From: Ashishkumar Parmar <[email protected]> This patch applies the upstream Samba security backport for CVE-2026-3012. The upstream security bundle is referenced in [1], and the public CVE advisory is referenced in [2]. The individual backported commit links are recorded in the embedded patch headers.
[1] https://www.samba.org/samba/ftp/patches/security/samba-4.22.9-security-2026-05-25.patch [2] https://www.samba.org/samba/security/CVE-2026-3012.html Signed-off-by: Ashishkumar Parmar <[email protected]> --- .../samba/samba/CVE-2026-3012_p1.patch | 131 ++++++++++++++++++ .../samba/samba/CVE-2026-3012_p2.patch | 51 +++++++ .../samba/samba_4.19.9.bb | 2 + 3 files changed, 184 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch new file mode 100644 index 0000000000..ce54b2916f --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch @@ -0,0 +1,131 @@ +From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall <[email protected]> +Date: Mon, 23 Feb 2026 11:01:57 +1300 +Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http + +In the case where a certificate was found via HTTP, it was trusted +without verification and put in the global CA store. + +There is no means to check the certificate other than by comparing it +to certificates we may have gathered via LDAP, but in that case there +is no advantage over just using the LDAP-derived certificates. + +Using the LDAP certificates was already the fallback case if HTTP +failed, so we just make it the default. + +The HTTP fetch depends on the NDES service, which is a variant of +Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact +Samba implements none of that protocol other than the HTTP fetch. SCEP +is for clients that are not true domain members. Domain members can +access to certificates over LDAP. This patch is not reducing SCEP +client support because Samba never had it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003 + +Reported-by: Arad Inbar, DREAM Security Research Team +Reported-by: Nir Somech, DREAM Security Research Team +Reported-by: Ben Grinberg, DREAM Security Research Team + +CVE: CVE-2026-3012 +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b] + +Backport Changes: +- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to + Samba 4.19.9 context. +- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto + recipe does not run upstream Samba selftest. + +Signed-off-by: Douglas Bagnall <[email protected]> +Reviewed-by: Jennifer Sutton <[email protected]> +(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b) +Signed-off-by: Ashishkumar Parmar <[email protected]> +--- +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index df3b472..31de4b1 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -16,7 +16,6 @@ + + import os + import operator +-import requests + from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE + from samba import Ldb + from ldb import SCOPE_SUBTREE, SCOPE_BASE +@@ -200,56 +199,24 @@ def get_supported_templates(server): + return out.strip().split() + + +-def getca(ca, url, trust_dir): +- """Fetch Certificate Chain from the CA.""" ++def getca(ca, trust_dir): ++ """Fetch a certificate from LDAP.""" + root_cert = os.path.join(trust_dir, '%s.crt' % ca['name']) + root_certs = [] + +- try: +- r = requests.get(url=url, params={'operation': 'GetCACert', +- 'message': 'CAIdentifier'}) +- except requests.exceptions.ConnectionError: +- log.warn('Failed to establish a new connection') +- r = None +- if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html': +- log.warn('Failed to fetch the root certificate chain.') +- log.warn('The Network Device Enrollment Service is either not' + +- ' installed or not configured.') +- if 'cACertificate' in ca: +- log.warn('Installing the server certificate only.') +- der_certificate = base64.b64decode(ca['cACertificate']) +- try: +- cert = load_der_x509_certificate(der_certificate) +- except TypeError: +- cert = load_der_x509_certificate(der_certificate, +- default_backend()) +- cert_data = cert.public_bytes(Encoding.PEM) +- with open(root_cert, 'wb') as w: +- w.write(cert_data) +- root_certs.append(root_cert) +- return root_certs +- +- if r.headers['Content-Type'] == 'application/x-x509-ca-cert': ++ if 'cACertificate' in ca: ++ log.warn('Installing the server certificate only.') ++ der_certificate = base64.b64decode(ca['cACertificate']) + # Older versions of load_der_x509_certificate require a backend param + try: +- cert = load_der_x509_certificate(r.content) ++ cert = load_der_x509_certificate(der_certificate) + except TypeError: +- cert = load_der_x509_certificate(r.content, default_backend()) ++ cert = load_der_x509_certificate(der_certificate, ++ default_backend()) + cert_data = cert.public_bytes(Encoding.PEM) + with open(root_cert, 'wb') as w: + w.write(cert_data) + root_certs.append(root_cert) +- elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert': +- certs = load_der_pkcs7_certificates(r.content) +- for i in range(0, len(certs)): +- cert = certs[i].public_bytes(Encoding.PEM) +- filename, extension = root_cert.rsplit('.', 1) +- dest = '%s.%d.%s' % (filename, i, extension) +- with open(dest, 'wb') as w: +- w.write(cert) +- root_certs.append(dest) +- else: +- log.warn('getca: Wrong (or missing) MIME content type') + + return root_certs + +@@ -273,8 +240,7 @@ def changed(new_data, old_data): + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'): + """Install the root certificate chain.""" + data = dict({'files': [], 'templates': []}, **ca) +- url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname'] +- root_certs = getca(ca, url, trust_dir) ++ root_certs = getca(ca, trust_dir) + data['files'].extend(root_certs) + global_trust_dir = find_global_trust_dir() + for src in root_certs: +-- +2.43.0 diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch new file mode 100644 index 0000000000..e2989dc075 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch @@ -0,0 +1,51 @@ +From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001 +From: Douglas Bagnall <[email protected]> +Date: Thu, 26 Feb 2026 14:21:01 +1300 +Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in + LDAP + +If a certificate is mentioned in a GPO but is not present as a +cACertificate attribute on a pKIEnrollmentService object, we have no way +of obtaining it, so we might as well forget it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003 + +CVE: CVE-2026-3012 +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2] + +Signed-off-by: Douglas Bagnall <[email protected]> +Reviewed-by: Jennifer Sutton <[email protected]> +(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2) +Signed-off-by: Ashishkumar Parmar <[email protected]> +--- + python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py +index 815436e11e9c..de8b310afd95 100644 +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py +@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier): + # This is a basic configuration. + cas = fetch_certification_authorities(ldb) + for _ca in cas: ++ if 'cACertificate' not in _ca: ++ log.warning(f"ignoring CA '{_ca['name']}' with no " ++ "cACertificate in LDAP.") ++ continue ++ + self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir, + private_dir) + ca_names.append(_ca['name']) + # If EndPoint.URI starts with "HTTPS//": + elif ca['URL'].lower().startswith('https://'): ++ if 'cACertificate' not in ca: ++ log.warning(f"ignoring CA '{ca['name']}' " ++ f"({ca['URL']}) with no " ++ "cACertificate in LDAP.") ++ continue + self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir, + private_dir, auth=ca['auth']) + ca_names.append(ca['name']) +-- +2.43.0 diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb index d50d9f5155..055e404bb9 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb @@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \ file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \ file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \ file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \ + file://CVE-2026-3012_p1.patch \ + file://CVE-2026-3012_p2.patch \ " SRC_URI:append:libc-musl = " \ -- 2.35.6
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#128070): https://lists.openembedded.org/g/openembedded-devel/message/128070 Mute This Topic: https://lists.openembedded.org/mt/120170173/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
