samba/backport-0011-CVE-2022-2031-CVE-2022-32744.patch


From d15ace2d81783a92474e2dbe6c02f20589aa70f0 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 9 Aug 2021 17:20:31 +0200
Subject: [PATCH] CVE-2020-25719 s4:kdc: Check if the pac is valid before
updating it
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: remove selftest/knownfail_heimdal_kdc selftest/knownfail_mit_kdc
---
source4/kdc/mit_samba.c | 9 +++++++++
source4/kdc/wdc-samba4.c | 17 +++++++++++++++++
4 files changed, 32 insertions(+), 35 deletions(-)
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index d0e68ec8ea4..592f6a3bac4 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -512,6 +512,15 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
client_skdc_entry =
talloc_get_type_abort(client->e_data,
struct samba_kdc_entry);
+
+ /*
+ * Check the objectSID of the client and pac data are the same.
+ * Does a parse and SID check, but no crypto.
+ */
+ code = samba_kdc_validate_pac_blob(context, client_skdc_entry, *pac);
+ if (code != 0) {
+ goto done;
+ }
}
if (server == NULL) {
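Review bot: The `goto done` rejection path after `samba_kdc_validate_pac_blob()` leaves no trace at this call site, and the same holds for the `return ret` path in the wdc-samba4.c hunk. A PAC whose SID does not match the client principal is a high-signal event for anyone monitoring the KDC, so unless the helper already logs it (its body is not visible here) I would add `DBG_WARNING("PAC SID check failed for client, code %d\n", code);` before the `goto`. The comment's "no crypto" would also be clearer if it said where the PAC signature is verified, since this check alone does not authenticate the PAC. The body of mit_samba_reget_pac starts and ends outside the hunk, so what `done` releases cannot be confirmed from here.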
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index ac9d7d51733..ed6e9fb9b63 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -137,6 +137,23 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
return ENOMEM;
}
+ if (client != NULL) {
+ struct samba_kdc_entry *client_skdc_entry = NULL;
+
+ client_skdc_entry = talloc_get_type_abort(client->ctx,
+ struct samba_kdc_entry);
+
+ /*
+ * Check the objectSID of the client and pac data are the same.
+ * Does a parse and SID check, but no crypto.
+ */
+ ret = samba_kdc_validate_pac_blob(context, client_skdc_entry, *pac);
+ if (ret != 0) {
+ talloc_free(mem_ctx);
+ return ret;
+ }
+ }
+
/* If the krbtgt was generated by an RODC, and we are not that
* RODC, then we need to regenerate the PAC - we can't trust
* it */
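Review bot: The new check is skipped whenever `client` is NULL, so on that path the PAC continues to the update logic without the SID comparison; the mit_samba.c hunk appears to sit inside a similar client-only block that opens above it. If a NULL client is expected only where there is no local account to compare against, the comment should say so, e.g. `/* client == NULL: no local entry to compare the PAC SID with (TODO confirm which requests reach here) */`; otherwise this path should fail closed rather than fall through. samba_wdc_reget_pac2 starts above and continues below the hunk, so whether a later step covers the NULL case is not visible here.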
--
2.33.0