samba: fix CVE-2022-3437

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack. References: https://nvd.nist.gov/vuln/detail/CVE-2022-3437 Upstream patches: https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3 https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49 https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696 https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2 https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
author: Polampalli, Archana A <archana.polampalli@windriver.com> 2023-06-16 12:18:34 +0000
committer: Armin Kuster <akuster808@gmail.com> 2023-06-17 14:21:38 -0400
commit: 9d203efe8f01fa7d433a52ae1098cb27ede07119 (patch)
tree: bc6db03a2ead95960d7c347e33e37fc0525d6991
parent: 25dcf4d65b7d84ba24d0090d6283801ecae16546 (diff)
download: meta-openembedded-9d203efe8f01fa7d433a52ae1098cb27ede07119.tar.gz
9 files changed, 416 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
new file mode 100644
index 0000000000..abc778b731
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
+From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:13 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
+ unwrap
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/arcfour.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
+index a61f768..4fc46ce 100644
+--- a/lib/gssapi/krb5/arcfour.c
+++ b/lib/gssapi/krb5/arcfour.c
+@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+        return GSS_S_FAILURE;
+     }
+-    cmp = ct_memcmp(cksum_data, p + 8, 8);
+    cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
+     if (cmp) {
+        *minor_status = 0;
+        return GSS_S_BAD_MIC;
+@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
+     _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+     if (context_handle->more_flags & LOCAL)
+-       cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+       cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+     else
+-       cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+       cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+     memset(SND_SEQ, 0, sizeof(SND_SEQ));
+     if (cmp != 0) {
+@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+     _gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
+     if (context_handle->more_flags & LOCAL)
+-       cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
+       cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
+     else
+-       cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
+       cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
+     if (cmp != 0) {
+        *minor_status = 0;
+@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
+        return GSS_S_FAILURE;
+     }
+-    cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
+    cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
+     if (cmp) {
+        _gsskrb5_release_buffer(minor_status, output_message_buffer);
+        *minor_status = 0;
+@@ -1266,9 +1266,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
+     _gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
+     if (ctx->more_flags & LOCAL) {
+-       cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
+       cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
+     } else {
+-       cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
+       cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
+     }
+     if (cmp != 0) {
+        *minor_status = 0;
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
new file mode 100644
index 0000000000..5686df78e1
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
@@ -0,0 +1,35 @@
+From c9cc34334bd64b08fe91a2f720262462e9f6bb49 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:55 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() in
+ unwrap_des3()
+The surrounding checks all use ct_memcmp(), so this one was presumably
+meant to as well.
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/unwrap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
+index da939c0529..61a341ee43 100644
+--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
+@@ -227,7 +227,7 @@ unwrap_des3
+   if (ret)
+       return ret;
+-  if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+  if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+     return GSS_S_BAD_SIG;
+   p += 2;
+   if (ct_memcmp (p, "\x02\x00", 2) == 0) {
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
new file mode 100644
index 0000000000..55239356e4
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
@@ -0,0 +1,50 @@
+From a587a4bcb28d5b9047f332573b1e7c8f89ca3edd Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:42 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Don't pass NULL pointers to memcpy()
+ in DES unwrap
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/unwrap.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
+index 61a341ee43..d3987240dd 100644
+--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
+@@ -180,9 +180,10 @@ unwrap_des
+   output_message_buffer->value  = malloc(output_message_buffer->length);
+   if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+       return GSS_S_FAILURE;
+-  memcpy (output_message_buffer->value,
+-         p + 24,
+-         output_message_buffer->length);
+  if (output_message_buffer->value != NULL)
+      memcpy (output_message_buffer->value,
+             p + 24,
+             output_message_buffer->length);
+   return GSS_S_COMPLETE;
+ }
+ #endif
+@@ -374,9 +375,10 @@ unwrap_des3
+   output_message_buffer->value  = malloc(output_message_buffer->length);
+   if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
+       return GSS_S_FAILURE;
+-  memcpy (output_message_buffer->value,
+-         p + 36,
+-         output_message_buffer->length);
+  if (output_message_buffer->value != NULL)
+      memcpy (output_message_buffer->value,
+             p + 36,
+             output_message_buffer->length);
+   return GSS_S_COMPLETE;
+ }
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
new file mode 100644
index 0000000000..4e750f0dc6
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
@@ -0,0 +1,57 @@
+From c758910eaad3c0de2cfb68830a661c4739675a7d Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 15 Aug 2022 16:53:45 +1200
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Avoid undefined behaviour in
+ _gssapi_verify_pad()
+By decrementing 'pad' only when we know it's safe, we ensure we can't
+stray backwards past the start of a buffer, which would be undefined
+behaviour.
