Attachment 15539 Details for Bug 14040 – patch for master and v4.11 (to fix behaviour only) v1

[patch] patch for master and v4.11 (to fix behaviour only) v1

CVE-2019-14847-master-01.patch (text/plain), 6.53 KB, created by Andrew Bartlett on 2019-10-15 04:21:14 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2019-10-15 04:21:14 UTC

Size: 6.53 KB

patch

obsolete

>From a783b85bdd46f7088273e621b1e6f592c8f9253b Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 15 Oct 2019 16:28:46 +1300
>Subject: [PATCH 1/2] CVE-2019-14847 dsdb: Demonstrate the correct interaction
> of ranged_results style attributes and dirsync
>
>Incremental results are provided by a flag on the dirsync control, not
>by changing the attribute name.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> selftest/knownfail.d/dirsync         |  1 +
> source4/dsdb/tests/python/dirsync.py | 26 ++++++++++++++++++++++++++
> 2 files changed, 27 insertions(+)
> create mode 100644 selftest/knownfail.d/dirsync
>
>diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
>new file mode 100644
>index 00000000000..bc49fe0d9bb
>--- /dev/null
>+++ b/selftest/knownfail.d/dirsync
>@@ -0,0 +1 @@
>+^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\(
>\ No newline at end of file
>diff --git a/source4/dsdb/tests/python/dirsync.py b/source4/dsdb/tests/python/dirsync.py
>index 8b46357c670..78117bc364b 100755
>--- a/source4/dsdb/tests/python/dirsync.py
>+++ b/source4/dsdb/tests/python/dirsync.py
>@@ -28,6 +28,7 @@ from samba.tests.subunitrun import TestProgram, SubunitOptions
> import samba.getopt as options
> import base64
> 
>+import ldb
> from ldb import LdbError, SCOPE_BASE
> from ldb import Message, MessageElement, Dn
> from ldb import FLAG_MOD_ADD, FLAG_MOD_DELETE
>@@ -588,6 +589,31 @@ class SimpleDirsyncTests(DirsyncBaseTests):
> 
> class ExtendedDirsyncTests(SimpleDirsyncTests):
> 
>+    def test_dirsync_linkedattributes_range(self):
>+        self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
>+        res = self.ldb_admin.search(self.base_dn,
>+                                    attrs=["member;range=1-1"],
>+                                    expression="(name=Administrators)",
>+                                    controls=["dirsync:1:0:0"])
>+
>+        self.assertTrue(len(res) > 0)
>+        self.assertTrue(res[0].get("member;range=1-1") is None)
>+        self.assertTrue(res[0].get("member") is not None)
>+        self.assertTrue(len(res[0].get("member")) > 0)
>+
>+    def test_dirsync_linkedattributes_range_user(self):
>+        self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
>+        try:
>+            res = self.ldb_simple.search(self.base_dn,
>+                                         attrs=["member;range=1-1"],
>+                                         expression="(name=Administrators)",
>+                                        controls=["dirsync:1:0:0"])
>+        except LdbError as e:
>+            (num, _) = e.args
>+            self.assertEquals(num, ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS)
>+        else:
>+            self.fail()
>+
>     def test_dirsync_linkedattributes(self):
>         flag_incr_linked = 2147483648
>         self.ldb_simple = self.get_ldb_connection(self.simple_user, self.user_pass)
>-- 
>2.11.0
>
>
>From 75ceb35d81d49c957e8b7b734cf50dfb16eb4365 Mon Sep 17 00:00:00 2001
>From: Andrew Bartlett <abartlet@samba.org>
>Date: Tue, 15 Oct 2019 15:44:34 +1300
>Subject: [PATCH 2/2] CVE-2019-14847 dsdb: Correct behaviour of ranged_results
> when combined with dirsync
