The branch, v4-15-stable has been updated
       via  c8fc01ca364 VERSION: Disable GIT_SNAPSHOT for the 4.15.9 release.
       via  ed0c58449ec WHATSNEW: Add release notes for Samba 4.15.9.
       via  a4707e4a955 CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
       via  d6aef6838a6 CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
       via  185a6d12935 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
       via  63d353e7b5e CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
       via  b7e3cb83005 CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
       via  be9945a4d8e CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
       via  22bd1bc2d73 CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
       via  b64e1b4a510 CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
       via  e21efbabccb CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
       via  faa0a83813d s4:kdc: Remove kadmin mode from HDB plugin
       via  4b0304ab670 CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
       via  959ed604ee1 CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
       via  389a5523485 CVE-2022-2031 tests/krb5: Test truncated forms of server principals
       via  c7408dd944e CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life
       via  a46d0ac59f0 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less
       via  04e452890ad CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
       via  8b9fe095b91 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal()
       via  5e7d75d8754 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function
       via  3fd067c7d63 CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function
       via  5dd0ef19919 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd
       via  981948677c8 CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache
       via  a1df5b86e96 s4:kpasswd: Restructure code for clarity
       via  298884abb35 CVE-2022-2031 s4:kpasswd: Require an initial ticket
       via  9da789c73dd CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket
       via  481a70c3746 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR
       via  38c83abffd3 CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error()
       via  b1003099c20 CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure
       via  2ee46c16d2a CVE-2022-2031 s4:kpasswd: Correctly generate error strings
       via  6fc3d93b4fe CVE-2022-2031 tests/krb5: Add tests for kpasswd service
       via  b2c3b060bae CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests
       via  e56d66f729b CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
       via  2815de0510e CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
       via  e44b70b862e tests/krb5: Add option for creating accounts with expired passwords
       via  57edd8e2e04 tests/krb5: Fix enum typo
       via  b9e880b3d9c CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
       via  3852adddff6 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
       via  39db18962f5 CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
       via  3bbb7bc57f0 CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
       via  efb69ab420f CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
       via  440aa37cc46 CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
       via  f4ea2a80d84 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
       via  e21702d20b6 CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure
       via  b0d3fd37a88 CVE-2022-2031 s4:kpasswd: Account for missing target principal
       via  6199a076350 heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer()
       via  8f4b78907bb CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers
       via  19d76f10310 selftest: Simplify krb5 test environments
       via  9a1bee7c95d tests/krb5: Add helper function to modify ticket flags
       via  3ac74c8b94d tests/krb5: Correctly determine whether tickets are service tickets
       via  d34d201773a kdc: Canonicalize realm for enterprise principals
       via  2eef0f950bc kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
       via  0426d20aeab heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
       via  612c769ab70 selftest: Properly check extra PAC buffers with Heimdal
       via  5e6c25f1ed0 heimdal:kdc: Always generate a PAC for S4U2Self
       via  992a924dfa4 tests/krb5: Add a test for S4U2Self with no authorization data required
       via  081d6b571a8 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
       via  88b71db4bb8 kdc: Don't include extra PAC buffers in service tickets
       via  81a6fa876fd Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
       via  2903a913bf3 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
       via  0368939b7d6 kdc: Always add the PAC if the header TGT is from an RODC
       via  daef3c8a360 kdc: Match Windows error code for mismatching sname
       via  99a11ec7e78 tests/krb5: Add test for S4U2Self with wrong sname
       via  1bd26a254f2 kdc: Adjust SID mismatch error code to match Windows
       via  37f9d30cbda heimdal:kdc: Adjust no-PAC error code to match Windows
       via  9b5612a88c0 s4:torture: Fix typo
       via  78a82907caa heimdal:kdc: Fix error message for user-to-user
       via  79ba192a73f tests/krb5: Add comments for tests that fail against Windows
       via  17e724b5bbf tests/krb5: Add tests for validation with requester SID PAC buffer
       via  42f09fdbdbd tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
       via  e24898c41c5 tests/krb5: Add TGS-REQ tests with FAST
       via  7197641eda7 tests/krb5: Add tests for TGS requests with a non-TGT
       via  a696ddc90a9 tests/krb5: Add tests for invalid TGTs
       via  011a468c786 tests/krb5: Remove unnecessary expect_pac arguments
       via  9d8786faa9f tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
       via  9fbb213304e tests/krb5: Split out methods to create renewable or invalid tickets
       via  b797f398711 tests/krb5: Allow PasswordKey_create() to use s2kparams
       via  083a777e3d2 tests/krb5: Run test_rpc against member server
       via  3059417db81 tests/krb5: Deduplicate AS-REQ tests
       via  bc1e71396ad tests/krb5: Remove unused variable
       via  8373345853a selftest: Check received LDB error code when STRICT_CHECKING=0
       via  f40a974045a s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization
       via  c8ef1ef980a s4:mit-kdb: Force canonicalization for looking up principals
       via  6af497232e4 CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
       via  d85bb9f5edc CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
       via  d2dbb3b6818 CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit
       via  c231d424b89 CVE-2022-32745 s4/dsdb/samldb: Check for empty values array
       via  b686ef00da4 CVE-2022-32746 ldb: Release LDB 2.4.4
       via  0446581bcce CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message
       via  a25b97d0540 CVE-2022-32746 ldb: Add functions for appending to an ldb_message
       via  3a68efe1bbb CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message
       via  1294192b821 CVE-2022-32746 ldb: Add flag to mark message element values as shared
       via  ba27d18c2e8 CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  f2b821f24e9 CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  47e2b1080e6 CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  7c4439c7b7f CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check
       via  27efd19085d CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison
       via  39371352d8f CVE-2022-32746 s4:torture: Fix LDB flags comparison
       via  6bc5e73000a CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison
       via  e2ef0f299ae CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN
       via  a258b3c0636 CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo
       via  e76643e5131 VERSION: Bump version up to Samba 4.15.9...
      from  7a04f5e4ffc VERSION: Disable GIT_SNAPSHOT for the 4.15.8 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable - Log ----------------------------------------------------------------- commit c8fc01ca36445e87c3e503026a446416d66cd1bf Author: Jule Anger <jan...@samba.org> Date: Sun Jul 24 11:47:09 2022 +0200 VERSION: Disable GIT_SNAPSHOT for the 4.15.9 release. Signed-off-by: Jule Anger <jan...@samba.org> commit ed0c58449ec3000249a826b2aaa854a0a58d70af Author: Jule Anger <jan...@samba.org> Date: Sun Jul 24 11:18:25 2022 +0200 WHATSNEW: Add release notes for Samba 4.15.9. Signed-off-by: Jule Anger <jan...@samba.org> commit a4707e4a955d01edf493cd0d7ab8b1ecb4ca7991 Author: Jeremy Allison <j...@samba.org> Date: Wed Jun 8 13:50:51 2022 -0700 CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro. Fixes the raw.write.bad-write test. NB. We need the two (==0) changes in source3/smbd/reply.c as the gcc optimizer now knows that the return from smbreq_bufrem() can never be less than zero. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 Remove knownfail. Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: David Disseldorp <dd...@samba.org> commit d6aef6838a674ab95ff9172f4ac67707667f9e00 Author: Jeremy Allison <j...@samba.org> Date: Tue Jun 7 09:40:45 2022 -0700 CVE-2022-32742: s4: torture: Add raw.write.bad-write test. Reproduces the test code in: BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085 Add knownfail. Signed-off-by: Jeremy Allison <j...@samba.org> Reviewed-by: David Disseldorp <dd...@samba.org> commit 185a6d12935f55ad996de502e416114cc1f5aba0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jun 23 13:59:11 2022 +1200 CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust We ensure that the KDC does not reject a TGS-REQ with our short-lived TGT over an incoming trust. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> commit 63d353e7b5ef235a86bf6df595951dc831108234 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Jun 10 19:18:53 2022 +1200 CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets If TGTs can be used as kpasswd tickets, the two-minute lifetime of a authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets are not supposed to be cached, but using this flaw, a stolen credentials cache containing a TGT may be used to change that account's password, and thus is made more valuable to an attacker. Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and service tickets without it, we assert the absence of this buffer to ensure we're not accepting a TGT. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed knownfail conflicts] [jsut...@samba.org Fixed knownfail conflicts] commit b7e3cb83005ef28c70dc8d64cd0a57ba80ae9f4e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Jun 10 19:18:35 2022 +1200 CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT We use the presence or absence of a REQUESTER_SID PAC buffer to determine whether the ticket is a TGT. We will later use this to reject TGTs where a service ticket is expected. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit be9945a4d8e774e8255dd9ae0ed29c9a953ce3ff Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Jun 10 19:18:07 2022 +1200 CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info This field may be used to convey whether we were provided with a TGT or a non-TGT. We ensure both structures are zeroed out to avoid incorrect results being produced by an uninitialised field. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 22bd1bc2d7308167ea316c6b48f130d378ab4c8b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Jun 10 19:17:11 2022 +1200 CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd The kpasswd service should require a kpasswd service ticket, and disallow TGTs. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed knownfail conflicts] [jsut...@samba.org Fixed knownfail conflicts] commit b64e1b4a510c81628feeb68af75afd3275ea75c3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 30 19:16:02 2022 +1200 CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx() To ensure that, when decrypting the kpasswd ticket, we look up the correct principal and don't trust the sname from the ticket, we should pass the principal name of the kpasswd service into krb5_rd_req_ctx(). However, gensec_krb5_update_internal() will pass in NULL unless the principal in our credentials is CRED_SPECIFIED. At present, our principal will be considered obtained as CRED_SMB_CONF (from the cli_credentials_set_conf() a few lines up), so we explicitly set the realm again, but this time as CRED_SPECIFIED. Now the value of server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not be NULL. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Removed knownfail as KDC no longer panics] commit e21efbabccbf9c422347e9e94b3f217186556ee7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 26 16:39:20 2022 +1200 CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal This plugin is now only used by the kpasswd service. Thus, ensuring we only look up the kadmin/changepw principal means we can't be fooled into accepting tickets for other service principals. We make sure not to specify a specific kvno, to ensure that we do not accept RODC-issued tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed knownfail conflicts] [jsut...@samba.org Renamed entry to entry_ex; fixed knownfail conflicts; retained knownfail for test_kpasswd_from_rodc which now causes the KDC to panic] commit faa0a83813d7e24016381da5a4b8c7f664d95acc Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 8 13:53:29 2022 +1200 s4:kdc: Remove kadmin mode from HDB plugin It appears we no longer require it. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 4b0304ab670a5dc3819f93633c190f722e3906d7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 26 16:36:30 2022 +1200 CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name This makes explicitly clear the purpose of this keytab. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed conflicts due to lacking HDBGET support] commit 959ed604ee1588f9a92c269a014fbf12b72fb8a4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 25 20:00:55 2022 +1200 CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components We would only compare the first 'n' characters, where 'n' is the length of the principal component string, so 'k@REALM' would erroneously be considered equal to 'krbtgt@REALM'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 389a5523485dfbd48e87b6ee9c39c6c2e16294a0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 14 15:23:55 2022 +1200 CVE-2022-2031 tests/krb5: Test truncated forms of server principals We should not be able to use krb@REALM instead of krbtgt@REALM. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed conflicts due to having older version of _run_as_req_enc_timestamp()] commit c7408dd944ee5a0de5f04079d158f4575fb9036a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 30 19:18:17 2022 +1200 CVE-2022-2031 s4:kdc: Reject tickets during the last two minutes of their life For Heimdal, this now matches the behaviour of Windows. The object of this requirement is to ensure we don't allow kpasswd tickets, not having a lifetime of more than two minutes, to be passed off as TGTs. An existing requirement for TGTs to contain a REQUESTER_SID PAC buffer suffices to prevent kpasswd ticket misuse, so this is just an additional precaution on top. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org As we don't have access to the ticket or the request in the plugin, rewrote check directly in Heimdal KDC] commit a46d0ac59f074f999217586f18ba8772a645b246 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 17:53:49 2022 +1200 CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less This matches the behaviour of Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Adapted entry to entry_ex->entry; included samba_kdc.h header file] commit 04e452890ada8390828aa4c5c87ceefe44daa50f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 18 16:56:01 2022 +1200 CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal Since this principal goes through the samba_kdc_fetch_server() path, setting the canonicalisation flag would cause the principal to be replaced with the sAMAccountName; this meant requests to kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we properly handle canonicalisation for the kadmin/changepw principal. View with 'git show -b'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Pair-Programmed-With: Andreas Schneider <a...@samba.org> Signed-off-by: Andreas Schneider <a...@samba.org> Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Adapted entry to entry_ex->entry; removed MIT KDC 1.20-specific knownfails] commit 8b9fe095b91ce62338829a6ac7012170e6af8898 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 25 17:19:58 2022 +1200 CVE-2022-2031 s4:kdc: Refactor samba_kdc_get_entry_principal() This eliminates some duplicate branches. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Pair-Programmed-With: Andreas Schneider <a...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 5e7d75d8754d157d10e3e7d730445bddd91e5b9e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 18 16:56:01 2022 +1200 CVE-2022-2031 s4:kdc: Split out a samba_kdc_get_entry_principal() function BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Adapted entry to entry_ex->entry] [jsut...@samba.org Fixed conflicts caused by superfluous whitespace] commit 3fd067c7d63e132a84bfc155769012e4261a9f07 Author: Andreas Schneider <a...@samba.org> Date: Tue May 24 09:54:18 2022 +0200 CVE-2022-2031 s4:kdc: Implement is_kadmin_changepw() helper function BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> [jsut...@samba.org Adapted entry to entry_ex->entry] commit 5dd0ef1991944a740b1d0107487d25d1acf5ebef Author: Andreas Schneider <a...@samba.org> Date: Thu May 19 16:35:28 2022 +0200 CVE-2022-2031 testprogs: Add kadmin/changepw canonicalization test with MIT kpasswd BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> commit 981948677c895e4e1d3b074f8a1a9c82fd65a80a Author: Andreas Schneider <a...@samba.org> Date: Tue May 24 10:17:00 2022 +0200 CVE-2022-2031 testprogs: Fix auth with smbclient and krb5 ccache BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz> commit a1df5b86e967dc190af5ba2ba07d8ef8b400b4b1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 18 17:11:49 2022 +1200 s4:kpasswd: Restructure code for clarity View with 'git show -b'. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 298884abb35db7b6a8c6100dfd7bb8b57b1117fd Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 18 16:52:41 2022 +1200 CVE-2022-2031 s4:kpasswd: Require an initial ticket Ensure that for password changes the client uses an AS-REQ to get the ticket to kpasswd, and not a TGS-REQ. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Removed MIT KDC 1.20-specific knownfails] commit 9da789c73dd6675789b93fc0df0dfc8b274a86c3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 18 16:06:31 2022 +1200 CVE-2022-2031 gensec_krb5: Add helper function to check if client sent an initial ticket This will be used in the kpasswd service to ensure that the client has an initial ticket to kadmin/changepw, and not a service ticket. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 481a70c37464d356f60a30c5f51ffae755c4e6f0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 18 16:49:43 2022 +1200 CVE-2022-2031 s4:kpasswd: Return a kpasswd error code in KRB-ERROR If we attempt to return an error code outside of Heimdal's allowed range [KRB5KDC_ERR_NONE, KRB5_ERR_RCSID), it will be replaced with a GENERIC error, and the error text will be set to the meaningless result of krb5_get_error_message(). Avoid this by ensuring the error code is in the correct range. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 38c83abffd325ee23649c190b8ffb3d27a2bdb68 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri May 27 19:29:34 2022 +1200 CVE-2022-2031 lib:krb5_wrap: Generate valid error codes in smb_krb5_mk_error() The error code passed in will be an offset from ERROR_TABLE_BASE_krb5, so we need to subtract that before creating the error. Heimdal does this internally, so it isn't needed there. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit b1003099c202d05b7d3f570fe313039aebdec3f9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed May 18 16:48:59 2022 +1200 CVE-2022-2031 s4:kpasswd: Don't return AP-REP on failure BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Removed MIT KDC 1.20-specific knownfails] commit 2ee46c16d2aa706b686b50ccb66a2a3ad9852c50 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri May 27 19:21:06 2022 +1200 CVE-2022-2031 s4:kpasswd: Correctly generate error strings The error_data we create already has an explicit length, and should not be zero-terminated, so we omit the trailing null byte. Previously, Heimdal builds would leave a superfluous trailing null byte on error strings, while MIT builds would omit the final character. The two bytes added to the string's length are for the prepended error code. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Removed MIT KDC 1.20-specific knownfails] commit 6fc3d93b4fe81be8e8f134c46d461d5815edda91 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:59:16 2022 +1200 CVE-2022-2031 tests/krb5: Add tests for kpasswd service BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed conflicts in usage.py and knownfails; removed MIT KDC 1.20-specific knownfails as it's not supported] [jsut...@samba.org Fixed conflicts in usage.py, knownfails, and tests.py] commit b2c3b060baedf638d7b8ee7f3b2bc1c7f9b695ac Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 26 16:35:03 2022 +1200 CVE-2022-32744 selftest: Specify Administrator kvno for Python krb5 tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit e56d66f729ba1713e59b2fb938cc09e69831ac0e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:57:57 2022 +1200 CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method Now we can test the kpasswd service from Python. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed conflicts in imports] commit 2815de0510e222bc93f5b602b2cdd5c51f8adeb4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:34:59 2022 +1200 CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed conflict due to lacking rc4_support parameter] [jsut...@samba.org Fixed conflicts due to lacking client_name_type and expected_cname parameters] commit e44b70b862e93fb9a8139a7188ed7021d705d223 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:30:12 2022 +1200 tests/krb5: Add option for creating accounts with expired passwords Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 57edd8e2e043bd226c91ab0791297c1d98549ff1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:26:56 2022 +1200 tests/krb5: Fix enum typo 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit b9e880b3d9cf5666947cae60adc0846385b04f54 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:20:28 2022 +1200 CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages This allows us to send and receive kpasswd messages, while avoiding the existing logic for encoding and decoding other Kerberos message types. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 3852adddff6df4d9f6f4cc1add11b06c272d29ef Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:21:37 2022 +1200 CVE-2022-2031 tests/krb5: Add 'port' parameter to connect() This allows us to use the kpasswd port, 464. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 39db18962f5368957293cf678e4e7249a8b81ca8 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:17:45 2022 +1200 CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 3bbb7bc57f0de9dfe8fa979b7e122cafc4f9c139 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:13:54 2022 +1200 CVE-2022-2031 tests/krb5: Add new definitions for kpasswd BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit efb69ab420f2c5a3074fff6192fbc9a1cd387870 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue May 24 19:06:53 2022 +1200 CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 440aa37cc462ac9a230636e6758152c3a520fed4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 26 20:52:04 2022 +1200 CVE-2022-2031 tests/krb5: Split out _make_tgs_request() This allows us to make use of it in other tests. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [jsut...@samba.org Fixed conflicts due to having older version of _make_tgs_request()] commit f4ea2a80d8440c4c7261229bd9285bce97226094 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu May 26 16:34:01 2022 +1200 CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno The environment variable is a string, but we expect an integer. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit e21702d20b6d4507708791c5a6a674b8bdadaab0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 30 19:17:41 2022 +1200 CVE-2022-2031 s4:kpasswd: Add MIT fallback for decoding setpw structure The target principal and realm fields of the setpw structure are supposed to be optional, but in MIT Kerberos they are mandatory. For better compatibility and ease of testing, fall back to parsing the simpler (containing only the new password) structure if the MIT function fails to decode it. Although the target principal and realm fields should be optional, one is not supposed to specified without the other, so we don't have to deal with the case where only one is specified. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit b0d3fd37a8884cf18f9c2bffc416035747d49977 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri May 27 19:17:02 2022 +1200 CVE-2022-2031 s4:kpasswd: Account for missing target principal This field is supposed to be optional. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> commit 6199a0763507ae96aad8d6b6dff50245d505404d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jun 16 10:33:29 2022 +1200 heimdal:kdc: Accommodate NULL data parameter in krb5_pac_get_buffer() 
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 8f4b78907bbfe915988d52724c66dae0e2eefa9b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 15 19:37:39 2022 +1200

    CVE-2022-2031 s4:kdc: Add MIT support for ATTRIBUTES_INFO and REQUESTER_SID PAC buffers

    So that we do not confuse TGTs and kpasswd tickets, it is critical to
    check that the REQUESTER_SID buffer exists in TGTs, and to ensure that
    it is not propagated to service tickets.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

    [jsut...@samba.org Brought in changes to add ATTRIBUTES_INFO and
     REQUESTER_SID buffers to new PACs, and updated knownfails]

commit 19d76f103100f1a915486eb0bad2264dd203e71e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 4 16:57:27 2022 +1300

    selftest: Simplify krb5 test environments

    It's not necessary to repeat the required environment variables for
    every test.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    (cherry picked from commit e729606631b5bfaf7c4ad8c1e70697adf8274777)

    [jsut...@samba.org Fixed conflicts caused by missing check_cname,
     check_padata and fast_support variables]

commit 9a1bee7c95d04577ce129f86c0b23f4f73cd9aae
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Feb 8 12:15:36 2022 +1300

    tests/krb5: Add helper function to modify ticket flags
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit ded5115f73dff5b8b2f3212988e03f9dbe0c2aa3)

commit 3ac74c8b94d6c2d109ee07712f55be01190a6816
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 14 19:16:00 2021 +1300

    tests/krb5: Correctly determine whether tickets are service tickets

    Previously we expected tickets to contain a ticket checksum if the
    sname was not the krbtgt. However, the ticket checksum should not be
    present if we are performing an AS-REQ to our own account. Now we
    determine a ticket is a service ticket only if the request is also a
    TGS-REQ.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 100be7eb8e70ba270a8e92957a5e47466160a901)

commit d34d201773ae9c05e424a5c5d568c94483f1be69
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 7 13:15:38 2021 +1300

    kdc: Canonicalize realm for enterprise principals

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Dec 7 04:54:35 UTC 2021 on sn-devel-184

    (cherry picked from commit 8bd7b316bd61ef35f6e0baa0b65f0ef00910112c)

commit 2eef0f950bc8c2ed2309798a75d88823a81eefff
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:41:54 2021 +1300

    kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184

    (cherry picked from commit 38c5bad4a853b19fe9a51fb059e150b153c4632a)

commit 0426d20aeabba4dbd76bffbadd97a5c8afe2091e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 19:38:35 2021 +1300

    heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket

    Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
    when generating a service ticket for S4U2Self, we want to avoid adding
    the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 9bd26804852d957f81cb311e5142f9190f9afa65)

commit 612c769ab7061906f2089e7af15c3745be610201
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 09:29:42 2021 +1300

    selftest: Properly check extra PAC buffers with Heimdal

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ee4aa21c487fa80082a548b2e4f115a791e30340)

commit 5e6c25f1ed08045f5341e425621e32a75e84ff27
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 17:30:50 2021 +1300

    heimdal:kdc: Always generate a PAC for S4U2Self

    If we decided not to put a PAC into the ticket, mspac would be NULL
    here, and the resulting ticket would not contain a PAC. This could
    happen if there was a request to omit the PAC or the service did not
    require authorization data. Ensure that we always generate a PAC.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1)

commit 992a924dfa401daa630931c5dbec2fe9537c7ea9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 12:46:40 2021 +1300

    tests/krb5: Add a test for S4U2Self with no authorization data required

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3)

commit 081d6b571a81266b39b0efb70c1de492e3d60ae0
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 10:53:49 2021 +1300

    kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets

    Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
    presented with an RODC-issued TGT. By removing this PAC buffer from
    RODC-issued tickets, we ensure that an RODC-issued ticket will still
    result in a PAC if it is first renewed or validated by the main DC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 4b60e9516497c2e7f1545fe50887d0336b9893f2)

commit 88b71db4bb8315c6d53c820bfc7b680bf04114a9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:42:22 2021 +1300

    kdc: Don't include extra PAC buffers in service tickets

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef)

commit 81a6fa876fd48af9998ee209d96e3cde1511e9f5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 13:24:57 2021 +1300

    Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"

    This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.

    We should not be generating these additional PAC buffers for service
    tickets, only for TGTs.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit e61983c7f2c4daade83b237efb990d0c0645b3a3)

commit 2903a913bf3ca96b9dd3f636b05530adc6e7994f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 10:32:44 2021 +1300

    tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 73a48063469205099f02efdf3b8f0f1040dc7a3d)

commit 0368939b7d60c08aa8f84dbb53a88d5c9ec96058
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 20:15:41 2021 +1300

    kdc: Always add the PAC if the header TGT is from an RODC

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8)

commit daef3c8a3607575e077c2eff55a06867201d6f2b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 20:00:07 2021 +1300

    kdc: Match Windows error code for mismatching sname

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b6a25f5f016aef39c3b1d7be8b3ecfe021c03c83)

commit 99a11ec7e78aa8bc477de18253f068f3a0c84c19
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 10:05:17 2021 +1300

    tests/krb5: Add test for S4U2Self with wrong sname

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit bac5f75059450898937be891e863826e1350b62c)

commit 1bd26a254f2b7861852142e256c6d3bf7f718857
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:41:45 2021 +1300

    kdc: Adjust SID mismatch error code to match Windows
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d5d22bf84a71492342287e54b555c9f024e7e71c)

commit 37f9d30cbdaeb082382304d5cd6442ffcdca331e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:41:34 2021 +1300

    heimdal:kdc: Adjust no-PAC error code to match Windows

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a)

commit 9b5612a88c0a56b0a08595d21c87d1dff00e495a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 18 16:22:34 2021 +1300

    s4:torture: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 9cfb88ba04818b5e9cec3c96422e8e4a3080d490)

commit 78a82907caa55f9e6118fc2f7aa01509257fa166
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 18 13:14:51 2021 +1300

    heimdal:kdc: Fix error message for user-to-user

    We were checking the wrong variable to see whether a PAC was found or
    not.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 11fb9476ad3c09415d12b3cdf7934c293cbefcb2)

commit 79ba192a73f601a86a59ef16aaf47c649790a980
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 15:32:32 2021 +1300

    tests/krb5: Add comments for tests that fail against Windows

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 749349efab9b401d33a4fc286473a924364a41c9)

commit 17e724b5bbfcaa96f2d4f4d9be790a0f7effe877
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 13:10:52 2021 +1300

    tests/krb5: Add tests for validation with requester SID PAC buffer
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ca80c47406e0f2b6fac2c55229306e21ccef9745)

commit 42f09fdbdbdc1c2a6fc6c29e8df9c54c345c8fbf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:37:08 2021 +1300

    tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2

    We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies
    that these checks are currently not enforced, which avoids a lot of
    test failures.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1)

commit e24898c41c572dc8ec1374e67a4e029207b21ee2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:09:18 2021 +1300

    tests/krb5: Add TGS-REQ tests with FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ec823c2a83c639f1d7c422153a53d366750e5f2a)

commit 7197641eda7ba738cfcce40d43314588c6474251
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:10:45 2021 +1300

    tests/krb5: Add tests for TGS requests with a non-TGT

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d)

commit a696ddc90a9f31997478620807c7a4991fc851ab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 30 09:26:40 2021 +1300

    tests/krb5: Add tests for invalid TGTs
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 7574ba9f580fca552b80532a49d00e657fbdf4fd)

commit 011a468c786bac72ce8ad40544ffa7798fa38a97
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:04:36 2021 +1300

    tests/krb5: Remove unnecessary expect_pac arguments

    The value of expect_pac is not considered if we are expecting an error.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 28d501875a98fa2817262eb8ec68bf91528428c2)

commit 9d8786faa9fa6ca1182ec2b382882361a588f54d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:52:31 2021 +1300

    tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d95705172bcf6fe24817800a4c0009e9cc8be595)

commit 9fbb213304ecebac5b7620b8f183a5baddeb287d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:40:35 2021 +1300

    tests/krb5: Split out methods to create renewable or invalid tickets

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit e930274aa43810d6485c3c8a7c82958ecb409630)

commit b797f39871100c8d33900af72608d2dc6ec9f435
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:37:35 2021 +1300

    tests/krb5: Allow PasswordKey_create() to use s2kparams
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit a560c2e9ad8abb824d1805c86c656943745f81eb)

commit 083a777e3d2b18d2e59ee4e04a4387c8db7ec185
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 16:02:00 2021 +1300

    tests/krb5: Run test_rpc against member server

    We were instead always running against the DC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579)

commit 3059417db81edb174da640eb78d4dd6dab5f3120
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:34:11 2021 +1300

    tests/krb5: Deduplicate AS-REQ tests

    salt_tests was running the tests defined in the base class as well as
    its own tests.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5)

commit bc1e71396ad41c37f5fa2101cb5e5e44dc221364
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:53:18 2021 +1300

    tests/krb5: Remove unused variable

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf)

commit 8373345853a59265a9e6d2a826983aa8a4b7a4ea
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:30:38 2021 +1300

    selftest: Check received LDB error code when STRICT_CHECKING=0

    We were instead only checking the expected error.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit ad4d6fb01fd8083e68f07c427af8932574810cdc)

commit f40a974045a34c40f378dd9d96a4d401c3bb9a72
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Dec 21 12:17:11 2021 +0100

    s4:kdc: Also canonicalize krbtgt principals when enforcing canonicalization

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit f1ec950aeb47283a504018bafa21f54c3282e70c)

commit c8ef1ef980a1281ec7edd1788dad9e22889d995a
Author: Isaac Boukris <ibouk...@gmail.com>
Date:   Sat Sep 19 14:16:20 2020 +0200

    s4:mit-kdb: Force canonicalization for looking up principals

    See also https://github.com/krb5/krb5/commit/ac8865a22138ab0c657208c41be8fd6bc7968148

    Pair-Programmed-With: Andreas Schneider <a...@samba.org>

    Signed-off-by: Isaac Boukris <ibouk...@gmail.com>
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Alexander Bokovoy <a...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Mon Nov 29 09:32:26 UTC 2021 on sn-devel-184

    (cherry picked from commit 90febd2a33b88af49af595fe0e995d6ba0f33a1b)

commit 6af497232e4ed24c33a29b77825fa854a73b5427
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 3 16:16:31 2022 +1200

    CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element

    To use memcpy(), we need to specify the number of bytes to copy, rather
    than the number of ldb_val structures.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit d85bb9f5edc08ce2042be366c720dd027788f5bd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Feb 17 11:13:38 2022 +1300

    CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer

    Doing so is undefined behaviour.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit d2dbb3b6818d429b12d54e68510286d033d4abd7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Feb 17 11:11:53 2022 +1300

    CVE-2022-32745 s4/dsdb/util: Use correct value for loop count limit

    Currently, we can crash the server by sending a large number of values
    of a specific attribute (such as sAMAccountName) spread across a few
    message elements. If val_count is larger than the total number of
    elements, we get an access beyond the elements array.

    Similarly, we can include unrelated message elements prior to the
    message elements of the attribute in question, so that not all of the
    attribute's values are copied into the returned elements values array.
    This can cause the server to access uninitialised data, likely
    resulting in a crash or unexpected behaviour.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit c231d424b89ba718262ed376431a982baaeef33f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Feb 16 17:03:10 2022 +1300

    CVE-2022-32745 s4/dsdb/samldb: Check for empty values array

    This avoids potentially trying to access the first element of an empty
    array.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit b686ef00da46d4a0c0aba0c61b1866cbc9b462b6
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Jun 14 15:43:26 2022 +1200

    CVE-2022-32746 ldb: Release LDB 2.4.4

    * CVE-2022-32746 Use-after-free occurring in database audit logging
      module (bug 15009)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    Signed-off-by: Andrew Bartlett <abart...@samba.org>

commit 0446581bcce7c2d7f5ec22d8510a6e2069463d39
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 21 16:27:37 2022 +1300

    CVE-2022-32746 ldb: Make use of functions for appending to an ldb_message

    This aims to minimise usage of the error-prone pattern of searching for
    a just-added message element in order to make modifications to it (and
    potentially finding the wrong element).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit a25b97d0540fdb5a4a75fd85807d8963f14b607d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Feb 16 16:30:03 2022 +1300

    CVE-2022-32746 ldb: Add functions for appending to an ldb_message

    Currently, there are many places where we use ldb_msg_add_empty() to
    add an empty element to a message, and then call ldb_msg_add_value() or
    similar to add values to that element. However, this performs an
    unnecessary search of the message's elements to locate the new element.
    Moreover, if an element with the same attribute name already exists
    earlier in the message, the values will be added to that element,
    instead of to the intended newly added element.

    A similar pattern exists where we add values to a message, and then
    call ldb_msg_find_element() to locate that message element and set its
    flags to (e.g.) LDB_FLAG_MOD_REPLACE. This also performs an unnecessary
    search, and may locate the wrong message element for setting the flags.

    To avoid these problems, add functions for appending a value to a
    message, so that a particular value can be added to the end of a
    message in a single operation.

    For ADD requests, it is important that no two message elements share
    the same attribute name, otherwise things will break. (Normally,
    ldb_msg_normalize() is called before processing the request to help
    ensure this.) Thus, we must be careful not to append an attribute to an
    ADD message, unless we are sure (e.g. through ldb_msg_find_element())
    that an existing element for that attribute is not present.

    These functions will be used in the next commit.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 3a68efe1bbba4923f02b89a7f675398fbd73265e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Feb 16 12:35:13 2022 +1300

    CVE-2022-32746 ldb: Ensure shallow copy modifications do not affect original message

    Using the newly added ldb flag, we can now detect when a message has
    been shallow-copied so that its elements share their values with the
    original message elements. Then when adding values to the copied
    message, we now make a copy of the shared values array first.

    This should prevent a use-after-free that occurred in LDB modules when
    new values were added to a shallow copy of a message by calling
    talloc_realloc() on the original values array, invalidating the
    'values' pointer in the original message element. The original values
    pointer can later be used in the database audit logging module which
    logs database requests, and potentially cause a crash.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 1294192b821d2d3af444b750baa75924042f1162
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 21 16:10:32 2022 +1300

    CVE-2022-32746 ldb: Add flag to mark message element values as shared

    When making a shallow copy of an ldb message, mark the message elements
    of the copy as sharing their values with the message elements in the
    original message. This flag value will be heeded in the next commit.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit ba27d18c2e8e1d0cf1828bb6d072489e5c6c9159
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 14 21:12:39 2022 +1200

    CVE-2022-32746 s4/registry: Use LDB_FLAG_MOD_TYPE() for flags equality check

    Now unrelated flags will no longer affect the result.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit f2b821f24e9b144c2cb1a9ec85f3bf1fdd2c2a8e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 14 21:11:33 2022 +1200

    CVE-2022-32746 s4/dsdb/tombstone_reanimate: Use LDB_FLAG_MOD_TYPE() for flags equality check

    Now unrelated flags will no longer affect the result.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 47e2b1080e603b36b5d54a3e00f005983e6911e2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 14 19:49:19 2022 +1200

    CVE-2022-32746 s4/dsdb/repl_meta_data: Use LDB_FLAG_MOD_TYPE() for flags equality check

    Now unrelated flags will no longer affect the result.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 7c4439c7b7ff4caa7152f810ec9e83732fa70c3c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Feb 16 12:43:52 2022 +1300

    CVE-2022-32746 ldb:rdn_name: Use LDB_FLAG_MOD_TYPE() for flags equality check

    Now unrelated flags will no longer affect the result.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 27efd19085d01e1e3702afb5dfd82eaf72c13bf9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 21 15:22:47 2022 +1200

    CVE-2022-32746 s4/dsdb/acl: Fix LDB flags comparison

    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to

        (el->flags & LDB_FLAG_MOD_MASK) == 0

    which is only true if none of the LDB_FLAG_MOD_* values are set, so we
    would not successfully return if the element was a DELETE.

    Correct the expression to what it was intended to be.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 39371352d8fc1d3ab0dd2baeacebd9ce48b4ef02
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 21 14:49:51 2022 +1200

    CVE-2022-32746 s4:torture: Fix LDB flags comparison

    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to

        (el->flags & LDB_FLAG_MOD_MASK) == 0

    which is only true if none of the LDB_FLAG_MOD_* values are set.

    Correct the expression to what it was probably intended to be.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit 6bc5e73000a639bab3c3d6789bdf879d5395bf9c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 21 14:41:02 2022 +1200

    CVE-2022-32746 s4/dsdb/partition: Fix LDB flags comparison

    LDB_FLAG_MOD_* values are not actually flags, and the previous
    comparison was equivalent to

        (req_msg->elements[el_idx].flags & LDB_FLAG_MOD_MASK) != 0

    which is true whenever any of the LDB_FLAG_MOD_* values are set.

    Correct the expression to what it was probably intended to be.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit e2ef0f299aed8c0f9660f1d7912472d23e81fee8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 21 15:37:15 2022 +1200

    CVE-2022-32746 s4:dsdb:tests: Add test for deleting a disallowed SPN

    If an account has an SPN that requires Write Property to set, we should
    still be able to delete it with just Validated Write.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

commit a258b3c0636b208de699b1e693d86f5ee9985cfd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 14 21:09:53 2022 +1200

    CVE-2022-32746 s4/dsdb/objectclass_attrs: Fix typo

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15009
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>

-----------------------------------------------------------------------

Summary of changes:
 VERSION | 2 +-
 WHATSNEW.txt | 74 +-
 auth/auth_sam_reply.c | 2 +-
 auth/auth_util.c | 2 +-
 lib/krb5_wrap/krb5_samba.c | 2 +-
 lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.4.sigs} | 8 +
 ...pyldb-util-2.1.0.sigs => pyldb-util-2.4.4.sigs} | 0
 lib/ldb/common/ldb_msg.c | 260 ++++-
 lib/ldb/include/ldb.h | 30 +
 lib/ldb/include/ldb_module.h | 6 +
 lib/ldb/ldb_map/ldb_map.c | 5 +-
 lib/ldb/ldb_map/ldb_map_inbound.c | 9 +-
 lib/ldb/modules/rdn_name.c | 24 +-
 lib/ldb/wscript | 2 +-
 librpc/idl/auth.idl | 23 +
 python/samba/tests/krb5/alias_tests.py | 7 +-
 python/samba/tests/krb5/as_req_tests.py | 199 ++--
 python/samba/tests/krb5/compatability_tests.py | 10 +-
 python/samba/tests/krb5/kdc_base_test.py | 129 ++-
 python/samba/tests/krb5/kdc_tgs_tests.py | 795 +++++++++++----
 python/samba/tests/krb5/kpasswd_tests.py | 1049 ++++++++++++++++++++
 .../krb5/ms_kile_client_principal_lookup_tests.py | 39 +-
 python/samba/tests/krb5/raw_testcase.py | 491 +++++++--
 python/samba/tests/krb5/rfc4120.asn1 | 6 +
 python/samba/tests/krb5/rfc4120_constants.py | 14 +
 python/samba/tests/krb5/rfc4120_pyasn1.py | 13 +-
 python/samba/tests/krb5/rodc_tests.py | 4 +-
 python/samba/tests/krb5/s4u_tests.py | 140 ++-
 python/samba/tests/krb5/salt_tests.py | 4 +-
 python/samba/tests/krb5/test_rpc.py | 17 +-
 python/samba/tests/usage.py | 1 +
 selftest/knownfail.d/kdc-enterprise | 63 --
 selftest/knownfail_heimdal_kdc | 20 +-
 selftest/knownfail_mit_kdc | 100 +-
 source3/include/smb_macros.h | 2 +-
 source3/passdb/pdb_samba_dsdb.c | 14 +-
 source3/smbd/reply.c | 4 +-
 source4/auth/gensec/gensec_krb5.c | 20 +-
 source4/auth/gensec/gensec_krb5_helpers.c | 72 ++
 .../auth/gensec/gensec_krb5_helpers.h | 25 +-
 .../auth/gensec/gensec_krb5_internal.h | 37 +-
 source4/auth/gensec/wscript_build | 4 +
 source4/auth/kerberos/kerberos_pac.c | 44 +
 source4/auth/ntlm/auth_developer.c | 2 +-
 source4/auth/sam.c | 2 +-
 source4/auth/session.c | 2 +
 source4/auth/system_session.c | 6 +-
 source4/dns_server/dnsserver_common.c | 12 +-
 source4/dsdb/common/util.c | 134 ++-
 source4/dsdb/samdb/ldb_modules/acl.c | 5 +-
 source4/dsdb/samdb/ldb_modules/descriptor.c | 10 +-
 source4/dsdb/samdb/ldb_modules/objectclass_attrs.c | 2 +-
 source4/dsdb/samdb/ldb_modules/objectguid.c | 20 +-
 source4/dsdb/samdb/ldb_modules/partition.c | 4 +-
 source4/dsdb/samdb/ldb_modules/partition_init.c | 14 +-
 source4/dsdb/samdb/ldb_modules/repl_meta_data.c | 32 +-
 source4/dsdb/samdb/ldb_modules/samldb.c | 82 +-
 .../dsdb/samdb/ldb_modules/tombstone_reanimate.c | 16 +-
 source4/dsdb/samdb/ldb_modules/util.c | 14 +-
 source4/dsdb/tests/python/acl.py | 26 +
 source4/dsdb/tests/python/priv_attrs.py | 2 +-
 source4/heimdal/kdc/kerberos5.c | 2 +-
 source4/heimdal/kdc/krb5tgs.c | 37 +-
 source4/heimdal/kdc/windc.c | 5 +-
 source4/heimdal/kdc/windc_plugin.h | 2 +
 source4/heimdal/lib/hdb/hdb.h | 1 +
 source4/heimdal/lib/krb5/pac.c | 10 +-
 source4/kdc/db-glue.c | 241 +++--
 source4/kdc/hdb-samba4-plugin.c | 37 +-
 source4/kdc/hdb-samba4.c | 66 ++
 source4/kdc/kdc-glue.h | 3 +
 source4/kdc/kdc-heimdal.c | 4 +-
 source4/kdc/kdc-server.h | 2 +-
 source4/kdc/kdc-service-mit.c | 4 +-
 source4/kdc/kpasswd-helper.c | 33 +-
 source4/kdc/kpasswd-helper.h | 2 +
 source4/kdc/kpasswd-service-heimdal.c | 76 +-
 source4/kdc/kpasswd-service-mit.c | 146 ++-
 source4/kdc/kpasswd-service.c | 36 +-
 source4/kdc/mit-kdb/kdb_samba_policies.c | 5 +-
 source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +-
 source4/kdc/mit_samba.c | 101 +-
 source4/kdc/mit_samba.h | 1 +
 source4/kdc/pac-glue.c | 6 +-
 source4/kdc/samba_kdc.h | 2 +
 source4/kdc/sdb.h | 1 +
 source4/kdc/wdc-samba4.c | 48 +-
 source4/kdc/wscript_build | 1 +
 source4/lib/registry/ldb.c | 2 +-
 source4/nbt_server/wins/winsdb.c | 13 +-
 source4/rpc_server/lsa/dcesrv_lsa.c | 55 +-
 source4/selftest/tests.py | 178 +---
 source4/torture/drs/rpc/dssync.c | 4 +-
 source4/torture/krb5/kdc-canon-heimdal.c | 2 +-
 source4/torture/raw/write.c | 89 ++
 source4/torture/rpc/remote_pac.c | 24 +-
 source4/winbind/idmap.c | 10 +-
 testprogs/blackbox/test_kinit_trusts_heimdal.sh | 6 +-
 testprogs/blackbox/test_kpasswd_heimdal.sh | 39 +-
 99 files changed, 4180 insertions(+), 1273 deletions(-)
 copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.4.4.sigs} (96%)
 copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.4.4.sigs} (100%)
 create mode 100755 python/samba/tests/krb5/kpasswd_tests.py
 delete mode 100644 selftest/knownfail.d/kdc-enterprise
 create mode 100644 source4/auth/gensec/gensec_krb5_helpers.c
 copy source3/include/srvstr.h => source4/auth/gensec/gensec_krb5_helpers.h (65%)
 copy libcli/smbreadline/smbreadline.h => source4/auth/gensec/gensec_krb5_internal.h (51%)

Changeset truncated at 500 lines:

diff --git a/VERSION b/VERSION index 727996cc49b..fdfc7634929 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=15 -SAMBA_VERSION_RELEASE=8 +SAMBA_VERSION_RELEASE=9 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4061131cd79..c663534b63e 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,74 @@ + ============================== + Release Notes for Samba 4.15.9 + July 27, 2022 + ============================== + + +This is a security release in order to address the following defects: + +o CVE-2022-2031: Samba AD users can bypass certain restrictions associated with + changing passwords. + https://www.samba.org/samba/security/CVE-2022-2031.html + +o CVE-2022-32744: Samba AD users can forge password change requests for any user. + https://www.samba.org/samba/security/CVE-2022-32744.html + +o CVE-2022-32745: Samba AD users can crash the server process with an LDAP add + or modify request. + https://www.samba.org/samba/security/CVE-2022-32745.html + +o CVE-2022-32746: Samba AD users can induce a use-after-free in the server + process with an LDAP add or modify request. + https://www.samba.org/samba/security/CVE-2022-32746.html + +o CVE-2022-32742: Server memory information leak via SMB1. + https://www.samba.org/samba/security/CVE-2022-32742.html + +Changes since 4.15.8 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15085: CVE-2022-32742. + +o Andrew Bartlett <abart...@samba.org> + * BUG 15009: CVE-2022-32746. + +o Isaac Boukris <ibouk...@gmail.com> + * BUG 15047: CVE-2022-2031. + +o Andreas Schneider <a...@samba.org> + * BUG 15047: CVE-2022-2031. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15008: CVE-2022-32745. + * BUG 15009: CVE-2022-32746. + * BUG 15047: CVE-2022-2031. + * BUG 15074: CVE-2022-32744. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. 
All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.15.8 June 28, 2022 @@ -74,8 +145,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.15.7 April 26, 2022 diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index b5b6362dc93..2e27e5715d1 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -416,7 +416,7 @@ NTSTATUS make_user_info_dc_netlogon_validation(TALLOC_CTX *mem_ctx, return NT_STATUS_INVALID_LEVEL; } - user_info_dc = talloc(mem_ctx, struct auth_user_info_dc); + user_info_dc = talloc_zero(mem_ctx, struct auth_user_info_dc); NT_STATUS_HAVE_NO_MEMORY(user_info_dc); /* diff --git a/auth/auth_util.c b/auth/auth_util.c index fe01babd107..ec9094d0f15 100644 --- a/auth/auth_util.c +++ b/auth/auth_util.c @@ -44,7 +44,7 @@ struct auth_session_info *copy_session_info(TALLOC_CTX *mem_ctx, return NULL; } - dst = talloc(mem_ctx, struct auth_session_info); + dst = talloc_zero(mem_ctx, struct auth_session_info); if (dst == NULL) { DBG_ERR("talloc failed\n"); TALLOC_FREE(frame); diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c index 76c2dcd2126..610efcc9b87 100644 --- a/lib/krb5_wrap/krb5_samba.c +++ b/lib/krb5_wrap/krb5_samba.c 
@@ -237,7 +237,7 @@ krb5_error_code smb_krb5_mk_error(krb5_context context, return code; } - errpkt.error = error_code; + errpkt.error = error_code - ERROR_TABLE_BASE_krb5; errpkt.text.length = 0; if (e_text != NULL) { diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.4.4.sigs similarity index 96% copy from lib/ldb/ABI/ldb-2.0.5.sigs copy to lib/ldb/ABI/ldb-2.4.4.sigs index 5049dc64ce1..40388d9e330 100644 --- a/lib/ldb/ABI/ldb-2.0.5.sigs +++ b/lib/ldb/ABI/ldb-2.4.4.sigs @@ -155,7 +155,14 @@ ldb_msg_add_linearized_dn: int (struct ldb_message *, const char *, struct ldb_d ldb_msg_add_steal_string: int (struct ldb_message *, const char *, char *) ldb_msg_add_steal_value: int (struct ldb_message *, const char *, struct ldb_val *) ldb_msg_add_string: int (struct ldb_message *, const char *, const char *) +ldb_msg_add_string_flags: int (struct ldb_message *, const char *, const char *, int) ldb_msg_add_value: int (struct ldb_message *, const char *, const struct ldb_val *, struct ldb_message_element **) +ldb_msg_append_fmt: int (struct ldb_message *, int, const char *, const char *, ...) +ldb_msg_append_linearized_dn: int (struct ldb_message *, const char *, struct ldb_dn *, int) +ldb_msg_append_steal_string: int (struct ldb_message *, const char *, char *, int) +ldb_msg_append_steal_value: int (struct ldb_message *, const char *, struct ldb_val *, int) +ldb_msg_append_string: int (struct ldb_message *, const char *, const char *, int) +ldb_msg_append_value: int (struct ldb_message *, const char *, const struct ldb_val *, int) ldb_msg_canonicalize: struct ldb_message *(struct ldb_context *, const struct ldb_message *) ldb_msg_check_string_attribute: int (const struct ldb_message *, const char *, const char *) ldb_msg_copy: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) 
@@ -163,6 +170,7 @@ ldb_msg_copy_attr: int (struct ldb_message *, const char *, const char *) ldb_msg_copy_shallow: struct ldb_message *(TALLOC_CTX *, const struct ldb_message *) ldb_msg_diff: struct ldb_message *(struct ldb_context *, struct ldb_message *, struct ldb_message *) ldb_msg_difference: int (struct ldb_context *, TALLOC_CTX *, struct ldb_message *, struct ldb_message *, struct ldb_message **) +ldb_msg_element_add_value: int (TALLOC_CTX *, struct ldb_message_element *, const struct ldb_val *) ldb_msg_element_compare: int (struct ldb_message_element *, struct ldb_message_element *) ldb_msg_element_compare_name: int (struct ldb_message_element *, struct ldb_message_element *) ldb_msg_element_equal_ordered: bool (const struct ldb_message_element *, const struct ldb_message_element *) diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.4.4.sigs similarity index 100% copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs copy to lib/ldb/ABI/pyldb-util-2.4.4.sigs diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index 57dfc5a04c2..9cd7998e21c 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c 
@@ -417,6 +417,47 @@ int ldb_msg_add(struct ldb_message *msg, return LDB_SUCCESS; } +/* + * add a value to a message element + */ +int ldb_msg_element_add_value(TALLOC_CTX *mem_ctx, + struct ldb_message_element *el, + const struct ldb_val *val) +{ + struct ldb_val *vals; + + if (el->flags & LDB_FLAG_INTERNAL_SHARED_VALUES) { + /* + * Another message is using this message element's values array, + * so we don't want to make any modifications to the original + * message, or potentially invalidate its own values by calling + * talloc_realloc(). Make a copy instead. + */ + el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES; + + vals = talloc_array(mem_ctx, struct ldb_val, + el->num_values + 1); + if (vals == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + if (el->values != NULL) { + memcpy(vals, el->values, el->num_values * sizeof(struct ldb_val)); + } + } else { + vals = talloc_realloc(mem_ctx, el->values, struct ldb_val, + el->num_values + 1); + if (vals == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + } + el->values = vals; + el->values[el->num_values] = *val; + el->num_values++; + + return LDB_SUCCESS; +} + /* add a value to a message */ @@ -426,7 +467,6 @@ int ldb_msg_add_value(struct ldb_message *msg, struct ldb_message_element **return_el) { struct ldb_message_element *el; - struct ldb_val *vals; int ret; el = ldb_msg_find_element(msg, attr_name); @@ -437,14 +477,10 @@ int ldb_msg_add_value(struct ldb_message *msg, } } - vals = talloc_realloc(msg->elements, el->values, struct ldb_val, - el->num_values+1); - if (!vals) { - return LDB_ERR_OPERATIONS_ERROR; + ret = ldb_msg_element_add_value(msg->elements, el, val); + if (ret != LDB_SUCCESS) { + return ret; } - el->values = vals; - el->values[el->num_values] = *val; - el->num_values++; if (return_el) { *return_el = el; 
@@ -473,12 +509,15 @@ int ldb_msg_add_steal_value(struct ldb_message *msg, /* - add a string element to a message + add a string element to a message, specifying flags */ -int ldb_msg_add_string(struct ldb_message *msg, - const char *attr_name, const char *str) +int ldb_msg_add_string_flags(struct ldb_message *msg, + const char *attr_name, const char *str, + int flags) { struct ldb_val val; + int ret; + struct ldb_message_element *el = NULL; val.data = discard_const_p(uint8_t, str); val.length = strlen(str); @@ -488,7 +527,25 @@ int ldb_msg_add_string(struct ldb_message *msg, return LDB_SUCCESS; } - return ldb_msg_add_value(msg, attr_name, &val, NULL); + ret = ldb_msg_add_value(msg, attr_name, &val, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + + if (flags != 0) { + el->flags = flags; + } + + return LDB_SUCCESS; +} + +/* + add a string element to a message +*/ +int ldb_msg_add_string(struct ldb_message *msg, + const char *attr_name, const char *str) +{ + return ldb_msg_add_string_flags(msg, attr_name, str, 0); } /* 
@@ -550,6 +607,142 @@ int ldb_msg_add_fmt(struct ldb_message *msg, return ldb_msg_add_steal_value(msg, attr_name, &val); } +static int ldb_msg_append_value_impl(struct ldb_message *msg, + const char *attr_name, + const struct ldb_val *val, + int flags, + struct ldb_message_element **return_el) +{ + struct ldb_message_element *el = NULL; + int ret; + + ret = ldb_msg_add_empty(msg, attr_name, flags, &el); + if (ret != LDB_SUCCESS) { + return ret; + } + + ret = ldb_msg_element_add_value(msg->elements, el, val); + if (ret != LDB_SUCCESS) { + return ret; + } + + if (return_el != NULL) { + *return_el = el; + } + + return LDB_SUCCESS; +} + +/* + append a value to a message +*/ +int ldb_msg_append_value(struct ldb_message *msg, + const char *attr_name, + const struct ldb_val *val, + int flags) +{ + return ldb_msg_append_value_impl(msg, attr_name, val, flags, NULL); +} + +/* + append a value to a message, stealing it into the 'right' place +*/ +int ldb_msg_append_steal_value(struct ldb_message *msg, + const char *attr_name, + struct ldb_val *val, + int flags) +{ + int ret; + struct ldb_message_element *el = NULL; + + ret = ldb_msg_append_value_impl(msg, attr_name, val, flags, &el); + if (ret == LDB_SUCCESS) { + talloc_steal(el->values, val->data); + } + return ret; +} + +/* + append a string element to a message, stealing it into the 'right' place +*/ +int ldb_msg_append_steal_string(struct ldb_message *msg, + const char *attr_name, char *str, + int flags) +{ + struct ldb_val val; + + val.data = (uint8_t *)str; + val.length = strlen(str); + + if (val.length == 0) { + /* allow empty strings as non-existent attributes */ + return LDB_SUCCESS; + } + + return ldb_msg_append_steal_value(msg, attr_name, &val, flags); +} + +/* + append a string element to a message +*/ +int ldb_msg_append_string(struct ldb_message *msg, + const char *attr_name, const char *str, int flags) +{ + struct ldb_val val; + + val.data = discard_const_p(uint8_t, str); + val.length = strlen(str); + + if 
(val.length == 0) { + /* allow empty strings as non-existent attributes */ + return LDB_SUCCESS; + } + + return ldb_msg_append_value(msg, attr_name, &val, flags); +} + +/* + append a DN element to a message + WARNING: this uses the linearized string from the dn, and does not + copy the string. +*/ +int ldb_msg_append_linearized_dn(struct ldb_message *msg, const char *attr_name, + struct ldb_dn *dn, int flags) +{ + char *str = ldb_dn_alloc_linearized(msg, dn); + + if (str == NULL) { + /* we don't want to have unknown DNs added */ + return LDB_ERR_OPERATIONS_ERROR; + } + + return ldb_msg_append_steal_string(msg, attr_name, str, flags); +} + +/* + append a printf formatted element to a message +*/ +int ldb_msg_append_fmt(struct ldb_message *msg, int flags, + const char *attr_name, const char *fmt, ...) +{ + struct ldb_val val; + va_list ap; + char *str = NULL; + + va_start(ap, fmt); + str = talloc_vasprintf(msg, fmt, ap); + va_end(ap); + + if (str == NULL) { + return LDB_ERR_OPERATIONS_ERROR; + } + + val.data = (uint8_t *)str; + val.length = strlen(str); + + return ldb_msg_append_steal_value(msg, attr_name, &val, flags); +} + /* compare two ldb_message_element structures assumes case sensitive comparison @@ -833,11 +1026,7 @@ void ldb_msg_sort_elements(struct ldb_message *msg) ldb_msg_element_compare_name); } -/* - shallow copy a message - copying only the elements array so that the caller - can safely add new elements without changing the message -*/ -struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, +static struct ldb_message *ldb_msg_copy_shallow_impl(TALLOC_CTX *mem_ctx, const struct ldb_message *msg) { struct ldb_message *msg2; 
@@ -863,6 +1052,35 @@ failed: return NULL; } +/* + shallow copy a message - copying only the elements array so that the caller + can safely add new elements without changing the message +*/ +struct ldb_message *ldb_msg_copy_shallow(TALLOC_CTX *mem_ctx, + const struct ldb_message *msg) +{ + struct ldb_message *msg2; + unsigned int i; + + msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); + if (msg2 == NULL) { + return NULL; + } + + for (i = 0; i < msg2->num_elements; ++i) { + /* + * Mark this message's elements as sharing their values with the + * original message, so that we don't inadvertently modify or + * free them. We don't mark the original message element as + * shared, so the original message element should not be + * modified or freed while the shallow copy lives. + */ + struct ldb_message_element *el = &msg2->elements[i]; + el->flags |= LDB_FLAG_INTERNAL_SHARED_VALUES; + } + + return msg2; +} /* copy a message, allocating new memory for all parts @@ -873,7 +1091,7 @@ struct ldb_message *ldb_msg_copy(TALLOC_CTX *mem_ctx, struct ldb_message *msg2; unsigned int i, j; - msg2 = ldb_msg_copy_shallow(mem_ctx, msg); + msg2 = ldb_msg_copy_shallow_impl(mem_ctx, msg); if (msg2 == NULL) return NULL; if (msg2->dn != NULL) { -- Samba Shared Repository
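Review bot: the talloc() to talloc_zero() change in make_user_info_dc_netlogon_validation (auth/auth_sam_reply.c) deserves a comment saying which members of struct auth_user_info_dc are intentionally left zero, because this hunk shows none of the assignments that follow and a future reader cannot tell whether a field was forgotten or is meant to default to 0. Zeroing is the right direction regardless: any member added to the struct later is otherwise uninitialised heap memory.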
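Review bot: in copy_session_info (auth/auth_util.c) the same talloc() to talloc_zero() switch only matters if some member of struct auth_session_info is not copied from the source below the hunk; if so, name that member in a comment next to the allocation, and if every member is copied, say in the commit message that the change is defensive so nobody reverts it as redundant.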
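Review bot: `errpkt.error = error_code - ERROR_TABLE_BASE_krb5;` in smb_krb5_mk_error (lib/krb5_wrap/krb5_samba.c) assumes error_code is always a com_err code from the krb5 table, but nothing in the hunk checks that; a caller passing an errno, a code from another error table, or a value already in protocol form would produce a negative or out-of-range number that is then encoded into the KRB-ERROR error-code field. Consider rejecting codes outside the krb5 table's range before the subtraction, and state in the function's header comment that the parameter is a krb5_error_code rather than a protocol error number.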
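Review bot: lib/ldb/ABI/ldb-2.4.4.sigs adds eight exported symbols (ldb_msg_add_string_flags, ldb_msg_element_add_value and the six ldb_msg_append_* functions), which is a public ABI extension; confirm that the ldb library version in the build script is bumped to 2.4.4 in the same changeset and that each new function is declared in the public header with a doc comment, otherwise the .sigs file and the installed library disagree.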
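Review bot: in ldb_msg_element_add_value (lib/ldb/common/ldb_msg.c) the LDB_FLAG_INTERNAL_SHARED_VALUES bit is cleared before the talloc_array() that replaces the shared array; if that allocation fails, the function returns LDB_ERR_OPERATIONS_ERROR with el->flags cleared but el->values still pointing at the other message's array, so a later ldb_msg_add_value() on the same element takes the talloc_realloc() path and resizes memory the original message owns. Move `el->flags &= ~LDB_FLAG_INTERNAL_SHARED_VALUES;` after the NULL check, next to `el->values = vals;`, so the flag only changes once the element really has its own array.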
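Review bot: `el->flags = flags;` in ldb_msg_add_string_flags overwrites rather than ORs, and because ldb_msg_add_value() reuses an element found by ldb_msg_find_element() when attr_name is already present, a non-zero flags argument silently replaces whatever flags that element already carried. If that is intended, the header comment should say so; otherwise `el->flags |= flags;`, or applying flags only when the element was newly created, is the safer behaviour.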
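Review bot: ldb_msg_append_fmt takes flags as its second parameter while every other ldb_msg_append_* function in this hunk takes it last; the variadic signature forces this, but the header comment should call the difference out explicitly, since a caller copying the pattern of ldb_msg_append_string(msg, attr_name, str, flags) will swap attr_name and flags.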
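Review bot: ldb_msg_copy_shallow now sets LDB_FLAG_INTERNAL_SHARED_VALUES on every element of the copy, and el->flags is a public field, so any caller that compares element flags for equality (for example `el->flags == LDB_FLAG_MOD_REPLACE`) instead of masking with LDB_FLAG_MOD_MASK will stop matching on shallow copies; worth grepping the modules for such comparisons before merging. The switch in ldb_msg_copy() to ldb_msg_copy_shallow_impl() is right, since that function goes on to allocate new memory for all parts and the copy therefore shares nothing with the original.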