OpenWrt – Blame information for rev 1
Rev | Author | Line No. | Line |
---|---|---|---|
1 | office | 1 | From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org> |
2 | Date: Wed, 28 Dec 2016 19:21:49 +0100 |
||
3 | Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default |
||
4 | |||
5 | This is a backport of upstream commits |
||
6 | |||
7 | b1a056f77e793efc45df34ab7bf78fbec1bf8a59 |
||
8 | b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy) |
||
9 | 3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy) |
||
10 | --- |
||
11 | source3/librpc/crypto/gse.c | 1 - |
||
12 | source3/libsmb/clifsinfo.c | 2 +- |
||
13 | source4/auth/gensec/gensec_gssapi.c | 2 +- |
||
14 | source4/scripting/bin/nsupdate-gss | 2 +- |
||
15 | 4 files changed, 3 insertions(+), 4 deletions(-) |
||
16 | |||
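--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_
 memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
 
 gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
 GSS_C_DELEG_POLICY_FLAG |
 GSS_C_REPLAY_FLAG |
 GSS_C_SEQUENCE_FLAG;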
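--- a/source3/libsmb/clifsinfo.c
+++ b/source3/libsmb/clifsinfo.c
@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC
 &es->s.gss_state->gss_ctx,
 srv_name,
 GSS_C_NO_OID, /* default OID. */
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
 GSS_C_INDEFINITE, /* requested ticket lifetime. */
 NULL, /* no channel bindings */
 p_tok_in,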
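Review bot: The new `GSS_C_DELEG_POLICY_FLAG` on the request-flags line of make_cli_gss_blob carries no comment explaining why it replaced `GSS_C_DELEG_FLAG`, so a later cleanup could restore unconditional delegation without noticing the CVE-2016-2125 history. I would add above that argument: `/* CVE-2016-2125: forward the TGT only when the KDC marks the service ok-as-delegate, never unconditionally */`. The same one-line rationale would fit the flag lists in gse.c and nsupdate-gss touched by this patch. The macro is also used unguarded here; gse.c already does the same, but if this file can be built against GSSAPI headers that predate the flag, an `#ifdef GSS_C_DELEG_POLICY_FLAG` guard that falls back to no delegation flag would be needed, which should be confirmed against the supported krb5 versions. The call this argument list belongs to starts and ends outside the hunk.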
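--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru
 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
 gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
 }
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
 gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
 }
 if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {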
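Review bot: The `"delegation"` setting that still gates `GSS_C_DELEG_FLAG` in gensec_gssapi_start has no comment saying what enabling it does, and the visible lines never add `GSS_C_DELEG_POLICY_FLAG` to `want_flags`, unlike the gse.c and clifsinfo.c hunks of this patch. As far as the hunk shows, this path is therefore all-or-nothing: no delegation by default, or unconditional forwarding of the user's TGT to whichever service is contacted once an administrator turns the setting on. I would add above the `if`: `/* CVE-2016-2125: off by default; enabling this forwards the TGT to every target service regardless of KDC policy */`. Whether policy-based delegation is set elsewhere cannot be told from here, since the function starts and ends outside the hunk.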
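--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
 my $flags =
 GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
 GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
 
 
 $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,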