+In the previous version of the loop, 'i' is the number of bytes left to
+check, and 'pad' is the current byte we're checking. 'pad' was
+decremented at the end of each loop iteration. If 'i' was 1 (so we
+checked the final byte), 'pad' could potentially be pointing to the
+first byte of the input buffer, and the decrement would put it one
+byte behind the buffer.
+That would be undefined behaviour.
+The patch changes it so that 'pad' is the byte we previously checked,
+which allows us to ensure that we only decrement it when we know we
+have a byte to check.
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/decapsulate.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
+index 86085f5695..4e3fcd659e 100644
+--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
+@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
+     if (wrapped_token->length < 1)
+        return GSS_S_BAD_MECH;
+-    pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
+-    padlength = *pad;
+    pad = (u_char *)wrapped_token->value + wrapped_token->length;
+    padlength = pad[-1];
+     if (padlength > datalen)
+        return GSS_S_BAD_MECH;
+-    for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
+    for (i = padlength; i > 0 && *--pad == padlength; i--)
+        ;
+     if (i != 0)
+        return GSS_S_BAD_MIC;
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
new file mode 100644
index 0000000000..d6ea22e3df
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
@@ -0,0 +1,37 @@
+From 414b2a77fd61c26d64562e3800dc5578d9d0f15d Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 15 Aug 2022 16:53:55 +1200
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Check the result of
+ _gsskrb5_get_mech()
+We should make sure that the result of 'total_len - mech_len' won't
+overflow, and that we don't memcmp() past the end of the buffer.
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/decapsulate.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
+index 4e3fcd659e..031a621eab 100644
+--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
+@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
+     if (mech_len != mech->length)
+        return GSS_S_BAD_MECH;
+    if (mech_len > total_len)
+       return GSS_S_BAD_MECH;
+    if (p - *str > total_len - mech_len)
+       return GSS_S_BAD_MECH;
+     if (ct_memcmp(p,
+                  mech->elements,
+                  mech->length) != 0)
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
new file mode 100644
index 0000000000..9fa59c29b0
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
@@ -0,0 +1,65 @@
+From be9bbd93ed8f204b4bc1b92d1bc3c16aac194696 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 15 Aug 2022 16:54:23 +1200
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Check buffer length against overflow
+ for DES{,3} unwrap
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/unwrap.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
+index d3987240dd..fddb64bc53 100644
+--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
+@@ -64,6 +64,8 @@ unwrap_des
+   if (IS_DCE_STYLE(context_handle)) {
+      token_len = 22 + 8 + 15; /* 45 */
+     if (input_message_buffer->length < token_len)
+         return GSS_S_BAD_MECH;
+   } else {
+      token_len = input_message_buffer->length;
+   }
+@@ -76,6 +78,11 @@ unwrap_des
+   if (ret)
+       return ret;
+  len = (p - (u_char *)input_message_buffer->value)
+      + 22 + 8;
+  if (input_message_buffer->length < len)
+      return GSS_S_BAD_MECH;
+
+   if (memcmp (p, "\x00\x00", 2) != 0)
+     return GSS_S_BAD_SIG;
+   p += 2;
+@@ -216,6 +223,8 @@ unwrap_des3
+   if (IS_DCE_STYLE(context_handle)) {
+      token_len = 34 + 8 + 15; /* 57 */
+     if (input_message_buffer->length < token_len)
+         return GSS_S_BAD_MECH;
+   } else {
+      token_len = input_message_buffer->length;
+   }
+@@ -228,6 +237,11 @@ unwrap_des3
+   if (ret)
+       return ret;
+  len = (p - (u_char *)input_message_buffer->value)
+      + 34 + 8;
+  if (input_message_buffer->length < len)
+      return GSS_S_BAD_MECH;
+
+   if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
