webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-21 08:22:59 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/next' into kernel-4.14

Browse Source
This commit is contained in:
Arne Fitzenreiter
2017-11-29 17:37:51 +01:00
parent f952832418 a679c56367
commit 5b117ef49a
131 changed files with 9827 additions and 13353 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
src/initscripts/packages/pound
View File

@@ -1,39 +0,0 @@
#!/bin/sh
########################################################################
# Begin $rc_base/init.d/pound
#
# Description : pound reverse-proxy
#
########################################################################
. /etc/sysconfig/rc
. ${rc_functions}
case "${1}" in
start)
boot_mesg "Starting pound reverse-proxy..."
loadproc /usr/sbin/pound
;;
stop)
boot_mesg "Stopping pound reverse-proxy..."
killproc /usr/sbin/pound
;;
restart)
${0} stop
sleep 1
${0} start
;;
status)
statusproc /usr/sbin/pound
;;
*)
echo "Usage: ${0} {start|stop|restart|status}"
exit 1
;;
esac
# End $rc_base/init.d/pound

45
src/initscripts/packages/vsftpd
View File

@@ -1,45 +0,0 @@
#!/bin/sh
# Begin $rc_base/init.d/vsftpd
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
#$LastChangedBy: bdubbs $
#$Date: 2005-08-01 14:29:19 -0500 (Mon, 01 Aug 2005) $
. /etc/sysconfig/rc
. $rc_functions
case "$1" in
start)
boot_mesg "Starting vsFTPD Server..."
loadproc /usr/sbin/vsftpd
;;
stop)
boot_mesg "Stopping vsFTPD Server..."
killproc /usr/sbin/vsftpd
;;
reload)
boot_mesg "Reloading vsFTPD Server..."
reloadproc /usr/sbin/vsftpd
;;
restart)
$0 stop
sleep 1
$0 start
;;
status)
statusproc /usr/sbin/vsftpd
;;
*)
echo "Usage: $0 {start|stop|reload|restart|status}"
exit 1
;;
esac
# End $rc_base/init.d/vsftpd

4
src/initscripts/system/apache
View File

@@ -11,6 +11,7 @@ generate_certificates() {
if [ ! -f "/etc/httpd/server.key" ]; then
boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
chmod 600 /etc/httpd/server.key
evaluate_retval
fi
@@ -18,6 +19,7 @@ generate_certificates() {
boot_mesg "Generating HTTPS ECDSA server key..."
openssl ecparam -genkey -name secp384r1 -noout \
-out /etc/httpd/server-ecdsa.key &>/dev/null
chmod 600 /etc/httpd/server-ecdsa.key
evaluate_retval
fi
@@ -66,7 +68,7 @@ case "$1" in
stop)
boot_mesg "Stopping Apache daemon..."
/usr/sbin/apachectl -k stop
killproc /usr/sbin/httpd
evaluate_retval
;;

8
src/initscripts/system/firewall
View File

@@ -310,6 +310,10 @@ iptables_init() {
iptables -t nat -N NAT_SOURCE
iptables -t nat -A POSTROUTING -j NAT_SOURCE
# Captive Portal
iptables -t nat -N CAPTIVE_PORTAL
iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL
# Custom prerouting chains (for transparent proxy)
iptables -t nat -N SQUID
iptables -t nat -A PREROUTING -j SQUID
@@ -344,10 +348,6 @@ iptables_init() {
iptables -N UPNPFW
iptables -A FORWARD -m conntrack --ctstate NEW -j UPNPFW
# Captive Portal
iptables -t nat -N CAPTIVE_PORTAL
iptables -t nat -A PREROUTING -j CAPTIVE_PORTAL
# RED chain, used for the red interface
iptables -N REDINPUT
iptables -A INPUT -j REDINPUT

2
src/initscripts/system/unbound
View File

@@ -61,7 +61,7 @@ read_name_servers() {
local i
for i in 1 2; do
echo "$(</var/ipfire/red/dns${i})"
done | xargs echo
done 2>/dev/null | xargs echo
}
config_header() {

