The Samba-Bugzilla – Attachment 15539 Details for
Bug 14040
[SECURITY] CVE-2019-14847 dirsync / ranged_results crash
[patch]
patch for master and v4.11 (to fix behaviour only) v1
CVE-2019-14847-master-01.patch (text/plain), 6.53 KB, created by
Andrew Bartlett
on 2019-10-15 04:21:14 UTC
Description:
patch for master and v4.11 (to fix behaviour only) v1
Filename:
MIME Type:
Creator:
Andrew Bartlett
Created:
2019-10-15 04:21:14 UTC
Size:
6.53 KB
>From a783b85bdd46f7088273e621b1e6f592c8f9253b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 15 Oct 2019 16:28:46 +1300
>Subject: [PATCH 1/2] CVE-2019-14847 dsdb: Demonstrate the correct interaction
> of ranged_results style attributes and dirsync
>
>Incremental results are provided by a flag on the dirsync control, not
>by changing the attribute name.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> selftest/knownfail.d/dirsync | 1 +
> source4/dsdb/tests/python/dirsync.py | 26 ++++++++++++++++++++++++++
> 2 files changed, 27 insertions(+)
> create mode 100644 selftest/knownfail.d/dirsync
>
>diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
>new file mode 100644
>index 00000000000..bc49fe0d9bb
>--- /dev/null
>+++ b/selftest/knownfail.d/dirsync
>@@ -0,0 +1 @@
>+^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\(
>\ No newline at end of file
>diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py
>index 8b46357c670..78117bc364b 100755
>--- a/source4/dsdb/tests/python/dirsync.py
>+++ b/source4/dsdb/tests/python/dirsync.py
>@@ -28,6 +28,7 @@ from samba.tests.subunitrun import TestProgram, SubunitOptions
> import samba.getopt as options
> import base64
>
>+import ldb
> from ldb import LdbError, SCOPE_BASE
> from ldb import Message, MessageElement, Dn
> from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE
>@@ -588,6 +589,31 @@ class SimpleDirsyncTests(DirsyncBaseTests):
>
> class ExtendedDirsyncTests(SimpleDirsyncTests):
>
>+ def test_dirsync_linkedattributes_range(self):
>+ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
>+ res = self.ldb_admin.search(self.base_dn,
>+ attrs=["member;range=1-1"],
>+ expression="(name=Administrators)",
>+ controls=["dirsync:1:0:0"])
>+
>+ self.assertTrue(len(res) > 0)
>+ self.assertTrue(res[0].get("member;range=1-1") is None)
>+ self.assertTrue(res[0].get("member") is not None)
>+ self.assertTrue(len(res[0].get("member")) > 0)
>+
>+ def test_dirsync_linkedattributes_range_user(self):
>+ self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
>+ try:
>+ res = self.ldb_simple.search(self.base_dn,
>+ attrs=["member;range=1-1"],
>+ expression="(name=Administrators)",
>+ controls=["dirsync:1:0:0"])
>+ except LdbError as e:
>+ (num, _) = e.args
>+ self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS)
>+ else:
>+ self.fail()
>+
> def test_dirsync_linkedattributes(self):
> flag_incr_linked = 2147483648
> self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
>--
>2.11.0
>
>
>From 75ceb35d81d49c957e8b7b734cf50dfb16eb4365 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 15 Oct 2019 15:44:34 +1300
>Subject: [PATCH 2/2] CVE-2019-14847 dsdb: Correct behaviour of ranged_results
> when combined with dirsync
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> selftest/knownfail.d/dirsync | 1 -
> source4/dsdb/samdb/ldb_modules/dirsync.c | 11 ++++++-----
> source4/dsdb/samdb/ldb_modules/ranged_results.c | 25 ++++++++++++++++++++++---
> 3 files changed, 28 insertions(+), 9 deletions(-)
> delete mode 100644 selftest/knownfail.d/dirsync
>
>diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
>deleted file mode 100644
>index bc49fe0d9bb..00000000000
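Review bot: In `test_dirsync_linkedattributes_range` the simple-user connection opened on the first line is never used, because the search runs on `self.ldb_admin`; that `self.ldb_simple = self.get_ldb_connection(...)` line can be dropped so the test does not depend on a bind it does not need. In `test_dirsync_linkedattributes_range_user`, `assertEquals` is the deprecated alias of `assertEqual`, and the bare `self.fail()` says nothing when the unprivileged search unexpectedly succeeds; `self.fail("dirsync search as simple_user was not refused")` would make that access-control regression readable in the test output. The `assertTrue(... is None)` and `assertTrue(... is not None)` checks read more directly as `assertIsNone(...)` and `assertIsNotNone(...)`. A one-line docstring on each test stating the contract (range option ignored under dirsync for the admin, insufficient access rights for the plain user) would document why the two cases differ.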
>--- a/selftest/knownfail.d/dirsync
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\(
>\ No newline at end of file
>diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
>index 60e8eae4642..c62cf1d4264 100644
>--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
>+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
>@@ -1014,7 +1014,7 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
> }
>
> /*
>- * check if there's an extended dn control
>+ * check if there's a dirsync control
> */
> control = ldb_request_get_control(req, LDB_CONTROL_DIRSYNC_OID);
> if (control == NULL) {
>@@ -1343,11 +1343,12 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
>
> }
> /*
>- * Remove our control from the list of controls
>+ * Mark dirsync control as uncritical (done)
>+ *
>+ * We need this so ranged_results knows how to behave with
>+ * dirsync
> */
>- if (!ldb_save_controls(control, req, NULL)) {
>- return ldb_operr(ldb);
>- }
>+ control->critical = false;
> dsc->schema = dsdb_get_schema(ldb, dsc);
> /*
> * At the begining we make the hypothesis that we will return a complete
>diff --git a/source4/dsdb/samdb/ldb_modules/ranged_results.c b/source4/dsdb/samdb/ldb_modules/ranged_results.c
>index 13bf3a2d0a9..98438799997 100644
>--- a/source4/dsdb/samdb/ldb_modules/ranged_results.c
>+++ b/source4/dsdb/samdb/ldb_modules/ranged_results.c
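Review bot: The new comment above `control->critical = false;` in the second dirsync.c hunk does not say that the dirsync control is now deliberately left on `req->controls`, where the removed `ldb_save_controls()` call used to strip it, so every module further down the stack sees it from now on. The ranged_results change in this same patch tests only for the control's presence, not its `critical` flag, so clearing `critical` presumably serves to stop a lower layer rejecting an unhandled critical control; that reason is worth stating. Suggested wording: `/* Keep the dirsync control on the request, marked non-critical (handled), so lower modules such as ranged_results can detect a dirsync search */`. `dirsync_ldb_search` starts and ends outside this hunk, so whether anything below relied on the control being absent cannot be confirmed from the lines shown.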
>@@ -35,14 +35,14 @@
> struct rr_context {
> struct ldb_module *module;
> struct ldb_request *req;
>+ bool dirsync_in_use;
> };
>
> static struct rr_context *rr_init_context(struct ldb_module *module,
> struct ldb_request *req)
> {
>- struct rr_context *ac;
>-
>- ac = talloc_zero(req, struct rr_context);
>+ struct ldb_control *dirsync_control = NULL;
>+ struct rr_context *ac = talloc_zero(req, struct rr_context);
> if (ac == NULL) {
> ldb_set_errstring(ldb_module_get_ctx(module), "Out of Memory");
> return NULL;
>@@ -51,6 +51,16 @@ static struct rr_context *rr_init_context(struct ldb_module *module,
> ac->module = module;
> ac->req = req;
>
>+ /*
>+ * check if there's a dirsync control (as there is an
>+ * interaction between these modules)
>+ */
>+ dirsync_control = ldb_request_get_control(req,
>+ LDB_CONTROL_DIRSYNC_OID);
>+ if (dirsync_control != NULL) {
>+ ac->dirsync_in_use = true;
>+ }
>+
> return ac;
> }
>
>@@ -82,6 +92,15 @@ static int rr_search_callback(struct ldb_request *req, struct ldb_reply *ares)
> ares->response, ares->error);
> }
>
>+ if (ac->dirsync_in_use) {
>+ /*
>+ * We return full attribute values when mixed with
>+ * dirsync
>+ */
>+ return ldb_module_send_entry(ac->req,
>+ ares->message,
>+ ares->controls);
>+ }
> /* LDB_REPLY_ENTRY */
>
> temp_ctx = talloc_new(ac->req);
>--
>2.11.0
>
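Review bot: The new `dirsync_in_use` field in `struct rr_context` carries the invariant this fix depends on, yet neither it nor the comment in `rr_init_context` says what the "interaction between these modules" is. A field comment such as `bool dirsync_in_use; /* request carries the dirsync control: entries are passed through without range processing */` would keep a later refactor from dropping the flag. The local `dirsync_control` is used only for a NULL test, so the assignment can be written as `ac->dirsync_in_use = (ldb_request_get_control(req, LDB_CONTROL_DIRSYNC_OID) != NULL);`, which removes the extra declaration added in the first hunk.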
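Review bot: In the `rr_search_callback` hunk the new `if (ac->dirsync_in_use)` block sits between the reply-type handling and the existing `/* LDB_REPLY_ENTRY */` marker, so the marker now labels only the code after the early return, although the early return handles entries too. Moving `/* LDB_REPLY_ENTRY */` above the new block keeps it accurate. The inner comment could also state the client-visible effect the new test asserts, for example `/* Under dirsync the ;range= option is ignored: the entry is returned with the plain attribute name and all of its values */`. The reply-type checks that make this return safe begin above the hunk, which shows only the tail of the `ldb_module_done()` call, so their order should be confirmed against the full function.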