new file mode 100644
@@ -0,0 +1,69 @@
+From f9ec7002cdd526ae84fbacbf153162e118f22580 Mon Sep 17 00:00:00 2001
+From: Nicolas Williams <nico@twosigma.com>
+Date: Wed Mar 9 10:18:52 2022 -0600
+Subject: [PATCH] spnego: CVE-2021-44758 send_reject when no mech selected
+
+ This fixes a DoS where an initial SPNEGO token that has no acceptable
+ mechanisms causes a NULL dereference in acceptors.
+
+ send_accept() when called with a non-zero 'initial_response' did
+ not handle the case of gssspnego_ctx.preferred_mech_type equal
+ to GSS_C_NO_OID.
+
+ The failure to handle GSS_C_NO_OID has been present since the
+ initial revision of gssapi/spnego,
+ 2baa7e7d613c26b2b037b368931519a84baec53d but might not have
+ been exercised until later revisions.
+
+ The introduction of opportunistic token handling in
+ gss_accept_sec_context(), 3c9d3266f47f594a29068c9d629908e7000ac663,
+ introduced two bugs:
+
+ 1. The optional mechToken field is used unconditionally
+ possibly resulting in a segmentation fault.
+
+ 2. If use of the opportunistic token is unsuccessful and the
+ mech type list length is one, send_accept() can be called
+ with 'initial_response' true and preferred mech set to
+ GSS_C_NO_OID.
+
+ b53c90da0890a9cce6f95c552f094ff6d69027bf ("Make error reporting
+ somewhat more correct for SPNEGO") attempted to fix the first
+ issue and increased the likelihood of the second.
+
+ This change alters the behavior of acceptor_start() so it calls
+ send_reject() when no mechanism was selected.
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ .../heimdal/lib/gssapi/spnego/accept_sec_context.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c
+index 3a51dd3..b60dc19 100644
+--- a/lib/gssapi/spnego/accept_sec_context.c
++++ b/lib/gssapi/spnego/accept_sec_context.c
+@@ -619,13 +619,15 @@ acceptor_start
+ if (ret == 0)
+ break;
+ }
+- if (preferred_mech_type == GSS_C_NO_OID) {
+- HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
+- free_NegotiationToken(&nt);
+- return ret;
+- }
++ }
++
++ ctx->preferred_mech_type = preferred_mech_type;
+
+- ctx->preferred_mech_type = preferred_mech_type;
++ if (preferred_mech_type == GSS_C_NO_OID) {
++ send_reject(minor_status, output_token);
++ HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
++ free_NegotiationToken(&nt);
++ return ret;
+ }
+
+ /*
+--
+2.40.0
@@ -32,6 +32,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
file://CVE-2022-3437-0008.patch;patchdir=source4/heimdal \
file://CVE-2022-45142.patch;patchdir=source4/heimdal \
file://CVE-2022-41916.patch;patchdir=source4/heimdal \
+ file://CVE-2021-44758.patch;patchdir=source4/heimdal \
"
SRC_URI:append:libc-musl = " \
Heimdal before 7.7.1 allows attackers to cause a NULL pointer dereference in a SPNEGO acceptor via a preferred_mech_type of GSS_C_NO_OID and a nonzero initial_response value to send_accept. References: https://nvd.nist.gov/vuln/detail/CVE-2021-44758 Upstream patches: https://github.com/heimdal/heimdal/commit/f9ec7002cdd526ae84fbacbf153162e118f22580 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> --- .../samba/samba/CVE-2021-44758.patch | 69 +++++++++++++++++++ .../samba/samba_4.14.14.bb | 1 + 2 files changed, 70 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2021-44758.patch