On Tue Jul 7, 2026 at 7:41 AM CEST, Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote: > From: Ashishkumar Parmar <[email protected]> > > This patch applies the upstream Samba security backport for > CVE-2026-3012. The upstream security bundle is referenced in [1], > and the public CVE advisory is referenced in [2]. The individual > backported commit links are recorded in the embedded patch headers. > > [1] > https://www.samba.org/samba/ftp/patches/security/samba-4.22.9-security-2026-05-25.patch > [2] https://www.samba.org/samba/security/CVE-2026-3012.html > > Signed-off-by: Ashishkumar Parmar <[email protected]>
Hello, Wrong list, you want to send this to [email protected]. Regards, > --- > .../samba/samba/CVE-2026-3012_p1.patch | 131 ++++++++++++++++++ > .../samba/samba/CVE-2026-3012_p2.patch | 51 +++++++ > .../samba/samba_4.19.9.bb | 2 + > 3 files changed, 184 insertions(+) > create mode 100644 > meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch > create mode 100644 > meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch > > diff --git > a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch > b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch > new file mode 100644 > index 0000000000..ce54b2916f > --- /dev/null > +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch > @@ -0,0 +1,131 @@ > +From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001 > +From: Douglas Bagnall <[email protected]> > +Date: Mon, 23 Feb 2026 11:01:57 +1300 > +Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http > + > +In the case where a certificate was found via HTTP, it was trusted > +without verification and put in the global CA store. > + > +There is no means to check the certificate other than by comparing it > +to certificates we may have gathered via LDAP, but in that case there > +is no advantage over just using the LDAP-derived certificates. > + > +Using the LDAP certificates was already the fallback case if HTTP > +failed, so we just make it the default. > + > +The HTTP fetch depends on the NDES service, which is a variant of > +Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact > +Samba implements none of that protocol other than the HTTP fetch. SCEP > +is for clients that are not true domain members. Domain members can > +access to certificates over LDAP. This patch is not reducing SCEP > +client support because Samba never had it. > + > +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003 > + > +Reported-by: Arad Inbar, DREAM Security Research Team > +Reported-by: Nir Somech, DREAM Security Research Team > +Reported-by: Ben Grinberg, DREAM Security Research Team > + > +CVE: CVE-2026-3012 > +Upstream-Status: Backport > [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b] > + > +Backport Changes: > +- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to > + Samba 4.19.9 context. > +- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto > + recipe does not run upstream Samba selftest. > + > +Signed-off-by: Douglas Bagnall <[email protected]> > +Reviewed-by: Jennifer Sutton <[email protected]> > +(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b) > +Signed-off-by: Ashishkumar Parmar <[email protected]> > +--- > +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py > b/python/samba/gp/gp_cert_auto_enroll_ext.py > +index df3b472..31de4b1 100644 > +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py > ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py > +@@ -16,7 +16,6 @@ > + > + import os > + import operator > +-import requests > + from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE > + from samba import Ldb > + from ldb import SCOPE_SUBTREE, SCOPE_BASE > +@@ -200,56 +199,24 @@ def get_supported_templates(server): > + return out.strip().split() > + > + > +-def getca(ca, url, trust_dir): > +- """Fetch Certificate Chain from the CA.""" > ++def getca(ca, trust_dir): > ++ """Fetch a certificate from LDAP.""" > + root_cert = os.path.join(trust_dir, '%s.crt' % ca['name']) > + root_certs = [] > + > +- try: > +- r = requests.get(url=url, params={'operation': 'GetCACert', > +- 'message': 'CAIdentifier'}) > +- except requests.exceptions.ConnectionError: > +- log.warn('Failed to establish a new connection') > +- r = None > +- if r is None or r.content == b'' or r.headers['Content-Type'] == > 'text/html': > +- log.warn('Failed to fetch the root certificate chain.') > +- log.warn('The Network Device Enrollment Service is either not' + > +- ' installed or not configured.') > +- if 'cACertificate' in ca: > +- log.warn('Installing the server certificate only.') > +- der_certificate = base64.b64decode(ca['cACertificate']) > +- try: > +- cert = load_der_x509_certificate(der_certificate) > +- except TypeError: > +- cert = load_der_x509_certificate(der_certificate, > +- default_backend()) > +- cert_data = cert.public_bytes(Encoding.PEM) > +- with open(root_cert, 'wb') as w: > +- w.write(cert_data) > +- root_certs.append(root_cert) > +- return