1 files changed, 256 insertions, 0 deletions

diff --git a/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch b/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch
new file mode 100644
index 0000000000..5618fb4eff
--- /dev/null
+++ b/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch
@@ -0,0 +1,256 @@
+From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 27 Feb 2016 03:43:58 +0100
+Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Ralph Boehme <slow@samba.org>
+---
+ docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++
+ docs-xml/smbdotconf/security/clientsigning.xml    |  3 +++
+ source3/include/proto.h                           |  1 +
+ source3/param/loadparm.c                          | 12 ++++++++++++
+ 4 files changed, 39 insertions(+)
+ create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml
+
+--- /dev/null
++++ b/docs-xml/smbdotconf/security/clientipcsigning.xml
+@@ -0,0 +1,23 @@
++<samba:parameter name="client ipc signing"
++                 context="G"
++                 type="enum"
++                 enumlist="enum_smb_signing_vals"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++    <para>This controls whether the client is allowed or required to use SMB signing for IPC$
++    connections as DCERPC transport inside of winbind. Possible values
++    are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis>
++    and <emphasis>disabled</emphasis>.
++    </para>
++
++    <para>When set to auto, SMB signing is offered, but not enforced and if set
++    to disabled, SMB signing is not offered either.</para>
++
++    <para>Connections from winbindd to Active Directory Domain Controllers
++    always enforce signing.</para>
++</description>
++
++<related>client signing</related>
++
++<value type="default">mandatory</value>
++</samba:parameter>
+--- a/docs-xml/smbdotconf/security/clientsigning.xml
++++ b/docs-xml/smbdotconf/security/clientsigning.xml
+@@ -12,6 +12,9 @@
+     <para>When set to auto, SMB signing is offered, but not enforced. 
+     When set to mandatory, SMB signing is required and if set 
+ 	to disabled, SMB signing is not offered either.
++
++    <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the
++    <smbconfoption name="client ipc signing"/> option.</para>
+ </para>
+ </description>
+ 
+--- a/source3/include/proto.h
++++ b/source3/include/proto.h
+@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void);
+ int lp_winbind_reconnect_delay(void);
+ int lp_winbind_max_clients(void);
+ const char **lp_winbind_nss_info(void);
++bool lp_winbind_sealed_pipes(void);
+ int lp_algorithmic_rid_base(void);
+ int lp_name_cache_timeout(void);
+ int lp_client_signing(void);
++int lp_client_ipc_signing(void);
+ int lp_server_signing(void);
+ int lp_client_ldap_sasl_wrapping(void);
+ char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def);
+--- a/source3/param/loadparm.c
++++ b/source3/param/loadparm.c
+@@ -215,6 +215,7 @@ struct global {
+ 	int  winbind_expand_groups;
+ 	bool bWinbindRefreshTickets;
+ 	bool bWinbindOfflineLogon;
++	bool bWinbindSealedPipes;
+ 	bool bWinbindNormalizeNames;
+ 	bool bWinbindRpcOnly;
+ 	bool bCreateKrb5Conf;
+@@ -366,6 +367,7 @@ struct global {
+ 	int restrict_anonymous;
+ 	int name_cache_timeout;
+ 	int client_signing;
++	int client_ipc_signing;
+ 	int server_signing;
+ 	int client_ldap_sasl_wrapping;
+ 	int iUsershareMaxShares;
+@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] =
+ 		.flags		= FLAG_ADVANCED,
+ 	},
+ 	{
++		.label		= "client ipc signing",
++		.type		= P_ENUM,
++		.p_class	= P_GLOBAL,
++		.ptr		= &Globals.client_ipc_signing,
++		.special	= NULL,
++		.enum_list	= enum_smb_signing_vals,
++		.flags		= FLAG_ADVANCED,
++	},
++	{
+ 		.label		= "server signing",
+ 		.type		= P_ENUM,
+ 		.p_class	= P_GLOBAL,
+@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] =
+ 		.flags		= FLAG_ADVANCED,
+ 	},
+ 	{
++		.label		= "winbind sealed pipes",
++		.type		= P_BOOL,
++		.p_class	= P_GLOBAL,
++		.ptr		= &Globals.bWinbindSealedPipes,
++		.special	= NULL,
++		.enum_list	= NULL,
++		.flags		= FLAG_ADVANCED,
++	},
++	{
+ 		.label		= "winbind normalize names",
+ 		.type		= P_BOOL,
+ 		.p_class	= P_GLOBAL,
+@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo
+ 	Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL);
+ 	Globals.bWinbindRefreshTickets = False;
+ 	Globals.bWinbindOfflineLogon = False;
++	Globals.bWinbindSealedPipes = True;
+ 
+ 	Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */
+ 	Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */
+@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo
+ 	Globals.bClientUseSpnego = True;
+ 
+ 	Globals.client_signing = Auto;
++	Globals.client_ipc_signing = Required;
+ 	Globals.server_signing = False;
+ 
+ 	Globals.bDeferSharingViolations = True;
+@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups,
+ FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups)
+ FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets)
+ FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon)
++FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes)
+ FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames)
+ FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly)
+ FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf)
+@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo
+ FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase)
+ FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout)
+ FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing)
++FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing)
+ FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing)
+ FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping)
+ 
+@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn
+ 		lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1");
+ 	}
+ 
++	if (!lp_is_in_client()) {
++		switch (lp_client_ipc_signing()) {
++		case Required:
++			lp_set_cmdline("client signing", "mandatory");
++			break;
++		case Auto:
++			lp_set_cmdline("client signing", "auto");
++			break;
++		case False:
++			lp_set_cmdline("client signing", "disabled");
++			break;
++		}
++	}
++
+ 	init_iconv();
+ 
+ 	bAllowIncludeRegistry = true;
+--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c
++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c
+@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st
+ 		"", /* username */
+ 		"", /* domain */
+ 		"", /* password */
+-		0, lp_client_signing());
++		0, False);
+ 
+ 	if ( !NT_STATUS_IS_OK( ret ) ) {
+ 		DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n",
+--- /dev/null
++++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml
+@@ -0,0 +1,15 @@
++<samba:parameter name="winbind sealed pipes"
++                 context="G"
++                 type="boolean"
++                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
++<description>
++	<para>This option controls whether any requests from winbindd to domain controllers
++		pipe will be sealed. Disabling sealing can be useful for debugging
++		purposes.</para>
++
++	<para>The behavior can be controlled per netbios domain
++	by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para>
++</description>
++
++<value type="default">yes</value>
++</samba:parameter>
+--- a/source3/winbindd/winbindd_cm.c
++++ b/source3/winbindd/winbindd_cm.c
+@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_
+ 	TALLOC_FREE(conn->samr_pipe);
+ 
+  anonymous:
++	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
++		status = NT_STATUS_DOWNGRADE_DETECTED;
++		DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
++			  "without connection level security, "
++			  "must set 'winbind sealed pipes = false' "
++			  "to proceed: %s\n",
++			  domain->name, nt_errstr(status)));
++		goto done;
++	}
+ 
+ 	/* Finally fall back to anonymous. */
+ 	status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id,
+@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_
+ 
+  anonymous:
+ 
++	if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
++		result = NT_STATUS_DOWNGRADE_DETECTED;
++		DEBUG(1, ("Unwilling to make LSA connection to domain %s "
++			  "without connection level security, "
++			  "must set 'winbind sealed pipes = false' "
++			  "to proceed: %s\n",
++			  domain->name, nt_errstr(result)));
++		goto done;
++	}
++
+ 	result = cli_rpc_pipe_open_noauth(conn->cli,
+ 					  &ndr_table_lsarpc.syntax_id,
+ 					  &conn->lsa_pipe);
+@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb
+ 
+  no_schannel:
+ 	if ((lp_client_schannel() == False) ||
+-			((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
++		((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) {
++		if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) {
++			result = NT_STATUS_DOWNGRADE_DETECTED;
++			DEBUG(1, ("Unwilling to make connection to domain %s "
++				  "without connection level security, "
++				  "must set 'winbind sealed pipes = false' "
++				  "to proceed: %s\n",
++				  domain->name, nt_errstr(result)));
++			TALLOC_FREE(netlogon_pipe);
++			invalidate_cm_connection(conn);
++			return result;
++		}
+ 		/*
+ 		 * NetSamLogonEx only works for schannel
+ 		 */