When there is more than one message element modifying a specific attribute (such as sAMAccountName), dsdb_get_expected_new_values() uses the wrong value as the limit for the loop (val_count instead of msg->num_elements). This can result in an out-of-bounds read or accessing uninitialised data.
Created attachment 17203 [details] patch for master
Created attachment 17204 [details] patch for master Avoids calling memcpy() with a NULL pointer.
Created attachment 17317 [details] patch for master There was one more issue that I missed. We weren't specifying the correct number of bytes to memcpy(), resulting in half-uninitialised data.
Created attachment 17340 [details] patch for master
Created attachment 17341 [details] advisory
Comment on attachment 17341 [details] advisory Looks good but at least the 4.16.2 version is wrong (that was just released).
Comment on attachment 17340 [details] patch for master Patch for master looks good, thanks!
Comment on attachment 17340 [details] patch for master [PATCH 4/4] CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element This patch needs the BUG: tag added.
Created attachment 17343 [details] patch for master Fixed.
Created attachment 17379 [details] advisory v2 Updated advisory.
Assigning to Jule for the next security release.
Comment on attachment 17343 [details] patch for master Marking this patch as obsolete to avoid confusion as the patches were uplaoded on parent bug 15096 combined with CVE-2022-32745 / bug 15009
Opening security bugs to vendors. Release date is currently proposed to be Wednesday 27 July but bug 15109 will be the authoritative reference on that.
This bug was referenced in samba v4-16-stable (Release samba-4.16.4): 1d7690b000f115ea39fb498d63de46ab6705f927 f2ded77168dbc54b1d0c8ead08701c48af3f3a74 701aef133fd6efb03f8b32dfd5a4d93acf8b9fce e0d25e172c48c1cd083466dc304257698aadf4af
This bug was referenced in samba v4-15-stable (Release samba-4.15.9): c231d424b89ba718262ed376431a982baaeef33f d2dbb3b6818d429b12d54e68510286d033d4abd7 d85bb9f5edc08ce2042be366c720dd027788f5bd 6af497232e4ed24c33a29b77825fa854a73b5427
This bug was referenced in samba v4-14-stable (Release samba-4.14.14): 6237c85565332e0be1890dd57cc7e25fb76571d7 7c8427e5d2f247921ab44996829acfed1f5f2360 4d2d30c21b16a53d5547cb803efe49cb6304ce37 65d96369fa4f915f01e203cfc8b15e48c5b4b440
This bug was referenced in samba v4-14-test: 6237c85565332e0be1890dd57cc7e25fb76571d7 7c8427e5d2f247921ab44996829acfed1f5f2360 4d2d30c21b16a53d5547cb803efe49cb6304ce37 65d96369fa4f915f01e203cfc8b15e48c5b4b440
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public. If you wish to continue to be informed about any changes here please CC individually.
This bug was referenced in samba v4-16-test: 1d7690b000f115ea39fb498d63de46ab6705f927 f2ded77168dbc54b1d0c8ead08701c48af3f3a74 701aef133fd6efb03f8b32dfd5a4d93acf8b9fce e0d25e172c48c1cd083466dc304257698aadf4af
This bug was referenced in samba v4-15-test: c231d424b89ba718262ed376431a982baaeef33f d2dbb3b6818d429b12d54e68510286d033d4abd7 d85bb9f5edc08ce2042be366c720dd027788f5bd 6af497232e4ed24c33a29b77825fa854a73b5427
This bug was referenced in samba master: 4ec784e0a91e572801a47be36a1729b92cb4140b 4a31c48057ec65d9d73b9cf5fbb0abfefeb2c18c aa728dfcc9684748818412231e865fbd9112b565 9881491023eb1ece27bd7a24ed41902bb15dbff2
This bug was referenced in samba v4-17-stable: 4ec784e0a91e572801a47be36a1729b92cb4140b 4a31c48057ec65d9d73b9cf5fbb0abfefeb2c18c aa728dfcc9684748818412231e865fbd9112b565 9881491023eb1ece27bd7a24ed41902bb15dbff2
This bug was referenced in samba v4-17-test: 4ec784e0a91e572801a47be36a1729b92cb4140b 4a31c48057ec65d9d73b9cf5fbb0abfefeb2c18c aa728dfcc9684748818412231e865fbd9112b565 9881491023eb1ece27bd7a24ed41902bb15dbff2
Pushed to all relevant branches. Closing out bug report. Many thanks at all!
This bug was referenced in samba master: 3d935fdcb9c3677dced4fa22d5c8d1a0d48ef6c2