From c0119cfb3733d2bab481dcf65880cc3f08703d61 Mon Sep 17 00:00:00 2001
From: Arne Fitzenreiter
Date: Thu, 28 Apr 2016 17:04:58 +0200
Subject: [PATCH] samba: import rpc server and client fixes. should fix: #11110
Signed-off-by: Arne Fitzenreiter
---
 lfs/samba | 6 +-
 ...625540abf8b8ec23d43c41e2ca906a9928a5.patch | 39 +++++++++++++
 ...f6992dc342d443137f8a2ac6c01f490cecee.patch | 40 +++++++++++++
 ...24e7bb2c30bf9049529b207c73b55370dfc8.patch | 58 +++++++++++++++++++
 4 files changed, 142 insertions(+), 1 deletion(-)
 create mode 100644 src/patches/samba/1-samba.git-82fa625540abf8b8ec23d43c41e2ca906a9928a5.patch
 create mode 100644 src/patches/samba/2-samba.git-0abef6992dc342d443137f8a2ac6c01f490cecee.patch
 create mode 100644 src/patches/samba/3-samba.git-2d0424e7bb2c30bf9049529b207c73b55370dfc8.patch
diff --git a/lfs/samba b/lfs/samba
index b58bf79ab2..f771986354 100644
--- a/lfs/samba
+++ b/lfs/samba
@@ -32,7 +32,7 @@ DL_FROM = $(URL_IPFIRE)
 DIR_APP = $(DIR_SRC)/$(THISAPP)
 TARGET = $(DIR_INFO)/$(THISAPP)
 PROG = samba
-PAK_VER = 61
+PAK_VER = 62
 DEPS = "cups krb5"
@@ -88,6 +88,10 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2016-2118-v3-6.patch
 cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/CVE-2015-5370-v3-6.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/1-samba.git-82fa625540abf8b8ec23d43c41e2ca906a9928a5.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/2-samba.git-0abef6992dc342d443137f8a2ac6c01f490cecee.patch
+ cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/samba/3-samba.git-2d0424e7bb2c30bf9049529b207c73b55370dfc8.patch
+
 cd $(DIR_APP)/source3 && ./autogen.sh
 cd $(DIR_APP)/source3 && ./configure \
 --prefix=/usr \
diff --git a/src/patches/samba/1-samba.git-82fa625540abf8b8ec23d43c41e2ca906a9928a5.patch b/src/patches/samba/1-samba.git-82fa625540abf8b8ec23d43c41e2ca906a9928a5.patch
new file mode 100644
index 0000000000..ec449c3315
--- /dev/null
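Review bot: The three `patch -Np1` lines added in the second lfs/samba hunk are order-dependent, and nothing in the recipe says so. The index lines of the imported patches show that patch 3 was generated against the `cli_pipe.c` that patch 2 produces (`a211d92`), and patch 1 is described as fixing a regression, so all three presumably have to follow the CVE-2016-2118 and CVE-2015-5370 backports. I would add a comment above them such as `# rpc server/client fixes on top of the CVE backports (#11110); keep after the CVE-* patches and in numbered order`. The rule body for `$(TARGET)` starts and ends outside the hunk.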
+++ b/src/patches/samba/1-samba.git-82fa625540abf8b8ec23d43c41e2ca906a9928a5.patch
@@ -0,0 +1,39 @@
+From 82fa625540abf8b8ec23d43c41e2ca906a9928a5 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Fri, 15 Apr 2016 11:56:08 +0200
+Subject: [PATCH] s3:rpc_server: Fix a regression verifying the security
+ trailer
+
+We do not support header signing so we should not check verify it if a
+client sends the flag.
+
+Signed-off-by: Andreas Schneider
+Reviewed-by: Guenther Deschner
+---
+ source3/rpc_server/srv_pipe.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
+index d659705..fa354a6 100644
+--- a/source3/rpc_server/srv_pipe.c
++++ b/source3/rpc_server/srv_pipe.c
+@@ -1552,7 +1552,6 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
+ {
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct dcerpc_sec_verification_trailer *vt = NULL;
+- const uint32_t bitmask1 = 0;
+ const struct dcerpc_sec_vt_pcontext pcontext = {
+ .abstract_syntax = pipe_fns->syntax,
+ .transfer_syntax = ndr_transfer_syntax,
+@@ -1573,7 +1572,7 @@ static bool srv_pipe_check_verification_trailer(struct pipes_struct *p,
+ goto done;
+ }
+
+- ret = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
++ ret = dcerpc_sec_verification_trailer_check(vt, NULL,
+ &pcontext, &header2);
+ done:
+ TALLOC_FREE(frame);
+--
+1.9.1
+
diff --git a/src/patches/samba/2-samba.git-0abef6992dc342d443137f8a2ac6c01f490cecee.patch b/src/patches/samba/2-samba.git-0abef6992dc342d443137f8a2ac6c01f490cecee.patch
new file mode 100644
index 0000000000..074653c439
--- /dev/null
+++ b/src/patches/samba/2-samba.git-0abef6992dc342d443137f8a2ac6c01f490cecee.patch
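Review bot: In the second srv_pipe.c hunk of patch 1, the call to `dcerpc_sec_verification_trailer_check()` now passes `NULL` as the bitmask argument with no comment saying why, so a later reader cannot tell a deliberate relaxation from a dropped check. Going by the commit message, the intent is that the client's header-signing flag is not verified because this server does not support header signing, while `pcontext` and `header2` are still checked. A comment above the call would record that, for example `/* header signing is not supported here: pass NULL so the client's bitmask1 is not verified; pcontext and header2 still are */`. That `NULL` means "skip" rather than "reject" is inferred from the commit message, not from the visible lines, and should be confirmed against the callee in this 3.6 tree. The body of `srv_pipe_check_verification_trailer` starts and ends outside both hunks.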
@@ -0,0 +1,40 @@
+From 0abef6992dc342d443137f8a2ac6c01f490cecee Mon Sep 17 00:00:00 2001
+From: Christian Ambach
+Date: Wed, 20 Feb 2013 16:59:05 +0100
+Subject: [PATCH] s3:rpc_client fix a crash
+
+state->cli->dc does not have to be set (e.g. when running
+net rpc join against an older Samba PDC), so check it before dereferencing it
+
+This fixes Bug 9669 - net rpc join crashes against a Samba 3.0.33 PDC
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=9669
+
+Signed-off-by: Christian Ambach
+Reviewed-by: Andreas Schneider
+
+Autobuild-User(master): Christian Ambach
+Autobuild-Date(master): Wed Feb 20 19:00:52 CET 2013 on sn-devel-104
+(cherry picked from commit 3d29bb2d37b02909ecb500e864f3c13e06957a86)
+
+(cherry picked from commit ff658bb36c28c9db91fc80a68725e893ffe300aa)
+---
+ source3/rpc_client/cli_pipe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index 5ddabb7..a211d92 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2136,7 +2136,7 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
+ status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+ TALLOC_FREE(subreq);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) {
+- if (state->cli->dc->negotiate_flags &
++ if (state->cli->dc && state->cli->dc->negotiate_flags &
+ NETLOGON_NEG_SUPPORTS_AES) {
+ DEBUG(5, ("AES is not supported and the error was %s\n",
+ nt_errstr(status)));
+--
+1.9.1
+
diff --git a/src/patches/samba/3-samba.git-2d0424e7bb2c30bf9049529b207c73b55370dfc8.patch b/src/patches/samba/3-samba.git-2d0424e7bb2c30bf9049529b207c73b55370dfc8.patch
new file mode 100644
index 0000000000..75aedd80e4
--- /dev/null
+++ b/src/patches/samba/3-samba.git-2d0424e7bb2c30bf9049529b207c73b55370dfc8.patch
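Review bot: With the added `state->cli->dc &&` guard in `rpc_pipe_bind_step_two_done` (patch 2), a NULL `dc` now skips the "AES is not supported" branch silently, so the one case where the negotiated flags cannot be compared leaves no trace in the log. What runs after that branch is outside the hunk, so it should be checked whether the bind then simply completes, since this branch looks like the client's check for a capabilities mismatch. I would log the skipped comparison at the same debug level as the neighbouring message and make the precedence explicit: `if (state->cli->dc != NULL && (state->cli->dc->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES)) {`. The function continues beyond the hunk on both sides.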
@@ -0,0 +1,58 @@
+From 2d0424e7bb2c30bf9049529b207c73b55370dfc8 Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Tue, 10 Jan 2012 16:38:16 +0100
+Subject: [PATCH] s3-rpc_client: Fix updating netlogon credentials.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Günther Deschner
+(cherry picked from commit 33206b1e240e55acedad606aed4f1952f7496b35)
+---
+ source3/rpc_client/cli_pipe.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c
+index a211d92..92ca494 100644
+--- a/source3/rpc_client/cli_pipe.c
++++ b/source3/rpc_client/cli_pipe.c
+@@ -2128,9 +2128,6 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
+ struct rpc_pipe_bind_state *state =
+ tevent_req_data(req,
+ struct rpc_pipe_bind_state);
+- struct schannel_state *schannel_auth =
+- talloc_get_type_abort(state->cli->auth->auth_ctx,
+- struct schannel_state);
+ NTSTATUS status;
+
+ status = dcerpc_netr_LogonGetCapabilities_r_recv(subreq, talloc_tos());
+@@ -2188,8 +2185,8 @@ static void rpc_pipe_bind_step_two_done(struct tevent_req *subreq)
+ return;
+ }
+
+- TALLOC_FREE(schannel_auth->creds);
+- schannel_auth->creds = talloc_steal(state->cli, state->creds);
++ TALLOC_FREE(state->cli->dc);
++ state->cli->dc = talloc_steal(state->cli, state->creds);
+
+ if (!NT_STATUS_IS_OK(state->r.out.result)) {
+ DEBUG(0, ("dcerpc_netr_LogonGetCapabilities_r_recv failed with %s\n",
+@@ -3385,10 +3382,12 @@ NTSTATUS cli_rpc_pipe_open_schannel_with_key(struct cli_state *cli,
+ * The credentials on a new netlogon pipe are the ones we are passed
+ * in - copy them over
+ */
+- result->dc = netlogon_creds_copy(result, *pdc);
+ if (result->dc == NULL) {
+- TALLOC_FREE(result);
+- return NT_STATUS_NO_MEMORY;
++ result->dc = netlogon_creds_copy(result, *pdc);
++ if (result->dc == NULL) {
++ TALLOC_FREE(result);
++ return NT_STATUS_NO_MEMORY;
++ }
+ }
+
+ DEBUG(10,("cli_rpc_pipe_open_schannel_with_key: opened pipe %s to machine %s "
+--
+1.9.1
+
--
2.39.5
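Review bot: The comment kept as context in the last cli_pipe.c hunk of patch 3 (`cli_rpc_pipe_open_schannel_with_key`) still says the credentials passed in are copied over, but the new code copies `*pdc` only when `result->dc` is NULL and otherwise keeps whatever is already on the pipe. I would reword it to something like `/* Keep credentials already set on the pipe (presumably by the bind step); copy the caller's *pdc only if none are set. */`. In the second hunk, `TALLOC_FREE(state->cli->dc)` followed by `talloc_steal(state->cli, state->creds)` leaves `state->creds` pointing at memory now owned by `state->cli`, and would leave `dc` NULL if `state->creds` were NULL. Where `state->creds` is assigned is not visible here, so a one-line comment on the ownership transfer would help. Both functions extend beyond the hunks shown.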