samba/backport-0003-CVE-2023-0614.patch

From e7aa14a5405735234b989bdeba384c7c9249257a Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 3 Mar 2023 10:31:40 +1300
Subject: [PATCH 01/34] CVE-2023-0614 dsdb: Alter timeout test in large_ldap.py
 to be slower by matching on large objects

This changes the slow aspect to be the object matching not the filter parsing.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17821
---
 source4/dsdb/tests/python/large_ldap.py | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/source4/dsdb/tests/python/large_ldap.py b/source4/dsdb/tests/python/large_ldap.py
index 0805119a700..f7569607cb2 100644
--- a/source4/dsdb/tests/python/large_ldap.py
+++ b/source4/dsdb/tests/python/large_ldap.py
@@ -32,7 +32,7 @@ from samba.tests.subunitrun import SubunitOptions, TestProgram
 import samba.getopt as options
 
 from samba.auth import system_session
-from samba import ldb
+from samba import ldb, sd_utils
 from samba.samdb import SamDB
 from samba.ndr import ndr_unpack
 from samba import gensec
@@ -123,10 +123,13 @@ class LargeLDAPTest(samba.tests.TestCase):
     def setUpClass(cls):
         cls.ldb = SamDB(url, credentials=creds, session_info=system_session(lp), lp=lp)
         cls.base_dn = cls.ldb.domain_dn()
+
+        cls.sd_utils = sd_utils.SDUtils(cls.ldb)
         cls.USER_NAME = "large_user" + format(random.randint(0, 99999), "05") + "-"
         cls.OU_NAME="large_user_ou" + format(random.randint(0, 99999), "05")
         cls.ou_dn = ldb.Dn(cls.ldb, "ou=" + cls.OU_NAME + "," + str(cls.base_dn))
 
+
         samba.tests.delete_force(cls.ldb, cls.ou_dn,
                                  controls=['tree_delete:1'])
 
@@ -249,6 +252,7 @@ class LargeLDAPTest(samba.tests.TestCase):
         self.assertGreater(count, count_jpeg)
 
     def test_timeout(self):
+
         policy_dn = ldb.Dn(self.ldb,
                            'CN=Default Query Policy,CN=Query-Policies,'
                            'CN=Directory Service,CN=Windows NT,CN=Services,'
@@ -283,9 +286,19 @@ class LargeLDAPTest(samba.tests.TestCase):
                       session_info=system_session(lp),
                       lp=lp)
 
+        for x in range(200):
+            user_name = self.USER_NAME + format(x, "03")
+            ace = "(OD;;RP;{6bc69afa-7bd9-4184-88f5-28762137eb6a};;S-1-%d)" % x
+            dn = ldb.Dn(self.ldb, "cn=" + user_name + "," + str(self.ou_dn))
+
+            # add an ACE that denies access to the above random attr
+            # for a not-existing user.  This makes each SD distinct
+            # and so will slow SD parsing.
+            self.sd_utils.dacl_add_ace(dn, ace)
+
         # Create a large search expression that will take a long time to
         # evaluate.
-        expression = '(anr=l)' * 10000
+        expression = f'(jpegPhoto=*X*)' * 1000
         expression = f'(|{expression})'
 
         # Perform the LDAP search.
-- 
2.25.1