projects / librecmc / librecmc.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
update Samba to 3.6.25, based upon 18.06
[librecmc/librecmc.git] / package / network / services / samba36 / patches / 028-CVE-2016-2125-v3.6.patch
1 From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
2 Date: Wed, 28 Dec 2016 19:21:49 +0100
3 Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default
4
5 This is a backport of upstream commits
6
7    b1a056f77e793efc45df34ab7bf78fbec1bf8a59
8    b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy)
9    3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy)
10 ---
11  source3/librpc/crypto/gse.c         | 1 -
12  source3/libsmb/clifsinfo.c          | 2 +-
13  source4/auth/gensec/gensec_gssapi.c | 2 +-
14  source4/scripting/bin/nsupdate-gss  | 2 +-
15  4 files changed, 3 insertions(+), 4 deletions(-)
16
17 --- a/source3/librpc/crypto/gse.c
18 +++ b/source3/librpc/crypto/gse.c
19 @@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_
20         memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
21  
22         gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
23 -                               GSS_C_DELEG_FLAG |
24                                 GSS_C_DELEG_POLICY_FLAG |
25                                 GSS_C_REPLAY_FLAG |
26                                 GSS_C_SEQUENCE_FLAG;
27 --- a/source3/libsmb/clifsinfo.c
28 +++ b/source3/libsmb/clifsinfo.c
29 @@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC
30                                 &es->s.gss_state->gss_ctx,
31                                 srv_name,
32                                 GSS_C_NO_OID, /* default OID. */
33 -                               GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
34 +                               GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
35                                 GSS_C_INDEFINITE,       /* requested ticket lifetime. */
36                                 NULL,   /* no channel bindings */
37                                 p_tok_in,
38 --- a/source4/auth/gensec/gensec_gssapi.c
39 +++ b/source4/auth/gensec/gensec_gssapi.c
40 @@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru
41         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
42                 gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
43         }
44 -       if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
45 +       if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
46                 gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
47         }
48         if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
49 --- a/source4/scripting/bin/nsupdate-gss
50 +++ b/source4/scripting/bin/nsupdate-gss
51 @@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
52      my $flags = 
53         GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
54         GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
55 -       GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
56 +       GSS_C_INTEG_FLAG;
57  
58  
59      $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,