aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2020-04-03 07:43:12 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2020-04-03 07:45:32 +0200
commit46ba7ec46d3cb4084489531ce10e71e17963495b (patch)
tree29e2dcba59c49704cc8c5ad3cf777503b33a40ad
parent63b8a5e4b9fad35855bfd733bf2f539cc223c6bc (diff)
downloadalpine_aports-46ba7ec46d3cb4084489531ce10e71e17963495b.tar.bz2
alpine_aports-46ba7ec46d3cb4084489531ce10e71e17963495b.tar.xz
alpine_aports-46ba7ec46d3cb4084489531ce10e71e17963495b.zip
main/samba: fix CVE-2019-14902, CVE-2019-14907
fixes #11155
Diffstat
-rw-r--r--main/samba/APKBUILD7
-rw-r--r--main/samba/samba-4.9.17-security-2020-01-21.patch1662
2 files changed, 1668 insertions, 1 deletions
diff --git a/main/samba/APKBUILD b/main/samba/APKBUILD
index 1319269f8d..0904fb8147 100644
--- a/main/samba/APKBUILD
+++ b/main/samba/APKBUILD
@@ -1,7 +1,7 @@
1# Maintainer: Natanael Copa <ncopa@alpinelinux.org> 1# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
2pkgname=samba 2pkgname=samba
3pkgver=4.8.12 3pkgver=4.8.12
4pkgrel=1 4pkgrel=2
5pkgdesc="Tools to access a server's filespace and printers via SMB" 5pkgdesc="Tools to access a server's filespace and printers via SMB"
6url="https://www.samba.org/" 6url="https://www.samba.org/"
7arch="all" 7arch="all"
@@ -79,6 +79,7 @@ source="
79 bind-9.12.patch 79 bind-9.12.patch
80 missing-headers.patch 80 missing-headers.patch
81 samba-4.9.14-security-2019-10-29.patch 81 samba-4.9.14-security-2019-10-29.patch
82 samba-4.9.17-security-2020-01-21.patch
82 $pkgname.initd 83 $pkgname.initd
83 $pkgname.confd 84 $pkgname.confd
84 $pkgname.logrotate 85 $pkgname.logrotate
@@ -87,6 +88,9 @@ pkggroups="winbind"
87builddir="$srcdir/$pkgname-$pkgver" 88builddir="$srcdir/$pkgname-$pkgver"
88 89
89# secfixes: 90# secfixes:
91# 4.8.12-r2:
92# - CVE-2019-14902
93# - CVE-2019-14907
90# 4.8.12-r1: 94# 4.8.12-r1:
91# - CVE-2019-10218 95# - CVE-2019-10218
92# - CVE-2019-14833 96# - CVE-2019-14833
@@ -576,6 +580,7 @@ a99e771f28d787dc22e832b97aa48a1c5e13ddc0c030c501a3c12819ff6e62800ef084b62930abe8
57627f12c8395be25d9806d232cc30334f2f7c7d175971d2d1944dd886d699e0381a6f222c17e3d7bc087cf7a29bfb3e98cf25ba98f414c4afe0297b9d134a28bd8 bind-9.12.patch 58027f12c8395be25d9806d232cc30334f2f7c7d175971d2d1944dd886d699e0381a6f222c17e3d7bc087cf7a29bfb3e98cf25ba98f414c4afe0297b9d134a28bd8 bind-9.12.patch
577c0afe8b1dfddc5290c9aa611163d20adc3a546f54bba0081f739cda4255829f1a72bae422b6cb049aca82e58d4daf63ad5553f4c5c51671019bfbbc2781460f0 missing-headers.patch 581c0afe8b1dfddc5290c9aa611163d20adc3a546f54bba0081f739cda4255829f1a72bae422b6cb049aca82e58d4daf63ad5553f4c5c51671019bfbbc2781460f0 missing-headers.patch
5788386db1209721fabb6acf52e498082ac3e70cd3a4454c54416b02aaa67b2906212383da7ddc06f77ca29cfbb9033407b1e958bcd9c7cdf369fe501f310a0f973 samba-4.9.14-security-2019-10-29.patch 5828386db1209721fabb6acf52e498082ac3e70cd3a4454c54416b02aaa67b2906212383da7ddc06f77ca29cfbb9033407b1e958bcd9c7cdf369fe501f310a0f973 samba-4.9.14-security-2019-10-29.patch
583b00163634fb262777cc8992192150beb5dc2dc45ace823557f1a35fe2448ab3559b7503db96b07c6a9382ddb62a3bd6f4e68e1849f64ec472dbea8abc6b54572 samba-4.9.17-security-2020-01-21.patch
57996070e2461370437f48571e7de550c13a332fef869480cfe92e7cac73a998f6c2ee85d2580df58211953bebd0e577691aa710c8edddf3ea0f30e9d47d0a2fd44 samba.initd 58496070e2461370437f48571e7de550c13a332fef869480cfe92e7cac73a998f6c2ee85d2580df58211953bebd0e577691aa710c8edddf3ea0f30e9d47d0a2fd44 samba.initd
580e2b49cb394e758447ca97de155a61b4276499983a0a5c00b44ae621c5559b759a766f8d1c8d3ee98ad5560f4064a847a7a20cfa2e14f85c061bec8b80fd649eb samba.confd 585e2b49cb394e758447ca97de155a61b4276499983a0a5c00b44ae621c5559b759a766f8d1c8d3ee98ad5560f4064a847a7a20cfa2e14f85c061bec8b80fd649eb samba.confd
5813458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate" 5863458a4e1f8a8b44c966afb339b2dca51615be049f594c14911fc4d8203623deee416b6fe881436e246fc7d49c97a2b3bf9c5f33ba774302b24190a1103d6b67d samba.logrotate"
diff --git a/main/samba/samba-4.9.17-security-2020-01-21.patch b/main/samba/samba-4.9.17-security-2020-01-21.patch
new file mode 100644
index 0000000000..4847a8660b
--- /dev/null
+++ b/main/samba/samba-4.9.17-security-2020-01-21.patch
@@ -0,0 +1,1662 @@
1From 77d55b64af6acd38a08096b89ee051bc4ce72f43 Mon Sep 17 00:00:00 2001
2From: Andrew Bartlett <abartlet@samba.org>
3Date: Thu, 28 Nov 2019 17:16:16 +1300
4Subject: [PATCH 01/13] CVE-2019-14902 selftest: Add test for replication of
5 inherited security descriptors
6
7BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
8
9Signed-off-by: Andrew Bartlett <abartlet@samba.org>
10---
11 selftest/knownfail.d/repl_secdesc | 2 +
12 source4/selftest/tests.py | 5 +
13 source4/torture/drs/python/repl_secdesc.py | 258 +++++++++++++++++++++
14 3 files changed, 265 insertions(+)
15 create mode 100644 selftest/knownfail.d/repl_secdesc
16 create mode 100644 source4/torture/drs/python/repl_secdesc.py
17
18diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
19new file mode 100644
20index 00000000000..2aa24c61375
21--- /dev/null
22+++ b/selftest/knownfail.d/repl_secdesc
23@@ -0,0 +1,2 @@
24+^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
25+^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
26diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
27index 2ec0bee923b..7244535791d 100755
28--- a/source4/selftest/tests.py
29+++ b/source4/selftest/tests.py
30@@ -1004,6 +1004,11 @@ for env in ['vampire_dc', 'promoted_dc']:
31 extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
32 environ={'DC1': "$DC_SERVER", 'DC2': '$%s_SERVER' % env.upper()},
33 extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
34+ planoldpythontestsuite(env, "repl_secdesc",
35+ name="samba4.drs.repl_secdesc.python(%s)" % env,
36+ extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
37+ environ={'DC1': "$DC_SERVER", 'DC2': '$SERVER'},
38+ extra_args=['-U$DOMAIN/$DC_USERNAME%$DC_PASSWORD'])
39 planoldpythontestsuite(env, "repl_move",
40 extra_path=[os.path.join(samba4srcdir, 'torture/drs/python')],
41 name="samba4.drs.repl_move.python(%s)" % env,
42diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py
43new file mode 100644
44index 00000000000..4ed449a8a18
45--- /dev/null
46+++ b/source4/torture/drs/python/repl_secdesc.py
47@@ -0,0 +1,258 @@
48+#!/usr/bin/env python3
49+# -*- coding: utf-8 -*-
50+#
51+# Unix SMB/CIFS implementation.
