X-Git-Url: http://git.ipfire.org/?p=ipfire-2.x.git;a=blobdiff_plain;f=src%2Fpatches%2Fsamba%2FCVE-2016-2112-v3-6.patch;fp=src%2Fpatches%2Fsamba%2FCVE-2016-2112-v3-6.patch;h=0000000000000000000000000000000000000000;hp=57c6f680aad03ec72313ba9fce1cddb855e9c0dc;hb=201ad7ff80eb8870aab2b903be6eb7aea2adf563;hpb=f29f169735ff3b431c6dc7cb50b36d0fe644163b
diff --git a/src/patches/samba/CVE-2016-2112-v3-6.patch b/src/patches/samba/CVE-2016-2112-v3-6.patch
deleted file mode 100644
index 57c6f680aa..0000000000
--- a/src/patches/samba/CVE-2016-2112-v3-6.patch
+++ /dev/null
@@ -1,184 +0,0 @@
-From 126e3e992bed7174d60ee19212db9b717647ab2e Mon Sep 17 00:00:00 2001
-From: Andreas Schneider
-Date: Wed, 30 Mar 2016 16:55:44 +0200
-Subject: [PATCH 1/3] CVE-2016-2112: s3:ntlmssp: Implement missing
- ntlmssp_have_feature()
-
-Signed-off-by: Andreas Schneider
----
- source3/include/proto.h | 1 +
- source3/libsmb/ntlmssp.c | 30 ++++++++++++++++++++++++++++++
- 2 files changed, 31 insertions(+)
-
-diff --git a/source3/include/proto.h b/source3/include/proto.h
-index 32b4e3d..43008ea 100644
---- a/source3/include/proto.h
-+++ b/source3/include/proto.h
-@@ -1260,6 +1260,7 @@ NTSTATUS ntlmssp_set_password(struct ntlmssp_state *ntlmssp_state, const char *p
- NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *domain) ;
- void ntlmssp_want_feature_list(struct ntlmssp_state *ntlmssp_state, char *feature_list);
- void ntlmssp_want_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
-+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state, uint32_t feature);
- NTSTATUS ntlmssp_update(struct ntlmssp_state *ntlmssp_state,
- const DATA_BLOB in, DATA_BLOB *out) ;
- NTSTATUS ntlmssp_server_start(TALLOC_CTX *mem_ctx,
-diff --git a/source3/libsmb/ntlmssp.c b/source3/libsmb/ntlmssp.c
-index 045dc87..7e58990 100644
---- a/source3/libsmb/ntlmssp.c
-+++ b/source3/libsmb/ntlmssp.c
-@@ -162,6 +162,36 @@ NTSTATUS ntlmssp_set_domain(struct ntlmssp_state *ntlmssp_state, const char *dom
- return NT_STATUS_OK;
- }
-
-+bool ntlmssp_have_feature(struct ntlmssp_state *ntlmssp_state,
-+ uint32_t feature)
-+{
-+ if (feature & NTLMSSP_FEATURE_SIGN) {
-+ if (ntlmssp_state->session_key.length == 0) {
-+ return false;
-+ }
-+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SIGN) {
-+ return true;
-+ }
-+ }
-+
-+ if (feature & NTLMSSP_FEATURE_SEAL) {
-+ if (ntlmssp_state->session_key.length == 0) {
-+ return false;
-+ }
-+ if (ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL) {
-+ return true;
-+ }
-+ }
-+
-+ if (feature & NTLMSSP_FEATURE_SESSION_KEY) {
-+ if (ntlmssp_state->session_key.length > 0) {
-+ return true;
-+ }
-+ }
-+
-+ return false;
-+}
-+
- /**
- * Request features for the NTLMSSP negotiation
- *
---
-2.8.1
-
-
-From 15338742e0c7304aeecce0e8368f0dad85e8075b Mon Sep 17 00:00:00 2001
-From: Ralph Boehme
-Date: Thu, 24 Mar 2016 16:22:36 +0100
-Subject: [PATCH 2/3] CVE-2016-2112: s3:libads: make sure we detect downgrade
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Pair-programmed-with: Ralph Boehme
-
-Signed-off-by: Stefan Metzmacher
-Signed-off-by: Ralph Boehme
----
- source3/libads/sasl.c | 31 +++++++++++++++++++++++++++++++
- 1 file changed, 31 insertions(+)
-
-diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
-index e7daa8a..6690f83 100644
---- a/source3/libads/sasl.c
-+++ b/source3/libads/sasl.c
-@@ -261,6 +261,37 @@ static ADS_STATUS ads_sasl_spnego_ntlmssp_bind(ADS_STRUCT *ads)
- /* we have a reference conter on ntlmssp_state, if we are signing
- then the state will be kept by the signing engine */
-
-+ if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
-+ bool ok;
-+
-+ ok = ntlmssp_have_feature(ntlmssp_state,
-+ NTLMSSP_FEATURE_SEAL);
-+ if (!ok) {
-+ DEBUG(0,("The ntlmssp feature sealing request, but unavailable\n"));
-+ TALLOC_FREE(ntlmssp_state);
-+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ }
-+
-+ ok = ntlmssp_have_feature(ntlmssp_state,
-+ NTLMSSP_FEATURE_SIGN);
-+ if (!ok) {
-+ DEBUG(0,("The ntlmssp feature signing request, but unavailable\n"));
-+ TALLOC_FREE(ntlmssp_state);
-+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ }
-+
-+ } else if (ads->ldap.wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
-+ bool ok;
-+
-+ ok = ntlmssp_have_feature(ntlmssp_state,
-+ NTLMSSP_FEATURE_SIGN);
-+ if (!ok) {
-+ DEBUG(0,("The gensec feature signing request, but unavailable\n"));
-+ TALLOC_FREE(ntlmssp_state);
-+ return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
-+ }
-+ }
-+
- if (ads->ldap.wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
- ads->ldap.out.max_unwrapped = ADS_SASL_WRAPPING_OUT_MAX_WRAPPED - NTLMSSP_SIG_SIZE;
- ads->ldap.out.sig_size = NTLMSSP_SIG_SIZE;
---
-2.8.1
-
-
-From b020ae88f9024bcc868ed2d85879d14901db32e5 Mon Sep 17 00:00:00 2001
-From: Andrew Bartlett
-Date: Fri, 5 Sep 2014 17:38:38 +1200
-Subject: [PATCH 3/3] CVE-2016-2112: winbindd: Change value of "ldap sasl
- wrapping" to sign
-
-This is to disrupt MITM attacks between us and our DC
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=11644
-
-Pair-programmed-with: Garming Sam
-Signed-off-by: Garming Sam
-Signed-off-by: Andrew Bartlett
-(backported from commit afe02d12f444ad9a6abf31a61f578320520263a9)
----
- docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 8 +++-----
- source3/param/loadparm.c | 2 ++
- 2 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
-index a926cec..a7c4395 100644
---- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
-+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
-@@ -34,11 +34,9 @@
-
-
-
-- The default value is plain which is not irritable
-- to KRB5 clock skew errors. That implies synchronizing the time
-- with the KDC in the case of using sign or
-- seal.
-+ The default value is sign. That implies synchronizing the time
-+ with the KDC in the case of using Kerberos.
-
-
--plain
-+sign
-
-diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
-index 7065cf6..c5249b7 100644
---- a/source3/param/loadparm.c
-+++ b/source3/param/loadparm.c
-@@ -5392,6 +5392,8 @@ static void init_globals(bool reinit_globals)
- Globals.ldap_debug_level = 0;
- Globals.ldap_debug_threshold = 10;
-
-+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
-+
- /* This is what we tell the afs client. in reality we set the token
- * to never expire, though, when this runs out the afs client will
- * forget the token. Set to 0 to get NEVERDATE.*/
---
-2.8.1
-