CVE-2018-1057: s4/dsdb: correctly detect password resets
author    Ralph Boehme <slow@samba.org>
          Thu, 22 Feb 2018 09:54:37 +0000 (10:54 +0100)
committer Stefan Metzmacher <metze@samba.org>
          Tue, 13 Mar 2018 09:24:27 +0000 (10:24 +0100)
commit    3e6621fe58014f19477633b1c0b54288550f0e87
tree      3f72e9a2a960ead8c169d4605c72215395da7b5b
parent    9dd7dd9ebba8d449feea66695fab3cbbb22d00e8
CVE-2018-1057: s4/dsdb: correctly detect password resets

This change ensures we correctly treat the following LDIF

  dn: cn=testuser,cn=users,...
  changetype: modify
  delete: userPassword
  add: userPassword
  userPassword: thatsAcomplPASS1

as a password reset. Because delete and add element counts are both
one, the ACL module wrongly treated this as a password change
request.

For a password change we need at least one value to delete and one value
to add. This patch ensures we correctly check attributes and their
values.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
selftest/knownfail.d/samba4.ldap.passwords.python [deleted file]
source4/dsdb/samdb/ldb_modules/acl.c
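The following is an added illustration, not code from Samba or from this commit. It models the distinction the commit message draws: a modify of userPassword is a password change only when there is at least one value to delete and at least one value to add; a delete element with no values followed by an add is a reset, which the ACL module must authorise differently. The module counts values in the delete and add elements of the modify, and places that rule beside the element-count heuristic the message describes as wrong. The LDIF parser, the ModElement type, the example DN and the password strings are all assumptions made for this example; the first LDIF record mirrors the one in the commit message.

```python
# Added example (not Samba's code): reset-vs-change classification of an LDAP
# modify on a password attribute, by counting values rather than elements.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ModElement:
    """One modification element of an LDIF 'changetype: modify' record."""
    op: str                                   # "add", "delete" or "replace"
    attr: str
    values: List[str] = field(default_factory=list)


def parse_ldif_modify(text: str) -> List[ModElement]:
    """Minimal LDIF modify parser (assumption: plain, non-base64 values and a
    single record). 'op: attr' opens an element, 'attr: value' lines add values
    to it, and a bare '-' closes it. The '-' is optional so that the separator-
    free form used in the commit message also parses."""
    elements: List[ModElement] = []
    current: Optional[ModElement] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "-":
            if current is not None:
                elements.append(current)
                current = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        key, value = key.strip(), value.strip()
        if key in ("dn", "changetype"):
            continue
        if key in ("add", "delete", "replace"):
            if current is not None:
                elements.append(current)
            current = ModElement(op=key, attr=value)
        elif current is not None and key.lower() == current.attr.lower():
            current.values.append(value)
        else:
            raise ValueError(f"value for unexpected attribute: {raw!r}")
    if current is not None:
        elements.append(current)
    return elements


def _count(elements: List[ModElement], op: str, attr: str) -> Tuple[int, int]:
    """(number of elements, total number of values) for op on attr."""
    hits = [e for e in elements if e.op == op and e.attr.lower() == attr.lower()]
    return len(hits), sum(len(e.values) for e in hits)


def classify_by_element_count(elements: List[ModElement], attr: str = "userPassword") -> str:
    """The heuristic the commit message describes as wrong: one delete element
    plus one add element for the attribute is taken as a password change, even
    when the delete element carries no value."""
    n_del, _ = _count(elements, "delete", attr)
    n_add, _ = _count(elements, "add", attr)
    return "change" if n_del == 1 and n_add == 1 else "reset"


def classify_by_values(elements: List[ModElement], attr: str = "userPassword") -> str:
    """The corrected rule from the commit message: a change needs at least one
    value to delete and at least one value to add; anything else is a reset."""
    _, v_del = _count(elements, "delete", attr)
    _, v_add = _count(elements, "add", attr)
    return "change" if v_del >= 1 and v_add >= 1 else "reset"


# Constructed inputs. RESET_LDIF mirrors the record from the commit message;
# CHANGE_LDIF is a genuine change that supplies the old value to delete.
RESET_LDIF = """\
dn: cn=testuser,cn=users,dc=example,dc=com
changetype: modify
delete: userPassword
add: userPassword
userPassword: thatsAcomplPASS1
"""

CHANGE_LDIF = """\
dn: cn=testuser,cn=users,dc=example,dc=com
changetype: modify
delete: userPassword
userPassword: thatsAcomplPASS0
-
add: userPassword
userPassword: thatsAcomplPASS1
-
"""


def compare(ldif: str) -> Tuple[str, str]:
    """Return (element-count rule, value rule) classifications for one record."""
    elements = parse_ldif_modify(ldif)
    return classify_by_element_count(elements), classify_by_values(elements)


if __name__ == "__main__":
    for name, ldif in (("commit's LDIF", RESET_LDIF), ("real change", CHANGE_LDIF)):
        old, new = compare(ldif)
        print(f"{name}: element-count rule -> {old}, value rule -> {new}")
```

Running it shows the commit's LDIF classified as a change by the element-count rule and as a reset by the value rule, while a record that deletes an old value and adds a new one is a change under both; a `replace` of the attribute, which carries no delete element at all, is a reset under both.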