Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu
This upload will bring the same security changes than 2:4.5.8+dfsg-2+deb9u2.
samba (2:4.5.12+dfsg-2) stretch; urgency=high
* This is a security release in order to address the following defects:
- CVE-2017-12150: Some code path don't enforce smb signing, when they should
- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects
- CVE-2017-12163: Server memory information leak over SMB1
See attached debdiff.
Regards
Mathieu Parent
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.12.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8),
LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru samba-4.5.12+dfsg/debian/changelog samba-4.5.12+dfsg/debian/changelog
--- samba-4.5.12+dfsg/debian/changelog 2017-08-26 17:35:49.0 +0200
+++ samba-4.5.12+dfsg/debian/changelog 2017-09-25 15:19:34.0 +0200
@@ -1,3 +1,12 @@
+samba (2:4.5.12+dfsg-2) stretch; urgency=high
+
+ * This is a security release in order to address the following defects:
+- CVE-2017-12150: Some code path don't enforce smb signing, when they
should
+- CVE-2017-12151: Keep required encryption across SMB3 dfs redirects
+- CVE-2017-12163: Server memory information leak over SMB1
+
+ -- Mathieu Parent Mon, 25 Sep 2017 15:19:34 +0200
+
samba (2:4.5.12+dfsg-1) stretch; urgency=medium
* gbp.conf: change debian-branch to stretch
diff -Nru
samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt
samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt
--- samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt
1970-01-01 01:00:00.0 +0100
+++ samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt
2017-09-25 15:15:46.0 +0200
@@ -0,0 +1,234 @@
+From f14a94b5cd3e9977e8483e8a6ba06f48045edc15 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Thu, 3 Nov 2016 17:16:43 +0100
+Subject: [PATCH 1/6] CVE-2017-12150: s3:lib:
+ get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
+
+This is an addition to the fixes for CVE-2015-5296.
+
+It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/lib/util_cmdline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index 80c3ecd..539fa55 100644
+--- a/source3/lib/util_cmdline.c
b/source3/lib/util_cmdline.c
+@@ -123,6 +123,9 @@ bool set_cmdline_auth_info_signing_state(struct
user_auth_info *auth_info,
+
+ int get_cmdline_auth_info_signing_state(const struct user_auth_info
*auth_info)
+ {
++ if (auth_info->smb_encrypt) {
++ return SMB_SIGNING_REQUIRED;
++ }
+ return auth_info->signing_state;
+ }
+
+--
+1.9.1
+
+
+From f82c235484d03e22ad78a79e9cf2f14c8455df56 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Fri, 9 Dec 2016 09:26:32 +0100
+Subject: [PATCH 2/6] CVE-2017-12150: s3:pylibsmb: make use of
+ SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ source3/libsmb/pylibsmb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
+index 0c5d7e9..97aa39e 100644
+--- a/source3/libsmb/pylibsmb.c
b/source3/libsmb/pylibsmb.c
+@@ -447,7 +447,7 @@ static int py_cli_state_init(struct py_cli_state *self,
PyObject *args,
+ cli_credentials_get_username(cli_creds),
+ cli_credentials_get_domain(cli_creds),
+ cli_credentials_get_password(cli_creds),
+- 0, 0);
++ 0, SMB_SIGNING_DEFAULT);
+ if (!py_tevent_req_wait_exc(self->ev, req)) {
+ return -1;
+ }
+--
+1.9.1
+
+
+From 5d296e6ea32ca2df035dd35e6f21b82390f87f86 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher
+Date: Mon, 12 Dec 2016 05:49:46 +0100
+Subject: [PATCH 3/6] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
+ in gpo_connect_server()
+
+It's important that we use a signed connection to get the GPOs!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher
+---
+ libgpo/gpo_fetch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
+index 836bc23..3740d4e 100644
+--- a/libgpo/gpo_fetch.c
b/libgpo/gpo_fetch.c
+@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
+ ads->auth.password,
+ CLI_FULL_CONNECTION_USE_KERBEROS