2 files changed, 113 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
new file mode 100644
index 0000000000..3341b80a38
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
@@ -0,0 +1,112 @@
+From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 14:34:31 +0900
+Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with 
+ NULL. do not crash when additional data not found
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Found by Francis Brosnan BlÃ¡zquez <francis@aspl.es>.
+Based on patches from Francis Brosnan BlÃ¡zquez <francis@aspl.es>
+and Jeremy Allison <jra@samba.org>
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jeremy Allison <jra@samba.org>
+Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
+Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
+(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)
+(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+ .../rpc_server/dnsserver/dcerpc_dnsserver.c   | 31 ++++++++++---------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+index 910de9a1..618c7096 100644
+--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
+@@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+        TALLOC_CTX *tmp_ctx;
+        char *name;
+        const char * const attrs[] = { "name", "dnsRecord", NULL };
+-       struct ldb_result *res;
+-       struct DNS_RPC_RECORDS_ARRAY *recs;
+       struct ldb_result *res = NULL;
+       struct DNS_RPC_RECORDS_ARRAY *recs = NULL;
+        char **add_names = NULL;
+-       char *rname;
+       char *rname = NULL;
+        const char *preference_name = NULL;
+        int add_count = 0;
+        int i, ret, len;
+        WERROR status;
+-       struct dns_tree *tree, *base, *node;
+       struct dns_tree *tree = NULL;
+       struct dns_tree *base = NULL;
+       struct dns_tree *node = NULL;
+ 
+        tmp_ctx = talloc_new(mem_ctx);
+        W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
+@@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+                }
+        }
+ 
+-       talloc_free(res);
+-       talloc_free(tree);
+-       talloc_free(name);
+       TALLOC_FREE(res);
+       TALLOC_FREE(tree);
+       TALLOC_FREE(name);
+ 
+        /* Add any additional records */
+        if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
+                for (i=0; i<add_count; i++) {
+-                       struct dnsserver_zone *z2;
+-
+                       struct dnsserver_zone *z2 = NULL;
+                       struct ldb_message *msg = NULL;
+                        /* Search all the available zones for additional name */
+                        for (z2 = dsstate->zones; z2; z2 = z2->next) {
+                                char *encoded_name;
+@@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+                                                LDB_SCOPE_ONELEVEL, attrs,
+                                                "(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
+                                                encoded_name);
+-                               talloc_free(name);
+                               TALLOC_FREE(name);
+                                if (ret != LDB_SUCCESS) {
+                                        continue;
+                                }
+                                if (res->count == 1) {
+                                       msg = res->msgs[0];
+                                        break;
+                                } else {
+-                                       talloc_free(res);
+                                       TALLOC_FREE(res);
+                                        continue;
+                                }
+                        }
+@@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
+                        }
+                        status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
+                                                        select_flag, rname,
+-                                                       res->msgs[0], 0, recs,
+                                                       msg, 0, recs,
+                                                        NULL, NULL);
+-                       talloc_free(rname);
+-                       talloc_free(res);
+                       TALLOC_FREE(rname);
+                       TALLOC_FREE(res);
+                }
+        }
+ 
+-- 
+2.25.1
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
index 923b2ddf16..1a982368ec 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -29,6 +29,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
           file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
           file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
           file://CVE-2020-14318.patch \
+           file://CVE-2020-14383.patch \
           "
 SRC_URI_append_libc-musl = " \
           file://samba-pam.patch \

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch new file mode 100644 index 0000000000..3341b80a38 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14383.patch
