]> git.ipfire.org Git - ipfire-2.x.git/blob - src/patches/samba/CVE-2017-12150-v3-6.patch
projects / ipfire-2.x.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
samba: import security updates from redhead
[ipfire-2.x.git] / src / patches / samba / CVE-2017-12150-v3-6.patch
1 From d3198caa7a8910a9ce1eb4104d5b410ef29ac2bb Mon Sep 17 00:00:00 2001
2 From: Stefan Metzmacher <metze@samba.org>
3 Date: Thu, 3 Nov 2016 17:16:43 +0100
4 Subject: [PATCH 1/3] CVE-2017-12150: s3:lib:
5 get_cmdline_auth_info_signing_state use Required for smb_encrypt
6
7 This is an addition to the fixes for CVE-2015-5296.
8
9 It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
10
11 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
12
13 Signed-off-by: Stefan Metzmacher <metze@samba.org>
14 Backported-by: Andreas Schneider <asn@samba.org>
15 ---
16 source3/lib/util_cmdline.c | 3 +++
17 1 file changed, 3 insertions(+)
18
19 diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
20 index cb0b79a5d30..3178c848b63 100644
21 --- a/source3/lib/util_cmdline.c
22 +++ b/source3/lib/util_cmdline.c
23 @@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
24
25 int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
26 {
27 + if (auth_info->smb_encrypt) {
28 + return Required;
29 + }
30 return auth_info->signing_state;
31 }
32
33 --
34 2.14.1
35
36
37 From bb762a74c81159633f904f8fb67b49bab74a0b9c Mon Sep 17 00:00:00 2001
38 From: Stefan Metzmacher <metze@samba.org>
39 Date: Mon, 12 Dec 2016 05:49:46 +0100
40 Subject: [PATCH 2/3] CVE-2017-12150: libgpo: make use of Required for SMB
41 signing in gpo_connect_server()
42
43 It's important that we use a signed connection to get the GPOs!
44
45 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
46
47 Signed-off-by: Stefan Metzmacher <metze@samba.org>
48 Backported-by: Andreas Schneider <asn@samba.org>
49 ---
50 libgpo/gpo_fetch.c | 2 +-
51 1 file changed, 1 insertion(+), 1 deletion(-)
52
53 diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
54 index 3cfe1d5b942..af012e01336 100644
55 --- a/libgpo/gpo_fetch.c
56 +++ b/libgpo/gpo_fetch.c
57 @@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads, struct loadparm_context *lp_
58 ads->auth.password,
59 CLI_FULL_CONNECTION_USE_KERBEROS |
60 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
61 - Undefined);
62 + Required);
63 if (!NT_STATUS_IS_OK(result)) {
64 DEBUG(10,("check_refresh_gpo: "
65 "failed to connect: %s\n",
66 --
67 2.14.1
68
69
70 From 070b0fb9ebb57cdbc2b82e335de021fb46bc543c Mon Sep 17 00:00:00 2001
71 From: Stefan Metzmacher <metze@samba.org>
72 Date: Mon, 12 Dec 2016 06:07:56 +0100
73 Subject: [PATCH 3/3] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
74 authentication was not requested
75
76 With forced encryption or required signing we should also don't fallback.
77
78 BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
79
80 Signed-off-by: Stefan Metzmacher <metze@samba.org>
81 Backported-by: Andreas Schneider <asn@samba.org>
82 ---
83 source3/libsmb/clidfs.c | 2 ++
84 1 file changed, 2 insertions(+)
85
86 diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
87 index 23e147120f1..120a2c999ce 100644
88 --- a/source3/libsmb/clidfs.c
89 +++ b/source3/libsmb/clidfs.c
90 @@ -197,7 +197,9 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
91 /* If a password was not supplied then
92 * try again with a null username. */
93 if (password[0] || !username[0] ||
94 + force_encrypt || client_is_signing_mandatory(c) ||
95 get_cmdline_auth_info_use_kerberos(auth_info) ||
96 + get_cmdline_auth_info_use_ccache(auth_info) ||
97 !NT_STATUS_IS_OK(cli_session_setup(c, "",
98 "", 0,
99 "", 0,
100 --
101 2.14.1
102
IPFire 2.x development tree