9aaa23ec8b
This Adds fixes for the following security problems based on debians patches: CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms CVE-2017-12163: Server memory information leak over SMB1 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should CVE-2018-1050: Denial of Service Attack on external print server. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
75 lines
2.4 KiB
Diff
75 lines
2.4 KiB
Diff
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
|
|
Date: Wed, 20 Sep 2017 20:01:34 +0200
|
|
Subject: CVE-2017-12150
|
|
|
|
These are the three upstream patches
|
|
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt
|
|
|
|
This is an addition to the fixes for CVE-2015-5296.
|
|
|
|
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
|
|
|
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()
|
|
|
|
It's important that we use a signed connection to get the GPOs!
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Backported-by: Andreas Schneider <asn@samba.org>
|
|
|
|
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
|
|
|
|
With forced encryption or required signing we should also don't fallback.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
|
|
|
|
---
|
|
libgpo/gpo_fetch.c | 2 +-
|
|
source3/lib/util_cmdline.c | 3 +++
|
|
source3/libsmb/clidfs.c | 2 ++
|
|
3 files changed, 6 insertions(+), 1 deletion(-)
|
|
|
|
--- a/libgpo/gpo_fetch.c
|
|
+++ b/libgpo/gpo_fetch.c
|
|
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S
|
|
ads->auth.password,
|
|
CLI_FULL_CONNECTION_USE_KERBEROS |
|
|
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
|
|
- Undefined);
|
|
+ Required);
|
|
if (!NT_STATUS_IS_OK(result)) {
|
|
DEBUG(10,("check_refresh_gpo: "
|
|
"failed to connect: %s\n",
|
|
--- a/source3/lib/util_cmdline.c
|
|
+++ b/source3/lib/util_cmdline.c
|
|
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state
|
|
|
|
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
|
|
{
|
|
+ if (auth_info->smb_encrypt) {
|
|
+ return Required;
|
|
+ }
|
|
return auth_info->signing_state;
|
|
}
|
|
|
|
--- a/source3/libsmb/clidfs.c
|
|
+++ b/source3/libsmb/clidfs.c
|
|
@@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL
|
|
/* If a password was not supplied then
|
|
* try again with a null username. */
|
|
if (password[0] || !username[0] ||
|
|
+ force_encrypt || client_is_signing_mandatory(c) ||
|
|
get_cmdline_auth_info_use_kerberos(auth_info) ||
|
|
+ get_cmdline_auth_info_use_ccache(auth_info) ||
|
|
!NT_STATUS_IS_OK(cli_session_setup(c, "",
|
|
"", 0,
|
|
"", 0,
|