The Samba-Bugzilla – Attachment 17110 Details for Bug 14950: CVE-2022-0336 [SECURITY] Re-adding an SPN skips subsequent SPN conflict checks
Attachment: [patch] 4-13 patch v2
File: CVE-2022-0336-v4-13.patch (text/plain), 3.70 KB
Creator: Douglas Bagnall
Created: 2022-01-22 00:03:10 UTC
Attachment flags: patch, obsolete
>From f9f1e4c7e15409ccd06214f6f53dd8b9494c8f1e Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 18 Jan 2022 11:56:38 +1300 >Subject: [PATCH 1/2] CVE-2022-0336: pytest: Add a test for an SPN conflict > with a re-added SPN > >This test currently fails, as re-adding an SPN means that later checks >do not run. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > python/samba/tests/ldap_spn.py | 7 +++++++ > selftest/knownfail.d/ldap_spn | 1 + > 2 files changed, 8 insertions(+) > >diff --git a/python/samba/tests/ldap_spn.py b/python/samba/tests/ldap_spn.py >index 8a398ffaa49..6ebdf8f9a32 100644 >--- a/python/samba/tests/ldap_spn.py >+++ b/python/samba/tests/ldap_spn.py >@@ -268,6 +268,8 @@ class LdapSpnTestBase(TestCase): > for k in ('dNSHostName', 'servicePrincipalName'): > if isinstance(m.get(k), str): > m[k] = m[k].format(dnsname=f"x.{REALM}") >+ elif isinstance(m.get(k), list): >+ m[k] = [x.format(dnsname=f"x.{REALM}") for x in m[k]] > > msg = ldb.Message.from_dict(samdb, m, op) > >@@ -727,6 +729,11 @@ class LdapSpnSambaOnlyTest(LdapSpnTestBase): > ('user:C', 'host/{dnsname}', '*', ok), > ('user:D', 'www/{dnsname}', 'D', denied), > ), >+ ("add a conflict, along with a re-added SPN", >+ ('A', 'cifs/{dnsname}', '*', ok), >+ ('B', 'cifs/heeble.example.net', 'B', ok), >+ ('B', ['cifs/heeble.example.net', 'host/{dnsname}'], 'B', constraint), >+ ), > > ("changing dNSHostName after host", > ('A', {'dNSHostName': '{dnsname}'}, '*', ok), >diff --git a/selftest/knownfail.d/ldap_spn b/selftest/knownfail.d/ldap_spn >index 63f9fe02ef7..16dafa91b66 100644 >--- a/selftest/knownfail.d/ldap_spn >+++ b/selftest/knownfail.d/ldap_spn >@@ -1 +1,2 @@ > samba.tests.ldap_spn.+LdapSpnTest.test_spn_dodgy_spns >+samba.tests.ldap_spn.+LdapSpnSambaOnlyTest.test_spn_add_a_conflict_along_with_a_re_added_SPN >-- >2.30.2 
> > >From a4d77f368a4dcdda5502b5cf197b413dc11b49a9 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Tue, 18 Jan 2022 12:02:45 +1300 >Subject: [PATCH 2/2] CVE-2022-0336: s4/dsdb/samldb: Don't return early when an > SPN is re-added to an object > >If an added SPN already exists on an object, we still want to check the >rest of the element values for conflicts. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> >--- > selftest/knownfail.d/ldap_spn | 1 - > source4/dsdb/samdb/ldb_modules/samldb.c | 3 +-- > 2 files changed, 1 insertion(+), 3 deletions(-) > >diff --git a/selftest/knownfail.d/ldap_spn b/selftest/knownfail.d/ldap_spn >index 16dafa91b66..63f9fe02ef7 100644 >--- a/selftest/knownfail.d/ldap_spn >+++ b/selftest/knownfail.d/ldap_spn >@@ -1,2 +1 @@ > samba.tests.ldap_spn.+LdapSpnTest.test_spn_dodgy_spns >-samba.tests.ldap_spn.+LdapSpnSambaOnlyTest.test_spn_add_a_conflict_along_with_a_re_added_SPN >diff --git a/source4/dsdb/samdb/ldb_modules/samldb.c b/source4/dsdb/samdb/ldb_modules/samldb.c >index f0227411ccd..a219446bba7 100644 >--- a/source4/dsdb/samdb/ldb_modules/samldb.c >+++ b/source4/dsdb/samdb/ldb_modules/samldb.c >@@ -4001,8 +4001,7 @@ static int samldb_spn_uniqueness_check(struct samldb_ctx *ac, > ac->msg->dn); > if (ret == LDB_ERR_COMPARE_TRUE) { > DBG_INFO("SPN %s re-added to the same object\n", spn); >- talloc_free(tmp_ctx); >- return LDB_SUCCESS; >+ continue; > } > if (ret != LDB_SUCCESS) { > DBG_ERR("SPN %s failed direct uniqueness check\n", spn); >-- >2.30.2 >
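Review bot: in the first ldap_spn.py hunk (the `@@ -268,6 +268,8 @@` region), the new `elif isinstance(m.get(k), list)` branch calls `.format()` on every element of the list, so a list containing a non-string entry would raise AttributeError rather than being passed through like the existing non-str case does; guarding with `x.format(...) if isinstance(x, str) else x` inside the comprehension would keep the list branch consistent with the scalar branch above it. Harmless for the test data added here, which only uses string SPNs, but worth tightening since this helper is shared by every test case in the class.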
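Review bot: in the second ldap_spn.py hunk (the `@@ -727,6 +729,11 @@` region), the regression only triggers because the re-added `cifs/heeble.example.net` comes before the conflicting `host/{dnsname}` in the list for 'B': the bug being fixed is an early return on the re-added value, so if the two entries were swapped the conflicting SPN would be checked first and the test would pass even on unpatched code. A short comment on that line stating that the element order is deliberate would stop a future cleanup from reordering the list and silently losing the coverage; the `constraint` expectation itself is correct, since 'A' already owns `host/{dnsname}` from the first step.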
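Review bot: in the samldb.c hunk (`samldb_spn_uniqueness_check`, the `@@ -4001,8 +4001,7 @@` region), replacing `talloc_free(tmp_ctx); return LDB_SUCCESS;` with `continue;` drops the free on this path, so the change is only leak-free if `tmp_ctx` is released once after the loop on the normal-exit path; that code is outside the visible context, so please confirm it is covered before merging. The behavioural change itself is the right one: a re-added SPN is a no-op for that single value and must not short-circuit the uniqueness checks for the remaining values in the same element, which is exactly what the early return did. The `DBG_INFO` line is fine to keep, though at this level it now fires once per re-added value rather than once per request.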
Review flags: jsutton: review+; jsutton: ci-passed+