!221 fix CVE-2023-4091 CVE-2023-42669

From: @yangl777 Reviewed-by: @gebidelidaye Signed-off-by: @gebidelidaye
2023-10-17 03:13:15 +00:00 · 2023-10-17 03:13:15 +00:00 · ebcb666fde
commit ebcb666fde
parent 3e3df83262 945ead6694
4 changed files with 328 additions and 1 deletions
--- a/backport-0001-CVE-2023-4091.patch
+++ b/backport-0001-CVE-2023-4091.patch
@ -0,0 +1,179 @@
+From b08a60160e6ab8d982d31844bcbf7ab67ff3a8de Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 12:30:00 +0200
+Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on
+ read-only file
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: remove the modification of selftest/knownfail.d/samba3.smb2.acls
+Reference: https://github.com/samba-team/samba/commit/b08a60160e6ab8d982d31844bcbf7ab67ff3a8de
+---
+ source4/torture/smb2/acls.c           | 143 ++++++++++++++++++++++++++
+ 1 files changed, 143 insertions(+)
+
+diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
+index a27d4e079e67..5a892d004ea8 100644
+--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
+@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
+ 	return ret;
+ }
+ 
+static bool test_overwrite_read_only_file(struct torture_context *tctx,
+					  struct smb2_tree *tree)
+{
+	NTSTATUS status;
+	struct smb2_create c;
+	const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
+	struct smb2_handle handle = {{0}};
+	union smb_fileinfo q;
+	union smb_setfileinfo set;
+	struct security_descriptor *sd = NULL, *sd_orig = NULL;
+	const char *owner_sid = NULL;
+	int i;
+	bool ret = true;
+
+	struct tcase {
+		int disposition;
+		const char *disposition_string;
+		NTSTATUS expected_status;
+	} tcases[] = {
+#define TCASE(d, s) {				\
+		.disposition = d,		\
+		.disposition_string = #d,	\
+		.expected_status = s,		\
+	}
+		TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
+		TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
+		TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
+		TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
+	};
+#undef TCASE
+
+	ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+	torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
+
+	c = (struct smb2_create) {
+		.in.desired_access = SEC_STD_READ_CONTROL |
+			SEC_STD_WRITE_DAC |
+			SEC_STD_WRITE_OWNER,
+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+		.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+			NTCREATEX_SHARE_ACCESS_WRITE,
+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+		.in.fname = fname,
+	};
+
+	status = smb2_create(tree, tctx, &c);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_create failed\n");
+	handle = c.out.file.handle;
+
+	torture_comment(tctx, "get the original sd\n");
+
+	ZERO_STRUCT(q);
+	q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+	q.query_secdesc.in.file.handle = handle;
+	q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
+
+	status = smb2_getinfo_file(tree, tctx, &q);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_getinfo_file failed\n");
+	sd_orig = q.query_secdesc.out.sd;
+
+	owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+	sd = security_descriptor_dacl_create(tctx,
+					0, NULL, NULL,
+					owner_sid,
+					SEC_ACE_TYPE_ACCESS_ALLOWED,
+					SEC_FILE_READ_DATA,
+					0,
+					NULL);
+
+	ZERO_STRUCT(set);
+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+	set.set_secdesc.in.file.handle = handle;
+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+	set.set_secdesc.in.sd = sd;
+
+	status = smb2_setinfo_file(tree, &set);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_setinfo_file failed\n");
+
+	smb2_util_close(tree, handle);
+	ZERO_STRUCT(handle);
+
+	for (i = 0; i < ARRAY_SIZE(tcases); i++) {
+		torture_comment(tctx, "Verify open with %s dispostion\n",
+				tcases[i].disposition_string);
+
+		c = (struct smb2_create) {
+			.in.create_disposition = tcases[i].disposition,
+			.in.desired_access = SEC_FILE_READ_DATA,
+			.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+			.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+			.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+			.in.fname = fname,
+		};
+
+		status = smb2_create(tree, tctx, &c);
+		smb2_util_close(tree, c.out.file.handle);
+		torture_assert_ntstatus_equal_goto(
+			tctx, status, tcases[i].expected_status, ret, done,
+			"smb2_create failed\n");
+	};
+
+	torture_comment(tctx, "put back original sd\n");
+
+	c = (struct smb2_create) {
+		.in.desired_access = SEC_STD_WRITE_DAC,
+		.in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+		.in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+		.in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+		.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+		.in.fname = fname,
+	};
+
+	status = smb2_create(tree, tctx, &c);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_create failed\n");
+	handle = c.out.file.handle;
+
+	ZERO_STRUCT(set);
+	set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+	set.set_secdesc.in.file.handle = handle;
+	set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+	set.set_secdesc.in.sd = sd_orig;
+
+	status = smb2_setinfo_file(tree, &set);
+	torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+					"smb2_setinfo_file failed\n");
+
+	smb2_util_close(tree, handle);
+	ZERO_STRUCT(handle);
+
+done:
+	smb2_util_close(tree, handle);
+	smb2_util_unlink(tree, fname);
+	smb2_deltree(tree, BASEDIR);
+	return ret;
+}
+
+ /*
+    basic testing of SMB2 ACLs
+ */
+@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
+ 			test_deny1);
+ 	torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
+ 			test_mxac_not_granted);
+	torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
+ 
+ 	suite->description = talloc_strdup(suite, "SMB2-ACLS tests");
+ 
+-- 
+2.41.0
--- a/backport-0002-CVE-2023-4091.patch
