samba/CVE-2018-1057-5.patch

From 0b6edfbb059e4e823f4c8052af1c702fabcecc0c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Thu, 15 Feb 2018 17:38:31 +0100
Subject: [PATCH 05/13] CVE-2018-1057: s4:dsdb/acl: remove unused else branches
 in acl_check_password_rights()

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
===================================================================
--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:50.613358156 +0100
+++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:46:50.609358122 +0100
@@ -991,14 +991,24 @@ static int acl_check_password_rights(TAL
 					       sid);
 		goto checked;
 	}
-	else if (rep_attr_cnt > 0 || (add_attr_cnt != del_attr_cnt)) {
+
+	if (rep_attr_cnt > 0) {
 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
 					       GUID_DRS_FORCE_CHANGE_PASSWORD,
 					       SEC_ADS_CONTROL_ACCESS,
 					       sid);
 		goto checked;
 	}
-	else if (add_attr_cnt == 1 && del_attr_cnt == 1) {
+
+	if (add_attr_cnt != del_attr_cnt) {
+		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
+					       GUID_DRS_FORCE_CHANGE_PASSWORD,
+					       SEC_ADS_CONTROL_ACCESS,
+					       sid);
+		goto checked;
+	}
+
+	if (add_attr_cnt == 1 && del_attr_cnt == 1) {
 		ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),
 					       GUID_DRS_USER_CHANGE_PASSWORD,
 					       SEC_ADS_CONTROL_ACCESS,
Add patches to fix CVE-2018-1050 and CVE-2018-1057 2018-03-14 20:04:05 +10:00			`From 0b6edfbb059e4e823f4c8052af1c702fabcecc0c Mon Sep 17 00:00:00 2001`
			`From: Ralph Boehme <slow@samba.org>`
			`Date: Thu, 15 Feb 2018 17:38:31 +0100`
			`Subject: [PATCH 05/13] CVE-2018-1057: s4:dsdb/acl: remove unused else branches`
			`in acl_check_password_rights()`

			`Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272`

			`Signed-off-by: Ralph Boehme <slow@samba.org>`
			`Reviewed-by: Stefan Metzmacher <metze@samba.org>`
			`---`
			`source4/dsdb/samdb/ldb_modules/acl.c \| 14 ++++++++++++--`
			`1 file changed, 12 insertions(+), 2 deletions(-)`

			`Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c`
			`===================================================================`
			`--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c 2018-03-06 16:46:50.613358156 +0100`
			`+++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c 2018-03-06 16:46:50.609358122 +0100`
			`@@ -991,14 +991,24 @@ static int acl_check_password_rights(TAL`
			`sid);`
			`goto checked;`
			`}`
			`- else if (rep_attr_cnt > 0 \|\| (add_attr_cnt != del_attr_cnt)) {`
			`+`
			`+ if (rep_attr_cnt > 0) {`
			`ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),`
			`GUID_DRS_FORCE_CHANGE_PASSWORD,`
			`SEC_ADS_CONTROL_ACCESS,`
			`sid);`
			`goto checked;`
			`}`
			`- else if (add_attr_cnt == 1 && del_attr_cnt == 1) {`
			`+`
			`+ if (add_attr_cnt != del_attr_cnt) {`
			`+ ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),`
			`+ GUID_DRS_FORCE_CHANGE_PASSWORD,`
			`+ SEC_ADS_CONTROL_ACCESS,`
			`+ sid);`
			`+ goto checked;`
			`+ }`
			`+`
			`+ if (add_attr_cnt == 1 && del_attr_cnt == 1) {`
			`ret = acl_check_extended_right(tmp_ctx, sd, acl_user_token(module),`
			`GUID_DRS_USER_CHANGE_PASSWORD,`
			`SEC_ADS_CONTROL_ACCESS,`