On Tue Jul 7, 2026 at 7:41 AM CEST, Ashishkumar Parmar X (asparmar - E 
INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Ashishkumar Parmar <[email protected]>
>
> This patch applies the upstream Samba security backport for
> CVE-2026-3012. The upstream security bundle is referenced in [1],
> and the public CVE advisory is referenced in [2]. The individual
> backported commit links are recorded in the embedded patch headers.
>
> [1] 
> https://www.samba.org/samba/ftp/patches/security/samba-4.22.9-security-2026-05-25.patch
> [2] https://www.samba.org/samba/security/CVE-2026-3012.html
>
> Signed-off-by: Ashishkumar Parmar <[email protected]>

Hello,

Wrong list, you want to send this to [email protected].

Regards,

> ---
>  .../samba/samba/CVE-2026-3012_p1.patch        | 131 ++++++++++++++++++
>  .../samba/samba/CVE-2026-3012_p2.patch        |  51 +++++++
>  .../samba/samba_4.19.9.bb                     |   2 +
>  3 files changed, 184 insertions(+)
>  create mode 100644 
> meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
>  create mode 100644 
> meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
>
> diff --git 
> a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch 
> b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> new file mode 100644
> index 0000000000..ce54b2916f
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> @@ -0,0 +1,131 @@
> +From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <[email protected]>
> +Date: Mon, 23 Feb 2026 11:01:57 +1300
> +Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http
> +
> +In the case where a certificate was found via HTTP, it was trusted
> +without verification and put in the global CA store.
> +
> +There is no means to check the certificate other than by comparing it
> +to certificates we may have gathered via LDAP, but in that case there
> +is no advantage over just using the LDAP-derived certificates.
> +
> +Using the LDAP certificates was already the fallback case if HTTP
> +failed, so we just make it the default.
> +
> +The HTTP fetch depends on the NDES service, which is a variant of
> +Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
> +Samba implements none of that protocol other than the HTTP fetch. SCEP
> +is for clients that are not true domain members. Domain members can
> +access to certificates over LDAP. This patch is not reducing SCEP
> +client support because Samba never had it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +Reported-by: Arad Inbar, DREAM Security Research Team
> +Reported-by: Nir Somech, DREAM Security Research Team
> +Reported-by: Ben Grinberg, DREAM Security Research Team
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport 
> [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b]
> +
> +Backport Changes:
> +- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to
> +  Samba 4.19.9 context.
> +- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto
> +  recipe does not run upstream Samba selftest.
> +
> +Signed-off-by: Douglas Bagnall <[email protected]>
> +Reviewed-by: Jennifer Sutton <[email protected]>
> +(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b)
> +Signed-off-by: Ashishkumar Parmar <[email protected]>
> +---
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py 
> b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index df3b472..31de4b1 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -16,7 +16,6 @@
> +
> + import os
> + import operator
> +-import requests
> + from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
> + from samba import Ldb
> + from ldb import SCOPE_SUBTREE, SCOPE_BASE
> +@@ -200,56 +199,24 @@ def get_supported_templates(server):
> +     return out.strip().split()
> +
> +
> +-def getca(ca, url, trust_dir):
> +-    """Fetch Certificate Chain from the CA."""
> ++def getca(ca, trust_dir):
> ++    """Fetch a certificate from LDAP."""
> +     root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
> +     root_certs = []
> +
> +-    try:
> +-        r = requests.get(url=url, params={'operation': 'GetCACert',
> +-                                          'message': 'CAIdentifier'})
> +-    except requests.exceptions.ConnectionError:
> +-        log.warn('Failed to establish a new connection')
> +-        r = None
> +-    if r is None or r.content == b'' or r.headers['Content-Type'] == 
> 'text/html':
> +-        log.warn('Failed to fetch the root certificate chain.')
> +-        log.warn('The Network Device Enrollment Service is either not' +
> +-                 ' installed or not configured.')
> +-        if 'cACertificate' in ca:
> +-            log.warn('Installing the server certificate only.')
> +-            der_certificate = base64.b64decode(ca['cACertificate'])
> +-            try:
> +-                cert = load_der_x509_certificate(der_certificate)
> +-            except TypeError:
> +-                cert = load_der_x509_certificate(der_certificate,
> +-                                                 default_backend())
> +-            cert_data = cert.public_bytes(Encoding.PEM)
> +-            with open(root_cert, 'wb') as w:
> +-                w.write(cert_data)
> +-            root_certs.append(root_cert)
> +-        return root_certs
> +-
> +-    if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
> ++    if 'cACertificate' in ca:
> ++        log.warn('Installing the server certificate only.')