52+# Copyright (C) Catalyst.Net Ltd. 2017
53+# Copyright (C) Andrew Bartlett <abartlet@samba.org> 2019
54+#
55+# This program is free software; you can redistribute it and/or modify
56+# it under the terms of the GNU General Public License as published by
57+# the Free Software Foundation; either version 3 of the License, or
58+# (at your option) any later version.
59+#
60+# This program is distributed in the hope that it will be useful,
61+# but WITHOUT ANY WARRANTY; without even the implied warranty of
62+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
63+# GNU General Public License for more details.
64+#
65+# You should have received a copy of the GNU General Public License
66+# along with this program. If not, see <http://www.gnu.org/licenses/>.
67+#
68+import drs_base
69+import ldb
70+import samba
71+from samba import sd_utils
72+from ldb import LdbError
73+
74+class ReplAclTestCase(drs_base.DrsBaseTestCase):
75+
76+ def setUp(self):
77+ super(ReplAclTestCase, self).setUp()
78+ self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1)
79+ self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2)
80+
81+ self.ou = samba.tests.create_test_ou(self.ldb_dc1,
82+ "test_acl_inherit")
83+
84+ # disable replication for the tests so we can control at what point
85+ # the DCs try to replicate
86+ self._disable_all_repl(self.dnsname_dc1)
87+ self._disable_all_repl(self.dnsname_dc2)
88+
89+ # make sure DCs are synchronized before the test
90+ self._net_drs_replicate(DC=self.dnsname_dc2, fromDC=self.dnsname_dc1, forced=True)
91+ self._net_drs_replicate(DC=self.dnsname_dc1, fromDC=self.dnsname_dc2, forced=True)
92+
93+ def tearDown(self):
94+ self.ldb_dc1.delete(self.ou, ["tree_delete:1"])
95+
96+ # re-enable replication
97+ self._enable_all_repl(self.dnsname_dc1)
98+ self._enable_all_repl(self.dnsname_dc2)
99+
100+ super(ReplAclTestCase, self).tearDown()
101+
102+ def test_acl_inheirt_new_object_1_pass(self):
103+ # Set the inherited ACL on the parent OU
104+ mod = "(A;CIOI;GA;;;SY)"
105+ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
106+
107+ # Make a new object
108+ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
109+ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
110+
111+ self._net_drs_replicate(DC=self.dnsname_dc2,
112+ fromDC=self.dnsname_dc1,
113+ forced=True)
114+
115+ # Confirm inherited ACLs are identical
116+
117+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
118+ self.sd_utils_dc2.get_sd_as_sddl(dn))
119+
120+ def test_acl_inheirt_new_object(self):
121+ # Set the inherited ACL on the parent OU
122+ mod = "(A;CIOI;GA;;;SY)"
123+ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
124+
125+ # Replicate to DC2
126+
127+ self._net_drs_replicate(DC=self.dnsname_dc2,
128+ fromDC=self.dnsname_dc1,
129+ forced=True)
130+
131+ # Make a new object
132+ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
133+ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
134+
135+ self._net_drs_replicate(DC=self.dnsname_dc2,
136+ fromDC=self.dnsname_dc1,
137+ forced=True)
138+
139+ # Confirm inherited ACLs are identical
140+
141+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
142+ self.sd_utils_dc2.get_sd_as_sddl(dn))
143+
144+ def test_acl_inherit_existing_object(self):
145+ # Make a new object
146+ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
147+ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
148+
149+ try:
150+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
151+ base=dn,
152+ attrs=[])
153+ self.fail()
154+ except LdbError as err:
155+ enum = err.args[0]
156+ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
157+
158+ self._net_drs_replicate(DC=self.dnsname_dc2,
159+ fromDC=self.dnsname_dc1,
160+ forced=True)
161+
162+ # Confirm it is now replicated
163+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
164+ base=dn,
165+ attrs=[])
166+
167+ # Set the inherited ACL on the parent OU
168+ mod = "(A;CIOI;GA;;;SY)"
169+ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
170+
171+ # Replicate to DC2
172+
173+ self._net_drs_replicate(DC=self.dnsname_dc2,
174+ fromDC=self.dnsname_dc1,
175+ forced=True)
176+
177+ # Confirm inherited ACLs are identical
178+
179+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
180+ self.sd_utils_dc2.get_sd_as_sddl(dn))
181+
182+ def test_acl_inheirt_existing_object_1_pass(self):
183+ # Make a new object
184+ dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
185+ self.ldb_dc1.add({"dn": dn, "objectclass": "organizationalUnit"})
186+
187+ try:
188+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
189+ base=dn,
190+ attrs=[])
191+ self.fail()
192+ except LdbError as err:
193+ enum = err.args[0]
194+ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
195+
196+ # Set the inherited ACL on the parent OU
197+ mod = "(A;CIOI;GA;;;SY)"
198+ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
199+
200+ # Replicate to DC2
201+
202+ self._net_drs_replicate(DC=self.dnsname_dc2,
203+ fromDC=self.dnsname_dc1,
204+ forced=True)
205+
206+ # Confirm inherited ACLs are identical
207+
208+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
209+ self.sd_utils_dc2.get_sd_as_sddl(dn))
210+
211+ def test_acl_inheirt_renamed_object(self):
212+ # Make a new object
213+ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
214+ "acl_test_l2")
215+
216+ sub_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
217+
218+ try:
219+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
220+ base=new_ou,
221+ attrs=[])
222+ self.fail()
223+ except LdbError as err:
224+ enum = err.args[0]
225+ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
226+
227+ self._net_drs_replicate(DC=self.dnsname_dc2,
228+ fromDC=self.dnsname_dc1,
229+ forced=True)
230+
231+ # Confirm it is now replicated
232+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
233+ base=new_ou,
234+ attrs=[])
235+
236+ # Set the inherited ACL on the parent OU on DC1
237+ mod = "(A;CIOI;GA;;;SY)"
238+ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
239+
240+ # Replicate to DC2
241+
242+ self._net_drs_replicate(DC=self.dnsname_dc2,
243+ fromDC=self.dnsname_dc1,
244+ forced=True)
245+
246+ # Rename to under self.ou
247+
248+ self.ldb_dc1.rename(new_ou, sub_ou_dn)
249+
250+ # Replicate to DC2
251+
252+ self._net_drs_replicate(DC=self.dnsname_dc2,
253+ fromDC=self.dnsname_dc1,
254+ forced=True)
255+
256+ # Confirm inherited ACLs are identical
257+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
258+ self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn))
259+
260+
261+ def test_acl_inheirt_renamed_object_in_conflict(self):
262+ # Make a new object to be renamed under self.ou
263+ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
264+ "acl_test_l2")
265+
266+ # Make a new OU under self.ou (on DC2)
267+ sub_ou_dn = ldb.Dn(self.ldb_dc2, "OU=l2,%s" % self.ou)
268+ self.ldb_dc2.add({"dn": sub_ou_dn,
269+ "objectclass": "organizationalUnit"})
270+
271+ # Set the inherited ACL on the parent OU
272+ mod = "(A;CIOI;GA;;;SY)"
273+ self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
274+
275+ # Replicate to DC2
276+
277+ self._net_drs_replicate(DC=self.dnsname_dc2,
278+ fromDC=self.dnsname_dc1,
279+ forced=True)
280+
281+ # Rename to under self.ou
282+ self.ldb_dc1.rename(new_ou, sub_ou_dn)
283+
284+ # Replicate to DC2 (will cause a conflict, DC1 to win, version
285+ # is higher since named twice)
286+
287+ self._net_drs_replicate(DC=self.dnsname_dc2,
288+ fromDC=self.dnsname_dc1,
289+ forced=True)
290+
291+ children = self.ldb_dc2.search(scope=ldb.SCOPE_ONELEVEL,
292+ base=self.ou,
293+ attrs=[])
294+ for child in children:
295+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
296+ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
297+
298+ # Replicate back
299+ self._net_drs_replicate(DC=self.dnsname_dc1,
300+ fromDC=self.dnsname_dc2,
301+ forced=True)
302+
303+ for child in children:
304+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(child.dn),
305+ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
306--
3072.17.1
308
309
310From c5a005a45389c8d8fc0eae7137eab1904ea92d42 Mon Sep 17 00:00:00 2001
311From: Andrew Bartlett <abartlet@samba.org>
312Date: Tue, 10 Dec 2019 15:16:24 +1300
313Subject: [PATCH 02/13] CVE-2019-14902 selftest: Add test for a special case
314 around replicated renames
315
316It appears Samba is currently string-name based in the ACL inheritence code.
