File _service:tar_scm_kernel_repo:backport-0040-CVE-2022-2031-CVE-2022-32744.patch of Package samba
From 531e7b596d35785bee61f3b4289e38ece1530f94 Mon Sep 17 00:00:00 2001 From: Joseph Sutton <josephsutton@catalyst.net.nz> Date: Tue, 24 May 2022 17:53:49 +1200 Subject: [PATCH 85/99] CVE-2022-2031 s4:kdc: Limit kpasswd ticket lifetime to two minutes or less This matches the behaviour of Windows. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> [jsutton@samba.org Adapted entry to entry_ex->entry; included samba_kdc.h header file] [jsutton@samba.org Fixed conflicts] Conflict: remove selftest/knownfail_heimdal_kdc selftest/knownfail_mit_kdc --- source4/kdc/db-glue.c | 5 +++++ source4/kdc/mit-kdb/kdb_samba_principals.c | 2 +- source4/kdc/samba_kdc.h | 2 ++ 5 files changed, 8 insertions(+), 3 deletions(-) diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index d2d7136608e..073ec83c8cf 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1226,6 +1226,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context, kdc_db_ctx->policy.usr_tkt_lifetime); } + if (entry_ex->entry.flags.change_pw) { + /* Limit lifetime of kpasswd tickets to two minutes or less. */ + *entry_ex->entry.max_life = MIN(*entry_ex->entry.max_life, CHANGEPW_LIFETIME); + } + entry_ex->entry.max_renew = malloc(sizeof(*entry_ex->entry.max_life)); if (entry_ex->entry.max_renew == NULL) { ret = ENOMEM; diff --git a/source4/kdc/mit-kdb/kdb_samba_principals.c b/source4/kdc/mit-kdb/kdb_samba_principals.c index cc67c2392be..2059ffa855e 100644 --- a/source4/kdc/mit-kdb/kdb_samba_principals.c +++ b/source4/kdc/mit-kdb/kdb_samba_principals.c @@ -27,11 +27,11 @@ #include <profile.h> #include <kdb.h> +#include "kdc/samba_kdc.h" #include "kdc/mit_samba.h" #include "kdb_samba.h" #define ADMIN_LIFETIME 60*60*3 /* 3 hours */ -#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */ krb5_error_code ks_get_principal(krb5_context context, krb5_const_principal principal, 
diff --git a/source4/kdc/samba_kdc.h b/source4/kdc/samba_kdc.h index e228a82ce6a..8010d7c35ed 100644 --- a/source4/kdc/samba_kdc.h +++ b/source4/kdc/samba_kdc.h @@ -62,4 +62,6 @@ struct samba_kdc_entry { extern struct hdb_method hdb_samba4_interface; +#define CHANGEPW_LIFETIME 60*2 /* 2 minutes */ + #endif /* _SAMBA_KDC_H_ */ -- 2.25.1
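Review bot: In the source4/kdc/db-glue.c hunk, the added `*entry_ex->entry.max_life = MIN(*entry_ex->entry.max_life, CHANGEPW_LIFETIME);` dereferences max_life, and nothing in the visible context shows where it is allocated or checked. The commit message says this backport adapted the field access to `entry_ex->entry`, so please confirm that max_life is non-NULL on every path that reaches this line in the target tree, or guard the clamp with a NULL check in the same way the following `max_renew` allocation is checked.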
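Review bot: In the source4/kdc/mit-kdb/kdb_samba_principals.c hunk, removing the local `#define CHANGEPW_LIFETIME 60*5 /* 5 minutes */` and including "kdc/samba_kdc.h" changes the value this file uses from 5 minutes to 2 minutes, but the line that consumes CHANGEPW_LIFETIME is outside the hunk, so the behaviour change on the MIT KDB side is implicit. The subject line covers it in general terms; a sentence in the commit message stating that the MIT path is reduced as well would make this easier to audit when comparing backports.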
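Review bot: In the source4/kdc/samba_kdc.h hunk, `#define CHANGEPW_LIFETIME 60*2` is an unparenthesised expression that now lives in a shared header. Its only use visible in this patch is as an argument to MIN(), which is safe only if MIN parenthesises its arguments, and any later use next to a higher-precedence operator (for example a division or a modulo) would evaluate incorrectly. Suggest `#define CHANGEPW_LIFETIME (60*2) /* 2 minutes */`.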