OpenWrt – Blame information for rev 1
?pathlinks?
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 1 | office | 1 | From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org> |
| 2 | Date: Wed, 20 Sep 2017 20:01:34 +0200 |
||
| 3 | Subject: CVE-2017-12150 |
||
| 4 | |||
| 5 | These are the three upstream patches |
||
| 6 | |||
| 7 | From: Stefan Metzmacher <metze@samba.org> |
||
| 8 | Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt |
||
| 9 | |||
| 10 | This is an addition to the fixes for CVE-2015-5296. |
||
| 11 | |||
| 12 | It applies to smb2mount -e, smbcacls -e and smbcquotas -e. |
||
| 13 | |||
| 14 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
||
| 15 | |||
| 16 | |||
| 17 | From: Stefan Metzmacher <metze@samba.org> |
||
| 18 | Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server() |
||
| 19 | |||
| 20 | It's important that we use a signed connection to get the GPOs! |
||
| 21 | |||
| 22 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
||
| 23 | |||
| 24 | Signed-off-by: Stefan Metzmacher <metze@samba.org> |
||
| 25 | Backported-by: Andreas Schneider <asn@samba.org> |
||
| 26 | |||
| 27 | |||
| 28 | From: Stefan Metzmacher <metze@samba.org> |
||
| 29 | Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested |
||
| 30 | |||
| 31 | With forced encryption or required signing we should also don't fallback. |
||
| 32 | |||
| 33 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997 |
||
| 34 | |||
| 35 | --- |
||
| 36 | libgpo/gpo_fetch.c | 2 +- |
||
| 37 | source3/lib/util_cmdline.c | 3 +++ |
||
| 38 | source3/libsmb/clidfs.c | 2 ++ |
||
| 39 | 3 files changed, 6 insertions(+), 1 deletion(-) |
||
| 40 | |||
| 41 | --- a/libgpo/gpo_fetch.c |
||
| 42 | +++ b/libgpo/gpo_fetch.c |
||
| 43 | @@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S |
||
| 44 | ads->auth.password, |
||
| 45 | CLI_FULL_CONNECTION_USE_KERBEROS | |
||
| 46 | CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS, |
||
| 47 | - Undefined); |
||
| 48 | + Required); |
||
| 49 | if (!NT_STATUS_IS_OK(result)) { |
||
| 50 | DEBUG(10,("check_refresh_gpo: " |
||
| 51 | "failed to connect: %s\n", |
||
| 52 | --- a/source3/lib/util_cmdline.c |
||
| 53 | +++ b/source3/lib/util_cmdline.c |
||
| 54 | @@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state |
||
| 55 | |||
| 56 | int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info) |
||
| 57 | { |
||
| 58 | + if (auth_info->smb_encrypt) { |
||
| 59 | + return Required; |
||
| 60 | + } |
||
| 61 | return auth_info->signing_state; |
||
| 62 | } |
||
| 63 | |||
| 64 | --- a/source3/libsmb/clidfs.c |
||
| 65 | +++ b/source3/libsmb/clidfs.c |
||
| 66 | @@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL |
||
| 67 | /* If a password was not supplied then |
||
| 68 | * try again with a null username. */ |
||
| 69 | if (password[0] || !username[0] || |
||
| 70 | + force_encrypt || client_is_signing_mandatory(c) || |
||
| 71 | get_cmdline_auth_info_use_kerberos(auth_info) || |
||
| 72 | + get_cmdline_auth_info_use_ccache(auth_info) || |
||
| 73 | !NT_STATUS_IS_OK(cli_session_setup(c, "", |
||
| 74 | "", 0, |
||
| 75 | "", 0, |