All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <asparmar@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [meta-oe][scarthgap][PATCH 1/2] samba: Fix CVE-2026-3012
Date: Tue, 07 Jul 2026 16:44:22 +0200	[thread overview]
Message-ID: <DJSF3WZIJUES.2JA0ACEULJYDN@smile.fr> (raw)
In-Reply-To: <20260707054105.2419361-1-asparmar@cisco.com>

On Tue Jul 7, 2026 at 7:41 AM CEST, Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Ashishkumar Parmar <asparmar@cisco.com>
>
> This patch applies the upstream Samba security backport for
> CVE-2026-3012. The upstream security bundle is referenced in [1],
> and the public CVE advisory is referenced in [2]. The individual
> backported commit links are recorded in the embedded patch headers.
>
> [1] https://www.samba.org/samba/ftp/patches/security/samba-4.22.9-security-2026-05-25.patch
> [2] https://www.samba.org/samba/security/CVE-2026-3012.html
>
> Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>

Hello,

Wrong list, you want to send this to openembedded-devel@lists.openembedded.org.

Regards,

> ---
>  .../samba/samba/CVE-2026-3012_p1.patch        | 131 ++++++++++++++++++
>  .../samba/samba/CVE-2026-3012_p2.patch        |  51 +++++++
>  .../samba/samba_4.19.9.bb                     |   2 +
>  3 files changed, 184 insertions(+)
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
>
> diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> new file mode 100644
> index 0000000000..ce54b2916f
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> @@ -0,0 +1,131 @@
> +From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Date: Mon, 23 Feb 2026 11:01:57 +1300
> +Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http
> +
> +In the case where a certificate was found via HTTP, it was trusted
> +without verification and put in the global CA store.
> +
> +There is no means to check the certificate other than by comparing it
> +to certificates we may have gathered via LDAP, but in that case there
> +is no advantage over just using the LDAP-derived certificates.
> +
> +Using the LDAP certificates was already the fallback case if HTTP
> +failed, so we just make it the default.
> +
> +The HTTP fetch depends on the NDES service, which is a variant of
> +Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
> +Samba implements none of that protocol other than the HTTP fetch. SCEP
> +is for clients that are not true domain members. Domain members can
> +access to certificates over LDAP. This patch is not reducing SCEP
> +client support because Samba never had it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +Reported-by: Arad Inbar, DREAM Security Research Team
> +Reported-by: Nir Somech, DREAM Security Research Team
> +Reported-by: Ben Grinberg, DREAM Security Research Team
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b]
> +
> +Backport Changes:
> +- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to
> +  Samba 4.19.9 context.
> +- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto
> +  recipe does not run upstream Samba selftest.
> +
> +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
> +(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b)
> +Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
> +---
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index df3b472..31de4b1 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -16,7 +16,6 @@
> +
> + import os
> + import operator
> +-import requests
> + from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
> + from samba import Ldb
> + from ldb import SCOPE_SUBTREE, SCOPE_BASE
> +@@ -200,56 +199,24 @@ def get_supported_templates(server):
> +     return out.strip().split()
> +
> +
> +-def getca(ca, url, trust_dir):
> +-    """Fetch Certificate Chain from the CA."""
> ++def getca(ca, trust_dir):
> ++    """Fetch a certificate from LDAP."""
> +     root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
> +     root_certs = []
> +
> +-    try:
> +-        r = requests.get(url=url, params={'operation': 'GetCACert',
> +-                                          'message': 'CAIdentifier'})
> +-    except requests.exceptions.ConnectionError:
> +-        log.warn('Failed to establish a new connection')
> +-        r = None
> +-    if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
> +-        log.warn('Failed to fetch the root certificate chain.')
> +-        log.warn('The Network Device Enrollment Service is either not' +
> +-                 ' installed or not configured.')
> +-        if 'cACertificate' in ca:
> +-            log.warn('Installing the server certificate only.')
> +-            der_certificate = base64.b64decode(ca['cACertificate'])
> +-            try:
> +-                cert = load_der_x509_certificate(der_certificate)
> +-            except TypeError:
> +-                cert = load_der_x509_certificate(der_certificate,
> +-                                                 default_backend())
> +-            cert_data = cert.public_bytes(Encoding.PEM)
> +-            with open(root_cert, 'wb') as w:
> +-                w.write(cert_data)
> +-            root_certs.append(root_cert)
> +-        return root_certs
> +-
> +-    if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
> ++    if 'cACertificate' in ca:
> ++        log.warn('Installing the server certificate only.')
> ++        der_certificate = base64.b64decode(ca['cACertificate'])
> +         # Older versions of load_der_x509_certificate require a backend param
> +         try:
> +-            cert = load_der_x509_certificate(r.content)
> ++            cert = load_der_x509_certificate(der_certificate)
> +         except TypeError:
> +-            cert = load_der_x509_certificate(r.content, default_backend())
> ++            cert = load_der_x509_certificate(der_certificate,
> ++                                             default_backend())
> +         cert_data = cert.public_bytes(Encoding.PEM)
> +         with open(root_cert, 'wb') as w:
> +             w.write(cert_data)
> +         root_certs.append(root_cert)
> +-    elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert':
> +-        certs = load_der_pkcs7_certificates(r.content)
> +-        for i in range(0, len(certs)):
> +-            cert = certs[i].public_bytes(Encoding.PEM)
> +-            filename, extension = root_cert.rsplit('.', 1)
> +-            dest = '%s.%d.%s' % (filename, i, extension)
> +-            with open(dest, 'wb') as w:
> +-                w.write(cert)
> +-            root_certs.append(dest)
> +-    else:
> +-        log.warn('getca: Wrong (or missing) MIME content type')
> +
> +     return root_certs
> +
> +@@ -273,8 +240,7 @@ def changed(new_data, old_data):
> + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
> +     """Install the root certificate chain."""
> +     data = dict({'files': [], 'templates': []}, **ca)
> +-    url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
> +-    root_certs = getca(ca, url, trust_dir)
> ++    root_certs = getca(ca, trust_dir)
> +     data['files'].extend(root_certs)
> +     global_trust_dir = find_global_trust_dir()
> +     for src in root_certs:
> +--
> +2.43.0
> diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> new file mode 100644
> index 0000000000..e2989dc075
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> @@ -0,0 +1,51 @@
> +From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Date: Thu, 26 Feb 2026 14:21:01 +1300
> +Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in
> + LDAP
> +
> +If a certificate is mentioned in a GPO but is not present as a
> +cACertificate attribute on a pKIEnrollmentService object, we have no way
> +of obtaining it, so we might as well forget it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2]
> +
> +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
> +(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2)
> +Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
> +---
> + python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++
> + 1 file changed, 10 insertions(+)
> +
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index 815436e11e9c..de8b310afd95 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
> +                     # This is a basic configuration.
> +                     cas = fetch_certification_authorities(ldb)
> +                     for _ca in cas:
> ++                        if 'cACertificate' not in _ca:
> ++                            log.warning(f"ignoring CA '{_ca['name']}' with no "
> ++                                        "cACertificate in LDAP.")
> ++                            continue
> ++
> +                         self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir,
> +                                    private_dir)
> +                         ca_names.append(_ca['name'])
> +                 # If EndPoint.URI starts with "HTTPS//":
> +                 elif ca['URL'].lower().startswith('https://'):
> ++                    if 'cACertificate' not in ca:
> ++                        log.warning(f"ignoring CA '{ca['name']}' "
> ++                                    f"({ca['URL']}) with no "
> ++                                    "cACertificate in LDAP.")
> ++                        continue
> +                     self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
> +                                private_dir, auth=ca['auth'])
> +                     ca_names.append(ca['name'])
> +--
> +2.43.0
> diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> index d50d9f5155..055e404bb9 100644
> --- a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> @@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
>             file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \
>             file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \
>             file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \
> +           file://CVE-2026-3012_p1.patch \
> +           file://CVE-2026-3012_p2.patch \
>             "
>  
>  SRC_URI:append:libc-musl = " \


-- 
Yoann Congal
Smile ECS



      parent reply	other threads:[~2026-07-07 14:44 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07  5:41 [meta-oe][scarthgap][PATCH 1/2] samba: Fix CVE-2026-3012 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-07  5:41 ` [meta-oe][scarthgap][PATCH 2/2] samba: Fix CVE-2026-4408 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-07 14:44 ` Yoann Congal [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJSF3WZIJUES.2JA0ACEULJYDN@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=asparmar@cisco.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.