28
src/misc-progs/syslogdctrl.c
View File

@@ -27,18 +27,19 @@
#define ERR_ANY 1
#define ERR_SETTINGS 2 /* error in settings file */
#define ERR_ETC 3 /* error with /etc permissions */
#define ERR_CONFIG 4 /* error updated sshd_config */
#define ERR_CONFIG 4 /* error updating syslogd config */
#define ERR_SYSLOG 5 /* error restarting syslogd */
int main(void)
{
char buffer[STRING_SIZE], command[STRING_SIZE], hostname[STRING_SIZE];
char buffer[STRING_SIZE], command[STRING_SIZE], hostname[STRING_SIZE], protocol[STRING_SIZE];
char varmessages[STRING_SIZE], asynclog[STRING_SIZE];
int config_fd,rc,fd,pid;
struct stat st;
struct keyvalue *kv = NULL;
memset(buffer, 0, STRING_SIZE);
memset(hostname, 0, STRING_SIZE);
memset(protocol, 0, STRING_SIZE);
memset(varmessages, 0, STRING_SIZE);
memset(asynclog, 0, STRING_SIZE);
@@ -67,6 +68,12 @@ int main(void)
exit(ERR_SETTINGS);
}
if (!findkey(kv, "REMOTELOG_PROTOCOL", protocol))
{
/* fall back to UDP if no protocol was given */
protocol = "udp";
}
if (strspn(hostname, VALID_FQDN) != strlen(hostname))
{
fprintf(stderr, "Bad REMOTELOG_ADDR: %s\n", hostname);
@@ -106,9 +113,24 @@ int main(void)
}
if (!strcmp(buffer,"on"))
snprintf(buffer, STRING_SIZE - 1, "/bin/sed -e 's/^#\\?\\(\\*\\.\\*[[:blank:]]\\+@\\).\\+$/\\1%s/' /etc/syslog.conf >&%d", hostname, config_fd );
{
/* check which transmission protocol was given */
if (strcmp(protocol, "tcp") == 0)
{
/* write line for TCP */
snprintf(buffer, STRING_SIZE - 1, "/bin/sed -e 's/^#\\?\\(\\*\\.\\*[[:blank:]]\\+@@\\).\\+$/\\1%s/' /etc/syslog.conf >&%d", hostname, config_fd );
}
else
{
/* write line for UDP */
snprintf(buffer, STRING_SIZE - 1, "/bin/sed -e 's/^#\\?\\(\\*\\.\\*[[:blank:]]\\+@\\).\\+$/\\1%s/' /etc/syslog.conf >&%d", hostname, config_fd );
}
}
else
{
/* if remote syslog has been disabled */
snprintf(buffer, STRING_SIZE - 1, "/bin/sed -e 's/^#\\?\\(\\*\\.\\*[[:blank:]]\\+@.\\+\\)$/#\\1/' /etc/syslog.conf >&%d", config_fd );
}
/* if the return code isn't 0 failsafe */
if ((rc = unpriv_system(buffer,99,99)) != 0)

4
src/pakfire/lib/functions.pl
View File

@@ -34,8 +34,8 @@ use Net::Ping;
package Pakfire;
# GPG Keys
my $myid = "64D96617"; # Our own gpg-key paks@ipfire.org
my $trustid = "65D0FD58"; # gpg-key of CaCert
my $myid = "179740DC4D8C47DC63C099C74BDE364C64D96617"; # Our own gpg-key paks@ipfire.org
my $trustid = "A31D4F81EF4EBD07B456FA04D2BB0D0165D0FD58"; # gpg-key of CaCert
# A small color-hash :D
my %color;

32
src/paks/pound/install.sh
View File

@@ -1,32 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
extract_files
restore_backup ${NAME}
ln -svf ../init.d/pound /etc/rc.d/rc0.d/K20pound
ln -svf ../init.d/pound /etc/rc.d/rc3.d/S40pound
ln -svf ../init.d/pound /etc/rc.d/rc6.d/K20pound
start_service --background ${NAME}

29
src/paks/pound/uninstall.sh
View File

@@ -1,29 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
stop_service ${NAME}
make_backup ${NAME}
remove_files
rm -rf /etc/rc.d/rc*.d/*pound

26
src/paks/pound/update.sh
View File

@@ -1,26 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
./uninstall.sh
./install.sh

29
src/paks/vsftpd/install.sh
View File

@@ -1,29 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
extract_files
restore_backup ${NAME}
# Disable vsftpd by default due to lack of configuration file
mkdir -p /etc/rc.d/rc3.d/off
mv -f /etc/rc.d/rc3.d/S??${NAME} /etc/rc.d/rc3.d/off

41
src/paks/vsftpd/uninstall.sh
View File

@@ -1,41 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
stop_service ${NAME}
#Create a backupinclude if it not exist
if [ ! -e "/var/ipfire/backup/addons/includes/vsftpd" ]; then
echo /etc/vsftpd.conf > /var/ipfire/backup/addons/includes/vsftpd
echo /etc/vsftpd.user_list >> /var/ipfire/backup/addons/includes/vsftpd
fi
#Fix wrong backupinclude
sed -i 's|^etc|/etc|g' /var/ipfire/backup/addons/includes/vsftpd
make_backup ${NAME}
#Remove userdate from rootfile
cat /opt/pakfire/db/rootfiles/vsftpd | \
grep -v "home/ftp" | \
grep -v "var/ftp" > /opt/pakfire/db/rootfiles/vsftpd.tmp
mv /opt/pakfire/db/rootfiles/vsftpd.tmp /opt/pakfire/db/rootfiles/vsftpd
remove_files

28
src/paks/vsftpd/update.sh
View File

@@ -1,28 +0,0 @@
#!/bin/bash
############################################################################
# #
# This file is part of the IPFire Firewall. #
# #
# IPFire is free software; you can redistribute it and/or modify #
# it under the terms of the GNU General Public License as published by #
# the Free Software Foundation; either version 2 of the License, or #
# (at your option) any later version. #
# #
# IPFire is distributed in the hope that it will be useful, #
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
# GNU General Public License for more details. #
# #
# You should have received a copy of the GNU General Public License #
# along with IPFire; if not, write to the Free Software #
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA #
# #
# Copyright (C) 2007 IPFire-Team <info@ipfire.org>. #
# #
############################################################################
#
. /opt/pakfire/lib/functions.sh
./uninstall.sh
extract_files
restore_backup ${NAME}
start_service --background ${NAME}

102
src/patches/samba/CVE-2017-12150-v3-6.patch Normal file
View File

@@ -0,0 +1,102 @@
From d3198caa7a8910a9ce1eb4104d5b410ef29ac2bb Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 3 Nov 2016 17:16:43 +0100
Subject: [PATCH 1/3] CVE-2017-12150: s3:lib:
get_cmdline_auth_info_signing_state use Required for smb_encrypt
This is an addition to the fixes for CVE-2015-5296.
It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
---
source3/lib/util_cmdline.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
index cb0b79a5d30..3178c848b63 100644
--- a/source3/lib/util_cmdline.c
+++ b/source3/lib/util_cmdline.c
@@ -122,6 +122,9 @@ bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
{
+ if (auth_info->smb_encrypt) {
+ return Required;
+ }
return auth_info->signing_state;
}
--
2.14.1
From bb762a74c81159633f904f8fb67b49bab74a0b9c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 05:49:46 +0100
Subject: [PATCH 2/3] CVE-2017-12150: libgpo: make use of Required for SMB
signing in gpo_connect_server()
It's important that we use a signed connection to get the GPOs!
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
---
libgpo/gpo_fetch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
index 3cfe1d5b942..af012e01336 100644
--- a/libgpo/gpo_fetch.c
+++ b/libgpo/gpo_fetch.c
@@ -151,7 +151,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads, struct loadparm_context *lp_
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS |
CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
- Undefined);
+ Required);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
--
2.14.1
From 070b0fb9ebb57cdbc2b82e335de021fb46bc543c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2016 06:07:56 +0100
Subject: [PATCH 3/3] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
authentication was not requested
With forced encryption or required signing we should also don't fallback.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Backported-by: Andreas Schneider <asn@samba.org>
---
source3/libsmb/clidfs.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index 23e147120f1..120a2c999ce 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -197,7 +197,9 @@ static struct cli_state *do_connect(TALLOC_CTX *ctx,
/* If a password was not supplied then
* try again with a null username. */
if (password[0] || !username[0] ||
+ force_encrypt || client_is_signing_mandatory(c) ||
get_cmdline_auth_info_use_kerberos(auth_info) ||
+ get_cmdline_auth_info_use_ccache(auth_info) ||
!NT_STATUS_IS_OK(cli_session_setup(c, "",
"", 0,
"", 0,
--
2.14.1

141
src/patches/samba/CVE-2017-12163.patch Normal file
View File

@@ -0,0 +1,141 @@
From 9f1a51917649795123bedbefdea678317d392b48 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 8 Sep 2017 10:13:14 -0700
Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
writing server memory to file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
---
source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 50 insertions(+)
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 1583c2358bb..9625670d653 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -3977,6 +3977,9 @@ void reply_writebraw(struct smb_request *req)
}
/* Ensure we don't write bytes past the end of this packet. */
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
error_to_writebrawerr(req);
@@ -4078,6 +4081,11 @@ void reply_writebraw(struct smb_request *req)
exit_server_cleanly("secondary writebraw failed");
}
+ /*
+ * We are not vulnerable to CVE-2017-12163
+ * here as we are guarenteed to have numtowrite
+ * bytes available - we just read from the client.
+ */
nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
if (nwritten == -1) {
TALLOC_FREE(buf);
@@ -4159,6 +4167,7 @@ void reply_writeunlock(struct smb_request *req)
connection_struct *conn = req->conn;
ssize_t nwritten = -1;
size_t numtowrite;
+ size_t remaining;
SMB_OFF_T startpos;
const char *data;
NTSTATUS status = NT_STATUS_OK;
@@ -4191,6 +4200,17 @@ void reply_writeunlock(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteunlock);
+ return;
+ }
+
if (!fsp->print_file && numtowrite > 0) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4272,6 +4292,7 @@ void reply_write(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
SMB_OFF_T startpos;
const char *data;
@@ -4312,6 +4333,17 @@ void reply_write(struct smb_request *req)
startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
data = (const char *)req->buf + 3;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwrite);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -4523,6 +4555,9 @@ void reply_write_and_X(struct smb_request *req)
return;
}
} else {
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
smb_doff + numtowrite > smblen) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
@@ -4892,6 +4927,7 @@ void reply_writeclose(struct smb_request *req)
{
connection_struct *conn = req->conn;
size_t numtowrite;
+ size_t remaining;
ssize_t nwritten = -1;
NTSTATUS close_status = NT_STATUS_OK;
SMB_OFF_T startpos;
@@ -4925,6 +4961,17 @@ void reply_writeclose(struct smb_request *req)
mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
data = (const char *)req->buf + 1;
+ /*
+ * Ensure client isn't asking us to write more than
+ * they sent. CVE-2017-12163.
+ */
+ remaining = smbreq_bufrem(req, data);
+ if (numtowrite > remaining) {
+ reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ END_PROFILE(SMBwriteclose);
+ return;
+ }
+
if (!fsp->print_file) {
init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
@@ -5495,6 +5542,9 @@ void reply_printwrite(struct smb_request *req)
numtowrite = SVAL(req->buf, 1);
+ /*
+ * This already protects us against CVE-2017-12163.
+ */
if (req->buflen < numtowrite + 3) {
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBsplwr);
--
2.13.5

45
src/patches/samba/CVE-2017-15275.patch Normal file
View File

@@ -0,0 +1,45 @@
From c1a22e59f87783d88dfbaeeb132b89be166b2754 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Wed, 20 Sep 2017 11:04:50 -0700
Subject: [PATCH 2/2] s3: smbd: Chain code can return uninitialized memory when
talloc buffer is grown.
Ensure we zero out unused grown area.
CVE-2017-15275
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13077
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/smbd/srvstr.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/source3/smbd/srvstr.c b/source3/smbd/srvstr.c
index 56dceba8c6c..c2d70b32c32 100644
--- a/source3/smbd/srvstr.c
+++ b/source3/smbd/srvstr.c
@@ -110,6 +110,20 @@ ssize_t message_push_string(uint8_t **outbuf, const char *str, int flags)
DEBUG(0, ("srvstr_push failed\n"));
return -1;
}
+
+ /*
+ * Ensure we clear out the extra data we have
+ * grown the buffer by, but not written to.
+ */
+ if (buf_size + result < buf_size) {
+ return -1;
+ }
+ if (grow_size < result) {
+ return -1;
+ }
+
+ memset(tmp + buf_size + result, '\0', grow_size - result);
+
set_message_bcc((char *)tmp, smb_buflen(tmp) + result);
*outbuf = tmp;
--
2.11.0

1328
src/patches/samba/CVE-2017-2619.patch Normal file
View File

File diff suppressed because it is too large Load Diff

432
src/patches/samba/samba-3.6.99-winbind_fix_trusted_domain_handling.patch Normal file
View File

