
Annotation of /rpms/samba/sme10/CVE-2017-12150.patch



Revision 1.2 - (hide annotations) (download)
Wed Aug 9 04:48:43 2023 UTC (14 months, 3 weeks ago) by jpp
Branch: MAIN
CVS Tags: HEAD
Changes since 1.1: +0 -0 lines
FILE REMOVED
Initial import

1 jpp 1.1 From 9fb528332f48de59d70d48686e3af4df70206635 Mon Sep 17 00:00:00 2001
2     From: Stefan Metzmacher <metze@samba.org>
3     Date: Tue, 29 Aug 2017 17:06:21 +0200
4     Subject: [PATCH 1/7] CVE-2017-12150: s3:popt_common: don't turn a guessed
5     username into a specified one
6    
7     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
8    
9     Signed-off-by: Stefan Metzmacher <metze@samba.org>
10     ---
11     source3/include/auth_info.h | 1 +
12     source3/lib/popt_common.c | 6 +-----
13     source3/lib/util_cmdline.c | 29 +++++++++++++++++++++++++++++
14     3 files changed, 31 insertions(+), 5 deletions(-)
15    
16     diff --git a/source3/include/auth_info.h b/source3/include/auth_info.h
17     index c6f71ad..8212c27 100644
18     --- a/source3/include/auth_info.h
19     +++ b/source3/include/auth_info.h
20     @@ -29,6 +29,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
21     const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info);
22     void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
23     const char *username);
24     +void reset_cmdline_auth_info_username(struct user_auth_info *auth_info);
25     const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info);
26     void set_cmdline_auth_info_domain(struct user_auth_info *auth_info,
27     const char *domain);
28     diff --git a/source3/lib/popt_common.c b/source3/lib/popt_common.c
29     index 9928c70..36b5e92 100644
30     --- a/source3/lib/popt_common.c
31     +++ b/source3/lib/popt_common.c
32     @@ -238,7 +238,6 @@ void popt_common_credentials_set_delay_post(void)
33     void popt_common_credentials_post(void)
34     {
35     struct user_auth_info *auth_info = cmdline_auth_info;
36     - const char *username = NULL;
37    
38     if (get_cmdline_auth_info_use_machine_account(auth_info) &&
39     !set_cmdline_auth_info_machine_account_creds(auth_info))
40     @@ -259,10 +258,7 @@ void popt_common_credentials_post(void)
41     * correctly parsed yet. If we have a username we need to set it again
42     * to run the string parser for the username correctly.
43     */
44     - username = get_cmdline_auth_info_username(auth_info);
45     - if (username != NULL && username[0] != '\0') {
46     - set_cmdline_auth_info_username(auth_info, username);
47     - }
48     + reset_cmdline_auth_info_username(auth_info);
49     }
50    
51     static void popt_common_credentials_callback(poptContext con,
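Review bot: The comment kept above the new call still says "If we have a username we need to set it again", which no longer matches the code: `reset_cmdline_auth_info_username()` acts only on a username that was explicitly supplied, and that gate is the point of the fix. I would reword the last sentence of the comment to something like `If a username was explicitly specified we need to set it again to run the string parser for the username correctly; a guessed username is left untouched.` The body of popt_common_credentials_post() and the start of this comment lie outside the hunk.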
52     diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
53     index ad51a4f..80142e2 100644
54     --- a/source3/lib/util_cmdline.c
55     +++ b/source3/lib/util_cmdline.c
56     @@ -37,6 +37,7 @@
57     struct user_auth_info {
58     struct cli_credentials *creds;
59     struct loadparm_context *lp_ctx;
60     + bool got_username;
61     bool got_pass;
62     int signing_state;
63     bool smb_encrypt;
64     @@ -93,6 +94,7 @@ void set_cmdline_auth_info_from_file(struct user_auth_info *auth_info,
65     if (!ok) {
66     exit(EIO);
67     }
68     + auth_info->got_username = true;
69     }
70    
71     const char *get_cmdline_auth_info_username(const struct user_auth_info *auth_info)
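Review bot: `auth_info->got_username = true;` is set here whenever the file parse succeeds, whether or not the file actually supplied a username. If a credentials file may omit the username (not visible in this hunk), the later `reset_cmdline_auth_info_username()` would re-parse a guessed name as `CRED_SPECIFIED`, which is the promotion this patch is meant to prevent. Either set the flag only when the username really came from the file, or add a comment stating that the file parser always yields a specified username. The body of set_cmdline_auth_info_from_file() starts outside the hunk.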
72     @@ -123,11 +125,38 @@ void set_cmdline_auth_info_username(struct user_auth_info *auth_info,
73     exit(ENOMEM);
74     }
75    
76     + auth_info->got_username = true;
77     if (strchr_m(username, '%') != NULL) {
78     auth_info->got_pass = true;
79     }
80     }
81    
82     +void reset_cmdline_auth_info_username(struct user_auth_info *auth_info)
83     +{
84     + const char *username = NULL;
85     + const char *new_val = NULL;
86     +
87     + if (!auth_info->got_username) {
88     + return;
89     + }
90     +
91     + username = cli_credentials_get_username(auth_info->creds);
92     + if (username == NULL) {
93     + return;
94     + }
95     + if (username[0] == '\0') {
96     + return;
97     + }
98     +
99     + cli_credentials_parse_string(auth_info->creds,
100     + username,
101     + CRED_SPECIFIED);
102     + new_val = cli_credentials_get_username(auth_info->creds);
103     + if (new_val == NULL) {
104     + exit(ENOMEM);
105     + }
106     +}
107     +
108     const char *get_cmdline_auth_info_domain(const struct user_auth_info *auth_info)
109     {
110     const char *domain = NULL;
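Review bot: `reset_cmdline_auth_info_username()` has no comment, and its early return on `!auth_info->got_username` is the security-relevant line of the patch, so it deserves one, for example `/* Only re-parse a username the user supplied; a guessed one must not become CRED_SPECIFIED. */`. Separately, `username` points into `auth_info->creds` and is then passed to `cli_credentials_parse_string()` on the same object; that is safe only if the parser copies its input before replacing the stored username, which this hunk does not show and is worth confirming. The first lines of the hunk belong to set_cmdline_auth_info_username(), whose body starts outside it.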
111     --
112     1.9.1
113    
114    
115     From 97a7ddff5d327bf5bcc27c8a88b000b3a187a827 Mon Sep 17 00:00:00 2001
116     From: Stefan Metzmacher <metze@samba.org>
117     Date: Thu, 3 Nov 2016 17:16:43 +0100
118     Subject: [PATCH 2/7] CVE-2017-12150: s3:lib:
119     get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
120    
121     This is an addition to the fixes for CVE-2015-5296.
122    
123     It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
124    
125     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
126    
127     Signed-off-by: Stefan Metzmacher <metze@samba.org>
128     ---
129     source3/lib/util_cmdline.c | 3 +++
130     1 file changed, 3 insertions(+)
131    
132     diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
133     index 80142e2..90ee67c 100644
134     --- a/source3/lib/util_cmdline.c
135     +++ b/source3/lib/util_cmdline.c
136     @@ -265,6 +265,9 @@ void set_cmdline_auth_info_signing_state_raw(struct user_auth_info *auth_info,
137    
138     int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
139     {
140     + if (auth_info->smb_encrypt) {
141     + return SMB_SIGNING_REQUIRED;
142     + }
143     return auth_info->signing_state;
144     }
145    
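Review bot: The override added to `get_cmdline_auth_info_signing_state()` is undocumented, so a later reader may not see why the stored `signing_state` is ignored when `smb_encrypt` is set. A one-line comment above the new `if` would do, e.g. `/* Requested encryption (-e) implies mandatory signing; see CVE-2015-5296. */`. The rule also lives only in this getter, so any code that reads `auth_info->signing_state` directly would not get it; whether such readers exist is not visible here.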
146     --
147     1.9.1
148    
149    
150     From b760a464ee3d94edeff6eb10a0b08359d6e98099 Mon Sep 17 00:00:00 2001
151     From: Stefan Metzmacher <metze@samba.org>
152     Date: Fri, 9 Dec 2016 09:26:32 +0100
153     Subject: [PATCH 3/7] CVE-2017-12150: s3:pylibsmb: make use of
154     SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
155    
156     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
157    
158     Signed-off-by: Stefan Metzmacher <metze@samba.org>
159     ---
160     source3/libsmb/pylibsmb.c | 2 +-
161     1 file changed, 1 insertion(+), 1 deletion(-)
162    
163     diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
164     index 59c0998..350c6d4 100644
165     --- a/source3/libsmb/pylibsmb.c
166     +++ b/source3/libsmb/pylibsmb.c
167     @@ -444,7 +444,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
168    
169     req = cli_full_connection_creds_send(
170     NULL, self->ev, "myname", host, NULL, 0, share, "?????",
171     - cli_creds, 0, 0);
172     + cli_creds, 0, SMB_SIGNING_DEFAULT);
173     if (!py_tevent_req_wait_exc(self->ev, req)) {
174     return -1;
175     }
176     --
177     1.9.1
178    
179    
180     From f42ffde214c3be1d6ba3afd8fe88a3e04470c4bd Mon Sep 17 00:00:00 2001
181     From: Stefan Metzmacher <metze@samba.org>
182     Date: Mon, 12 Dec 2016 05:49:46 +0100
183     Subject: [PATCH 4/7] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
184     in gpo_connect_server()
185    
186     It's important that we use a signed connection to get the GPOs!
187    
188     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
189    
190     Signed-off-by: Stefan Metzmacher <metze@samba.org>
191     ---
192     libgpo/gpo_fetch.c | 2 +-
193     1 file changed, 1 insertion(+), 1 deletion(-)
194    
195     diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
196     index 836bc23..3740d4e 100644
197     --- a/libgpo/gpo_fetch.c
198     +++ b/libgpo/gpo_fetch.c
199     @@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
200     ads->auth.password,
201     CLI_FULL_CONNECTION_USE_KERBEROS |
202     CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
203     - Undefined);
204     + SMB_SIGNING_REQUIRED);
205     if (!NT_STATUS_IS_OK(result)) {
206     DEBUG(10,("check_refresh_gpo: "
207     "failed to connect: %s\n",
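Review bot: The reason for passing `SMB_SIGNING_REQUIRED` is stated only in the commit message; the call site carries no comment, so a later cleanup could relax the argument without noticing what it protects. I would add a comment next to the argument such as `/* The connection used to fetch GPOs must be signed. */`. The call this argument belongs to begins outside the hunk, as does the rest of gpo_connect_server().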
208     --
209     1.9.1
210    
211    
212     From d8c6aceb94ab72991eb538ab5dc388686a177052 Mon Sep 17 00:00:00 2001
213     From: Stefan Metzmacher <metze@samba.org>
214     Date: Tue, 29 Aug 2017 15:24:14 +0200
215     Subject: [PATCH 5/7] CVE-2017-12150: auth/credentials:
216     cli_credentials_authentication_requested() should check for
217     NTLM_CCACHE/SIGN/SEAL
218    
219     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
220    
221     Signed-off-by: Stefan Metzmacher <metze@samba.org>
222     ---
223     auth/credentials/credentials.c | 16 ++++++++++++++++
224     1 file changed, 16 insertions(+)
225    
226     diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
227     index 06648c7..5e3b5e8 100644
228     --- a/auth/credentials/credentials.c
229     +++ b/auth/credentials/credentials.c
230     @@ -25,6 +25,7 @@
231     #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
232     #include "auth/credentials/credentials.h"
233     #include "auth/credentials/credentials_internal.h"
234     +#include "auth/gensec/gensec.h"
235     #include "libcli/auth/libcli_auth.h"
236     #include "tevent.h"
237     #include "param/param.h"
238     @@ -300,6 +301,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
239    
240     _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred)
241     {
242     + uint32_t gensec_features = 0;
243     +
244     if (cred->bind_dn) {
245     return true;
246     }
247     @@ -327,6 +330,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
248     return true;
249     }
250    
251     + gensec_features = cli_credentials_get_gensec_features(cred);
252     + if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
253     + return true;
254     + }
255     +
256     + if (gensec_features & GENSEC_FEATURE_SIGN) {
257     + return true;
258     + }
259     +
260     + if (gensec_features & GENSEC_FEATURE_SEAL) {
261     + return true;
262     + }
263     +
264     return false;
265     }
266    
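Review bot: The three added checks on `gensec_features` all return true and can be a single mask test, which makes it easier to see which features count as an authentication request: `if (gensec_features & (GENSEC_FEATURE_NTLM_CCACHE | GENSEC_FEATURE_SIGN | GENSEC_FEATURE_SEAL)) { return true; }`. A short comment explaining why these features imply that authentication was requested would help, since the commit message does not say. The declaration of `gensec_features` is in the previous hunk and the middle of cli_credentials_authentication_requested() is not shown.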
267     --
268     1.9.1
269    
270    
271     From 28f4a8dbd2b82bb8fb9f6224e1641d935766e62a Mon Sep 17 00:00:00 2001
272     From: Stefan Metzmacher <metze@samba.org>
273     Date: Tue, 29 Aug 2017 15:35:49 +0200
274     Subject: [PATCH 6/7] CVE-2017-12150: libcli/smb: add
275     smbXcli_conn_signing_mandatory()
276    
277     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
278    
279     Signed-off-by: Stefan Metzmacher <metze@samba.org>
280     ---
281     libcli/smb/smbXcli_base.c | 5 +++++
282     libcli/smb/smbXcli_base.h | 1 +
283     2 files changed, 6 insertions(+)
284    
285     diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
286     index b21d796..239e5eb 100644
287     --- a/libcli/smb/smbXcli_base.c
288     +++ b/libcli/smb/smbXcli_base.c
289     @@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
290     return false;
291     }
292    
293     +bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
294     +{
295     + return conn->mandatory_signing;
296     +}
297     +
298     void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
299     {
300     set_socket_options(conn->sock_fd, options);
301     diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
302     index e48fc35..2594f07 100644
303     --- a/libcli/smb/smbXcli_base.h
304     +++ b/libcli/smb/smbXcli_base.h
305     @@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
306    
307     enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
308     bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
309     +bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
310    
311     void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
312     const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
313     --
314     1.9.1
315    
316    
317     From 28506663282a1457708c38c58437e9eb9c0002bf Mon Sep 17 00:00:00 2001
318     From: Stefan Metzmacher <metze@samba.org>
319     Date: Mon, 12 Dec 2016 06:07:56 +0100
320     Subject: [PATCH 7/7] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
321     authentication was not requested
322    
323     With forced encryption or required signing we should also not fall back.
324    
325     BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
326    
327     Signed-off-by: Stefan Metzmacher <metze@samba.org>
328     ---
329     source3/libsmb/clidfs.c | 16 ++++------------
330     1 file changed, 4 insertions(+), 12 deletions(-)
331    
332     diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
333     index 75012b2..fdcd665 100644
334     --- a/source3/libsmb/clidfs.c
335     +++ b/source3/libsmb/clidfs.c
336     @@ -26,6 +26,7 @@
337     #include "trans2.h"
338     #include "libsmb/nmblib.h"
339     #include "../libcli/smb/smbXcli_base.h"
340     +#include "auth/credentials/credentials.h"
341    
342     /********************************************************************
343     Important point.
344     @@ -145,9 +146,6 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
345     char *servicename;
346     char *sharename;
347     char *newserver, *newshare;
348     - const char *username;
349     - const char *password;
350     - const char *domain;
351     NTSTATUS status;
352     int flags = 0;
353     int signing_state = get_cmdline_auth_info_signing_state(auth_info);
354     @@ -225,21 +223,15 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
355     smb2cli_conn_set_max_credits(c->conn, DEFAULT_SMB2_MAX_CREDITS);
356     }
357    
358     - username = get_cmdline_auth_info_username(auth_info);
359     - password = get_cmdline_auth_info_password(auth_info);
360     - domain = get_cmdline_auth_info_domain(auth_info);
361     - if ((domain == NULL) || (domain[0] == '\0')) {
362     - domain = lp_workgroup();
363     - }
364     -
365     creds = get_cmdline_auth_info_creds(auth_info);
366    
367     status = cli_session_setup_creds(c, creds);
368     if (!NT_STATUS_IS_OK(status)) {
369     /* If a password was not supplied then
370     * try again with a null username. */
371     - if (password[0] || !username[0] ||
372     - get_cmdline_auth_info_use_kerberos(auth_info) ||
373     + if (force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
374     + cli_credentials_authentication_requested(creds) ||
375     + cli_credentials_is_anonymous(creds) ||
376     !NT_STATUS_IS_OK(status = cli_session_setup_anon(c)))
377     {
378     d_printf("session setup failed: %s\n",
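Review bot: The retained comment "If a password was not supplied then try again with a null username" no longer describes the condition below it. The new test reaches `cli_session_setup_anon()` only when encryption is not forced, signing is not mandatory, the credentials did not request authentication and are not already anonymous; I would update the comment to say so, e.g. `/* Only retry anonymously if nothing asked for authentication, signing or encryption. */`. The hunk ends inside the d_printf() call, and do_connect() starts well before it.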
379     --
380     1.9.1
381    