> ++        der_certificate = base64.b64decode(ca['cACertificate'])
> +         # Older versions of load_der_x509_certificate require a backend 
> param
> +         try:
> +-            cert = load_der_x509_certificate(r.content)
> ++            cert = load_der_x509_certificate(der_certificate)
> +         except TypeError:
> +-            cert = load_der_x509_certificate(r.content, default_backend())
> ++            cert = load_der_x509_certificate(der_certificate,
> ++                                             default_backend())
> +         cert_data = cert.public_bytes(Encoding.PEM)
> +         with open(root_cert, 'wb') as w:
> +             w.write(cert_data)
> +         root_certs.append(root_cert)
> +-    elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert':
> +-        certs = load_der_pkcs7_certificates(r.content)
> +-        for i in range(0, len(certs)):
> +-            cert = certs[i].public_bytes(Encoding.PEM)
> +-            filename, extension = root_cert.rsplit('.', 1)
> +-            dest = '%s.%d.%s' % (filename, i, extension)
> +-            with open(dest, 'wb') as w:
> +-                w.write(cert)
> +-            root_certs.append(dest)
> +-    else:
> +-        log.warn('getca: Wrong (or missing) MIME content type')
> +
> +     return root_certs
> +
> +@@ -273,8 +240,7 @@ def changed(new_data, old_data):
> + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
> +     """Install the root certificate chain."""
> +     data = dict({'files': [], 'templates': []}, **ca)
> +-    url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % 
> ca['hostname']
> +-    root_certs = getca(ca, url, trust_dir)
> ++    root_certs = getca(ca, trust_dir)
> +     data['files'].extend(root_certs)
> +     global_trust_dir = find_global_trust_dir()
> +     for src in root_certs:
> +--
> +2.43.0
> diff --git 
> a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch 
> b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> new file mode 100644
> index 0000000000..e2989dc075
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> @@ -0,0 +1,51 @@
> +From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <[email protected]>
> +Date: Thu, 26 Feb 2026 14:21:01 +1300
> +Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in
> + LDAP
> +
> +If a certificate is mentioned in a GPO but is not present as a
> +cACertificate attribute on a pKIEnrollmentService object, we have no way
> +of obtaining it, so we might as well forget it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport 
> [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2]
> +
> +Signed-off-by: Douglas Bagnall <[email protected]>
> +Reviewed-by: Jennifer Sutton <[email protected]>
> +(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2)
> +Signed-off-by: Ashishkumar Parmar <[email protected]>
> +---
> + python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++
> + 1 file changed, 10 insertions(+)
> +
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py 
> b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index 815436e11e9c..de8b310afd95 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
> +                     # This is a basic configuration.
> +                     cas = fetch_certification_authorities(ldb)
> +                     for _ca in cas:
> ++                        if 'cACertificate' not in _ca:
> ++                            log.warning(f"ignoring CA '{_ca['name']}' with 
> no "
> ++                                        "cACertificate in LDAP.")
> ++                            continue
> ++
> +                         self.apply(guid, _ca, cert_enroll, _ca, ldb, 
> trust_dir,
> +                                    private_dir)
> +                         ca_names.append(_ca['name'])
> +                 # If EndPoint.URI starts with "HTTPS//":
> +                 elif ca['URL'].lower().startswith('https://'):
> ++                    if 'cACertificate' not in ca:
> ++                        log.warning(f"ignoring CA '{ca['name']}' "
> ++                                    f"({ca['URL']}) with no "
> ++                                    "cACertificate in LDAP.")
> ++                        continue
> +                     self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
> +                                private_dir, auth=ca['auth'])
> +                     ca_names.append(ca['name'])
> +--
> +2.43.0
> diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb 
> b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> index d50d9f5155..055e404bb9 100644
> --- a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> @@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
>             file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \
>             file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \
>             
> file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \
> +           file://CVE-2026-3012_p1.patch \
> +           file://CVE-2026-3012_p2.patch \
>             "
>  
>  SRC_URI:append:libc-musl = " \


-- 
Yoann Congal
Smile ECS

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#240400): 
https://lists.openembedded.org/g/openembedded-core/message/240400
Mute This Topic: https://lists.openembedded.org/mt/120152508/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

  • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org
    • ... Yoann Congal via lists.openembedded.org

Reply via email to