diff --git a/backport-0001-CVE-2021-44142.patch b/backport-0001-CVE-2021-44142.patch
new file mode 100644
index 0000000000000000000000000000000000000000..8d44ee3a11b5c5d786d5778fb6a8f41e8cd66475
--- /dev/null
+++ b/backport-0001-CVE-2021-44142.patch
@@ -0,0 +1,25 @@
+From 592aca7ac48947ff264ff2f24980a22863c644fb Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Thu, 13 Jan 2022 16:48:01 +0100
+Subject: [PATCH 1/6] CVE-2021-44142: libadouble: add defines for icon lengths
+
+From https://www.ietf.org/rfc/rfc1740.txt
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+---
+ source3/modules/vfs_fruit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -279,6 +279,8 @@ typedef enum {ADOUBLE_META, ADOUBLE_RSRC
+ #define ADEDLEN_MACFILEI 4
+ #define ADEDLEN_PRODOSFILEI 8
+ #define ADEDLEN_MSDOSFILEI 2
++#define ADEDLEN_ICONBW 128
++#define ADEDLEN_ICONCOL 1024
+ #define ADEDLEN_DID 4
+ #define ADEDLEN_PRIVDEV 8
+ #define ADEDLEN_PRIVINO 8
diff --git a/backport-0002-CVE-2021-44142.patch b/backport-0002-CVE-2021-44142.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c05a3637842535acb5fa2741d641838b61110777
--- /dev/null
+++ b/backport-0002-CVE-2021-44142.patch
@@ -0,0 +1,43 @@
+From 0c9e24ea2abb1882d74cf705dd4c692eb1705adb Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Sat, 20 Nov 2021 16:36:42 +0100
+Subject: [PATCH 2/6] CVE-2021-44142: smbd: add Netatalk xattr used by
+ vfs_fruit to the list of private Samba xattrs
+
+This is an internal xattr that should not be user visible.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+[slow@samba.org: conflict due to changed includes in source3/smbd/trans2.c]
+---
+ source3/smbd/trans2.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/source3/smbd/trans2.c
++++ b/source3/smbd/trans2.c
+@@ -176,6 +176,16 @@ void aapl_force_zero_file_id(struct smbd
+ Refuse to allow clients to overwrite our private xattrs.
+ ****************************************************************************/
+ 
++/*
++ * Taken from vfs_fruit.c
++ */
++#define NETATALK_META_XATTR "org.netatalk.Metadata"
++#if defined(HAVE_ATTROPEN)
++#define AFPINFO_EA_NETATALK NETATALK_META_XATTR
++#else
++#define AFPINFO_EA_NETATALK "user." NETATALK_META_XATTR
++#endif
++
+ bool samba_private_attr_name(const char *unix_ea_name)
+ {
+ static const char * const prohibited_ea_names[] = {
+@@ -183,6 +193,7 @@ bool samba_private_attr_name(const char
+ SAMBA_XATTR_DOS_ATTRIB,
+ SAMBA_XATTR_MARKER,
+ XATTR_NTACL_NAME,
++ AFPINFO_EA_NETATALK,
+ NULL
+ };
+ 
diff --git a/backport-0003-CVE-2021-44142.patch b/backport-0003-CVE-2021-44142.patch
new file mode 100644
index 0000000000000000000000000000000000000000..58c6da48bb772819c6abaa42c8f22090975551b9
--- /dev/null
+++ b/backport-0003-CVE-2021-44142.patch
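Review bot: The `NETATALK_META_XATTR`/`AFPINFO_EA_NETATALK` block added to trans2.c is a second copy of the definitions that live in vfs_fruit.c, and the only thing tying the two together is the `Taken from vfs_fruit.c` comment; if either side is ever renamed, the new entry in `prohibited_ea_names[]` silently stops matching and the metadata xattr becomes client-writable again, which is exactly what this patch sets out to prevent. A shared header would be the durable fix; short of that, make the coupling explicit, e.g. replace the comment with `/* Must stay byte-identical to NETATALK_META_XATTR / AFPINFO_EA_NETATALK in source3/modules/vfs_fruit.c, which owns the on-disk name. */` and add the mirror-image comment in vfs_fruit.c. The `[slow@samba.org: conflict ...]` line records an include conflict; it is worth confirming that trans2.c in this branch sees the same `HAVE_ATTROPEN` definition as vfs_fruit.c so both `#if` branches select the same string.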
@@ -0,0 +1,64 @@
+From d9cfe712fed17e0f031e3955a04a712a12a31c26 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Fri, 26 Nov 2021 07:19:32 +0100
+Subject: [PATCH 3/6] CVE-2021-44142: libadouble: harden ad_unpack_xattrs()
+
+This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC,
+which is used for parsing ._ AppleDouble sidecar files, and the buffer
+ad->ad_data is AD_XATTR_MAX_HDR_SIZE bytes large which is a prerequisite for all
+buffer out-of-bounds access checks in ad_unpack_xattrs().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+---
+ source3/modules/vfs_fruit.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -675,14 +675,27 @@ static bool ad_pack(struct adouble *ad)
+ static bool ad_unpack_xattrs(struct adouble *ad)
+ {
+ struct ad_xattr_header *h = &ad->adx_header;
++ size_t bufsize = talloc_get_size(ad->ad_data);
+ const char *p = ad->ad_data;
+ uint32_t hoff;
+ uint32_t i;
+ 
++ if (ad->ad_type != ADOUBLE_RSRC) {
++ return false;
++ }
++
+ if (ad_getentrylen(ad, ADEID_FINDERI) <= ADEDLEN_FINDERI) {
+ return true;
+ }
+ 
++ /*
++ * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
++ * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
++ */
++ if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
++ return false;
++ }
++
+ /* 2 bytes padding */
+ hoff = ad_getentryoff(ad, ADEID_FINDERI) + ADEDLEN_FINDERI + 2;
+ 
+@@ -930,11 +943,12 @@ static bool ad_unpack(struct adouble *ad
+ ad->ad_eid[eid].ade_len = len;
+ }
+ 
+- ok = ad_unpack_xattrs(ad);
+- if (!ok) {
+- return false;
++ if (ad->ad_type == ADOUBLE_RSRC) {
++ ok = ad_unpack_xattrs(ad);
++ if (!ok) {
++ return false;
++ }
+ }
+-
+ return true;
+ }
+ 
diff --git a/backport-0004-CVE-2021-44142.patch b/backport-0004-CVE-2021-44142.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5007165762766092e6e7298a9d63a6b8056a1cfe
--- /dev/null
+++ b/backport-0004-CVE-2021-44142.patch
@@ -0,0 +1,20 @@
+From d5f8a6f423f6bfba706d57459d78046920d61ce5 Mon Sep 17 00:00:00 2001
+From: Noel Power
+Date: Fri, 21 Jan 2022 14:52:53 +0000
+Subject: [PATCH 4/6] vfs_fruit: CVE-2021-44142 tweak buffer size check
+
+---
+ source3/modules/vfs_fruit.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -692,7 +692,7 @@ static bool ad_unpack_xattrs(struct adou
+ * Ensure the buffer ad->ad_data was allocated by ad_alloc() for an
+ * ADOUBLE_RSRC type (._ AppleDouble file on-disk).
+ */
+- if (bufsize != AD_XATTR_MAX_HDR_SIZE) {
++ if (bufsize < AD_DATASZ_DOT_UND || bufsize > AD_XATTR_MAX_HDR_SIZE) {
+ return false;
+ }
+ 
diff --git a/backport-0005-CVE-2021-44142.patch b/backport-0005-CVE-2021-44142.patch
new file mode 100644
index 0000000000000000000000000000000000000000..9af4f7ec516a65238935f7726093d3cf7c4f1ac9
--- /dev/null
+++ b/backport-0005-CVE-2021-44142.patch
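Review bot: The relaxed gate `if (bufsize < AD_DATASZ_DOT_UND || bufsize > AD_XATTR_MAX_HDR_SIZE)` now admits ad_data buffers smaller than AD_XATTR_MAX_HDR_SIZE, yet the comment kept directly above it and the description of patch 3/6 both state that the out-of-bounds checks in ad_unpack_xattrs() presuppose a buffer of exactly that size, and this patch carries no commit message explaining why the wider range is safe on this branch. Unless every header and entry read further down in ad_unpack_xattrs() (outside this hunk) is bounded by `bufsize` rather than by the constant, a buffer of AD_DATASZ_DOT_UND bytes passes this check while the later checks are still sized for the larger buffer, which is the gap patch 3/6 set out to close; this needs to be verified against the sizes ad_alloc() actually uses for ADOUBLE_RSRC in 4.11. Whatever the finding, record it where the next backporter will see it, e.g. above the `if`: `/* This branch may allocate ADOUBLE_RSRC buffers anywhere in AD_DATASZ_DOT_UND..AD_XATTR_MAX_HDR_SIZE; every offset read below must be checked against bufsize — TODO(review) confirm */`, and put the same rationale into the patch's empty commit message.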
@@ -0,0 +1,161 @@
+From 6dd0f863108cab92e97de2e4d283cd07a3c07caf Mon Sep 17 00:00:00 2001
+From: Ralph Boehme
+Date: Thu, 13 Jan 2022 17:03:02 +0100
+Subject: [PATCH 6/6] CVE-2021-44142: libadouble: harden parsing code
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914
+
+Signed-off-by: Ralph Boehme
+---
+ source3/modules/vfs_fruit.c | 116 ++++++++++++++++---
+ 2 files changed, 101 insertions(+), 18 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba.unittests.adouble
+
+--- a/source3/modules/vfs_fruit.c
++++ b/source3/modules/vfs_fruit.c
+@@ -488,6 +488,95 @@ static ssize_t afpinfo_pack(const AfpInf
+ static AfpInfo *afpinfo_unpack(TALLOC_CTX *ctx, const void *data);
+ 
+ 
++/*
++ * All entries besides FinderInfo and resource fork must fit into the
++ * buffer. FinderInfo is special as it may be larger then the default 32 bytes
++ * if it contains marshalled xattrs, which we will fixup that in
++ * ad_convert(). The first 32 bytes however must also be part of the buffer.
++ *
++ * The resource fork is never accessed directly by the ad_data buf.
++ */
++static bool ad_entry_check_size(uint32_t eid,
++ size_t bufsize,
++ uint32_t off,
++ uint32_t got_len)
++{
++ struct {
++ off_t expected_len;
++ bool fixed_size;
++ bool minimum_size;
++ } ad_checks[] = {
++ [ADEID_DFORK] = {-1, false, false}, /* not applicable */
++ [ADEID_RFORK] = {-1, false, false}, /* no limit */
++ [ADEID_NAME] = {ADEDLEN_NAME, false, false},
++ [ADEID_COMMENT] = {ADEDLEN_COMMENT, false, false},
++ [ADEID_ICONBW] = {ADEDLEN_ICONBW, true, false},
++ [ADEID_ICONCOL] = {ADEDLEN_ICONCOL, false, false},
++ [ADEID_FILEI] = {ADEDLEN_FILEI, true, false},
++ [ADEID_FILEDATESI] = {ADEDLEN_FILEDATESI, true, false},
++ [ADEID_FINDERI] = {ADEDLEN_FINDERI, false, true},
++ [ADEID_MACFILEI] = {ADEDLEN_MACFILEI, true, false},
++ [ADEID_PRODOSFILEI] = {ADEDLEN_PRODOSFILEI, true, false},
++ [ADEID_MSDOSFILEI] = {ADEDLEN_MSDOSFILEI, true, false},
++ [ADEID_SHORTNAME] = {ADEDLEN_SHORTNAME, false, false},
++ [ADEID_AFPFILEI] = {ADEDLEN_AFPFILEI, true, false},
++ [ADEID_DID] = {ADEDLEN_DID, true, false},
++ [ADEID_PRIVDEV] = {ADEDLEN_PRIVDEV, true, false},
++ [ADEID_PRIVINO] = {ADEDLEN_PRIVINO, true, false},
++ [ADEID_PRIVSYN] = {ADEDLEN_PRIVSYN, true, false},
++ [ADEID_PRIVID] = {ADEDLEN_PRIVID, true, false},
++ };
++
++ if (eid >= ADEID_MAX) {
++ return false;
++ }
++ if (got_len == 0) {
++ /* Entry present, but empty, allow */
++ return true;
++ }
++ if (ad_checks[eid].expected_len == 0) {
++ /*
++ * Shouldn't happen: implicitly initialized to zero because
++ * explicit initializer missing.
++ */
++ return false;
++ }
++ if (ad_checks[eid].expected_len == -1) {
++ /* Unused or no limit */
++ return true;
++ }
++ if (ad_checks[eid].fixed_size) {
++ if (ad_checks[eid].expected_len != got_len) {
++ /* Wrong size fo fixed size entry. */
++ return false;
++ }
++ } else {
++ if (ad_checks[eid].minimum_size) {
++ if (got_len < ad_checks[eid].expected_len) {
++ /*
++ * Too small for variable sized entry with
++ * minimum size.
++ */
++ return false;
++ }
++ } else {
++ if (got_len > ad_checks[eid].expected_len) {
++ /* Too big for variable sized entry. */
++ return false;
++ }
++ }
++ }
++ if (off + got_len < off) {
++ /* wrap around */
++ return false;
++ }
++ if (off + got_len > bufsize) {
++ /* overflow */
++ return false;
++ }
++ return true;
++}
++
+ /**
+ * Return a pointer to an AppleDouble entry
+ *
+@@ -495,8 +584,15 @@ static AfpInfo *afpinfo_unpack(TALLOC_CT
+ **/
+ static char *ad_get_entry(const struct adouble *ad, int eid)
+ {
++ size_t bufsize = talloc_get_size(ad->ad_data);
+ off_t off = ad_getentryoff(ad, eid);
+ size_t len = ad_getentrylen(ad, eid);
++ bool valid;
++
++ valid = ad_entry_check_size(eid, bufsize, off, len);
++ if (!valid) {
++ return NULL;
++ }
+ 
+ if (off == 0 || len == 0) {
+ return NULL;
+@@ -560,7 +656,6 @@ static int ad_setdate(struct adouble *ad
+ return 0;
+ }
+ 
+-
+ /**
+ * Map on-disk AppleDouble id to enumerated id
+ **/
+@@ -880,20 +975,11 @@ static bool ad_unpack(struct adouble *ad
+ return false;
+ }
+ 
+- /*
+- * All entries besides FinderInfo and resource fork
+- * must fit into the buffer. FinderInfo is special as
+- * it may be larger then the default 32 bytes (if it
+- * contains marshalled xattrs), but we will fixup that
+- * in ad_convert(). And the resource fork is never
+- * accessed directly by the ad_data buf (also see
+- * comment above) anyway.
+- */
+- if ((eid != ADEID_RFORK) &&
+- (eid != ADEID_FINDERI) &&
+- ((off + len) > bufsize)) {
+- DEBUG(1, ("bogus eid %d: off: %" PRIu32 ", len: %" PRIu32 "\n",
+- eid, off, len));
++ ok = ad_entry_check_size(eid, bufsize, off, len);
++ if (!ok) {
++ DBG_ERR("bogus eid [%"PRIu32"] bufsize [%zu] "
++ "off [%"PRIu32"] len [%"PRIu32"]\n",
++ eid, bufsize, off, len);
+ return false;
+ }
+ 
diff --git a/samba.spec b/samba.spec
index 3f91bf24cb6e5d76c36daff8beaa91d6916c1609..3e71b4c9f8ec746981e82c672ffaa17f591c9e8b 100644
--- a/samba.spec
+++ b/samba.spec
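Review bot: The diffstat of this patch file is stale: it says `2 files changed, 101 insertions(+), 18 deletions(-)` and `delete mode 100644 selftest/knownfail.d/samba.unittests.adouble`, but the body only carries the vfs_fruit.c hunks, which account for 101 insertions and 15 deletions; the series numbering also jumps from 4/6 to 6/6, so the upstream patch that presumably added the `samba.unittests.adouble` test (and the knownfail entry this one deletes) seems to have been dropped from the backport. `patch` and `git apply` ignore the diffstat, so the file still applies, but the hardening then lands in 4.11.12-10 without the regression test upstream shipped alongside it; either backport 5/6 as well or correct the header to `+ 1 file changed, 101 insertions(+), 15 deletions(-)` and drop the `delete mode` line so the patch describes what it contains. A smaller point in ad_get_entry(): `ad_entry_check_size(eid, bufsize, off, len)` silently narrows the `off_t off` and `size_t len` locals to `uint32_t`; that is lossless only if ad_getentryoff()/ad_getentrylen() return 32-bit values, which the `PRIu32` formats in ad_unpack suggest but the hunk does not show, so declaring those two locals `uint32_t` (or casting explicitly) would make the intent visible and keep ad_get_entry consistent with ad_unpack.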
@@ -49,7 +49,7 @@ Name: samba
Version: 4.11.12
-Release: 9
+Release: 10
Summary: A suite for Linux to interoperate with Windows
License: GPLv3+ and LGPLv3+
@@ -177,6 +177,11 @@ Patch6248: backport-s3-VFS-change-connection_struct-cwd_fname-to-cwd_fsp.p
Patch6249: backport-s3-smbd-Change-mkdir_internal-to-call-SMB_VFS_MKDIRAT.patch
Patch6250: backport-smbd-use-parent_smb_fname-in-mkdir_internal.patch
Patch6251: backport-CVE-2021-43566.patch
+Patch6252: backport-0001-CVE-2021-44142.patch
+Patch6253: backport-0002-CVE-2021-44142.patch
+Patch6254: backport-0003-CVE-2021-44142.patch
+Patch6255: backport-0004-CVE-2021-44142.patch
+Patch6256: backport-0005-CVE-2021-44142.patch
BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel
@@ -3164,6 +3169,12 @@ fi
%{_mandir}/man*
%changelog
+* Tue Feb 08 2022 gaihuiying - 4.11.12-10
+- Type:cves
+- ID:CVE-2021-44142
+- SUG:NA
+- DESC:backport to fix CVE-2021-44142
+
* Wed Jan 19 2022 gaihuiying - 4.11.12-9
- Type:cves
- ID:CVE-2021-43566