Commit | Line | Data |
---|---|---|
0476a657 AF |
1 | From d3198caa7a8910a9ce1eb4104d5b410ef29ac2bb Mon Sep 17 00:00:00 2001 |
2 | From: Stefan Metzmacher <metze@samba.org> | |
3 | Date: Thu, 3 Nov 2016 17:16:43 +0100 | |
4 | Subject: [PATCH 1/3] CVE-2017-12150: s3:lib: | |
5 | get_cmdline_auth_info_signing_state use Required for smb_encrypt | |
6 | ||
7 | This is an addition to the fixes for CVE-2015-5296. | |
8 | ||
9 | It applies to smb2mount -e, smbcacls -e and smbcquotas -e. | |
10 | ||
11 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 | |
12 | ||
13 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
14 | Backported-by: Andreas Schneider <asn@samba.org> | |
15 | --- | |
16 | source3/lib/util_cmdline.c | 3 +++ | |
17 | 1 file changed, 3 insertions(+) | |
18 | ||
19 | diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c | |
20 | index cb0b79a5d30..3178c848b63 100644 | |
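--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
 
 int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
 {
+ if (auth_info->smb_encrypt) {
+ return Required;
+ }
 return auth_info->signing_state;
 }
 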
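Review bot: The new early return in get_cmdline_auth_info_signing_state silently overrides whatever set_cmdline_auth_info_signing_state stored, and nothing in the function says why. A short comment above the `if` would keep the check from being removed later as redundant, for example `/* Encryption requested: never report less than Required (CVE-2017-12150). */`. Any code that reads `auth_info->signing_state` directly instead of going through this getter would presumably still see the weaker value. That cannot be checked from this hunk, so it is worth searching for such reads before merging.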
33 | -- | |
34 | 2.14.1 | |
35 | ||
36 | ||
37 | From bb762a74c81159633f904f8fb67b49bab74a0b9c Mon Sep 17 00:00:00 2001 | |
38 | From: Stefan Metzmacher <metze@samba.org> | |
39 | Date: Mon, 12 Dec 2016 05:49:46 +0100 | |
40 | Subject: [PATCH 2/3] CVE-2017-12150: libgpo: make use of Required for SMB | |
41 | signing in gpo_connect_server() | |
42 | ||
43 | It's important that we use a signed connection to get the GPOs! | |
44 | ||
45 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 | |
46 | ||
47 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
48 | Backported-by: Andreas Schneider <asn@samba.org> | |
49 | --- | |
50 | libgpo/gpo_fetch.c | 2 +- | |
51 | 1 file changed, 1 insertion(+), 1 deletion(-) | |
52 | ||
53 | diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c | |
54 | index 3cfe1d5b942..af012e01336 100644 | |
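--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads, struct loadparm_context *lp_
 ads->auth.password,
 CLI_FULL_CONNECTION_USE_KERBEROS |
 CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ Required);
 if (!NT_STATUS_IS_OK(result)) {
 DEBUG(10,("check_refresh_gpo: "
 "failed to connect: %s\n",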
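Review bot: With `Required` now passed in gpo_connect_server, a server that cannot sign will presumably fail the connection, but the failure path just below logs only at `DEBUG(10, ...)` and under the name `check_refresh_gpo`. At normal log levels an operator would get no hint why GPO retrieval stopped. Consider a level visible by default and the correct function name, e.g. `DEBUG(1,("gpo_connect_server: failed to connect: %s\n",`. The flags still include `CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS`; whether a non-Kerberos fallback is acceptable when fetching policy is not visible here and deserves a comment. The function body starts and ends outside the hunk.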
66 | -- | |
67 | 2.14.1 | |
68 | ||
69 | ||
70 | From 070b0fb9ebb57cdbc2b82e335de021fb46bc543c Mon Sep 17 00:00:00 2001 | |
71 | From: Stefan Metzmacher <metze@samba.org> | |
72 | Date: Mon, 12 Dec 2016 06:07:56 +0100 | |
73 | Subject: [PATCH 3/3] CVE-2017-12150: s3:libsmb: only fallback to anonymous if | |
74 | authentication was not requested | |
75 | ||
76 | With forced encryption or required signing we should also not fall back. | |
77 | ||
78 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 | |
79 | ||
80 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
81 | Backported-by: Andreas Schneider <asn@samba.org> | |
82 | --- | |
83 | source3/libsmb/clidfs.c | 2 ++ | |
84 | 1 file changed, 2 insertions(+) | |
85 | ||
86 | diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c | |
87 | index 23e147120f1..120a2c999ce 100644 | |
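--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -197,7 +197,9 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
 /* If a password was not supplied then
 * try again with a null username. */
 if (password[0] || !username[0] ||
+ force_encrypt || client_is_signing_mandatory(c) ||
 get_cmdline_auth_info_use_kerberos(auth_info) ||
+ get_cmdline_auth_info_use_ccache(auth_info) ||
 !NT_STATUS_IS_OK(cli_session_setup(c, "",
 "", 0,
 "", 0,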
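Review bot: The comment above the condition in do_connect ("If a password was not supplied then try again with a null username") no longer describes it, because the anonymous retry is now also skipped for `force_encrypt`, mandatory signing, Kerberos and ccache. Suggest rewording it to `/* Only retry with a null username when no password, Kerberos, ccache, encryption or mandatory signing was requested. */`. The new guards are effective only because they short-circuit before the `cli_session_setup(c, "", ...)` call in the same `||` chain. A condition appended after that call would be evaluated only once the anonymous session setup had already been attempted, so a one-line remark about ordering would help future editors. do_connect starts and ends outside the hunk.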
100 | -- | |
101 | 2.14.1 | |
102 |