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=14040
>
>Signed-off-by: Andrew Bartlett <abartlet@samba.org>
>---
> selftest/knownfail.d/dirsync                    |  1 -
> source4/dsdb/samdb/ldb_modules/dirsync.c        | 11 ++++++-----
> source4/dsdb/samdb/ldb_modules/ranged_results.c | 25 ++++++++++++++++++++++---
> 3 files changed, 28 insertions(+), 9 deletions(-)
> delete mode 100644 selftest/knownfail.d/dirsync
>
>diff --git a/selftest/knownfail.d/dirsync b/selftest/knownfail.d/dirsync
>deleted file mode 100644
>index bc49fe0d9bb..00000000000
>--- a/selftest/knownfail.d/dirsync
>+++ /dev/null
>@@ -1 +0,0 @@
>-^samba4.ldap.dirsync.python\(ad_dc_ntvfs\).__main__.ExtendedDirsyncTests.test_dirsync_linkedattributes_range\(
>\ No newline at end of file
>diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
>index 60e8eae4642..c62cf1d4264 100644
>--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
>+++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
>@@ -1014,7 +1014,7 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
> 	}
> 
> 	/*
>-	 * check if there's an extended dn control
>+	 * check if there's a dirsync control
> 	 */
> 	control = ldb_request_get_control(req, LDB_CONTROL_DIRSYNC_OID);
> 	if (control == NULL) {
>@@ -1343,11 +1343,12 @@ static int dirsync_ldb_search(struct ldb_module *module, struct ldb_request *req
> 
> 	}
> 	/*
>-	 * Remove our control from the list of controls
>+	 * Mark dirsync control as uncritical (done)
>+	 *
>+	 * We need this so ranged_results knows how to behave with
>+	 * dirsync
> 	 */
>-	if (!ldb_save_controls(control, req, NULL)) {
>-		return ldb_operr(ldb);
>-	}
>+	control->critical = false;
> 	dsc->schema = dsdb_get_schema(ldb, dsc);
> 	/*
> 	 * At the begining we make the hypothesis that we will return a complete
>diff --git a/source4/dsdb/samdb/ldb_modules/ranged_results.c b/source4/dsdb/samdb/ldb_modules/ranged_results.c
>index 13bf3a2d0a9..98438799997 100644
>--- a/source4/dsdb/samdb/ldb_modules/ranged_results.c
>+++ b/source4/dsdb/samdb/ldb_modules/ranged_results.c
>@@ -35,14 +35,14 @@
> struct rr_context {
> 	struct ldb_module *module;
> 	struct ldb_request *req;
>+	bool dirsync_in_use;
> };
> 
> static struct rr_context *rr_init_context(struct ldb_module *module,
> 					  struct ldb_request *req)
> {
>-	struct rr_context *ac;
>-
>-	ac = talloc_zero(req, struct rr_context);
>+	struct ldb_control *dirsync_control = NULL;
>+	struct rr_context *ac = talloc_zero(req, struct rr_context);
> 	if (ac == NULL) {
> 		ldb_set_errstring(ldb_module_get_ctx(module), "Out of Memory");
> 		return NULL;
>@@ -51,6 +51,16 @@ static struct rr_context *rr_init_context(struct ldb_module *module,
> 	ac->module = module;
> 	ac->req = req;
> 
>+	/*
>+	 * check if there's a dirsync control (as there is an
>+	 * interaction between these modules)
>+	 */
>+	dirsync_control = ldb_request_get_control(req,
>+						  LDB_CONTROL_DIRSYNC_OID);
>+	if (dirsync_control != NULL) {
>+		ac->dirsync_in_use = true;
>+	}
>+
> 	return ac;
> }
> 
>@@ -82,6 +92,15 @@ static int rr_search_callback(struct ldb_request *req, struct ldb_reply *ares)
> 					ares->response, ares->error);
> 	}
> 
>+	if (ac->dirsync_in_use) {
>+		/*
>+		 * We return full attribute values when mixed with
>+		 * dirsync
>+		 */
>+		return ldb_module_send_entry(ac->req,
>+					     ares->message,
>+					     ares->controls);
>+	}
> 	/* LDB_REPLY_ENTRY */
> 
> 	temp_ctx = talloc_new(ac->req);
>-- 
>2.11.0
>

Actions: View

Attachments on bug 14040: 15394 | 15539 | 15540 | 15541 | 15543 | 15544 | 15545