+     return GSS_S_BAD_SIG;
+   p += 2;
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
new file mode 100644
index 0000000000..b3197afc34
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
@@ -0,0 +1,39 @@
+From c8407ca079294d76a5ed140ba5b546f870d23ed2 Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Mon, 10 Oct 2022 20:33:09 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Check for overflow in
+ _gsskrb5_get_mech()
+If len_len is equal to total_len - 1 (i.e. the input consists only of a
+0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
+used as the 'len' parameter to der_get_length(), will overflow to
+SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
+whatever data follows in memory. Add a check to ensure that doesn't
+happen.
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/decapsulate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
+index 031a621eab..d7b75a6422 100644
+--- a/lib/gssapi/krb5/decapsulate.c
+++ b/lib/gssapi/krb5/decapsulate.c
+@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
+     e = der_get_length (p, total_len - 1, &len, &len_len);
+     if (e || 1 + len_len + len != total_len)
+        return -1;
+    if (total_len < 1 + len_len + 1)
+       return -1;
+     p += len_len;
+     if (*p++ != 0x06)
+        return -1;
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch
new file mode 100644
index 0000000000..6d64312211
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch
@@ -0,0 +1,48 @@
+From 8fb508a25a6a47289c73e3f4339352a73a396eef Mon Sep 17 00:00:00 2001
+From: Joseph Sutton <josephsutton@catalyst.net.nz>
+Date: Wed, 12 Oct 2022 13:57:33 +1300
+Subject: [PATCH] gsskrb5: CVE-2022-3437 Pass correct length to
+ _gssapi_verify_pad()
+We later subtract 8 when calculating the length of the output message
+buffer. If padlength is excessively high, this calculation can underflow
+and result in a very large positive value.
+Now we properly constrain the value of padlength so underflow shouldn't
+be possible.
+Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
+Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef]
+CVE: CVE-2022-3437
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/gssapi/krb5/unwrap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
+index fddb64bc53..bab30f4501 100644
+--- a/lib/gssapi/krb5/unwrap.c
+++ b/lib/gssapi/krb5/unwrap.c
+@@ -124,7 +124,7 @@ unwrap_des
+   } else {
+     /* check pad */
+     ret = _gssapi_verify_pad(input_message_buffer,
+-                            input_message_buffer->length - len,
+                            input_message_buffer->length - len - 8,
+                             &padlength);
+     if (ret)
+         return ret;
+@@ -289,7 +289,7 @@ unwrap_des3
+   } else {
+     /* check pad */
+     ret = _gssapi_verify_pad(input_message_buffer,
+-                            input_message_buffer->length - len,
+                            input_message_buffer->length - len - 8,
+                             &padlength);
+     if (ret)
+         return ret;
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index 53526a26b6..39ba851942 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -22,6 +22,14 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
           file://0005-samba-build-dnsserver_common-code.patch \
           file://0001-Fix-pyext_PATTERN-for-cross-compilation.patch \
           file://0001-smbtorture-skip-test-case-tfork_cmd_send.patch \
+           file://CVE-2022-3437-0001.patch;patchdir=source4/heimdal \
+           file://CVE-2022-3437-0002.patch;patchdir=source4/heimdal \
+           file://CVE-2022-3437-0003.patch;patchdir=source4/heimdal \
+           file://CVE-2022-3437-0004.patch;patchdir=source4/heimdal \
+           file://CVE-2022-3437-0005.patch;patchdir=source4/heimdal \
+           file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
+           file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
+           file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
           "
 SRC_URI:append:libc-musl = " \
