OpenWrt – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org> |
| 2 | Date: Wed, 28 Dec 2016 19:21:49 +0100 |
||
| 3 | Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default |
||
| 4 | |||
| 5 | This is a backport of upstream commits |
||
| 6 | |||
| 7 | b1a056f77e793efc45df34ab7bf78fbec1bf8a59 |
||
| 8 | b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy) |
||
| 9 | 3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy) |
||
| 10 | --- |
||
| 11 | source3/librpc/crypto/gse.c | 1 - |
||
| 12 | source3/libsmb/clifsinfo.c | 2 +- |
||
| 13 | source4/auth/gensec/gensec_gssapi.c | 2 +- |
||
| 14 | source4/scripting/bin/nsupdate-gss | 2 +- |
||
| 15 | 4 files changed, 3 insertions(+), 4 deletions(-) |
||
| 16 | |||
| 17 | --- a/source3/librpc/crypto/gse.c |
||
| 18 | +++ b/source3/librpc/crypto/gse.c |
||
| 19 | @@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_ |
||
| 20 | memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); |
||
| 21 | |||
| 22 | gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG | |
||
| 23 | - GSS_C_DELEG_FLAG | |
||
| 24 | GSS_C_DELEG_POLICY_FLAG | |
||
| 25 | GSS_C_REPLAY_FLAG | |
||
| 26 | GSS_C_SEQUENCE_FLAG; |
||
| 27 | --- a/source3/libsmb/clifsinfo.c |
||
| 28 | +++ b/source3/libsmb/clifsinfo.c |
||
| 29 | @@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC |
||
| 30 | &es->s.gss_state->gss_ctx, |
||
| 31 | srv_name, |
||
| 32 | GSS_C_NO_OID, /* default OID. */ |
||
| 33 | - GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG, |
||
| 34 | + GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG, |
||
| 35 | GSS_C_INDEFINITE, /* requested ticket lifetime. */ |
||
| 36 | NULL, /* no channel bindings */ |
||
| 37 | p_tok_in, |
||
| 38 | --- a/source4/auth/gensec/gensec_gssapi.c |
||
| 39 | +++ b/source4/auth/gensec/gensec_gssapi.c |
||
| 40 | @@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru |
||
| 41 | if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { |
||
| 42 | gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG; |
||
| 43 | } |
||
| 44 | - if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { |
||
| 45 | + if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) { |
||
| 46 | gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG; |
||
| 47 | } |
||
| 48 | if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { |
||
| 49 | --- a/source4/scripting/bin/nsupdate-gss |
||
| 50 | +++ b/source4/scripting/bin/nsupdate-gss |
||
| 51 | @@ -178,7 +178,7 @@ sub negotiate_tkey($$$$) |
||
| 52 | my $flags = |
||
| 53 | GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | |
||
| 54 | GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | |
||
| 55 | - GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG; |
||
| 56 | + GSS_C_INTEG_FLAG; |
||
| 57 | |||
| 58 | |||
| 59 | $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE, |