317
318BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
319
320Signed-off-by: Andrew Bartlett <abartlet@samba.org>
321---
322 selftest/knownfail.d/repl_secdesc | 1 +
323 source4/torture/drs/python/repl_secdesc.py | 69 ++++++++++++++++++++++
324 2 files changed, 70 insertions(+)
325
326diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
327index 2aa24c61375..7d554ff237a 100644
328--- a/selftest/knownfail.d/repl_secdesc
329+++ b/selftest/knownfail.d/repl_secdesc
330@@ -1,2 +1,3 @@
331 ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
332 ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
333+^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
334diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py
335index 4ed449a8a18..58861af3bac 100644
336--- a/source4/torture/drs/python/repl_secdesc.py
337+++ b/source4/torture/drs/python/repl_secdesc.py
338@@ -211,6 +211,75 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
339 self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn))
340
341
342+ def test_acl_inheirt_renamed_child_object(self):
343+ # Make a new OU
344+ new_ou = samba.tests.create_test_ou(self.ldb_dc1,
345+ "acl_test_l2")
346+
347+ # Here is where the new OU will end up at the end.
348+ sub2_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
349+
350+ sub3_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % new_ou)
351+ sub3_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l3,%s" % sub2_ou_dn_final)
352+
353+ self.ldb_dc1.add({"dn": sub3_ou_dn,
354+ "objectclass": "organizationalUnit"})
355+
356+ sub4_ou_dn = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn)
357+ sub4_ou_dn_final = ldb.Dn(self.ldb_dc1, "OU=l4,%s" % sub3_ou_dn_final)
358+
359+ self.ldb_dc1.add({"dn": sub4_ou_dn,
360+ "objectclass": "organizationalUnit"})
361+
362+ try:
363+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
364+ base=new_ou,
365+ attrs=[])
366+ self.fail()
367+ except LdbError as err:
368+ enum = err.args[0]
369+ self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
370+
371+ self._net_drs_replicate(DC=self.dnsname_dc2,
372+ fromDC=self.dnsname_dc1,
373+ forced=True)
374+
375+ # Confirm it is now replicated
376+ self.ldb_dc2.search(scope=ldb.SCOPE_BASE,
377+ base=new_ou,
378+ attrs=[])
379+
380+ #
381+ # Given a tree new_ou -> l3 -> l4
382+ #
383+
384+ # Set the inherited ACL on the grandchild OU (l3) on DC1
385+ mod = "(A;CIOI;GA;;;SY)"
386+ self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, mod)
387+
388+ # Rename new_ou (l2) to under self.ou (this must happen second). If the
389+ # inheritence between l3 and l4 is name-based, this could
390+ # break.
391+
392+ # The tree is now self.ou -> l2 -> l3 -> l4
393+
394+ self.ldb_dc1.rename(new_ou, sub2_ou_dn_final)
395+
396+ # Replicate to DC2
397+
398+ self._net_drs_replicate(DC=self.dnsname_dc2,
399+ fromDC=self.dnsname_dc1,
400+ forced=True)
401+
402+ # Confirm set ACLs (on l3 ) are identical.
403+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final),
404+ self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final))
405+
406+ # Confirm inherited ACLs (from l3 to l4) are identical.
407+ self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final),
408+ self.sd_utils_dc2.get_sd_as_sddl(sub4_ou_dn_final))
409+
410+
411 def test_acl_inheirt_renamed_object_in_conflict(self):
412 # Make a new object to be renamed under self.ou
413 new_ou = samba.tests.create_test_ou(self.ldb_dc1,
414--
4152.17.1
416
417
418From 4afff32debe5ea4bf1219f42c3042eb65c3e1d6b Mon Sep 17 00:00:00 2001
419From: Andrew Bartlett <abartlet@samba.org>
420Date: Mon, 16 Dec 2019 11:29:27 +1300
421Subject: [PATCH 03/13] selftest: Add test to confirm ACL inheritence really
422 happens
423
424While we have a seperate test (sec_descriptor.py) that confirms inheritance in
425general we want to lock in these specific patterns as this test covers
426rename.
427
428Signed-off-by: Andrew Bartlett <abartlet@samba.org>
429---
430 source4/torture/drs/python/repl_secdesc.py | 115 +++++++++++++++++----
431 1 file changed, 94 insertions(+), 21 deletions(-)
432
433diff --git a/source4/torture/drs/python/repl_secdesc.py b/source4/torture/drs/python/repl_secdesc.py
434index 58861af3bac..58212907e23 100644
435--- a/source4/torture/drs/python/repl_secdesc.py
436+++ b/source4/torture/drs/python/repl_secdesc.py
437@@ -28,6 +28,10 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
438
439 def setUp(self):
440 super(ReplAclTestCase, self).setUp()
441+ self.mod = "(A;CIOI;GA;;;SY)"
442+ self.mod_becomes = "(A;OICIIO;GA;;;SY)"
443+ self.mod_inherits_as = "(A;OICIIOID;GA;;;SY)"
444+
445 self.sd_utils_dc1 = sd_utils.SDUtils(self.ldb_dc1)
446 self.sd_utils_dc2 = sd_utils.SDUtils(self.ldb_dc2)
447
448@@ -54,8 +58,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
449
450 def test_acl_inheirt_new_object_1_pass(self):
451 # Set the inherited ACL on the parent OU
452- mod = "(A;CIOI;GA;;;SY)"
453- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
454+ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
455+
456+ # Assert ACL set stuck as expected
457+ self.assertIn(self.mod_becomes,
458+ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
459
460 # Make a new object
461 dn = ldb.Dn(self.ldb_dc1, "OU=l2,%s" % self.ou)
462@@ -65,15 +72,24 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
463 fromDC=self.dnsname_dc1,
464 forced=True)
465
466- # Confirm inherited ACLs are identical
467+ # Assert ACL replicated as expected
468+ self.assertIn(self.mod_becomes,
469+ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
470
471+ # Confirm inherited ACLs are identical and were inherited
472+
473+ self.assertIn(self.mod_inherits_as,
474+ self.sd_utils_dc1.get_sd_as_sddl(dn))
475 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
476 self.sd_utils_dc2.get_sd_as_sddl(dn))
477
478 def test_acl_inheirt_new_object(self):
479 # Set the inherited ACL on the parent OU
480- mod = "(A;CIOI;GA;;;SY)"
481- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
482+ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
483+
484+ # Assert ACL set stuck as expected
485+ self.assertIn(self.mod_becomes,
486+ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
487
488 # Replicate to DC2
489
490@@ -89,8 +105,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
491 fromDC=self.dnsname_dc1,
492 forced=True)
493
494- # Confirm inherited ACLs are identical
495+ # Assert ACL replicated as expected
496+ self.assertIn(self.mod_becomes,
497+ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
498
499+ # Confirm inherited ACLs are identical and were inheritied
500+
501+ self.assertIn(self.mod_inherits_as,
502+ self.sd_utils_dc1.get_sd_as_sddl(dn))
503 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
504 self.sd_utils_dc2.get_sd_as_sddl(dn))
505
506@@ -118,8 +140,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
507 attrs=[])
508
509 # Set the inherited ACL on the parent OU
510- mod = "(A;CIOI;GA;;;SY)"
511- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
512+ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
513+
514+ # Assert ACL set stuck as expected
515+ self.assertIn(self.mod_becomes,
516+ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
517
518 # Replicate to DC2
519
520@@ -127,8 +152,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
521 fromDC=self.dnsname_dc1,
522 forced=True)
523
524- # Confirm inherited ACLs are identical
525+ # Confirm inherited ACLs are identical and were inherited
526
527+ # Assert ACL replicated as expected
528+ self.assertIn(self.mod_becomes,
529+ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
530+
531+ self.assertIn(self.mod_inherits_as,
532+ self.sd_utils_dc1.get_sd_as_sddl(dn))
533 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
534 self.sd_utils_dc2.get_sd_as_sddl(dn))
535
536@@ -147,8 +178,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
537 self.assertEqual(enum, ldb.ERR_NO_SUCH_OBJECT)
538
539 # Set the inherited ACL on the parent OU
540- mod = "(A;CIOI;GA;;;SY)"
541- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
542+ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
543+
544+ # Assert ACL set as expected
545+ self.assertIn(self.mod_becomes,
546+ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
547
548 # Replicate to DC2
549
550@@ -156,8 +190,14 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
551 fromDC=self.dnsname_dc1,
552 forced=True)
553
554- # Confirm inherited ACLs are identical
555+ # Assert ACL replicated as expected
556+ self.assertIn(self.mod_becomes,
557+ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
558
559+ # Confirm inherited ACLs are identical and were inherited
560+
561+ self.assertIn(self.mod_inherits_as,
562+ self.sd_utils_dc1.get_sd_as_sddl(dn))
563 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(dn),
564 self.sd_utils_dc2.get_sd_as_sddl(dn))
565
566@@ -187,8 +227,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
567 attrs=[])
568
569 # Set the inherited ACL on the parent OU on DC1
570- mod = "(A;CIOI;GA;;;SY)"
571- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
572+ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
573+
574+ # Assert ACL set as expected
575+ self.assertIn(self.mod_becomes,
576+ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
577
578 # Replicate to DC2
579
580@@ -196,6 +239,10 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
581 fromDC=self.dnsname_dc1,
582 forced=True)
583
584+ # Assert ACL replicated as expected
585+ self.assertIn(self.mod_becomes,
586+ self.sd_utils_dc2.get_sd_as_sddl(self.ou))
587+
588 # Rename to under self.ou
589
590 self.ldb_dc1.rename(new_ou, sub_ou_dn)
591@@ -206,7 +253,9 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
592 fromDC=self.dnsname_dc1,
593 forced=True)
594
595- # Confirm inherited ACLs are identical
596+ # Confirm inherited ACLs are identical and were inherited
597+ self.assertIn(self.mod_inherits_as,
598+ self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn))
599 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
600 self.sd_utils_dc2.get_sd_as_sddl(sub_ou_dn))
601
602@@ -254,8 +303,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
603 #
604
605 # Set the inherited ACL on the grandchild OU (l3) on DC1
606- mod = "(A;CIOI;GA;;;SY)"
607- self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, mod)
608+ self.sd_utils_dc1.dacl_add_ace(sub3_ou_dn, self.mod)
609+
610+ # Assert ACL set stuck as expected
611+ self.assertIn(self.mod_becomes,
612+ self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn))
613
614 # Rename new_ou (l2) to under self.ou (this must happen second). If the
615 # inheritence between l3 and l4 is name-based, this could
616@@ -265,17 +317,26 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
617
618 self.ldb_dc1.rename(new_ou, sub2_ou_dn_final)
619
620+ # Assert ACL set remained as expected
621+ self.assertIn(self.mod_becomes,
622+ self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final))
623+
624 # Replicate to DC2
625
626 self._net_drs_replicate(DC=self.dnsname_dc2,
627 fromDC=self.dnsname_dc1,
628 forced=True)
629
630- # Confirm set ACLs (on l3 ) are identical.
