[meta-networking,kirkstone,2/2] samba: fix CVE-2023-42669

Message ID 20231122045524.53871-2-archana.polampalli@windriver.com
State New
Series [meta-networking,kirkstone,1/2] samba: fix CVE-2023-4091

Commit Message

Polampalli, Archana Nov. 22, 2023, 4:55 a.m. UTC
From: Archana Polampalli <archana.polampalli@windriver.com>

A vulnerability was found in Samba's "rpcecho" development server, a non-Windows
RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems
from an RPC function that can be blocked indefinitely. The issue arises because
the "rpcecho" service operates with only one worker in the main RPC task, allowing
calls to the "rpcecho" server to be blocked for a specified time, causing service
disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()"
function under specific conditions. Authenticated users or attackers can exploit this
vulnerability to make calls to the "rpcecho" server, requesting it to block for a
specified duration, effectively disrupting most services and leading to a complete
denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs
in the main RPC task.

References:
https://nvd.nist.gov/vuln/detail/CVE-2023-42669

Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
---
 .../samba/samba/CVE-2023-42669.patch          | 94 +++++++++++++++++++
 .../samba/samba_4.14.14.bb                    |  1 +
 2 files changed, 95 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch

Patch

diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch
new file mode 100644
index 000000000..dfa6aeb02
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2023-42669.patch
@@ -0,0 +1,94 @@ 
+From 9989568b20c8f804140c22f51548d766a18ed887 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 12 Sep 2023 18:59:44 +1200
+Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
+ default
+
+The rpcecho server is useful in development and testing, but should never
+have been allowed into production, as it includes the facility to
+do a blocking sleep() in the single-threaded rpc worker.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+
+CVE: CVE-2023-42669
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/9989568b20c8f804140c22f51548d766a18ed887]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
+ lib/param/loadparm.c                                   | 2 +-
+ selftest/target/Samba4.pm                              | 2 +-
+ source3/param/loadparm.c                               | 2 +-
+ source4/rpc_server/wscript_build                       | 3 ++-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+index 8a217cc..c6642b7 100644
+--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
++++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+@@ -6,6 +6,6 @@
+	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
+ </description>
+
+-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
++<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+ <value type="example">rpcecho</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index eedfa00..75687f5 100644
+--- a/lib/param/loadparm.c
++++ b/lib/param/loadparm.c
+@@ -2717,7 +2717,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
+	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
+
+-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
++	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc  samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
+	/* the winbind method for domain controllers is for both RODC
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 651faa7..c7b33d2 100755
+--- a/selftest/target/Samba4.pm
++++ b/selftest/target/Samba4.pm
+@@ -773,7 +773,7 @@ sub provision_raw_step1($$)
+	wins support = yes
+	server role = $ctx->{server_role}
+	server services = +echo $services
+-        dcerpc endpoint servers = +winreg +srvsvc
++        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
+	notify:inotify = false
+	ldb:nosync = true
+	ldap server require strong auth = yes
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 8bcd35f..a99ab35 100644
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -879,7 +879,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+
+	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
+
+-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
++	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc  samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+
+	Globals.tls_enabled = true;
+	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
+diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
+index 8c75672..a2520da 100644
+--- a/source4/rpc_server/wscript_build
++++ b/source4/rpc_server/wscript_build
+@@ -29,7 +29,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
+	source='echo/rpc_echo.c',
+	subsystem='dcerpc_server',
+	init_function='dcerpc_server_rpcecho_init',
+-	deps='ndr-standard events'
++    deps='ndr-standard events',
++    enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
+	)
+
+
+--
+2.40.0
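Review bot: the embedded wscript_build change gates the module with `enabled=bld.CONFIG_GET('ENABLE_SELFTEST')`, so dcerpc_rpcecho is no longer built outside selftest builds, but neither the outer commit message nor the embedded dcerpcendpointservers.xml change says so; the XML still documents `<value type="example">rpcecho</value>` as the example value. The outer commit message describes the vulnerability only, so please add a sentence stating that the fix drops rpcecho from the default "dcerpc endpoint servers" list and builds the module only with ENABLE_SELFTEST, so that anyone who lists rpcecho explicitly in smb.conf knows to expect a change. Whether this recipe's configuration sets ENABLE_SELFTEST is not visible in this patch and is worth confirming. Minor: both loadparm.c replacements leave a double space where rpcecho was removed ("epmapper wkssvc  samr"), and the wscript_build addition indents with spaces next to tab-indented neighbours; keep both as they are if they match the upstream commit byte for byte, since Upstream-Status is Backport.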
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
index dcb4d8137..17d12e439 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -51,6 +51,7 @@  SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://CVE-2023-34968_0011.patch \
            file://CVE-2023-4091-0001.patch \
            file://CVE-2023-4091-0002.patch \
+           file://CVE-2023-42669.patch \
            "
 
 SRC_URI:append:libc-musl = " \
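Review bot: the context lines of this hunk include `file://CVE-2023-4091-0001.patch` and `file://CVE-2023-4091-0002.patch`, which come from patch 1/2 of this series, so 2/2 only applies on top of 1/2. That is fine for a series, but it means this CVE fix cannot be picked on its own without a context conflict; if independent backporting matters, mention the dependency in the commit message. The new entry itself is placed consistently with the existing list, before the closing quote and with the trailing backslash.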