diff options
Diffstat (limited to 'package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch')
-rw-r--r-- | package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch | 256 |
1 files changed, 256 insertions, 0 deletions
diff --git a/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch b/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch new file mode 100644 index 0000000000..5618fb4eff --- /dev/null +++ b/package/network/services/samba36/patches/026-CVE-2016-2115-v3-6.patch @@ -0,0 +1,256 @@ +From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher <metze@samba.org> +Date: Sat, 27 Feb 2016 03:43:58 +0100 +Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 + +Signed-off-by: Stefan Metzmacher <metze@samba.org> +Reviewed-by: Ralph Boehme <slow@samba.org> +--- + docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++ + docs-xml/smbdotconf/security/clientsigning.xml | 3 +++ + source3/include/proto.h | 1 + + source3/param/loadparm.c | 12 ++++++++++++ + 4 files changed, 39 insertions(+) + create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml + +--- /dev/null ++++ b/docs-xml/smbdotconf/security/clientipcsigning.xml +@@ -0,0 +1,23 @@ ++<samba:parameter name="client ipc signing" ++ context="G" ++ type="enum" ++ enumlist="enum_smb_signing_vals" ++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> ++<description> ++ <para>This controls whether the client is allowed or required to use SMB signing for IPC$ ++ connections as DCERPC transport inside of winbind. Possible values ++ are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> ++ and <emphasis>disabled</emphasis>. ++ </para> ++ ++ <para>When set to auto, SMB signing is offered, but not enforced and if set ++ to disabled, SMB signing is not offered either.</para> ++ ++ <para>Connections from winbindd to Active Directory Domain Controllers ++ always enforce signing.</para> ++</description> ++ ++<related>client signing</related> ++ ++<value type="default">mandatory</value> ++</samba:parameter> +--- a/docs-xml/smbdotconf/security/clientsigning.xml ++++ b/docs-xml/smbdotconf/security/clientsigning.xml +@@ -12,6 +12,9 @@ + <para>When set to auto, SMB signing is offered, but not enforced. + When set to mandatory, SMB signing is required and if set + to disabled, SMB signing is not offered either. ++ ++ <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the ++ <smbconfoption name="client ipc signing"/> option.</para> + </para> + </description> + +--- a/source3/include/proto.h ++++ b/source3/include/proto.h +@@ -1690,9 +1690,11 @@ int lp_winbind_cache_time(void); + int lp_winbind_reconnect_delay(void); + int lp_winbind_max_clients(void); + const char **lp_winbind_nss_info(void); ++bool lp_winbind_sealed_pipes(void); + int lp_algorithmic_rid_base(void); + int lp_name_cache_timeout(void); + int lp_client_signing(void); ++int lp_client_ipc_signing(void); + int lp_server_signing(void); + int lp_client_ldap_sasl_wrapping(void); + char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def); +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -215,6 +215,7 @@ struct global { + int winbind_expand_groups; + bool bWinbindRefreshTickets; + bool bWinbindOfflineLogon; ++ bool bWinbindSealedPipes; + bool bWinbindNormalizeNames; + bool bWinbindRpcOnly; + bool bCreateKrb5Conf; +@@ -366,6 +367,7 @@ struct global { + int restrict_anonymous; + int name_cache_timeout; + int client_signing; ++ int client_ipc_signing; + int server_signing; + int client_ldap_sasl_wrapping; + int iUsershareMaxShares; +@@ -2319,6 +2321,15 @@ static struct parm_struct parm_table[] = + .flags = FLAG_ADVANCED, + }, + { ++ .label = "client ipc signing", ++ .type = P_ENUM, ++ .p_class = P_GLOBAL, ++ .ptr = &Globals.client_ipc_signing, ++ .special = NULL, ++ .enum_list = enum_smb_signing_vals, ++ .flags = FLAG_ADVANCED, ++ }, ++ { + .label = "server signing", + .type = P_ENUM, + .p_class = P_GLOBAL, +@@ -4765,6 +4776,15 @@ static struct parm_struct parm_table[] = + .flags = FLAG_ADVANCED, + }, + { ++ .label = "winbind sealed pipes", ++ .type = P_BOOL, ++ .p_class = P_GLOBAL, ++ .ptr = &Globals.bWinbindSealedPipes, ++ .special = NULL, ++ .enum_list = NULL, ++ .flags = FLAG_ADVANCED, ++ }, ++ { + .label = "winbind normalize names", + .type = P_BOOL, + .p_class = P_GLOBAL, +@@ -5458,6 +5478,7 @@ static void init_globals(bool reinit_glo + Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL); + Globals.bWinbindRefreshTickets = False; + Globals.bWinbindOfflineLogon = False; ++ Globals.bWinbindSealedPipes = True; + + Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */ + Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */ +@@ -5470,6 +5491,7 @@ static void init_globals(bool reinit_glo + Globals.bClientUseSpnego = True; + + Globals.client_signing = Auto; ++ Globals.client_ipc_signing = Required; + Globals.server_signing = False; + + Globals.bDeferSharingViolations = True; +@@ -5736,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, + FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups) + FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets) + FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon) ++FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes) + FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames) + FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly) + FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf) +@@ -6071,6 +6094,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Glo + FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase) + FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout) + FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing) ++FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing) + FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing) + FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping) + +@@ -9700,6 +9724,20 @@ static bool lp_load_ex(const char *pszFn + lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1"); + } + ++ if (!lp_is_in_client()) { ++ switch (lp_client_ipc_signing()) { ++ case Required: ++ lp_set_cmdline("client signing", "mandatory"); ++ break; ++ case Auto: ++ lp_set_cmdline("client signing", "auto"); ++ break; ++ case False: ++ lp_set_cmdline("client signing", "disabled"); ++ break; ++ } ++ } ++ + init_iconv(); + + bAllowIncludeRegistry = true; +--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c ++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c +@@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(st + "", /* username */ + "", /* domain */ + "", /* password */ +- 0, lp_client_signing()); ++ 0, False); + + if ( !NT_STATUS_IS_OK( ret ) ) { + DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n", +--- /dev/null ++++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml +@@ -0,0 +1,15 @@ ++<samba:parameter name="winbind sealed pipes" ++ context="G" ++ type="boolean" ++ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> ++<description> ++ <para>This option controls whether any requests from winbindd to domain controllers ++ pipe will be sealed. Disabling sealing can be useful for debugging ++ purposes.</para> ++ ++ <para>The behavior can be controlled per netbios domain ++ by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para> ++</description> ++ ++<value type="default">yes</value> ++</samba:parameter> +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_ + TALLOC_FREE(conn->samr_pipe); + + anonymous: ++ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { ++ status = NT_STATUS_DOWNGRADE_DETECTED; ++ DEBUG(1, ("Unwilling to make SAMR connection to domain %s " ++ "without connection level security, " ++ "must set 'winbind sealed pipes = false' " ++ "to proceed: %s\n", ++ domain->name, nt_errstr(status))); ++ goto done; ++ } + + /* Finally fall back to anonymous. */ + status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id, +@@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_ + + anonymous: + ++ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { ++ result = NT_STATUS_DOWNGRADE_DETECTED; ++ DEBUG(1, ("Unwilling to make LSA connection to domain %s " ++ "without connection level security, " ++ "must set 'winbind sealed pipes = false' " ++ "to proceed: %s\n", ++ domain->name, nt_errstr(result))); ++ goto done; ++ } ++ + result = cli_rpc_pipe_open_noauth(conn->cli, + &ndr_table_lsarpc.syntax_id, + &conn->lsa_pipe); +@@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winb + + no_schannel: + if ((lp_client_schannel() == False) || +- ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { ++ ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { ++ if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { ++ result = NT_STATUS_DOWNGRADE_DETECTED; ++ DEBUG(1, ("Unwilling to make connection to domain %s " ++ "without connection level security, " ++ "must set 'winbind sealed pipes = false' " ++ "to proceed: %s\n", ++ domain->name, nt_errstr(result))); ++ TALLOC_FREE(netlogon_pipe); ++ invalidate_cm_connection(conn); ++ return result; ++ } + /* + * NetSamLogonEx only works for schannel + */ |