@@ -0,0 +1,432 @@
From a280f61d71d5ea7e2212d253b84ac5b25810b88e Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri@samba.org>
Date: Wed, 10 Feb 2016 00:26:45 +0200
Subject: [PATCH 1/4] winbindd: introduce add_trusted_domain_from_tdc()
This is purely a refactoring patch -
Add a routine that adds a winbindd domain object based on
domain trust cache entry. add_trusted_domain() becomes
a wrapper for this new routine.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/winbindd/winbindd_util.c | 76 +++++++++++++++++++++++++---------------
1 file changed, 48 insertions(+), 28 deletions(-)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 353722e..70a9041 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -30,6 +30,10 @@
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
+static struct winbindd_domain *
+add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
+ struct winbindd_methods *methods);
+
extern struct winbindd_methods cache_methods;
/**
@@ -91,11 +95,31 @@ static bool is_in_internal_domain(const struct dom_sid *sid)
/* Add a trusted domain to our list of domains.
If the domain already exists in the list,
- return it and don't re-initialize.
- */
-static struct winbindd_domain *add_trusted_domain(const char *domain_name, const char *alt_name,
- struct winbindd_methods *methods,
- const struct dom_sid *sid)
+ return it and don't re-initialize. */
+
+static struct winbindd_domain *
+add_trusted_domain(const char *domain_name, const char *alt_name,
+ struct winbindd_methods *methods, const struct dom_sid *sid)
+{
+ struct winbindd_tdc_domain tdc;
+
+ ZERO_STRUCT(tdc);
+
+ tdc.domain_name = domain_name;
+ tdc.dns_name = alt_name;
+ if (sid) {
+ sid_copy(&tdc.sid, sid);
+ }
+
+ return add_trusted_domain_from_tdc(&tdc, methods);
+}
+
+/* Add a trusted domain out of a trusted domain cache
+ entry
+*/
+static struct winbindd_domain *
+add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
+ struct winbindd_methods *methods)
{
struct winbindd_domain *domain;
const char *alternative_name = NULL;
@@ -103,6 +127,12 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
const char *param;
const char **ignored_domains, **dom;
int role = lp_server_role();
+ const char *domain_name = tdc->domain_name;
+ const struct dom_sid *sid = &tdc->sid;
+
+ if (is_null_sid(sid)) {
+ sid = NULL;
+ }
ignored_domains = lp_parm_string_list(-1, "winbind", "ignore domains", NULL);
for (dom=ignored_domains; dom && *dom; dom++) {
@@ -114,8 +144,8 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
/* ignore alt_name if we are not in an AD domain */
- if ( (lp_security() == SEC_ADS) && alt_name && *alt_name) {
- alternative_name = alt_name;
+ if (tdc->dns_name && *tdc->dns_name) {
+ alternative_name = tdc->dns_name;
}
/* We can't call domain_list() as this function is called from
@@ -127,8 +157,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
break;
}
- if (alternative_name && *alternative_name)
- {
+ if (alternative_name) {
if (strequal(alternative_name, domain->name) ||
strequal(alternative_name, domain->alt_name))
{
@@ -136,12 +165,7 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
}
}
- if (sid)
- {
- if (is_null_sid(sid)) {
- continue;
- }
-
+ if (sid != NULL) {
if (dom_sid_equal(sid, &domain->sid)) {
break;
}
@@ -191,11 +215,11 @@ static struct winbindd_domain *add_trusted_domain(const char *domain_name, const
domain->internal = is_internal_domain(sid);
domain->sequence_number = DOM_SEQUENCE_NONE;
domain->last_seq_check = 0;
- domain->initialized = False;
+ domain->initialized = false;
domain->online = is_internal_domain(sid);
domain->check_online_timeout = 0;
domain->dc_probe_pid = (pid_t)-1;
- if (sid) {
+ if (sid != NULL) {
sid_copy(&domain->sid, sid);
}
@@ -246,9 +270,9 @@ done:
setup_domain_child(domain);
- DEBUG(2,("Added domain %s %s %s\n",
- domain->name, domain->alt_name,
- &domain->sid?sid_string_dbg(&domain->sid):""));
+ DEBUG(2,
