packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0008-CVE-2020-25722-Check-all-elements-in-acl_check_spn-n.patch
haochenstar 8378df4821 fix CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2016-2124,CVE-2021-3738 
(cherry picked from commit aee849c6c0708056f62f6445e3b5274d1cec6408)
2022-01-19 11:41:35 +08:00

98 lines
3.2 KiB
Diff
Raw Blame History

From f1c64ed29ea0911beaa1cd3b80915ef5b44085af Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 1 Nov 2021 17:19:29 +1300
Subject: [PATCH 137/266] CVE-2020-25722 Check all elements in acl_check_spn()
not just the first one
Thankfully we are aleady in a loop over all the message elements in
acl_modify() so this is an easy and safe change to make.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14876
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Conflict:remove test
Reference:https://gitlab.com/samba-team/samba/-/commit/f1c64ed29ea0911beaa1cd3b80915ef5b44085af
---
source4/dsdb/samdb/ldb_modules/acl.c | 31 +++++++++++++++++++++-------
1 files changed, 23 insertions(+), 8 deletions(-)
delete mode 100644 selftest/knownfail.d/acl-spn
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 9cae15881de..d0b3da4d9e8 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -653,9 +653,14 @@ success:
return LDB_SUCCESS;
}
+/*
+ * Passing in 'el' is critical, we want to check all the values.
+ *
+ */
static int acl_check_spn(TALLOC_CTX *mem_ctx,
struct ldb_module *module,
struct ldb_request *req,
+ const struct ldb_message_element *el,
struct security_descriptor *sd,
struct dom_sid *sid,
const struct dsdb_attribute *attr,
@@ -667,7 +672,6 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
struct ldb_context *ldb = ldb_module_get_ctx(module);
struct ldb_result *acl_res;
struct ldb_result *netbios_res;
- struct ldb_message_element *el;
struct ldb_dn *partitions_dn = samdb_partitions_dn(ldb, tmp_ctx);
uint32_t userAccountControl;
const char *samAccountName;
@@ -717,6 +721,23 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
return ret;
}
+ /*
+ * If we have "validated write spn", allow delete of any
+ * existing value (this keeps constrained delete to the same
+ * rules as unconstrained)
+ */
+ if (req->operation == LDB_MODIFY) {
+ /*
+ * If not add or replace (eg delete),
+ * return success
+ */
+ if ((el->flags
+ & (LDB_FLAG_MOD_ADD|LDB_FLAG_MOD_REPLACE)) == 0) {
+ talloc_free(tmp_ctx);
+ return LDB_SUCCESS;
+ }
+ }
+
ret = dsdb_module_search_dn(module, tmp_ctx,
&acl_res, req->op.mod.message->dn,
acl_attrs,
@@ -745,13 +766,6 @@ static int acl_check_spn(TALLOC_CTX *mem_ctx,
netbios_name = ldb_msg_find_attr_as_string(netbios_res->msgs[0], "nETBIOSName", NULL);
- el = ldb_msg_find_element(req->op.mod.message, "servicePrincipalName");
- if (!el) {
- talloc_free(tmp_ctx);
- return ldb_error(ldb, LDB_ERR_OPERATIONS_ERROR,
- "Error finding element for servicePrincipalName.");
- }
-
/* NTDSDSA objectGuid of object we are checking SPN for */
if (userAccountControl & (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT)) {
ret = dsdb_module_find_ntdsguid_for_computer(module, tmp_ctx,
@@ -1510,6 +1524,7 @@ static int acl_modify(struct ldb_module *module, struct ldb_request *req)
ret = acl_check_spn(tmp_ctx,
module,
req,
+ el,
sd,
sid,
attr,
--
2.23.0
Reference in New Issue View Git Blame Copy Permalink