Project import/samba - Diff 0e8142b4f1...cf91463eb4

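--- a/.abf.yml
+++ b/.abf.yml
@@ -1,5 +1,3 @@
-removed_sources:
-  samba-4.3.11.tar.gz: 44399fdcbcf5eba5f86548781e8aef490264de6b
 sources:
-  samba-4.3.11.tar.asc: 8b26d3d6eb0920edc8b3fed0e644464c822b2bb9
   samba-4.3.13.tar.gz: c6378795fd04715149976d991b8ff90d1e161b7e
+  samba-4.3.13.tar.asc: 8b14d89d5e1a997bb42e3d8f0ebb78e92f7c27fd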
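--- /dev/null
+++ b/CVE-2018-1050.patch
@@ -0,0 +1,54 @@
+From a65e49b86f152382710129952000ac36ab77b1dd Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 2 Jan 2018 15:56:03 -0800
+Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
+ pointer derefs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+index a3c3861202d..fb56e2bf9a6 100644
+--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+@@ -178,6 +178,11 @@ static void prune_printername_cache(void);
+ static const char *canon_servername(const char *servername)
+ {
+ 	const char *pservername = servername;
++
++	if (servername == NULL) {
++		return "";
++	}
++
+ 	while (*pservername == '\\') {
+ 		pservername++;
+ 	}
+@@ -2073,6 +2078,10 @@ WERROR _spoolss_DeletePrinterDriver(struct pipes_struct *p,
+ 		return WERR_ACCESS_DENIED;
+ 	}
+ 
++	if (r->in.architecture == NULL || r->in.driver == NULL) {
++		return WERR_INVALID_ENVIRONMENT;
++	}
++
+ 	/* check that we have a valid driver name first */
+ 
+ 	if ((version = get_version_id(r->in.architecture)) == -1) {
+@@ -2212,6 +2221,10 @@ WERROR _spoolss_DeletePrinterDriverEx(struct pipes_struct *p,
+ 		return WERR_ACCESS_DENIED;
+ 	}
+ 
++	if (r->in.architecture == NULL || r->in.driver == NULL) {
++		return WERR_INVALID_ENVIRONMENT;
++	}
++
+ 	/* check that we have a valid driver name first */
+ 	if (get_version_id(r->in.architecture) == -1) {
+ 		/* this is what NT returns */
+-- 
+2.11.0
+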
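Review bot: The guards added to _spoolss_DeletePrinterDriver and _spoolss_DeletePrinterDriverEx return `WERR_INVALID_ENVIRONMENT` for a NULL `r->in.driver` as well as for a NULL `r->in.architecture`, and nothing explains why a missing driver name is reported as an environment error. A short comment above each guard would record the intent, e.g. `/* both strings come from the client request; reject NULL before get_version_id() and the driver lookup use them */`. The patch changes only srv_spoolss_nt.c, so no test sends a request with these pointers unset; a regression test for both calls would keep the NULL dereference from returning. Both handler bodies start and end outside the hunks.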
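--- /dev/null
+++ b/CVE-2018-1057-1.patch
@@ -0,0 +1,86 @@
+From f8c5ac98d3edf45624302c70a7f9e56d653e20a2 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 12:43:09 +0100
+Subject: [PATCH 01/13] CVE-2018-1057: s4:dsdb/tests: add a test for password
+ change with empty delete
+
+Note that the request using the clearTextPassword attribute for the
+password change is already correctly rejected by the server.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/samba4.ldap.passwords.python |  2 +
+ source4/dsdb/tests/python/passwords.py            | 49 +++++++++++++++++++++++
+ 2 files changed, 51 insertions(+)
+ create mode 100644 selftest/knownfail.d/samba4.ldap.passwords.python
+
+Index: samba-4.3.11+dfsg/selftest/knownfail.d/samba4.ldap.passwords.python
+===================================================================
+--- /dev/null	1970-01-01 00:00:00.000000000 +0000
++++ samba-4.3.11+dfsg/selftest/knownfail.d/samba4.ldap.passwords.python	2018-03-06 16:46:25.741153480 +0100
+@@ -0,0 +1,2 @@
++samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_userPassword
++samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_unicodePwd
+Index: samba-4.3.11+dfsg/source4/dsdb/tests/python/passwords.py
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/tests/python/passwords.py	2018-03-06 16:46:25.745153513 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/tests/python/passwords.py	2018-03-06 16:46:25.741153480 +0100
+@@ -931,6 +931,55 @@ userPassword: thatsAcomplPASS4
+         # Reset the "minPwdLength" as it was before
+         self.ldb.set_minPwdLength(minPwdLength)
+ 
++    def test_pw_change_delete_no_value_userPassword(self):
++        """Test password change with userPassword where the delete attribute doesn't have a value"""
++
++        try:
++            self.ldb2.modify_ldif("""
++dn: cn=testuser,cn=users,""" + self.base_dn + """
++changetype: modify
++delete: userPassword
++add: userPassword
++userPassword: thatsAcomplPASS1
++""")
++        except LdbError, (num, msg):
++            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
++        else:
++            self.fail()
++
++    def test_pw_change_delete_no_value_clearTextPassword(self):
++        """Test password change with clearTextPassword where the delete attribute doesn't have a value"""
++
++        try:
++            self.ldb2.modify_ldif("""
++dn: cn=testuser,cn=users,""" + self.base_dn + """
++changetype: modify
++delete: clearTextPassword
++add: clearTextPassword
++clearTextPassword: thatsAcomplPASS2
++""")
++        except LdbError, (num, msg):
++            self.assertTrue(num == ERR_CONSTRAINT_VIOLATION or
++                            num == ERR_NO_SUCH_ATTRIBUTE) # for Windows
++        else:
++            self.fail()
++
++    def test_pw_change_delete_no_value_unicodePwd(self):
++        """Test password change with unicodePwd where the delete attribute doesn't have a value"""
++
++        try:
++            self.ldb2.modify_ldif("""
++dn: cn=testuser,cn=users,""" + self.base_dn + """
++changetype: modify
++delete: unicodePwd
++add: unicodePwd
++unicodePwd:: """ + base64.b64encode("\"thatsAcomplPASS3\"".encode('utf-16-le')) + """
++""")
++        except LdbError, (num, msg):
++            self.assertEquals(num, ERR_CONSTRAINT_VIOLATION)
++        else:
++            self.fail()
++
+     def tearDown(self):
+         super(PasswordTests, self).tearDown()
+         delete_force(self.ldb, "cn=testuser,cn=users," + self.base_dn)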
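Review bot: Each of the three new tests ends its `else:` branch with a bare `self.fail()`, so when the server accepts a password change whose `delete:` carries no value the log gives no reason for the failure. Passing a message, e.g. `self.fail("password change with a valueless delete was accepted")`, makes the regression these tests guard against readable at a glance. The tests also assert only the returned error code; a follow-up bind with the previous password would confirm that the stored password was left untouched, which the error code alone does not show.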
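--- /dev/null
+++ b/CVE-2018-1057-10.patch
@@ -0,0 +1,48 @@
+From 727679a6dd1e98d5d5f2732c84bf7a9bc476ce9c Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Wed, 14 Feb 2018 19:15:49 +0100
+Subject: [PATCH 10/13] CVE-2018-1057: s4:dsdb/acl: run password checking only
+ once
+
+This is needed, because a later commit will let the acl module add a
+control to the change request msg and we must ensure that this is only
+done once.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:20.877609132 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:20.873609099 +0100
+@@ -1097,6 +1097,7 @@ static int acl_modify(struct ldb_module
+ 	struct ldb_control *as_system;
+ 	struct ldb_control *is_undelete;
+ 	bool userPassword;
++	bool password_rights_checked = false;
+ 	TALLOC_CTX *tmp_ctx;
+ 	const struct ldb_message *msg = req->op.mod.message;
+ 	static const char *acl_attrs[] = {
+@@ -1242,6 +1243,9 @@ static int acl_modify(struct ldb_module
+ 		} else if (ldb_attr_cmp("unicodePwd", el->name) == 0 ||
+ 			   (userPassword && ldb_attr_cmp("userPassword", el->name) == 0) ||
+ 			   ldb_attr_cmp("clearTextPassword", el->name) == 0) {
++			if (password_rights_checked) {
++				continue;
++			}
+ 			ret = acl_check_password_rights(tmp_ctx,
+ 							module,
+ 							req,
+@@ -1252,6 +1256,7 @@ static int acl_modify(struct ldb_module
+ 			if (ret != LDB_SUCCESS) {
+ 				goto fail;
+ 			}
++			password_rights_checked = true;
+ 		} else if (ldb_attr_cmp("servicePrincipalName", el->name) == 0) {
+ 			ret = acl_check_spn(tmp_ctx,
+ 					    module,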
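Review bot: The `continue` added in acl_modify skips acl_check_password_rights() for every password attribute after the first one, and nothing at that spot says why a single call is sufficient. The reason appears to be that the check looks at all password attributes of the request message rather than only at `el`; the remaining call arguments are outside the hunk, so this should be confirmed. A comment above the guard, e.g. `/* acl_check_password_rights() covers every password attribute in the message and adds its control once; later elements must not trigger a second call */`, would keep a later edit from moving the flag or dropping the `continue`. acl_modify starts and ends outside the hunks.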
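--- /dev/null
+++ b/CVE-2018-1057-11.patch
@@ -0,0 +1,66 @@
+Backport of:
+
+From 4cdbbd43ca1c508a795ccdcdc6e08fe783286790 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Feb 2018 15:30:13 +0100
+Subject: [PATCH 11/13] CVE-2018-1057: s4:dsdb/samdb: define
+ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control
+
+Will be used to pass "user password change" vs "password reset" from the
+ACL to the password_hash module, ensuring both modules treat the request
+identical.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/samdb.h          | 9 +++++++++
+ source4/libcli/ldap/ldap_controls.c | 1 +
+ source4/setup/schema_samba4.ldif    | 2 ++
+ 3 files changed, 12 insertions(+)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/samdb.h
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/samdb.h	2018-03-06 16:47:28.709674414 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/samdb.h	2018-03-06 16:47:28.709674414 +0100
+@@ -157,6 +157,15 @@ struct dsdb_control_password_change {
+ */
+ #define DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID "1.3.6.1.4.1.7165.4.3.25"
+ 
++/*
++ * Used to pass "user password change" vs "password reset" from the ACL to the
++ * password_hash module, ensuring both modules treat the request identical.
++ */
++#define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID "1.3.6.1.4.1.7165.4.3.33"
++struct dsdb_control_password_acl_validation {
++	bool pwd_reset;
++};
++
+ #define DSDB_EXTENDED_REPLICATED_OBJECTS_OID "1.3.6.1.4.1.7165.4.4.1"
+ struct dsdb_extended_replicated_object {
+ 	struct ldb_message *msg;
+Index: samba-4.3.11+dfsg/source4/libcli/ldap/ldap_controls.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/libcli/ldap/ldap_controls.c	2018-03-06 16:47:28.709674414 +0100
++++ samba-4.3.11+dfsg/source4/libcli/ldap/ldap_controls.c	2018-03-06 16:47:28.709674414 +0100
+@@ -1280,6 +1280,7 @@ static const struct ldap_control_handler
+ 	{ DSDB_CONTROL_PASSWORD_CHANGE_STATUS_OID, NULL, NULL },
+ 	{ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, NULL, NULL },
+ 	{ DSDB_CONTROL_PASSWORD_CHANGE_OID, NULL, NULL },
++	{ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, NULL, NULL },
+ 	{ DSDB_CONTROL_APPLY_LINKS, NULL, NULL },
+ 	{ LDB_CONTROL_BYPASS_OPERATIONAL_OID, NULL, NULL },
+ 	{ DSDB_CONTROL_CHANGEREPLMETADATA_OID, NULL, NULL },
+Index: samba-4.3.11+dfsg/source4/setup/schema_samba4.ldif
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/setup/schema_samba4.ldif	2018-03-06 16:47:28.709674414 +0100
++++ samba-4.3.11+dfsg/source4/setup/schema_samba4.ldif	2018-03-06 16:48:17.398083125 +0100
+@@ -200,6 +200,7 @@
+ #Allocated: DSDB_CONTROL_PERMIT_INTERDOMAIN_TRUST_UAC_OID 1.3.6.1.4.1.7165.4.3.23
+ #Allocated: DSDB_CONTROL_RESTORE_TOMBSTONE_OID 1.3.6.1.4.1.7165.4.3.24
+ #Allocated: DSDB_CONTROL_CHANGEREPLMETADATA_RESORT_OID 1.3.6.1.4.1.7165.4.3.25
++#Allocated: DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID 1.3.6.1.4.1.7165.4.3.33
+ 
+ # Extended 1.3.6.1.4.1.7165.4.4.x
+ #Allocated: DSDB_EXTENDED_REPLICATED_OBJECTS_OID 1.3.6.1.4.1.7165.4.4.1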
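Review bot: The comment added above `DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID` in samdb.h says what the control carries but not who is allowed to set it. The description states that it hands the ACL module's verdict to password_hash, so the header should make the trust boundary explicit, for example by adding the line `* Internal only: added by the acl module, never accepted from an LDAP client.` to that comment. The `{ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, NULL, NULL }` entry in ldap_controls.c is presumably what keeps the control off the wire; that is worth confirming and stating next to the table entry.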
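--- /dev/null
+++ b/CVE-2018-1057-12.patch
@@ -0,0 +1,173 @@
+Backport of:
+
+From 4aeffa6ac2eebc9ad2cbaac5b4894e08076de71f Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Feb 2018 15:38:19 +0100
+Subject: [PATCH 12/13] CVE-2018-1057: s4:dsdb: use
+ DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
+
+This is used to pass information about which password change operation (change
+or reset) the acl module validated, down to the password_hash module.
+
+It's very important that both modules treat the request identical.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c           | 41 ++++++++++++++++++++++++--
+ source4/dsdb/samdb/ldb_modules/password_hash.c | 30 ++++++++++++++++++-
+ 2 files changed, 67 insertions(+), 4 deletions(-)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:48:58.182429083 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:48:58.182429083 +0100
+@@ -948,13 +948,22 @@ static int acl_check_password_rights(TAL
+ 	const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
+ 					"unicodePwd", "dBCSPwd", NULL }, **l;
+ 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
++	struct dsdb_control_password_acl_validation *pav = NULL;
+ 
+ 	if (tmp_ctx == NULL) {
+ 		return LDB_ERR_OPERATIONS_ERROR;
+ 	}
+ 
++	pav = talloc_zero(req, struct dsdb_control_password_acl_validation);
++	if (pav == NULL) {
++		talloc_free(tmp_ctx);
++		return LDB_ERR_OPERATIONS_ERROR;
++	}
++
+ 	c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
+ 	if (c != NULL) {
++		pav->pwd_reset = false;
++
+ 		/*
+ 		 * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+ 		 * have a user password change and not a set as the message
+@@ -977,6 +986,8 @@ static int acl_check_password_rights(TAL
+ 
+ 	c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
+ 	if (c != NULL) {
++		pav->pwd_reset = true;
++
+ 		/*
+ 		 * The "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without
+ 		 * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+@@ -1030,6 +1041,8 @@ static int acl_check_password_rights(TAL
+ 
+ 
+ 	if (rep_attr_cnt > 0) {
++		pav->pwd_reset = true;
++
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_FORCE_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+@@ -1038,6 +1051,8 @@ static int acl_check_password_rights(TAL
+ 	}
+ 
+ 	if (add_attr_cnt != del_attr_cnt) {
++		pav->pwd_reset = true;
++
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_FORCE_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+@@ -1046,6 +1061,8 @@ static int acl_check_password_rights(TAL
+ 	}
+ 
+ 	if (add_val_cnt == 1 && del_val_cnt == 1) {
++		pav->pwd_reset = false;
++
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_USER_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+@@ -1058,6 +1075,8 @@ static int acl_check_password_rights(TAL
+ 	}
+ 
+ 	if (add_val_cnt == 1 && del_val_cnt == 0) {
++		pav->pwd_reset = true;
++
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_FORCE_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+@@ -1069,6 +1088,14 @@ static int acl_check_password_rights(TAL
+ 		goto checked;
+ 	}
+ 
++	/*
++	 * Everything else is handled by the password_hash module where it will
++	 * fail, but with the correct error code when the module is again
++	 * checking the attributes. As the change request will lack the
++	 * DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control, we can be sure that
++	 * any modification attempt that went this way will be rejected.
++	 */
++
+ 	talloc_free(tmp_ctx);
+ 	return LDB_SUCCESS;
+ 
+@@ -1078,11 +1105,19 @@ checked:
+ 			       req->op.mod.message->dn,
+ 			       true,
+ 			       10);
++		talloc_free(tmp_ctx);
++		return ret;
+ 	}
+-	talloc_free(tmp_ctx);
+-	return ret;
+-}
+ 
++	ret = ldb_request_add_control(req,
++		DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID, false, pav);
++	if (ret != LDB_SUCCESS) {
++		ldb_debug(ldb_module_get_ctx(module), LDB_DEBUG_ERROR,
++			  "Unable to register ACL validation control!\n");
++		return ret;
++	}
++	return LDB_SUCCESS;
++}
+ 
+ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
+ {
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:48:58.182429083 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:48:58.182429083 +0100
+@@ -2572,7 +2572,35 @@ static int setup_io(struct ph_context *a
+ 		/* On "add" we have only "password reset" */
+ 		ac->pwd_reset = true;
+ 	} else if (ac->req->operation == LDB_MODIFY) {
+-		if (io->og.cleartext_utf8 || io->og.cleartext_utf16
++		struct ldb_control *pav_ctrl = NULL;
++		struct dsdb_control_password_acl_validation *pav = NULL;
++
++		pav_ctrl = ldb_request_get_control(ac->req,
++				DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID);
++		if (pav_ctrl != NULL) {
++			pav = talloc_get_type_abort(pav_ctrl->data,
++				struct dsdb_control_password_acl_validation);
++		}
++
++		if (pav == NULL) {
++			bool ok;
++
++			/*
++			 * If the DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
++			 * control is missing, we require system access!
++			 */
++			ok = dsdb_module_am_system(ac->module);
++			if (!ok) {
++				return ldb_module_operr(ac->module);
++			}
++		}
++
++		if (pav != NULL) {
++			/*
++			 * We assume what the acl module has validated.
++			 */
++			ac->pwd_reset = pav->pwd_reset;
++		} else if (io->og.cleartext_utf8 || io->og.cleartext_utf16
+ 		    || io->og.nt_hash || io->og.lm_hash) {
+ 			/* If we have an old password specified then for sure it
+ 			 * is a user "password change" */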
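Review bot: After the `checked:` label the rewritten tail of acl_check_password_rights() frees `tmp_ctx` only in the failure branch; the two new returns that follow `ldb_request_add_control()` leave it allocated, unlike the other exits visible in this patch. tmp_ctx is created with `talloc_new(mem_ctx)`, so it is presumably released once the caller frees that context, but the function should still clean up on every path: add `talloc_free(tmp_ctx);` before `return ret;` in the add-control error branch and before the final `return LDB_SUCCESS;`. The body of acl_check_password_rights() starts outside the hunks.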
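--- /dev/null
+++ b/CVE-2018-1057-13.patch
@@ -0,0 +1,46 @@
+From d868f656617f9343408616a5ee212ebe9a722130 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 23:11:38 +0100
+Subject: [PATCH 13/13] CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only
+ allowed with a control
+
+This is not strictly needed to fig bug 13272, but it makes sense to also
+fix this while fixing the overall ACL checking logic.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:49:04.358481740 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:49:04.358481740 +0100
+@@ -946,7 +946,7 @@ static int acl_check_password_rights(TAL
+ 	struct ldb_message *msg;
+ 	struct ldb_control *c = NULL;
+ 	const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
+-					"unicodePwd", "dBCSPwd", NULL }, **l;
++					"unicodePwd", NULL }, **l;
+ 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ 	struct dsdb_control_password_acl_validation *pav = NULL;
+ 
+@@ -1006,6 +1006,15 @@ static int acl_check_password_rights(TAL
+ 		goto checked;
+ 	}
+ 
++	el = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
++	if (el != NULL) {
++		/*
++		 * dBCSPwd is only allowed with a control.
++		 */
++		talloc_free(tmp_ctx);
++		return LDB_ERR_UNWILLING_TO_PERFORM;
++	}
++
+ 	msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
+ 	if (msg == NULL) {
+ 		return ldb_module_oom(module);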
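Review bot: The dBCSPwd rejection added in the second hunk returns `LDB_ERR_UNWILLING_TO_PERFORM` without logging anything, and its comment says only "with a control" without saying which one. A more specific comment, e.g. `/* dBCSPwd may only be changed under one of the internal password controls checked earlier in this function */`, lets a reader verify the ordering; the control checks themselves sit above the hunk, so confirm which controls that covers. Logging the refusal with `ldb_debug()`, as the control-registration error path in this series does, would let an operator see rejected attempts to write this attribute over LDAP. The body of acl_check_password_rights() continues outside both hunks.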
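--- /dev/null
+++ b/CVE-2018-1057-2.patch
@@ -0,0 +1,53 @@
+From f59e42f7f9244b18e47a91108cc6993cbe5fd097 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 10:56:06 +0100
+Subject: [PATCH 02/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper
+ variable for LDB_FLAG_MOD_TYPE
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/password_hash.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:46:32.477208767 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:46:32.473208733 +0100
+@@ -3152,17 +3152,20 @@ static int password_hash_modify(struct l
+ 		}
+ 
+ 		while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
+-			if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE) {
++			unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
++
++			if (mtype == LDB_FLAG_MOD_DELETE) {
+ 				++del_attr_cnt;
+ 			}
+-			if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD) {
++			if (mtype == LDB_FLAG_MOD_ADD) {
+ 				++add_attr_cnt;
+ 			}
+-			if (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_REPLACE) {
++			if (mtype == LDB_FLAG_MOD_REPLACE) {
+ 				++rep_attr_cnt;
+ 			}
+ 			if ((passwordAttr->num_values != 1) &&
+-			    (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_ADD)) {
++			    (mtype == LDB_FLAG_MOD_ADD))
++			{
+ 				talloc_free(ac);
+ 				ldb_asprintf_errstring(ldb,
+ 						       "'%s' attribute must have exactly one value on add operations!",
+@@ -3170,7 +3173,8 @@ static int password_hash_modify(struct l
+ 				return LDB_ERR_CONSTRAINT_VIOLATION;
+ 			}
+ 			if ((passwordAttr->num_values > 1) &&
+-			    (LDB_FLAG_MOD_TYPE(passwordAttr->flags) == LDB_FLAG_MOD_DELETE)) {
++			    (mtype == LDB_FLAG_MOD_DELETE))
++			{
+ 				talloc_free(ac);
+ 				ldb_asprintf_errstring(ldb,
+ 						       "'%s' attribute must have zero or one value(s) on delete operations!",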
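--- /dev/null
+++ b/CVE-2018-1057-3.patch
@@ -0,0 +1,47 @@
+From 783a863a53e31e1a0e7c507fa841c43320ecae75 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 14:40:59 +0100
+Subject: [PATCH 03/13] CVE-2018-1057: s4:dsdb/password_hash: add a helper
+ variable for passwordAttr->num_values
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/password_hash.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:46:38.333256918 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/password_hash.c	2018-03-06 16:46:38.329256885 +0100
+@@ -3153,6 +3153,7 @@ static int password_hash_modify(struct l
+ 
+ 		while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
+ 			unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
++			unsigned int nvalues = passwordAttr->num_values;
+ 
+ 			if (mtype == LDB_FLAG_MOD_DELETE) {
+ 				++del_attr_cnt;
+@@ -3163,18 +3164,14 @@ static int password_hash_modify(struct l
+ 			if (mtype == LDB_FLAG_MOD_REPLACE) {
+ 				++rep_attr_cnt;
+ 			}
+-			if ((passwordAttr->num_values != 1) &&
+-			    (mtype == LDB_FLAG_MOD_ADD))
+-			{
++			if ((nvalues != 1) && (mtype == LDB_FLAG_MOD_ADD)) {
+ 				talloc_free(ac);
+ 				ldb_asprintf_errstring(ldb,
+ 						       "'%s' attribute must have exactly one value on add operations!",
+ 						       *l);
+ 				return LDB_ERR_CONSTRAINT_VIOLATION;
+ 			}
+-			if ((passwordAttr->num_values > 1) &&
+-			    (mtype == LDB_FLAG_MOD_DELETE))
+-			{
++			if ((nvalues > 1) && (mtype == LDB_FLAG_MOD_DELETE)) {
+ 				talloc_free(ac);
+ 				ldb_asprintf_errstring(ldb,
+ 						       "'%s' attribute must have zero or one value(s) on delete operations!",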
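--- /dev/null
+++ b/CVE-2018-1057-4.patch
@@ -0,0 +1,47 @@
+From 672a4e62b24bfba51d513177c96307f9ba9ccc70 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 17:38:31 +0100
+Subject: [PATCH 04/13] CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug()
+ if we checked the acl in acl_check_password_rights()
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:44.513307823 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:44.513307823 +0100
+@@ -989,12 +989,14 @@ static int acl_check_password_rights(TAL
+ 					       GUID_DRS_USER_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+ 					       sid);
++		goto checked;
+ 	}
+ 	else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_FORCE_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+ 					       sid);
++		goto checked;
+ 	}
+ 	else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+@@ -1005,7 +1007,13 @@ static int acl_check_password_rights(TAL
+ 		if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ 			ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ 		}
++		goto checked;
+ 	}
++
++	talloc_free(tmp_ctx);
++	return LDB_SUCCESS;
++
++checked:
+ 	if (ret != LDB_SUCCESS) {
+ 		dsdb_acl_debug(sd, acl_user_token(module),
+ 			       req->op.mod.message->dn,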
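--- /dev/null
+++ b/CVE-2018-1057-5.patch
@@ -0,0 +1,45 @@
+From 0b6edfbb059e4e823f4c8052af1c702fabcecc0c Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 17:38:31 +0100
+Subject: [PATCH 05/13] CVE-2018-1057: s4:dsdb/acl: remove unused else branches
+ in acl_check_password_rights()
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:50.613358156 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:50.609358122 +0100
+@@ -991,14 +991,24 @@ static int acl_check_password_rights(TAL
+ 					       sid);
+ 		goto checked;
+ 	}
+-	else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
++
++	if (rep_attr_cnt > 0) {
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_FORCE_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+ 					       sid);
+ 		goto checked;
+ 	}
+-	else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
++
++	if (add_attr_cnt != del_attr_cnt) {
++		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
++					       GUID_DRS_FORCE_CHANGE_PASSWORD,
++					       SEC_ADS_CONTROL_ACCESS,
++					       sid);
++		goto checked;
++	}
++
++	if (add_attr_cnt == 1 && del_attr_cnt == 1) {
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_USER_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,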
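--- /dev/null
+++ b/CVE-2018-1057-6.patch
@@ -0,0 +1,73 @@
+From 9b56a152b494f200f1cc2f84b8f9e421d467d1fd Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 22:59:24 +0100
+Subject: [PATCH 06/13] CVE-2018-1057: s4:dsdb/acl: check for internal controls
+ before other checks
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 37 ++++++++++++++++++++++--------------
+ 1 file changed, 23 insertions(+), 14 deletions(-)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:56.417406127 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:56.413406094 +0100
+@@ -943,10 +943,33 @@ static int acl_check_password_rights(TAL
+ 	unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
+ 	struct ldb_message_element *el;
+ 	struct ldb_message *msg;
++	struct ldb_control *c = NULL;
+ 	const char *passwordAttrs[] = { "userPassword", "clearTextPassword",
+ 					"unicodePwd", "dBCSPwd", NULL }, **l;
+ 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ 
++	c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
++	if (c != NULL) {
++		/*
++		 * The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
++		 * have a user password change and not a set as the message
++		 * looks like. In it's value blob it contains the NT and/or LM
++		 * hash of the old password specified by the user.  This control
++		 * is used by the SAMR and "kpasswd" password change mechanisms.
++		 *
++		 * This control can't be used by real LDAP clients,
++		 * the only caller is samdb_set_password_internal(),
++		 * so we don't have to strict verification of the input.
++		 */
++		ret = acl_check_extended_right(tmp_ctx,
++					       sd,
++					       acl_user_token(module),
++					       GUID_DRS_USER_CHANGE_PASSWORD,
++					       SEC_ADS_CONTROL_ACCESS,
++					       sid);
++		goto checked;
++	}
++
+ 	msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
+ 	if (msg == NULL) {
+ 		return ldb_module_oom(module);
+@@ -977,20 +1000,6 @@ static int acl_check_password_rights(TAL
+ 		return LDB_SUCCESS;
+ 	}
+ 
+-	if (ldb_request_get_control(req,
+-				    DSDB_CONTROL_PASSWORD_CHANGE_OID) != NULL) {
+-		/* The "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
+-		 * have a user password change and not a set as the message
+-		 * looks like. In it's value blob it contains the NT and/or LM
+-		 * hash of the old password specified by the user.
+-		 * This control is used by the SAMR and "kpasswd" password
+-		 * change mechanisms. */
+-		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+-					       GUID_DRS_USER_CHANGE_PASSWORD,
+-					       SEC_ADS_CONTROL_ACCESS,
+-					       sid);
+-		goto checked;
+-	}
+ 
+ 	if (rep_attr_cnt > 0) {
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),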
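--- /dev/null
+++ b/CVE-2018-1057-7.patch
@@ -0,0 +1,45 @@
+From 0b6df46714c954b2e1b2a16f663505bb7ba65e9f Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 15 Feb 2018 17:43:43 +0100
+Subject: [PATCH 07/13] CVE-2018-1057: s4:dsdb/acl: add check for
+ DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:03.773467037 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:03.769467004 +0100
+@@ -970,6 +970,26 @@ static int acl_check_password_rights(TAL
+ 		goto checked;
+ 	}
+ 
++	c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_HASH_VALUES_OID);
++	if (c != NULL) {
++		/*
++		 * The "DSDB_CONTROL_PASSWORD_HASH_VALUES_OID" control, without
++		 * "DSDB_CONTROL_PASSWORD_CHANGE_OID" control means that we
++		 * have a force password set.
++		 * This control is used by the SAMR/NETLOGON/LSA password
++		 * reset mechanisms.
++		 *
++		 * This control can't be used by real LDAP clients,
++		 * the only caller is samdb_set_password_internal(),
++		 * so we don't have to strict verification of the input.
++		 */
++		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
++					       GUID_DRS_FORCE_CHANGE_PASSWORD,
++					       SEC_ADS_CONTROL_ACCESS,
++					       sid);
++		goto checked;
++	}
++
+ 	msg = ldb_msg_copy_shallow(tmp_ctx, req->op.mod.message);
+ 	if (msg == NULL) {
+ 		return ldb_module_oom(module);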
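Review bot: The comment in the added branch justifies skipping input verification by stating that real LDAP clients cannot send DSDB_CONTROL_PASSWORD_HASH_VALUES_OID, but nothing in this hunk enforces that or says where it is enforced, and the branch decides access on GUID_DRS_FORCE_CHANGE_PASSWORD alone before the message is even copied. Only the presence of `c` is tested; its value is never inspected. I would name the enforcement point in the comment and fix the wording of its last sentence, e.g. `* Real LDAP clients cannot send this control (rejected in <enforcement point, not visible here>), so no strict verification of its value is needed.` acl_check_password_rights() starts and ends outside the hunk, so the `checked:` label and the code that precedes this branch cannot be reviewed from here.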
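--- /dev/null
+++ b/CVE-2018-1057-8.patch
@@ -0,0 +1,29 @@
+From a771b4ddfda633e7cd4d80548979f454cdb55949 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Fri, 16 Feb 2018 15:17:26 +0100
+Subject: [PATCH 08/13] CVE-2018-1057: s4:dsdb/acl: add a NULL check for
+ talloc_new() in acl_check_password_rights()
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ source4/dsdb/samdb/ldb_modules/acl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:09.389513621 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:09.389513621 +0100
+@@ -948,6 +948,10 @@ static int acl_check_password_rights(TAL
+ 					"unicodePwd", "dBCSPwd", NULL }, **l;
+ 	TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
+ 
++	if (tmp_ctx == NULL) {
++		return LDB_ERR_OPERATIONS_ERROR;
++	}
++
+ 	c = ldb_request_get_control(req, DSDB_CONTROL_PASSWORD_CHANGE_OID);
+ 	if (c != NULL) {
+ 		/*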
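Review bot: The new `talloc_new()` failure path returns a bare `LDB_ERR_OPERATIONS_ERROR`, while the other allocation failure in the same function (the `msg == NULL` check after `ldb_msg_copy_shallow()`, visible as context in patch 07/13) returns `ldb_module_oom(module)`. Writing `return ldb_module_oom(module);` here as well would keep the two out-of-memory paths consistent and, as far as I know, also records an out-of-memory error string on the ldb context rather than only the numeric code. The function body continues outside the hunk, so later uses of `tmp_ctx` cannot be checked from here.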
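--- /dev/null
+++ b/CVE-2018-1057-9.patch
@@ -0,0 +1,93 @@
+From 8ea0dbcd35dc5c210569036e185c2a863b066709 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Thu, 22 Feb 2018 10:54:37 +0100
+Subject: [PATCH 09/13] CVE-2018-1057: s4/dsdb: correctly detect password
+ resets
+
+This change ensures we correctly treat the following LDIF
+
+  dn: cn=testuser,cn=users,...
+  changetype: modify
+  delete: userPassword
+  add: userPassword
+  userPassword: thatsAcomplPASS1
+
+as a password reset. Because delete and add element counts are both
+one, the ACL module wrongly treated this as a password change
+request.
+
+For a password change we need at least one value to delete and one value
+to add. This patch ensures we correctly check attributes and their
+values.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Stefan Metzmacher <metze@samba.org>
+---
+ selftest/knownfail.d/samba4.ldap.passwords.python |  2 --
+ source4/dsdb/samdb/ldb_modules/acl.c              | 18 +++++++++++++++++-
+ 2 files changed, 17 insertions(+), 3 deletions(-)
+ delete mode 100644 selftest/knownfail.d/samba4.ldap.passwords.python
+
+Index: samba-4.3.11+dfsg/selftest/knownfail.d/samba4.ldap.passwords.python
+===================================================================
+--- samba-4.3.11+dfsg.orig/selftest/knownfail.d/samba4.ldap.passwords.python	2018-03-06 16:47:14.973560010 +0100
++++ /dev/null	1970-01-01 00:00:00.000000000 +0000
+@@ -1,2 +0,0 @@
+-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_userPassword
+-samba4.ldap.passwords.python.*.__main__.PasswordTests.test_pw_change_delete_no_value_unicodePwd
+Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
+===================================================================
+--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:14.973560010 +0100
++++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:14.973560010 +0100
+@@ -941,6 +941,7 @@ static int acl_check_password_rights(TAL
+ {
+ 	int ret = LDB_SUCCESS;
+ 	unsigned int del_attr_cnt = 0, add_attr_cnt = 0, rep_attr_cnt = 0;
++	unsigned int del_val_cnt = 0, add_val_cnt = 0, rep_val_cnt = 0;
+ 	struct ldb_message_element *el;
+ 	struct ldb_message *msg;
+ 	struct ldb_control *c = NULL;
+@@ -1006,12 +1007,15 @@ static int acl_check_password_rights(TAL
+ 		while ((el = ldb_msg_find_element(msg, *l)) != NULL) {
+ 			if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_DELETE) {
+ 				++del_attr_cnt;
++				del_val_cnt += el->num_values;
+ 			}
+ 			if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_ADD) {
+ 				++add_attr_cnt;
++				add_val_cnt += el->num_values;
+ 			}
+ 			if (LDB_FLAG_MOD_TYPE(el->flags) == LDB_FLAG_MOD_REPLACE) {
+ 				++rep_attr_cnt;
++				rep_val_cnt += el->num_values;
+ 			}
+ 			ldb_msg_remove_element(msg, el);
+ 		}
+@@ -1041,12 +1045,24 @@ static int acl_check_password_rights(TAL
+ 		goto checked;
+ 	}
+ 
+-	if (add_attr_cnt == 1 && del_attr_cnt == 1) {
++	if (add_val_cnt == 1 && del_val_cnt == 1) {
+ 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+ 					       GUID_DRS_USER_CHANGE_PASSWORD,
+ 					       SEC_ADS_CONTROL_ACCESS,
+ 					       sid);
+ 		/* Very strange, but we get constraint violation in this case */
++		if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
++			ret = LDB_ERR_CONSTRAINT_VIOLATION;
++		}
++		goto checked;
++	}
++
++	if (add_val_cnt == 1 && del_val_cnt == 0) {
++		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
++					       GUID_DRS_FORCE_CHANGE_PASSWORD,
++					       SEC_ADS_CONTROL_ACCESS,
++					       sid);
++		/* Very strange, but we get constraint violation in this case */
+ 		if (ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS) {
+ 			ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ 		}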
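Review bot: `rep_val_cnt` is declared and accumulated in the `LDB_FLAG_MOD_REPLACE` branch, but no condition in these hunks reads it, so it is either dead or stands for a check that was never written. The two value-count branches match exactly (add 1, delete 1) and (add 1, delete 0), while the commit message speaks of "at least one value". Every other combination is decided by code after the last hunk, which is cut off here, and since this classification selects which extended right is checked, that fall-through should be documented where it happens. A comment after the second branch such as `/* NOTE: any other add/delete value combination falls through; confirm it is rejected later */` would make the intent reviewable. The two branches also repeat the same check-and-remap sequence with only the GUID differing, which a small static helper would remove.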
... ... --- a/samba.spec
... ... +++ b/samba.spec
... ... @@ -95,7 +95,7 @@
95 95
Summary:	Samba SMB server
96 96
Name:		samba
97 97
Version:	4.3.13
98
Release:	4
98
Release:	5
99 99
Epoch:		1
100 100
License:	GPLv3+
101 101
Group:		System/Servers
... ... @@ -125,6 +125,21 @@ Patch3: CVE-2017-9461.patch
125 125
Patch4:		CVE-2017-11103.patch
126 126
Patch5:		CVE-2017-7494.patch
127 127
128
Patch6:		CVE-2018-1050.patch
129
Patch7:		CVE-2018-1057-1.patch
130
Patch8:		CVE-2018-1057-2.patch
131
Patch9:		CVE-2018-1057-3.patch
132
Patch10:	CVE-2018-1057-4.patch
133
Patch11:	CVE-2018-1057-5.patch
134
Patch12:	CVE-2018-1057-6.patch
135
Patch13:	CVE-2018-1057-7.patch
136
Patch14:	CVE-2018-1057-8.patch
137
Patch15:	CVE-2018-1057-9.patch
138
Patch16:	CVE-2018-1057-10.patch
139
Patch17:	CVE-2018-1057-11.patch
140
Patch18:	CVE-2018-1057-12.patch
141
Patch19:	CVE-2018-1057-13.patch
142
128 143
# Required for ldb docs
129 144
BuildRequires:	docbook-style-xsl
130 145
# For -fuse-ld
... ... @@ -1464,6 +1479,21 @@ fi
1479 1479
%patch4 -p1 -b .CVE-2017-11103~
1480 1480
%patch5 -p1 -b .CVE-2017-7494~
1481 1481
1482
%patch6 -p1 -b .CVE-2018-1050~
1483
%patch7 -p1 -b .CVE-2018-1057~
1484
%patch8 -p1 -b .CVE-2018-1057~
1485
%patch9 -p1 -b .CVE-2018-1057~
1486
%patch10 -p1 -b .CVE-2018-1057~
1487
%patch11 -p1 -b .CVE-2018-1057~
1488
%patch12 -p1 -b .CVE-2018-1057~
1489
%patch13 -p1 -b .CVE-2018-1057~
1490
%patch14 -p1 -b .CVE-2018-1057~
1491
%patch15 -p1 -b .CVE-2018-1057~
1492
%patch16 -p1 -b .CVE-2018-1057~
1493
%patch17 -p1 -b .CVE-2018-1057~
1494
%patch18 -p1 -b .CVE-2018-1057~
1495
%patch19 -p1 -b .CVE-2018-1057~
1496
1482 1497
%build
1483 1498
CFLAGS=-g buildtools/bin/waf configure --enable-fhs \
1484 1499
	--with-privatelibdir=%{_libdir}/%{name} \