631+ # Confirm set ACLs (on l3 ) are identical and were inherited
632+ self.assertIn(self.mod_becomes,
633+ self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final))
634 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub3_ou_dn_final),
635 self.sd_utils_dc2.get_sd_as_sddl(sub3_ou_dn_final))
636
637- # Confirm inherited ACLs (from l3 to l4) are identical.
638+ # Confirm inherited ACLs (from l3 to l4) are identical
639+ # and where inherited
640+ self.assertIn(self.mod_inherits_as,
641+ self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final))
642 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub4_ou_dn_final),
643 self.sd_utils_dc2.get_sd_as_sddl(sub4_ou_dn_final))
644
645@@ -291,8 +352,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
646 "objectclass": "organizationalUnit"})
647
648 # Set the inherited ACL on the parent OU
649- mod = "(A;CIOI;GA;;;SY)"
650- self.sd_utils_dc1.dacl_add_ace(self.ou, mod)
651+ self.sd_utils_dc1.dacl_add_ace(self.ou, self.mod)
652+
653+ # Assert ACL set stuck as expected
654+ self.assertIn(self.mod_becomes,
655+ self.sd_utils_dc1.get_sd_as_sddl(self.ou))
656
657 # Replicate to DC2
658
659@@ -302,6 +366,8 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
660
661 # Rename to under self.ou
662 self.ldb_dc1.rename(new_ou, sub_ou_dn)
663+ self.assertIn(self.mod_inherits_as,
664+ self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn))
665
666 # Replicate to DC2 (will cause a conflict, DC1 to win, version
667 # is higher since named twice)
668@@ -314,6 +380,8 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
669 base=self.ou,
670 attrs=[])
671 for child in children:
672+ self.assertIn(self.mod_inherits_as,
673+ self.sd_utils_dc2.get_sd_as_sddl(child.dn))
674 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn),
675 self.sd_utils_dc2.get_sd_as_sddl(child.dn))
676
677@@ -322,6 +390,11 @@ class ReplAclTestCase(drs_base.DrsBaseTestCase):
678 fromDC=self.dnsname_dc2,
679 forced=True)
680
681+ self.assertIn(self.mod_inherits_as,
682+ self.sd_utils_dc1.get_sd_as_sddl(sub_ou_dn))
683+
684 for child in children:
685+ self.assertIn(self.mod_inherits_as,
686+ self.sd_utils_dc1.get_sd_as_sddl(child.dn))
687 self.assertEquals(self.sd_utils_dc1.get_sd_as_sddl(child.dn),
688 self.sd_utils_dc2.get_sd_as_sddl(child.dn))
689--
6902.17.1
691
692
693From 17215b36b22d309a58a3b7bd08123f06e89657c9 Mon Sep 17 00:00:00 2001
694From: Andrew Bartlett <abartlet@samba.org>
695Date: Tue, 26 Nov 2019 15:44:32 +1300
696Subject: [PATCH 04/13] CVE-2019-14902 dsdb: Explain that
697 descriptor_sd_propagation_recursive() is proctected by a transaction
698
699This means we can trust the DB did not change between the two search
700requests.
701
702BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
703
704Signed-off-by: Andrew Bartlett <abartlet@samba.org>
705---
706 source4/dsdb/samdb/ldb_modules/descriptor.c | 3 +++
707 1 file changed, 3 insertions(+)
708
709diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
710index 9018b750ab5..fb2854438e1 100644
711--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
712+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
713@@ -1199,6 +1199,9 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
714 * LDB_SCOPE_SUBTREE searches are expensive.
715 *
716 * Note: that we do not search for deleted/recycled objects
717+ *
718+ * We know this is safe against a rename race as we are in the
719+ * prepare_commit(), so must be in a transaction.
720 */
721 ret = dsdb_module_search(module,
722 change,
723--
7242.17.1
725
726
727From 589d1e4846bbac0e5388af3ef0c6d6c41b5ff991 Mon Sep 17 00:00:00 2001
728From: Andrew Bartlett <abartlet@samba.org>
729Date: Tue, 26 Nov 2019 16:17:32 +1300
730Subject: [PATCH 05/13] CVE-2019-14902 dsdb: Add comments explaining why SD
731 propagation needs to be done here
732
733BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
734
735Signed-off-by: Andrew Bartlett <abartlet@samba.org>
736---
737 source4/dsdb/samdb/ldb_modules/descriptor.c | 7 +++++++
738 1 file changed, 7 insertions(+)
739
740diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
741index fb2854438e1..7070affa645 100644
742--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
743+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
744@@ -876,6 +876,9 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
745 return ldb_oom(ldb);
746 }
747
748+ /*
749+ * Force SD propagation on children of this record
750+ */
751 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
752 dn, false);
753 if (ret != LDB_SUCCESS) {
754@@ -966,6 +969,10 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
755 return ldb_oom(ldb);
756 }
757
758+ /*
759+ * Force SD propagation on this record (get a new
760+ * inherited SD from the potentially new parent
761+ */
762 ret = dsdb_module_schedule_sd_propagation(module, nc_root,
763 newdn, true);
764 if (ret != LDB_SUCCESS) {
765--
7662.17.1
767
768
769From 0fa9a362e55abb289cbf0fe24baa09c45af4837e Mon Sep 17 00:00:00 2001
770From: Andrew Bartlett <abartlet@samba.org>
771Date: Fri, 6 Dec 2019 17:54:23 +1300
772Subject: [PATCH 06/13] CVE-2019-14902 dsdb: Ensure we honour both
773 change->force_self and change->force_children
774
775If we are renaming a DN we can be in a situation where we need to
776
777BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
778
779Signed-off-by: Andrew Bartlett <abartlet@samba.org>
780---
781 source4/dsdb/samdb/ldb_modules/descriptor.c | 7 +++++++
782 1 file changed, 7 insertions(+)
783
784diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
785index 7070affa645..b9f465fc36f 100644
786--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
787+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
788@@ -1291,6 +1291,13 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
789
790 if (cur != NULL) {
791 DLIST_REMOVE(change->children, cur);
792+ } else if (i == 0) {
793+ /*
794+ * in the change->force_self case
795+ * res->msgs[0]->elements was not overwritten,
796+ * so set cur here
797+ */
798+ cur = change;
799 }
800
801 for (c = stopped_stack; c; c = stopped_stack) {
802--
8032.17.1
804
805
806From 9ac2b09fa5a2de44967a0b190918825e7dca8d53 Mon Sep 17 00:00:00 2001
807From: Andrew Bartlett <abartlet@samba.org>
808Date: Fri, 6 Dec 2019 18:05:54 +1300
809Subject: [PATCH 07/13] CVE-2019-14902 repl_meta_data: schedule SD propagation
810 to a renamed DN
811
812We need to check the SD of the parent if we rename, it is not the same as an incoming SD change.
