!159 fix CVE-2022-45141

From: @xinghe_1 
Reviewed-by: @seuzw 
Signed-off-by: @seuzw

backport-0001-CVE-2022-45141.patch

@@ -0,0 +1,55 @@
+From 2be27ec1d7f3bfcdcac65bca1db53772535fe7bf Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@cryptonector.com>
+Date: Tue, 11 Oct 2011 23:57:58 -0500
+Subject: [PATCH 1/2] CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part
+ key selection
+
+    When I added support for configuring how the KDC selects session,
+    reply, and ticket enc-part keys I accidentally had the KDC use the
+    session key selection algorithm for selecting the ticket enc-part
+    key.  This becomes a problem when using a Heimdal KDC with an MIT
+    KDB as the HDB backend and when the krbtgt keys are not in
+    strongest-to-weakest order, in which case forwardable tickets minted
+    by the Heimdal KDC will not be accepted by MIT KDCs with the same
+    KDB.
+
+(cherry picked from Heimdal commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17680
+---
+ source4/heimdal/kdc/krb5tgs.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 15be136496fa..7391393e4b64 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -1665,17 +1665,14 @@ server_lookup:
+ 	} else {
+ 	    Key *skey;
+ 
+-	    ret = _kdc_find_etype(context,
+-				  config->tgs_use_strongest_session_key, FALSE,
+-				  server, b->etype.val, b->etype.len, NULL,
+-				  &skey);
++	    ret = _kdc_get_preferred_key(context, config, server, spn,
++					 &etype, &skey);
+ 	    if(ret) {
+ 		kdc_log(context, config, 0,
+ 			"Server (%s) has no support for etypes", spn);
+ 		goto out;
+ 	    }
+ 	    ekey = &skey->key;
+-	    etype = skey->key.keytype;
+ 	    kvno = server->entry.kvno;
+ 	}
+ 
+-- 
+2.34.1

backport-0002-CVE-2022-45141.patch

@@ -0,0 +1,69 @@
+From 2ea3f2db8087e0a2c4a18c633b039c722cb6f829 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@cryptonector.com>
+Date: Wed, 12 Oct 2011 01:15:13 -0500
+Subject: [PATCH 2/2] CVE-2022-45141 source4/heimdal: Fix check-des
+
+    The previous fix was incomplete.  But it also finally uncovered an
+    old check-des problem that I'd had once and which may have gotten
+    papered over by changing the default of one of the *strongest* KDC
+    parameters.  The old problem is that we were passing the wrong
+    enctype to _kdc_encode_reply(): we were passing the session key
+    enctype where the ticket enc-part key's enctype was expected.
+
+    The whole enctype being passed in is superfluous anyways.  Let's
+    clean that up next.
+
+(cherry picked from Heimdal commit 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
+
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17680
+---
+ source4/heimdal/kdc/krb5tgs.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 7391393e4b64..609649003ea5 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -747,7 +747,7 @@ tgs_make_reply(krb5_context context,
+        etype list, even if we don't want a session key with
+        DES3? */
+     ret = _kdc_encode_reply(context, config,
+-			    &rep, &et, &ek, et.key.keytype,
++			    &rep, &et, &ek, serverkey->keytype,
+ 			    kvno,
+ 			    serverkey, 0, replykey, rk_is_subkey,
+ 			    e_text, reply);
+@@ -1665,13 +1665,22 @@ server_lookup:
+ 	} else {
+ 	    Key *skey;
+ 
+-	    ret = _kdc_get_preferred_key(context, config, server, spn,
+-					 &etype, &skey);
++	    ret = _kdc_find_etype(context,
++				  config->tgs_use_strongest_session_key, FALSE,
++				  server, b->etype.val, b->etype.len, &etype,
++				  NULL);
+ 	    if(ret) {
+ 		kdc_log(context, config, 0,
+ 			"Server (%s) has no support for etypes", spn);
+ 		goto out;
+ 	    }
++	    ret = _kdc_get_preferred_key(context, config, server, spn,
++					 NULL, &skey);
++	    if(ret) {
++		kdc_log(context, config, 0,
++			"Server (%s) has no supported etypes", spn);
++		goto out;
++	    }
+ 	    ekey = &skey->key;
+ 	    kvno = server->entry.kvno;
+ 	}
+-- 
+2.34.1

samba.spec

@@ -49,7 +49,7 @@
 
 Name:           samba
 Version:        4.11.12
-Release:        22
+Release:        23
 
 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@@ -298,6 +298,8 @@ Patch6368:       backport-s3waf-Fix-version-number-of-public-libsmbconf.patch
 Patch6369:       backport-waf-Fix-SO-version-number-of-libsamba-errors.patch
 Patch6370:       backport-0001-CVE-2022-44640.patch
 Patch6371:       backport-0002-CVE-2022-44640.patch
+Patch6372:       backport-0001-CVE-2022-45141.patch
+Patch6373:       backport-0002-CVE-2022-45141.patch
 
 
 BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@@ -3356,6 +3358,12 @@ fi
 %{_mandir}/man*
 
 %changelog
+* Wed Dec 28 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-23
+- Type:cves
+- CVE:CVE-2022-45141
+- SUG:NA
+- DESC:fix CVE-2022-45141
+
 * Sat Dec 17 2022 xinghe <xinghe2@h-partners.com> - 4.11.12-22
 - Type:cves
 - CVE:CVE-2022-44640