samba/backport-0024-CVE-2020-25717-s3-auth-let-auth3_generate_session_in.patch
haochenstar 8378df4821 fix CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2016-2124,CVE-2021-3738
(cherry picked from commit aee849c6c0708056f62f6445e3b5274d1cec6408)
2022-01-19 11:41:35 +08:00


From 9f807fdd8d1a148891d389820c329f44f9ffe965 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 5 Oct 2021 18:12:49 +0200
Subject: [PATCH 130/266] CVE-2020-25717: s3:auth: let
auth3_generate_session_info_pac() reject a PAC in standalone mode
We should be strict in standalone mode: we only support MIT realms
without a PAC, in order to keep the code sane.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
source3/auth/auth_generic.c | 29 +++++++++--------------------
1 file changed, 9 insertions(+), 20 deletions(-)
Conflict:NA
Reference:https://git.samba.org/samba.git/?p=samba.git;a=patch;h=9f807fdd8d1a148891d389820c329f44f9ffe965
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 450c358beeb..7d00cfa95c7 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -48,8 +48,6 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
{
enum server_role server_role = lp_server_role();
TALLOC_CTX *tmp_ctx;
- struct PAC_LOGON_INFO *logon_info = NULL;
- struct netr_SamInfo3 *info3_copy = NULL;
bool is_mapped;
bool is_guest;
char *ntuser;
@@ -203,19 +201,20 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
/* This is the standalone legacy code path */
if (pac_blob != NULL) {
-#ifdef HAVE_KRB5
- status = kerberos_pac_logon_info(tmp_ctx, *pac_blob, NULL, NULL,
- NULL, NULL, 0, &logon_info);
-#else
- status = NT_STATUS_ACCESS_DENIED;
-#endif
+ /*
+ * In standalone mode we don't expect a PAC!
+ * we only support MIT realms
+ */
+ status = NT_STATUS_BAD_TOKEN_TYPE;
+ DBG_WARNING("Unexpected PAC for [%s] in standalone mode - %s\n",
+ princ_name, nt_errstr(status));
if (!NT_STATUS_IS_OK(status)) {
goto done;
}
}
status = get_user_from_kerberos_info(tmp_ctx, rhost,
- princ_name, logon_info,
+ princ_name, NULL,
&is_mapped, &is_guest,
&ntuser, &ntdomain,
&username, &pw);
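Review bot: The `if (!NT_STATUS_IS_OK(status))` test kept after the new `status = NT_STATUS_BAD_TOKEN_TYPE;` assignment can never be false, so the rejection of a PAC in standalone mode reads as conditional when it is not. This branch is the fail-closed path that stops a request carrying a PAC from reaching `get_user_from_kerberos_info()`, so a plain `goto done;` directly after the `DBG_WARNING` would state that intent and could not be bypassed by a later edit to `status`. The new comment could say the same thing explicitly, for example `/* Fail closed: a PAC is never accepted in standalone mode. */`. The function body starts and ends outside this hunk.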
@@ -226,19 +225,9 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
goto done;
}
- /* Get the info3 from the PAC data if we have it */
- if (logon_info) {
- status = create_info3_from_pac_logon_info(tmp_ctx,
- logon_info,
- &info3_copy);
- if (!NT_STATUS_IS_OK(status)) {
- goto done;
- }
- }
-
status = make_session_info_krb5(mem_ctx,
ntuser, ntdomain, username, pw,
- info3_copy, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
+ NULL, is_guest, is_mapped, NULL /* No session key for now, caller will sort it out */,
session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
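Review bot: The retained message `"Failed to map kerberos pac to server info (%s)\n"` looks stale on this path, because `make_session_info_krb5()` is now always called with `NULL` in place of `info3_copy` and nothing PAC-derived is mapped here any more. Someone reading logs after an authentication failure could be led to look for a PAC problem that this code can no longer have. Consider rewording it, for example `"Failed to map kerberos principal to server info (%s)\n"`. The `DEBUG` statement and the rest of the function continue past the end of the hunk.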
--
2.23.0