The Samba-Bugzilla – Attachment 14451 Details for
Bug 13571
[SECURITY] CVE-2018-16853 S4U2Self crash with MIT KDC build
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for master
bso13571.patch01.txt (text/plain), 6.24 KB, created by
Andreas Schneider
on 2018-08-28 12:38:30 UTC
(
hide
)
Description:
patch for master
Filename:
MIME Type:
Creator:
Andreas Schneider
Created:
2018-08-28 12:38:30 UTC
Size:
6.24 KB
patch
obsolete
>From 7fd0fcb28d9e69893f92038d66cb73cb719f6e5c Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 18 Aug 2018 15:32:43 +0300 >Subject: [PATCH 1/4] mit-kdc: Fix kinit test on system lacking ldbsearch > >By fixing bindir variable name. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >--- > testprogs/blackbox/test_kinit_mit.sh | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > >diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh >index dabf9915ed1..370542536e1 100755 >--- a/testprogs/blackbox/test_kinit_mit.sh >+++ b/testprogs/blackbox/test_kinit_mit.sh >@@ -32,13 +32,13 @@ samba_enableaccount="$samba_tool user enable" > machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache" > > ldbmodify="ldbmodify" >-if [ -x "$samba4bindir/ldbmodify" ]; then >- ldbmodify="$samba4bindir/ldbmodify" >+if [ -x "$samba_bindir/ldbmodify" ]; then >+ ldbmodify="$samba_bindir/ldbmodify" > fi > > ldbsearch="ldbsearch" >-if [ -x "$samba4bindir/ldbsearch" ]; then >- ldbsearch="$samba4bindir/ldbsearch" >+if [ -x "$samba_bindir/ldbsearch" ]; then >+ ldbsearch="$samba_bindir/ldbsearch" > fi > > . `dirname $0`/subunit.sh >-- >2.18.0 > > >From 09ee329432b343391ed198966e55d9f4caf656bb Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 18 Aug 2018 00:40:30 +0300 >Subject: [PATCH 2/4] mit-kdc: The ticket in check_policy_as can actually be a > TGS > >This happens when we are called from S4U2Self flow, and in that case >kdcreq->client is NULL. Use the name from client entry instead. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >--- > source4/kdc/mit-kdb/kdb_samba_policies.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index de5813bde2f..81ac73582e0 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -81,6 +81,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, > char *netbios_name = NULL; > char *realm = NULL; > bool password_change = false; >+ krb5_const_principal client_princ; > DATA_BLOB int_data = { NULL, 0 }; > krb5_data d; > krb5_pa_data **e_data; >@@ -90,7 +91,10 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, > return KRB5_KDB_DBNOTINITED; > } > >- if (ks_is_kadmin(context, kdcreq->client)) { >+ /* Prefer canonicalised name from client entry */ >+ client_princ = client ? client->princ : kdcreq->client; >+ >+ if (client_princ == NULL || ks_is_kadmin(context, client_princ)) { > return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; > } > >@@ -111,7 +115,7 @@ krb5_error_code kdb_samba_db_check_policy_as(krb5_context context, > goto done; > } > >- code = krb5_unparse_name(context, kdcreq->client, &client_name); >+ code = krb5_unparse_name(context, client_princ, &client_name); > if (code) { > goto done; > } >-- >2.18.0 > > >From acf8bb263ce3d65f51a5ad065574778cf3abeac7 Mon Sep 17 00:00:00 2001 >From: Isaac Boukris <iboukris@gmail.com> >Date: Sat, 18 Aug 2018 16:01:59 +0300 >Subject: [PATCH 3/4] mit-kdc: Add a test to verify s4u2self doesn't crash > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Isaac Boukris <iboukris@gmail.com> >--- > testprogs/blackbox/test_kinit_mit.sh | 12 ++++++++++++ > 1 file changed, 12 insertions(+) > >diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh >index 370542536e1..f691b0f15d7 100755 >--- a/testprogs/blackbox/test_kinit_mit.sh >+++ b/testprogs/blackbox/test_kinit_mit.sh >@@ -24,6 +24,7 @@ samba_srcdir="$SRCDIR/source4" > samba_kinit=kinit > samba_kdestroy=kdestroy > samba_kpasswd=kpasswd >+samba_kvno=kvno > > samba_tool="$samba_bindir/samba-tool" > samba_texpect="$samba_bindir/texpect" >@@ -299,6 +300,17 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes || > > testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1` > >+########################################################### >+### Test basic s4u2self request >+########################################################### >+ >+# Use previous acquired machine creds to request a ticket for self. >+# We expect it to fail for now. >+MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM" >+$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT >+# But we expect the KDC to be up and running still >+testit "kinit with machineaccountccache after s4u2self" $machineaccountccache $CONFIGURATION $KRB5CCNAME || failed=`expr $failed + 1` >+ > ### Cleanup > > $samba_kdestroy >-- >2.18.0 > > >From dcc22f047a9bed15ac93aa446721915d378a73fa Mon Sep 17 00:00:00 2001 >From: Andreas Schneider <asn@samba.org> >Date: Wed, 28 Sep 2016 07:22:32 +0200 >Subject: [PATCH 4/4] mit-kdc: Do not segfault if client is not set > >This can be triggered with FAST but we don't support this yet. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13571 > >Signed-off-by: Andreas Schneider <asn@samba.org> >--- > source4/kdc/mit-kdb/kdb_samba_policies.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) > >diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c >index 81ac73582e0..fc80329f221 100644 >--- a/source4/kdc/mit-kdb/kdb_samba_policies.c >+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c >@@ -461,6 +461,14 @@ void kdb_samba_db_audit_as_req(krb5_context context, > krb5_timestamp authtime, > krb5_error_code error_code) > { >+ /* >+ * FIXME: This segfaulted with a FAST test >+ * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0 >+ */ >+ if (client == NULL) { >+ return; >+ } >+ > samba_bad_password_count(client, error_code); > > /* TODO: perform proper audit logging for addresses */ >@@ -473,6 +481,14 @@ void kdb_samba_db_audit_as_req(krb5_context context, > krb5_timestamp authtime, > krb5_error_code error_code) > { >+ /* >+ * FIXME: This segfaulted with a FAST test >+ * FIND_FAST: <unknown client> for <unknown server>, Unknown FAST armor type 0 >+ */ >+ if (client == NULL) { >+ return; >+ } >+ > samba_bad_password_count(client, error_code); > } > #endif >-- >2.18.0 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=14451">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Actions:
View
Attachments on
bug 13571
:
14431
|
14432
|
14451
|
14626
|
14676
|
14677
|
14678
|
14679