+ ("Added domain %s %s %s\n", domain->name, domain->alt_name,
+ !is_null_sid(&domain->sid) ? sid_string_dbg(&domain->sid) : ""));
return domain;
}
@@ -432,10 +456,8 @@ static void rescan_forest_root_trusts( void )
d = find_domain_from_name_noinit( dom_list[i].domain_name );
if ( !d ) {
- (void)add_trusted_domain( dom_list[i].domain_name,
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid);
+ d = add_trusted_domain_from_tdc(&dom_list[i],
+ &cache_methods);
}
if (d == NULL) {
@@ -501,10 +523,8 @@ static void rescan_forest_trusts( void )
about it */
if ( !d ) {
- (void)add_trusted_domain( dom_list[i].domain_name,
- dom_list[i].dns_name,
- &cache_methods,
- &dom_list[i].sid);
+ d = add_trusted_domain_from_tdc(&dom_list[i],
+ &cache_methods);
}
if (d == NULL) {
--
2.9.4
From 153f173eea81ffa1caa4768589a08bb20a6a1950 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 23 Dec 2014 09:43:03 +0000
Subject: [PATCH 2/4] s3:winbindd: mark our primary as active_directory if
possible
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
---
source3/winbindd/winbindd_util.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 70a9041..700076a 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -232,6 +232,12 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
domain->primary = true;
}
+ if (domain->primary) {
+ if (lp_security() == SEC_ADS) {
+ domain->active_directory = true;
+ }
+ }
+
/* Link to domain list */
DLIST_ADD_END(_domain_list, domain, struct winbindd_domain *);
--
2.9.4
From 5d741ee3d1dafbb32c106fed817840892b69598d Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri@samba.org>
Date: Wed, 10 Feb 2016 00:32:23 +0200
Subject: [PATCH 3/4] winbindd: initialize foreign domain as AD based on trust
Based on trust parameters, initialize the active_directory
member of domain object to true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
source3/winbindd/winbindd_util.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index 700076a..aaa9ee8 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -222,6 +222,9 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
if (sid != NULL) {
sid_copy(&domain->sid, sid);
}
+ domain->domain_flags = tdc->trust_flags;
+ domain->domain_type = tdc->trust_type;
+ domain->domain_trust_attribs = tdc->trust_attribs;
/* Is this our primary domain ? */
if (strequal(domain_name, get_global_sam_name()) &&
@@ -236,6 +239,10 @@ add_trusted_domain_from_tdc(const struct winbindd_tdc_domain *tdc,
if (lp_security() == SEC_ADS) {
domain->active_directory = true;
}
+ } else if (!domain->internal) {
+ if (domain->domain_type == LSA_TRUST_TYPE_UPLEVEL) {
+ domain->active_directory = true;
+ }
}
/* Link to domain list */
--
2.9.4
From a8ac7dcae2e3b00362ea9d91b5ef7f149bc734a0 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri@samba.org>
Date: Wed, 10 Feb 2016 00:38:11 +0200
Subject: [PATCH 4/4] winbindd: return trust parameters when listing trusts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When asking a child domain process to list trusts on that domain,
return (along with trust domain names and SID) the trust properties -
flags, type, and attributes.
Use those attributes to initialize domain object.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11691
Signed-off-by: Uri Simchoni <uri@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Feb 23 22:02:16 CET 2016 on sn-devel-144
---
source3/winbindd/winbindd_misc.c | 11 +++---
source3/winbindd/winbindd_util.c | 82 +++++++++++++++++++++++++++++-----------
2 files changed, 65 insertions(+), 28 deletions(-)
diff --git a/source3/winbindd/winbindd_misc.c b/source3/winbindd/winbindd_misc.c
index 7d25167..5335ad9 100644
--- a/source3/winbindd/winbindd_misc.c
+++ b/source3/winbindd/winbindd_misc.c
@@ -172,11 +172,12 @@ enum winbindd_result winbindd_dual_list_trusted_domains(struct winbindd_domain *
for (i=0; i<trusts.count; i++) {
extra_data = talloc_asprintf_append_buffer(
