| commit | 4e30547371cf9e38cd7a219dd43c9bc5c7a2a7fb | |
| author | Ralph Boehme <slow@samba.org> | |
| Thu, 22 Feb 2018 09:54:37 +0000 (22 10:54 +0100) | ||
| committer | Stefan Metzmacher <metze@samba.org> | |
| Tue, 13 Mar 2018 09:23:10 +0000 (13 10:23 +0100) | ||
| tree | 1fad303ab7f600af8fc5419834520b83644ea021 | treesnapshot (tar.gz zip) |
| parent | bd3960888e1f8ef89b35e2075fc17a6ae525cb9e | commitdiff |
CVE-2018-1057: s4/dsdb: correctly detect password resets
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This change ensures we correctly treat the following LDIF
dn: cn=testuser,cn=users,...
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.
For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
| selftest/knownfail.d/samba4.ldap.passwords.python | [deleted file] | blobblamehistory |
| source4/dsdb/samdb/ldb_modules/acl.c | diffblobblamehistory |