[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#876909: marked as done (stretch-pu: package samba/2:4.5.12+dfsg-2)

Your message dated Sat, 07 Oct 2017 11:33:55 +0100
with message-id <1507372435.18586.64.camel@adam-barratt.org.uk>
and subject line Closing bugs for 9.2 point release
has caused the Debian Bug report #876909,
regarding stretch-pu: package samba/2:4.5.12+dfsg-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
876909: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=876909
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

This upload will bring the same security changes than 2:4.5.8+dfsg-2+deb9u2.

samba (2:4.5.12+dfsg-2) stretch; urgency=high
  * This is a security release in order to address the following defects:
    - CVE-2017-12150: Some code path don't enforce smb signing, when they should
    - CVE-2017-12151: Keep required encryption across SMB3 dfs redirects
    - CVE-2017-12163: Server memory information leak over SMB1

See attached debdiff.

Regards

Mathieu Parent

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.12.0-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

diff -Nru samba-4.5.12+dfsg/debian/changelog samba-4.5.12+dfsg/debian/changelog
--- samba-4.5.12+dfsg/debian/changelog	2017-08-26 17:35:49.000000000 +0200
+++ samba-4.5.12+dfsg/debian/changelog	2017-09-25 15:19:34.000000000 +0200
@@ -1,3 +1,12 @@
+samba (2:4.5.12+dfsg-2) stretch; urgency=high
+
+  * This is a security release in order to address the following defects:
+    - CVE-2017-12150: Some code path don't enforce smb signing, when they should
+    - CVE-2017-12151: Keep required encryption across SMB3 dfs redirects
+    - CVE-2017-12163: Server memory information leak over SMB1
+
+ -- Mathieu Parent <sathieu@debian.org>  Mon, 25 Sep 2017 15:19:34 +0200
+
 samba (2:4.5.12+dfsg-1) stretch; urgency=medium
 
   * gbp.conf: change debian-branch to stretch
diff -Nru samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt
--- samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt	1970-01-01 01:00:00.000000000 +0100
+++ samba-4.5.12+dfsg/debian/patches/CVE-2017-12150-v4-5.patches.metze02.txt	2017-09-25 15:15:46.000000000 +0200
@@ -0,0 +1,234 @@
+From f14a94b5cd3e9977e8483e8a6ba06f48045edc15 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Thu, 3 Nov 2016 17:16:43 +0100
+Subject: [PATCH 1/6] CVE-2017-12150: s3:lib:
+ get_cmdline_auth_info_signing_state smb_encrypt SMB_SIGNING_REQUIRED
+
+This is an addition to the fixes for CVE-2015-5296.
+
+It applies to smb2mount -e, smbcacls -e and smbcquotas -e.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/lib/util_cmdline.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/source3/lib/util_cmdline.c b/source3/lib/util_cmdline.c
+index 80c3ecd..539fa55 100644
+--- a/source3/lib/util_cmdline.c
++++ b/source3/lib/util_cmdline.c
+@@ -123,6 +123,9 @@ bool set_cmdline_auth_info_signing_state(struct user_auth_info *auth_info,
+ 
+ int get_cmdline_auth_info_signing_state(const struct user_auth_info *auth_info)
+ {
++	if (auth_info->smb_encrypt) {
++		return SMB_SIGNING_REQUIRED;
++	}
+ 	return auth_info->signing_state;
+ }
+ 
+-- 
+1.9.1
+
+
+From f82c235484d03e22ad78a79e9cf2f14c8455df56 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Fri, 9 Dec 2016 09:26:32 +0100
+Subject: [PATCH 2/6] CVE-2017-12150: s3:pylibsmb: make use of
+ SMB_SIGNING_DEFAULT for 'samba.samba3.libsmb_samba_internal'
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/pylibsmb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
+index 0c5d7e9..97aa39e 100644
+--- a/source3/libsmb/pylibsmb.c
++++ b/source3/libsmb/pylibsmb.c
+@@ -447,7 +447,7 @@ static int py_cli_state_init(struct py_cli_state *self, PyObject *args,
+ 		cli_credentials_get_username(cli_creds),
+ 		cli_credentials_get_domain(cli_creds),
+ 		cli_credentials_get_password(cli_creds),
+-		0, 0);
++		0, SMB_SIGNING_DEFAULT);
+ 	if (!py_tevent_req_wait_exc(self->ev, req)) {
+ 		return -1;
+ 	}
+-- 
+1.9.1
+
+
+From 5d296e6ea32ca2df035dd35e6f21b82390f87f86 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 05:49:46 +0100
+Subject: [PATCH 3/6] CVE-2017-12150: libgpo: make use of SMB_SIGNING_REQUIRED
+ in gpo_connect_server()
+
+It's important that we use a signed connection to get the GPOs!
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libgpo/gpo_fetch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/libgpo/gpo_fetch.c b/libgpo/gpo_fetch.c
+index 836bc23..3740d4e 100644
+--- a/libgpo/gpo_fetch.c
++++ b/libgpo/gpo_fetch.c
+@@ -133,7 +133,7 @@ static NTSTATUS gpo_connect_server(ADS_STRUCT *ads,
+ 			ads->auth.password,
+ 			CLI_FULL_CONNECTION_USE_KERBEROS |
+ 			CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
+-			Undefined);
++			SMB_SIGNING_REQUIRED);
+ 	if (!NT_STATUS_IS_OK(result)) {
+ 		DEBUG(10,("check_refresh_gpo: "
+ 				"failed to connect: %s\n",
+-- 
+1.9.1
+
+
+From dc24ef0fc4292a365900270d6b9b66c9cfc0609e Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 15:24:14 +0200
+Subject: [PATCH 4/6] CVE-2017-12150: auth/credentials:
+ cli_credentials_authentication_requested() should check for
+ NTLM_CCACHE/SIGN/SEAL
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/credentials/credentials.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
+index bfa397c..194b5c2 100644
+--- a/auth/credentials/credentials.c
++++ b/auth/credentials/credentials.c
+@@ -25,6 +25,7 @@
+ #include "librpc/gen_ndr/samr.h" /* for struct samrPassword */
+ #include "auth/credentials/credentials.h"
+ #include "auth/credentials/credentials_internal.h"
++#include "auth/gensec/gensec.h"
+ #include "libcli/auth/libcli_auth.h"
+ #include "tevent.h"
+ #include "param/param.h"
+@@ -347,6 +348,8 @@ _PUBLIC_ bool cli_credentials_set_principal_callback(struct cli_credentials *cre
+ 
+ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *cred) 
+ {
++	uint32_t gensec_features = 0;
++
+ 	if (cred->bind_dn) {
+ 		return true;
