The Samba-Bugzilla – Attachment 17100 Details for Bug 14950: CVE-2022-0336 [SECURITY] Re-adding an SPN skips subsequent SPN conflict checks
[patch] Patch for master
Filename: spn-re-add_master.patch
MIME Type: text/plain
Creator: Jo Sutton
Created: 2022-01-18 01:21:23 UTC
Size: 3.58 KB
Flags: patch, obsolete
>From fde53f0af8f6adb334b2c4ef30d39b1fa8fb8ac7 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 18 Jan 2022 11:56:38 +1300 >Subject: [PATCH 1/2] pytest: Add a test for an SPN conflict with a re-added > SPN > >This test currently fails, as re-adding an SPN means that later checks >do not run. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > python/samba/tests/ldap_spn.py | 7 +++++++ > selftest/knownfail.d/ldap_spn | 1 + > 2 files changed, 8 insertions(+) > >diff --git a/python/samba/tests/ldap_spn.py b/python/samba/tests/ldap_spn.py >index 8a398ffaa49..6ebdf8f9a32 100644 >--- a/python/samba/tests/ldap_spn.py >+++ b/python/samba/tests/ldap_spn.py >@@ -268,6 +268,8 @@ class LdapSpnTestBase(TestCase): > for k in ('dNSHostName', 'servicePrincipalName'): > if isinstance(m.get(k), str): > m[k] = m[k].format(dnsname=f"x.{REALM}") >+ elif isinstance(m.get(k), list): >+ m[k] = [x.format(dnsname=f"x.{REALM}") for x in m[k]] > > msg = ldb.Message.from_dict(samdb, m, op) > >@@ -727,6 +729,11 @@ class LdapSpnSambaOnlyTest(LdapSpnTestBase): > ('user:C', 'host/{dnsname}', '*', ok), > ('user:D', 'www/{dnsname}', 'D', denied), > ), >+ ("add a conflict, along with a re-added SPN", >+ ('A', 'cifs/{dnsname}', '*', ok), >+ ('B', 'cifs/heeble.example.net', 'B', ok), >+ ('B', ['cifs/heeble.example.net', 'host/{dnsname}'], 'B', constraint), >+ ), > > ("changing dNSHostName after host", > ('A', {'dNSHostName': '{dnsname}'}, '*', ok), >diff --git a/selftest/knownfail.d/ldap_spn b/selftest/knownfail.d/ldap_spn >index 63f9fe02ef7..16dafa91b66 100644 >--- a/selftest/knownfail.d/ldap_spn >+++ b/selftest/knownfail.d/ldap_spn >@@ -1 +1,2 @@ > samba.tests.ldap_spn.+LdapSpnTest.test_spn_dodgy_spns >+samba.tests.ldap_spn.+LdapSpnSambaOnlyTest.test_spn_add_a_conflict_along_with_a_re_added_SPN >-- >2.31.1.362.g311531c9de 
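Review bot: The new `elif isinstance(m.get(k), list):` branch in the `for k in ('dNSHostName', 'servicePrincipalName'):` loop calls `.format()` on every element, so a list that mixes str and non-str values would raise AttributeError instead of passing the non-str values through unchanged as the scalar branch does; consider `m[k] = [x.format(dnsname=f"x.{REALM}") if isinstance(x, str) else x for x in m[k]]` so the two branches behave consistently.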
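Review bot: In the new "add a conflict, along with a re-added SPN" case the re-added value `'cifs/heeble.example.net'` is listed before the conflicting `'host/{dnsname}'`, which is precisely the ordering that the early return in samldb_spn_uniqueness_check mishandles; a short comment in the test saying that the order is what exercises the bug would help future readers, and a companion row with the two values reversed (`('B', ['host/{dnsname}', 'cifs/heeble.example.net'], 'B', constraint)`) would pin down that the conflict is reported regardless of where the re-added SPN sits in the list.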
> > >From 1c9da2b2e2ed266f63b615389ac686765ea60aad Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 18 Jan 2022 12:02:45 +1300 >Subject: [PATCH 2/2] s4/dsdb/samldb: Don't return early when an SPN is > re-added to an object > >If an added SPN already exists on an object, we still want to check the >rest of the element values for conflicts. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > selftest/knownfail.d/ldap_spn | 1 - > source4/dsdb/samdb/ldb_modules/samldb.c | 3 +-- > 2 files changed, 1 insertion(+), 3 deletions(-) > >diff --git a/selftest/knownfail.d/ldap_spn b/selftest/knownfail.d/ldap_spn >index 16dafa91b66..63f9fe02ef7 100644 >--- a/selftest/knownfail.d/ldap_spn >+++ b/selftest/knownfail.d/ldap_spn >@@ -1,2 +1 @@ > samba.tests.ldap_spn.+LdapSpnTest.test_spn_dodgy_spns >-samba.tests.ldap_spn.+LdapSpnSambaOnlyTest.test_spn_add_a_conflict_along_with_a_re_added_SPN >diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c >index db3883eb527..24971d521aa 100644 >--- a/source4/dsdb/samdb/ldb_modules/samldb.c >+++ b/source4/dsdb/samdb/ldb_modules/samldb.c >@@ -4006,8 +4006,7 @@ static int samldb_spn_uniqueness_check(struct samldb_ctx *ac, > ac->msg->dn); > if (ret == LDB_ERR_COMPARE_TRUE) { > DBG_INFO("SPN %s re-added to the same object\n", spn); >- talloc_free(tmp_ctx); >- return LDB_SUCCESS; >+ continue; > } > if (ret != LDB_SUCCESS) { > DBG_ERR("SPN %s failed direct uniqueness check\n", spn); >-- >2.31.1.362.g311531c9de >
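Review bot: Replacing `talloc_free(tmp_ctx); return LDB_SUCCESS;` with `continue;` in samldb_spn_uniqueness_check removes the only cleanup visible in this hunk, so confirm that the loop's normal exit still frees tmp_ctx (the end of the function is outside the hunk) and that nothing allocated on tmp_ctx per iteration now accumulates while the remaining values are checked. Keeping the `DBG_INFO("SPN %s re-added to the same object\n", spn)` line is a good choice: the re-add is still recorded at INFO level while the other values in the same modify now reach the uniqueness check instead of being skipped.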
Flags: dbagnall: review+