packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0040-CVE-2022-2031-CVE-2022-32744.patch

71 lines
2.4 KiB
Diff
Raw Blame History

From 531e7b596d35785bee61f3b4289e38ece1530f94 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 24 May 2022 17:53:49 +1200
Subject: [PATCH 85/99] CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to
two minutes or less
This matches the behaviour of Windows.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Adapted entry to entry_ex->entry; included
samba_kdc.h header file]
[jsutton@samba.org Fixed conflicts]
Conflict: remove selftest/knownfail_heimdal_kdc selftest/knownfail_mit_kdc
---
source4/kdc/db-glue.c | 5 +++++
source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +-
source4/kdc/samba_kdc.h | 2 ++
5 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index d2d7136608e..073ec83c8cf 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1226,6 +1226,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
kdc_db_ctx->policy.usr_tkt_lifetime);
}
+ if (entry_ex->entry.flags.change_pw) {
+ /* Limit lifetime of kpasswd tickets to two minutes or less. */
+ *entry_ex->entry.max_life = MIN(*entry_ex->entry.max_life, CHANGEPW_LIFETIME);
+ }
+
entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life));
if (entry_ex->entry.max_renew == NULL) {
ret = ENOMEM;
diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c
index cc67c2392be..2059ffa855e 100644
--- a/source4/kdc/mit-kdb/kdb_samba_principals.c
+++ b/source4/kdc/mit-kdb/kdb_samba_principals.c
@@ -27,11 +27,11 @@
#include <profile.h>
#include <kdb.h>
+#include "kdc/samba_kdc.h"
#include "kdc/mit_samba.h"
#include "kdb_samba.h"
#define ADMIN_LIFETIME 60*60*3 /* 3 hours */
-#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */
krb5_error_code ks_get_principal(krb5_context context,
krb5_const_principal principal,
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h
index e228a82ce6a..8010d7c35ed 100644
--- a/source4/kdc/samba_kdc.h
+++ b/source4/kdc/samba_kdc.h
@@ -62,4 +62,6 @@ struct samba_kdc_entry {
extern struct hdb_method hdb_samba4_interface;
+#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */
+
#endif /* _SAMBA_KDC_H_ */
--
2.25.1
Reference in New Issue View Git Blame Copy Permalink