author	Polampalli, Archana A <archana.polampalli@windriver.com>	2023-06-16 12:18:34 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-06-17 14:21:38 -0400
commit	9d203efe8f01fa7d433a52ae1098cb27ede07119 (patch)
tree	bc6db03a2ead95960d7c347e33e37fc0525d6991
parent	25dcf4d65b7d84ba24d0090d6283801ecae16546 (diff)
download	meta-openembedded-9d203efe8f01fa7d433a52ae1098cb27ede07119.tar.gz

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch new file mode 100644 index 0000000000..abc778b731 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0001.patch
@@ -0,0 +1,77 @@
		1	From f6edaafcfefd843ca1b1a041f942a853d85ee7c3 Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Wed, 12 Oct 2022 13:57:13 +1300
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() for arcfour
		5	unwrap
		6
		7	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		8
		9	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		10	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		11
		12	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/f6edaafcfefd843ca1b1a041f942a853d85ee7c3]
		13	CVE: CVE-2022-3437
		14
		15	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		16	---
		17	lib/gssapi/krb5/arcfour.c \| 16 ++++++++--------
		18	1 file changed, 8 insertions(+), 8 deletions(-)
		19
		20	diff --git a/lib/gssapi/krb5/arcfour.c b/lib/gssapi/krb5/arcfour.c
		21	index a61f768..4fc46ce 100644
		22	--- a/lib/gssapi/krb5/arcfour.c
		23	+++ b/lib/gssapi/krb5/arcfour.c
		24	@@ -365,7 +365,7 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
		25	return GSS_S_FAILURE;
		26	}
		27
		28	- cmp = ct_memcmp(cksum_data, p + 8, 8);
		29	+ cmp = (ct_memcmp(cksum_data, p + 8, 8) == 0);
		30	if (cmp) {
		31	*minor_status = 0;
		32	return GSS_S_BAD_MIC;
		33	@@ -385,9 +385,9 @@ _gssapi_verify_mic_arcfour(OM_uint32 * minor_status,
		34	_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
		35
		36	if (context_handle->more_flags & LOCAL)
		37	- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
		38	+ cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
		39	else
		40	- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
		41	+ cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
		42
		43	memset(SND_SEQ, 0, sizeof(SND_SEQ));
		44	if (cmp != 0) {
		45	@@ -656,9 +656,9 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
		46	_gsskrb5_decode_be_om_uint32(SND_SEQ, &seq_number);
		47
		48	if (context_handle->more_flags & LOCAL)
		49	- cmp = memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4);
		50	+ cmp = (ct_memcmp(&SND_SEQ[4], "\xff\xff\xff\xff", 4) != 0);
		51	else
		52	- cmp = memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4);
		53	+ cmp = (ct_memcmp(&SND_SEQ[4], "\x00\x00\x00\x00", 4) != 0);
		54
		55	if (cmp != 0) {
		56	*minor_status = 0;
		57	@@ -730,7 +730,7 @@ OM_uint32 _gssapi_unwrap_arcfour(OM_uint32 *minor_status,
		58	return GSS_S_FAILURE;
		59	}
		60
		61	- cmp = ct_memcmp(cksum_data, p0 + 16, 8); /* SGN_CKSUM */
		62	+ cmp = (ct_memcmp(cksum_data, p0 + 16, 8) == 0); /* SGN_CKSUM */
		63	if (cmp) {
		64	_gsskrb5_release_buffer(minor_status, output_message_buffer);
		65	*minor_status = 0;
		66	@@ -1266,9 +1266,9 @@ _gssapi_unwrap_iov_arcfour(OM_uint32 *minor_status,
		67	_gsskrb5_decode_be_om_uint32(snd_seq, &seq_number);
		68
		69	if (ctx->more_flags & LOCAL) {
		70	- cmp = memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4);
		71	+ cmp = (ct_memcmp(&snd_seq[4], "\xff\xff\xff\xff", 4) != 0);
		72	} else {
		73	- cmp = memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4);
		74	+ cmp = (ct_memcmp(&snd_seq[4], "\x00\x00\x00\x00", 4) != 0);
		75	}
		76	if (cmp != 0) {
		77	*minor_status = 0;


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch new file mode 100644 index 0000000000..5686df78e1 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0002.patch
@@ -0,0 +1,35 @@
		1	From c9cc34334bd64b08fe91a2f720262462e9f6bb49 Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Wed, 12 Oct 2022 13:57:55 +1300
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Use constant-time memcmp() in
		5	unwrap_des3()
		6
		7	The surrounding checks all use ct_memcmp(), so this one was presumably
		8	meant to as well.
