samba/backport-0002-CVE-2023-0225.patch

From 47f8a529885d321c4f787832d5934757656e8094 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 6 Sep 2022 19:23:13 +1200
Subject: [PATCH 2/4] CVE-2023-0225 CVE-2020-25720 pydsdb: Add dsHeuristics
 constant definitions

We want to be able to use these values in Python tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cc709077822a39227174b91ed2345c2bd603f61f)

[abartlet@samba.org This patch is needed for a clean backport of
 CVE-2023-0225 as these constants are used in the acl_modify test
 even when this behaviour is not itself used.]

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17833
---
 source4/dsdb/pydsdb.c | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index bcfc7e95478..626d849a561 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -1665,6 +1665,36 @@ MODULE_INIT_FUNC(dsdb)
 	ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE);
 	ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_SPN_REGISTRATION);
 
+	/* dsHeuristics character indexes (see MS-ADTS 7.1.1.2.4.1.2) */
+	ADD_DSDB_FLAG(DS_HR_SUPFIRSTLASTANR);
+	ADD_DSDB_FLAG(DS_HR_SUPLASTFIRSTANR);
+	ADD_DSDB_FLAG(DS_HR_DOLISTOBJECT);
+	ADD_DSDB_FLAG(DS_HR_DONICKRES);
+	ADD_DSDB_FLAG(DS_HR_LDAP_USEPERMMOD);
+	ADD_DSDB_FLAG(DS_HR_HIDEDSID);
+	ADD_DSDB_FLAG(DS_HR_BLOCK_ANONYMOUS_OPS);
+	ADD_DSDB_FLAG(DS_HR_ALLOW_ANON_NSPI);
+	ADD_DSDB_FLAG(DS_HR_USER_PASSWORD_SUPPORT);
+	ADD_DSDB_FLAG(DS_HR_TENTH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SPECIFY_GUID_ON_ADD);
+	ADD_DSDB_FLAG(DS_HR_NO_STANDARD_SD);
+	ADD_DSDB_FLAG(DS_HR_ALLOW_NONSECURE_PWD_OPS);
+	ADD_DSDB_FLAG(DS_HR_NO_PROPAGATE_ON_NOCHANGE);
+	ADD_DSDB_FLAG(DS_HR_COMPUTE_ANR_STATS);
+	ADD_DSDB_FLAG(DS_HR_ADMINSDEXMASK);
+	ADD_DSDB_FLAG(DS_HR_KVNOEMUW2K);
+
+	ADD_DSDB_FLAG(DS_HR_TWENTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_ATTR_AUTHZ_ON_LDAP_ADD);
+	ADD_DSDB_FLAG(DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS);
+	ADD_DSDB_FLAG(DS_HR_THIRTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_FOURTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_FIFTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SIXTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_SEVENTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_EIGHTIETH_CHAR);
+	ADD_DSDB_FLAG(DS_HR_NINETIETH_CHAR);
+
 	ADD_DSDB_FLAG(NTDSCONN_KCC_GC_TOPOLOGY);
 	ADD_DSDB_FLAG(NTDSCONN_KCC_RING_TOPOLOGY);
 	ADD_DSDB_FLAG(NTDSCONN_KCC_MINIMIZE_HOPS_TOPOLOGY);
-- 
2.25.1
fix CVE-2023-0225 CVE-2023-0614 CVE-2023-0922 2023-04-01 06:13:02 +00:00			`From 47f8a529885d321c4f787832d5934757656e8094 Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Tue, 6 Sep 2022 19:23:13 +1200`
			`Subject: [PATCH 2/4] CVE-2023-0225 CVE-2020-25720 pydsdb: Add dsHeuristics`
			`constant definitions`

			`We want to be able to use these values in Python tests.`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=14810`
			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`
			`(cherry picked from commit cc709077822a39227174b91ed2345c2bd603f61f)`

			`[abartlet@samba.org This patch is needed for a clean backport of`
			`CVE-2023-0225 as these constants are used in the acl_modify test`
			`even when this behaviour is not itself used.]`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17833`
			`---`
			`source4/dsdb/pydsdb.c \| 30 ++++++++++++++++++++++++++++++`
			`1 file changed, 30 insertions(+)`

			`diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c`
			`index bcfc7e95478..626d849a561 100644`
			`--- a/source4/dsdb/pydsdb.c`
			`+++ b/source4/dsdb/pydsdb.c`
			`@@ -1665,6 +1665,36 @@ MODULE_INIT_FUNC(dsdb)`
			`ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_NTDSCONN_XLATE);`
			`ADD_DSDB_FLAG(DS_NTDSDSA_OPT_DISABLE_SPN_REGISTRATION);`

			`+ /* dsHeuristics character indexes (see MS-ADTS 7.1.1.2.4.1.2) */`
			`+ ADD_DSDB_FLAG(DS_HR_SUPFIRSTLASTANR);`
			`+ ADD_DSDB_FLAG(DS_HR_SUPLASTFIRSTANR);`
			`+ ADD_DSDB_FLAG(DS_HR_DOLISTOBJECT);`
			`+ ADD_DSDB_FLAG(DS_HR_DONICKRES);`
			`+ ADD_DSDB_FLAG(DS_HR_LDAP_USEPERMMOD);`
			`+ ADD_DSDB_FLAG(DS_HR_HIDEDSID);`
			`+ ADD_DSDB_FLAG(DS_HR_BLOCK_ANONYMOUS_OPS);`
			`+ ADD_DSDB_FLAG(DS_HR_ALLOW_ANON_NSPI);`
			`+ ADD_DSDB_FLAG(DS_HR_USER_PASSWORD_SUPPORT);`
			`+ ADD_DSDB_FLAG(DS_HR_TENTH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_SPECIFY_GUID_ON_ADD);`
			`+ ADD_DSDB_FLAG(DS_HR_NO_STANDARD_SD);`
			`+ ADD_DSDB_FLAG(DS_HR_ALLOW_NONSECURE_PWD_OPS);`
			`+ ADD_DSDB_FLAG(DS_HR_NO_PROPAGATE_ON_NOCHANGE);`
			`+ ADD_DSDB_FLAG(DS_HR_COMPUTE_ANR_STATS);`
			`+ ADD_DSDB_FLAG(DS_HR_ADMINSDEXMASK);`
			`+ ADD_DSDB_FLAG(DS_HR_KVNOEMUW2K);`
			`+`
			`+ ADD_DSDB_FLAG(DS_HR_TWENTIETH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_ATTR_AUTHZ_ON_LDAP_ADD);`
			`+ ADD_DSDB_FLAG(DS_HR_BLOCK_OWNER_IMPLICIT_RIGHTS);`
			`+ ADD_DSDB_FLAG(DS_HR_THIRTIETH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_FOURTIETH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_FIFTIETH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_SIXTIETH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_SEVENTIETH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_EIGHTIETH_CHAR);`
			`+ ADD_DSDB_FLAG(DS_HR_NINETIETH_CHAR);`
			`+`
			`ADD_DSDB_FLAG(NTDSCONN_KCC_GC_TOPOLOGY);`
			`ADD_DSDB_FLAG(NTDSCONN_KCC_RING_TOPOLOGY);`
			`ADD_DSDB_FLAG(NTDSCONN_KCC_MINIMIZE_HOPS_TOPOLOGY);`
			`--`
			`2.25.1`