This is the bug described in comment 1 of bug 14655, which is not a security issue in itself, but cannot easily be fixed separately. I'm putting it here to track it. When bug 14655 is public, this one can be public. See attachment 16501 [details] ldb_handler_fold() makes mistakes when collapsing multiple internal spaces down to a single space. When trying to add a test asserting that "1 0" would match "*1 0" (because all those spaces shrink to one, and "*X" matches "X"), I found that instead "1 0" was being converted to "1 0 0": the internal spaces were shrunk, but the terminating '\0' was not added and the ldb_val length was not adjusted. That's because here: /* check middle spaces */ while ((t = strchr(s, ' ')) != NULL) { for (s = t; *s == ' '; s++) ; if ((s - t) > 1) { l = strlen(s); /* remove all spaces but one by moving down the string */ memmove(t + 1, s, l); } } let's label our four spaces a, b, c, d and assume a terminated string. We have the 7 bytes {'1', a, b, c, d, '0', '\0'}. The strchr() points t to space a. The for loop walks s along the spaces until it hits '0'. `s - t` is 4, so we set l to strlen(s) which is 1. Then we memmove(b, s, 1). That copies the '0' to position b. Next strchr hits the '\0' and we're done, leaving us with "1 0 0". The proposed fix is to walk though the whole string simply and carefully in a single loop, stepping over extra spaces as we find them. This patch is written to go on top of attachment 16500 [details].
https://gitlab.com/samba-team/samba/-/merge_requests/1865 Removing the embargo, which was blocked by CVE-2021-20277 (bug #14655).
This bug was referenced in samba master: 24ddc1ca9cad95673bdd8023d99867707b37085f
Let's not backport. There is more pressing work, and people don't seem to hit often this in practice (presumably because they use a single space).
This bug was referenced in samba v4-14-test: 4548760ee8e85f089a39a83acc8e6fdb5863d023
This bug was referenced in samba v4-13-test: 0c32ab5f61af06061e6ba18dbe636f62da037f1f
This bug was referenced in samba v4-13-stable (Release samba-4.13.14): 0c32ab5f61af06061e6ba18dbe636f62da037f1f
This bug was referenced in samba v4-14-stable (Release samba-4.14.10): 4548760ee8e85f089a39a83acc8e6fdb5863d023
This bug was referenced in samba master: f621317e3b25a8925ab6e448068264488a0a47c7
This bug was referenced in samba v4-15-test: cd9783148b8bdbbf9b1e43d2a7a7e3d5a6a0420e
This bug was referenced in samba v4-14-test: ce1186e06ed2581a29af794eb66405a4efe26b71
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): cd9783148b8bdbbf9b1e43d2a7a7e3d5a6a0420e
This bug was referenced in samba v4-13-test: dd679ce7f4450765274b085bbee97d1fa8e0f2a0
This bug was referenced in samba v4-13-stable (Release samba-4.13.15): dd679ce7f4450765274b085bbee97d1fa8e0f2a0
This bug was referenced in samba v4-14-stable (Release samba-4.14.11): ce1186e06ed2581a29af794eb66405a4efe26b71