		9
		10	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		11
		12	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		13	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		14
		15	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c9cc34334bd64b08fe91a2f720262462e9f6bb49]
		16	CVE: CVE-2022-3437
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	lib/gssapi/krb5/unwrap.c \| 2 +-
		21	1 file changed, 1 insertion(+), 1 deletion(-)
		22
		23	diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
		24	index da939c0529..61a341ee43 100644
		25	--- a/lib/gssapi/krb5/unwrap.c
		26	+++ b/lib/gssapi/krb5/unwrap.c
		27	@@ -227,7 +227,7 @@ unwrap_des3
		28	if (ret)
		29	return ret;
		30
		31	- if (memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
		32	+ if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
		33	return GSS_S_BAD_SIG;
		34	p += 2;
		35	if (ct_memcmp (p, "\x02\x00", 2) == 0) {


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch new file mode 100644 index 0000000000..55239356e4 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0003.patch
@@ -0,0 +1,50 @@
		1	From a587a4bcb28d5b9047f332573b1e7c8f89ca3edd Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Wed, 12 Oct 2022 13:57:42 +1300
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Don't pass NULL pointers to memcpy()
		5	in DES unwrap
		6
		7	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		8
		9	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		10	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		11
		12	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/a587a4bcb28d5b9047f332573b1e7c8f89ca3edd]
		13	CVE: CVE-2022-3437
		14
		15	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		16	---
		17	lib/gssapi/krb5/unwrap.c \| 14 ++++++++------
		18	1 file changed, 8 insertions(+), 6 deletions(-)
		19
		20	diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
		21	index 61a341ee43..d3987240dd 100644
		22	--- a/lib/gssapi/krb5/unwrap.c
		23	+++ b/lib/gssapi/krb5/unwrap.c
		24	@@ -180,9 +180,10 @@ unwrap_des
		25	output_message_buffer->value = malloc(output_message_buffer->length);
		26	if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
		27	return GSS_S_FAILURE;
		28	- memcpy (output_message_buffer->value,
		29	- p + 24,
		30	- output_message_buffer->length);
		31	+ if (output_message_buffer->value != NULL)
		32	+ memcpy (output_message_buffer->value,
		33	+ p + 24,
		34	+ output_message_buffer->length);
		35	return GSS_S_COMPLETE;
		36	}
		37	#endif
		38	@@ -374,9 +375,10 @@ unwrap_des3
		39	output_message_buffer->value = malloc(output_message_buffer->length);
		40	if(output_message_buffer->length != 0 && output_message_buffer->value == NULL)
		41	return GSS_S_FAILURE;
		42	- memcpy (output_message_buffer->value,
		43	- p + 36,
		44	- output_message_buffer->length);
		45	+ if (output_message_buffer->value != NULL)
		46	+ memcpy (output_message_buffer->value,
		47	+ p + 36,
		48	+ output_message_buffer->length);
		49	return GSS_S_COMPLETE;
		50	}


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch new file mode 100644 index 0000000000..4e750f0dc6 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0004.patch
@@ -0,0 +1,57 @@
		1	From c758910eaad3c0de2cfb68830a661c4739675a7d Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Mon, 15 Aug 2022 16:53:45 +1200
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Avoid undefined behaviour in
		5	_gssapi_verify_pad()
		6
		7	By decrementing 'pad' only when we know it's safe, we ensure we can't
		8	stray backwards past the start of a buffer, which would be undefined
		9	behaviour.
		10
		11	In the previous version of the loop, 'i' is the number of bytes left to
		12	check, and 'pad' is the current byte we're checking. 'pad' was
		13	decremented at the end of each loop iteration. If 'i' was 1 (so we
		14	checked the final byte), 'pad' could potentially be pointing to the
		15	first byte of the input buffer, and the decrement would put it one
		16	byte behind the buffer.
		17
		18	That would be undefined behaviour.
		19
		20	The patch changes it so that 'pad' is the byte we previously checked,
		21	which allows us to ensure that we only decrement it when we know we
		22	have a byte to check.
		23
		24	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		25
		26	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		27	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		28
		29	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c758910eaad3c0de2cfb68830a661c4739675a7d]
		30	CVE: CVE-2022-3437
		31
		32	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		33	---
		34	lib/gssapi/krb5/decapsulate.c \| 6 +++---
		35	1 file changed, 3 insertions(+), 3 deletions(-)
		36
		37	diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
		38	index 86085f5695..4e3fcd659e 100644
		39	--- a/lib/gssapi/krb5/decapsulate.c
		40	+++ b/lib/gssapi/krb5/decapsulate.c
		41	@@ -193,13 +193,13 @@ _gssapi_verify_pad(gss_buffer_t wrapped_token,
		42	if (wrapped_token->length < 1)
		43	return GSS_S_BAD_MECH;
		44
		45	- pad = (u_char *)wrapped_token->value + wrapped_token->length - 1;
		46	- padlength = *pad;
		47	+ pad = (u_char *)wrapped_token->value + wrapped_token->length;
		48	+ padlength = pad[-1];
		49
		50	if (padlength > datalen)
		51	return GSS_S_BAD_MECH;
		52
		53	- for (i = padlength; i > 0 && *pad == padlength; i--, pad--)
		54	+ for (i = padlength; i > 0 && *--pad == padlength; i--)
		55	;
		56	if (i != 0)
		57	return GSS_S_BAD_MIC;


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch new file mode 100644 index 0000000000..d6ea22e3df --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0005.patch
@@ -0,0 +1,37 @@
		1	From 414b2a77fd61c26d64562e3800dc5578d9d0f15d Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Mon, 15 Aug 2022 16:53:55 +1200
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Check the result of
		5	_gsskrb5_get_mech()
		6
		7	We should make sure that the result of 'total_len - mech_len' won't
		8	overflow, and that we don't memcmp() past the end of the buffer.
