[Pkg-samba-maint] [samba] 02/03: Imported Debian patch 2:3.6.6-6+deb7u11

Roberto C. Sanchez roberto at moszumanska.debian.org
Sat May 20 20:32:00 UTC 2017


This is an automated email from the git hooks/post-receive script.

roberto pushed a commit to branch wheezy
in repository samba.

commit 715d2801fb4d9327c3f911e50e28b19a6e49fa6f
Author: Guido Günther <agx at sigxcpu.org>
Date:   Fri Dec 30 18:27:10 2016 +0100

    Imported Debian patch 2:3.6.6-6+deb7u11
---
 debian/changelog                                   |  8 +++
 ...6-2125-Don-t-pass-GSS_C_DELEG_FLAG-by-def.patch | 67 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 76 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 62dfeda..b9b8b2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+samba (2:3.6.6-6+deb7u11) wheezy-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2016-2125: Unconditional privilege delegation to Kerberos servers in
+    trusted realms
+
+ -- Guido Günther <agx at sigxcpu.org>  Fri, 30 Dec 2016 18:27:10 +0100
+
 samba (2:3.6.6-6+deb7u10) wheezy-security; urgency=high
 
   [ Andrew Bartlett ]
diff --git a/debian/patches/security-CVE-2016-2125-Don-t-pass-GSS_C_DELEG_FLAG-by-def.patch b/debian/patches/security-CVE-2016-2125-Don-t-pass-GSS_C_DELEG_FLAG-by-def.patch
new file mode 100644
index 0000000..0f221bd
--- /dev/null
+++ b/debian/patches/security-CVE-2016-2125-Don-t-pass-GSS_C_DELEG_FLAG-by-def.patch
@@ -0,0 +1,67 @@
+From: =?utf-8?q?Guido_G=C3=BCnther?= <agx at sigxcpu.org>
+Date: Wed, 28 Dec 2016 19:21:49 +0100
+Subject: security-CVE-2016-2125: Don't pass GSS_C_DELEG_FLAG by default
+
+This is a backport of upstream commits
+
+   b1a056f77e793efc45df34ab7bf78fbec1bf8a59
+   b83897ae49fdee1fda73c10c7fe73362bfaba690 (code not used in wheezy)
+   3106964a640ddf6a3c08c634ff586a814f94dff8 (code not used in wheezy)
+---
+ source3/librpc/crypto/gse.c         | 1 -
+ source3/libsmb/clifsinfo.c          | 2 +-
+ source4/auth/gensec/gensec_gssapi.c | 2 +-
+ source4/scripting/bin/nsupdate-gss  | 2 +-
+ 4 files changed, 3 insertions(+), 4 deletions(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 02fb0f6..211ca77 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -162,7 +162,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+ 
+ 	gse_ctx->gss_c_flags = GSS_C_MUTUAL_FLAG |
+-				GSS_C_DELEG_FLAG |
+ 				GSS_C_DELEG_POLICY_FLAG |
+ 				GSS_C_REPLAY_FLAG |
+ 				GSS_C_SEQUENCE_FLAG;
+diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c
+index 1d66eb4..34ebc20 100644
+--- a/source3/libsmb/clifsinfo.c
++++ b/source3/libsmb/clifsinfo.c
+@@ -726,7 +726,7 @@ static NTSTATUS make_cli_gss_blob(TALLOC_CTX *ctx,
+ 				&es->s.gss_state->gss_ctx,
+ 				srv_name,
+ 				GSS_C_NO_OID, /* default OID. */
+-				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_FLAG,
++				GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG | GSS_C_DELEG_POLICY_FLAG,
+ 				GSS_C_INDEFINITE,	/* requested ticket lifetime. */
+ 				NULL,   /* no channel bindings */
+ 				p_tok_in,
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index 307a507..0875a67 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -172,7 +172,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
+ 		gensec_gssapi_state->want_flags |= GSS_C_MUTUAL_FLAG;
+ 	}
+-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
++	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
+ 		gensec_gssapi_state->want_flags |= GSS_C_DELEG_FLAG;
+ 	}
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
+diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
+index dec5916..509220d 100755
+--- a/source4/scripting/bin/nsupdate-gss
++++ b/source4/scripting/bin/nsupdate-gss
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+     my $flags = 
+ 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
+ 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
+-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++	GSS_C_INTEG_FLAG;
+ 
+ 
+     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
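Review bot: The backport treats delegation differently across the four embedded hunks: `gse.c` keeps `GSS_C_DELEG_POLICY_FLAG` and `clifsinfo.c` switches to it, while `gensec_gssapi.c` only flips the `delegation` default to `false` and, in the visible lines, never requests `GSS_C_DELEG_POLICY_FLAG`, and `nsupdate-gss` drops delegation outright. If that split is intentional it deserves a sentence in the patch header, because source4 GENSEC clients that relied on forwarded credentials now get none unless the `gensec_gssapi` `delegation` setting is turned on explicitly, which brings back the unconditional forwarding the CVE describes. The new use of `GSS_C_DELEG_POLICY_FLAG` in `make_cli_gss_blob` is also unguarded; if this tree can still build against GSSAPI headers that lack the flag (not visible here), wrap it in `#ifdef GSS_C_DELEG_POLICY_FLAG`. A short comment at each site, such as `/* delegate only when the KDC marks the service ticket ok-as-delegate */`, would record why the policy flag is used instead of `GSS_C_DELEG_FLAG`. All four functions continue outside their hunks.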
diff --git a/debian/patches/series b/debian/patches/series
index 22a24a2..e576e83 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -52,3 +52,4 @@ CVE-2015-5370-v3-6.patch
 netlogon_credentials_regression.patch
 bug9669_regression.patch
 fix_netapp.patch
+security-CVE-2016-2125-Don-t-pass-GSS_C_DELEG_FLAG-by-def.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-samba/samba.git



