15010 – Sensitive data comparisons use memcmp()

Bug 15010 - Sensitive data comparisons use memcmp()

Summary: Sensitive data comparisons use memcmp()

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.11.0
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2022-03-11 01:57 UTC by Jo Sutton
Modified:	2022-08-24 23:22 UTC (History)
CC List:	0 users

See Also:

Attachments
patch for master (29.17 KB, patch) 2022-03-11 01:59 UTC, Jo Sutton	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jo Sutton 2022-03-11 01:57:45 UTC

To avoid being susceptible to timing attacks, we should use a constant time comparison function.

Comment 1 Jo Sutton 2022-03-11 01:59:52 UTC

Created attachment 17207 [details]
patch for master

This patch does not address uses of memcmp() in Heimdal; as it is a third-party library it must be patched separately.

Comment 2 Andrew Bartlett 2022-03-11 19:30:30 UTC

The password_hash.c code should use this also, lots of password hash comparisons there.  (hard to exploit because the input is not a hash, but should be fixed for consistency).

Our next step should be to confirm if we think this raises to the standard for a CVE, otherwise to just fix in public.

Comment 3 Andrew Bartlett 2022-04-13 23:18:09 UTC

I've removed the embargo, this is an important thing to fix, but we wouldn't issue a security advisory for this.

Comment 4 Samba QA Contact 2022-06-09 23:49:03 UTC

This bug was referenced in samba master:

ae6634c78774d2368e815dea650ba71650dd1861