An information leak vulnerability was discovered in Samba's LDAP server.
Due to missing access control checks, an authenticated but unprivileged
attacker could discover the names and preserved attributes of deleted
objects in the LDAP store.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows
RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems
from an RPC function that can be blocked indefinitely. The issue arises because
the "rpcecho" service operates with only one worker in the main RPC task, allowing
calls to the "rpcecho" server to be blocked for a specified time, causing service
disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()"
function under specific conditions. Authenticated users or attackers can exploit this
vulnerability to make calls to the "rpcecho" server, requesting it to block for a
specified duration, effectively disrupting most services and leading to a complete
denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs
in the main RPC task.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-42669
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A vulnerability was discovered in Samba, where the flaw allows SMB clients to
truncate files, even with read-only permissions when the Samba VFS module
"acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB
protocol allows opening files when the client requests read-only access but
then implicitly truncates the opened file to 0 bytes if the client specifies
a separate OVERWRITE create disposition request. The issue arises in configurations
that bypass kernel file system permissions checks, relying solely on Samba's permissions.
References:
https://nvd.nist.gov/vuln/detail/CVE-2023-4091
Fix is patched to the function call smbd_check_access_rights_fsp() of open_file(),
but in samba_4.14.14 smbd_check_access_rights() is used, from samba_4.15.0 onwards
smbd_check_access_rights() was replaced with smbd_check_access_rights_fsp() and
samba_4.14.14 is still vulnerable through smbd_check_access_rights().
Ref:
https://github.com/samba-team/samba/commit/3f61369d153419158c0f223e6f81c0bb07275833
https://github.com/samba-team/samba/commit/26dc10bdb2cff3eece4a2874931b4058f9f87d68
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol,
Samba discloses the server-side absolute path of shares, files, and directories in the
results for search queries. This flaw allows a malicious client or an attacker with a
targeted RPC request to view the information that is part of the disclosed path.
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
The test case tfork_cmd_send in smbtorture fails on target as it
requires a script located in the source directory:
$ smbtorture ncalrpc:localhost local.tfork.tfork_cmd_send
test: tfork_cmd_send
/buildarea/build/tmp/work/core2-64-poky-linux/samba/4.14.14-r0/samba-4.14.14/testprogs/blackbox/tfork.sh:
Failed to exec child - No such file or directory
This also triggers the buildpaths warning:
QA Issue: File /usr/bin/smbtorture in package samba-testsuite contains reference to TMPDIR [buildpaths]
Skip this test case in smbtorture to avoid the warning.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 2b8b5dbe03)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Patch for CVE-2018-1050 is applied in version 4.5.15, 4.6.13, 4.7.5.
Patch for CVE-2018-1057 is applied in version 4.3.13, 4.4.16.
Signed-off-by: matsunaga-shinji <shin.matsunaga@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Changelog:
============
There have been a few regressions in the security release 4.14.10:
o CVE-2020-25717: A user on the domain can become root on domain members.
https://www.samba.org/samba/security/CVE-2020-25717.html
PLEASE [RE-]READ!
The instructions have been updated and some workarounds
initially advised for 4.14.10 are no longer required and
should be reverted in most cases.
o BUG-14902: User with multiple spaces (eg Fred<space><space>Nurk) become
un-deletable. While this release should fix this bug, it is
advised to have a look at the bug report for more detailed
information, see https://bugzilla.samba.org/show_bug.cgi?id=14902.
Changes since 4.14.10
---------------------
* BUG 14878: Recursive directory delete with veto files is broken.
* BUG 14879: A directory containing dangling symlinks cannot be deleted by
SMB2 alone when they are the only entry in the directory.
* BUG 14656: Spaces incorrectly collapsed in ldb attributes.
* BUG 14694: Ensure that the LDB request has not timed out during filter
processing as the LDAP server MaxQueryDuration is otherwise not honoured.
* BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token.
* BUG 14902: User with multiple spaces (eg Fred<space><space>Nurk) become
un-deletable.
* BUG 14127: Avoid storing NTTIME_THAW (-2) as value on disk
* BUG 14922: Kerberos authentication on standalone server in MIT realm
broken.
* BUG 14923: Segmentation fault when joining the domain.
* BUG 14903: Support for ROLE_IPA_DC is incomplete.
* BUG 14788: Memory leak if ioctl(FSCTL_VALIDATE_NEGOTIATE_INFO) fails before
smbd_smb2_ioctl_send.
* BUG 14899: winbindd doesn't start when "allow trusted domains" is off.
* BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token.
* BUG 14694: Ensure that the LDB request has not timed out during filter
processing as the LDAP server MaxQueryDuration is otherwise not honoured.
* BUG 14901: The CVE-2020-25717 username map [script] advice has undesired
side effects for the local nt token.
Signed-off-by: Zheng Ruoqin <zhengrq.fnst@fujitsu.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Replace the configure tests UNKNOWN answers with the correct answers.
Then drop the related patches.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The pyext_PATTERN will add native arch as suffix when cross compiling.
For example, on qemuarm64, it is expanded to:
pyext_PATTERN ='%s.cpython-310-x86_64-linux-gnu.so'
which will result in the incorrect library name.
root@qemuarm64:~# find /usr/lib -name \*cpython\*
/usr/lib/pkgconfig/samba-policy.cpython-310-x86_64-linux-gnu.pc
/usr/lib/libsamba-policy.cpython-310-x86-64-linux-gnu.so
/usr/lib/samba/libsamba-python.cpython-310-x86-64-linux-gnu-samba4.so
/usr/lib/samba/libsamba-net.cpython-310-x86-64-linux-gnu-samba4.so
/usr/lib/libsamba-policy.cpython-310-x86-64-linux-gnu.so.0
/usr/lib/libsamba-policy.cpython-310-x86-64-linux-gnu.so.0.0.1
/usr/lib/python3.10/site-packages/samba/dsdb_dns.cpython-310-x86_64-linux-gnu.so
/usr/lib/python3.10/site-packages/samba/dsdb.cpython-310-x86_64-linux-gnu.so
/usr/lib/python3.10/site-packages/samba/xattr_tdb.cpython-310-x86_64-linux-gnu.so
/usr/lib/python3.10/site-packages/samba/_ldb.cpython-310-x86_64-linux-gnu.so
/usr/lib/python3.10/site-packages/samba/gensec.cpython-310-x86_64-linux-gnu.so
[snip]
Set pyext_PATTERN to '%s.so' to remove the suffix.
After the patch:
root@qemuarm64:~# find /usr/lib/
/usr/lib/pkgconfig/samba-policy.pc
/usr/lib/libsamba-policy.so
/usr/lib/samba/libsamba-python-samba4.so
/usr/lib/samba/libsamba-net-samba4.so
/usr/lib/libsamba-policy.so.0
/usr/lib/libsamba-policy.so.0.0.1
/usr/lib/python3.10/site-packages/samba/dsdb_dns.so
/usr/lib/python3.10/site-packages/samba/dsdb.so
/usr/lib/python3.10/site-packages/samba/xattr_tdb.so
/usr/lib/python3.10/site-packages/samba/_ldb.so
/usr/lib/python3.10/site-packages/samba/gensec.so
[snip]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is the result of automated script (0.9.1) conversion:
oe-core/scripts/contrib/convert-overrides.py .
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Add libparse-yapp-perl to RDEPENDS for pidl.
Fixes:
$ pidl
Can't locate Parse/Yapp/Driver.pm in @INC (you may need to install the Parse::Yapp::Driver module)
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The shebang in pidl points to wrong location:
$ pidl
-sh: /usr/bin/pidl: /buildarea/build/tmp-glibc/hosttools/env: bad interpreter: No such file or directory
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
We're not living in a perfect world so avoid build failures like:
ERROR: samba-4.14.5-r0 do_package_qa: QA Issue: samba-pidl contains perllocal.pod (/usr/lib/perl5/5.34.0/x86_64-linux/perllocal.pod), should not be installed [perllocalpod]
ERROR: samba-4.14.5-r0 do_package_qa: QA run found fatal errors. Please consider fixing them.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Some options in smb.conf are deprecated.
Refer to
https://salsa.debian.org/samba-team/samba/-/blob/master/debian/smb.conf
to update it.
* Remove the deprecated "syslog only" and "syslog" global options and
replace them with the "logging" statement.
* Remove wins support and wins server comments since WINS protocol is
outdated.
* Improve idmap config
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The 4.10.x is EOL: https://wiki.samba.org/index.php/Samba_Release_Planning
Upgrade to latest 4.14.x.
Remove PACKAGECONFIG[gnutls] since gnutls is now a mandatory
requirement for samba. See:
https://wiki.samba.org/index.php/Package_Dependencies_Required_to_Build_Samba#Mandatory
Refresh patches:
16-do-not-check-xsltproc-manpages.patch
20-do-not-import-target-module-while-cross-compile.patch
21-add-config-option-without-valgrind.patch
0001-Add-options-to-configure-the-use-of-libbsd.patch
dnsserver-4.7.0.patch
iconv-4.7.0.patch
0001-samba-fix-musl-lib-without-innetgr.patch
Drop patches:
0001-lib-replace-wscript-Avoid-generating-nested-main-fun.patch
0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch
0001-waf-add-support-of-cross_compile.patch
0002-util_sec.c-Move-__thread-variable-to-global-scope.patch
CVE-2020-14318.patch
CVE-2020-14383.patch
glibc_only.patch
smb_conf-4.7.0.patch
Add new patches:
0007-wscript_configure_system_gnutls-disable-check-gnutls.patch
0008-source3-wscript-disable-check-fcntl-F_OWNER_EX.patch
source3-wscript-disable-check-fcntl-RW_HINTS.patch
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
The licenses were renamed to match their SPDX names, fix the
references in LIC_FILES_CHKSUM
Correct the checksums where they were wrong
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a security release in order to address the following defects:
CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD
DC LDAP Server with ASQ, VLV and paged_results.
CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume
excessive CPU
CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with
paged_results and VLV.
CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.
Also backport 3 patches to fix build error with musl.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This is a security release in order to address the following defects:
CVE-2020-10700: Use-after-free in Samba AD DC LDAP Server with ASQ
CVE-2020-10704: LDAP Denial of Service (stack overflow) in Samba AD DC
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
It is unnecessary, and libbsd uses the "BSD-4-Clause" license, which can
be problematic.
To make it deterministic, a patch is introduced to allow libbsd support
to be disabled. It resembles similar patches in, e.g., libldb,
libtalloc, libtdb and libtevent.
Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Guest accounts for Samba are a known potential vulnerability
(see https://www.tenable.com/plugins/nessus/26919) where info
about the host can be obtained without proper access. The option
"map to guest = bad user" allows login attempts with usernames
that don't exist to map to the guest account, while the
"restrict anonymous" value (implicitly set to 0 before this patch)
would allow any queries to obtain user and group list information.
Raise the default security level by setting "restrict anonymous"
to "1" and "map to guest" to "never" to avoid providing user/group
info to unauthenticated users and reject login attempts with an
invalid password, respectively.
Signed-off-by: Trevor Gamblin <trevor.gamblin@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
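
Added example, not part of any commit above and not code from the recipe or from Samba: a small smb.conf audit that flags the settings these commit messages discuss ("map to guest", "restrict anonymous", and the "acl_xattr:ignore system acls = yes" precondition of CVE-2023-4091). The sample configuration is constructed, and matching option names with case and whitespace ignored is a simplification assumed for this example.

```python
import re

SAMPLE_CONF = """\
# Constructed sample, not taken from the recipe
[global]
   map to guest = Bad User
   logging = syslog

[projects]
   path = /srv/projects
   read only = yes
   vfs objects = acl_xattr
   acl_xattr:ignore system acls = yes
"""

TRUE_VALUES = {"yes", "true", "1", "on"}

def _norm(name):
    # Assumption for this example: names compare case-insensitively, whitespace ignored.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    """Return {section: {normalized_name: value}}; '#' and ';' start comment lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[_norm(name)] = value.strip()
    return sections

def audit(text):
    """Return findings for the guest/anonymous defaults and the acl_xattr option."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    findings = []
    guest = glob.get("maptoguest", "never")
    if _norm(guest) != "never":
        findings.append(f"[global] map to guest = {guest}: unknown users may be mapped to guest")
    if glob.get("restrictanonymous", "0") == "0":
        findings.append("[global] restrict anonymous is 0: anonymous user/group listing allowed")
    for name, params in conf.items():
        if params.get("acl_xattr:ignoresystemacls", "no").lower() in TRUE_VALUES:
            findings.append(f"[{name}] acl_xattr:ignore system acls = yes: "
                            "CVE-2023-4091 precondition, confirm the fix is applied")
    return findings
```

Calling audit(SAMPLE_CONF) returns three findings for the constructed sample; a [global] section with "map to guest = never" and "restrict anonymous = 1" and no acl_xattr option returns none.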