packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-0922

Browse Source
This commit is contained in:
xinghe 2023-04-07 03:22:22 +00:00
parent c24b46a73b
commit 3bf99eff12
2 changed files with 115 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
backport-CVE-2023-0922.patch Normal file
View File

@ -0,0 +1,107 @@
From 3535a42b8414377db657c336b6a2d21798b14eb4 Mon Sep 17 00:00:00 2001
From: Rob van der Linde <rob@catalyst.net.nz>
Date: Mon, 27 Feb 2023 14:06:23 +1300
Subject: [PATCH] CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17832
---
.../ldap/clientldapsaslwrapping.xml | 27 +++++++++----------
lib/param/loadparm.c | 2 +-
python/samba/tests/auth_log.py | 2 +-
source3/param/loadparm.c | 2 +-
4 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 3152f0682dd..21bd2090057 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -18,25 +18,24 @@
</para>
<para>
- This option is needed in the case of Domain Controllers enforcing
- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
- LDAP sign and seal can be controlled with the registry key
- "<literal>HKLM\System\CurrentControlSet\Services\</literal>
- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
- on the Windows server side.
- </para>
+ This option is needed firstly to secure the privacy of
+ administrative connections from <command>samba-tool</command>,
+ including in particular new or reset passwords for users. For
+ this reason the default is <emphasis>seal</emphasis>.</para>
- <para>
- Depending on the used KRB5 library (MIT and older Heimdal versions)
- it is possible that the message "integrity only" is not supported.
- In this case, <emphasis>sign</emphasis> is just an alias for
- <emphasis>seal</emphasis>.
+ <para>Additionally, <command>winbindd</command> and the
+ <command>net</command> tool can use LDAP to communicate with
+ Domain Controllers, so this option also controls the level of
+ privacy for those connections. All supported AD DC versions
+ will enforce the usage of at least signed LDAP connections by
+ default, so a value of at least <emphasis>sign</emphasis> is
+ required in practice.
</para>
<para>
- The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
+ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
with the KDC in the case of using <emphasis>Kerberos</emphasis>.
</para>
</description>
-<value type="default">sign</value>
+<value type="default">seal</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d47b37fa632..02dd602de7a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2988,7 +2988,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
- lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+ lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal");
lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios");
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index 9949b0abe4d..b0f4840563d 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
@@ -470,7 +470,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
def isLastExpectedMessage(msg):
return (msg["type"] == "Authorization" and
msg["Authorization"]["serviceDescription"] == "LDAP" and
- msg["Authorization"]["transportProtection"] == "SIGN" and
+ msg["Authorization"]["transportProtection"] == "SEAL" and
msg["Authorization"]["authType"] == "krb5")
self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"],
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 1cdfbb70276..39cf3af8dd6 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -753,7 +753,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.ldap_debug_level = 0;
Globals.ldap_debug_threshold = 10;
- Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL;
Globals.ldap_server_require_strong_auth =
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
--
2.25.1

9
samba.spec
View File

@ -49,7 +49,7 @@
Name: samba
Version: 4.11.12
Release: 25
Release: 26
Summary: A suite for Linux to interoperate with Windows
License: GPLv3+ and LGPLv3+
@ -338,6 +338,7 @@ Patch6408: backport-0035-CVE-2022-38023.patch
Patch6409: backport-0036-CVE-2022-38023.patch
Patch6410: backport-0037-CVE-2022-38023.patch
Patch6411: backport-0038-CVE-2022-38023.patch
Patch6412: backport-CVE-2023-0922.patch
BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@ -3396,6 +3397,12 @@ fi
%{_mandir}/man*
%changelog
* Fri Apr 07 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-26
- Type:cves
- CVE:CVE-2023-0922
- SUG:NA
- DESC:fix CVE-2023-0922
* Mon Apr 03 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-25
- Type:cves
- CVE:CVE-2022-38023