authorArchana Polampalli <archana.polampalli@windriver.com>2024-01-16 14:11:25 +0000
committerArmin Kuster <akuster808@gmail.com>2024-02-07 18:41:41 -0500
commitdbb7b798f96ab652628743ceb6c7eaa9b593121d (patch)
tree60fc96a8ee51f5f8fbbd12a1e8edcc882c396217 /meta-networking
parent08d5b4bf9f61c888b1faaf9ee2f60ac7cc2da718 (diff)
samba: fix CVE-2018-14628
An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store. Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0001.patch147
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0002.patch72
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0003.patch106
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0004.patch64
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0005.patch98
-rw-r--r--meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0006.patch51
-rw-r--r--meta-networking/recipes-connectivity/samba/samba_4.14.14.bb6
7 files changed, 544 insertions, 0 deletions
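--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0001.patch
@@ -0,0 +1,147 @@
+From cbbfc917b9635bc62825ea64a157028297f54fb7 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 29 Jan 2016 23:35:31 +0100
+Subject: [PATCH] CVE-2018-14628: python:descriptor: let samba-tool dbcheck fix
+ the nTSecurityDescriptor on CN=Deleted Objects containers
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566)
+
+Autobuild-User(v4-18-test): Jule Anger <janger@samba.org>
+Autobuild-Date(v4-18-test): Mon Oct 23 09:52:22 UTC 2023 on atb-devel-224
+
+CVE: CVE-2018-14628
+
+Upstream-Status: Backport[https://github.com/samba-team/samba/commit/cbbfc917b9635bc62825ea64a157028297f54fb7]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ python/samba/dbchecker.py | 10 ++++++++--
+ python/samba/descriptor.py | 15 ++++++++++++++-
+ testprogs/blackbox/dbcheck-links.sh | 12 ++++++++++++
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
+index d10d765..d8c2341 100644
+--- a/python/samba/dbchecker.py
++++ b/python/samba/dbchecker.py
+@@ -2433,7 +2433,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
+ error_count += 1
+ continue
+
+- if self.reset_well_known_acls:
++ if dn == deleted_objects_dn or self.reset_well_known_acls:
+ try:
+ well_known_sd = self.get_wellknown_sd(dn)
+ except KeyError:
+@@ -2442,7 +2442,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base)))
+ current_sd = ndr_unpack(security.descriptor,
+ obj[attrname][0])
+
+- diff = get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid()))
++ ignoreAdditionalACEs = False
++ if not self.reset_well_known_acls:
++ ignoreAdditionalACEs = True
++
++ diff = get_diff_sds(well_known_sd, current_sd,
++ security.dom_sid(self.samdb.get_domain_sid()),
++ ignoreAdditionalACEs=ignoreAdditionalACEs)
+ if diff != "":
+ self.err_wrong_default_sd(dn, well_known_sd, diff)
+ error_count += 1
+diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
+index 0998348..08cfab0 100644
+--- a/python/samba/descriptor.py
++++ b/python/samba/descriptor.py
+@@ -407,6 +407,7 @@ def get_wellknown_sds(samdb):
+ # Then subcontainers
+ subcontainers = [
+ (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor),
++ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor),
+ (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor),
+ (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor),
+ (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor),
+@@ -417,6 +418,7 @@ def get_wellknown_sds(samdb):
+ (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor),
+
+ (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor),
++ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor),
+ (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor),
+ (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor),
+ (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor),
+@@ -441,6 +443,9 @@ def get_wellknown_sds(samdb):
+ if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn:
+ c = (ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor)
+ subcontainers.append(c)
++ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)),
++ get_deletedobjects_descriptor)
++ subcontainers.append(c)
+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)),
+ get_domain_delete_protected1_descriptor)
+ subcontainers.append(c)
+@@ -456,6 +461,9 @@ def get_wellknown_sds(samdb):
+ if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn:
+ c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor)
+ subcontainers.append(c)
++ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)),
++ get_deletedobjects_descriptor)
++ subcontainers.append(c)
+ c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)),
+ get_domain_delete_protected1_descriptor)
+ subcontainers.append(c)
+@@ -548,7 +556,8 @@ def get_clean_sd(sd):
+ return sd_clean
+
+
+-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
++def get_diff_sds(refsd, cursd, domainsid, checkSacl=True,
++ ignoreAdditionalACEs=False):
+ """Get the difference between 2 sd
+
+ This function split the textual representation of ACL into smaller
+@@ -603,6 +612,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True):
+ h_ref.remove(k)
+
+ if len(h_cur) + len(h_ref) > 0:
++ if txt == "" and len(h_ref) == 0:
++ if ignoreAdditionalACEs:
++ return ""
++
+ txt = "%s\tPart %s is different between reference" \
+ " and current here is the detail:\n" % (txt, part)
+
+diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh
+index f00fe46..06b24fb 100755
+--- a/testprogs/blackbox/dbcheck-links.sh
++++ b/testprogs/blackbox/dbcheck-links.sh
+@@ -58,6 +58,16 @@ dbcheck() {
+ fi
+ }
+
++dbcheck_acl_reset()
++{
++ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --fix --yes --attrs=nTSecurityDescriptor
++}
++
++dbcheck_acl_clean()
++{
++ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --attrs=nTSecurityDescriptor
++}
++
+ dbcheck_dangling() {
+ dbcheck "" "1" "--selftest-check-expired-tombstones"
+ return $?
+@@ -893,6 +903,8 @@ EOF
+ remove_directory $PREFIX_ABS/${RELEASE}
+
+ testit $RELEASE undump || failed=`expr $failed + 1`
++testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1)
++testit "dbcheck_acl_clean" dbcheck_acl_clean || failed=$(expr $failed + 1)
+ testit "add_two_more_users" add_two_more_users || failed=`expr $failed + 1`
+ testit "add_four_more_links" add_four_more_links || failed=`expr $failed + 1`
+ testit "remove_one_link" remove_one_link || failed=`expr $failed + 1`
+--
+2.40.0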
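--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0002.patch
@@ -0,0 +1,72 @@
+From f967b91da76f86a9feb4c1469fccfce93be8bc79 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 7 Jun 2023 18:18:58 +0200
+Subject: [PATCH] CVE-2018-14628: dbchecker: use get_deletedobjects_descriptor
+ for missing deleted objects container
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db)
+
+CVE: CVE-2018-14628
+
+Upstream-Status: Backport
+[https://github.com/samba-team/samba/commit/f967b91da76f86a9feb4c1469fccfce93be8bc79]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ python/samba/dbchecker.py | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
+index d8c2341..35b6eeb 100644
+--- a/python/samba/dbchecker.py
++++ b/python/samba/dbchecker.py
+@@ -21,7 +21,7 @@ from __future__ import print_function
+ import ldb
+ import samba
+ import time
+-from base64 import b64decode
++from base64 import b64decode, b64encode
+ from samba import dsdb
+ from samba import common
+ from samba.dcerpc import misc
+@@ -30,7 +30,11 @@ from samba.ndr import ndr_unpack, ndr_pack
+ from samba.dcerpc import drsblobs
+ from samba.samdb import dsdb_Dn
+ from samba.dcerpc import security
+-from samba.descriptor import get_wellknown_sds, get_diff_sds
++from samba.descriptor import (
++ get_wellknown_sds,
++ get_deletedobjects_descriptor,
++ get_diff_sds
++)
+ from samba.auth import system_session, admin_session
+ from samba.netcmd import CommandError
+ from samba.netcmd.fsmo import get_fsmo_roleowner
+@@ -340,6 +344,11 @@ class dbcheck(object):
+ wko_prefix = "B:32:%s" % dsdb.DS_GUID_DELETED_OBJECTS_CONTAINER
+ listwko.append('%s:%s' % (wko_prefix, dn))
+ guid_suffix = ""
++
++ domain_sid = security.dom_sid(self.samdb.get_domain_sid())
++ sec_desc = get_deletedobjects_descriptor(domain_sid,
++ name_map=self.name_map)
++ sec_desc_b64 = b64encode(sec_desc).decode('utf8')
+
+ # Insert a brand new Deleted Objects container
+ self.samdb.add_ldif("""dn: %s
+@@ -349,7 +358,8 @@ description: Container for deleted objects
+ isDeleted: TRUE
+ isCriticalSystemObject: TRUE
+ showInAdvancedViewOnly: TRUE
+-systemFlags: -1946157056%s""" % (dn, guid_suffix),
++nTSecurityDescriptor:: %s
++systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix),
+ controls=["relax:0", "provision:0"])
+
+ delta = ldb.Message()
+--
+2.40.0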
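--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0003.patch
@@ -0,0 +1,106 @@
+From edac27f5408191567233983562091484ebbbad0a Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 26 Jun 2023 15:14:24 +0200
+Subject: [PATCH] CVE-2018-14628: s4:dsdb: remove unused code in
+ dirsync_filter_entry()
+
+This makes the next change easier to understand.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371)
+
+CVE: CVE-2018-14628
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/edac27f5408191567233983562091484ebbbad0a]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/dsdb/samdb/ldb_modules/dirsync.c | 53 +++---------------------
+ 1 file changed, 5 insertions(+), 48 deletions(-)
+
+diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c
+index e61ade8..e7fb27f 100644
+--- a/source4/dsdb/samdb/ldb_modules/dirsync.c
++++ b/source4/dsdb/samdb/ldb_modules/dirsync.c
+@@ -152,10 +152,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
+ * list only the attribute that have been modified since last interogation
+ *
+ */
+- newmsg = ldb_msg_new(dsc->req);
+- if (newmsg == NULL) {
+- return ldb_oom(ldb);
+- }
+ for (i = msg->num_elements - 1; i >= 0; i--) {
+ if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) {
+ int error = 0;
+@@ -202,11 +198,6 @@ static int dirsync_filter_entry(struct ldb_request *req,
+ */
+ return LDB_SUCCESS;
+ }
+- newmsg->dn = ldb_dn_new(newmsg, ldb, "");
+- if (newmsg->dn == NULL) {
+- return ldb_oom(ldb);
+- }
+-
+ el = ldb_msg_find_element(msg, "objectGUID");
+ if ( el != NULL) {
+ guidfound = true;
+@@ -217,48 +208,14 @@ static int dirsync_filter_entry(struct ldb_request *req,
+ * well will uncomment the code bellow
+ */
+ SMB_ASSERT(guidfound == true);
+- /*
+- if (guidfound == false) {
+- struct GUID guid;
+- struct ldb_val *new_val;
+- DATA_BLOB guid_blob;
+-
+- tmp[0] = '\0';
+- txt = strrchr(txt, ':');
+- if (txt == NULL) {
+- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
+- }
+- txt++;
+-
+- status = GUID_from_string(txt, &guid);
+- if (!NT_STATUS_IS_OK(status)) {
+- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
+- }
+-
+- status = GUID_to_ndr_blob(&guid, msg, &guid_blob);
+- if (!NT_STATUS_IS_OK(status)) {
+- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
+- }
+-
+- new_val = talloc(msg, struct ldb_val);
+- if (new_val == NULL) {
+- return ldb_oom(ldb);
+- }
+- new_val->data = talloc_steal(new_val, guid_blob.data);
+- new_val->length = guid_blob.length;
+- if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) {
+- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR);
+- }
+- }
+- */
+- ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD);
+- talloc_steal(newmsg->elements, el->name);
+- talloc_steal(newmsg->elements, el->values);
+-
+- talloc_steal(newmsg->elements, msg);
+ return ldb_module_send_entry(dsc->req, msg, controls);
+ }
+
++ newmsg = ldb_msg_new(dsc->req);
++ if (newmsg == NULL) {
++ return ldb_oom(ldb);
++ }
++
+ ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd,
+ (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+--
+2.40.0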
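--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0004.patch
@@ -0,0 +1,64 @@
+From 74a508b39e6fd5036a2adc99d559bd3852f8ce8d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 29 Jan 2016 23:34:15 +0100
+Subject: [PATCH] CVE-2018-14628: s4:setup: set the correct
+ nTSecurityDescriptor on the CN=Deleted Objects container
+
+This revealed a bug in our dirsync code, so we mark
+test_search_with_dirsync_deleted_objects as knownfail.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47)
+
+CVE: CVE-2018-14628
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/74a508b39e6fd5036a2adc99d559bd3852f8ce8d]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ source4/setup/provision.ldif | 1 +
+ source4/setup/provision_configuration.ldif | 1 +
+ source4/setup/provision_dnszones_add.ldif | 1 +
+ 3 files changed, 3 insertions(+)
+
+diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif
+index 5d9eba4..7f966fd 100644
+--- a/source4/setup/provision.ldif
++++ b/source4/setup/provision.ldif
+@@ -34,6 +34,7 @@ isDeleted: TRUE
+ isCriticalSystemObject: TRUE
+ showInAdvancedViewOnly: TRUE
+ systemFlags: -1946157056
++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
+
+ # Computers located in "provision_computers*.ldif"
+ # Users/Groups located in "provision_users*.ldif"
+diff --git a/source4/setup/provision_configuration.ldif b/source4/setup/provision_configuration.ldif
+index 53c9c85..8fcbddb 100644
+--- a/source4/setup/provision_configuration.ldif
++++ b/source4/setup/provision_configuration.ldif
+@@ -14,6 +14,7 @@ description: Container for deleted objects
+ isDeleted: TRUE
+ isCriticalSystemObject: TRUE
+ systemFlags: -1946157056
++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
+
+ # Extended rights
+
+diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif
+index 860aa4b..a2d6b6b 100644
+--- a/source4/setup/provision_dnszones_add.ldif
++++ b/source4/setup/provision_dnszones_add.ldif
+@@ -8,6 +8,7 @@ description: Deleted objects
+ isDeleted: TRUE
+ isCriticalSystemObject: TRUE
+ systemFlags: -1946157056
++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR}
+
+ dn: CN=LostAndFound,${ZONE_DN}
+ objectClass: top
+--
+2.40.0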
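--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0005.patch
@@ -0,0 +1,98 @@
+From 46a168c9a89e82ccaf8d27669d1ae5459f7becb9 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 29 Jan 2016 23:33:37 +0100
+Subject: [PATCH] CVE-2018-14628: python:provision: make
+ DELETEDOBJECTS_DESCRIPTOR available in the ldif files
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c)
+
+CVE: CVE-2018-14628
+
+Upstream-Status: Backport
+[https://github.com/samba-team/samba/commit/46a168c9a89e82ccaf8d27669d1ae5459f7becb9]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ python/samba/provision/__init__.py | 5 +++++
+ python/samba/provision/sambadns.py | 4 ++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
+index e8903ad..0c52cc1 100644
+--- a/python/samba/provision/__init__.py
++++ b/python/samba/provision/__init__.py
+@@ -79,6 +79,7 @@ from samba.provision.backend import (
+ LDBBackend,
+ )
+ from samba.descriptor import (
++ get_deletedobjects_descriptor,
+ get_empty_descriptor,
+ get_config_descriptor,
+ get_config_partitions_descriptor,
+@@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
+ msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD,
+ "subRefs")
+
++ deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8')
++
+ samdb.invocation_id = invocationid
+
+ # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it
+@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
+ "FOREST_FUNCTIONALITY": str(forestFunctionality),
+ "DOMAIN_FUNCTIONALITY": str(domainFunctionality),
+ "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr,
++ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
+ "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr,
+ "SERVICES_DESCRIPTOR": protected1_descr,
+ "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr,
+@@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid,
+ "RIDAVAILABLESTART": str(next_rid + 600),
+ "POLICYGUID_DC": policyguid_dc,
+ "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc,
++ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr,
+ "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc,
+ "SYSTEM_DESCRIPTOR": system_desc,
+ "BUILTIN_DESCRIPTOR": builtin_desc,
+diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py
+index 8a5d8a9..61beb16 100644
+--- a/python/samba/provision/sambadns.py
++++ b/python/samba/provision/sambadns.py
+@@ -41,6 +41,7 @@ from samba.dsdb import (
+ DS_DOMAIN_FUNCTION_2016
+ )
+ from samba.descriptor import (
++ get_deletedobjects_descriptor,
+ get_domain_descriptor,
+ get_domain_delete_protected1_descriptor,
+ get_domain_delete_protected2_descriptor,
+@@ -245,6 +246,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
+ domainzone_dn = "DC=DomainDnsZones,%s" % domaindn
+ forestzone_dn = "DC=ForestDnsZones,%s" % forestdn
+ descriptor = get_dns_partition_descriptor(domainsid)
++ deletedobjects_desc = get_deletedobjects_descriptor(domainsid)
+
+ setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), {
+ "ZONE_DN": domainzone_dn,
+@@ -268,6 +270,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
+ "ZONE_DNS": domainzone_dns,
+ "CONFIGDN": configdn,
+ "SERVERDN": serverdn,
++ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),
+ "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
+ "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
+ })
+@@ -288,6 +291,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn,
+ "ZONE_DNS": forestzone_dns,
+ "CONFIGDN": configdn,
+ "SERVERDN": serverdn,
++ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8')
+ "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'),
+ "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'),
+ })
+--
+2.40.0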
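Review bot: The second sambadns.py addition (patch line 93, `"DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8')`) has no trailing comma before the following `"LOSTANDFOUND_DESCRIPTOR"` entry, while the parallel addition at patch line 85 does; unless the comma was lost in rendering, the patched dict literal is a SyntaxError, so any import of samba.provision.sambadns (and hence the forest-zone provisioning it serves) fails once this backport is applied. The line should read `"DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'),`, matching the upstream commit this patch cites. A byte-compile of the patched python/samba tree in the recipe's build (for example `python3 -m py_compile`) would catch this class of backport slip before it ships. setup_dns_partitions starts and ends outside the hunk.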
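--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2018-14628-0006.patch
@@ -0,0 +1,51 @@
+From e884fc791e59bd6ebd41b4a2ab7c9d7dc45415f4 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 29 Jan 2016 23:30:59 +0100
+Subject: [PATCH] CVE-2018-14628: python:descriptor: add
+ get_deletedobjects_descriptor()
+
+samba-tool drs clone-dc-database was quite useful to find
+the true value of nTSecurityDescriptor of the CN=Delete Objects
+containers.
+
+Only the auto inherited SACL is available via a ldap search.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8)
+
+CVE: CVE-2018-14628
+
+Upstream-Status: Backport
+[https://github.com/samba-team/samba/commit/e884fc791e59bd6ebd41b4a2ab7c9d7dc45415f4]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ python/samba/descriptor.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py
+index 08cfab0..0141f38 100644
+--- a/python/samba/descriptor.py
++++ b/python/samba/descriptor.py
+@@ -52,6 +52,16 @@ def get_empty_descriptor(domain_sid, name_map={}):
+ # "get_schema_descriptor" is located in "schema.py"
+
+
++def get_deletedobjects_descriptor(domain_sid, name_map=None):
++ if name_map is None:
++ name_map = {}
++
++ sddl = "O:SYG:SYD:PAI" \
++ "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \
++ "(A;;RPLC;;;BA)"
++ return sddl2binary(sddl, domain_sid, name_map)
++
++
+ def get_config_descriptor(domain_sid, name_map={}):
+ sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+ "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \
+--
+2.40.0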
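Review bot: get_deletedobjects_descriptor() carries no docstring, and the SDDL it hard-codes is the actual access-control fix for this CVE, so a maintainer reading descriptor.py cannot tell from the code why these two ACEs are the intended set. A docstring along the lines of "Return the binary nTSecurityDescriptor for a CN=Deleted Objects container: owner and group SYSTEM, protected auto-inherited DACL granting SYSTEM the full property/child/control rights and Builtin Administrators only read-property and list-children, so other authenticated principals cannot enumerate tombstoned objects" would record that intent; the `name_map=None` default (unlike the `name_map={}` of the neighbouring helpers) is also worth a one-line comment noting it avoids a shared mutable default. Since this file is a verbatim upstream backport, the docstring is best proposed upstream rather than added to the patch here.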
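--- a/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.14.14.bb
@@ -52,6 +52,12 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
 file://CVE-2023-4091-0001.patch \
 file://CVE-2023-4091-0002.patch \
 file://CVE-2023-42669.patch \
+file://CVE-2018-14628-0001.patch \
+file://CVE-2018-14628-0002.patch \
+file://CVE-2018-14628-0003.patch \
+file://CVE-2018-14628-0004.patch \
+file://CVE-2018-14628-0005.patch \
+file://CVE-2018-14628-0006.patch \
 "
 
 SRC_URI:append:libc-musl = " \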