diff mbox series

[meta-networking,kirkstone,1/1] samba: fix CVE-2022-41916

Message ID 20230615100658.543762-1-archana.polampalli@windriver.com
State New

Commit Message

Polampalli, Archana June 15, 2023, 10:06 a.m. UTC
Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos.
Versions prior to 7.7.1 are vulnerable to a denial of service
vulnerability in Heimdal's PKI certificate validation library,
affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as
any third-party applications using Heimdal's libhx509. Users
should upgrade to Heimdal 7.7.1 or 7.8. There are no known
workarounds for this issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41916

Upstream patches:
https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../samba/samba/CVE-2022-41916.patch          | 41 +++++++++++++++++++
 .../samba/samba_4.14.14.bb                    |  1 +
 2 files changed, 42 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch

Comments

Hi Hari,

Regarding format only, nothing specific to review of the fix.

I saw many developers have contributed to samba package fixes.
It would be great if we can keep a common format inside the .patch file, as follows.

----------------------------------------------
CVE: CVE-2022-41916
Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/eb87af0c2d18]

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
----------------------------------------------

Thanks,
Sanjay

-----Original Message-----
From: openembedded-devel@lists.openembedded.org <openembedded-devel@lists.openembedded.org> On Behalf Of Polampalli, Archana via lists.openembedded.org
Sent: Thursday, June 15, 2023 3:37 PM
To: openembedded-devel@lists.openembedded.org
Cc: Hari.GPillai@windriver.com
Subject: [oe][meta-networking][kirkstone][PATCH 1/1] samba: fix CVE-2022-41916

Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos.
Versions prior to 7.7.1 are vulnerable to a denial of service vulnerability in Heimdal's PKI certificate validation library, affecting the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party applications using Heimdal's libhx509. Users should upgrade to Heimdal 7.7.1 or 7.8. There are no known workarounds for this issue.

References:
https://nvd.nist.gov/vuln/detail/CVE-2022-41916

Upstream patches:
https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
Polampalli, Archana June 15, 2023, 11:10 a.m. UTC | #2
Hi Sanjay,

Thank you for your review comment on patch format.

Shall I send V2 with updated format?

Regards,
Archana
DC June 15, 2023, 12:01 p.m. UTC | #3
Hi Archana,

Thank you for the patch. I personally don't see the need to send a v2.

All your previous patches are submitted in the same format as this one and there has not been any issue. So, there is no need to change the format as long as your format matches the guidelines.

If there are any changes needed in format or if there is anything that needs to be corrected, maintainers will give you feedback on anything which they feel is not in accordance with the guidelines.

Thank you for the continuous work on the fixes.

Regards,

DC
Hi Archana,

As I mentioned, it would be advisable and good if we can make a standard format.
We don't have a strict guideline for this, but we always recommend following it, specifically for CVE patches.

We would appreciate it if you can consider this point and share the updated patchset.

Thanks,
Sanjay


From: Polampalli, Archana <Archana.Polampalli@windriver.com>
Sent: Thursday, June 15, 2023 4:40 PM
To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>; openembedded-devel@lists.openembedded.org
Cc: G Pillai, Hari <Hari.GPillai@windriver.com>
Subject: Re: [oe][meta-networking][kirkstone][PATCH 1/1] samba: fix CVE-2022-41916

Hi Sanjay,

Thank you for your review comment on patch format.

Shall I send V2 with updated format?

Regards,
Archana
DC June 15, 2023, 4:55 p.m. UTC | #5
Hi Sanjay,

Thank you for your intention to help, but I feel the patch is fine and follows all the guidelines, and even Khem or Armin will have the same opinion.

I would request you to let maintainers provide feedback if there are any corrections needed on any patchset submitted. Everyone giving feedback would make the platform a bit messy.

And rest assured, if there are any mistakes, the maintainers would point them out.

Thanks,

DC
Martin Jansa June 15, 2023, 5:20 p.m. UTC | #6
FWIW: I do agree that a link to upstream patch does belong to
Upstream-Status as:
"Upstream-Status: Backport [link]"

When there are many Backported changes I also prefer to add in which tag
they were first included as e.g.
"Upstream-Status: Backport [v1.1 link]"
to make it more clear which patches are expected to be dropped when
upgrading past 1.1 version.

And I think it's better than in separate lines used in the .patch:

Reference to upstream patch:
https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c

So I think Sanjay's recommendation is a useful one for future patches.

Regards,

On Thu, Jun 15, 2023 at 12:48 PM Sanjaykumar kantibhai Chitroda -X
(schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
<schitrod=cisco.com@lists.openembedded.org> wrote:

> Hi Hari,
>
> Regarding format only, nothing specific to review of the fix.
>
> I saw many developers have contributed to samba package fixes.
> It would be great if we can keep a common format inside the .patch file, as
> follows.
>
> ----------------------------------------------
> CVE: CVE-2022-41916
> Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/eb87af0c2d18]
>
> Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> ----------------------------------------------
>
> Thanks,
> Sanjay
>
> -----Original Message-----
> From: openembedded-devel@lists.openembedded.org <
> openembedded-devel@lists.openembedded.org> On Behalf Of Polampalli,
> Archana via lists.openembedded.org
> Sent: Thursday, June 15, 2023 3:37 PM
> To: openembedded-devel@lists.openembedded.org
> Cc: Hari.GPillai@windriver.com
> Subject: [oe][meta-networking][kirkstone][PATCH 1/1] samba: fix
> CVE-2022-41916
>
> Heimdal is an implementation of ASN.1/DER, PKIX, and Kerberos.
> Versions prior to 7.7.1 are vulnerable to a denial of service
> vulnerability in Heimdal's PKI certificate validation library, affecting
> the KDC (via PKINIT) and kinit (via PKINIT), as well as any third-party
> applications using Heimdal's libhx509. Users should upgrade to Heimdal
> 7.7.1 or 7.8. There are no known workarounds for this issue.
>
> References:
> https://nvd.nist.gov/vuln/detail/CVE-2022-41916
>
> Upstream patches:
> https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c
>
> Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
> ---
Polampalli, Archana June 15, 2023, 5:24 p.m. UTC | #7
Thank You,

I will send V2.

Regards,
Archana

Patch

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch
new file mode 100644
index 000000000..055e4060e
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2022-41916.patch
@@ -0,0 +1,41 @@ 
+From eb87af0c2d189c25294c7daf483a47b03af80c2c Mon Sep 17 00:00:00 2001
+From: Jeffrey Altman <jaltman@secure-endpoints.com>
+Date: Wed, 17 Nov 2021 20:00:29 -0500
+Subject: [PATCH] lib/wind: find_normalize read past end of array
+
+find_normalize() can under some circumstances read one element
+beyond the input array.  The contents are discarded immediately
+without further use.
+
+This change prevents the unintended read.
+
+(cherry picked from commit 357a38fc7fb582ae73f4b7f4a90a4b0b871b149e)
+
+Change-Id: Ia2759a5632d64f7fa6553f879b5bbbf43ba3513e
+
+Upstream-Status: Backport
+CVE: CVE-2022-41916
+
+Reference to upstream patch:
+https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ lib/wind/normalize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/wind/normalize.c b/lib/wind/normalize.c
+index 20e8a4a04b..8f3991d10e 100644
+--- a/lib/wind/normalize.c
++++ b/lib/wind/normalize.c
+@@ -227,9 +227,9 @@ find_composition(const uint32_t *in, unsigned in_len)
+	unsigned i;
+
+	if (n % 5 == 0) {
+-	    cur = *in++;
+	    if (in_len-- == 0)
+		return c->val;
++	    cur = *in++;
+	}
+
+	i = cur >> 16;
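Review bot: The "Upstream-Status: Backport" line in the added patch header carries no reference, while the upstream commit URL sits in a separate "Reference to upstream patch:" paragraph below the CVE tag. Folding the link into the tag, as "Upstream-Status: Backport [https://github.com/heimdal/heimdal/commit/eb87af0c2d189c25294c7daf483a47b03af80c2c]", keeps the provenance on one greppable line and lets the separate paragraph be dropped. The header would also benefit from one sentence tying the change to the CVE: the commit message describes a denial of service in certificate validation, whereas the backported subject and the inner hunk concern a one-element read past the input array in lib/wind/normalize.c. Note too that the subject names find_normalize() while the inner hunk header shows find_composition().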
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index cc07d51dc..fcec63752 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -31,6 +31,7 @@  SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://CVE-2022-3437-0007.patch;patchdir=source4/heimdal \
            file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
            file://CVE-2022-45142.patch;patchdir=source4/heimdal \
+           file://CVE-2022-41916.patch;patchdir=source4/heimdal \
            "
 
 SRC_URI:append:libc-musl = " \
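Review bot: The added SRC_URI entry relies on patchdir=source4/heimdal to map the inner patch's lib/wind/normalize.c path onto Samba's bundled Heimdal copy, but the inner index line (20e8a4a04b..8f3991d10e) comes from the upstream Heimdal tree rather than from samba 4.14.14. Please state in the commit message that the patch was checked to apply cleanly, without fuzz, against the bundled sources in this recipe version.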