fix CVE-2022-2127 CVE-2023-34966 CVE-2023-34967

2023-07-24 18:36:51 +08:00 · 2023-07-24 18:36:51 +08:00 · 8f6a91ff30
commit 8f6a91ff30
parent 9ee6fd85f7
6 changed files with 395 additions and 1 deletions
--- a/backport-0001-CVE-2022-2127.patch
+++ b/backport-0001-CVE-2022-2127.patch
@ -0,0 +1,69 @@
+From 1dd3ae281b9d9260859822bbf6891e94c2f86882 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@samba.org>
+Date: Thu, 24 Feb 2022 17:48:27 +0100
+Subject: [PATCH 01/25] CVE-2022-2127: s3:winbind: Move big NTLMv2 blob checks
+ to parent process
+
+The winbindd_dual_pam_auth_crap() function will be converted to a local
+RPC call handler and it won't receive a winbindd_cli_state struct. Move
+the checks accessing this struct to the parent.
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+(cherry picked from commit 74a511a8eab72cc82940738a1e20e63e12b81374)
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/winbindd/winbindd_pam.c           | 12 ------------
+ source3/winbindd/winbindd_pam_auth_crap.c | 12 ++++++++++++
+ 2 files changed, 12 insertions(+), 12 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
+index e600ad27e54..e77673bf173 100644
+--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
+@@ -2671,18 +2671,6 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
+ 	DEBUG(3, ("[%5lu]: pam auth crap domain: %s user: %s\n", (unsigned long)state->pid,
+ 		  name_domain, name_user));
+ 
+-	if (state->request->data.auth_crap.lm_resp_len > sizeof(state->request->data.auth_crap.lm_resp)
+-		|| state->request->data.auth_crap.nt_resp_len > sizeof(state->request->data.auth_crap.nt_resp)) {
+-		if (!(state->request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+-		     state->request->extra_len != state->request->data.auth_crap.nt_resp_len) {
+-			DEBUG(0, ("winbindd_pam_auth_crap: invalid password length %u/%u\n",
+-				  state->request->data.auth_crap.lm_resp_len,
+-				  state->request->data.auth_crap.nt_resp_len));
+-			result = NT_STATUS_INVALID_PARAMETER;
+-			goto done;
+-		}
+-	}
+-
+ 	lm_resp = data_blob_talloc(state->mem_ctx, state->request->data.auth_crap.lm_resp,
+ 					state->request->data.auth_crap.lm_resp_len);
+ 
+diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
+index a6f13806df9..fdb8120a6fe 100644
+--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
+@@ -140,6 +140,18 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 		fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
+ 	}
+ 
+	if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
+		|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
+		if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+		     request->extra_len != request->data.auth_crap.nt_resp_len) {
+			DBG_ERR("Invalid password length %u/%u\n",
+				request->data.auth_crap.lm_resp_len,
+				request->data.auth_crap.nt_resp_len);
+			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+			return tevent_req_post(req, ev);
+		}
+	}
+
+ 	subreq = wb_domain_request_send(state, global_event_context(), domain,
+ 					request);
+ 	if (tevent_req_nomem(subreq, req)) {
+-- 
+2.34.1
--- a/backport-0002-CVE-2022-2127.patch
+++ b/backport-0002-CVE-2022-2127.patch
@ -0,0 +1,73 @@
+From 5c6fe5a491b16bb658c191cfafb5edc0beb5fab2 Mon Sep 17 00:00:00 2001
+From: Volker Lendecke <vl@samba.org>
+Date: Fri, 20 May 2022 10:55:23 +0200
+Subject: [PATCH 02/25] CVE-2022-2127: winbindd: Fix WINBINDD_PAM_AUTH_CRAP
+ length checks
+
+With WBFLAG_BIG_NTLMV2_BLOB being set plus lm_resp_len too large you
+can crash winbind. We don't independently check lm_resp_len
+sufficiently.