813
814BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
815
816Signed-off-by: Andrew Bartlett <abartlet@samba.org>
817---
818 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 17 ++++++++++++++++-
819 1 file changed, 16 insertions(+), 1 deletion(-)
820
821diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
822index 04a51ecab51..52ff3d75ee2 100644
823--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
824+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
825@@ -6290,7 +6290,22 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
826 ar->index_current, msg->num_elements);
827
828 if (renamed) {
829- sd_updated = true;
830+ /*
831+ * This is an new name for this object, so we must
832+ * inherit from the parent
833+ *
834+ * This is needed because descriptor is above
835+ * repl_meta_data in the module stack, so this will
836+ * not be trigered 'naturally' by the flow of
837+ * operations.
838+ */
839+ ret = dsdb_module_schedule_sd_propagation(ar->module,
840+ ar->objs->partition_dn,
841+ msg->dn,
842+ true);
843+ if (ret != LDB_SUCCESS) {
844+ return ldb_operr(ldb);
845+ }
846 }
847
848 if (sd_updated && !isDeleted) {
849--
8502.17.1
851
852
853From 9e6b09e0fd52c664de7f0589074fef872c753fa2 Mon Sep 17 00:00:00 2001
854From: Andrew Bartlett <abartlet@samba.org>
855Date: Tue, 26 Nov 2019 15:50:35 +1300
856Subject: [PATCH 08/13] CVE-2019-14902 repl_meta_data: Fix issue where
857 inherited Security Descriptors were not replicated.
858
859BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
860
861Signed-off-by: Andrew Bartlett <abartlet@samba.org>
862---
863 selftest/knownfail.d/repl_secdesc | 1 -
864 .../dsdb/samdb/ldb_modules/repl_meta_data.c | 22 ++++++++++++++++++-
865 2 files changed, 21 insertions(+), 2 deletions(-)
866
867diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
868index 7d554ff237a..13a9ce458dd 100644
869--- a/selftest/knownfail.d/repl_secdesc
870+++ b/selftest/knownfail.d/repl_secdesc
871@@ -1,3 +1,2 @@
872 ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
873-^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inherit_existing_object
874 ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
875diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
876index 52ff3d75ee2..9812ded99fb 100644
877--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
878+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
879@@ -5527,6 +5527,15 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
880 replmd_ldb_message_sort(msg, ar->schema);
881
882 if (!remote_isDeleted) {
883+ /*
884+ * Ensure any local ACL inheritence is applied from
885+ * the parent object.
886+ *
887+ * This is needed because descriptor is above
888+ * repl_meta_data in the module stack, so this will
889+ * not be trigered 'naturally' by the flow of
890+ * operations.
891+ */
892 ret = dsdb_module_schedule_sd_propagation(ar->module,
893 ar->objs->partition_dn,
894 msg->dn, true);
895@@ -6309,9 +6318,20 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
896 }
897
898 if (sd_updated && !isDeleted) {
899+ /*
900+ * This is an existing object, so there is no need to
901+ * inherit from the parent, but we must inherit any
902+ * incoming changes to our child objects.
903+ *
904+ * This is needed because descriptor is above
905+ * repl_meta_data in the module stack, so this will
906+ * not be trigered 'naturally' by the flow of
907+ * operations.
908+ */
909 ret = dsdb_module_schedule_sd_propagation(ar->module,
910 ar->objs->partition_dn,
911- msg->dn, true);
912+ msg->dn,
913+ false);
914 if (ret != LDB_SUCCESS) {
915 return ldb_operr(ldb);
916 }
917--
9182.17.1
919
920
921From 7071888d5b556213be79545cac059a8b3f62baee Mon Sep 17 00:00:00 2001
922From: Andrew Bartlett <abartlet@samba.org>
923Date: Fri, 6 Dec 2019 18:26:42 +1300
924Subject: [PATCH 09/13] CVE-2019-14902 repl_meta_data: Set renamed = true (and
925 so do SD inheritance) after any rename
926
927Previously if there was a conflict, but the incoming object would still
928win, this was not marked as a rename, and so inheritence was not done.
929
930BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
931
932Signed-off-by: Andrew Bartlett <abartlet@samba.org>
933---
934 selftest/knownfail.d/repl_secdesc | 1 -
935 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 13 +++++++++++++
936 2 files changed, 13 insertions(+), 1 deletion(-)
937
938diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
939index 13a9ce458dd..9dd632d99ed 100644
940--- a/selftest/knownfail.d/repl_secdesc
941+++ b/selftest/knownfail.d/repl_secdesc
942@@ -1,2 +1 @@
943-^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_object_in_conflict
944 ^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
945diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
946index 9812ded99fb..e67c3b0281e 100644
947--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
948+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
949@@ -6134,6 +6134,19 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
950 * replmd_replicated_apply_search_callback())
951 */
952 ret = replmd_replicated_handle_rename(ar, msg, ar->req, &renamed);
953+
954+ /*
955+ * This looks strange, but we must set this after any
956+ * rename, otherwise the SD propegation will not
957+ * happen (which might matter if we have a new parent)
958+ *
959+ * The additional case of calling
960+ * replmd_op_name_modify_callback (below) is:
961+ * - a no-op if there was no name change
962+ * and
963+ * - called in the default case regardless.
964+ */
965+ renamed = true;
966 }
967
968 if (ret != LDB_SUCCESS) {
969--
9702.17.1
971
972
973From 16b377276ee82c04d069666e53deaa95a7633dd4 Mon Sep 17 00:00:00 2001
974From: Andrew Bartlett <abartlet@samba.org>
975Date: Thu, 12 Dec 2019 14:44:57 +1300
976Subject: [PATCH 10/13] CVE-2019-14902 dsdb: Change basis of descriptor module
977 deferred processing to be GUIDs
978
979We can not process on the basis of a DN, as the DN may have changed in a rename,
980not only that this module can see, but also from repl_meta_data below.
981
982Therefore remove all the complex tree-based change processing, leaving only
983a tree-based sort of the possible objects to be changed, and a single
984stopped_dn variable containing the DN to stop processing below (after
985a no-op change).
986
987BUG: https://bugzilla.samba.org/show_bug.cgi?id=12497
988
989Signed-off-by: Andrew Bartlett <abartlet@samba.org>
990---
991 selftest/knownfail.d/repl_secdesc | 1 -
992 source4/dsdb/samdb/ldb_modules/acl_util.c | 4 +-
993 source4/dsdb/samdb/ldb_modules/descriptor.c | 296 +++++++++---------
994 .../dsdb/samdb/ldb_modules/repl_meta_data.c | 7 +-
995 source4/dsdb/samdb/samdb.h | 2 +-
996 5 files changed, 156 insertions(+), 154 deletions(-)
997 delete mode 100644 selftest/knownfail.d/repl_secdesc
998
999diff --git a/selftest/knownfail.d/repl_secdesc b/selftest/knownfail.d/repl_secdesc
1000deleted file mode 100644
1001index 9dd632d99ed..00000000000
1002--- a/selftest/knownfail.d/repl_secdesc
1003+++ /dev/null
1004@@ -1 +0,0 @@
1005-^samba4.drs.repl_secdesc.python\(.*\).repl_secdesc.ReplAclTestCase.test_acl_inheirt_renamed_child_object
1006diff --git a/source4/dsdb/samdb/ldb_modules/acl_util.c b/source4/dsdb/samdb/ldb_modules/acl_util.c
1007index 6d645b10fe2..b9931795e19 100644
1008--- a/source4/dsdb/samdb/ldb_modules/acl_util.c
1009+++ b/source4/dsdb/samdb/ldb_modules/acl_util.c
1010@@ -286,7 +286,7 @@ uint32_t dsdb_request_sd_flags(struct ldb_request *req, bool *explicit)
1011
1012 int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
1013 struct ldb_dn *nc_root,
1014- struct ldb_dn *dn,
1015+ struct GUID guid,
1016 bool include_self)
1017 {
1018 struct ldb_context *ldb = ldb_module_get_ctx(module);
1019@@ -299,7 +299,7 @@ int dsdb_module_schedule_sd_propagation(struct ldb_module *module,
1020 }
1021
1022 op->nc_root = nc_root;
1023- op->dn = dn;
1024+ op->guid = guid;
1025 op->include_self = include_self;
1026
1027 ret = dsdb_module_extended(module, op, NULL,
1028diff --git a/source4/dsdb/samdb/ldb_modules/descriptor.c b/source4/dsdb/samdb/ldb_modules/descriptor.c
1029index b9f465fc36f..daa08c2ebc7 100644
1030--- a/source4/dsdb/samdb/ldb_modules/descriptor.c
1031+++ b/source4/dsdb/samdb/ldb_modules/descriptor.c
1032@@ -46,9 +46,8 @@
1033
1034 struct descriptor_changes {
1035 struct descriptor_changes *prev, *next;
1036- struct descriptor_changes *children;
1037 struct ldb_dn *nc_root;
1038- struct ldb_dn *dn;
1039+ struct GUID guid;
1040 bool force_self;
1041 bool force_children;
1042 struct ldb_dn *stopped_dn;
1043@@ -771,7 +770,8 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
1044 current_attrs,
1045 DSDB_FLAG_NEXT_MODULE |
1046 DSDB_FLAG_AS_SYSTEM |
1047- DSDB_SEARCH_SHOW_RECYCLED,
1048+ DSDB_SEARCH_SHOW_RECYCLED |
1049+ DSDB_SEARCH_SHOW_EXTENDED_DN,
1050 req);
1051 if (ret != LDB_SUCCESS) {
1052 ldb_debug(ldb, LDB_DEBUG_ERROR,"descriptor_modify: Could not find %s\n",
1053@@ -832,7 +832,7 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
1054 user_sd = old_sd;
1055 }
1056
1057- sd = get_new_descriptor(module, dn, req,
1058+ sd = get_new_descriptor(module, current_res->msgs[0]->dn, req,
1059 objectclass, parent_sd,
1060 user_sd, old_sd, sd_flags);
1061 if (sd == NULL) {
1062@@ -869,18 +869,32 @@ static int descriptor_modify(struct ldb_module *module, struct ldb_request *req)
1063 return ldb_oom(ldb);
1064 }
1065 } else if (cmp_ret != 0) {
1066+ struct GUID guid;
1067 struct ldb_dn *nc_root;
1068+ NTSTATUS status;
1069
1070- ret = dsdb_find_nc_root(ldb, msg, dn, &nc_root);
1071+ ret = dsdb_find_nc_root(ldb,
1072+ msg,
1073+ current_res->msgs[0]->dn,
1074+ &nc_root);
1075 if (ret != LDB_SUCCESS) {
1076 return ldb_oom(ldb);
1077 }
1078
1079+ status = dsdb_get_extended_dn_guid(current_res->msgs[0]->dn,
1080+ &guid,
1081+ "GUID");
1082+ if (!NT_STATUS_IS_OK(status)) {
1083+ return ldb_operr(ldb);
1084+ }
1085+
1086 /*
1087 * Force SD propagation on children of this record
1088 */
1089- ret = dsdb_module_schedule_sd_propagation(module, nc_root,
1090- dn, false);
1091+ ret = dsdb_module_schedule_sd_propagation(module,
1092+ nc_root,
1093+ guid,
1094+ false);
1095 if (ret != LDB_SUCCESS) {
1096 return ldb_operr(ldb);
1097 }
1098@@ -963,20 +977,31 @@ static int descriptor_rename(struct ldb_module *module, struct ldb_request *req)
1099
1100 if (ldb_dn_compare(olddn, newdn) != 0) {
1101 struct ldb_dn *nc_root;
1102+ struct GUID guid;
1103
1104 ret = dsdb_find_nc_root(ldb, req, newdn, &nc_root);
1105 if (ret != LDB_SUCCESS) {
1106 return ldb_oom(ldb);
1107 }
1108
1109- /*
1110- * Force SD propagation on this record (get a new
1111- * inherited SD from the potentially new parent
1112- */
1113- ret = dsdb_module_schedule_sd_propagation(module, nc_root,
1114- newdn, true);
1115- if (ret != LDB_SUCCESS) {
1116- return ldb_operr(ldb);
1117+ ret = dsdb_module_guid_by_dn(module,
1118+ olddn,
1119+ &guid,
1120+ req);
1121+ if (ret == LDB_SUCCESS) {
1122+ /*
1123+ * Without disturbing any errors if the olddn
1124+ * does not exit, force SD propagation on
1125+ * this record (get a new inherited SD from
1126+ * the potentially new parent
1127+ */
1128+ ret = dsdb_module_schedule_sd_propagation(module,
1129+ nc_root,
1130+ guid,
1131+ true);
1132+ if (ret != LDB_SUCCESS) {
1133+ return ldb_operr(ldb);
1134+ }
1135 }
1136 }
1137
1138@@ -992,9 +1017,7 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
1139 struct ldb_context *ldb = ldb_module_get_ctx(module);
1140 struct dsdb_extended_sec_desc_propagation_op *op;
1141 TALLOC_CTX *parent_mem = NULL;
1142- struct descriptor_changes *parent_change = NULL;
1143 struct descriptor_changes *c;
1144- int ret;
1145
1146 op = talloc_get_type(req->op.extended.data,
1147 struct dsdb_extended_sec_desc_propagation_op);
1148@@ -1011,32 +1034,6 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
1149
1150 parent_mem = descriptor_private->trans_mem;
1151
1152- for (c = descriptor_private->changes; c; c = c->next) {
1153- ret = ldb_dn_compare(c->nc_root, op->nc_root);
1154- if (ret != 0) {
1155- continue;
1156- }
1157-
1158- ret = ldb_dn_compare(c->dn, op->dn);
1159- if (ret == 0) {
1160- if (op->include_self) {
1161- c->force_self = true;
1162- } else {
1163- c->force_children = true;
1164- }
1165- return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1166- }
1167-
1168- ret = ldb_dn_compare_base(c->dn, op->dn);
1169- if (ret != 0) {
1170- continue;
1171- }
1172-
1173- parent_mem = c;
1174- parent_change = c;
1175- break;
1176- }
1177-
1178 c = talloc_zero(parent_mem, struct descriptor_changes);
1179 if (c == NULL) {
1180 return ldb_module_oom(module);
1181@@ -1045,21 +1042,14 @@ static int descriptor_extended_sec_desc_propagation(struct ldb_module *module,
1182 if (c->nc_root == NULL) {
1183 return ldb_module_oom(module);
1184 }
1185- c->dn = ldb_dn_copy(c, op->dn);
1186- if (c->dn == NULL) {
1187- return ldb_module_oom(module);
1188- }
1189+ c->guid = op->guid;
1190 if (op->include_self) {
1191 c->force_self = true;
1192 } else {
1193 c->force_children = true;
1194 }
1195
1196- if (parent_change != NULL) {
1197- DLIST_ADD_END(parent_change->children, c);
1198- } else {
1199- DLIST_ADD_END(descriptor_private->changes, c);
1200- }
1201+ DLIST_ADD_END(descriptor_private->changes, c);
1202
1203 return ldb_module_done(req, NULL, NULL, LDB_SUCCESS);
1204 }
1205@@ -1179,41 +1169,75 @@ static int descriptor_sd_propagation_msg_sort(struct ldb_message **m1,
1206 return ldb_dn_compare(dn2, dn1);
1207 }
1208
1209-static int descriptor_sd_propagation_dn_sort(struct ldb_dn *dn1,
1210- struct ldb_dn *dn2)
1211-{
1212- /*
1213- * This sorts in tree order, parents first
1214- */
1215- return ldb_dn_compare(dn2, dn1);
1216-}
1217-
1218 static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1219 struct descriptor_changes *change)
1220 {
1221- struct ldb_context *ldb = ldb_module_get_ctx(module);
1222+ struct ldb_result *guid_res = NULL;
1223 struct ldb_result *res = NULL;
1224 unsigned int i;
1225 const char * const no_attrs[] = { "@__NONE__", NULL };
1226- struct descriptor_changes *c;
1227- struct descriptor_changes *stopped_stack = NULL;
1228- enum ldb_scope scope;
1229+ struct ldb_dn *stopped_dn = NULL;
1230+ struct GUID_txt_buf guid_buf;
1231 int ret;
1232+ bool stop = false;
1233
1234 /*
1235- * First confirm this object has children, or exists (depending on change->force_self)
1236+ * First confirm this object has children, or exists
1237+ * (depending on change->force_self)
1238 *
1239 * LDB_SCOPE_SUBTREE searches are expensive.
1240 *
1241- * Note: that we do not search for deleted/recycled objects
1242- *
1243 * We know this is safe against a rename race as we are in the
1244 * prepare_commit(), so must be in a transaction.
1245 */
1246+
1247+ /* Find the DN by GUID, as this is stable under rename */
1248+ ret = dsdb_module_search(module,
1249+ change,
1250+ &guid_res,
1251+ change->nc_root,
1252+ LDB_SCOPE_SUBTREE,
1253+ no_attrs,
1254+ DSDB_FLAG_NEXT_MODULE |
1255+ DSDB_FLAG_AS_SYSTEM |
1256+ DSDB_SEARCH_SHOW_DELETED |
1257+ DSDB_SEARCH_SHOW_RECYCLED,
1258+ NULL, /* parent_req */
1259+ "(objectGUID=%s)",
1260+ GUID_buf_string(&change->guid,
1261+ &guid_buf));
1262+
1263+ if (ret != LDB_SUCCESS) {
1264+ return ret;
1265+ }
1266+
1267+ if (guid_res->count != 1) {
1268+ /*
1269+ * We were just given this GUID during the same
1270+ * transaction, if it is missing this is a big
1271+ * problem.
1272+ *
1273+ * Cleanup of tombstones does not trigger this module
1274+ * as it just does a delete.
1275+ */
1276+ ldb_asprintf_errstring(ldb_module_get_ctx(module),
1277+ "failed to find GUID %s under %s "
1278+ "for transaction-end SD inheritance: %d results",
1279+ GUID_buf_string(&change->guid,
1280+ &guid_buf),
1281+ ldb_dn_get_linearized(change->nc_root),
1282+ guid_res->count);
1283+ return LDB_ERR_OPERATIONS_ERROR;
1284+ }
1285+
1286+ /*
1287+ * OK, so there was a parent, are there children? Note: that
1288+ * this time we do not search for deleted/recycled objects
1289+ */
1290 ret = dsdb_module_search(module,
1291 change,
1292 &res,
1293- change->dn,
1294+ guid_res->msgs[0]->dn,
1295 LDB_SCOPE_ONELEVEL,
1296 no_attrs,
1297 DSDB_FLAG_NEXT_MODULE |
1298@@ -1221,26 +1245,55 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1299 NULL, /* parent_req */
1300 "(objectClass=*)");
1301 if (ret != LDB_SUCCESS) {
1302+ /*
1303+ * LDB_ERR_NO_SUCH_OBJECT, say if the DN was a deleted
1304+ * object, is ignored by the caller
1305+ */
1306 return ret;
1307 }
1308
1309 if (res->count == 0 && !change->force_self) {
1310+ /* All done, no children */
1311 TALLOC_FREE(res);
1312 return LDB_SUCCESS;
1313- } else if (res->count == 0 && change->force_self) {
1314- scope = LDB_SCOPE_BASE;
1315- } else {
1316- scope = LDB_SCOPE_SUBTREE;
1317 }
1318
1319 /*
1320+ * First, if we are in force_self mode (eg renamed under new
1321+ * parent) then apply the SD to the top object
1322+ */
1323+ if (change->force_self) {
1324+ ret = descriptor_sd_propagation_object(module,
1325+ guid_res->msgs[0],
1326+ &stop);
1327+ if (ret != LDB_SUCCESS) {
1328+ TALLOC_FREE(guid_res);
1329+ return ret;
1330+ }
1331+
1332+ if (stop == true && !change->force_children) {
1333+ /* There was no change, nothing more to do */
1334+ TALLOC_FREE(guid_res);
1335+ return LDB_SUCCESS;
1336+ }
1337+
1338+ if (res->count == 0) {
1339+ /* All done! */
1340+ TALLOC_FREE(guid_res);
1341+ return LDB_SUCCESS;
1342+ }
1343+ }
1344+
1345+ /*
1346+ * Look for children
1347+ *
1348 * Note: that we do not search for deleted/recycled objects
1349 */
1350 ret = dsdb_module_search(module,
1351 change,
1352 &res,
1353- change->dn,
1354- scope,
1355+ guid_res->msgs[0]->dn,
1356+ LDB_SCOPE_SUBTREE,
1357 no_attrs,
1358 DSDB_FLAG_NEXT_MODULE |
1359 DSDB_FLAG_AS_SYSTEM,
1360@@ -1253,90 +1306,39 @@ static int descriptor_sd_propagation_recursive(struct ldb_module *module,
1361 TYPESAFE_QSORT(res->msgs, res->count,
1362 descriptor_sd_propagation_msg_sort);
1363
1364- for (c = change->children; c; c = c->next) {
1365- struct ldb_message *msg = NULL;
1366-
1367- BINARY_ARRAY_SEARCH_P(res->msgs, res->count, dn, c->dn,
1368- descriptor_sd_propagation_dn_sort,
1369- msg);
1370-
1371- if (msg == NULL) {
1372- ldb_debug(ldb, LDB_DEBUG_WARNING,
1373- "descriptor_sd_propagation_recursive: "
1374- "%s not found under %s",
1375- ldb_dn_get_linearized(c->dn),
1376- ldb_dn_get_linearized(change->dn));
1377- continue;
1378- }
1379-
1380- msg->elements = (struct ldb_message_element *)c;
1381- }
1382-
1383- DLIST_ADD(stopped_stack, change);
1384-
1385- if (change->force_self) {
1386- i = 0;
1387- } else {
1388- i = 1;
1389- }
1390-
1391- for (; i < res->count; i++) {
1392- struct descriptor_changes *cur;
1393- bool stop = false;
1394-
1395- cur = talloc_get_type(res->msgs[i]->elements,
1396- struct descriptor_changes);
1397- res->msgs[i]->elements = NULL;
1398- res->msgs[i]->num_elements = 0;
1399-
1400- if (cur != NULL) {
1401- DLIST_REMOVE(change->children, cur);
1402- } else if (i == 0) {
1403+ /* We start from 1, the top object has been done */
1404+ for (i = 1; i < res->count; i++) {
1405+ /*
1406+ * ldb_dn_compare_base() does not match for NULL but
1407+ * this is clearer
1408+ */
1409+ if (stopped_dn != NULL) {
1410+ ret = ldb_dn_compare_base(stopped_dn,
1411+ res->msgs[i]->dn);
1412 /*
1413- * in the change->force_self case
1414- * res->msgs[0]->elements was not overwritten,
1415- * so set cur here
1416+ * Skip further processing of this
1417+ * sub-subtree
1418 */
1419- cur = change;
1420- }
1421-
1422- for (c = stopped_stack; c; c = stopped_stack) {
1423- ret = ldb_dn_compare_base(c->dn,
1424- res->msgs[i]->dn);
1425- if (ret == 0) {
1426- break;
1427- }
1428-
1429- c->stopped_dn = NULL;
1430- DLIST_REMOVE(stopped_stack, c);
1431- }
1432-
1433- if (cur != NULL) {
1434- DLIST_ADD(stopped_stack, cur);
1435- }
1436-
1437- if (stopped_stack->stopped_dn != NULL) {
1438- ret = ldb_dn_compare_base(stopped_stack->stopped_dn,
1439- res->msgs[i]->dn);
1440 if (ret == 0) {
1441 continue;
1442 }
1443- stopped_stack->stopped_dn = NULL;
1444 }
1445-
1446- ret = descriptor_sd_propagation_object(module, res->msgs[i],
1447+ ret = descriptor_sd_propagation_object(module,
1448+ res->msgs[i],
1449 &stop);
1450 if (ret != LDB_SUCCESS) {
1451 return ret;
1452 }
1453
1454- if (cur != NULL && cur->force_children) {
1455- continue;
1456- }
1457-
1458 if (stop) {
1459- stopped_stack->stopped_dn = res->msgs[i]->dn;
1460- continue;
1461+ /*
1462+ * If this child didn't change, then nothing
1463+ * under it needs to change
1464+ *
1465+ * res has been sorted into tree order so the
1466+ * next few entries can be skipped
1467+ */
1468+ stopped_dn = res->msgs[i]->dn;
1469 }
1470 }
1471
1472diff --git a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
1473index e67c3b0281e..a2a6bcc98f3 100644
1474--- a/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
1475+++ b/source4/dsdb/samdb/ldb_modules/repl_meta_data.c
1476@@ -5538,7 +5538,8 @@ static int replmd_replicated_apply_add(struct replmd_replicated_request *ar)
1477 */
1478 ret = dsdb_module_schedule_sd_propagation(ar->module,
1479 ar->objs->partition_dn,
1480- msg->dn, true);
1481+ ar->objs->objects[ar->index_current].object_guid,
1482+ true);
1483 if (ret != LDB_SUCCESS) {
1484 return replmd_replicated_request_error(ar, ret);
1485 }
1486@@ -6323,7 +6324,7 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
1487 */
1488 ret = dsdb_module_schedule_sd_propagation(ar->module,
1489 ar->objs->partition_dn,
1490- msg->dn,
1491+ ar->objs->objects[ar->index_current].object_guid,
1492 true);
1493 if (ret != LDB_SUCCESS) {
1494 return ldb_operr(ldb);
1495@@ -6343,7 +6344,7 @@ static int replmd_replicated_apply_merge(struct replmd_replicated_request *ar)
1496 */
1497 ret = dsdb_module_schedule_sd_propagation(ar->module,
1498 ar->objs->partition_dn,
1499- msg->dn,
1500+ ar->objs->objects[ar->index_current].object_guid,
1501 false);
1502 if (ret != LDB_SUCCESS) {
1503 return ldb_operr(ldb);
1504diff --git a/source4/dsdb/samdb/samdb.h b/source4/dsdb/samdb/samdb.h
1505index e1b0e4aa4e3..3f47b863a83 100644
1506--- a/source4/dsdb/samdb/samdb.h
1507+++ b/source4/dsdb/samdb/samdb.h
1508@@ -338,7 +338,7 @@ struct dsdb_extended_allocate_rid {
1509 #define DSDB_EXTENDED_SEC_DESC_PROPAGATION_OID "1.3.6.1.4.1.7165.4.4.7"
1510 struct dsdb_extended_sec_desc_propagation_op {
1511 struct ldb_dn *nc_root;
1512- struct ldb_dn *dn;
1513+ struct GUID guid;
1514 bool include_self;
1515 };
1516
1517--
15182.17.1
1519
1520
1521From 030fa9e5455125e30b71c90be80baadb657d8993 Mon Sep 17 00:00:00 2001
1522From: Noel Power <noel.power@suse.com>
1523Date: Fri, 24 May 2019 13:37:00 +0000
1524Subject: [PATCH 11/13] CVE-2019-14907 lib/util/charset: clang: Fix Value
1525 stored to 'reason' is never read warning
1526
1527Fixes:
1528
1529lib/util/charset/convert_string.c:301:5: warning: Value stored to 'reason' is never read <--[clang]
1530
1531BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
1532
1533Signed-off-by: Noel Power <noel.power@suse.com>
1534Reviewed-by: Gary Lockyer gary@catalyst.net.nz
1535(cherry picked from commit add47e288bc80c1bf45765d1588a9fa5998ea677)
1536---
1537 lib/util/charset/convert_string.c | 8 ++++----
1538 1 file changed, 4 insertions(+), 4 deletions(-)
1539
1540diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
1541index 196302aacfd..34facab6fe6 100644
1542--- a/lib/util/charset/convert_string.c
1543+++ b/lib/util/charset/convert_string.c
1544@@ -300,13 +300,13 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
1545 {
1546 reason="No more room";
1547 if (from == CH_UNIX) {
1548- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s'\n",
1549+ DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n",
1550 charset_name(ic, from), charset_name(ic, to),
1551- (unsigned int)srclen, (unsigned int)destlen, (const char *)src));
1552+ (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason));
1553 } else {
1554- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u\n",
1555+ DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
1556 charset_name(ic, from), charset_name(ic, to),
1557- (unsigned int)srclen, (unsigned int)destlen));
1558+ (unsigned int)srclen, (unsigned int)destlen, reason));
1559 }
1560 break;
1561 }
1562--
15632.17.1
1564
1565
1566From ad0e68d354ad33c577dbf146fc4a1b8254857558 Mon Sep 17 00:00:00 2001
1567From: Andrew Bartlett <abartlet@samba.org>
1568Date: Fri, 29 Nov 2019 20:58:47 +1300
1569Subject: [PATCH 12/13] CVE-2019-14907 lib/util: Do not print the failed to
1570 convert string into the logs
1571MIME-Version: 1.0
1572Content-Type: text/plain; charset=UTF-8
1573Content-Transfer-Encoding: 8bit
1574
1575The string may be in another charset, or may be sensitive and
1576certainly may not be terminated. It is not safe to just print.
1577
1578Found by Robert Święcki using a fuzzer he wrote for smbd.
1579
1580BUG: https://bugzilla.samba.org/show_bug.cgi?id=14208
1581Signed-off-by: Andrew Bartlett <abartlet@samba.org>
1582
1583(adapted from master commit)
1584---
1585 lib/util/charset/convert_string.c | 33 +++++++++++++++++--------------
1586 1 file changed, 18 insertions(+), 15 deletions(-)
1587
1588diff --git a/lib/util/charset/convert_string.c b/lib/util/charset/convert_string.c
1589index 34facab6fe6..b546e056953 100644
1590--- a/lib/util/charset/convert_string.c
1591+++ b/lib/util/charset/convert_string.c
1592@@ -293,31 +293,31 @@ bool convert_string_handle(struct smb_iconv_handle *ic,
1593 switch(errno) {
1594 case EINVAL:
1595 reason="Incomplete multibyte sequence";
1596- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
1597- reason, (const char *)src));
1598+ DBG_NOTICE("Conversion error: %s\n",
1599+ reason);
1600 break;
1601 case E2BIG:
1602 {
1603 reason="No more room";
1604 if (from == CH_UNIX) {
1605- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u - '%s' error: %s\n",
1606- charset_name(ic, from), charset_name(ic, to),
1607- (unsigned int)srclen, (unsigned int)destlen, (const char *)src, reason));
1608+ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
1609+ charset_name(ic, from), charset_name(ic, to),
1610+ (unsigned int)srclen, (unsigned int)destlen, reason);
1611 } else {
1612- DEBUG(3,("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
1613- charset_name(ic, from), charset_name(ic, to),
1614- (unsigned int)srclen, (unsigned int)destlen, reason));
1615+ DBG_NOTICE("E2BIG: convert_string(%s,%s): srclen=%u destlen=%u error: %s\n",
1616+ charset_name(ic, from), charset_name(ic, to),
1617+ (unsigned int)srclen, (unsigned int)destlen, reason);
1618 }
1619 break;
1620 }
1621 case EILSEQ:
1622 reason="Illegal multibyte sequence";
1623- DEBUG(3,("convert_string_internal: Conversion error: %s(%s)\n",
1624- reason, (const char *)src));
1625+ DBG_NOTICE("convert_string_internal: Conversion error: %s\n",
1626+ reason);
1627 break;
1628 default:
1629- DEBUG(0,("convert_string_internal: Conversion error: %s(%s)\n",
1630- reason, (const char *)src));
1631+ DBG_ERR("convert_string_internal: Conversion error: %s\n",
1632+ reason);
1633 break;
1634 }
1635 /* smb_panic(reason); */
1636@@ -427,16 +427,19 @@ bool convert_string_talloc_handle(TALLOC_CTX *ctx, struct smb_iconv_handle *ic,
1637 switch(errno) {
1638 case EINVAL:
1639 reason="Incomplete multibyte sequence";
1640- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
1641+ DBG_NOTICE("Conversion error: %s\n",
1642+ reason);
1643 break;
1644 case E2BIG:
1645 goto convert;
1646 case EILSEQ:
1647 reason="Illegal multibyte sequence";
1648- DEBUG(3,("convert_string_talloc: Conversion error: %s(%s)\n",reason,inbuf));
1649+ DBG_NOTICE("Conversion error: %s\n",
1650+ reason);
1651 break;
1652 default:
1653- DEBUG(0,("Conversion error: %s(%s)\n",reason,inbuf));
1654+ DBG_ERR("Conversion error: %s\n",
1655+ reason);
1656 break;
1657 }
1658 /* smb_panic(reason); */
1659--
16602.17.1
1661
1662
© 2015 Mike Crute