samba/backport-0020-CVE-2022-2031-CVE-2022-32744.patch


From 72afa2641c24bd18a32463f0b0de7e91feb54290 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 24 Nov 2021 20:42:22 +1300
Subject: [PATCH 44/99] kdc: Don't include extra PAC buffers in service tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef)
Conflict: remove selftest/knownfail_heimdal_kdc
---
source4/kdc/wdc-samba4.c | 31 +++++++++++++++++--------
2 files changed, 21 insertions(+), 52 deletions(-)
diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 8c3ce71529c..17af76f4edb 100644
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -132,6 +132,7 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
krb5_error_code ret;
NTSTATUS nt_status;
bool is_in_db, is_untrusted;
+ bool is_krbtgt;
size_t num_types = 0;
uint32_t *types = NULL;
uint32_t forced_next_type = 0;
@@ -471,7 +472,9 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
goto out;
}
- if (!is_untrusted && !server_skdc_entry->is_krbtgt) {
+ is_krbtgt = krb5_principal_is_krbtgt(context, server->entry.principal);
+
+ if (!is_untrusted && !is_krbtgt) {
/*
* The client may have requested no PAC when obtaining the
* TGT.
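Review bot: `is_krbtgt` is now derived from the principal name via `krb5_principal_is_krbtgt(context, server->entry.principal)` instead of the database entry's `is_krbtgt` flag, and nothing at the assignment says why. The same value later decides which PAC buffers are kept in the issued ticket, so the source of truth deserves a comment such as `/* Classify by server principal name, not by the DB entry flag */` with one line on why the flag was unsuitable. The hunk does not show whether the two can disagree for any entry. The variable is declared without an initialiser in the first hunk and assigned only here, after earlier `goto out` paths; `bool is_krbtgt = false;` at the declaration would keep any read on those paths defined. samba_wdc_reget_pac2 starts and ends outside the hunk.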
@@ -576,17 +579,25 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
type_blob = data_blob_const(&zero_byte, 1);
break;
case PAC_TYPE_ATTRIBUTES_INFO:
- /* just copy... */
- break;
+ if (is_krbtgt) {
+ /* just copy... */
+ break;
+ } else {
+ continue;
+ }
case PAC_TYPE_REQUESTER_SID:
- /*
- * Replace in the RODC case, otherwise
- * requester_sid_blob is NULL and we just copy.
- */
- if (requester_sid_blob != NULL) {
- type_blob = *requester_sid_blob;
+ if (is_krbtgt) {
+ /*
+ * Replace in the RODC case, otherwise
+ * requester_sid_blob is NULL and we just copy.
+ */
+ if (requester_sid_blob != NULL) {
+ type_blob = *requester_sid_blob;
+ }
+ break;
+ } else {
+ continue;
}
- break;
default:
/* just copy... */
break;
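Review bot: Neither new `continue` branch says why the buffer is dropped, and the `default:` case still copies every other buffer type into the ticket unchanged. A comment such as `/* TGT-only buffer: omit from service tickets */` above each `continue` would record the intent. A guard `if (!is_krbtgt) { continue; }` ahead of the existing case body would also read more directly than the `if { ...; break; } else { continue; }` pair. Because the filter lists excluded types, any buffer type added later that belongs only in a TGT must be added to this switch by hand, which is worth stating at `default:`. The `continue` targets a loop that starts outside the hunk, so whatever follows the switch in that loop body is skipped for these two types; that is presumably the intent but cannot be confirmed from the visible lines.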
--
2.25.1