From 755fdfd22afea51a65037f07ee35d186ea4aa3ab Mon Sep 17 00:00:00 2001
From: xh
Date: Thu, 28 Dec 2023 16:45:03 +0800
Subject: [PATCH] fix CVE-2018-14628
(cherry picked from commit f06d993486c17be08385eb30f3f00f8f6e5e7ca1)
---
 backport-0001-CVE-2018-14628.patch | 49 ++++++++++
 backport-0002-CVE-2018-14628.patch | 96 +++++++++++++++++++
 backport-0003-CVE-2018-14628.patch | 72 ++++++++++++++
 backport-0004-CVE-2018-14628.patch | 105 ++++++++++++++++++++
 backport-0005-CVE-2018-14628.patch | 71 ++++++++++++++
 backport-0006-CVE-2018-14628.patch | 149 +++++++++++++++++++++++++++++
 samba.spec | 14 ++-
 7 files changed, 555 insertions(+), 1 deletion(-)
 create mode 100644 backport-0001-CVE-2018-14628.patch
 create mode 100644 backport-0002-CVE-2018-14628.patch
 create mode 100644 backport-0003-CVE-2018-14628.patch
 create mode 100644 backport-0004-CVE-2018-14628.patch
 create mode 100644 backport-0005-CVE-2018-14628.patch
 create mode 100644 backport-0006-CVE-2018-14628.patch
diff --git a/backport-0001-CVE-2018-14628.patch b/backport-0001-CVE-2018-14628.patch
new file mode 100644
index 0000000..51e7857
--- /dev/null
+++ b/backport-0001-CVE-2018-14628.patch
@@ -0,0 +1,49 @@ +From 890cf42b13b0debea20751a230dd45363523944a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 29 Jan 2016 23:30:59 +0100 +Subject: [PATCH 1/6] CVE-2018-14628: python:descriptor: add + get_deletedobjects_descriptor() + +samba-tool drs clone-dc-database was quite useful to find +the true value of nTSecurityDescriptor of the CN=Delete Objects +containers. + +Only the auto inherited SACL is available via a ldap search. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 3be190dcf7153e479383f7f3d29ddca43fe121b8) + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=18168 +[PATCH 1/6] CVE-2018-14628: python:descriptor: add + get_deletedobjects_descriptor() +--- + python/samba/descriptor.py | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py +index ac4c7e3273de..08c7518f56ab 100644 +--- a/python/samba/descriptor.py ++++ b/python/samba/descriptor.py +@@ -52,6 +52,16 @@ def get_empty_descriptor(domain_sid, name_map={}): + # "get_schema_descriptor" is located in "schema.py" + + ++def get_deletedobjects_descriptor(domain_sid, name_map=None): ++ if name_map is None: ++ name_map = {} ++ ++ sddl = "O:SYG:SYD:PAI" \ ++ "(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)" \ ++ "(A;;RPLC;;;BA)" ++ return sddl2binary(sddl, domain_sid, name_map) ++ ++ + def get_config_descriptor(domain_sid, name_map={}): + sddl = "O:EAG:EAD:(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ + "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)" \ +-- +2.34.1 diff --git a/backport-0002-CVE-2018-14628.patch b/backport-0002-CVE-2018-14628.patch new file mode 100644 index 0000000..acb0b2a --- /dev/null +++ b/backport-0002-CVE-2018-14628.patch 
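Review bot: `get_deletedobjects_descriptor()` is added without a docstring, yet its SDDL string is the security-relevant content of the whole series: owner and group SYSTEM (`O:SYG:SY`), a DACL flagged protected and auto-inherited (`D:PAI`, so nothing is inherited from the parent container), one ACE giving SYSTEM (`SY`) the broad read/write/create/delete/owner rights `RPWPCCDCLCRCWOWDSDSW`, and one ACE giving Builtin Administrators (`BA`) only read-property and list-children (`RPLC`); no other principal is granted anything. Suggested docstring for the new function: `"""Return the nTSecurityDescriptor for a CN=Deleted Objects container: owner/group SYSTEM, protected DACL (no inherited ACEs) with full control for SYSTEM and read/list for Administrators only."""`. The `name_map=None` default also differs from the neighbouring `get_empty_descriptor(domain_sid, name_map={})` and `get_config_descriptor(domain_sid, name_map={})`, which keep a shared mutable default; the new form is the correct one, and a short comment noting that the difference is intentional would keep a later cleanup from "aligning" it the wrong way.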
@@ -0,0 +1,96 @@ +From 2ee9129c6fe36cb0e363677dee43a2940aa81810 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 29 Jan 2016 23:33:37 +0100 +Subject: [PATCH 2/6] CVE-2018-14628: python:provision: make + DELETEDOBJECTS_DESCRIPTOR available in the ldif files + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 0c329a0fda37d87ed737e4b579b6d04ec907604c) + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=18168 +[PATCH 2/6] CVE-2018-14628: python:provision: make + DELETEDOBJECTS_DESCRIPTOR available in the ldif files +--- + python/samba/provision/__init__.py | 5 +++++ + python/samba/provision/sambadns.py | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py +index ff9b8fac916a..f7d7468e4faf 100644 +--- a/python/samba/provision/__init__.py ++++ b/python/samba/provision/__init__.py +@@ -78,6 +78,7 @@ from samba.provision.backend import ( + LDBBackend, + ) + from samba.descriptor import ( ++ get_deletedobjects_descriptor, + get_empty_descriptor, + get_config_descriptor, + get_config_partitions_descriptor, +@@ -1441,6 +1442,8 @@ def fill_samdb(samdb, lp, names, logger, policyguid, + msg["subRefs"] = ldb.MessageElement(names.configdn, ldb.FLAG_MOD_ADD, + "subRefs") + ++ deletedobjects_descr = b64encode(get_deletedobjects_descriptor(names.domainsid)).decode('utf8') ++ + samdb.invocation_id = invocationid + + # If we are setting up a subdomain, then this has been replicated in, so we don't need to add it +@@ -1472,6 +1475,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, + "FOREST_FUNCTIONALITY": str(forestFunctionality), + "DOMAIN_FUNCTIONALITY": str(domainFunctionality), + "NTDSQUOTAS_DESCRIPTOR": ntdsquotas_descr, ++ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, + "LOSTANDFOUND_DESCRIPTOR": protected1wd_descr, + "SERVICES_DESCRIPTOR": protected1_descr, 
+ "PHYSICALLOCATIONS_DESCRIPTOR": protected1wd_descr, +@@ -1536,6 +1540,7 @@ def fill_samdb(samdb, lp, names, logger, policyguid, + "RIDAVAILABLESTART": str(next_rid + 600), + "POLICYGUID_DC": policyguid_dc, + "INFRASTRUCTURE_DESCRIPTOR": infrastructure_desc, ++ "DELETEDOBJECTS_DESCRIPTOR": deletedobjects_descr, + "LOSTANDFOUND_DESCRIPTOR": lostandfound_desc, + "SYSTEM_DESCRIPTOR": system_desc, + "BUILTIN_DESCRIPTOR": builtin_desc, +diff --git a/python/samba/provision/sambadns.py b/python/samba/provision/sambadns.py +index 9184711a7645..d057b7830ada 100644 +--- a/python/samba/provision/sambadns.py ++++ b/python/samba/provision/sambadns.py +@@ -42,6 +42,7 @@ from samba.dsdb import ( + DS_GUID_USERS_CONTAINER + ) + from samba.descriptor import ( ++ get_deletedobjects_descriptor, + get_domain_descriptor, + get_domain_delete_protected1_descriptor, + get_domain_delete_protected2_descriptor, +@@ -256,6 +257,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, + domainzone_dn = "DC=DomainDnsZones,%s" % domaindn + forestzone_dn = "DC=ForestDnsZones,%s" % forestdn + descriptor = get_dns_partition_descriptor(domainsid) ++ deletedobjects_desc = get_deletedobjects_descriptor(domainsid) + + setup_add_ldif(samdb, setup_path("provision_dnszones_partitions.ldif"), { + "ZONE_DN": domainzone_dn, +@@ -278,6 +280,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, + "ZONE_DNS": domainzone_dns, + "CONFIGDN": configdn, + "SERVERDN": serverdn, ++ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'), + "LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), + "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), + }) +@@ -297,6 +300,7 @@ def setup_dns_partitions(samdb, domainsid, domaindn, forestdn, configdn, + "ZONE_DNS": forestzone_dns, + "CONFIGDN": configdn, + "SERVERDN": serverdn, ++ "DELETEDOBJECTS_DESCRIPTOR": b64encode(deletedobjects_desc).decode('utf8'), + 
"LOSTANDFOUND_DESCRIPTOR": b64encode(protected2_desc).decode('utf8'), + "INFRASTRUCTURE_DESCRIPTOR": b64encode(protected1_desc).decode('utf8'), + }) +-- +2.34.1 diff --git a/backport-0003-CVE-2018-14628.patch b/backport-0003-CVE-2018-14628.patch new file mode 100644 index 0000000..94948c8 --- /dev/null +++ b/backport-0003-CVE-2018-14628.patch 
@@ -0,0 +1,72 @@ +From 96d787c0a5182c24ea51591342b37eb041798afb Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 29 Jan 2016 23:34:15 +0100 +Subject: [PATCH 3/6] CVE-2018-14628: s4:setup: set the correct + nTSecurityDescriptor on the CN=Deleted Objects container + +This revealed a bug in our dirsync code, so we mark +test_search_with_dirsync_deleted_objects as knownfail. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 7f8b15faa76d05023c987fac2c4c31f9ac61bb47) + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=18168 +[PATCH 3/6] CVE-2018-14628: s4:setup: set the correct + nTSecurityDescriptor on the CN=Deleted Objects container +--- + selftest/knownfail.d/samba4.ldap.confidential_attr | 1 + + source4/setup/provision.ldif | 1 + + source4/setup/provision_configuration.ldif | 1 + + source4/setup/provision_dnszones_add.ldif | 1 + + 4 files changed, 4 insertions(+) + create mode 100644 selftest/knownfail.d/samba4.ldap.confidential_attr + +diff --git a/selftest/knownfail.d/samba4.ldap.confidential_attr b/selftest/knownfail.d/samba4.ldap.confidential_attr +new file mode 100644 +index 000000000000..46a75ce928b0 +--- /dev/null ++++ b/selftest/knownfail.d/samba4.ldap.confidential_attr +@@ -0,0 +1 @@ ++^samba4.ldap.confidential_attr.python.*.__main__.*.test_search_with_dirsync_deleted_objects +diff --git a/source4/setup/provision.ldif b/source4/setup/provision.ldif +index 5d9eba49f86f..7f966fd57f81 100644 +--- a/source4/setup/provision.ldif ++++ b/source4/setup/provision.ldif +@@ -34,6 +34,7 @@ isDeleted: TRUE + isCriticalSystemObject: TRUE + showInAdvancedViewOnly: TRUE + systemFlags: -1946157056 ++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} + + # Computers located in "provision_computers*.ldif" + # Users/Groups located in "provision_users*.ldif" +diff --git a/source4/setup/provision_configuration.ldif 
b/source4/setup/provision_configuration.ldif +index 53c9c8536de4..8fcbddbdae48 100644 +--- a/source4/setup/provision_configuration.ldif ++++ b/source4/setup/provision_configuration.ldif +@@ -14,6 +14,7 @@ description: Container for deleted objects + isDeleted: TRUE + isCriticalSystemObject: TRUE + systemFlags: -1946157056 ++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} + + # Extended rights + +diff --git a/source4/setup/provision_dnszones_add.ldif b/source4/setup/provision_dnszones_add.ldif +index 860aa4b72b30..a2d6b6bab8f2 100644 +--- a/source4/setup/provision_dnszones_add.ldif ++++ b/source4/setup/provision_dnszones_add.ldif +@@ -8,6 +8,7 @@ description: Deleted objects + isDeleted: TRUE + isCriticalSystemObject: TRUE + systemFlags: -1946157056 ++nTSecurityDescriptor:: ${DELETEDOBJECTS_DESCRIPTOR} + + dn: CN=LostAndFound,${ZONE_DN} + objectClass: top +-- +2.34.1 diff --git a/backport-0004-CVE-2018-14628.patch b/backport-0004-CVE-2018-14628.patch new file mode 100644 index 0000000..0ad8083 --- /dev/null +++ b/backport-0004-CVE-2018-14628.patch 
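Review bot: The knownfail entry for `test_search_with_dirsync_deleted_objects` added here is not removed by any later patch in this commit: the file lists of patches 4, 5 and 6 (`dirsync.c`; `dbchecker.py`; `dbchecker.py`, `descriptor.py`, selftest data, `dbcheck-links.sh`) never touch `selftest/knownfail.d/samba4.ldap.confidential_attr`, and patch 4's message says it only "makes the next change easier to understand", but no further `dirsync.c` change follows in this series. If the upstream dirsync follow-up was dropped from this backport, the dirsync bug this patch's message says the new descriptor "revealed" stays unfixed in the package while the test that would catch it is permanently marked as an expected failure; if it is carried elsewhere, the spec changelog should say so — I cannot tell from this commit which is the case. Either way the knownfail file deserves a one-line `#` comment naming what it waits on, e.g. `# dirsync mishandles deleted objects once CN=Deleted Objects carries its real SD; see BUG 13595`.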
@@ -0,0 +1,105 @@ +From a561ec6ebc3676a9f785ddd8d916e1e220a25e35 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 26 Jun 2023 15:14:24 +0200 +Subject: [PATCH 4/6] CVE-2018-14628: s4:dsdb: remove unused code in + dirsync_filter_entry() + +This makes the next change easier to understand. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 498542be0bbf4f26558573c1f87b77b8e3509371) + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=18168 +[PATCH 4/6] CVE-2018-14628: s4:dsdb: remove unused code in + dirsync_filter_entry() +--- + source4/dsdb/samdb/ldb_modules/dirsync.c | 53 +++--------------------- + 1 file changed, 5 insertions(+), 48 deletions(-) + +diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c +index fbb75790095b..124cff25e397 100644 +--- a/source4/dsdb/samdb/ldb_modules/dirsync.c ++++ b/source4/dsdb/samdb/ldb_modules/dirsync.c +@@ -151,10 +151,6 @@ static int dirsync_filter_entry(struct ldb_request *req, + * list only the attribute that have been modified since last interogation + * + */ +- newmsg = ldb_msg_new(dsc->req); +- if (newmsg == NULL) { +- return ldb_oom(ldb); +- } + for (i = msg->num_elements - 1; i >= 0; i--) { + if (ldb_attr_cmp(msg->elements[i].name, "uSNChanged") == 0) { + int error = 0; +@@ -201,11 +197,6 @@ static int dirsync_filter_entry(struct ldb_request *req, + */ + return LDB_SUCCESS; + } +- newmsg->dn = ldb_dn_new(newmsg, ldb, ""); +- if (newmsg->dn == NULL) { +- return ldb_oom(ldb); +- } +- + el = ldb_msg_find_element(msg, "objectGUID"); + if ( el != NULL) { + guidfound = true; +@@ -216,48 +207,14 @@ static int dirsync_filter_entry(struct ldb_request *req, + * well will uncomment the code bellow + */ + SMB_ASSERT(guidfound == true); +- /* +- if (guidfound == false) { +- struct GUID guid; +- struct ldb_val *new_val; +- DATA_BLOB guid_blob; +- +- tmp[0] = 
'\0'; +- txt = strrchr(txt, ':'); +- if (txt == NULL) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- txt++; +- +- status = GUID_from_string(txt, &guid); +- if (!NT_STATUS_IS_OK(status)) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- +- status = GUID_to_ndr_blob(&guid, msg, &guid_blob); +- if (!NT_STATUS_IS_OK(status)) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- +- new_val = talloc(msg, struct ldb_val); +- if (new_val == NULL) { +- return ldb_oom(ldb); +- } +- new_val->data = talloc_steal(new_val, guid_blob.data); +- new_val->length = guid_blob.length; +- if (ldb_msg_add_value(msg, "objectGUID", new_val, NULL) != 0) { +- return ldb_module_done(dsc->req, NULL, NULL, LDB_ERR_OPERATIONS_ERROR); +- } +- } +- */ +- ldb_msg_add(newmsg, el, LDB_FLAG_MOD_ADD); +- talloc_steal(newmsg->elements, el->name); +- talloc_steal(newmsg->elements, el->values); +- +- talloc_steal(newmsg->elements, msg); + return ldb_module_send_entry(dsc->req, msg, controls); + } + ++ newmsg = ldb_msg_new(dsc->req); ++ if (newmsg == NULL) { ++ return ldb_oom(ldb); ++ } ++ + ndr_err = ndr_pull_struct_blob(replMetaData, dsc, &rmd, + (ndr_pull_flags_fn_t)ndr_pull_replPropertyMetaDataBlob); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { +-- +2.34.1 diff --git a/backport-0005-CVE-2018-14628.patch b/backport-0005-CVE-2018-14628.patch new file mode 100644 index 0000000..a4b51f4 --- /dev/null +++ b/backport-0005-CVE-2018-14628.patch 
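Review bot: The comment kept as context above `SMB_ASSERT(guidfound == true);` still ends with "well will uncomment the code bellow", but the commented-out block it refers to is exactly what this hunk deletes, so the surviving text now points at nothing; replace that last line with something like `* objectGUID is mandatory here; an entry without one trips the assert below.`. The deleted `ldb_msg_add(newmsg, el, ...)` and `talloc_steal(newmsg->elements, ...)` lines populated a `newmsg` that was never sent (`ldb_module_send_entry` receives `msg`), so their only observable effect was re-parenting `msg` and the element storage under `newmsg->elements`; it is worth confirming, and stating in the commit message, that no caller relied on that talloc ownership, since "unused" is not quite the same as "no effect". `dirsync_filter_entry()` starts and ends outside the hunk.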
@@ -0,0 +1,71 @@ +From 83dbd0c922640bb1ac244d2855c00d6984625963 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 7 Jun 2023 18:18:58 +0200 +Subject: [PATCH 5/6] CVE-2018-14628: dbchecker: use + get_deletedobjects_descriptor for missing deleted objects container + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 70586061128f90afa33f25e104d4570a1cf778db) + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=18168 +[PATCH 5/6] CVE-2018-14628: dbchecker: use + get_deletedobjects_descriptor for missing deleted objects container +--- + python/samba/dbchecker.py | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py +index 449b0a7d985c..e124b1a0d671 100644 +--- a/python/samba/dbchecker.py ++++ b/python/samba/dbchecker.py +@@ -20,7 +20,7 @@ + import ldb + import samba + import time +-from base64 import b64decode ++from base64 import b64decode, b64encode + from samba import dsdb + from samba import common + from samba.dcerpc import misc +@@ -29,7 +29,11 @@ from samba.ndr import ndr_unpack, ndr_pack + from samba.dcerpc import drsblobs + from samba.samdb import dsdb_Dn + from samba.dcerpc import security +-from samba.descriptor import get_wellknown_sds, get_diff_sds ++from samba.descriptor import ( ++ get_wellknown_sds, ++ get_deletedobjects_descriptor, ++ get_diff_sds ++) + from samba.auth import system_session, admin_session + from samba.netcmd import CommandError + from samba.netcmd.fsmo import get_fsmo_roleowner +@@ -341,6 +345,12 @@ class dbcheck(object): + listwko.append('%s:%s' % (wko_prefix, dn)) + guid_suffix = "" + ++ ++ domain_sid = security.dom_sid(self.samdb.get_domain_sid()) ++ sec_desc = get_deletedobjects_descriptor(domain_sid, ++ name_map=self.name_map) ++ sec_desc_b64 = b64encode(sec_desc).decode('utf8') ++ + # Insert a brand new Deleted 
Objects container + self.samdb.add_ldif("""dn: %s + objectClass: top +@@ -349,7 +359,8 @@ description: Container for deleted objects + isDeleted: TRUE + isCriticalSystemObject: TRUE + showInAdvancedViewOnly: TRUE +-systemFlags: -1946157056%s""" % (dn, guid_suffix), ++nTSecurityDescriptor:: %s ++systemFlags: -1946157056%s""" % (dn, sec_desc_b64, guid_suffix), + controls=["relax:0", "provision:0"]) + + delta = ldb.Message() +-- +2.34.1 diff --git a/backport-0006-CVE-2018-14628.patch b/backport-0006-CVE-2018-14628.patch new file mode 100644 index 0000000..3ce66fa --- /dev/null +++ b/backport-0006-CVE-2018-14628.patch 
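Review bot: The new `nTSecurityDescriptor:: %s` line is the point of this hunk but carries no explanation of why the re-created container can no longer rely on the descriptor it would otherwise get; a comment above `domain_sid = security.dom_sid(...)` such as `# Give the container the restrictive Deleted Objects SD (SYSTEM full control, Administrators read/list only) rather than an inherited one; see CVE-2018-14628` tells the next reader the tight ACL is deliberate. `self.name_map` is read here without a visible definition — presumably initialised in `dbcheck.__init__`, but that is outside the hunk, so confirm the attribute exists on this 4.17 branch ("Conflict: NA" only says the patch applied). The enclosing method begins and ends outside the hunk.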
@@ -0,0 +1,149 @@ +From c0c380a017eb465b41105d1ea84da92c8edfe8e3 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 29 Jan 2016 23:35:31 +0100 +Subject: [PATCH 6/6] CVE-2018-14628: python:descriptor: let samba-tool dbcheck + fix the nTSecurityDescriptor on CN=Deleted Objects containers + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=13595 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 97e4aab1a6e2feda7c6c6fdeaa7c3e1818c55566) + +Conflict: remove selftest file +source4/selftest/provisions/release-4-5-0-pre1/rootdse-version.final.txt +source4/selftest/provisions/release-4-5-0-pre1/expected-links-after-dbcheck.ldif +source4/selftest/provisions/release-4-5-0-pre1/expected-dbcheck-link-output-missing-link-sid-corruption.txt +Reference: https://attachments.samba.org/attachment.cgi?id=18168 +[PATCH 6/6] CVE-2018-14628: python:descriptor: let samba-tool dbcheck + fix the nTSecurityDescriptor on CN=Deleted Objects containers +--- + python/samba/dbchecker.py | 10 ++++++++-- + python/samba/descriptor.py | 15 ++++++++++++++- + ...ck-link-output-missing-link-sid-corruption.txt | 8 ++++---- + .../expected-links-after-dbcheck.ldif | 2 +- + .../release-4-5-0-pre1/rootdse-version.final.txt | 2 +- + testprogs/blackbox/dbcheck-links.sh | 12 ++++++++++++ + 6 files changed, 40 insertions(+), 9 deletions(-) + +diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py +index e124b1a0d671..28d99c01d044 100644 +--- a/python/samba/dbchecker.py ++++ b/python/samba/dbchecker.py +@@ -2444,7 +2444,7 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) + error_count += 1 + continue + +- if self.reset_well_known_acls: ++ if dn == deleted_objects_dn or self.reset_well_known_acls: + try: + well_known_sd = self.get_wellknown_sd(dn) + except KeyError: +@@ -2453,7 +2453,13 @@ newSuperior: %s""" % (str(from_dn), str(to_rdn), str(to_base))) + current_sd = ndr_unpack(security.descriptor, + obj[attrname][0]) + +- diff = 
get_diff_sds(well_known_sd, current_sd, security.dom_sid(self.samdb.get_domain_sid())) ++ ignoreAdditionalACEs = False ++ if not self.reset_well_known_acls: ++ ignoreAdditionalACEs = True ++ ++ diff = get_diff_sds(well_known_sd, current_sd, ++ security.dom_sid(self.samdb.get_domain_sid()), ++ ignoreAdditionalACEs=ignoreAdditionalACEs) + if diff != "": + self.err_wrong_default_sd(dn, well_known_sd, diff) + error_count += 1 +diff --git a/python/samba/descriptor.py b/python/samba/descriptor.py +index 08c7518f56ab..34877fa4814a 100644 +--- a/python/samba/descriptor.py ++++ b/python/samba/descriptor.py +@@ -417,6 +417,7 @@ def get_wellknown_sds(samdb): + # Then subcontainers + subcontainers = [ + (ldb.Dn(samdb, "%s" % str(samdb.domain_dn())), get_domain_descriptor), ++ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.domain_dn())), get_deletedobjects_descriptor), + (ldb.Dn(samdb, "CN=LostAndFound,%s" % str(samdb.domain_dn())), get_domain_delete_protected2_descriptor), + (ldb.Dn(samdb, "CN=System,%s" % str(samdb.domain_dn())), get_domain_delete_protected1_descriptor), + (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(samdb.domain_dn())), get_domain_infrastructure_descriptor), +@@ -427,6 +428,7 @@ def get_wellknown_sds(samdb): + (ldb.Dn(samdb, "CN=MicrosoftDNS,CN=System,%s" % str(samdb.domain_dn())), get_dns_domain_microsoft_dns_descriptor), + + (ldb.Dn(samdb, "%s" % str(samdb.get_config_basedn())), get_config_descriptor), ++ (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(samdb.get_config_basedn())), get_deletedobjects_descriptor), + (ldb.Dn(samdb, "CN=NTDS Quotas,%s" % str(samdb.get_config_basedn())), get_config_ntds_quotas_descriptor), + (ldb.Dn(samdb, "CN=LostAndFoundConfig,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1wd_descriptor), + (ldb.Dn(samdb, "CN=Services,%s" % str(samdb.get_config_basedn())), get_config_delete_protected1_descriptor), +@@ -451,6 +453,9 @@ def get_wellknown_sds(samdb): + if ldb.Dn(samdb, nc.decode('utf8')) == dnsforestdn: + c = 
(ldb.Dn(samdb, "%s" % str(dnsforestdn)), get_dns_partition_descriptor) + subcontainers.append(c) ++ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsforestdn)), ++ get_deletedobjects_descriptor) ++ subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsforestdn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) +@@ -466,6 +471,9 @@ def get_wellknown_sds(samdb): + if ldb.Dn(samdb, nc.decode('utf8')) == dnsdomaindn: + c = (ldb.Dn(samdb, "%s" % str(dnsdomaindn)), get_dns_partition_descriptor) + subcontainers.append(c) ++ c = (ldb.Dn(samdb, "CN=Deleted Objects,%s" % str(dnsdomaindn)), ++ get_deletedobjects_descriptor) ++ subcontainers.append(c) + c = (ldb.Dn(samdb, "CN=Infrastructure,%s" % str(dnsdomaindn)), + get_domain_delete_protected1_descriptor) + subcontainers.append(c) +@@ -558,7 +566,8 @@ def get_clean_sd(sd): + return sd_clean + + +-def get_diff_sds(refsd, cursd, domainsid, checkSacl=True): ++def get_diff_sds(refsd, cursd, domainsid, checkSacl=True, ++ ignoreAdditionalACEs=False): + """Get the difference between 2 sd + + This function split the textual representation of ACL into smaller +@@ -613,6 +622,10 @@ def get_diff_sds(refsd, cursd, domainsid, checkSacl=True): + h_ref.remove(k) + + if len(h_cur) + len(h_ref) > 0: ++ if txt == "" and len(h_ref) == 0: ++ if ignoreAdditionalACEs: ++ return "" ++ + txt = "%s\tPart %s is different between reference" \ + " and current here is the detail:\n" % (txt, part) + +diff --git a/testprogs/blackbox/dbcheck-links.sh b/testprogs/blackbox/dbcheck-links.sh +index 29fb5b85abcc..a91ed00fb0f7 100755 +--- a/testprogs/blackbox/dbcheck-links.sh ++++ b/testprogs/blackbox/dbcheck-links.sh +@@ -59,6 +59,16 @@ dbcheck() + fi + } + ++dbcheck_acl_reset() ++{ ++ $PYTHON $BINDIR/samba-tool dbcheck -H tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --fix --yes --attrs=nTSecurityDescriptor ++} ++ ++dbcheck_acl_clean() ++{ ++ $PYTHON $BINDIR/samba-tool dbcheck -H 
tdb://$PREFIX_ABS/${RELEASE}/private/sam.ldb --cross-ncs --attrs=nTSecurityDescriptor ++} ++ + dbcheck_dangling() + { + dbcheck "" "1" "--selftest-check-expired-tombstones" +@@ -925,6 +935,8 @@ EOF + remove_directory $PREFIX_ABS/${RELEASE} + + testit $RELEASE undump || failed=$(expr $failed + 1) ++testit_expect_failure "dbcheck_acl_reset" dbcheck_acl_reset || failed=$(expr $failed + 1) ++testit "dbcheck_acl_clean" dbcheck_acl_clean || failed=$(expr $failed + 1) + testit "add_two_more_users" add_two_more_users || failed=$(expr $failed + 1) + testit "add_four_more_links" add_four_more_links || failed=$(expr $failed + 1) + testit "remove_one_link" remove_one_link || failed=$(expr $failed + 1) +-- +2.34.1 diff --git a/samba.spec b/samba.spec index 73b6a34..39d4867 100644 --- a/samba.spec +++ b/samba.spec @@ -48,7 +48,7 @@ Name: samba Version: 4.17.5 -Release: 9 +Release: 10 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ @@ -158,6 +158,12 @@ Patch0089: backport-0001-CVE-2023-42669.patch Patch0090: backport-0002-CVE-2023-42669.patch Patch0091: backport-0001-CVE-2023-42670.patch Patch0092: backport-0002-CVE-2023-42670.patch +Patch0093: backport-0001-CVE-2018-14628.patch +Patch0094: backport-0002-CVE-2018-14628.patch +Patch0095: backport-0003-CVE-2018-14628.patch +Patch0096: backport-0004-CVE-2018-14628.patch +Patch0097: backport-0005-CVE-2018-14628.patch +Patch0098: backport-0006-CVE-2018-14628.patch BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel @@ -3609,6 +3615,12 @@ fi %endif %changelog +* Thu Dec 28 2023 xinghe - 4.17.5-10 +- Type:cves +- ID:CVE-2018-14628 +- SUG:NA +- DESC:fix CVE-2018-14628 + * Thu Oct 12 2023 xinghe - 4.17.5-9 - Type:cves - ID:CVE-2023-3961 CVE-2023-4091 CVE-2023-4154 CVE-2023-42669 CVE-2023-42670 -- Gitee
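Review bot: In `get_diff_sds()` the new `return ""` sits inside the comparison of a single `part`, so with `ignoreAdditionalACEs=True` the function stops at the first part whose only difference is extra ACEs on the current side and never compares the parts that follow (if, as the `part` in the surrounding message suggests, this is a loop over owner/group/DACL/SACL); a current SD whose DACL merely adds ACEs but whose SACL lacks reference entries would then be reported as clean for CN=Deleted Objects. Replacing `return ""` with `continue` keeps the intent — extra ACEs alone are not a difference — while still checking the remaining parts. Even with that fix, the `dn == deleted_objects_dn` path in `dbchecker.py` only verifies that the reference ACEs are present, not that no wider grant was added on top, so a comment next to `ignoreAdditionalACEs = False` should say that `--reset-well-known-acls` is the run that actually enforces the descriptor. The `get_diff_sds()` docstring, whose opening lines are in the hunk, is not extended for the new keyword; `:param ignoreAdditionalACEs: when True, ACEs present only in the current descriptor are not reported as a difference` belongs there. Finally, the three-line `ignoreAdditionalACEs = False` / `if not self.reset_well_known_acls:` / `ignoreAdditionalACEs = True` reduces to `ignoreAdditionalACEs = not self.reset_well_known_acls`.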