From a55a46ea70119954974f943d02f51b25223e4c25 Mon Sep 17 00:00:00 2001
From: xinghe
Date: Wed, 28 Dec 2022 06:49:31 +0000
Subject: [PATCH] fix CVE-2022-45141
---
 backport-0001-CVE-2022-45141.patch | 55 ++++++++++++++++++++++++
 backport-0002-CVE-2022-45141.patch | 69 ++++++++++++++++++++++++++++++
 samba.spec | 10 ++++-
 3 files changed, 133 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2022-45141.patch
 create mode 100644 backport-0002-CVE-2022-45141.patch
diff --git a/backport-0001-CVE-2022-45141.patch b/backport-0001-CVE-2022-45141.patch
new file mode 100644
index 0000000..dbe1476
--- /dev/null
+++ b/backport-0001-CVE-2022-45141.patch
@@ -0,0 +1,55 @@
+From 2be27ec1d7f3bfcdcac65bca1db53772535fe7bf Mon Sep 17 00:00:00 2001
+From: Nicolas Williams
+Date: Tue, 11 Oct 2011 23:57:58 -0500
+Subject: [PATCH 1/2] CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part
+ key selection
+
+ When I added support for configuring how the KDC selects session,
+ reply, and ticket enc-part keys I accidentally had the KDC use the
+ session key selection algorithm for selecting the ticket enc-part
+ key. This becomes a problem when using a Heimdal KDC with an MIT
+ KDB as the HDB backend and when the krbtgt keys are not in
+ strongest-to-weakest order, in which case forwardable tickets minted
+ by the Heimdal KDC will not be accepted by MIT KDCs with the same
+ KDB.
+
+(cherry picked from Heimdal commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Stefan Metzmacher
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17680
+---
+ source4/heimdal/kdc/krb5tgs.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 15be136496fa..7391393e4b64 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -1665,17 +1665,14 @@ server_lookup:
+ } else {
+ Key *skey;
+
+- ret = _kdc_find_etype(context,
+- config->tgs_use_strongest_session_key, FALSE,
+- server, b->etype.val, b->etype.len, NULL,
+- &skey);
++ ret = _kdc_get_preferred_key(context, config, server, spn,
++ &etype, &skey);
+ if(ret) {
+ kdc_log(context, config, 0,
+ "Server (%s) has no support for etypes", spn);
+ goto out;
+ }
+ ekey = &skey->key;
+- etype = skey->key.keytype;
+ kvno = server->entry.kvno;
+ }
+
+-- 
+2.34.1
diff --git a/backport-0002-CVE-2022-45141.patch b/backport-0002-CVE-2022-45141.patch
new file mode 100644
index 0000000..89eeac5
--- /dev/null
+++ b/backport-0002-CVE-2022-45141.patch 
@@ -0,0 +1,69 @@
+From 2ea3f2db8087e0a2c4a18c633b039c722cb6f829 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams
+Date: Wed, 12 Oct 2011 01:15:13 -0500
+Subject: [PATCH 2/2] CVE-2022-45141 source4/heimdal: Fix check-des
+
+ The previous fix was incomplete. But it also finally uncovered an
+ old check-des problem that I'd had once and which may have gotten
+ papered over by changing the default of one of the *strongest* KDC
+ parameters. The old problem is that we were passing the wrong
+ enctype to _kdc_encode_reply(): we were passing the session key
+ enctype where the ticket enc-part key's enctype was expected.
+
+ The whole enctype being passed in is superfluous anyways. Let's
+ clean that up next.
+
+(cherry picked from Heimdal commit 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71)
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
+
+Signed-off-by: Joseph Sutton
+Reviewed-by: Stefan Metzmacher
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17680
+---
+ source4/heimdal/kdc/krb5tgs.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
+index 7391393e4b64..609649003ea5 100644
+--- a/source4/heimdal/kdc/krb5tgs.c
++++ b/source4/heimdal/kdc/krb5tgs.c
+@@ -747,7 +747,7 @@ tgs_make_reply(krb5_context context,
+ etype list, even if we don't want a session key with
+ DES3?
 */
+ ret = _kdc_encode_reply(context, config,
+- &rep, &et, &ek, et.key.keytype,
++ &rep, &et, &ek, serverkey->keytype,
+ kvno,
+ serverkey, 0, replykey, rk_is_subkey,
+ e_text, reply);
+@@ -1665,13 +1665,22 @@ server_lookup:
+ } else {
+ Key *skey;
+
+- ret = _kdc_get_preferred_key(context, config, server, spn,
+- &etype, &skey);
++ ret = _kdc_find_etype(context,
++ config->tgs_use_strongest_session_key, FALSE,
++ server, b->etype.val, b->etype.len, &etype,
++ NULL);
+ if(ret) {
+ kdc_log(context, config, 0,
+ "Server (%s) has no support for etypes", spn);
+ goto out;
+ }
++ ret = _kdc_get_preferred_key(context, config, server, spn,
++ NULL, &skey);
++ if(ret) {
++ kdc_log(context, config, 0,
++ "Server (%s) has no supported etypes", spn);
++ goto out;
++ }
+ ekey = &skey->key;
+ kvno = server->entry.kvno;
+ }
+-- 
+2.34.1
diff --git a/samba.spec b/samba.spec
index 8d166a2..178af06 100644
--- a/samba.spec
+++ b/samba.spec
@@ -48,7 +48,7 @@ Name: samba
 Version: 4.15.3
-Release: 16
+Release: 17
 Summary: A suite for Linux to interoperate with Windows
 License: GPLv3+ and LGPLv3+
@@ -113,6 +113,8 @@ Patch44: backport-s3waf-Fix-version-number-of-public-libsmbconf.patch
 Patch45: backport-waf-Fix-SO-version-number-of-libsamba-errors.patch
 Patch46: backport-0001-CVE-2022-44640.patch
 Patch47: backport-0002-CVE-2022-44640.patch
+Patch48: backport-0001-CVE-2022-45141.patch
+Patch49: backport-0002-CVE-2022-45141.patch
 BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@@ -3442,6 +3444,12 @@ fi
 %endif
 %changelog
+* Wed Dec 28 2022 xinghe - 4.15.3-17
+- Type:cves
+- ID:CVE-2022-45141
+- SUG:NA
+- DESC:fix CVE-2022-45141
+
 * Sat Dec 17 2022 xinghe - 4.15.3-16
 - Type:cves
 - ID:CVE-2022-44640
-- Gitee
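Review bot: In the second krb5tgs.c hunk of backport-0002, the two failure paths log nearly identical text, `"Server (%s) has no support for etypes"` after the `_kdc_find_etype` call and `"Server (%s) has no supported etypes"` after the `_kdc_get_preferred_key` call, so an operator reading the KDC log cannot tell whether session-key etype negotiation against the client's `b->etype` list failed or the server-key lookup did. Since the file is a verbatim cherry-pick of the Heimdal commit, changing the strings would diverge from upstream and complicate later backports, so the safer option is to document the split instead: a comment above the second call such as `/* ticket enc-part key: picked from the server's own keys, not the client's etype list */` (the visible arguments suggest this, as that call does not receive `b->etype`). The `serverkey->keytype` change in the first hunk assumes `serverkey` is non-NULL there, which cannot be confirmed because `tgs_make_reply` starts outside the hunk. The `server_lookup:` block of the second hunk also continues outside the hunk.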