		9
		10	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		11
		12	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		13	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		14
		15	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/414b2a77fd61c26d64562e3800dc5578d9d0f15d]
		16	CVE: CVE-2022-3437
		17
		18	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		19	---
		20	lib/gssapi/krb5/decapsulate.c \| 4 ++++
		21	1 file changed, 4 insertions(+)
		22
		23	diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
		24	index 4e3fcd659e..031a621eab 100644
		25	--- a/lib/gssapi/krb5/decapsulate.c
		26	+++ b/lib/gssapi/krb5/decapsulate.c
		27	@@ -80,6 +80,10 @@ _gssapi_verify_mech_header(u_char **str,
		28
		29	if (mech_len != mech->length)
		30	return GSS_S_BAD_MECH;
		31	+ if (mech_len > total_len)
		32	+ return GSS_S_BAD_MECH;
		33	+ if (p - *str > total_len - mech_len)
		34	+ return GSS_S_BAD_MECH;
		35	if (ct_memcmp(p,
		36	mech->elements,
		37	mech->length) != 0)


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch new file mode 100644 index 0000000000..9fa59c29b0 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0006.patch
@@ -0,0 +1,65 @@
		1	From be9bbd93ed8f204b4bc1b92d1bc3c16aac194696 Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Mon, 15 Aug 2022 16:54:23 +1200
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Check buffer length against overflow
		5	for DES{,3} unwrap
		6
		7	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		8
		9	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		10	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		11
		12	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/be9bbd93ed8f204b4bc1b92d1bc3c16aac194696]
		13	CVE: CVE-2022-3437
		14
		15	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		16	---
		17	lib/gssapi/krb5/unwrap.c \| 14 ++++++++++++++
		18	1 file changed, 14 insertions(+)
		19
		20	diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
		21	index d3987240dd..fddb64bc53 100644
		22	--- a/lib/gssapi/krb5/unwrap.c
		23	+++ b/lib/gssapi/krb5/unwrap.c
		24	@@ -64,6 +64,8 @@ unwrap_des
		25
		26	if (IS_DCE_STYLE(context_handle)) {
		27	token_len = 22 + 8 + 15; /* 45 */
		28	+ if (input_message_buffer->length < token_len)
		29	+ return GSS_S_BAD_MECH;
		30	} else {
		31	token_len = input_message_buffer->length;
		32	}
		33	@@ -76,6 +78,11 @@ unwrap_des
		34	if (ret)
		35	return ret;
		36
		37	+ len = (p - (u_char *)input_message_buffer->value)
		38	+ + 22 + 8;
		39	+ if (input_message_buffer->length < len)
		40	+ return GSS_S_BAD_MECH;
		41	+
		42	if (memcmp (p, "\x00\x00", 2) != 0)
		43	return GSS_S_BAD_SIG;
		44	p += 2;
		45	@@ -216,6 +223,8 @@ unwrap_des3
		46
		47	if (IS_DCE_STYLE(context_handle)) {
		48	token_len = 34 + 8 + 15; /* 57 */
		49	+ if (input_message_buffer->length < token_len)
		50	+ return GSS_S_BAD_MECH;
		51	} else {
		52	token_len = input_message_buffer->length;
		53	}
		54	@@ -228,6 +237,11 @@ unwrap_des3
		55	if (ret)
		56	return ret;
		57
		58	+ len = (p - (u_char *)input_message_buffer->value)
		59	+ + 34 + 8;
		60	+ if (input_message_buffer->length < len)
		61	+ return GSS_S_BAD_MECH;
		62	+
		63	if (ct_memcmp (p, "\x04\x00", 2) != 0) /* HMAC SHA1 DES3_KD */
		64	return GSS_S_BAD_SIG;
		65	p += 2;


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch new file mode 100644 index 0000000000..b3197afc34 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0007.patch
@@ -0,0 +1,39 @@
		1	From c8407ca079294d76a5ed140ba5b546f870d23ed2 Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Mon, 10 Oct 2022 20:33:09 +1300
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Check for overflow in
		5	_gsskrb5_get_mech()
		6
		7	If len_len is equal to total_len - 1 (i.e. the input consists only of a
		8	0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
		9	used as the 'len' parameter to der_get_length(), will overflow to
		10	SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
		11	whatever data follows in memory. Add a check to ensure that doesn't
		12	happen.
