From 9aaa23ec8baa50b63d33466f3f353e43c473952a Mon Sep 17 00:00:00 2001 From: Hauke Mehrtens Date: Sun, 1 Apr 2018 15:48:47 +0200 Subject: samba36: fix some security problems This Adds fixes for the following security problems based on debians patches: CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in trusted realms CVE-2017-12163: Server memory information leak over SMB1 CVE-2017-12150: SMB1/2/3 connections may not require signing where they should CVE-2018-1050: Denial of Service Attack on external print server. Signed-off-by: Hauke Mehrtens --- .../samba36/patches/032-CVE-2018-1050-v3-6.patch | 49 ++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch (limited to 'package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch') diff --git a/package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch b/package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch new file mode 100644 index 0000000000..4c44243a63 --- /dev/null +++ b/package/network/services/samba36/patches/032-CVE-2018-1050-v3-6.patch @@ -0,0 +1,49 @@ +From 6cc45e3452194f312e04109cfdae047eb0719c7c Mon Sep 17 00:00:00 2001 +From: Jeremy Allison +Date: Tue, 2 Jan 2018 15:56:03 -0800 +Subject: [PATCH] CVE-2018-1050: s3: RPC: spoolss server. Protect against null + pointer derefs. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=11343 + +Signed-off-by: Jeremy Allison +--- + source3/rpc_server/spoolss/srv_spoolss_nt.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/source3/rpc_server/spoolss/srv_spoolss_nt.c ++++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c +@@ -176,6 +176,11 @@ static void prune_printername_cache(void + static const char *canon_servername(const char *servername) + { + const char *pservername = servername; ++ ++ if (servername == NULL) { ++ return ""; ++ } ++ + while (*pservername == '\\') { + pservername++; + } +@@ -2080,6 +2085,10 @@ WERROR _spoolss_DeletePrinterDriver(stru + return WERR_ACCESS_DENIED; + } + ++ if (r->in.architecture == NULL || r->in.driver == NULL) { ++ return WERR_INVALID_ENVIRONMENT; ++ } ++ + /* check that we have a valid driver name first */ + + if ((version = get_version_id(r->in.architecture)) == -1) +@@ -2225,6 +2234,10 @@ WERROR _spoolss_DeletePrinterDriverEx(st + return WERR_ACCESS_DENIED; + } + ++ if (r->in.architecture == NULL || r->in.driver == NULL) { ++ return WERR_INVALID_ENVIRONMENT; ++ } ++ + /* check that we have a valid driver name first */ + if (get_version_id(r->in.architecture) == -1) { + /* this is what NT returns */ -- cgit v1.2.3