From 594b1e6286edb1206d12a8a1c6efb12bc3bdb887 Mon Sep 17 00:00:00 2001
From: xinghe
Date: Sat, 17 Dec 2022 07:16:47 +0000
Subject: [PATCH] fix CVE-2022-44640

(cherry picked from commit 6c21bd846be6b0320bae93da9535cf3788b34e4d)
---
 backport-CVE-2022-44640.patch | 123 ++++++++++++++++++++++++++++++++++
 samba.spec | 9 ++-
 2 files changed, 131 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-44640.patch

diff --git a/backport-CVE-2022-44640.patch b/backport-CVE-2022-44640.patch
new file mode 100644
index 0000000..e427cc7
--- /dev/null
+++ b/backport-CVE-2022-44640.patch
@@ -0,0 +1,123 @@
+From 13a2dca744e9b37549b68fcd3f1d44e2fe1e8425 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams
+Date: Wed, 10 Mar 2021 16:49:04 -0600
+Subject: [PATCH 2/2] CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
+
+Heimdal's ASN.1 compiler generates code that allows specially
+crafted DER encodings of CHOICEs to invoke the wrong free function
+on the decoded structure upon decode error. This is known to impact
+the Heimdal KDC, leading to an invalid free() of an address partly
+or wholly under the control of the attacker, in turn leading to a
+potential remote code execution (RCE) vulnerability.
+
+This error affects the DER codec for all CHOICE types used in
+Heimdal, though not all cases will be exploitable. We have not
+completed a thorough analysis of all the Heimdal components
+affected, thus the Kerberos client, the X.509 library, and other
+parts, may be affected as well.
+
+This bug has been in Heimdal since 2005. It was first reported by
+Douglas Bagnall, though it had been found independently by the
+Heimdal maintainers via fuzzing a few weeks earlier.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
+
+(cherry-picked from Heimdal commit 9c9dac2b169255bad9071eea99fa90b980dde767)
+
+Signed-off-by: Andrew Bartlett
+Reviewed-by: Stefan Metzmacher
+
+Autobuild-User(master): Stefan Metzmacher
+Autobuild-Date(master): Tue Dec 6 13:41:05 UTC 2022 on sn-devel-184
+
+(cherry picked from commit 68fc909a7f4d69c254d34bec85cf8431bcb6e72f)
+
+Conflict: remove third_party/heimdal/lib/asn1/krb5.asn1 and .../heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq
+Reference: https://attachments.samba.org/attachment.cgi?id=17675
+---
+ third_party/heimdal/lib/asn1/gen_decode.c | 12 ++++++------
+ third_party/heimdal/lib/asn1/gen_free.c | 7 +++++++
+ third_party/heimdal/lib/asn1/gen_template.c | 1 +
+ 5 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/third_party/heimdal/lib/asn1/gen_decode.c b/third_party/heimdal/lib/asn1/gen_decode.c
+index 93d412f63356..fa9d79a8ae5b 100644
+--- a/third_party/heimdal/lib/asn1/gen_decode.c
++++ b/third_party/heimdal/lib/asn1/gen_decode.c
+@@ -694,14 +694,14 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval,
+ classname(cl),
+ ty ? "CONS" : "PRIM",
+ valuename(cl, tag));
++ fprintf(codefile,
++ "(%s)->element = %s;\n",
++ name, m->label);
+ if (asprintf (&s, "%s(%s)->u.%s", m->optional ?
"" : "&",
+ name, m->gen_name) < 0 || s == NULL)
+ errx(1, "malloc");
+ decode_type(s, m->type, m->optional, NULL, forwstr, m->gen_name,
+ NULL, depth + 1);
+- fprintf(codefile,
+- "(%s)->element = %s;\n",
+- name, m->label);
+ free(s);
+ fprintf(codefile,
+ "}\n");
+@@ -710,23 +710,23 @@ decode_type(const char *name, const Type *t, int optional, struct value *defval,
+ if (have_ellipsis) {
+ fprintf(codefile,
+ "else {\n"
++ "(%s)->element = %s;\n"
+ "(%s)->u.%s.data = calloc(1, len);\n"
+ "if ((%s)->u.%s.data == NULL) {\n"
+ "e = ENOMEM; %s;\n"
+ "}\n"
+ "(%s)->u.%s.length = len;\n"
+ "memcpy((%s)->u.%s.data, p, len);\n"
+- "(%s)->element = %s;\n"
+ "p += len;\n"
+ "ret += len;\n"
+ "len = 0;\n"
+ "}\n",
++ name, have_ellipsis->label,
+ name, have_ellipsis->gen_name,
+ name, have_ellipsis->gen_name,
+ forwstr,
+ name, have_ellipsis->gen_name,
+- name, have_ellipsis->gen_name,
+- name, have_ellipsis->label);
++ name, have_ellipsis->gen_name);
+ } else {
+ fprintf(codefile,
+ "else {\n"
+diff --git a/third_party/heimdal/lib/asn1/gen_free.c b/third_party/heimdal/lib/asn1/gen_free.c
+index 0507d5421803..b6da8ae14dd2 100644
+--- a/third_party/heimdal/lib/asn1/gen_free.c
++++ b/third_party/heimdal/lib/asn1/gen_free.c
+@@ -62,6 +62,13 @@ free_type (const char *name, const Type *t, int preserve)
+ case TNull:
+ case TGeneralizedTime:
+ case TUTCTime:
++ /*
++ * This doesn't do much, but it leaves zeros where garbage might
++ * otherwise have been found. Gets us closer to having the equivalent
++ * of a memset()-to-zero data structure after calling the free
++ * functions.
++ */
++ fprintf(codefile, "*%s = 0;\n", name);
+ break;
+ case TBitString:
+ if (HEIM_TAILQ_EMPTY(t->members))
+diff --git a/third_party/heimdal/lib/asn1/gen_template.c b/third_party/heimdal/lib/asn1/gen_template.c
+index e053a8bdd8bc..ad25fcfb29d3 100644
+--- a/third_party/heimdal/lib/asn1/gen_template.c
++++ b/third_party/heimdal/lib/asn1/gen_template.c
+@@ -1600,6 +1600,7 @@ generate_template(const Symbol *s)
+ "int ASN1CALL\n"
+ "decode_%s(const unsigned char *p, size_t len, %s *data, size_t *size)\n"
+ "{\n"
++ " memset(data, 0, sizeof(*data));\n"
+ " return _asn1_decode_top(asn1_%s, 0|%s, p, len, data, size);\n"
+ "}\n"
+ "\n",
+--
+2.34.1
diff --git a/samba.spec b/samba.spec
index db8691c..8e0583f 100644
--- a/samba.spec
+++ b/samba.spec
@@ -48,7 +48,7 @@ Name: samba
 Version: 4.17.2
-Release: 3
+Release: 4
 Summary: A suite for Linux to interoperate with Windows
 License: GPLv3+ and LGPLv3+
@@ -67,6 +67,7 @@ Source8: usershares.conf.vendor
 Source201: README.downgrade
 Patch0001: backport-CVE-2022-42898-third_party-heimdal-PAC-parse-integer.patch
+Patch0002: backport-CVE-2022-44640.patch
 BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
 BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel
@@ -3478,6 +3479,12 @@ fi
 %endif
 %changelog
+* Sat Dec 17 2022 xinghe - 4.17.2-4
+- Type:cves
+- ID:CVE-2022-44640
+- SUG:NA
+- DESC:fix CVE-2022-44640
+
 * Thu Dec 08 2022 xinghe - 4.17.2-3
 - Type:bugfix
 - ID:NA
--
Gitee
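Review bot: The diffstat embedded in the backported patch still says `5 files changed, 15 insertions(+), 6 deletions(-)` while only gen_decode.c, gen_free.c and gen_template.c remain after the Conflict note dropped krb5.asn1 and the KrbFastArmoredReq fuzz input, so the summary misstates what this backport carries; regenerating it, or adding `(diffstat is from the upstream commit; two files dropped, see Conflict)` next to the Conflict line, would keep reviewers from hunting for missing hunks. All three surviving hunks change the ASN.1 compiler rather than generated codec sources, so the fix only takes effect if this samba 4.17.2 build regenerates the Heimdal codecs from the .asn1 definitions with the patched asn1_compile — worth confirming in the build log rather than assuming, since otherwise the CVE listed in the changelog is not actually closed. The dropped krb5.asn1 hunk also deserves a sentence in the Conflict note stating whether it changed a type definition or only a test artefact; if the former, the backport is incomplete.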