Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 176061 Details for
Bug 253315
CVE-2007-3843 CIFS signing sec= mount options don't work correctly
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
patch -- upstream patch backported to 2.6.18
linux-2.6.18-cifs-sign-option-fix.patch (text/plain), 4.17 KB, created by
Jeff Layton
on 2007-08-28 12:16:27 UTC
(
hide
)
Description:
patch -- upstream patch backported to 2.6.18
Filename:
MIME Type:
Creator:
Jeff Layton
Created:
2007-08-28 12:16:27 UTC
Size:
4.17 KB
patch
obsolete
>--- linux-2.6.18.noarch/fs/cifs/cifs_debug.c.~1~ >+++ linux-2.6.18.noarch/fs/cifs/cifs_debug.c >@@ -895,90 +895,14 @@ security_flags_write(struct file *file, > } > /* flags look ok - update the global security flags for cifs module */ > extended_security = flags; >+ if (extended_security & CIFSSEC_MUST_SIGN) { >+ /* requiring signing implies signing is allowed */ >+ extended_security |= CIFSSEC_MAY_SIGN; >+ cFYI(1, ("packet signing now required")); >+ } else if ((extended_security & CIFSSEC_MAY_SIGN) == 0) { >+ cFYI(1, ("packet signing disabled")); >+ } >+ /* BB should we turn on MAY flags for other MUST options? */ > return count; > } >- >-/* static int >-ntlmv2_enabled_read(char *page, char **start, off_t off, >- int count, int *eof, void *data) >-{ >- int len; >- >- len = sprintf(page, "%d\n", ntlmv2_support); >- >- len -= off; >- *start = page + off; >- >- if (len > count) >- len = count; >- else >- *eof = 1; >- >- if (len < 0) >- len = 0; >- >- return len; >-} >-static int >-ntlmv2_enabled_write(struct file *file, const char __user *buffer, >- unsigned long count, void *data) >-{ >- char c; >- int rc; >- >- rc = get_user(c, buffer); >- if (rc) >- return rc; >- if (c == '0' || c == 'n' || c == 'N') >- ntlmv2_support = 0; >- else if (c == '1' || c == 'y' || c == 'Y') >- ntlmv2_support = 1; >- else if (c == '2') >- ntlmv2_support = 2; >- >- return count; >-} >- >-static int >-packet_signing_enabled_read(char *page, char **start, off_t off, >- int count, int *eof, void *data) >-{ >- int len; >- >- len = sprintf(page, "%d\n", sign_CIFS_PDUs); >- >- len -= off; >- *start = page + off; >- >- if (len > count) >- len = count; >- else >- *eof = 1; >- >- if (len < 0) >- len = 0; >- >- return len; >-} >-static int >-packet_signing_enabled_write(struct file *file, const char __user *buffer, >- unsigned long count, void *data) >-{ >- char c; >- int rc; >- >- rc = get_user(c, buffer); >- if (rc) >- return rc; >- if (c == '0' || c == 'n' || c == 'N') >- sign_CIFS_PDUs = 0; >- else if (c == '1' || c == 'y' || c == 'Y') >- sign_CIFS_PDUs = 1; >- else if (c == '2') >- sign_CIFS_PDUs = 2; >- >- return count; >-} */ >- >- > #endif >--- linux-2.6.18.noarch/fs/cifs/cifssmb.c.~1~ >+++ linux-2.6.18.noarch/fs/cifs/cifssmb.c >@@ -411,11 +411,11 @@ CIFSSMBNegotiate(unsigned int xid, struc > > /* if any of auth flags (ie not sign or seal) are overriden use them */ > if(ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL))) >- secFlags = ses->overrideSecFlg; >+ secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */ > else /* if override flags set only sign/seal OR them with global auth */ > secFlags = extended_security | ses->overrideSecFlg; > >- cFYI(1,("secFlags 0x%x",secFlags)); >+ cFYI(1, ("secFlags 0x%x", secFlags)); > > pSMB->hdr.Mid = GetNextMid(server); > pSMB->hdr.Flags2 |= SMBFLG2_UNICODE; >@@ -582,22 +582,32 @@ CIFSSMBNegotiate(unsigned int xid, struc > #ifdef CONFIG_CIFS_WEAK_PW_HASH > signing_check: > #endif >- if(sign_CIFS_PDUs == FALSE) { >+ if ((secFlags & CIFSSEC_MAY_SIGN) == 0) { >+ /* MUST_SIGN already includes the MAY_SIGN FLAG >+ so if this is zero it means that signing is disabled */ >+ cFYI(1, ("Signing disabled")); > if(server->secMode & SECMODE_SIGN_REQUIRED) >- cERROR(1,("Server requires " >- "/proc/fs/cifs/PacketSigningEnabled to be on")); >+ cERROR(1, ("Server requires " >+ "/proc/fs/cifs/PacketSigningEnabled " >+ "to be on")); > server->secMode &= > ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED); >- } else if(sign_CIFS_PDUs == 1) { >+ } else if ((secFlags & CIFSSEC_MUST_SIGN) == CIFSSEC_MUST_SIGN) { >+ /* signing required */ >+ cFYI(1, ("Must sign - segFlags 0x%x", secFlags)); >+ if ((server->secMode & >+ (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) { >+ cERROR(1, >+ ("signing required but server lacks support")); >+ } else >+ server->secMode |= SECMODE_SIGN_REQUIRED; >+ } else { >+ /* signing optional ie CIFSSEC_MAY_SIGN */ > if((server->secMode & SECMODE_SIGN_REQUIRED) == 0) > server->secMode &= > ~(SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED); >- } else if(sign_CIFS_PDUs == 2) { >- if((server->secMode & >- (SECMODE_SIGN_ENABLED | SECMODE_SIGN_REQUIRED)) == 0) { >- cERROR(1,("signing required but server lacks support")); >- } > } >+ > neg_err_exit: > cifs_buf_release(pSMB); >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=176061">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 253315
:
176061
|
176601