+ 	}
+@@ -374,6 +377,19 @@ _PUBLIC_ bool cli_credentials_authentication_requested(struct cli_credentials *c
+ 		return true;
+ 	}
+ 
++	gensec_features = cli_credentials_get_gensec_features(cred);
++	if (gensec_features & GENSEC_FEATURE_NTLM_CCACHE) {
++		return true;
++	}
++
++	if (gensec_features & GENSEC_FEATURE_SIGN) {
++		return true;
++	}
++
++	if (gensec_features & GENSEC_FEATURE_SEAL) {
++		return true;
++	}
++
+ 	return false;
+ }
+ 
+-- 
+1.9.1
+
+
+From f30ea84489e9ee6ab65279bc3ea62ce4f954f965 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 29 Aug 2017 15:35:49 +0200
+Subject: [PATCH 5/6] CVE-2017-12150: libcli/smb: add
+ smbXcli_conn_signing_mandatory()
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ libcli/smb/smbXcli_base.c | 5 +++++
+ libcli/smb/smbXcli_base.h | 1 +
+ 2 files changed, 6 insertions(+)
+
+diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
+index 43294be..9d801c9 100644
+--- a/libcli/smb/smbXcli_base.c
++++ b/libcli/smb/smbXcli_base.c
+@@ -468,6 +468,11 @@ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn)
+ 	return false;
+ }
+ 
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn)
++{
++	return conn->mandatory_signing;
++}
++
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options)
+ {
+ 	set_socket_options(conn->sock_fd, options);
+diff --git a/libcli/smb/smbXcli_base.h b/libcli/smb/smbXcli_base.h
+index 55d3f78..f320500 100644
+--- a/libcli/smb/smbXcli_base.h
++++ b/libcli/smb/smbXcli_base.h
+@@ -47,6 +47,7 @@ bool smbXcli_conn_dfs_supported(struct smbXcli_conn *conn);
+ 
+ enum protocol_types smbXcli_conn_protocol(struct smbXcli_conn *conn);
+ bool smbXcli_conn_use_unicode(struct smbXcli_conn *conn);
++bool smbXcli_conn_signing_mandatory(struct smbXcli_conn *conn);
+ 
+ void smbXcli_conn_set_sockopt(struct smbXcli_conn *conn, const char *options);
+ const struct sockaddr_storage *smbXcli_conn_local_sockaddr(struct smbXcli_conn *conn);
+-- 
+1.9.1
+
+
+From 609e6b09feb4b00ee52db4a9df258cb9061f4ad8 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 12 Dec 2016 06:07:56 +0100
+Subject: [PATCH 6/6] CVE-2017-12150: s3:libsmb: only fallback to anonymous if
+ authentication was not requested
+
+With forced encryption or required signing we should also don't fallback.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12997
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clidfs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 16b21bd..0b7c281 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -203,7 +203,9 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
+ 		/* If a password was not supplied then
+ 		 * try again with a null username. */
+ 		if (password[0] || !username[0] ||
++			force_encrypt || smbXcli_conn_signing_mandatory(c->conn) ||
+ 			get_cmdline_auth_info_use_kerberos(auth_info) ||
++			get_cmdline_auth_info_use_ccache(auth_info) ||
+ 			!NT_STATUS_IS_OK(status = cli_session_setup(c, "",
+ 				    		"", 0,
+ 						"", 0,
+-- 
+1.9.1
+
diff -Nru samba-4.5.12+dfsg/debian/patches/CVE-2017-12151-v4-5.patches.metze02.txt samba-4.5.12+dfsg/debian/patches/CVE-2017-12151-v4-5.patches.metze02.txt
--- samba-4.5.12+dfsg/debian/patches/CVE-2017-12151-v4-5.patches.metze02.txt	1970-01-01 01:00:00.000000000 +0100
+++ samba-4.5.12+dfsg/debian/patches/CVE-2017-12151-v4-5.patches.metze02.txt	2017-09-25 15:19:34.000000000 +0200
@@ -0,0 +1,111 @@
+From 282a1d122f9861b0521fa5a389ad467f8da93bd1 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 14 Aug 2017 12:13:18 +0200
+Subject: [PATCH 1/2] CVE-2017-12151: s3:libsmb: add
+ cli_state_is_encryption_on() helper function
+
+This allows to check if the current cli_state uses encryption
+(either via unix extentions or via SMB3).
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clientgen.c | 13 +++++++++++++
+ source3/libsmb/proto.h     |  1 +
+ 2 files changed, 14 insertions(+)
+
+diff --git a/source3/libsmb/clientgen.c b/source3/libsmb/clientgen.c
+index 2b53a93..e675f95 100644
+--- a/source3/libsmb/clientgen.c
++++ b/source3/libsmb/clientgen.c