		13
		14	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		15
		16	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		17	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		18
		19	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/c8407ca079294d76a5ed140ba5b546f870d23ed2]
		20	CVE: CVE-2022-3437
		21
		22	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		23	---
		24	lib/gssapi/krb5/decapsulate.c \| 2 ++
		25	1 file changed, 2 insertions(+)
		26
		27	diff --git a/lib/gssapi/krb5/decapsulate.c b/lib/gssapi/krb5/decapsulate.c
		28	index 031a621eab..d7b75a6422 100644
		29	--- a/lib/gssapi/krb5/decapsulate.c
		30	+++ b/lib/gssapi/krb5/decapsulate.c
		31	@@ -54,6 +54,8 @@ _gsskrb5_get_mech (const u_char *ptr,
		32	e = der_get_length (p, total_len - 1, &len, &len_len);
		33	if (e \|\| 1 + len_len + len != total_len)
		34	return -1;
		35	+ if (total_len < 1 + len_len + 1)
		36	+ return -1;
		37	p += len_len;
		38	if (*p++ != 0x06)
		39	return -1;


diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch new file mode 100644 index 0000000000..6d64312211 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-3437-0008.patch
@@ -0,0 +1,48 @@
		1	From 8fb508a25a6a47289c73e3f4339352a73a396eef Mon Sep 17 00:00:00 2001
		2	From: Joseph Sutton <josephsutton@catalyst.net.nz>
		3	Date: Wed, 12 Oct 2022 13:57:33 +1300
		4	Subject: [PATCH] gsskrb5: CVE-2022-3437 Pass correct length to
		5	_gssapi_verify_pad()
		6
		7	We later subtract 8 when calculating the length of the output message
		8	buffer. If padlength is excessively high, this calculation can underflow
		9	and result in a very large positive value.
		10
		11	Now we properly constrain the value of padlength so underflow shouldn't
		12	be possible.
		13
		14	Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
		15
		16	Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
		17	Reviewed-by: Andrew Bartlett <abartlet@samba.org>
		18
		19	Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/8fb508a25a6a47289c73e3f4339352a73a396eef]
		20	CVE: CVE-2022-3437
		21
		22	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		23	---
		24	lib/gssapi/krb5/unwrap.c \| 4 ++--
		25	1 file changed, 2 insertions(+), 2 deletions(-)
		26
		27	diff --git a/lib/gssapi/krb5/unwrap.c b/lib/gssapi/krb5/unwrap.c
		28	index fddb64bc53..bab30f4501 100644
		29	--- a/lib/gssapi/krb5/unwrap.c
		30	+++ b/lib/gssapi/krb5/unwrap.c
		31	@@ -124,7 +124,7 @@ unwrap_des
		32	} else {
		33	/* check pad */
		34	ret = _gssapi_verify_pad(input_message_buffer,
		35	- input_message_buffer->length - len,
		36	+ input_message_buffer->length - len - 8,
		37	&padlength);
		38	if (ret)
		39	return ret;
		40	@@ -289,7 +289,7 @@ unwrap_des3
		41	} else {
		42	/* check pad */
		43	ret = _gssapi_verify_pad(input_message_buffer,
		44	- input_message_buffer->length - len,
		45	+ input_message_buffer->length - len - 8,
		46	&padlength);
		47	if (ret)
		48	return ret;


diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb index 53526a26b6..39ba851942 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -22,6 +22,14 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
22	file://0005-samba-build-dnsserver_common-code.patch \	22	file://0005-samba-build-dnsserver_common-code.patch \
23	file://0001-Fix-pyext_PATTERN-for-cross-compilation.patch \	23	file://0001-Fix-pyext_PATTERN-for-cross-compilation.patch \
24	file://0001-smbtorture-skip-test-case-tfork_cmd_send.patch \	24	file://0001-smbtorture-skip-test-case-tfork_cmd_send.patch \
		25	file://CVE-2022-3437-0001.patch;patchdir=source4/heimdal \
		26	file://CVE-2022-3437-0002.patch;patchdir=source4/heimdal \
		27	file://CVE-2022-3437-0003.patch;patchdir=source4/heimdal \
		28	file://CVE-2022-3437-0004.patch;patchdir=source4/heimdal \
		29	file://CVE-2022-3437-0005.patch;patchdir=source4/heimdal \
		30	file://CVE-2022-3437-0006.patch;patchdir=source4/heimdal \
		31	file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
		32	file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
25	"	33	"
26		34
27	SRC_URI:append:libc-musl = " \	35	SRC_URI:append:libc-musl = " \