[ipfire-2.x.git] / src / patches / samba / CVE-2016-2125-v3.6.patch

From 7cc3b25f4bf9e89e326d04b83bc7365f3cc29265 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 7 Dec 2016 10:58:35 +0100
Subject: [PATCH] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG

We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
---
 source3/librpc/crypto/gse.c | 1 -
 source3/libsmb/clifsinfo.c  | 2 +-
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 02fb0f6141d..211ca7774be 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
 
 	gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
-				GSS_C_DELEG_FLAG |
 				GSS_C_DELEG_POLICY_FLAG |
 				GSS_C_REPLAY_FLAG |
 				GSS_C_SEQUENCE_FLAG;
diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
index 1d66eb4c6b8..34ebc208db0 100644
--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
 				&es->s.gss_state->gss_ctx,
 				srv_name,
 				GSS_C_NO_OID, /* default OID. */
-				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
+				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
 				GSS_C_INDEFINITE,	/* requested ticket lifetime. */
 				NULL,   /* no channel bindings */
 				p_tok_in,
-- 
2.11.0
Commit	Line	Data
1d13e637 AF	1	From 7cc3b25f4bf9e89e326d04b83bc7365f3cc29265 Mon Sep 17 00:00:00 2001
	2	From: Stefan Metzmacher <metze@samba.org>
	3	Date: Wed, 7 Dec 2016 10:58:35 +0100
	4	Subject: [PATCH] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
	5
	6	We should only use GSS_C_DELEG_POLICY_FLAG in order to let
	7	the KDC decide if we should send delegated credentials to
	8	a remote server.
	9
	10	BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
	11
	12	Signed-off-by: Stefan Metzmacher <metze@samba.org>
	13	Backported-by: Andreas Schneider <asn@samba.org>
	14	---
	15	source3/librpc/crypto/gse.c \| 1 -
	16	source3/libsmb/clifsinfo.c \| 2 +-
	17	2 files changed, 1 insertion(+), 2 deletions(-)
	18
	19	diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
	20	index 02fb0f6141d..211ca7774be 100644
	21	--- a/source3/librpc/crypto/gse.c
	22	+++ b/source3/librpc/crypto/gse.c
	23	@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
	24	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
	25
	26	gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG \|
	27	- GSS_C_DELEG_FLAG \|
	28	GSS_C_DELEG_POLICY_FLAG \|
	29	GSS_C_REPLAY_FLAG \|
	30	GSS_C_SEQUENCE_FLAG;
	31	diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
	32	index 1d66eb4c6b8..34ebc208db0 100644
	33	--- a/source3/libsmb/clifsinfo.c
	34	+++ b/source3/libsmb/clifsinfo.c
	35	@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
	36	&es->s.gss_state->gss_ctx,
	37	srv_name,
	38	GSS_C_NO_OID, /* default OID. */
	39	- GSS_C_MUTUAL_FLAG \| GSS_C_REPLAY_FLAG \| GSS_C_SEQUENCE_FLAG \| GSS_C_DELEG_FLAG,
	40	+ GSS_C_MUTUAL_FLAG \| GSS_C_REPLAY_FLAG \| GSS_C_SEQUENCE_FLAG \| GSS_C_DELEG_POLICY_FLAG,
	41	GSS_C_INDEFINITE, /* requested ticket lifetime. */
	42	NULL, /* no channel bindings */
	43	p_tok_in,
	44	--
	45	2.11.0
	46