samba/backport-0027-CVE-2023-0614.patch

From 976b0c37d82daf1269664a1fce8dfcca5770456b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 27 Feb 2023 13:31:44 +1300
Subject: [PATCH 25/34] CVE-2023-0614 s4-acl: Avoid calling
 dsdb_module_am_system() if we can help it

If the AS_SYSTEM control is present, we know we have system privileges,
and have no need to call dsdb_module_am_system().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17821
---
 source4/dsdb/samdb/ldb_modules/acl_read.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c
index 8ca8607b925..6dcc3c9b36e 100644
--- a/source4/dsdb/samdb/ldb_modules/acl_read.c
+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c
@@ -860,7 +860,7 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	int ret;
 	struct aclread_context *ac;
 	struct ldb_request *down_req;
-	struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);
+	bool am_system;
 	struct ldb_result *res;
 	struct aclread_private *p;
 	bool need_sd = false;
@@ -877,11 +877,16 @@ static int aclread_search(struct ldb_module *module, struct ldb_request *req)
 	ldb = ldb_module_get_ctx(module);
 	p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);
 
+	am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;
+	if (!am_system) {
+		am_system = dsdb_module_am_system(module);
+	}
+
 	/* skip access checks if we are system or system control is supplied
 	 * or this is not LDAP server request */
 	if (!p || !p->enabled ||
-	    dsdb_module_am_system(module)
-	    || as_system || !is_untrusted) {
+	    am_system ||
+	    !is_untrusted) {
 		return ldb_next_request(module, req);
 	}
 	/* no checks on special dn */
-- 
2.25.1
fix CVE-2023-0225 CVE-2023-0614 CVE-2023-0922 2023-04-01 06:13:02 +00:00			`From 976b0c37d82daf1269664a1fce8dfcca5770456b Mon Sep 17 00:00:00 2001`
			`From: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Date: Mon, 27 Feb 2023 13:31:44 +1300`
			`Subject: [PATCH 25/34] CVE-2023-0614 s4-acl: Avoid calling`
			`dsdb_module_am_system() if we can help it`

			`If the AS_SYSTEM control is present, we know we have system privileges,`
			`and have no need to call dsdb_module_am_system().`

			`BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270`

			`Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>`
			`Reviewed-by: Andrew Bartlett <abartlet@samba.org>`

			`Conflict: NA`
			`Reference: https://attachments.samba.org/attachment.cgi?id=17821`
			`---`
			`source4/dsdb/samdb/ldb_modules/acl_read.c \| 11 ++++++++---`
			`1 file changed, 8 insertions(+), 3 deletions(-)`

			`diff --git a/source4/dsdb/samdb/ldb_modules/acl_read.c b/source4/dsdb/samdb/ldb_modules/acl_read.c`
			`index 8ca8607b925..6dcc3c9b36e 100644`
			`--- a/source4/dsdb/samdb/ldb_modules/acl_read.c`
			`+++ b/source4/dsdb/samdb/ldb_modules/acl_read.c`
			`@@ -860,7 +860,7 @@ static int aclread_search(struct ldb_module module, struct ldb_request req)`
			`int ret;`
			`struct aclread_context *ac;`
			`struct ldb_request *down_req;`
			`- struct ldb_control *as_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID);`
			`+ bool am_system;`
			`struct ldb_result *res;`
			`struct aclread_private *p;`
			`bool need_sd = false;`
			`@@ -877,11 +877,16 @@ static int aclread_search(struct ldb_module module, struct ldb_request req)`
			`ldb = ldb_module_get_ctx(module);`
			`p = talloc_get_type(ldb_module_get_private(module), struct aclread_private);`

			`+ am_system = ldb_request_get_control(req, LDB_CONTROL_AS_SYSTEM_OID) != NULL;`
			`+ if (!am_system) {`
			`+ am_system = dsdb_module_am_system(module);`
			`+ }`
			`+`
			`/* skip access checks if we are system or system control is supplied`
			`* or this is not LDAP server request */`
			`if (!p \|\| !p->enabled \|\|`
			`- dsdb_module_am_system(module)`
			`- \|\| as_system \|\| !is_untrusted) {`
			`+ am_system \|\|`
			`+ !is_untrusted) {`
			`return ldb_next_request(module, req);`
			`}`
			`/* no checks on special dn */`
			`--`
			`2.25.1`