diff --git a/SOURCES/CVE-2016-2125-v4-4.patch b/SOURCES/CVE-2016-2125-v4-4.patch
new file mode 100644
index 0000000..20a98a8
--- /dev/null
+++ b/SOURCES/CVE-2016-2125-v4-4.patch
@@ -0,0 +1,104 @@
+From f775874f1c9e388d51fe04cb9df849c66bc6e8b6 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:41:10 +0100
+Subject: [PATCH 1/3] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
+ in nsupdate-gss
+
+This is just an example script that's not directly used by samba,
+but we should avoid sending delegated credentials to dns servers.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source4/scripting/bin/nsupdate-gss | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
+index dec5916..509220d 100755
+--- a/source4/scripting/bin/nsupdate-gss
++++ b/source4/scripting/bin/nsupdate-gss
+@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
+     my $flags = 
+ 	GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | 
+ 	GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | 
+-	GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
++	GSS_C_INTEG_FLAG;
+ 
+ 
+     $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
+-- 
+1.9.1
+
+
+From 1bee1eb5d75191e142c503cf9c5dc36df2453307 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:42:59 +0100
+Subject: [PATCH 2/3] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
+
+We should only use GSS_C_DELEG_POLICY_FLAG in order to let
+the KDC decide if we should send delegated credentials to
+a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source3/librpc/crypto/gse.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
+index 963c98a..c4c4bbc 100644
+--- a/source3/librpc/crypto/gse.c
++++ b/source3/librpc/crypto/gse.c
+@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
+ 	memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
+ 
+ 	gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
+-				GSS_C_DELEG_FLAG |
+ 				GSS_C_DELEG_POLICY_FLAG |
+ 				GSS_C_REPLAY_FLAG |
+ 				GSS_C_SEQUENCE_FLAG;
+-- 
+1.9.1
+
+
+From 2c9d1648745ddc9facaf5b9cc84ea7f1117d7710 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Wed, 23 Nov 2016 11:44:22 +0100
+Subject: [PATCH 3/3] CVE-2016-2125: s4:gensec_gssapi: don't use
+ GSS_C_DELEG_FLAG by default
+
+This disabled the usage of GSS_C_DELEG_FLAG by default, as
+GSS_C_DELEG_POLICY_FLAG is still used by default we let the
+KDC decide if we should send delegated credentials to a remote server.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: Alexander Bokovoy <ab@samba.org>
+Reviewed-by: Simo Sorce <idra@samba.org>
+---
+ source4/auth/gensec/gensec_gssapi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
+index e0b2bf2..e2994f6 100644
+--- a/source4/auth/gensec/gensec_gssapi.c
++++ b/source4/auth/gensec/gensec_gssapi.c
+@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
+ 		gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
+ 	}
+-	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
++	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
+ 		gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
+ 	}
+ 	if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
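Review bot: The `delegation` setting in gensec_gssapi_start still adds GSS_C_DELEG_FLAG whenever it is set, so a configuration that already enables it keeps sending delegated credentials after this change; only the default moved to false. A comment on the check would keep the default from being flipped back and tell administrators what the option costs, for example `/* Off by default (CVE-2016-2125): GSS_C_DELEG_FLAG delegates credentials without consulting KDC policy. */`. The release notes should also tell sites to review any explicit setting of this option. The function body starts and ends outside the hunk.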
+-- 
+1.9.1
+
diff --git a/SOURCES/CVE-2016-2126-v4-4.patch b/SOURCES/CVE-2016-2126-v4-4.patch
new file mode 100644
index 0000000..fd854ba
--- /dev/null
+++ b/SOURCES/CVE-2016-2126-v4-4.patch
@@ -0,0 +1,99 @@
+From 77631ca7c747796bf3d4dc347afb3f0cb5e4be78 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 22 Nov 2016 17:08:46 +0100
+Subject: [PATCH] CVE-2016-2126: auth/kerberos: only allow known checksum types
+ in check_pac_checksum()
+
+aes based checksums can only be checked with the
+corresponding aes based keytype.
+
+Otherwise we may trigger an undefined code path
+deep in the kerberos libraries, which can leed to
+segmentation faults.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12446
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+---
+ auth/kerberos/kerberos_pac.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/auth/kerberos/kerberos_pac.c b/auth/kerberos/kerberos_pac.c
+index 32d9d7f..7b6efdc 100644
+--- a/auth/kerberos/kerberos_pac.c
++++ b/auth/kerberos/kerberos_pac.c
+@@ -39,6 +39,28 @@ krb5_error_code check_pac_checksum(DATA_BLOB pac_data,
+ 	krb5_boolean checksum_valid = false;
+ 	krb5_data input;
+ 
++	switch (sig->type) {
++	case CKSUMTYPE_HMAC_MD5:
++		/* ignores the key type */
++		break;
++	case CKSUMTYPE_HMAC_SHA1_96_AES_256:
++		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES256_CTS_HMAC_SHA1_96) {
++			return EINVAL;
++		}
++		/* ok */
++		break;
++	case CKSUMTYPE_HMAC_SHA1_96_AES_128:
++		if (KRB5_KEY_TYPE(keyblock) != ENCTYPE_AES128_CTS_HMAC_SHA1_96) {
++			return EINVAL;
++		}
++		/* ok */
++		break;
++	default:
++		DEBUG(2,("check_pac_checksum: Checksum Type %d is not supported\n",
++			(int)sig->type));
++		return EINVAL;
++	}
++
+ #ifdef HAVE_CHECKSUM_IN_KRB5_CHECKSUM /* Heimdal */
+ 	cksum.cksumtype	= (krb5_cksumtype)sig->type;
+ 	cksum.checksum.length	= sig->signature.length;
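Review bot: The two AES cases in check_pac_checksum return EINVAL without logging, while the `default:` case logs at level 2, so a PAC rejected for a checksum/key type mismatch leaves no trace for whoever investigates the failed authentication. Adding a line before each `return EINVAL;`, such as `DEBUG(2,("check_pac_checksum: Checksum Type %d does not match key type %d\n", (int)sig->type, (int)KRB5_KEY_TYPE(keyblock)));`, would make the rejection visible. The body of check_pac_checksum continues outside the hunk.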
+-- 
+1.9.1
+
+From b6da00dee93b832e271040d80d4f6b6165b51f08 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Tue, 19 Jul 2016 16:31:01 +0200
+Subject: [PATCH] krb5_wrap: provide CKSUMTYPE_HMAC_SHA1_96_AES_*
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+MIT only defined this as CKSUMTYPE_HMAC_SHA1_96_AES128,
+while Heimdal has CKSUMTYPE_HMAC_SHA1_96_AES_128.
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: G端nther Deschner <gd@samba.org>
+(cherry picked from commit bb64c550ae19b08ad4e6d8d26f68c2474cb251e6)
+---
+ lib/krb5_wrap/krb5_samba.h | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
+index cef9144..20ef6a3 100644
+--- a/lib/krb5_wrap/krb5_samba.h
++++ b/lib/krb5_wrap/krb5_samba.h
+@@ -74,6 +74,17 @@
+ #define CKSUMTYPE_HMAC_MD5 CKSUMTYPE_HMAC_MD5_ARCFOUR
+ #endif
+ 
++/*
++ * CKSUMTYPE_HMAC_SHA1_96_AES_* in Heimdal
++ * CKSUMTYPE_HMAC_SHA1_96_AES* in MIT
++ */
++#if defined(CKSUMTYPE_HMAC_SHA1_96_AES128) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_128)
++#define CKSUMTYPE_HMAC_SHA1_96_AES_128 CKSUMTYPE_HMAC_SHA1_96_AES128
++#endif
++#if defined(CKSUMTYPE_HMAC_SHA1_96_AES256) && !defined(CKSUMTYPE_HMAC_SHA1_96_AES_256)
++#define CKSUMTYPE_HMAC_SHA1_96_AES_256 CKSUMTYPE_HMAC_SHA1_96_AES256
++#endif
++
+ typedef struct {
+ #if defined(HAVE_MAGIC_IN_KRB5_ADDRESS) && defined(HAVE_ADDRTYPE_IN_KRB5_ADDRESS) /* MIT */
+ 	krb5_address **addrs;
+-- 
+1.9.1
+
diff --git a/SOURCES/CVE-2017-2619-v4-4.patch b/SOURCES/CVE-2017-2619-v4-4.patch
new file mode 100644
index 0000000..9d07941
--- /dev/null
+++ b/SOURCES/CVE-2017-2619-v4-4.patch
@@ -0,0 +1,986 @@
+From 72e7e7b7d378e7ba3afe18ea41802aac5366b094 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sun, 19 Mar 2017 15:58:17 +0100
+Subject: [PATCH 01/13] CVE-2017-2619: s3/smbd: re-open directory after
+ dptr_CloseDir()
+
+dptr_CloseDir() will close and invalidate the fsp's file descriptor, we
+have to reopen it.
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/smb2_query_directory.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/source3/smbd/smb2_query_directory.c b/source3/smbd/smb2_query_directory.c
+index 4b6ca1b..1703310 100644
+--- a/source3/smbd/smb2_query_directory.c
++++ b/source3/smbd/smb2_query_directory.c
+@@ -24,6 +24,7 @@
+ #include "../libcli/smb/smb_common.h"
+ #include "trans2.h"
+ #include "../lib/util/tevent_ntstatus.h"
++#include "system/filesys.h"
+ 
+ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
+ 					      struct tevent_context *ev,
+@@ -322,7 +323,23 @@ static struct tevent_req *smbd_smb2_query_directory_send(TALLOC_CTX *mem_ctx,
+ 	}
+ 
+ 	if (in_flags & SMB2_CONTINUE_FLAG_REOPEN) {
++		int flags;
++
+ 		dptr_CloseDir(fsp);
++
++		/*
++		 * dptr_CloseDir() will close and invalidate the fsp's file
++		 * descriptor, we have to reopen it.
++		 */
++
++		flags = O_RDONLY;
++#ifdef O_DIRECTORY
++		flags |= O_DIRECTORY;
++#endif
++		status = fd_open(conn, fsp, flags, 0);
++		if (tevent_req_nterror(req, status)) {
++			return tevent_req_post(req, ev);
++		}
+ 	}
+ 
+ 	if (!smbreq->posix_pathnames) {
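Review bot: The reopen after dptr_CloseDir() goes through fd_open(), which, as far as the open.c hunks in this series show, opens `fsp->fsp_name` by path, so the new descriptor refers to whatever directory is at that path now, not necessarily the one the client's handle was opened on. If the directory can be renamed or replaced between the original open and the REOPEN request, the handle silently changes target; comparing the reopened descriptor's device and inode with the identity recorded for the handle, and failing the request on a mismatch, would close that gap. It is also worth a comment on what state `fsp` is left in when fd_open() fails here, since the old descriptor is already closed. The function body continues outside the hunk.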
+-- 
+2.9.3
+
+
+From f9a9e7ed2f11c8eb9f8f9f40ec054e9735614e91 Mon Sep 17 00:00:00 2001
+From: Ralph Boehme <slow@samba.org>
+Date: Sun, 19 Mar 2017 18:52:10 +0100
+Subject: [PATCH 02/13] CVE-2017-2619: s4/torture: add SMB2_FIND tests with
+ SMB2_CONTINUE_FLAG_REOPEN flag
+
+Bug: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Ralph Boehme <slow@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source4/torture/smb2/dir.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/source4/torture/smb2/dir.c b/source4/torture/smb2/dir.c
+index 98844b4..db8e456 100644
+--- a/source4/torture/smb2/dir.c
++++ b/source4/torture/smb2/dir.c
+@@ -674,7 +674,7 @@ bool fill_result(void *private_data,
+ 	return true;
+ }
+ 
+-enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART};
++enum continue_type {CONT_SINGLE, CONT_INDEX, CONT_RESTART, CONT_REOPEN};
+ 
+ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
+ 				     TALLOC_CTX *tctx,
+@@ -700,6 +700,9 @@ static NTSTATUS multiple_smb2_search(struct smb2_tree *tree,
+ 
+ 	/* The search should start from the beginning everytime */
+ 	f.in.continue_flags = SMB2_CONTINUE_FLAG_RESTART;
++	if (cont_type == CONT_REOPEN) {
++		f.in.continue_flags = SMB2_CONTINUE_FLAG_REOPEN;
++	}
+ 
+ 	do {
+ 		status = smb2_find_level(tree, tree, &f, &count, &d);
+@@ -803,18 +806,23 @@ static bool test_many_files(struct torture_context *tctx,
+ 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "SINGLE",  SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_SINGLE},
+ 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "INDEX",   SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_INDEX},
+ 		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "RESTART", SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_RESTART},
++		{"SMB2_FIND_BOTH_DIRECTORY_INFO",    "REOPEN",  SMB2_FIND_BOTH_DIRECTORY_INFO,    RAW_SEARCH_DATA_BOTH_DIRECTORY_INFO,    CONT_REOPEN},
+ 		{"SMB2_FIND_DIRECTORY_INFO",         "SINGLE",  SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_SINGLE},
+ 		{"SMB2_FIND_DIRECTORY_INFO",         "INDEX",   SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_INDEX},
+ 		{"SMB2_FIND_DIRECTORY_INFO",         "RESTART", SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_RESTART},
++		{"SMB2_FIND_DIRECTORY_INFO",         "REOPEN",  SMB2_FIND_DIRECTORY_INFO,         RAW_SEARCH_DATA_DIRECTORY_INFO,         CONT_REOPEN},
+ 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "SINGLE",  SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_SINGLE},
+ 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "INDEX",   SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_INDEX},
+ 		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "RESTART", SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_RESTART},
++		{"SMB2_FIND_FULL_DIRECTORY_INFO",    "REOPEN",  SMB2_FIND_FULL_DIRECTORY_INFO,    RAW_SEARCH_DATA_FULL_DIRECTORY_INFO,    CONT_REOPEN},
+ 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "SINGLE",  SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_SINGLE},
+ 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "INDEX",   SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_INDEX},
+ 		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_RESTART},
++		{"SMB2_FIND_ID_FULL_DIRECTORY_INFO", "REOPEN",  SMB2_FIND_ID_FULL_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_FULL_DIRECTORY_INFO, CONT_REOPEN},
+ 		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "SINGLE",  SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_SINGLE},
+ 		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "INDEX",   SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_INDEX},
+-		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART}
++		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "RESTART", SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_RESTART},
++		{"SMB2_FIND_ID_BOTH_DIRECTORY_INFO", "REOPEN",  SMB2_FIND_ID_BOTH_DIRECTORY_INFO, RAW_SEARCH_DATA_ID_BOTH_DIRECTORY_INFO, CONT_REOPEN},
+ 	};
+ 
+ 	smb2_deltree(tree, DNAME);
+-- 
+2.9.3
+
+
+From d329035b5bda87ab95a33b8d4af1936079db6fd1 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 11:55:56 -0800
+Subject: [PATCH 03/13] CVE-2017-2619: s3: smbd: Create wrapper function for
+ OpenDir in preparation for making robust.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/dir.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 3805915..cbd32e3 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1588,7 +1588,8 @@ static int smb_Dir_destructor(struct smb_Dir *dirp)
+  Open a directory.
+ ********************************************************************/
+ 
+-struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
++static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
++			connection_struct *conn,
+ 			const char *name,
+ 			const char *mask,
+ 			uint32_t attr)
+@@ -1628,6 +1629,18 @@ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 	return NULL;
+ }
+ 
++struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
++			const char *name,
++			const char *mask,
++			uint32_t attr)
++{
++	return OpenDir_internal(mem_ctx,
++				conn,
++				name,
++				mask,
++				attr);
++}
++
+ /*******************************************************************
+  Open a directory from an fsp.
+ ********************************************************************/
+-- 
+2.9.3
+
+
+From 484dda03a69f5c687b6ec6db1332bcc51e72e0c2 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 16:25:26 -0800
+Subject: [PATCH 04/13] CVE-2017-2619: s3: smbd: Opendir_internal() early
+ return if SMB_VFS_OPENDIR failed.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/dir.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index cbd32e3..ea4b301 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1601,20 +1601,12 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ 		return NULL;
+ 	}
+ 
+-	dirp->conn = conn;
+-	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
+-
+ 	dirp->dir_path = talloc_strdup(dirp, name);
+ 	if (!dirp->dir_path) {
+ 		errno = ENOMEM;
+ 		goto fail;
+ 	}
+ 
+-	if (sconn && !sconn->using_smb2) {
+-		sconn->searches.dirhandles_open++;
+-	}
+-	talloc_set_destructor(dirp, smb_Dir_destructor);
+-
+ 	dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
+ 	if (!dirp->dir) {
+ 		DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
+@@ -1622,6 +1614,14 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ 		goto fail;
+ 	}
+ 
++	dirp->conn = conn;
++	dirp->name_cache_size = lp_directory_name_cache_size(SNUM(conn));
++
++	if (sconn && !sconn->using_smb2) {
++		sconn->searches.dirhandles_open++;
++	}
++	talloc_set_destructor(dirp, smb_Dir_destructor);
++
+ 	return dirp;
+ 
+   fail:
+-- 
+2.9.3
+
+
+From 84d4bbde7c1682e4c8daf680f930a14e3444f659 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 16:35:00 -0800
+Subject: [PATCH 05/13] CVE-2017-2619: s3: smbd: Create and use
+ open_dir_safely(). Use from OpenDir().
+
+Hardens OpenDir against TOC/TOU races.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/dir.c | 70 +++++++++++++++++++++++++++++++++++++++++++++++-------
+ 1 file changed, 61 insertions(+), 9 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index ea4b301..39a6e67 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1601,15 +1601,9 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ 		return NULL;
+ 	}
+ 
+-	dirp->dir_path = talloc_strdup(dirp, name);
+-	if (!dirp->dir_path) {
+-		errno = ENOMEM;
+-		goto fail;
+-	}
+-
+-	dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
++	dirp->dir = SMB_VFS_OPENDIR(conn, name, mask, attr);
+ 	if (!dirp->dir) {
+-		DEBUG(5,("OpenDir: Can't open %s. %s\n", dirp->dir_path,
++		DEBUG(5,("OpenDir: Can't open %s. %s\n", name,
+ 			 strerror(errno) ));
+ 		goto fail;
+ 	}
+@@ -1629,12 +1623,70 @@ static struct smb_Dir *OpenDir_internal(TALLOC_CTX *mem_ctx,
+ 	return NULL;
+ }
+ 
++/****************************************************************************
++ Open a directory handle by pathname, ensuring it's under the share path.
++****************************************************************************/
++
++static struct smb_Dir *open_dir_safely(TALLOC_CTX *ctx,
++					connection_struct *conn,
++					const char *name,
++					const char *wcard,
++					uint32_t attr)
++{
++	struct smb_Dir *dir_hnd = NULL;
++	char *saved_dir = vfs_GetWd(ctx, conn);
++	NTSTATUS status;
++
++	if (saved_dir == NULL) {
++		return NULL;
++	}
++
++	if (vfs_ChDir(conn, name) == -1) {
++		goto out;
++	}
++
++	/*
++	 * Now the directory is pinned, use
++	 * REALPATH to ensure we can access it.
++	 */
++	status = check_name(conn, ".");
++	if (!NT_STATUS_IS_OK(status)) {
++		goto out;
++	}
++
++	dir_hnd = OpenDir_internal(ctx,
++				conn,
++				".",
++				wcard,
++				attr);
++
++	if (dir_hnd == NULL) {
++		goto out;
++	}
++
++	/*
++	 * OpenDir_internal only gets "." as the dir name.
++	 * Store the real dir name here.
++	 */
++
++	dir_hnd->dir_path = talloc_strdup(dir_hnd, name);
++	if (!dir_hnd->dir_path) {
++		errno = ENOMEM;
++	}
++
++  out:
++
++	vfs_ChDir(conn, saved_dir);
++	TALLOC_FREE(saved_dir);
++	return dir_hnd;
++}
++
+ struct smb_Dir *OpenDir(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 			const char *name,
+ 			const char *mask,
+ 			uint32_t attr)
+ {
+-	return OpenDir_internal(mem_ctx,
++	return open_dir_safely(mem_ctx,
+ 				conn,
+ 				name,
+ 				mask,
+-- 
+2.9.3
+
+
+From 8aece1e0d15bf059daf70259142e8ad35a7658ed Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:13:20 -0800
+Subject: [PATCH 06/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() use early
+ returns.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/dir.c | 34 +++++++++++++++++++++-------------
+ 1 file changed, 21 insertions(+), 13 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 39a6e67..ea4f1ab 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1706,7 +1706,17 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 	struct smbd_server_connection *sconn = conn->sconn;
+ 
+ 	if (!dirp) {
+-		return NULL;
++		goto fail;
++	}
++
++	if (!fsp->is_directory) {
++		errno = EBADF;
++		goto fail;
++	}
++
++	if (fsp->fh->fd == -1) {
++		errno = EBADF;
++		goto fail;
+ 	}
+ 
+ 	dirp->conn = conn;
+@@ -1723,18 +1733,16 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 	}
+ 	talloc_set_destructor(dirp, smb_Dir_destructor);
+ 
+-	if (fsp->is_directory && fsp->fh->fd != -1) {
+-		dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+-		if (dirp->dir != NULL) {
+-			dirp->fsp = fsp;
+-		} else {
+-			DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
+-				"NULL (%s)\n",
+-				dirp->dir_path,
+-				strerror(errno)));
+-			if (errno != ENOSYS) {
+-				return NULL;
+-			}
++	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
++	if (dirp->dir != NULL) {
++		dirp->fsp = fsp;
++	} else {
++		DEBUG(10,("OpenDir_fsp: SMB_VFS_FDOPENDIR on %s returned "
++			"NULL (%s)\n",
++			dirp->dir_path,
++			strerror(errno)));
++		if (errno != ENOSYS) {
++			return NULL;
+ 		}
+ 	}
+ 
+-- 
+2.9.3
+
+
+From 16fa5af1a491c410d4579434b7e9f6e388ea319b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:15:59 -0800
+Subject: [PATCH 07/13] CVE-2017-2619: s3: smbd: OpenDir_fsp() - Fix memory
+ leak on error.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index ea4f1ab..b8034be 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1742,7 +1742,7 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 			dirp->dir_path,
+ 			strerror(errno)));
+ 		if (errno != ENOSYS) {
+-			return NULL;
++			goto fail;
+ 		}
+ 	}
+ 
+-- 
+2.9.3
+
+
+From 2c1830915b0b59646503ee4d043fd9176090627f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:32:07 -0800
+Subject: [PATCH 08/13] CVE-2017-2619: s3: smbd: Move the reference counting
+ and destructor setup to just before retuning success.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/dir.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index b8034be..6b62f14 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1728,11 +1728,6 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 		goto fail;
+ 	}
+ 
+-	if (sconn && !sconn->using_smb2) {
+-		sconn->searches.dirhandles_open++;
+-	}
+-	talloc_set_destructor(dirp, smb_Dir_destructor);
+-
+ 	dirp->dir = SMB_VFS_FDOPENDIR(fsp, mask, attr);
+ 	if (dirp->dir != NULL) {
+ 		dirp->fsp = fsp;
+@@ -1757,6 +1752,11 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 		goto fail;
+ 	}
+ 
++	if (sconn && !sconn->using_smb2) {
++		sconn->searches.dirhandles_open++;
++	}
++	talloc_set_destructor(dirp, smb_Dir_destructor);
++
+ 	return dirp;
+ 
+   fail:
+-- 
+2.9.3
+
+
+From 72bf8c2c2b2c4aff1ac4da52aa087c060ea5eef1 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Mon, 19 Dec 2016 12:35:32 -0800
+Subject: [PATCH 09/13] CVE-2017-2619: s3: smbd: Correctly fallback to
+ open_dir_safely if FDOPENDIR not supported on system.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/dir.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/source3/smbd/dir.c b/source3/smbd/dir.c
+index 6b62f14..3432788 100644
+--- a/source3/smbd/dir.c
++++ b/source3/smbd/dir.c
+@@ -1742,14 +1742,13 @@ static struct smb_Dir *OpenDir_fsp(TALLOC_CTX *mem_ctx, connection_struct *conn,
+ 	}
+ 
+ 	if (dirp->dir == NULL) {
+-		/* FDOPENDIR didn't work. Use OPENDIR instead. */
+-		dirp->dir = SMB_VFS_OPENDIR(conn, dirp->dir_path, mask, attr);
+-	}
+-
+-	if (!dirp->dir) {
+-		DEBUG(5,("OpenDir_fsp: Can't open %s. %s\n", dirp->dir_path,
+-			 strerror(errno) ));
+-		goto fail;
++		/* FDOPENDIR is not supported. Use OPENDIR instead. */
++		TALLOC_FREE(dirp);
++		return open_dir_safely(mem_ctx,
++					conn,
++					fsp->fsp_name->base_name,
++					mask,
++					attr);
+ 	}
+ 
+ 	if (sconn && !sconn->using_smb2) {
+-- 
+2.9.3
+
+
+From 015e488ce39e097944acdad7a88a801386d9935b Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 12:52:13 -0800
+Subject: [PATCH 10/13] CVE-2017-2619: s3: smbd: Remove O_NOFOLLOW guards. We
+ insist on O_NOFOLLOW existing.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/open.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index 1c67684..a014b5e 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -363,8 +363,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ 	struct smb_filename *smb_fname = fsp->fsp_name;
+ 	NTSTATUS status = NT_STATUS_OK;
+ 
+-#ifdef O_NOFOLLOW
+-	/* 
++	/*
+ 	 * Never follow symlinks on a POSIX client. The
+ 	 * client should be doing this.
+ 	 */
+@@ -372,12 +371,10 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ 	if ((fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) || !lp_follow_symlinks(SNUM(conn))) {
+ 		flags |= O_NOFOLLOW;
+ 	}
+-#endif
+ 
+ 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
+ 	if (fsp->fh->fd == -1) {
+ 		int posix_errno = errno;
+-#ifdef O_NOFOLLOW
+ #if defined(ENOTSUP) && defined(OSF1)
+ 		/* handle special Tru64 errno */
+ 		if (errno == ENOTSUP) {
+@@ -394,7 +391,6 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ 		if (errno == EMLINK) {
+ 			posix_errno = ELOOP;
+ 		}
+-#endif /* O_NOFOLLOW */
+ 		status = map_nt_error_from_unix(posix_errno);
+ 		if (errno == EMFILE) {
+ 			static time_t last_warned = 0L;
+-- 
+2.9.3
+
+
+From b7199aaa0a4d10dd6b3d2a040e345a209ec0c42f Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 12:56:08 -0800
+Subject: [PATCH 11/13] CVE-2017-2619: s3: smbd: Move special handling of
+ symlink errno's into a utility function.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/open.c | 43 ++++++++++++++++++++++++++-----------------
+ 1 file changed, 26 insertions(+), 17 deletions(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index a014b5e..b4b77cd 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -352,6 +352,31 @@ static NTSTATUS check_base_file_access(struct connection_struct *conn,
+ }
+ 
+ /****************************************************************************
++ Handle differing symlink errno's
++****************************************************************************/
++
++static int link_errno_convert(int err)
++{
++#if defined(ENOTSUP) && defined(OSF1)
++	/* handle special Tru64 errno */
++	if (err == ENOTSUP) {
++		err = ELOOP;
++	}
++#endif /* ENOTSUP */
++#ifdef EFTYPE
++	/* fix broken NetBSD errno */
++	if (err == EFTYPE) {
++		err = ELOOP;
++	}
++#endif /* EFTYPE */
++	/* fix broken FreeBSD errno */
++	if (err == EMLINK) {
++		err = ELOOP;
++	}
++	return err;
++}
++
++/****************************************************************************
+  fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
+ 
+@@ -374,23 +399,7 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ 
+ 	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
+ 	if (fsp->fh->fd == -1) {
+-		int posix_errno = errno;
+-#if defined(ENOTSUP) && defined(OSF1)
+-		/* handle special Tru64 errno */
+-		if (errno == ENOTSUP) {
+-			posix_errno = ELOOP;
+-		}
+-#endif /* ENOTSUP */
+-#ifdef EFTYPE
+-		/* fix broken NetBSD errno */
+-		if (errno == EFTYPE) {
+-			posix_errno = ELOOP;
+-		}
+-#endif /* EFTYPE */
+-		/* fix broken FreeBSD errno */
+-		if (errno == EMLINK) {
+-			posix_errno = ELOOP;
+-		}
++		int posix_errno = link_errno_convert(errno);
+ 		status = map_nt_error_from_unix(posix_errno);
+ 		if (errno == EMFILE) {
+ 			static time_t last_warned = 0L;
+-- 
+2.9.3
+
+
+From eda8d6ed343b32efb7055778b13252842b8c4f61 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 13:04:46 -0800
+Subject: [PATCH 12/13] CVE-2017-2619: s3: smbd: Add the core functions to
+ prevent symlink open races.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/open.c | 237 ++++++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 237 insertions(+)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index b4b77cd..aa5df2c 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -376,6 +376,243 @@ static int link_errno_convert(int err)
+ 	return err;
+ }
+ 
++static int non_widelink_open(struct connection_struct *conn,
++			const char *conn_rootdir,
++			files_struct *fsp,
++			struct smb_filename *smb_fname,
++			int flags,
++			mode_t mode,
++			unsigned int link_depth);
++
++/****************************************************************************
++ Follow a symlink in userspace.
++****************************************************************************/
++
++static int process_symlink_open(struct connection_struct *conn,
++			const char *conn_rootdir,
++			files_struct *fsp,
++			struct smb_filename *smb_fname,
++			int flags,
++			mode_t mode,
++			unsigned int link_depth)
++{
++	int fd = -1;
++	char *link_target = NULL;
++	int link_len = -1;
++	char *oldwd = NULL;
++	size_t rootdir_len = 0;
++	char *resolved_name = NULL;
++	bool matched = false;
++	int saved_errno = 0;
++
++	/*
++	 * Ensure we don't get stuck in a symlink loop.
++	 */
++	link_depth++;
++	if (link_depth >= 20) {
++		errno = ELOOP;
++		goto out;
++	}
++
++	/* Allocate space for the link target. */
++	link_target = talloc_array(talloc_tos(), char, PATH_MAX);
++	if (link_target == NULL) {
++		errno = ENOMEM;
++		goto out;
++	}
++
++	/* Read the link target. */
++	link_len = SMB_VFS_READLINK(conn,
++				smb_fname->base_name,
++				link_target,
++				PATH_MAX - 1);
++	if (link_len == -1) {
++		goto out;
++	}
++
++	/* Ensure it's at least null terminated. */
++	link_target[link_len] = '\0';
++
++	/* Convert to an absolute path. */
++	resolved_name = SMB_VFS_REALPATH(conn, link_target);
++	if (resolved_name == NULL) {
++		goto out;
++	}
++
++	/*
++	 * We know conn_rootdir starts with '/' and
++	 * does not end in '/'. FIXME ! Should we
++	 * smb_assert this ?
++	 */
++	rootdir_len = strlen(conn_rootdir);
++
++	matched = (strncmp(conn_rootdir, resolved_name, rootdir_len) == 0);
++	if (!matched) {
++		errno = EACCES;
++		goto out;
++	}
++
++	/*
++	 * Turn into a path relative to the share root.
++	 */
++	if (resolved_name[rootdir_len] == '\0') {
++		/* Link to the root of the share. */
++		smb_fname->base_name = talloc_strdup(talloc_tos(), ".");
++		if (smb_fname->base_name == NULL) {
++			errno = ENOMEM;
++			goto out;
++		}
++	} else if (resolved_name[rootdir_len] == '/') {
++		smb_fname->base_name = &resolved_name[rootdir_len+1];
++	} else {
++		errno = EACCES;
++		goto out;
++	}
++
++	oldwd = vfs_GetWd(talloc_tos(), conn);
++	if (oldwd == NULL) {
++		goto out;
++	}
++
++	/* Ensure we operate from the root of the share. */
++	if (vfs_ChDir(conn, conn_rootdir) == -1) {
++		goto out;
++	}
++
++	/* And do it all again.. */
++	fd = non_widelink_open(conn,
++				conn_rootdir,
++				fsp,
++				smb_fname,
++				flags,
++				mode,
++				link_depth);
++	if (fd == -1) {
++		saved_errno = errno;
++	}
++
++  out:
++
++	SAFE_FREE(resolved_name);
++	TALLOC_FREE(link_target);
++	if (oldwd != NULL) {
++		int ret = vfs_ChDir(conn, oldwd);
++		if (ret == -1) {
++			smb_panic("unable to get back to old directory\n");
++		}
++		TALLOC_FREE(oldwd);
++	}
++	if (saved_errno != 0) {
++		errno = saved_errno;
++	}
++	return fd;
++}
++
++/****************************************************************************
++ Non-widelink open.
++****************************************************************************/
++
++static int non_widelink_open(struct connection_struct *conn,
++			const char *conn_rootdir,
++			files_struct *fsp,
++			struct smb_filename *smb_fname,
++			int flags,
++			mode_t mode,
++			unsigned int link_depth)
++{
++	NTSTATUS status;
++	int fd = -1;
++	struct smb_filename *smb_fname_rel = NULL;
++	int saved_errno = 0;
++	char *oldwd = NULL;
++	char *parent_dir = NULL;
++	const char *final_component = NULL;
++
++	if (!parent_dirname(talloc_tos(),
++			smb_fname->base_name,
++			&parent_dir,
++			&final_component)) {
++		goto out;
++	}
++
++	oldwd = vfs_GetWd(talloc_tos(), conn);
++	if (oldwd == NULL) {
++		goto out;
++	}
++
++	/* Pin parent directory in place. */
++	if (vfs_ChDir(conn, parent_dir) == -1) {
++		goto out;
++	}
++
++	/* Ensure the relative path is below the share. */
++	status = check_reduced_name(conn, final_component);
++	if (!NT_STATUS_IS_OK(status)) {
++		saved_errno = map_errno_from_nt_status(status);
++		goto out;
++	}
++
++	smb_fname_rel = synthetic_smb_fname(talloc_tos(),
++				final_component,
++				smb_fname->stream_name,
++				&smb_fname->st);
++
++	flags |= O_NOFOLLOW;
++
++	{
++		struct smb_filename *tmp_name = fsp->fsp_name;
++		fsp->fsp_name = smb_fname_rel;
++		fd = SMB_VFS_OPEN(conn, smb_fname_rel, fsp, flags, mode);
++		fsp->fsp_name = tmp_name;
++	}
++
++	if (fd == -1) {
++		saved_errno = link_errno_convert(errno);
++		if (saved_errno == ELOOP) {
++			if (fsp->posix_flags & FSP_POSIX_FLAGS_OPEN) {
++				/* Never follow symlinks on posix open. */
++				goto out;
++			}
++			if (!lp_follow_symlinks(SNUM(conn))) {
++				/* Explicitly no symlinks. */
++				goto out;
++			}
++			/*
++			 * We have a symlink. Follow in userspace
++			 * to ensure it's under the share definition.
++			 */
++			fd = process_symlink_open(conn,
++					conn_rootdir,
++					fsp,
++					smb_fname_rel,
++					flags,
++					mode,
++					link_depth);
++			if (fd == -1) {
++				saved_errno =
++					link_errno_convert(errno);
++			}
++		}
++	}
++
++  out:
++
++	TALLOC_FREE(parent_dir);
++	TALLOC_FREE(smb_fname_rel);
++
++	if (oldwd != NULL) {
++		int ret = vfs_ChDir(conn, oldwd);
++		if (ret == -1) {
++			smb_panic("unable to get back to old directory\n");
++		}
++		TALLOC_FREE(oldwd);
++	}
++	if (saved_errno != 0) {
++		errno = saved_errno;
++	}
++	return fd;
++}
++
+ /****************************************************************************
+  fd support routines - attempt to do a dos_open.
+ ****************************************************************************/
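Review bot: In non_widelink_open() the result of synthetic_smb_fname() is used without a NULL check, so on allocation failure a NULL smb_fname_rel is assigned to fsp->fsp_name and passed to SMB_VFS_OPEN(). Add `if (smb_fname_rel == NULL) { saved_errno = ENOMEM; goto out; }` directly after the call. The earlier `goto out` exits (parent_dirname, vfs_GetWd, vfs_ChDir) leave saved_errno at 0 and parent_dirname does not visibly set errno, so the value the caller maps depends on the cleanup calls not overwriting it; storing errno into saved_errno at each failure site would make the reported error deterministic. process_symlink_open() also leaves smb_fname->base_name pointing into resolved_name after `SAFE_FREE(resolved_name)`. The visible caller only frees the struct afterwards, but a comment that base_name must not be read once the function returns would protect future callers.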
+-- 
+2.9.3
+
+
+From 81094d0c7519936b08d22efc22ba78e5bab24cd1 Mon Sep 17 00:00:00 2001
+From: Jeremy Allison <jra@samba.org>
+Date: Thu, 15 Dec 2016 13:06:31 -0800
+Subject: [PATCH 13/13] CVE-2017-2619: s3: smbd: Use the new
+ non_widelink_open() function.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12496
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+---
+ source3/smbd/open.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/open.c b/source3/smbd/open.c
+index aa5df2c..0b66487 100644
+--- a/source3/smbd/open.c
++++ b/source3/smbd/open.c
+@@ -634,7 +634,28 @@ NTSTATUS fd_open(struct connection_struct *conn,
+ 		flags |= O_NOFOLLOW;
+ 	}
+ 
+-	fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
++	/* Ensure path is below share definition. */
++	if (!lp_widelinks(SNUM(conn))) {
++		const char *conn_rootdir = SMB_VFS_CONNECTPATH(conn,
++						smb_fname->base_name);
++		if (conn_rootdir == NULL) {
++			return NT_STATUS_NO_MEMORY;
++		}
++		/*
++		 * Only follow symlinks within a share
++		 * definition.
++		 */
++		fsp->fh->fd = non_widelink_open(conn,
++					conn_rootdir,
++					fsp,
++					smb_fname,
++					flags,
++					mode,
++					0);
++	} else {
++		fsp->fh->fd = SMB_VFS_OPEN(conn, smb_fname, fsp, flags, mode);
++	}
++
+ 	if (fsp->fh->fd == -1) {
+ 		int posix_errno = link_errno_convert(errno);
+ 		status = map_nt_error_from_unix(posix_errno);
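Review bot: conn_rootdir from SMB_VFS_CONNECTPATH() is passed to non_widelink_open() without checking the shape the containment test depends on. process_symlink_open() assumes it starts with '/' and has no trailing '/', as its own FIXME notes. With a root of `/` or a trailing slash, the byte at resolved_name[rootdir_len] is neither '\0' nor '/' for most targets, so symlinks would be refused with EACCES. That fails closed, but the precondition is worth stating at the call site, e.g. `/* conn_rootdir must be absolute with no trailing '/'; it is compared as a path prefix. */`. fd_open() starts and ends outside this hunk.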
+-- 
+2.9.3
+
diff --git a/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch b/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch
new file mode 100644
index 0000000..0802eb5
--- /dev/null
+++ b/SOURCES/samba-4.4.x-fix_libads_krb5_memcache.patch
@@ -0,0 +1,206 @@
+From 66668deb267d63f17c70aaea6f720a7c440bb71c Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 10 Oct 2016 15:53:26 +0200
+Subject: [PATCH 1/3] HEIMDAL:lib/krb5: destroy a memory ccache on reinit
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: G端nther Deschner <gd@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+(cherry picked from commit 2abc3710a8a63327a769ba0482c553ed274b2113)
+---
+ source4/heimdal/lib/krb5/mcache.c | 52 ++++++++++++++++++++++++++-------------
+ 1 file changed, 35 insertions(+), 17 deletions(-)
+
+diff --git a/source4/heimdal/lib/krb5/mcache.c b/source4/heimdal/lib/krb5/mcache.c
+index e4b90c1..dc79b87 100644
+--- a/source4/heimdal/lib/krb5/mcache.c
++++ b/source4/heimdal/lib/krb5/mcache.c
+@@ -155,13 +155,47 @@ mcc_gen_new(krb5_context context, krb5_ccache *id)
+     return 0;
+ }
+ 
++static void KRB5_CALLCONV
++mcc_destroy_internal(krb5_context context,
++		     krb5_mcache *m)
++{
++    struct link *l;
++
++    if (m->primary_principal != NULL) {
++	krb5_free_principal (context, m->primary_principal);
++	m->primary_principal = NULL;
++    }
++    m->dead = 1;
++
++    l = m->creds;
++    while (l != NULL) {
++	struct link *old;
++
++	krb5_free_cred_contents (context, &l->cred);
++	old = l;
++	l = l->next;
++	free (old);
++    }
++
++    m->creds = NULL;
++    return;
++}
++
+ static krb5_error_code KRB5_CALLCONV
+ mcc_initialize(krb5_context context,
+ 	       krb5_ccache id,
+ 	       krb5_principal primary_principal)
+ {
+     krb5_mcache *m = MCACHE(id);
++    /*
++     * It's important to destroy any existing
++     * creds here, that matches the baheviour
++     * of all other backends and also the
++     * MEMORY: backend in MIT.
++     */
++    mcc_destroy_internal(context, m);
+     m->dead = 0;
++    m->kdc_offset = 0;
+     m->mtime = time(NULL);
+     return krb5_copy_principal (context,
+ 				primary_principal,
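Review bot: mcc_destroy_internal() has no header comment, and its contract matters now that mcc_initialize() calls it on a cache that stays in use. From the visible body it frees the primary principal and every stored credential and sets m->dead = 1, without touching refcnt or the cache list. I would document that above the helper, e.g. `/* Free the principal and all creds and mark the cache dead; refcnt and list linkage are left alone, callers reset m->dead. */`. The new comment in mcc_initialize() has a typo, `baheviour` for `behaviour`, and the trailing `return;` in the void helper can be dropped. mcc_initialize() continues past the end of this hunk.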
+@@ -195,7 +229,6 @@ mcc_destroy(krb5_context context,
+ 	    krb5_ccache id)
+ {
+     krb5_mcache **n, *m = MCACHE(id);
+-    struct link *l;
+ 
+     if (m->refcnt == 0)
+ 	krb5_abortx(context, "mcc_destroy: refcnt already 0");
+@@ -211,22 +244,7 @@ mcc_destroy(krb5_context context,
+ 	    }
+ 	}
+ 	HEIMDAL_MUTEX_unlock(&mcc_mutex);
+-	if (m->primary_principal != NULL) {
+-	    krb5_free_principal (context, m->primary_principal);
+-	    m->primary_principal = NULL;
+-	}
+-	m->dead = 1;
+-
+-	l = m->creds;
+-	while (l != NULL) {
+-	    struct link *old;
+-
+-	    krb5_free_cred_contents (context, &l->cred);
+-	    old = l;
+-	    l = l->next;
+-	    free (old);
+-	}
+-	m->creds = NULL;
++	mcc_destroy_internal(context, m);
+     }
+     return 0;
+ }
+-- 
+1.9.1
+
+
+From 5484f6cb0d812d11234347f592dff1a15ef5ef50 Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 10 Oct 2016 17:07:12 +0200
+Subject: [PATCH 2/3] s3:libads: don't use MEMORY:ads_sasl_gssapi_do_bind nor
+ set "KRB5CCNAME"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: G端nther Deschner <gd@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+(cherry picked from commit 890b1bbdb8e965c4ff6e35214acc96ffbbff5dfd)
+---
+ source3/libads/sasl.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 85a2eb0..4e4486f 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -1027,7 +1027,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
+ {
+ 	ADS_STATUS status;
+ 	struct ads_service_principal p;
+-	const char *ccache_name = "MEMORY:ads_sasl_gssapi_do_bind";
+ 
+ 	status = ads_generate_service_principal(ads, &p);
+ 	if (!ADS_ERR_OK(status)) {
+@@ -1046,10 +1045,6 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
+ 			  "calling kinit\n", ads_errstr(status)));
+ 	}
+ 
+-	if (ads->auth.ccache_name != NULL) {
+-		ccache_name = ads->auth.ccache_name;
+-	}
+-	setenv(KRB5_ENV_CCNAME, ccache_name, 1);
+ 	status = ADS_ERROR_KRB5(ads_kinit_password(ads));
+ 
+ 	if (ADS_ERR_OK(status)) {
+-- 
+1.9.1
+
+
+From 012e763219f42071ced497fcc0ecd387789efd4f Mon Sep 17 00:00:00 2001
+From: Stefan Metzmacher <metze@samba.org>
+Date: Mon, 10 Oct 2016 17:07:12 +0200
+Subject: [PATCH 3/3] s3:libads: don't use MEMORY:ads_sasl_spnego_bind nor set
+ "KRB5CCNAME"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Most callers just set "KRB5CCNAME", but leave ads->auth.ccache_name = NULL.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=12369
+
+Signed-off-by: Stefan Metzmacher <metze@samba.org>
+Reviewed-by: G端nther Deschner <gd@samba.org>
+Reviewed-by: Uri Simchoni <uri@samba.org>
+
+Autobuild-User(master): Jeremy Allison <jra@samba.org>
+Autobuild-Date(master): Thu Oct 13 00:35:21 CEST 2016 on sn-devel-144
+
+(cherry picked from commit a5f895a53016af71db53967062728fec5bc307ca)
+---
+ source3/libads/sasl.c | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
+index 4e4486f..39c60c3 100644
+--- a/source3/libads/sasl.c
++++ b/source3/libads/sasl.c
+@@ -749,11 +749,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 	if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) &&
+ 	    got_kerberos_mechanism) 
+ 	{
+-		const char *ccache_name = "MEMORY:ads_sasl_spnego_bind";
+-		if (ads->auth.ccache_name != NULL) {
+-			ccache_name = ads->auth.ccache_name;
+-		}
+-
+ 		if (ads->auth.password == NULL ||
+ 		    ads->auth.password[0] == '\0')
+ 		{
+@@ -771,7 +766,6 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads)
+ 				  "calling kinit\n", ads_errstr(status)));
+ 		}
+ 
+-		setenv(KRB5_ENV_CCNAME, ccache_name, 1);
+ 		status = ADS_ERROR_KRB5(ads_kinit_password(ads)); 
+ 
+ 		if (ADS_ERR_OK(status)) {
+-- 
+1.9.1
+
diff --git a/SPECS/samba.spec b/SPECS/samba.spec
index fa05aee..177a601 100644
--- a/SPECS/samba.spec
+++ b/SPECS/samba.spec
@@ -6,7 +6,7 @@
 # ctdb is enabled by default, you can disable it with: --without clustering
 %bcond_without clustering
 
-%define main_release 12
+%define main_release 13
 
 %define samba_version 4.4.4
 %define talloc_version 2.1.6
@@ -120,6 +120,10 @@ Patch9:    samba-4.4.7-fix_smget_auth_callback.patch
 Patch10:   samba-4.4.6-fix_nss_wins.patch
 Patch11:   samba-4.4.7-fix_group_substituion_with_ad.patch
 Patch12:   samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
+Patch13:   samba-4.4.x-fix_libads_krb5_memcache.patch
+Patch14:   CVE-2016-2125-v4-4.patch
+Patch15:   CVE-2016-2126-v4-4.patch
+Patch16:   CVE-2017-2619-v4-4.patch
 
 BuildRoot:      %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 
@@ -717,6 +721,10 @@ and use CTDB instead.
 %patch10 -p1 -b .samba-4.4.6-fix_nss_wins.patch
 %patch11 -p1 -b .samba-4.4.7-fix_group_substituion_with_ad.patch
 %patch12 -p1 -b .samba-4.4.6-fix_smbclient_against_apple_and_azure.patch
+%patch13 -p1 -b .samba-4.4.x-fix_libads_krb5_memcache.patch
+%patch14 -p1 -b .CVE-2016-2125-v4-4.patch
+%patch15 -p1 -b .CVE-2016-2126-v4-4.patch
+%patch16 -p1 -b .CVE-2017-2619-v4-4.patch
 
 %build
 %global _talloc_lib ,talloc,pytalloc,pytalloc-util
@@ -2025,7 +2033,11 @@ rm -rf %{buildroot}
 %endif # with_clustering_support
 
 %changelog
-* Tue Nov 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-11
+* Wed Apr 05 2017 Andreas Schneider <asn@redhat.com> - 4.4.4-13
+- resolves: #1437816 - Fix krb5 memory cache in libads sasl code
+- resolves: #1437741 - Fix CVE-2016-2125, CVE-2016-2126 and CVE-2017-2619
+
+* Tue Nov 15 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-12
 - related: #1393051 - Fix return code if ip not defined in gethostbyname
 
 * Wed Nov 09 2016 Andreas Schneider <asn@redhat.com> - 4.4.4-11