aboutsummaryrefslogtreecommitdiffstats
path: root/package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch
diff options
context:
space:
mode:
authorHauke Mehrtens <hauke@hauke-m.de>2018-04-01 15:48:47 +0200
committerHauke Mehrtens <hauke@hauke-m.de>2018-04-03 23:26:45 +0200
commit9aaa23ec8baa50b63d33466f3f353e43c473952a (patch)
tree4c25fb285469828b15d8f07a117ee5578da9a7e4 /package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch
parentd6d3db05436952f68f47d35df58ad5050b1f2d66 (diff)
downloadupstream-9aaa23ec8baa50b63d33466f3f353e43c473952a.tar.gz
upstream-9aaa23ec8baa50b63d33466f3f353e43c473952a.tar.bz2
upstream-9aaa23ec8baa50b63d33466f3f353e43c473952a.zip
samba36: fix some security problems
This Adds fixes for the following security problems based on debians patches: CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms CVE-2017-12163: Server memory information leak over SMB1 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should CVE-2018-1050: Denial of Service Attack on external print server. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Diffstat (limited to 'package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch')
-rw-r--r--package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch49
1 files changed, 49 insertions, 0 deletions
diff --git a/package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch b/package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch
new file mode 100644
index 0000000000..4c44243a63
--- /dev/null
+++ b/package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch
@@ -0,0 +1,49 @@
+From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Tue, 2 Jan 2018 15:56:03 -0800
+Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null
+ pointer derefs.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+---
+ source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+@@ -176,6 +176,11 @@ static void prune_printername_cache(void
+ static const char *canon_servername(const char *servername)
+ {
+ const char *pservername = servername;
++
++ if (servername == NULL) {
++ return "";
++ }
++
+ while (*pservername == '\\') {
+ pservername++;
+ }
+@@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru
+ return WERR_ACCESS_DENIED;
+ }
+
++ if (r->in.architecture == NULL || r->in.driver == NULL) {
++ return WERR_INVALID_ENVIRONMENT;
++ }
++
+ /* check that we have a valid driver name first */
+
+ if ((version = get_version_id(r->in.architecture)) == -1)
+@@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st
+ return WERR_ACCESS_DENIED;
+ }
+
++ if (r->in.architecture == NULL || r->in.driver == NULL) {
++ return WERR_INVALID_ENVIRONMENT;
++ }
++
+ /* check that we have a valid driver name first */
+ if (get_version_id(r->in.architecture) == -1) {
+ /* this is what NT returns */