+@@ -334,6 +334,19 @@ uint32_t cli_getpid(struct cli_state *cli)
+ 	return cli->smb1.pid;
+ }
+ 
++bool cli_state_is_encryption_on(struct cli_state *cli)
++{
++	if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_SMB2_02) {
++		return smb1cli_conn_encryption_on(cli->conn);
++	}
++
++	if (cli->smb2.tcon == NULL) {
++		return false;
++	}
++
++	return smb2cli_tcon_is_encryption_on(cli->smb2.tcon);
++}
++
+ bool cli_state_has_tcon(struct cli_state *cli)
+ {
+ 	uint32_t tid;
+diff --git a/source3/libsmb/proto.h b/source3/libsmb/proto.h
+index 340cd22..f276b74 100644
+--- a/source3/libsmb/proto.h
++++ b/source3/libsmb/proto.h
+@@ -174,6 +174,7 @@ const char *cli_state_remote_realm(struct cli_state *cli);
+ uint16_t cli_state_get_vc_num(struct cli_state *cli);
+ uint32_t cli_setpid(struct cli_state *cli, uint32_t pid);
+ uint32_t cli_getpid(struct cli_state *cli);
++bool cli_state_is_encryption_on(struct cli_state *cli);
+ bool cli_state_has_tcon(struct cli_state *cli);
+ uint32_t cli_state_get_tid(struct cli_state *cli);
+ uint32_t cli_state_set_tid(struct cli_state *cli, uint32_t tid);
+-- 
+1.9.1
+
+
+From 157f2a703bcaca9495d50cbd4d48c24b1ceed80d Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Sat, 17 Dec 2016 10:36:49 +0100
+Subject: [PATCH 2/2] CVE-2017-12151: s3:libsmb: make use of
+ cli_state_is_encryption_on()
+
+This will keep enforced encryption across dfs referrals.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12996
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/libsmb/clidfs.c         | 4 ++--
+ source3/libsmb/libsmb_context.c | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
+index 0b7c281..d9c9e27 100644
+--- a/source3/libsmb/clidfs.c
++++ b/source3/libsmb/clidfs.c
+@@ -954,7 +954,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ 			     "IPC$",
+ 			     dfs_auth_info,
+ 			     false,
+-			     smb1cli_conn_encryption_on(rootcli->conn),
++			     cli_state_is_encryption_on(rootcli),
+ 			     smbXcli_conn_protocol(rootcli->conn),
+ 			     0,
+ 			     0x20,
+@@ -1012,7 +1012,7 @@ NTSTATUS cli_resolve_path(TALLOC_CTX *ctx,
+ 				dfs_refs[count].share,
+ 				dfs_auth_info,
+ 				false,
+-				smb1cli_conn_encryption_on(rootcli->conn),
++				cli_state_is_encryption_on(rootcli),
+ 				smbXcli_conn_protocol(rootcli->conn),
+ 				0,
+ 				0x20,
+diff --git a/source3/libsmb/libsmb_context.c b/source3/libsmb/libsmb_context.c
+index a956058..74adade 100644
+--- a/source3/libsmb/libsmb_context.c
++++ b/source3/libsmb/libsmb_context.c
+@@ -486,7 +486,7 @@ smbc_option_get(SMBCCTX *context,
+ 
+                 for (s = context->internal->servers; s; s = s->next) {
+                         num_servers++;
+-                        if (!smb1cli_conn_encryption_on(s->cli->conn)) {
++                        if (!cli_state_is_encryption_on(s->cli)) {
+                                 return (void *)false;
+                         }
+                 }
+-- 
+1.9.1
+
diff -Nru samba-4.5.12+dfsg/debian/patches/CVE-2017-12163-all-metze01.patch.txt samba-4.5.12+dfsg/debian/patches/CVE-2017-12163-all-metze01.patch.txt
--- samba-4.5.12+dfsg/debian/patches/CVE-2017-12163-all-metze01.patch.txt	1970-01-01 01:00:00.000000000 +0100
+++ samba-4.5.12+dfsg/debian/patches/CVE-2017-12163-all-metze01.patch.txt	2017-09-25 15:15:46.000000000 +0200
@@ -0,0 +1,141 @@
+From 364275d1ae8c55242497e7c8804fb28aa3b73465 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Fri, 8 Sep 2017 10:13:14 -0700
+Subject: [PATCH] CVE-2017-12163: s3:smbd: Prevent client short SMB1 write from
+ writing server memory to file.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=13020
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ source3/smbd/reply.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 50 insertions(+)
+
+diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
+index 317143f..7b07078 100644
+--- a/source3/smbd/reply.c
++++ b/source3/smbd/reply.c
+@@ -4474,6 +4474,9 @@ void reply_writebraw(struct smb_request *req)
+ 	}
+ 
+ 	/* Ensure we don't write bytes past the end of this packet. */
++	/*