+
+Discovered via Coverity ID 1504444 Out-of-bounds access
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
+
+Signed-off-by: Volker Lendecke <vl@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/winbindd/winbindd_pam_auth_crap.c | 31 +++++++++++++++--------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+diff --git a/source3/winbindd/winbindd_pam_auth_crap.c b/source3/winbindd/winbindd_pam_auth_crap.c
+index fdb8120a6fe..651d54b01d3 100644
+--- a/source3/winbindd/winbindd_pam_auth_crap.c
+++ b/source3/winbindd/winbindd_pam_auth_crap.c
+@@ -42,6 +42,9 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 	struct winbindd_pam_auth_crap_state *state;
+ 	struct winbindd_domain *domain;
+ 	const char *auth_domain = NULL;
+	bool lmlength_ok = false;
+	bool ntlength_ok = false;
+	bool pwlength_ok = false;
+ 
+ 	req = tevent_req_create(mem_ctx, &state,
+ 				struct winbindd_pam_auth_crap_state);
+@@ -140,16 +143,24 @@ struct tevent_req *winbindd_pam_auth_crap_send(
+ 		fstrcpy(request->data.auth_crap.workstation, lp_netbios_name());
+ 	}
+ 
+-	if (request->data.auth_crap.lm_resp_len > sizeof(request->data.auth_crap.lm_resp)
+-		|| request->data.auth_crap.nt_resp_len > sizeof(request->data.auth_crap.nt_resp)) {
+-		if (!(request->flags & WBFLAG_BIG_NTLMV2_BLOB) ||
+-		     request->extra_len != request->data.auth_crap.nt_resp_len) {
+-			DBG_ERR("Invalid password length %u/%u\n",
+-				request->data.auth_crap.lm_resp_len,
+-				request->data.auth_crap.nt_resp_len);
+-			tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+-			return tevent_req_post(req, ev);
+-		}
+	lmlength_ok = (request->data.auth_crap.lm_resp_len <=
+		       sizeof(request->data.auth_crap.lm_resp));
+
+	ntlength_ok = (request->data.auth_crap.nt_resp_len <=
+		       sizeof(request->data.auth_crap.nt_resp));
+
+	ntlength_ok |=
+		((request->flags & WBFLAG_BIG_NTLMV2_BLOB) &&
+		 (request->extra_len == request->data.auth_crap.nt_resp_len));
+
+	pwlength_ok = lmlength_ok && ntlength_ok;
+
+	if (!pwlength_ok) {
+		DBG_ERR("Invalid password length %u/%u\n",
+			request->data.auth_crap.lm_resp_len,
+			request->data.auth_crap.nt_resp_len);
+		tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
+		return tevent_req_post(req, ev);
+ 	}
+ 
+ 	subreq = wb_domain_request_send(state, global_event_context(), domain,
+-- 
+2.34.1
--- a/backport-0003-CVE-2022-2127.patch
+++ b/backport-0003-CVE-2022-2127.patch
@ -0,0 +1,43 @@
+From 2eabbe31f64a8456813a502afb05907beb46ffad Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Jun 2023 12:28:47 +0200
+Subject: [PATCH 03/25] CVE-2022-2127: ntlm_auth: cap lanman response length
+ value
+
+We already copy at most sizeof(request.data.auth_crap.lm_resp) bytes to the
+lm_resp buffer, but we don't cap the length indicator.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15072
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/utils/ntlm_auth.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
+index 52a1840..f363f25 100644
+--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
+@@ -570,10 +570,14 @@ NTSTATUS contact_winbind_auth_crap(const char *username,
+ 	memcpy(request.data.auth_crap.chal, challenge->data, MIN(challenge->length, 8));
+ 
+ 	if (lm_response && lm_response->length) {
+		size_t capped_lm_response_len = MIN(
+			lm_response->length,
+			sizeof(request.data.auth_crap.lm_resp));
+
+ 		memcpy(request.data.auth_crap.lm_resp, 
+ 		       lm_response->data, 
+-		       MIN(lm_response->length, sizeof(request.data.auth_crap.lm_resp)));
+-		request.data.auth_crap.lm_resp_len = lm_response->length;
+		       capped_lm_response_len);
+		request.data.auth_crap.lm_resp_len = capped_lm_response_len;
+ 	}
+ 
+ 	if (nt_response && nt_response->length) {
+-- 
+2.27.0
+
--- a/backport-CVE-2023-34966.patch
+++ b/backport-CVE-2023-34966.patch
@ -0,0 +1,75 @@
