| commit | 43863fcae7751a5646e4d388cbcb0d4758151ca4 | |
| author | Ralph Boehme <slow@samba.org> | |
| Thu, 22 Feb 2018 09:54:37 +0000 (22 10:54 +0100) | ||
| committer | Karolin Seeger <kseeger@samba.org> | |
| Tue, 13 Mar 2018 09:28:56 +0000 (13 10:28 +0100) | ||
| tree | 1d7751bf3aabd1b8ee32868d4bd838b54ef0cfa5 | treesnapshot (tar.gz zip) |
| parent | 0c2ef5f78d3fdf86a3df22293406cdc93c3cc1a9 | commitdiff |
CVE-2018-1057: s4/dsdb: correctly detect password resets
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
| selftest/knownfail.d/samba4.ldap.passwords.python | [deleted file] | blobblamehistory |
| source4/dsdb/samdb/ldb_modules/acl.c | diffblobblamehistory |