@@ -0,0 +1,112 @@
		1	From ff17443fe761eda864d13957bec45f5bac478fe3 Mon Sep 17 00:00:00 2001
		2	From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
		3	Date: Fri, 11 Dec 2020 14:34:31 +0900
		4	Subject: [PATCH] CVE-2020-14383: s4/dns: Ensure variable initialization with
		5	NULL. do not crash when additional data not found
		6	MIME-Version: 1.0
		7	Content-Type: text/plain; charset=UTF-8
		8	Content-Transfer-Encoding: 8bit
		9
		10	Found by Francis Brosnan BlÃ¡zquez <francis@aspl.es>.
		11	Based on patches from Francis Brosnan BlÃ¡zquez <francis@aspl.es>
		12	and Jeremy Allison <jra@samba.org>
		13
		14	BUG: https://bugzilla.samba.org/show_bug.cgi?id=14472
		15	BUG: https://bugzilla.samba.org/show_bug.cgi?id=12795
		16
		17	Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
		18	Reviewed-by: Jeremy Allison <jra@samba.org>
		19
		20	Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
		21	Autobuild-Date(master): Mon Aug 24 00:21:41 UTC 2020 on sn-devel-184
		22
		23	(based on commit df98e7db04c901259dd089e20cd557bdbdeaf379)
		24	(based on commit 7afe449e7201be92bed8e53cbb37b74af720ef4e
		25
		26	Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
		27	---
		28	.../rpc_server/dnsserver/dcerpc_dnsserver.c \| 31 ++++++++++---------
		29	1 file changed, 17 insertions(+), 14 deletions(-)
		30
		31	diff --git a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
		32	index 910de9a1..618c7096 100644
		33	--- a/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
		34	+++ b/source4/rpc_server/dnsserver/dcerpc_dnsserver.c
		35	@@ -1754,15 +1754,17 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
		36	TALLOC_CTX *tmp_ctx;
		37	char *name;
		38	const char * const attrs[] = { "name", "dnsRecord", NULL };
		39	- struct ldb_result *res;
		40	- struct DNS_RPC_RECORDS_ARRAY *recs;
		41	+ struct ldb_result *res = NULL;
		42	+ struct DNS_RPC_RECORDS_ARRAY *recs = NULL;
		43	char **add_names = NULL;
		44	- char *rname;
		45	+ char *rname = NULL;
		46	const char *preference_name = NULL;
		47	int add_count = 0;
		48	int i, ret, len;
		49	WERROR status;
		50	- struct dns_tree tree, base, *node;
		51	+ struct dns_tree *tree = NULL;
		52	+ struct dns_tree *base = NULL;
		53	+ struct dns_tree *node = NULL;
		54
		55	tmp_ctx = talloc_new(mem_ctx);
		56	W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
		57	@@ -1845,15 +1847,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
		58	}
		59	}
		60
		61	- talloc_free(res);
		62	- talloc_free(tree);
		63	- talloc_free(name);
		64	+ TALLOC_FREE(res);
		65	+ TALLOC_FREE(tree);
		66	+ TALLOC_FREE(name);
		67
		68	/* Add any additional records */
		69	if (select_flag & DNS_RPC_VIEW_ADDITIONAL_DATA) {
		70	for (i=0; i<add_count; i++) {
		71	- struct dnsserver_zone *z2;
		72	-
		73	+ struct dnsserver_zone *z2 = NULL;
		74	+ struct ldb_message *msg = NULL;
		75	/* Search all the available zones for additional name */
		76	for (z2 = dsstate->zones; z2; z2 = z2->next) {
		77	char *encoded_name;
		78	@@ -1865,14 +1867,15 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
		79	LDB_SCOPE_ONELEVEL, attrs,
		80	"(&(objectClass=dnsNode)(name=%s)(!(dNSTombstoned=TRUE)))",
		81	encoded_name);
		82	- talloc_free(name);
		83	+ TALLOC_FREE(name);
		84	if (ret != LDB_SUCCESS) {
		85	continue;
		86	}
		87	if (res->count == 1) {
		88	+ msg = res->msgs[0];
		89	break;
		90	} else {
		91	- talloc_free(res);
		92	+ TALLOC_FREE(res);
		93	continue;
		94	}
		95	}
		96	@@ -1885,10 +1888,10 @@ static WERROR dnsserver_enumerate_records(struct dnsserver_state *dsstate,
		97	}
		98	status = dns_fill_records_array(tmp_ctx, NULL, DNS_TYPE_A,
		99	select_flag, rname,
		100	- res->msgs[0], 0, recs,
		101	+ msg, 0, recs,
		102	NULL, NULL);
		103	- talloc_free(rname);
		104	- talloc_free(res);
		105	+ TALLOC_FREE(rname);
		106	+ TALLOC_FREE(res);
		107	}
		108	}
		109
		110	--
		111	2.25.1
		112


diff --git a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb index 923b2ddf16..1a982368ec 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.10.18.bb
@@ -29,6 +29,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
29	file://0001-Add-options-to-configure-the-use-of-libbsd.patch \	29	file://0001-Add-options-to-configure-the-use-of-libbsd.patch \
30	file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \	30	file://0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch \
31	file://CVE-2020-14318.patch \	31	file://CVE-2020-14318.patch \
		32	file://CVE-2020-14383.patch \
32	"	33	"
33	SRC_URI_append_libc-musl = " \	34	SRC_URI_append_libc-musl = " \
34	file://samba-pam.patch \	35	file://samba-pam.patch \