++	 * This already protects us against CVE-2017-12163.
++	 */
+ 	if (data + numtowrite > smb_base(req->inbuf) + smb_len(req->inbuf)) {
+ 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ 		error_to_writebrawerr(req);
+@@ -4574,6 +4577,11 @@ void reply_writebraw(struct smb_request *req)
+ 			exit_server_cleanly("secondary writebraw failed");
+ 		}
+ 
++		/*
++		 * We are not vulnerable to CVE-2017-12163
++		 * here as we are guarenteed to have numtowrite
++		 * bytes available - we just read from the client.
++		 */
+ 		nwritten = write_file(req,fsp,buf+4,startpos+nwritten,numtowrite);
+ 		if (nwritten == -1) {
+ 			TALLOC_FREE(buf);
+@@ -4647,6 +4655,7 @@ void reply_writeunlock(struct smb_request *req)
+ 	connection_struct *conn = req->conn;
+ 	ssize_t nwritten = -1;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	off_t startpos;
+ 	const char *data;
+ 	NTSTATUS status = NT_STATUS_OK;
+@@ -4679,6 +4688,17 @@ void reply_writeunlock(struct smb_request *req)
+ 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ 	data = (const char *)req->buf + 3;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwriteunlock);
++		return;
++	}
++
+ 	if (!fsp->print_file && numtowrite > 0) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -4756,6 +4776,7 @@ void reply_write(struct smb_request *req)
+ {
+ 	connection_struct *conn = req->conn;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	ssize_t nwritten = -1;
+ 	off_t startpos;
+ 	const char *data;
+@@ -4796,6 +4817,17 @@ void reply_write(struct smb_request *req)
+ 	startpos = IVAL_TO_SMB_OFF_T(req->vwv+2, 0);
+ 	data = (const char *)req->buf + 3;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwrite);
++		return;
++	}
++
+ 	if (!fsp->print_file) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 			(uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -5018,6 +5050,9 @@ void reply_write_and_X(struct smb_request *req)
+ 			goto out;
+ 		}
+ 	} else {
++		/*
++		 * This already protects us against CVE-2017-12163.
++		 */
+ 		if (smb_doff > smblen || smb_doff + numtowrite < numtowrite ||
+ 				smb_doff + numtowrite > smblen) {
+ 			reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+@@ -5444,6 +5479,7 @@ void reply_writeclose(struct smb_request *req)
+ {
+ 	connection_struct *conn = req->conn;
+ 	size_t numtowrite;
++	size_t remaining;
+ 	ssize_t nwritten = -1;
+ 	NTSTATUS close_status = NT_STATUS_OK;
+ 	off_t startpos;
+@@ -5477,6 +5513,17 @@ void reply_writeclose(struct smb_request *req)
+ 	mtime = convert_time_t_to_timespec(srv_make_unix_date3(req->vwv+4));
+ 	data = (const char *)req->buf + 1;
+ 
++	/*
++	 * Ensure client isn't asking us to write more than
++	 * they sent. CVE-2017-12163.
++	 */
++	remaining = smbreq_bufrem(req, data);
++	if (numtowrite > remaining) {
++		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
++		END_PROFILE(SMBwriteclose);
++		return;
++	}
++
+ 	if (fsp->print_file == NULL) {
+ 		init_strict_lock_struct(fsp, (uint64_t)req->smbpid,
+ 		    (uint64_t)startpos, (uint64_t)numtowrite, WRITE_LOCK,
+@@ -6069,6 +6116,9 @@ void reply_printwrite(struct smb_request *req)
+ 
+ 	numtowrite = SVAL(req->buf, 1);
+ 
++	/*
++	 * This already protects us against CVE-2017-12163.
++	 */
+ 	if (req->buflen < numtowrite + 3) {
+ 		reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
+ 		END_PROFILE(SMBsplwr);
+-- 
+1.9.1
+
diff -Nru samba-4.5.12+dfsg/debian/patches/series samba-4.5.12+dfsg/debian/patches/series
--- samba-4.5.12+dfsg/debian/patches/series	2017-08-26 17:32:47.000000000 +0200
+++ samba-4.5.12+dfsg/debian/patches/series	2017-09-25 15:17:46.000000000 +0200
@@ -16,3 +16,6 @@
 fix_kill_path_in_units.patch
 nmbd-requires-a-working-network.patch
 provision-Update-root-DNS-servers-list.patch
+CVE-2017-12150-v4-5.patches.metze02.txt
+CVE-2017-12151-v4-5.patches.metze02.txt
+CVE-2017-12163-all-metze01.patch.txt

--- End Message ---
--- Begin Message --- 
Version: 9.2

Hi.

The updates referenced by each of these bugs was included in today's
point release of stretch.

Regards,

Adam

--- End Message ---
Reply to: