1
0
mirror of https://github.com/samba-team/samba.git synced 2025-03-14 00:58:38 +03:00

107141 Commits

Author SHA1 Message Date
Karolin Seeger
8635c4fb1b VERSION: Bump version up to 4.6.17.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2018-08-14 12:21:06 +02:00
Karolin Seeger
fd60772cd6 samba: tag release samba-4.6.16
-----BEGIN PGP SIGNATURE-----
 
 iEYEABECAAYFAltxMskACgkQbzORW2Vot+q3rQCeJjL/e0+mwbPt+Vy0oqpatpUm
 XqEAnjtVqfcVxtauJa11pYb4+AuYzhSw
 =XzKy
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.6.16' into v4-6-test

samba: tag release samba-4.6.16
2018-08-14 12:20:50 +02:00
Karolin Seeger
18df99ba0b VERSION: Disable GIT_SNAPSHOT for the 4.6.16 release.
o  CVE-2018-10858 (Insufficient input validation on client directory
                   listing in libsmbclient.)
o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
                   server.)

Signed-off-by: Karolin Seeger <kseeger@samba.org>
samba-4.6.16
2018-08-13 09:25:13 +02:00
Karolin Seeger
cd2839a101 WHATSNEW: Add release notes for Samba 4.6.16.
o  CVE-2018-10858 (Insufficient input validation on client directory
                   listing in libsmbclient.)
o  CVE-2018-10919 (Confidential attribute disclosure from the AD LDAP
                   server.)

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2018-08-13 09:24:08 +02:00
Tim Beale
9f166c0222 CVE-2018-10919 tests: Add extra test for dirsync deleted object corner-case
The acl_read.c code contains a special case to allow dirsync to
work-around having insufficient access rights. We had a concern that
the dirsync module could leak sensitive information for deleted objects.
This patch adds a test-case to prove whether or not this is happening.

The new test case is similar to the existing dirsync test except:
- We make the confidential attribute also preserve-on-delete, so it
  hangs around for deleted objcts. Because the attributes now persist
  across test case runs, I've used a different attribute to normal.
  (Technically, the dirsync search expressions are now specific enough
  that the regular attribute could be used, but it would make things
  quite fragile if someone tried to add a new test case).
- To handle searching for deleted objects, the search expressions are
  now more complicated. Currently dirsync adds an extra-filter to the
  '!' searches to exclude deleted objects, i.e. samaccountname matches
  the test-objects AND the object is not deleted. We now extend this to
  include deleted objects with lastKnownParent equal to the test OU.
  The search expression matches either case so that we can use the same
  expression throughout the test (regardless of whether the object is
  deleted yet or not).

This test proves that the dirsync corner-case does not actually leak
sensitive information on Samba. This is due to a bug in the dirsync
code - when the buggy line is removed, this new test promptly fails.
Test also passes against Windows.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:36 +02:00
Tim Beale
246e79f6ed CVE-2018-10919 acl_read: Fix unauthorized attribute access via searches
A user that doesn't have access to view an attribute can still guess the
attribute's value via repeated LDAP searches. This affects confidential
attributes, as well as ACLs applied to an object/attribute to deny
access.

Currently the code will hide objects if the attribute filter contains an
attribute they are not authorized to see. However, the code still
returns objects as results if confidential attribute is in the search
expression itself, but not in the attribute filter.

To fix this problem we have to check the access rights on the attributes
in the search-tree, as well as the attributes returned in the message.

Points of note:
- I've preserved the existing dirsync logic (the dirsync module code
  suppresses the result as long as the replPropertyMetaData attribute is
  removed). However, there doesn't appear to be any test that highlights
  that this functionality is required for dirsync.
- To avoid this fix breaking the acl.py tests, we need to still permit
  searches like 'objectClass=*', even though we don't have Read Property
  access rights for the objectClass attribute. The logic that Windows
  uses does not appear to be clearly documented, so I've made a best
  guess that seems to mirror Windows behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:36 +02:00
Tim Beale
9605ecc7e1 CVE-2018-10919 acl_read: Flip the logic in the dirsync check
This better reflects the special case we're making for dirsync, and gets
rid of a 'if-else' clause.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:36 +02:00
Tim Beale
533106ae9c CVE-2018-10919 acl_read: Small refactor to aclread_callback()
Flip the dirsync check (to avoid a double negative), and use a helper
boolean variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:36 +02:00
Tim Beale
fa7bcea388 CVE-2018-10919 acl_read: Split access_mask logic out into helper function
So we can re-use the same logic laster for checking the search-ops.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:36 +02:00
Tim Beale
f6cbad5f50 CVE-2018-10919 security: Fix checking of object-specific CONTROL_ACCESS rights
An 'Object Access Allowed' ACE that assigned 'Control Access' (CR)
rights to a specific attribute would not actually grant access.

What was happening was the remaining_access mask for the object_tree
nodes would be Read Property (RP) + Control Access (CR). The ACE mapped
to the schemaIDGUID for a given attribute, which would end up being a
child node in the tree. So the CR bit was cleared for a child node, but
not the rest of the tree. We would then check the user had the RP access
right, which it did. However, the RP right was cleared for another node
in the tree, which still had the CR bit set in its remaining_access
bitmap, so Samba would not grant access.

Generally, the remaining_access only ever has one bit set, which means
this isn't a problem normally. However, in the Control Access case there
are 2 separate bits being checked, i.e. RP + CR.

One option to fix this problem would be to clear the remaining_access
for the tree instead of just the node. However, the Windows spec is
actually pretty clear on this: if the ACE has a CR right present, then
you can stop any further access checks.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:36 +02:00
Gary Lockyer
873ccd079f CVE-2018-10919 tests: test ldap searches for non-existent attributes.
It is perfectly legal to search LDAP for an attribute that is not part
of the schema.  That part of the query should simply not match.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2018-08-13 09:13:36 +02:00
Tim Beale
924f87cb74 CVE-2018-10919 tests: Add test case for object visibility with limited rights
Currently Samba is a bit disclosive with LDB_OP_PRESENT (i.e.
attribute=*) searches compared to Windows.

All the acl.py tests are based on objectClass=* searches, where Windows
will happily tell a user about objects they have List Contents rights,
but not Read Property rights for. However, if you change the attribute
being searched for, suddenly the objects are no longer visible on
Windows (whereas they are on Samba).

This is a problem, because Samba can tell you about which objects have
confidential attributes, which in itself could be disclosive.

This patch adds a acl.py test-case that highlights this behaviour. The
test passes against Windows but fails against Samba.

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:36 +02:00
Tim Beale
33887063b0 CVE-2018-10919 tests: Add tests for guessing confidential attributes
Adds tests that assert that a confidential attribute cannot be guessed
by an unprivileged user through wildcard DB searches.

The tests basically consist of a set of DB searches/assertions that
get run for:
- basic searches against a confidential attribute
- confidential attributes that get overridden by giving access to the
  user via an ACE (run against a variety of ACEs)
- protecting a non-confidential attribute via an ACL that denies read-
  access (run against a variety of ACEs)
- querying confidential attributes via the dirsync controls

These tests all pass when run against a Windows Dc and all fail against
a Samba DC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:35 +02:00
Tim Beale
010d1f1810 CVE-2018-10919 security: Add more comments to the object-specific access checks
Reading the spec and then reading the code makes sense, but we could
comment the code more so it makes sense on its own.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:35 +02:00
Tim Beale
2878c22070 CVE-2018-10919 security: Move object-specific access checks into separate function
Object-specific access checks refer to a specific section of the
MS-ADTS, and the code closely matches the spec. We need to extend this
logic to properly handle the Control-Access Right (CR), so it makes
sense to split the logic out into its own function.

This patch just moves the code, and should not alter the logic (apart
from ading in the boolean grant_access return variable.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13434

Signed-off-by: Tim Beale <timbeale@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2018-08-13 09:13:35 +02:00
Jeremy Allison
2711b6600e CVE-2018-10858: libsmb: Harden smbc_readdir_internal() against returns from malicious servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
		listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-08-13 09:13:35 +02:00
Jeremy Allison
6936d3e2f2 CVE-2018-10858: libsmb: Ensure smbc_urlencode() can't overwrite passed in buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13453

CVE-2018-10858: Insufficient input validation on client directory
		listing in libsmbclient.

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2018-08-13 09:13:35 +02:00
Karolin Seeger
30428f36f7 VERSION: Bump version up to 4.6.16...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
(cherry picked from commit 7705a4d471a427041616a9897158474d8a5ff457)
2018-08-13 09:13:35 +02:00
Karolin Seeger
7705a4d471 VERSION: Bump version up to 4.6.16...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2018-04-13 08:55:18 +02:00
Karolin Seeger
c4d44b9a78 VERSION: Disable GIT_SNAPSHOT for the 4.6.15 release.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
samba-4.6.15
2018-04-13 08:55:18 +02:00
Karolin Seeger
46be02065a WHATSNEW: Add release notes for Samba 4.6.15.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2018-04-13 08:55:09 +02:00
Volker Lendecke
c90accf027 torture: Test compound request request counters
This will send an unfixed smbd into the

SMB_ASSERT(op->request_count > 0);

in smbd_smb2_request_reply_update_counts

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Apr 12 14:38:39 CEST 2018 on sn-devel-144

(cherry picked from commit 40edd1bc273f664d5567ef5be169033899acee1f)

Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-6-test): Thu Apr 12 21:56:31 CEST 2018 on sn-devel-144
2018-04-12 21:56:31 +02:00
Stefan Metzmacher
fb602bddc4 s3:smb2_server: correctly maintain request counters for compound requests
If a session expires during a compound request chain,
we exit smbd_smb2_request_dispatch() with
'return smbd_smb2_request_error(req, ...)' before
calling smbd_smb2_request_dispatch_update_counts().

As req->request_counters_updated was only reset
within smbd_smb2_request_dispatch_update_counts(),
smbd_smb2_request_reply_update_counts() was called
twice on the same request, which triggers
SMB_ASSERT(op->request_count > 0);

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13215

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit 87e25cd1e45bfe57292b62ffc44ddafc01c61ca0)
2018-04-12 17:26:40 +02:00
Jeremy Allison
e1c58ec4ee s3: smbd: Unix extensions attempts to change wrong field in fchown call.
Cut and paste error.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13375

Reported-by: Rungta, Vandana <vrungta@amazon.com>
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): David Disseldorp <ddiss@samba.org>
Autobuild-Date(master): Tue Apr 10 00:45:56 CEST 2018 on sn-devel-144

(cherry picked from commit 3227b110d065500ed84fc70063da70ab35823a2e)

Autobuild-User(v4-6-test): Karolin Seeger <kseeger@samba.org>
Autobuild-Date(v4-6-test): Wed Apr 11 16:55:21 CEST 2018 on sn-devel-144
2018-04-11 16:55:21 +02:00
Anton Nefedov via samba-technical
b11b0e0f7f s3:smbd: map nterror on smb2_flush errorpath
smbd_smb2_flush_recv() expects nterror in tevent_req, and otherwise
aborts in tevent_req_is_nterror()

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13338

Signed-off-by: Anton Nefedov <anton.nefedov@virtuozzo.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 98623129446672521b7fa41d3457b8ce95db828c)
2018-04-11 12:56:12 +02:00
Poornima G
24354b0fda vfs_glusterfs: Fix the wrong pointer being sent in glfs_fsync_async
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13297

Pair-Programmed-With: Anoop C S <anoopcs@redhat.com>
Signed-off-by: Poornima G <pgurusid@redhat.com>
Reviewed-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Michael Adam <obnox@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Mon Feb 26 20:17:50 CET 2018 on sn-devel-144

(cherry picked from commit 46e6626f73f42c84f254507c3ec2b591e2e732ba)
2018-04-11 12:56:12 +02:00
Jeremy Allison
94d91c9906 s3: smbd: Fix possible directory fd leak if the underlying OS doesn't support fdopendir()
HPUX has this problem.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13270

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Fri Feb 23 22:56:35 CET 2018 on sn-devel-144

(cherry picked from commit 5ad5e7966f555b1d2b39d276646934a2cd2535e6)
2018-04-11 12:56:12 +02:00
Jeremy Allison
8f4202e0d9 s3: ldap: Ensure the ADS_STRUCT pointer doesn't get freed on error, we don't own it here.
Thanks to Isaac Boukris <iboukris@gmail.com> for finding the
issue and testing this fix.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13244

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 26 02:25:20 CET 2018 on sn-devel-144

(cherry picked from commit e7425bd5245ffea68b7e8f794c9b5f864d103769)
2018-04-11 12:56:12 +02:00
Garming Sam
0afb85c28f tests/bind.py: Add a bind test with NTLMSSP with no domain
Confirmed to pass against Windows 2012 R2.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 2e49a97777ebf5bffbeadca03517b4a21bca24c0)

Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-6-test): Tue Mar 20 21:20:00 CET 2018 on sn-devel-144
2018-03-20 21:20:00 +01:00
Stefan Metzmacher
96d9297a98 s3:cliconnect.c: remove useless ';'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e039e9b0d2a16b21ace019b028e5c8244486b8a3)
2018-03-20 17:12:12 +01:00
Stefan Metzmacher
bb14cec616 s3:libsmb: allow -U"\\administrator" to work
cli_credentials_get_principal() returns NULL in that case.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13206

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0786a65cabb92a812cf1c692d0d26914f74a6f87)
2018-03-20 17:12:12 +01:00
Stefan Metzmacher
d71e1a2bf4 samba: tag release samba-4.6.14
-----BEGIN PGP SIGNATURE-----
 
 iEYEABECAAYFAlqmRN8ACgkQbzORW2Vot+p/DQCfdzDJfPsIrg8a1cmgTOw6m4/S
 ji4An3CjZ0C99e0MXjMFbNFqx1eGm5Hb
 =92v9
 -----END PGP SIGNATURE-----

Merge tag 'samba-4.6.14' into v4-6-test

samba: tag release samba-4.6.14
2018-03-13 11:11:55 +01:00
Karolin Seeger
2d2fb95a43 VERSION: Bump version up to 4.6.15...
and re-enable GIT_SNAPSHOT.

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2018-03-13 10:40:24 +01:00
Günther Deschner
85fc0d5d01 build: fix libceph-common detection
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13277

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>

Autobuild-User(master): Günther Deschner <gd@samba.org>
Autobuild-Date(master): Thu Feb 22 19:30:12 CET 2018 on sn-devel-144

(cherry picked from commit 6a59619844e0def505a6bfa778c17721c062e0ee)
2018-03-13 10:28:56 +01:00
Karolin Seeger
903cccc9d7 VERSION: Disable GIT_SNAPSHOT for the 4.6.14 release.
CVE-2018-1050 (Denial of Service Attack on external print server.)
CVE-2018-1057 (Authenticated users can change other users' password.)

Signed-off-by: Karolin Seeger <kseeger@samba.org>
2018-03-13 10:28:56 +01:00
Karolin Seeger
5cabac80fa WHATSNEW: Add release notes for Samba 4.6.14.
Signed-off-by: Karolin Seeger <kseeger@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
58c241844a CVE-2018-1057: s4:dsdb/acl: changing dBCSPwd is only allowed with a control
This is not strictly needed to fig bug 13272, but it makes sense to also
fix this while fixing the overall ACL checking logic.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
03b1513711 CVE-2018-1057: s4:dsdb: use DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID
This is used to pass information about which password change operation (change
or reset) the acl module validated, down to the password_hash module.

It's very important that both modules treat the request identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
96261a040e CVE-2018-1057: s4:dsdb/samdb: define DSDB_CONTROL_PASSWORD_ACL_VALIDATION_OID control
Will be used to pass "user password change" vs "password reset" from the
ACL to the password_hash module, ensuring both modules treat the request
identical.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
9e03a09a14 CVE-2018-1057: s4:dsdb/acl: run password checking only once
This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
43863fcae7 CVE-2018-1057: s4/dsdb: correctly detect password resets
This change ensures we correctly treat the following LDIF

  dn: cn=testuser,cn=users,...
  changetype: modify
  delete: userPassword
  add: userPassword
  userPassword: thatsAcomplPASS1

as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.

For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
0c2ef5f78d CVE-2018-1057: s4:dsdb/acl: add a NULL check for talloc_new() in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
2cce162c9e CVE-2018-1057: s4:dsdb/acl: add check for DSDB_CONTROL_PASSWORD_HASH_VALUES_OID control
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
a0e418af62 CVE-2018-1057: s4:dsdb/acl: check for internal controls before other checks
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
4a8b22c1eb CVE-2018-1057: s4:dsdb/acl: remove unused else branches in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
ed471f372c CVE-2018-1057: s4:dsdb/acl: only call dsdb_acl_debug() if we checked the acl in acl_check_password_rights()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
a976076b9e CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
4b932370bd CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for LDB_FLAG_MOD_TYPE
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Ralph Boehme
1610632613 CVE-2018-1057: s4:dsdb/tests: add a test for password change with empty delete
Note that the request using the clearTextPassword attribute for the
password change is already correctly rejected by the server.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2018-03-13 10:28:56 +01:00
Jeremy Allison
53651412c1 CVE-2018-1050: s3: RPC: spoolss server. Protect against null pointer derefs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343

Signed-off-by: Jeremy Allison <jra@samba.org>
2018-03-13 10:28:56 +01:00