package/network/services/samba36/patches/032-CVE-2017-12150-v3.6.patch

   1 From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
   2 Date: Wed, 20 Sep 2017 20:01:34 +0200
   3 Subject: CVE-2017-12150
   4
   5 These are the three upstream patches
   6
   7   From: Stefan Metzmacher <metze@samba.org>
   8   Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt
   9
  10   This is an addition to the fixes for CVE-2015-5296.
  11
  12   It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
  13
  14   BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
  15
  16
  17   From: Stefan Metzmacher <metze@samba.org>
  18   Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()
  19
  20   It's important that we use a signed connection to get the GPOs!
  21
  22   BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
  23
  24   Signed-off-by: Stefan Metzmacher <metze@samba.org>
  25   Backported-by: Andreas Schneider <asn@samba.org>
  26
  27
  28   From: Stefan Metzmacher <metze@samba.org>
  29   Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested
  30
  31   With forced encryption or required signing we should also don't fallback.
  32
  33   BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
  34
  35 ---
  36  libgpo/gpo_fetch.c         | 2 +-
  37  source3/lib/util_cmdline.c | 3 +++
  38  source3/libsmb/clidfs.c    | 2 ++
  39  3 files changed, 6 insertions(+), 1 deletion(-)
  40
  41 --- a/libgpo/gpo_fetch.c
  42 +++ b/libgpo/gpo_fetch.c
  43 @@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S
  44                         ads->auth.password,
  45                         CLI_FULL_CONNECTION_USE_KERBEROS |
  46                         CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
  47 -                       Undefined);
  48 +                       Required);
  49         if (!NT_STATUS_IS_OK(result)) {
  50                 DEBUG(10,("check_refresh_gpo: "
  51                                 "failed to connect: %s\n",
  52 --- a/source3/lib/util_cmdline.c
  53 +++ b/source3/lib/util_cmdline.c
  54 @@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state
  55
  56  int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
  57  {
  58 +       if (auth_info->smb_encrypt) {
  59 +               return Required;
  60 +       }
  61         return auth_info->signing_state;
  62  }
  63
  64 --- a/source3/libsmb/clidfs.c
  65 +++ b/source3/libsmb/clidfs.c
  66 @@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL
  67                 /* If a password was not supplied then
  68                  * try again with a null username. */
  69                 if (password[0] || !username[0] ||
  70 +                       force_encrypt || client_is_signing_mandatory(c) ||
  71                         get_cmdline_auth_info_use_kerberos(auth_info) ||
  72 +                       get_cmdline_auth_info_use_ccache(auth_info) ||
  73                         !NT_STATUS_IS_OK(cli_session_setup(c, "",
  74                                                 "", 0,
  75                                                 "", 0,