- extra_data, "%s\\%s\\%s\n",
- trusts.array[i].netbios_name,
- trusts.array[i].dns_name,
- sid_string_talloc(state->mem_ctx,
- trusts.array[i].sid));
+ extra_data, "%s\\%s\\%s\\%u\\%u\\%u\n",
+ trusts.array[i].netbios_name, trusts.array[i].dns_name,
+ sid_string_talloc(state->mem_ctx, trusts.array[i].sid),
+ trusts.array[i].trust_flags,
+ (uint32_t)trusts.array[i].trust_type,
+ trusts.array[i].trust_attributes);
}
/* add our primary domain */
diff --git a/source3/winbindd/winbindd_util.c b/source3/winbindd/winbindd_util.c
index aaa9ee8..b99fac4 100644
--- a/source3/winbindd/winbindd_util.c
+++ b/source3/winbindd/winbindd_util.c
@@ -343,6 +343,8 @@ static void trustdom_list_done(struct tevent_req *req)
struct winbindd_response *response;
int res, err;
char *p;
+ struct winbindd_tdc_domain trust_params = {0};
+ ptrdiff_t extra_len;
res = wb_domain_request_recv(req, state, &response, &err);
if ((res == -1) || (response->result != WINBINDD_OK)) {
@@ -351,17 +353,27 @@ static void trustdom_list_done(struct tevent_req *req)
return;
}
+ if (response->length < sizeof(struct winbindd_response)) {
+ DEBUG(0, ("ill-formed trustdom response - short length\n"));
+ TALLOC_FREE(state);
+ return;
+ }
+
+ extra_len = response->length - sizeof(struct winbindd_response);
+
p = (char *)response->extra_data.data;
- while ((p != NULL) && (*p != '\0')) {
+ while ((p - (char *)response->extra_data.data) < extra_len) {
char *q, *sidstr, *alt_name;
- struct dom_sid sid;
- struct winbindd_domain *domain;
- char *alternate_name = NULL;
+
+ DEBUG(10, ("parsing response line '%s'\n", p));
+
+ ZERO_STRUCT(trust_params);
+ trust_params.domain_name = p;
alt_name = strchr(p, '\\');
if (alt_name == NULL) {
- DEBUG(0, ("Got invalid trustdom response\n"));
+ DEBUG(10, ("Got invalid trustdom response\n"));
break;
}
@@ -370,39 +382,63 @@ static void trustdom_list_done(struct tevent_req *req)
sidstr = strchr(alt_name, '\\');
if (sidstr == NULL) {
- DEBUG(0, ("Got invalid trustdom response\n"));
+ DEBUG(10, ("Got invalid trustdom response\n"));
break;
}
*sidstr = '\0';
sidstr += 1;
- q = strchr(sidstr, '\n');
- if (q != NULL)
- *q = '\0';
+ /* use the real alt_name if we have one, else pass in NULL */
+ if (!strequal(alt_name, "(null)")) {
+ trust_params.dns_name = alt_name;
+ }
+
+ q = strtok(sidstr, "\\");
+ if (q == NULL) {
+ DEBUG(10, ("Got invalid trustdom response\n"));
+ break;
+ }
+
+ if (!string_to_sid(&trust_params.sid, sidstr)) {
+ DEBUG(0, ("Got invalid trustdom response\n"));
+ break;
+ }
- if (!string_to_sid(&sid, sidstr)) {
+ q = strtok(NULL, "\\");
+ if (q == NULL) {
DEBUG(0, ("Got invalid trustdom response\n"));
break;
}
- /* use the real alt_name if we have one, else pass in NULL */
+ trust_params.trust_flags = (uint32_t)strtoul(q, NULL, 10);
- if ( !strequal( alt_name, "(null)" ) )
- alternate_name = alt_name;
+ q = strtok(NULL, "\\");
+ if (q == NULL) {
+ DEBUG(0, ("Got invalid trustdom response\n"));
+ break;
+ }
+
+ trust_params.trust_type = (uint32_t)strtoul(q, NULL, 10);
- /* If we have an existing domain structure, calling
- add_trusted_domain() will update the SID if
- necessary. This is important because we need the
- SID for sibling domains */
+ q = strtok(NULL, "\n");
+ if (q == NULL) {
+ DEBUG(10, ("Got invalid trustdom response\n"));
+ break;
+ }
- (void)add_trusted_domain(p, alternate_name,
- &cache_methods,
- &sid);
+ trust_params.trust_attribs = (uint32_t)strtoul(q, NULL, 10);
+
+ /*
+ * We always call add_trusted_domain() cause on an existing
+ * domain structure, it will update the SID if necessary.
+ * This is important because we need the SID for sibling
+ * domains.
+ */
+ (void)add_trusted_domain_from_tdc(&trust_params,
+ &cache_methods);
- p=q;
- if (p != NULL)
- p += 1;
+ p = q + strlen(q) + 1;
}
/*
--
2.9.4

2
src/stripper
View File

@@ -1,4 +1,4 @@
#!/tools/bin/bash
#!/usr/bin/env bash
dirs=""
excludes="/dev /proc /sys /run"