packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0004-CVE-2022-37966.patch

70 lines
2.6 KiB
Diff
Raw Blame History

From 9c05b1bbae715c6a59d62fd3798f7c062e74ed9b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 20 Oct 2022 12:36:44 +1300
Subject: [PATCH 04/54] CVE-2022-37966 tests/krb5: Add test requesting a TGT
expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
(cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 6a573947067f..6b3b5ad4a226 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -47,7 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
expected_cname=None, sname=None,
name_type=NT_PRINCIPAL, etypes=None,
expected_error=None, expect_edata=None,
- kdc_options=None):
+ kdc_options=None, till=None):
user_name = client_creds.get_username()
if client_account is None:
client_account = user_name
@@ -71,7 +71,8 @@ class AsReqBaseTest(KDCBaseTest):
expected_sname = sname
expected_salt = client_creds.get_salt()
- till = self.get_KerberosTime(offset=36000)
+ if till is None:
+ till = self.get_KerberosTime(offset=36000)
if etypes is None:
etypes = client_as_etypes
@@ -516,6 +517,14 @@ class AsReqKerberosTests(AsReqBaseTest):
sname=wrong_krbtgt_princ,
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+ # Test that we can make a request for a ticket expiring post-2038.
+ def test_future_till(self):
+ client_creds = self.get_client_creds()
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ till='99990913024805Z')
+
if __name__ == "__main__":
global_asn1_print = False
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink