git.ipfire.org Git - thirdparty/samba.git/commit

author	Andrew Bartlett <abartlet@samba.org>
	Tue, 19 Oct 2021 22:36:58 +0000 (11:36 +1300)
committer	Jule Anger <janger@samba.org>
	Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
commit	8513fe9e30a65060fc8908f42756e44550176d7f
tree	f56917c7aaeeb5e1f5f57aea8e1274844172bebc	tree
parent	c59f5762ead77bcf9add3994a88a6d2b8e383869	commit \| diff

CVE-2020-25722 Ensure the structural objectclass cannot be changed

If the structural objectclass is allowed to change, then the restrictions
locking an object to remaining a user or computer will not be enforcable.

Likewise other LDAP inheritance rules, which allow only certain
child objects can be bypassed, which can in turn allow creation of
(unprivileged) users where only DNS objects were expected.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14889

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

selftest/knownfail.d/ldap		diff \| blob \| blame \| history
selftest/knownfail.d/modify-order		diff \| blob \| blame \| history
selftest/knownfail.d/uac_mod_lock	[deleted file]	blob \| blame \| history
selftest/knownfail.d/uac_objectclass_restrict		diff \| blob \| blame \| history
source4/dsdb/samdb/ldb_modules/objectclass.c		diff \| blob \| blame \| history