The Samba-Bugzilla – Attachment 15230 Details for
Bug 13951
CVE-2019-12436 [SECURITY] paged_searches crash on LDAP and [homes] access
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for Samba 4.10 (v3)
CVE-2019-12436-4.10-03.patch (text/plain), 4.81 KB, created by
Andrew Bartlett
on 2019-06-08 14:25:37 UTC
(
hide
)
Description:
patch for Samba 4.10 (v3)
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2019-06-08 14:25:37 UTC
Size:
4.81 KB
patch
obsolete
>From e56bd62c64a4785cac919ecbf0773a23761a9b0b Mon Sep 17 00:00:00 2001 >From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Date: Fri, 17 May 2019 14:42:24 +1200 >Subject: [PATCH] CVE-2019-12436 dsdb/paged_results: ignore successful results > without messages > >So that we don't dereference result->msgs[0] when it doesn't exist. >This can happen when the object has changed in such a way that it no >longer matches the original search query. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=13951 > >Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >--- > .../dsdb/samdb/ldb_modules/paged_results.c | 3 +- > source4/dsdb/tests/python/vlv.py | 50 ++++++++++++++++++- > 2 files changed, 51 insertions(+), 2 deletions(-) > >diff --git a/source4/dsdb/samdb/ldb_modules/paged_results.c b/source4/dsdb/samdb/ldb_modules/paged_results.c >index 78ad44f6601..5cad398ab61 100644 >--- a/source4/dsdb/samdb/ldb_modules/paged_results.c >+++ b/source4/dsdb/samdb/ldb_modules/paged_results.c >@@ -266,7 +266,8 @@ static int paged_results(struct paged_context *ac) > ret = paged_search_by_dn_guid(ac->module, ac, &result, guid, > ac->req->op.search.attrs, > ac->store->expr); >- if (ret == LDAP_NO_SUCH_OBJECT /* TODO or no result */) { >+ if (ret == LDAP_NO_SUCH_OBJECT || >+ (ret == LDB_SUCCESS && result->count == 0)) { > /* The thing isn't there TODO, which we quietly > ignore and go on to send an extra one > instead. */ >diff --git a/source4/dsdb/tests/python/vlv.py b/source4/dsdb/tests/python/vlv.py >index 8550a38e287..bc07a53d575 100644 >--- a/source4/dsdb/tests/python/vlv.py >+++ b/source4/dsdb/tests/python/vlv.py >@@ -105,6 +105,7 @@ class TestsWithUserOU(samba.tests.TestCase): > 'givenName': "abcdefghijklmnopqrstuvwxyz"[i % 26], > "roomNumber": "%sbc" % (n - i), > "carLicense": "åæ¥ç»", >+ "facsimileTelephoneNumber": name, > "employeeNumber": "%s%sx" % (abs(i * (99 - i)), '\n' * (i & 255)), > "accountExpires": "%s" % (10 ** 9 + 1000000 * i), > "msTSExpireDate4": "19%02d0101010000.0Z" % (i % 100), >@@ -1334,7 +1335,7 @@ class PagedResultsTests(TestsWithUserOU): > > self.assertEqual(results, expected_results) > >- def test_paged_modify_during_search(self): >+ def test_paged_rename_during_search(self): > expr = "(objectClass=*)" > > # Start new search >@@ -1421,6 +1422,53 @@ class PagedResultsTests(TestsWithUserOU): > > self.assertEqual(results, expected_results) > >+ def test_paged_modify_one_during_search(self): >+ prefix = "change_during_search_" >+ num_users = 5 >+ users = [self.create_user(i, num_users, prefix=prefix) >+ for i in range(num_users)] >+ expr = "(&(objectClass=user)(facsimileTelephoneNumber=%s*))" % (prefix) >+ >+ # Get the first page, then change the searched attribute and >+ # try for the second page. >+ results, cookie = self.paged_search(expr, page_size=1) >+ self.assertEqual(len(results), 1) >+ unwalked_users = [u for u in users if u['cn'] != results[0]] >+ self.assertEqual(len(unwalked_users), num_users-1) >+ >+ mod_dn = unwalked_users[0]['dn'] >+ self.ldb.modify_ldif("dn: %s\n" >+ "changetype: modify\n" >+ "replace: facsimileTelephoneNumber\n" >+ "facsimileTelephoneNumber: 123" % mod_dn) >+ >+ results, _ = self.paged_search(expr, cookie=cookie, >+ page_size=len(self.users)) >+ expected_cns = {u['cn'] for u in unwalked_users if u['dn'] != mod_dn} >+ self.assertEqual(set(results), expected_cns) >+ >+ def test_paged_modify_all_during_search(self): >+ prefix = "change_during_search_" >+ num_users = 5 >+ users = [self.create_user(i, num_users, prefix=prefix) >+ for i in range(num_users)] >+ expr = "(&(objectClass=user)(facsimileTelephoneNumber=%s*))" % (prefix) >+ >+ # Get the first page, then change the searched attribute and >+ # try for the second page. >+ results, cookie = self.paged_search(expr, page_size=1) >+ unwalked_users = [u for u in users if u['cn'] != results[0]] >+ >+ for u in users: >+ self.ldb.modify_ldif("dn: %s\n" >+ "changetype: modify\n" >+ "replace: facsimileTelephoneNumber\n" >+ "facsimileTelephoneNumber: 123" % u['dn']) >+ >+ results, _ = self.paged_search(expr, cookie=cookie, >+ page_size=len(self.users)) >+ self.assertEqual(results, []) >+ > def assertPagedSearchRaises(self, err_num, expr, cookie, attrs=None, > extra_ctrls=None): > try: >-- >2.17.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
dbagnall
:
review+
gary
:
review+
abartlet
:
ci-passed+
Actions:
View
Attachments on
bug 13951
:
15159
|
15165
|
15166
|
15173
|
15174
|
15175
|
15198
|
15226
|
15227
|
15228
| 15230 |
15231