samba/CVE-2018-1057-10.patch

From 727679a6dd1e98d5d5f2732c84bf7a9bc476ce9c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Wed, 14 Feb 2018 19:15:49 +0100
Subject: [PATCH 10/13] CVE-2018-1057: s4:dsdb/acl: run password checking only
 once

This is needed, because a later commit will let the acl module add a
control to the change request msg and we must ensure that this is only
done once.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---
 source4/dsdb/samdb/ldb_modules/acl.c | 5 +++++
 1 file changed, 5 insertions(+)

Index: samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c
===================================================================
--- samba-4.3.11+dfsg.orig/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:20.877609132 +0100
+++ samba-4.3.11+dfsg/source4/dsdb/samdb/ldb_modules/acl.c	2018-03-06 16:47:20.873609099 +0100
@@ -1097,6 +1097,7 @@ static int acl_modify(struct ldb_module
 	struct ldb_control *as_system;
 	struct ldb_control *is_undelete;
 	bool userPassword;
+	bool password_rights_checked = false;
 	TALLOC_CTX *tmp_ctx;
 	const struct ldb_message *msg = req->op.mod.message;
 	static const char *acl_attrs[] = {
@@ -1242,6 +1243,9 @@ static int acl_modify(struct ldb_module
 		} else if (ldb_attr_cmp("unicodePwd", el->name) == 0 ||
 			   (userPassword && ldb_attr_cmp("userPassword", el->name) == 0) ||
 			   ldb_attr_cmp("clearTextPassword", el->name) == 0) {
+			if (password_rights_checked) {
+				continue;
+			}
 			ret = acl_check_password_rights(tmp_ctx,
 							module,
 							req,
@@ -1252,6 +1256,7 @@ static int acl_modify(struct ldb_module
 			if (ret != LDB_SUCCESS) {
 				goto fail;
 			}
+			password_rights_checked = true;
 		} else if (ldb_attr_cmp("servicePrincipalName", el->name) == 0) {
 			ret = acl_check_spn(tmp_ctx,
 					    module,