+++ b/backport-0002-CVE-2023-4091.patch
@ -0,0 +1,47 @@
+From 8b26f634372f11edcbea33dfd68a3d57889dfcc5 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Tue, 1 Aug 2023 13:04:36 +0200
+Subject: [PATCH] CVE-2023-4091: smbd: use open_access_mask for access check in
+ open_file()
+
+If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
+FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
+access check we're using access_mask which doesn't contain the additional
+right, which means we can end up truncating a file for which the user has
+only read-only access via an SD.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+
+Conflict: remove the modification of selftest/knownfail.d/samba3.smb2.acls and context adapt
+Reference: https://github.com/samba-team/samba/commit/8b26f634372f11edcbea33dfd68a3d57889dfcc5
+---
+ source3/smbd/open.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 951c8a9..913ca09 100644
+--- a/source3/smbd/open.c
+++ b/source3/smbd/open.c
+@@ -1240,7 +1240,7 @@ static NTSTATUS open_file(files_struct *fsp,
+ 				status = smbd_check_access_rights(conn,
+ 						smb_fname,
+ 						false,
+-						access_mask);
+						open_access_mask);
+ 
+ 				if (!NT_STATUS_IS_OK(status)) {
+ 					DEBUG(10, ("open_file: "
+@@ -1381,7 +1381,7 @@ static NTSTATUS open_file(files_struct *fsp,
+ 		status = smbd_check_access_rights(conn,
+ 				smb_fname,
+ 				false,
+-				access_mask);
+				open_access_mask);
+ 
+ 		if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND) &&
+ 				(fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) &&
+-- 
+2.33.0
+
--- a/backport-CVE-2023-42669.patch
+++ b/backport-CVE-2023-42669.patch
@ -0,0 +1,92 @@
+From a16b210ec651b535b43c21574ca439238e2f8772 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 12 Sep 2023 18:59:44 +1200
+Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
+ default
+
+The rpcecho server is useful in development and testing, but should never
+have been allowed into production, as it includes the facility to
+do a blocking sleep() in the single-threaded rpc worker.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+
+Conflict: NA
+Reference: https://github.com/samba-team/samba/commit/a16b210ec651b535b43c21574ca439238e2f8772
+---
+ docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
+ lib/param/loadparm.c                                   | 2 +-
+ selftest/target/Samba4.pm                              | 2 +-
+ source3/param/loadparm.c                               | 2 +-
+ source4/rpc_server/wscript_build                       | 3 ++-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+index 8a217cc..c6642b7 100644
+--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+@@ -6,6 +6,6 @@
+ 	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
+ </description>
+ 
+-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+ <value type="example">rpcecho</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index 890297d..a6cca16 100644
+--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
+@@ -2669,7 +2669,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+ 	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
+ 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
+ 
+-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ 	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+ 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
+ 	/* the winbind method for domain controllers is for both RODC
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index a599099..fd292a5 100755
+--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
+@@ -785,7 +785,7 @@ sub provision_raw_step1($$)
+ 	wins support = yes
+ 	server role = $ctx->{server_role}
+ 	server services = +echo $services
+-        dcerpc endpoint servers = +winreg +srvsvc
+        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
+ 	notify:inotify = false
+ 	ldb:nosync = true
+ 	ldap server require strong auth = yes
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 2f486e9..9796cb0 100644
+--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
+@@ -879,7 +879,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+ 
+ 	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
+ 
+-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+ 
+ 	Globals.tls_enabled = true;
+ 	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
+diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
+index 1c741d2..b710bfa 100644
+--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
+@@ -29,7 +29,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
+ 	source='echo/rpc_echo.c',
+ 	subsystem='dcerpc_server',
+ 	init_function='dcerpc_server_rpcecho_init',
+-	deps='ndr-standard events'
+	deps='ndr-standard events',
+	enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
+ 	)
+ 
+ 
+-- 
+2.33.0
+
--- a/samba.spec
+++ b/samba.spec
@ -49,7 +49,7 @@

 Name:           samba
 Version:        4.11.12
-Release:        30
+Release:        31

 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@ -345,6 +345,9 @@ Patch6415:       backport-0002-CVE-2022-2127.patch
 Patch6416:       backport-0003-CVE-2022-2127.patch
 Patch6417:       backport-CVE-2023-34966.patch
 Patch6418:       backport-CVE-2023-34967.patch
+Patch6419:       backport-0001-CVE-2023-4091.patch
+Patch6420:       backport-0002-CVE-2023-4091.patch
+Patch6421:       backport-CVE-2023-42669.patch


 BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@ -3403,6 +3406,12 @@ fi
 %{_mandir}/man*

 %changelog
+* Mon Oct 16 2023 yanglu <yanglu72@h-partners.com> - 4.11.12-31
+- Type:cves
+- CVE:CVE-2023-4091 CVE-2023-42669
+- SUG:NA
+- DESC:fix CVE-2023-4091 CVE-2023-42669
+
 * Mon Jul 24 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-30
 - Type:cves
 - CVE:CVE-2022-2127 CVE-2023-34966 CVE-2023-34967