samba/backport-0004-CVE-2023-0225.patch


From 0d753cc8f2b072175f994ede8b3a541303a8a2d5 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 9 Jan 2023 11:22:34 +1300
Subject: [PATCH 4/4] CVE-2023-0225 s4-acl: Don't return early if dNSHostName
element has no values
This early return would mistakenly allow an unprivileged user to delete
the dNSHostName attribute by making an LDAP modify request with no
values. We should no longer allow this.
Add or replace operations with no values and no privileges are
disallowed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15276
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17833
---
selftest/knownfail.d/dns-host-name-deletion | 2 --
source4/dsdb/samdb/ldb_modules/acl.c | 12 +++++++-----
2 files changed, 7 insertions(+), 7 deletions(-)
delete mode 100644 selftest/knownfail.d/dns-host-name-deletion
diff --git a/selftest/knownfail.d/dns-host-name-deletion b/selftest/knownfail.d/dns-host-name-deletion
deleted file mode 100644
index ac11619ffc3..00000000000
--- a/selftest/knownfail.d/dns-host-name-deletion
+++ /dev/null
@@ -1,2 +0,0 @@
-^samba4.ldap.acl_modify.python\(.*\).__main__.AclModifyTests.test_modify_delete_dns_host_name_ldif_unspecified\(.*\)
-^samba4.ldap.acl_modify.python\(.*\).__main__.AclModifyTests.test_modify_delete_dns_host_name_unspecified\(.*\)
diff --git a/source4/dsdb/samdb/ldb_modules/acl.c b/source4/dsdb/samdb/ldb_modules/acl.c
index 4098ae2d671..b602520ca2b 100644
--- a/source4/dsdb/samdb/ldb_modules/acl.c
+++ b/source4/dsdb/samdb/ldb_modules/acl.c
@@ -900,11 +900,6 @@ static int acl_check_dns_host_name(TALLOC_CTX *mem_ctx,
NULL
};
- if (el->num_values == 0) {
- return LDB_SUCCESS;
- }
- dnsHostName = &el->values[0];
-
tmp_ctx = talloc_new(mem_ctx);
if (tmp_ctx == NULL) {
return ldb_oom(ldb);
@@ -1050,6 +1045,13 @@ static int acl_check_dns_host_name(TALLOC_CTX *mem_ctx,
--account_name_len;
}
+ /* Check for add or replace requests with no value. */
+ if (el->num_values == 0) {
+ talloc_free(tmp_ctx);
+ return ldb_operr(ldb);
+ }
+ dnsHostName = &el->values[0];
+
dnsHostName_str = (const char *)dnsHostName->data;
dns_host_name_len = dnsHostName->length;
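Review bot: The comment above the new `el->num_values == 0` check says what is tested but not why it must fail, and the reason is the security-relevant part: per the commit message, a value-less add or replace deletes dNSHostName, so it cannot be treated as a no-op. I would spell that out, e.g. `/* An add or replace with no values would delete dNSHostName; a caller that reaches this point has not been granted full write access, so refuse it. */`. The second half of that comment is inferred from the commit message, because the privilege checks sit between the two hunks and are not visible here. Moving `dnsHostName = &el->values[0];` down to this point also leaves the pointer unassigned for all the code between the two hunks, so it is worth confirming that nothing there reads it, or initialising it to NULL at its declaration, which is outside the hunk. The body of acl_check_dns_host_name starts and ends outside both hunks.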
--
2.25.1