OpenWrt – Rev 1

Subversion Repositories:
?pathlinks?
Blame – Last modification – View Log – Download
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
Date: Wed, 20 Sep 2017 20:01:34 +0200
Subject: CVE-2017-12150

These are the three upstream patches

  From: Stefan Metzmacher <metze@samba.org>
  Subject: CVE-2017-12150: s3:lib: get_cmdline_auth_info_signing_state use Required for smb_encrypt

  This is an addition to the fixes for CVE-2015-5296.

  It applies to smb2mount -e, smbcacls -e and smbcquotas -e.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997


  From: Stefan Metzmacher <metze@samba.org>
  Subject: CVE-2017-12150: libgpo: make use of Required for SMB signing in gpo_connect_server()

  It's important that we use a signed connection to get the GPOs!

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Backported-by: Andreas Schneider <asn@samba.org>


  From: Stefan Metzmacher <metze@samba.org>
  Subject: CVE-2017-12150: s3:libsmb: only fallback to anonymous if authentication was not requested

  With forced encryption or required signing we should also don't fallback.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997

---
 libgpo/gpo_fetch.c         | 2 +-
 source3/lib/util_cmdline.c | 3 +++
 source3/libsmb/clidfs.c    | 2 ++
 3 files changed, 6 insertions(+), 1 deletion(-)

--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_S
                        ads->auth.password,
                        CLI_FULL_CONNECTION_USE_KERBEROS |
                        CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
-                       Undefined);
+                       Required);
        if (!NT_STATUS_IS_OK(result)) {
                DEBUG(10,("check_refresh_gpo: "
                                "failed to connect: %s\n",
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state
 
 int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
 {
+       if (auth_info->smb_encrypt) {
+               return Required;
+       }
        return auth_info->signing_state;
 }
 
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -202,7 +202,9 @@ static struct cli_state *do_connect(TALL
                /* If a password was not supplied then
                 * try again with a null username. */
                if (password[0] || !username[0] ||
+                       force_encrypt || client_is_signing_mandatory(c) ||
                        get_cmdline_auth_info_use_kerberos(auth_info) ||
+                       get_cmdline_auth_info_use_ccache(auth_info) ||
                        !NT_STATUS_IS_OK(cli_session_setup(c, "",
                                                "", 0,
                                                "", 0,