+From cb6f3e2202473eeccf81e34ebcdb4bc4f726548a Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 13:06:19 +0200
+Subject: [PATCH 05/25] CVE-2023-34966: mdssvc: harden sl_unpack_loop()
+
+A malicious client could send a packet where subcount is zero, leading to a busy
+loop because
+
+    count -= subcount
+=>  count -= 0
+=>  while (count > 0)
+
+loops forever.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15340
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/rpc_server/mdssvc/marshalling.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/marshalling.c b/source3/rpc_server/mdssvc/marshalling.c
+index 1aa750413cd..441d41160f1 100644
+--- a/source3/rpc_server/mdssvc/marshalling.c
+++ b/source3/rpc_server/mdssvc/marshalling.c
+@@ -1119,7 +1119,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 			sl_nil_t nil = 0;
+ 
+ 			subcount = tag.count;
+-			if (subcount > count) {
+			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			for (i = 0; i < subcount; i++) {
+@@ -1147,7 +1147,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_INT64:
+ 			subcount = sl_unpack_ints(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
+			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+@@ -1156,7 +1156,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_UUID:
+ 			subcount = sl_unpack_uuid(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
+			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+@@ -1165,7 +1165,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_FLOAT:
+ 			subcount = sl_unpack_floats(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
+			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+@@ -1174,7 +1174,7 @@ static ssize_t sl_unpack_loop(DALLOC_CTX *query,
+ 
+ 		case SQ_TYPE_DATE:
+ 			subcount = sl_unpack_date(query, buf, offset, bufsize, encoding);
+-			if (subcount == -1 || subcount > count) {
+			if (subcount < 1 || subcount > count) {
+ 				return -1;
+ 			}
+ 			offset += tag.size;
+-- 
+2.34.1
--- a/backport-CVE-2023-34967.patch
+++ b/backport-CVE-2023-34967.patch
@ -0,0 +1,123 @@
+From 5b4353cc60b75610f0aa12b1cced36d35a4d04d4 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 26 May 2023 15:06:38 +0200
+Subject: [PATCH 07/25] CVE-2023-34967: mdssvc: add type checking to
+ dalloc_value_for_key()
+
+Change the dalloc_value_for_key() function to require an additional final
+argument which denotes the expected type of the value associated with a key. If
+the types don't match, return NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15341
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: NA
+Reference: https://download.samba.org/pub/samba/patches/security/samba-4.16.11-security-2023-07-19.patch
+---
+ source3/rpc_server/mdssvc/dalloc.c | 14 ++++++++++----
+ source3/rpc_server/mdssvc/mdssvc.c | 17 +++++++++++++----
+ 2 files changed, 23 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_server/mdssvc/dalloc.c b/source3/rpc_server/mdssvc/dalloc.c
+index 28944b8..908d54b 100644
+--- a/source3/rpc_server/mdssvc/dalloc.c
+++ b/source3/rpc_server/mdssvc/dalloc.c
+@@ -160,7 +160,7 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 	int result = 0;
+ 	void *p = NULL;
+ 	va_list args;
+-	const char *type;
+	const char *type = NULL;
+ 	int elem;
+ 	size_t array_len;
+ 
+@@ -171,7 +171,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 		array_len = talloc_array_length(d->dd_talloc_array);
+ 		elem = va_arg(args, int);
+ 		if (elem >= array_len) {
+-			va_end(args);
+ 			result = -1;
+ 			goto done;
+ 		}
+@@ -179,8 +178,6 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 		type = va_arg(args, const char *);
+ 	}
+ 
+-	va_end(args);
+-
+ 	array_len = talloc_array_length(d->dd_talloc_array);
+ 
+ 	for (elem = 0; elem + 1 < array_len; elem += 2) {
+@@ -193,8 +190,17 @@ void *dalloc_value_for_key(const DALLOC_CTX *d, ...)
+ 			break;
+ 		}
+ 	}
+	if (p == NULL) {
+		goto done;
+	}
+
+	type = va_arg(args, const char *);
+	if (strcmp(talloc_get_name(p), type) != 0) {
+		p = NULL;
+	}
+ 
+ done:
+	va_end(args);
+ 	if (result != 0) {
+ 		p = NULL;
+ 	}
+diff --git a/source3/rpc_server/mdssvc/mdssvc.c b/source3/rpc_server/mdssvc/mdssvc.c
+index 58a219b..dba7c3c 100644
+--- a/source3/rpc_server/mdssvc/mdssvc.c
+++ b/source3/rpc_server/mdssvc/mdssvc.c
+@@ -1198,7 +1198,8 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 
+ 	querystring = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+ 					   "DALLOC_CTX", 1,
+-					   "kMDQueryString");
+					   "kMDQueryString",
+					   "char *");
+ 	if (querystring == NULL) {
+ 		DEBUG(1, ("missing kMDQueryString\n"));
+ 		goto error;
+@@ -1228,8 +1229,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 	slq->ctx2 = *uint64p;
+ 
+ 	path_scope = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-					  "DALLOC_CTX", 1, "kMDScopeArray");
+					  "DALLOC_CTX", 1,
+					  "kMDScopeArray",
+					  "sl_array_t");
+ 	if (path_scope == NULL) {
+		DBG_ERR("missing kMDScopeArray\n");
+ 		goto error;
+ 	}
+ 
+@@ -1253,8 +1257,11 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 
+ 
+ 	reqinfo = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-				       "DALLOC_CTX", 1, "kMDAttributeArray");
+				       "DALLOC_CTX", 1,
+				       "kMDAttributeArray",
+				       "sl_array_t");
+ 	if (reqinfo == NULL) {
+		DBG_ERR("missing kMDAttributeArray\n");
+ 		goto error;
+ 	}
+ 
+@@ -1262,7 +1269,9 @@ static bool slrpc_open_query(struct mds_ctx *mds_ctx,
+ 	DEBUG(10, ("requested attributes: %s", mds_dalloc_dump(reqinfo, 0)));
+ 
+ 	cnids = dalloc_value_for_key(query, "DALLOC_CTX", 0,
+-				     "DALLOC_CTX", 1, "kMDQueryItemArray");
+				     "DALLOC_CTX", 1,
+				     "kMDQueryItemArray",
+				     "sl_array_t");
+ 	if (cnids) {
+ 		ok = sort_cnids(slq, cnids->ca_cnids);
+ 		if (!ok) {
+-- 
+2.27.0
+
--- a/samba.spec
+++ b/samba.spec
@ -49,7 +49,7 @@

 Name:           samba
 Version:        4.11.12
-Release:        29
+Release:        30

 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@ -340,6 +340,11 @@ Patch6410:       backport-0037-CVE-2022-38023.patch
 Patch6411:       backport-0038-CVE-2022-38023.patch
 Patch6412:       backport-CVE-2023-0922.patch
 Patch6413:       backport-Adapt-sign_authdata-in-our-KDB-module-for-krb5-v1.18.patch
+Patch6414:       backport-0001-CVE-2022-2127.patch
+Patch6415:       backport-0002-CVE-2022-2127.patch
+Patch6416:       backport-0003-CVE-2022-2127.patch
+Patch6417:       backport-CVE-2023-34966.patch
+Patch6418:       backport-CVE-2023-34967.patch


 BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@ -3398,6 +3403,12 @@ fi
 %{_mandir}/man*

 %changelog
+* Mon Jul 24 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-30
+- Type:cves
+- CVE:CVE-2022-2127 CVE-2023-34966 CVE-2023-34967
+- SUG:NA
+- DESC:fix CVE-2022-2127 CVE-2023-34966 CVE-2023-34967
+
 * Mon Jun 26 2023 yanglu <yanglu72@h-partners.com> - 4.11.12-29
 - Type:bugfix
 - CVE:NA