022-32744.patch Patch6331: backport-0054-CVE-2022-2031-CVE-2022-32744.patch
Patch6332: backport-0055-CVE-2022-2031-CVE-2022-32744.patch Patch6332: backport-0055-CVE-2022-2031-CVE-2022-32744.patch
Patch6333: backport-CVE-2022-32742.patch Patch6333: backport-CVE-2022-32742.patch
Patch6334: backport-0001-CVE-2022-32745.patch
Patch6335: backport-0002-CVE-2022-32745.patch
Patch6336: backport-0003-CVE-2022-32745.patch
Patch6337: backport-0004-CVE-2022-32745.patch
BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@ -3249,6 +3253,12 @@ fi
%{_mandir}/man* %{_mandir}/man*
%changelog %changelog
* Mon Aug 15 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-14
- Type:cves
- CVE:CVE-2022-32745
- SUG:NA
- DESC:fix CVE-2022-32745
* Fri Aug 12 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-13 * Fri Aug 12 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-13
- Type:bugfix - Type:bugfix
- ID:NA - ID:NA