root_certs > +- > +- if r.headers['Content-Type'] == 'application/x-x509-ca-cert': > ++ if 'cACertificate' in ca: > ++ log.warn('Installing the server certificate only.') > ++ der_certificate = base64.b64decode(ca['cACertificate']) > + # Older versions of load_der_x509_certificate require a backend > param > + try: > +- cert = load_der_x509_certificate(r.content) > ++ cert = load_der_x509_certificate(der_certificate) > + except TypeError: > +- cert = load_der_x509_certificate(r.content, default_backend()) > ++ cert = load_der_x509_certificate(der_certificate, > ++ default_backend()) > + cert_data = cert.public_bytes(Encoding.PEM) > + with open(root_cert, 'wb') as w: > + w.write(cert_data) > + root_certs.append(root_cert) > +- elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert': > +- certs = load_der_pkcs7_certificates(r.content) > +- for i in range(0, len(certs)): > +- cert = certs[i].public_bytes(Encoding.PEM) > +- filename, extension = root_cert.rsplit('.', 1) > +- dest = '%s.%d.%s' % (filename, i, extension) > +- with open(dest, 'wb') as w: > +- w.write(cert) > +- root_certs.append(dest) > +- else: > +- log.warn('getca: Wrong (or missing) MIME content type') > + > + return root_certs > + > +@@ -273,8 +240,7 @@ def changed(new_data, old_data): > + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): > + """Install the root certificate chain.""" > + data = dict({'files': [], 'templates': []}, **ca) > +- url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % > ca['hostname'] > +- root_certs = getca(ca, url, trust_dir) > ++ root_certs = getca(ca, trust_dir) > + data['files'].extend(root_certs) > + global_trust_dir = find_global_trust_dir() > + for src in root_certs: > +-- > +2.43.0 > diff --git > a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch > b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch > new file mode 100644 > index 0000000000..e2989dc075 > --- /dev/null > +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch > @@ -0,0 +1,51 @@ > +From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001 > +From: Douglas Bagnall <[email protected]> > +Date: Thu, 26 Feb 2026 14:21:01 +1300 > +Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in > + LDAP > + > +If a certificate is mentioned in a GPO but is not present as a > +cACertificate attribute on a pKIEnrollmentService object, we have no way > +of obtaining it, so we might as well forget it. > + > +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003 > + > +CVE: CVE-2026-3012 > +Upstream-Status: Backport > [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2] > + > +Signed-off-by: Douglas Bagnall <[email protected]> > +Reviewed-by: Jennifer Sutton <[email protected]> > +(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2) > +Signed-off-by: Ashishkumar Parmar <[email protected]> > +--- > + python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++ > + 1 file changed, 10 insertions(+) > + > +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py > b/python/samba/gp/gp_cert_auto_enroll_ext.py > +index 815436e11e9c..de8b310afd95 100644 > +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py > ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py > +@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): > + # This is a basic configuration. > + cas = fetch_certification_authorities(ldb) > + for _ca in cas: > ++ if 'cACertificate' not in _ca: > ++ log.warning(f"ignoring CA '{_ca['name']}' with > no " > ++ "cACertificate in LDAP.") > ++ continue > ++ > + self.apply(guid, _ca, cert_enroll, _ca, ldb, > trust_dir, > + private_dir) > + ca_names.append(_ca['name']) > + # If EndPoint.URI starts with "HTTPS//": > + elif ca['URL'].lower().startswith('https://'): > ++ if 'cACertificate' not in ca: > ++ log.warning(f"ignoring CA '{ca['name']}' " > ++ f"({ca['URL']}) with no " > ++ "cACertificate in LDAP.") > ++ continue > + self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir, > + private_dir, auth=ca['auth']) > + ca_names.append(ca['name']) > +-- > +2.43.0 > diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb > b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb > index d50d9f5155..055e404bb9 100644 > --- a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb > +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb > @@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ > file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \ > file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \ > > file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \ > + file://CVE-2026-3012_p1.patch \ > + file://CVE-2026-3012_p2.patch \ > " > > SRC_URI:append:libc-musl = " \ -- Yoann Congal Smile ECS
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#240400): https://lists.openembedded.org/g/openembedded-core/message/240400 Mute This Topic: https://lists.openembedded.org/mt/120152508/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
