Bug 15010 - Sensitive data comparisons use memcmp()
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.11.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-03-11 01:57 UTC by Jo Sutton
Modified: 2022-08-24 23:22 UTC

patch for master (29.17 KB, patch)
2022-03-11 01:59 UTC, Jo Sutton

Description Jo Sutton 2022-03-11 01:57:45 UTC
To avoid being susceptible to timing attacks, we should use a constant time comparison function.
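
Added example, not part of the attached patch or of Samba's code: an instrumented early-exit comparison (modelling a typical memcmp()) beside a constant-time comparison, showing that the first does work proportional to the matching prefix while the second always reads every byte. The names `early_exit_bytes_examined` and `ct_mem_equal` and the sample byte arrays are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Models an early-exit comparison such as a typical memcmp(): returns the
 * number of bytes examined before the result was known. */
static size_t early_exit_bytes_examined(const uint8_t *a, const uint8_t *b,
                                        size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            return i + 1; /* work done depends on the matching prefix */
        }
    }
    return n;
}

/* Hypothetical helper (name assumed, not Samba's API): always reads all n
 * bytes and folds the differences together without a data-dependent branch.
 * volatile discourages the compiler from reintroducing an early exit. */
static bool ct_mem_equal(const void *p1, const void *p2, size_t n)
{
    const volatile uint8_t *a = p1;
    const volatile uint8_t *b = p2;
    uint8_t diff = 0;

    for (size_t i = 0; i < n; i++) {
        diff |= a[i] ^ b[i];
    }
    return diff == 0;
}

/* Constructed sample values, not real secrets. */
static const uint8_t stored[8]      = {0x3a, 0x91, 0x5c, 0x07, 0xee, 0x42, 0x18, 0xd0};
static const uint8_t wrong_first[8] = {0x00, 0x91, 0x5c, 0x07, 0xee, 0x42, 0x18, 0xd0};
static const uint8_t wrong_last[8]  = {0x3a, 0x91, 0x5c, 0x07, 0xee, 0x42, 0x18, 0xd1};

int main(void)
{
    printf("early exit, first byte wrong: %zu bytes examined\n",
           early_exit_bytes_examined(stored, wrong_first, sizeof(stored)));
    printf("early exit, last byte wrong:  %zu bytes examined\n",
           early_exit_bytes_examined(stored, wrong_last, sizeof(stored)));
    printf("constant time: equal=%d first=%d last=%d\n",
           ct_mem_equal(stored, stored, sizeof(stored)),
           ct_mem_equal(stored, wrong_first, sizeof(stored)),
           ct_mem_equal(stored, wrong_last, sizeof(stored)));
    return 0;
}
```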
Comment 1 Jo Sutton 2022-03-11 01:59:52 UTC
Created attachment 17207
patch for master

This patch does not address uses of memcmp() in Heimdal; as it is a third-party library it must be patched separately.
Comment 2 Andrew Bartlett 2022-03-11 19:30:30 UTC
The password_hash.c code should use this also, lots of password hash comparisons there. (Hard to exploit because the input is not a hash, but should be fixed for consistency.)

Our next step should be to confirm if we think this rises to the standard for a CVE, otherwise to just fix in public.
Comment 3 Andrew Bartlett 2022-04-13 23:18:09 UTC
I've removed the embargo, this is an important thing to fix, but we wouldn't issue a security advisory for this.
Comment 4 Samba QA Contact 2022-06-09 23:49:03 UTC
This bug was referenced in samba master: