Openembedded Core Discussions
 help / color / mirror / Atom feed
From: "Yoann Congal" <yoann.congal@smile.fr>
To: <asparmar@cisco.com>, <openembedded-core@lists.openembedded.org>
Cc: <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [meta-oe][scarthgap][PATCH 1/2] samba: Fix CVE-2026-3012
Date: Tue, 07 Jul 2026 16:44:22 +0200	[thread overview]
Message-ID: <DJSF3WZIJUES.2JA0ACEULJYDN@smile.fr> (raw)
In-Reply-To: <20260707054105.2419361-1-asparmar@cisco.com>

On Tue Jul 7, 2026 at 7:41 AM CEST, Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco) via lists.openembedded.org wrote:
> From: Ashishkumar Parmar <asparmar@cisco.com>
>
> This patch applies the upstream Samba security backport for
> CVE-2026-3012. The upstream security bundle is referenced in [1],
> and the public CVE advisory is referenced in [2]. The individual
> backported commit links are recorded in the embedded patch headers.
>
> [1] https://www.samba.org/samba/ftp/patches/security/samba-4.22.9-security-2026-05-25.patch
> [2] https://www.samba.org/samba/security/CVE-2026-3012.html
>
> Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>

Hello,

Wrong list, you want to send this to openembedded-devel@lists.openembedded.org.

Regards,

> ---
>  .../samba/samba/CVE-2026-3012_p1.patch        | 131 ++++++++++++++++++
>  .../samba/samba/CVE-2026-3012_p2.patch        |  51 +++++++
>  .../samba/samba_4.19.9.bb                     |   2 +
>  3 files changed, 184 insertions(+)
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
>  create mode 100644 meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
>
> diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> new file mode 100644
> index 0000000000..ce54b2916f
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
> @@ -0,0 +1,131 @@
> +From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Date: Mon, 23 Feb 2026 11:01:57 +1300
> +Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http
> +
> +In the case where a certificate was found via HTTP, it was trusted
> +without verification and put in the global CA store.
> +
> +There is no means to check the certificate other than by comparing it
> +to certificates we may have gathered via LDAP, but in that case there
> +is no advantage over just using the LDAP-derived certificates.
> +
> +Using the LDAP certificates was already the fallback case if HTTP
> +failed, so we just make it the default.
> +
> +The HTTP fetch depends on the NDES service, which is a variant of
> +Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
> +Samba implements none of that protocol other than the HTTP fetch. SCEP
> +is for clients that are not true domain members. Domain members can
> +access to certificates over LDAP. This patch is not reducing SCEP
> +client support because Samba never had it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +Reported-by: Arad Inbar, DREAM Security Research Team
> +Reported-by: Nir Somech, DREAM Security Research Team
> +Reported-by: Ben Grinberg, DREAM Security Research Team
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b]
> +
> +Backport Changes:
> +- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to
> +  Samba 4.19.9 context.
> +- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto
> +  recipe does not run upstream Samba selftest.
> +
> +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
> +(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b)
> +Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
> +---
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index df3b472..31de4b1 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -16,7 +16,6 @@
> +
> + import os
> + import operator
> +-import requests
> + from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
> + from samba import Ldb
> + from ldb import SCOPE_SUBTREE, SCOPE_BASE
> +@@ -200,56 +199,24 @@ def get_supported_templates(server):
> +     return out.strip().split()
> +
> +
> +-def getca(ca, url, trust_dir):
> +-    """Fetch Certificate Chain from the CA."""
> ++def getca(ca, trust_dir):
> ++    """Fetch a certificate from LDAP."""
> +     root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
> +     root_certs = []
> +
> +-    try:
> +-        r = requests.get(url=url, params={'operation': 'GetCACert',
> +-                                          'message': 'CAIdentifier'})
> +-    except requests.exceptions.ConnectionError:
> +-        log.warn('Failed to establish a new connection')
> +-        r = None
> +-    if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
> +-        log.warn('Failed to fetch the root certificate chain.')
> +-        log.warn('The Network Device Enrollment Service is either not' +
> +-                 ' installed or not configured.')
> +-        if 'cACertificate' in ca:
> +-            log.warn('Installing the server certificate only.')
> +-            der_certificate = base64.b64decode(ca['cACertificate'])
> +-            try:
> +-                cert = load_der_x509_certificate(der_certificate)
> +-            except TypeError:
> +-                cert = load_der_x509_certificate(der_certificate,
> +-                                                 default_backend())
> +-            cert_data = cert.public_bytes(Encoding.PEM)
> +-            with open(root_cert, 'wb') as w:
> +-                w.write(cert_data)
> +-            root_certs.append(root_cert)
> +-        return root_certs
> +-
> +-    if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
> ++    if 'cACertificate' in ca:
> ++        log.warn('Installing the server certificate only.')
> ++        der_certificate = base64.b64decode(ca['cACertificate'])
> +         # Older versions of load_der_x509_certificate require a backend param
> +         try:
> +-            cert = load_der_x509_certificate(r.content)
> ++            cert = load_der_x509_certificate(der_certificate)
> +         except TypeError:
> +-            cert = load_der_x509_certificate(r.content, default_backend())
> ++            cert = load_der_x509_certificate(der_certificate,
> ++                                             default_backend())
> +         cert_data = cert.public_bytes(Encoding.PEM)
> +         with open(root_cert, 'wb') as w:
> +             w.write(cert_data)
> +         root_certs.append(root_cert)
> +-    elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert':
> +-        certs = load_der_pkcs7_certificates(r.content)
> +-        for i in range(0, len(certs)):
> +-            cert = certs[i].public_bytes(Encoding.PEM)
> +-            filename, extension = root_cert.rsplit('.', 1)
> +-            dest = '%s.%d.%s' % (filename, i, extension)
> +-            with open(dest, 'wb') as w:
> +-                w.write(cert)
> +-            root_certs.append(dest)
> +-    else:
> +-        log.warn('getca: Wrong (or missing) MIME content type')
> +
> +     return root_certs
> +
> +@@ -273,8 +240,7 @@ def changed(new_data, old_data):
> + def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
> +     """Install the root certificate chain."""
> +     data = dict({'files': [], 'templates': []}, **ca)
> +-    url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
> +-    root_certs = getca(ca, url, trust_dir)
> ++    root_certs = getca(ca, trust_dir)
> +     data['files'].extend(root_certs)
> +     global_trust_dir = find_global_trust_dir()
> +     for src in root_certs:
> +--
> +2.43.0
> diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> new file mode 100644
> index 0000000000..e2989dc075
> --- /dev/null
> +++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
> @@ -0,0 +1,51 @@
> +From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001
> +From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Date: Thu, 26 Feb 2026 14:21:01 +1300
> +Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in
> + LDAP
> +
> +If a certificate is mentioned in a GPO but is not present as a
> +cACertificate attribute on a pKIEnrollmentService object, we have no way
> +of obtaining it, so we might as well forget it.
> +
> +BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
> +
> +CVE: CVE-2026-3012
> +Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2]
> +
> +Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
> +Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
> +(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2)
> +Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
> +---
> + python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++
> + 1 file changed, 10 insertions(+)
> +
> +diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +index 815436e11e9c..de8b310afd95 100644
> +--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
> ++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
> +@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
> +                     # This is a basic configuration.
> +                     cas = fetch_certification_authorities(ldb)
> +                     for _ca in cas:
> ++                        if 'cACertificate' not in _ca:
> ++                            log.warning(f"ignoring CA '{_ca['name']}' with no "
> ++                                        "cACertificate in LDAP.")
> ++                            continue
> ++
> +                         self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir,
> +                                    private_dir)
> +                         ca_names.append(_ca['name'])
> +                 # If EndPoint.URI starts with "HTTPS//":
> +                 elif ca['URL'].lower().startswith('https://'):
> ++                    if 'cACertificate' not in ca:
> ++                        log.warning(f"ignoring CA '{ca['name']}' "
> ++                                    f"({ca['URL']}) with no "
> ++                                    "cACertificate in LDAP.")
> ++                        continue
> +                     self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
> +                                private_dir, auth=ca['auth'])
> +                     ca_names.append(ca['name'])
> +--
> +2.43.0
> diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> index d50d9f5155..055e404bb9 100644
> --- a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> +++ b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
> @@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
>             file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \
>             file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \
>             file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \
> +           file://CVE-2026-3012_p1.patch \
> +           file://CVE-2026-3012_p2.patch \
>             "
>  
>  SRC_URI:append:libc-musl = " \


-- 
Yoann Congal
Smile ECS



      parent reply	other threads:[~2026-07-07 14:44 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07  5:41 [meta-oe][scarthgap][PATCH 1/2] samba: Fix CVE-2026-3012 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-07  5:41 ` [meta-oe][scarthgap][PATCH 2/2] samba: Fix CVE-2026-4408 Ashishkumar Parmar X (asparmar - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-07-07 14:44 ` Yoann Congal [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJSF3WZIJUES.2JA0ACEULJYDN@smile.fr \
    --to=yoann.congal@smile.fr \
    --cc=asparmar@cisco.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox