From: "Yoann Congal" <yoann.congal@smile.fr>
To: <asparmar@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [meta-oe][scarthgap][PATCH 1/2] samba: Fix CVE-2026-3012
Date: Tue, 07 Jul 2026 16:44:22 +0200 [thread overview]
Message-ID: <DJSF3WZIJUES.2JA0ACEULJYDN@smile.fr> (raw)
In-Reply-To: <20260707054105.2419361-1-asparmar@cisco.com>
On Tue Jul 7, 2026 at 7:41 AM CEST, Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Ashishkumar Parmar <asparmar@cisco.com>
>
> This patch applies the upstream Samba security backport for
> CVE-2026-3012. The upstream security bundle is referenced in [1],
> and the public CVE advisory is referenced in [2]. The individual
> backported commit links are recorded in the embedded patch headers.
>
> [1] https://www.samba.org/samba/ftp/patches/security/samba-4.22.9-security-2026-05-25.patch
> [2] https://www.samba.org/samba/security/CVE-2026-3012.html
>
> Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
Hello,
Wrong list, you want to send this to openembedded-devel@lists.openembedded.org.
Regards,
> ---
> .../samba/samba/CVE-2026-3012_p1.patch | 131 ++++++++++++++++++
> .../samba/samba/CVE-2026-3012_p2.patch | 51 +++++++
> .../samba/samba_4.19.9.bb | 2 +
> 3 files changed, 184 insertions(+)
> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
>
> diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> new file mode 100644
> index 0000000000..ce54b2916f
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> @@ -0,0 +1,131 @@
> +From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Date: Mon, 23 Feb 2026 11:01:57 +1300
> +Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http
> +
> +In the case where a certificate was found via HTTP, it was trusted
> +without verification and put in the global CA store.
> +
> +There is no means to check the certificate other than by comparing it
> +to certificates we may have gathered via LDAP, but in that case there
> +is no advantage over just using the LDAP-derived certificates.
> +
> +Using the LDAP certificates was already the fallback case if HTTP
> +failed, so we just make it the default.
> +
> +The HTTP fetch depends on the NDES service, which is a variant of
> +Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
> +Samba implements none of that protocol other than the HTTP fetch. SCEP
> +is for clients that are not true domain members. Domain members can
> +access to certificates over LDAP. This patch is not reducing SCEP
> +client support because Samba never had it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +Reported-by: Arad Inbar, DREAM Security Research Team
> +Reported-by: Nir Somech, DREAM Security Research Team
> +Reported-by: Ben Grinberg, DREAM Security Research Team
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b]
> +
> +Backport Changes:
> +- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to
> + Samba 4.19.9 context.
> +- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto
> + recipe does not run upstream Samba selftest.
> +
> +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
> +(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b)
> +Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
> +---
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index df3b472..31de4b1 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -16,7 +16,6 @@
> +
> + import os
> + import operator
> +-import requests
> + from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
> + from samba import Ldb
> + from ldb import SCOPE_SUBTREE, SCOPE_BASE
> +@@ -200,56 +199,24 @@ def get_supported_templates(server):
> + return out.strip().split()
> +
> +
> +-def getca(ca, url, trust_dir):
> +- """Fetch Certificate Chain from the CA."""
> ++def getca(ca, trust_dir):
> ++ """Fetch a certificate from LDAP."""
> + root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
> + root_certs = []
> +
> +- try:
> +- r = requests.get(url=url, params={'operation': 'GetCACert',
> +- 'message': 'CAIdentifier'})
> +- except requests.exceptions.ConnectionError:
> +- log.warn('Failed to establish a new connection')
> +- r = None
> +- if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
> +- log.warn('Failed to fetch the root certificate chain.')
> +- log.warn('The Network Device Enrollment Service is either not' +
> +- ' installed or not configured.')
> +- if 'cACertificate' in ca:
> +- log.warn('Installing the server certificate only.')
> +- der_certificate = base64.b64decode(ca['cACertificate'])
> +- try:
> +- cert = load_der_x509_certificate(der_certificate)
> +- except TypeError:
> +- cert = load_der_x509_certificate(der_certificate,
> +- default_backend())
> +- cert_data = cert.public_bytes(Encoding.PEM)
> +- with open(root_cert, 'wb') as w:
> +- w.write(cert_data)
> +- root_certs.append(root_cert)
> +- return root_certs
> +-
> +- if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
> ++ if 'cACertificate' in ca:
> ++ log.warn('Installing the server certificate only.')
> ++ der_certificate = base64.b64decode(ca['cACertificate'])
> + # Older versions of load_der_x509_certificate require a backend param
> + try:
> +- cert = load_der_x509_certificate(r.content)
> ++ cert = load_der_x509_certificate(der_certificate)
> + except TypeError:
> +- cert = load_der_x509_certificate(r.content, default_backend())
> ++ cert = load_der_x509_certificate(der_certificate,
> ++ default_backend())
> + cert_data = cert.public_bytes(Encoding.PEM)
> + with open(root_cert, 'wb') as w:
> + w.write(cert_data)
> + root_certs.append(root_cert)
> +- elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert':
> +- certs = load_der_pkcs7_certificates(r.content)
> +- for i in range(0, len(certs)):
> +- cert = certs[i].public_bytes(Encoding.PEM)
> +- filename, extension = root_cert.rsplit('.', 1)
> +- dest = '%s.%d.%s' % (filename, i, extension)
> +- with open(dest, 'wb') as w:
> +- w.write(cert)
> +- root_certs.append(dest)
> +- else:
> +- log.warn('getca: Wrong (or missing) MIME content type')
> +
> + return root_certs
> +
> +@@ -273,8 +240,7 @@ def changed(new_data, old_data):
> + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
> + """Install the root certificate chain."""
> + data = dict({'files': [], 'templates': []}, **ca)
> +- url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
> +- root_certs = getca(ca, url, trust_dir)
> ++ root_certs = getca(ca, trust_dir)
> + data['files'].extend(root_certs)
> + global_trust_dir = find_global_trust_dir()
> + for src in root_certs:
> +--
> +2.43.0
> diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> new file mode 100644
> index 0000000000..e2989dc075
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> @@ -0,0 +1,51 @@
> +From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Date: Thu, 26 Feb 2026 14:21:01 +1300
> +Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in
> + LDAP
> +
> +If a certificate is mentioned in a GPO but is not present as a
> +cACertificate attribute on a pKIEnrollmentService object, we have no way
> +of obtaining it, so we might as well forget it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2]
> +
> +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
> +(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2)
> +Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
> +---
> + python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++
> + 1 file changed, 10 insertions(+)
> +
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index 815436e11e9c..de8b310afd95 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
> + # This is a basic configuration.
> + cas = fetch_certification_authorities(ldb)
> + for _ca in cas:
> ++ if 'cACertificate' not in _ca:
> ++ log.warning(f"ignoring CA '{_ca['name']}' with no "
> ++ "cACertificate in LDAP.")
> ++ continue
> ++
> + self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir,
> + private_dir)
> + ca_names.append(_ca['name'])
> + # If EndPoint.URI starts with "HTTPS//":
> + elif ca['URL'].lower().startswith('https://'):
> ++ if 'cACertificate' not in ca:
> ++ log.warning(f"ignoring CA '{ca['name']}' "
> ++ f"({ca['URL']}) with no "
> ++ "cACertificate in LDAP.")
> ++ continue
> + self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
> + private_dir, auth=ca['auth'])
> + ca_names.append(ca['name'])
> +--
> +2.43.0
> diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> index d50d9f5155..055e404bb9 100644
> --- a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> @@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
> file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \
> file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \
> file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \
> + file://CVE-2026-3012_p1.patch \
> + file://CVE-2026-3012_p2.patch \
> "
>
> SRC_URI:append:libc-musl = " \
--
Yoann Congal
Smile ECS
prev parent reply other threads:[~2026-07-07 14:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-07 5:41 [meta-oe][scarthgap][PATCH 1/2] samba: Fix CVE-2026-3012 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-07 5:41 ` [meta-oe][scarthgap][PATCH 2/2] samba: Fix CVE-2026-4408 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-07 14:44 ` Yoann Congal [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJSF3WZIJUES.2JA0ACEULJYDN@smile.fr \
--to=yoann.congal@smile.fr \
--cc=asparmar@cisco.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=xe-linux-external@cisco.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox