mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-27 01:11:14 +00:00
9aaa23ec8b
This Adds fixes for the following security problems based on debians patches: CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms CVE-2017-12163: Server memory information leak over SMB1 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should CVE-2018-1050: Denial of Service Attack on external print server. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
60 lines
2.4 KiB
Diff
60 lines
2.4 KiB
Diff
From: =?utf-8?q?Guido_G=C3=BCnther?= <agx@sigxcpu.org>
|
|
Date: Wed, 28 Dec 2016 19:21:49 +0100
|
|
Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default
|
|
|
|
This is a backport of upstream commits
|
|
|
|
b1a056f77e793efc45df34ab7bf78fbec1bf8a59
|
|
b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy)
|
|
3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy)
|
|
---
|
|
source3/librpc/crypto/gse.c | 1 -
|
|
source3/libsmb/clifsinfo.c | 2 +-
|
|
source4/auth/gensec/gensec_gssapi.c | 2 +-
|
|
source4/scripting/bin/nsupdate-gss | 2 +-
|
|
4 files changed, 3 insertions(+), 4 deletions(-)
|
|
|
|
--- a/source3/librpc/crypto/gse.c
|
|
+++ b/source3/librpc/crypto/gse.c
|
|
@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_
|
|
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
|
|
|
|
gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
|
|
- GSS_C_DELEG_FLAG |
|
|
GSS_C_DELEG_POLICY_FLAG |
|
|
GSS_C_REPLAY_FLAG |
|
|
GSS_C_SEQUENCE_FLAG;
|
|
--- a/source3/libsmb/clifsinfo.c
|
|
+++ b/source3/libsmb/clifsinfo.c
|
|
@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC
|
|
&es->s.gss_state->gss_ctx,
|
|
srv_name,
|
|
GSS_C_NO_OID, /* default OID. */
|
|
- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
|
|
+ GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
|
|
GSS_C_INDEFINITE, /* requested ticket lifetime. */
|
|
NULL, /* no channel bindings */
|
|
p_tok_in,
|
|
--- a/source4/auth/gensec/gensec_gssapi.c
|
|
+++ b/source4/auth/gensec/gensec_gssapi.c
|
|
@@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(stru
|
|
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
|
|
gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
|
|
}
|
|
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
|
|
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
|
|
gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
|
|
}
|
|
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
|
|
--- a/source4/scripting/bin/nsupdate-gss
|
|
+++ b/source4/scripting/bin/nsupdate-gss
|
|
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
|
|
my $flags =
|
|
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
|
|
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
|
|
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
|
|
+ GSS_C_INTEG_FLAG;
|
|
|
|
|
|
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
|