packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0035-CVE-2022-2031-CVE-2022-32744.patch

86 lines
2.9 KiB
Diff
Raw Blame History

From 91a1b0955a053f73e6d531f0f12eaa604aca79d7 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 19 May 2022 16:35:28 +0200
Subject: [PATCH 80/99] CVE-2022-2031 testprogs: Add kadmin/changepw
canonicalization test with MIT kpasswd
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---
selftest/knownfail.d/kadmin_changepw | 1 +
testprogs/blackbox/test_kpasswd_heimdal.sh | 35 +++++++++++++++++++++-
2 files changed, 35 insertions(+), 1 deletion(-)
create mode 100644 selftest/knownfail.d/kadmin_changepw
diff --git a/selftest/knownfail.d/kadmin_changepw b/selftest/knownfail.d/kadmin_changepw
new file mode 100644
index 00000000000..97c14793ea5
--- /dev/null
+++ b/selftest/knownfail.d/kadmin_changepw
@@ -0,0 +1 @@
+^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password
diff --git a/testprogs/blackbox/test_kpasswd_heimdal.sh b/testprogs/blackbox/test_kpasswd_heimdal.sh
index 1e895daa162..059b7a8e4d1 100755
--- a/testprogs/blackbox/test_kpasswd_heimdal.sh
+++ b/testprogs/blackbox/test_kpasswd_heimdal.sh
@@ -7,7 +7,7 @@
if [ $# -lt 6 ]; then
cat <<EOF
-Usage: test_passwords.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
+Usage: test_kpasswd_heimdal.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT
EOF
exit 1;
fi
@@ -27,6 +27,8 @@ smbclient="$samba_bindir/smbclient"
samba_kinit=$samba_bindir/samba4kinit
samba_kpasswd=$samba_bindir/samba4kpasswd
+mit_kpasswd="$(command -v kpasswd)"
+
samba_tool="$samba_bindir/samba-tool"
net_tool="$samba_bindir/net"
texpect="$samba_bindir/texpect"
@@ -142,6 +144,37 @@ testit "kpasswd change user password" \
TEST_PASSWORD=$TEST_PASSWORD_NEW
TEST_PASSWORD_NEW="testPaSS@03%"
+###########################################################
+### CVE-2022-XXXXX
+###########################################################
+
+if [ -n "${mit_kpasswd}" ]; then
+ cat > "${PREFIX}/tmpkpasswdscript" <<EOF
+expect Password for ${TEST_PRINCIPAL}
+password ${TEST_PASSWORD}\n
+expect Enter new password
+send ${TEST_PASSWORD_NEW}\n
+expect Enter it again
+send ${TEST_PASSWORD_NEW}\n
+expect Password changed.
+EOF
+
+ SAVE_KRB5_CONFIG="${KRB5_CONFIG}"
+ KRB5_CONFIG="${PREFIX}/tmpkrb5.conf"
+ export KRB5_CONFIG
+ sed -e 's/\[libdefaults\]/[libdefaults]\n canonicalize = yes/' \
+ "${SAVE_KRB5_CONFIG}" > "${KRB5_CONFIG}"
+ testit "MIT kpasswd change user password" \
+ "${texpect}" "${PREFIX}/tmpkpasswdscript" "${mit_kpasswd}" \
+ "${TEST_PRINCIPAL}" ||
+ failed=$((failed + 1))
+ KRB5_CONFIG="${SAVE_KRB5_CONFIG}"
+ export KRB5_CONFIG
+fi
+
+TEST_PASSWORD="${TEST_PASSWORD_NEW}"
+TEST_PASSWORD_NEW="testPaSS@03force%"
+
###########################################################
### Force password change at login
###########################################################
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink