diff options
author | Tiziano Müller <dev-zero@gentoo.org> | 2008-05-29 06:37:20 +0000 |
---|---|---|
committer | Tiziano Müller <dev-zero@gentoo.org> | 2008-05-29 06:37:20 +0000 |
commit | 75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f (patch) | |
tree | 736c5d09c21e8ee341c00000488d9266cda5687b | |
parent | Removing Lars Weiler (Pylon) from metadata.xml (as per #215644). (diff) | |
download | gentoo-2-75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f.tar.gz gentoo-2-75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f.tar.bz2 gentoo-2-75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f.zip |
Revision bump for security bug #222299
(Portage version: 2.1.5_rc7, RepoMan options: --force)
-rw-r--r-- | net-fs/samba/ChangeLog | 8 | ||||
-rw-r--r-- | net-fs/samba/files/3.0.28a-CVE-2008-1105.patch | 168 | ||||
-rw-r--r-- | net-fs/samba/samba-3.0.28a-r1.ebuild | 322 |
3 files changed, 497 insertions, 1 deletions
diff --git a/net-fs/samba/ChangeLog b/net-fs/samba/ChangeLog index b597b3039a7d..c4a9c09939d6 100644 --- a/net-fs/samba/ChangeLog +++ b/net-fs/samba/ChangeLog @@ -1,6 +1,12 @@ # ChangeLog for net-fs/samba # Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/ChangeLog,v 1.333 2008/05/17 12:33:00 dev-zero Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/ChangeLog,v 1.334 2008/05/29 06:37:19 dev-zero Exp $ + +*samba-3.0.28a-r1 (29 May 2008) + + 29 May 2008; Tiziano Müller <dev-zero@gentoo.org> + +files/3.0.28a-CVE-2008-1105.patch, +samba-3.0.28a-r1.ebuild: + Revision bump for security bug #222299 17 May 2008; Tiziano Müller <dev-zero@gentoo.org> +files/3.0.28a-wrong_python_ldflags.patch, samba-3.0.28a.ebuild: diff --git a/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch b/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch new file mode 100644 index 000000000000..20712d844fa8 --- /dev/null +++ b/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch @@ -0,0 +1,168 @@ +diff --git a/source/client/client.c b/source/client/client.c +index 3f96f63..e87623a 100644 +--- a/source/client/client.c ++++ b/source/client/client.c +@@ -3626,7 +3626,7 @@ static void readline_callback(void) + session keepalives and then drop them here. + */ + if (FD_ISSET(cli->fd,&fds)) { +- if (!receive_smb(cli->fd,cli->inbuf,0)) { ++ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) { + DEBUG(0, ("Read from server failed, maybe it closed the " + "connection\n")); + return; +diff --git a/source/client/smbctool.c b/source/client/smbctool.c +index 2063418..a18505b 100644 +--- a/source/client/smbctool.c ++++ b/source/client/smbctool.c +@@ -3304,7 +3304,7 @@ static void readline_callback(void) + session keepalives and then drop them here. + */ + if (FD_ISSET(cli->fd,&fds)) { +- receive_smb(cli->fd,cli->inbuf,0); ++ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0); + goto again; + } + +diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c +index 94c5e82..4715ca7 100644 +--- a/source/lib/util_sock.c ++++ b/source/lib/util_sock.c +@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout) + } + + /**************************************************************************** +- Read an smb from a fd. Note that the buffer *MUST* be of size +- BUFFER_SIZE+SAFETY_MARGIN. ++ Read an smb from a fd. + The timeout is in milliseconds. + This function will return on receipt of a session keepalive packet. + Doesn't check the MAC on signed packets. + ****************************************************************************/ + +-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout) ++BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout) + { + ssize_t len,ret; + +@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout) + return False; + } + +- /* +- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes +- * of header. Don't print the error if this fits.... JRA. +- */ +- +- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { ++ if (len > buflen) { + DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len)); +- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) { + +- /* +- * Correct fix. smb_read_error may have already been +- * set. Only set it here if not already set. Global +- * variables still suck :-). JRA. +- */ ++ /* ++ * smb_read_error may have already been ++ * set. Only set it here if not already set. Global ++ * variables still suck :-). JRA. ++ */ + +- if (smb_read_error == 0) +- smb_read_error = READ_ERROR; +- return False; +- } ++ if (smb_read_error == 0) ++ smb_read_error = READ_ERROR; ++ return False; + } + + if(len > 0) { +@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout) + Checks the MAC on signed packets. + ****************************************************************************/ + +-BOOL receive_smb(int fd, char *buffer, unsigned int timeout) ++BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout) + { +- if (!receive_smb_raw(fd, buffer, timeout)) { ++ if (!receive_smb_raw(fd, buffer, buflen, timeout)) { + return False; + } + +diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c +index c6cef08..7d7ab9e 100644 +--- a/source/libsmb/clientgen.c ++++ b/source/libsmb/clientgen.c +@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port) + } + + /**************************************************************************** +- Read an smb from a fd ignoring all keepalive packets. Note that the buffer +- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN. ++ Read an smb from a fd ignoring all keepalive packets. + The timeout is in milliseconds + + This is exactly the same as receive_smb except that it never returns +@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port) + should never go into a blocking read. + ****************************************************************************/ + +-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout) ++static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout) + { + BOOL ret; + + for(;;) { +- ret = receive_smb_raw(fd, buffer, timeout); ++ ret = receive_smb_raw(fd, buffer, bufsize, timeout); + + if (!ret) { + DEBUG(10,("client_receive_smb failed\n")); +@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli) + return False; + + again: +- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout); ++ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout); + + if (ret) { + /* it might be an oplock break request */ +diff --git a/source/smbd/process.c b/source/smbd/process.c +index 8dec719..3d31c29 100644 +--- a/source/smbd/process.c ++++ b/source/smbd/process.c +@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout) + goto again; + } + +- return receive_smb(smbd_server_fd(), buffer, 0); ++ return receive_smb(smbd_server_fd(), buffer, ++ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0); + } + + /* +diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c +index 97d2223..2152e53 100644 +--- a/source/utils/smbfilter.c ++++ b/source/utils/smbfilter.c +@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip) + if (num <= 0) continue; + + if (c != -1 && FD_ISSET(c, &fds)) { +- if (!receive_smb(c, packet, 0)) { ++ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) { + d_printf("client closed connection\n"); + exit(0); + } +@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip) + } + } + if (s != -1 && FD_ISSET(s, &fds)) { +- if (!receive_smb(s, packet, 0)) { ++ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) { + d_printf("server closed connection\n"); + exit(0); + } diff --git a/net-fs/samba/samba-3.0.28a-r1.ebuild b/net-fs/samba/samba-3.0.28a-r1.ebuild new file mode 100644 index 000000000000..b549eafffd83 --- /dev/null +++ b/net-fs/samba/samba-3.0.28a-r1.ebuild @@ -0,0 +1,322 @@ +# Copyright 1999-2008 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 +# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/samba-3.0.28a-r1.ebuild,v 1.1 2008/05/29 06:37:19 dev-zero Exp $ + +inherit autotools eutils pam python multilib versionator confutils + +MY_P=${PN}-${PV/_/} + +DESCRIPTION="A suite of SMB and CIFS client/server programs for UNIX" +HOMEPAGE="http://www.samba.org/" +SRC_URI="mirror://samba/${MY_P}.tar.gz + mirror://samba/old-versions/${MY_P}.tar.gz" +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="alpha amd64 ~arm hppa ~ia64 ~mips ppc ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd" +IUSE_LINGUAS="linguas_ja linguas_pl" +IUSE="${IUSE_LINGUAS} acl ads async automount caps cups doc examples ipv6 kernel_linux ldap fam + pam python quotas readline selinux swat syslog winbind" + +RDEPEND="dev-libs/popt + virtual/libiconv + acl? ( kernel_linux? ( sys-apps/acl ) ) + cups? ( net-print/cups ) + ipv6? ( sys-apps/xinetd ) + ads? ( virtual/krb5 ) + ldap? ( net-nds/openldap ) + pam? ( virtual/pam ) + python? ( dev-lang/python ) + readline? ( sys-libs/readline ) + selinux? ( sec-policy/selinux-samba ) + swat? ( sys-apps/xinetd ) + syslog? ( virtual/logger ) + fam? ( virtual/fam ) + caps? ( sys-libs/libcap )" +DEPEND="${RDEPEND}" + +# Tests are broken now :-( +RESTRICT="test" + +S=${WORKDIR}/${MY_P} +CONFDIR=${FILESDIR}/config +PRIVATE_DST=/var/lib/samba/private + +pkg_setup() { + confutils_use_depend_all ads ldap +} + +src_unpack() { + unpack ${A} + cd "${S}/source" + + # lazyldflags.patch: adds "-Wl,-z,now" to smb{mnt,umount} + # invalid-free-fix.patch: Bug #196015 (upstream: #5021) + + epatch \ + "${FILESDIR}/3.0.26a-lazyldflags.patch" \ + "${FILESDIR}/3.0.26a-invalid-free-fix.patch" \ + "${FILESDIR}/3.0.28-libcap_detection.patch" \ + "${FILESDIR}/3.0.28-fix_broken_readdir_detection.patch" \ + "${FILESDIR}/3.0.28-autoconf-2.62-fix.patch" \ + "${FILESDIR}/${PV}-wrong_python_ldflags.patch" \ + "${FILESDIR}/${PV}-CVE-2008-1105.patch" + + eautoconf -I. -Ilib/replace + + # Ok, agreed, this is ugly. But it avoids a patch we + # need for every samba version and we don't need autotools + sed -i \ + -e 's|"lib32" ||' \ + -e 's|if test -d "$i/$l" ;|if test -d "$i/$l" -o -L "$i/$l";|' \ + configure || die "sed failed" + + rm "${S}/docs/manpages"/{mount,umount}.cifs.8 + +} + +src_compile() { + cd "${S}/source" + + local myconf + local mylangs + local mymod_shared + + python_version + myconf="--with-python=no" + use python && myconf="--with-python=${python}" + + mylangs="--with-manpages-langs=en" + use linguas_ja && mylangs="${mylangs},ja" + use linguas_pl && mylangs="${mylangs},pl" + + use winbind && mymod_shared="--with-shared-modules=idmap_rid" + if use ldap ; then + myconf="${myconf} $(use_with ads)" + use winbind && mymod_shared="${mymod_shared},idmap_ad" + fi + + [[ ${CHOST} == *-*bsd* ]] && myconf="${myconf} --disable-pie" + use hppa && myconf="${myconf} --disable-pie" + + use caps && export ac_cv_header_sys_capability_h=yes || export ac_cv_header_sys_capability_h=no + + # Otherwise we get the whole swat stuff installed + if ! use swat ; then + sed -i \ + -e 's/^\(install:.*\)installswat \(.*\)/\1\2/' \ + Makefile.in || die "sed failed" + fi + + econf \ + --with-fhs \ + --sysconfdir=/etc/samba \ + --localstatedir=/var \ + --with-configdir=/etc/samba \ + --with-libdir=/usr/$(get_libdir)/samba \ + --with-pammodulesdir=$(getpam_mod_dir) \ + --with-swatdir=/usr/share/doc/${PF}/swat \ + --with-piddir=/var/run/samba \ + --with-lockdir=/var/cache/samba \ + --with-logfilebase=/var/log/samba \ + --with-privatedir=${PRIVATE_DST} \ + --with-libsmbclient \ + --without-spinlocks \ + --enable-socket-wrapper \ + --with-cifsmount=no \ + $(use_with acl acl-support) \ + $(use_with async aio-support) \ + $(use_with automount) \ + $(use_enable cups) \ + $(use_enable fam) \ + $(use_with ads krb5) \ + $(use_with ldap) \ + $(use_with pam) $(use_with pam pam_smbpass) \ + $(use_with quotas) $(use_with quotas sys-quotas) \ + $(use_with readline) \ + $(use_with kernel_linux smbmount) \ + $(use_with syslog) \ + $(use_with winbind) \ + ${myconf} ${mylangs} ${mymod_shared} || die "econf failed" + + emake proto || die "emake proto failed" + emake everything || die "emake everything failed" + + if use python ; then + emake python_ext || die "emake python_ext failed" + fi +} + +src_test() { + cd "${S}/source" + emake test || die "tests failed" +} + +src_install() { + cd "${S}/source" + + emake DESTDIR="${D}" install-everything || die "emake install-everything failed" + + # Extra rpctorture progs + local extra_bins="rpctorture" + for i in ${extra_bins} ; do + [[ -x "${S}/bin/${i}" ]] && dobin "${S}/bin/${i}" + done + + # remove .old stuff from /usr/bin: + rm -f "${D}"/usr/bin/*.old + + # Removing executable bits from header-files + fperms 644 /usr/include/lib{msrpc,smbclient}.h + + # Nsswitch extensions. Make link for wins and winbind resolvers + if use winbind ; then + dolib.so nsswitch/libnss_wins.so + dosym libnss_wins.so /usr/$(get_libdir)/libnss_wins.so.2 + dolib.so nsswitch/libnss_winbind.so + dosym libnss_winbind.so /usr/$(get_libdir)/libnss_winbind.so.2 + fi + + if use kernel_linux ; then + # Warning: this can byte you if /usr is + # on a separate volume and you have to mount + # a smb volume before the local mount + dosym ../usr/bin/smbmount /sbin/mount.smbfs + fperms 4755 /usr/bin/smbmnt + fperms 4755 /usr/bin/smbumount + fi + + # bug #46389: samba doesn't create symlink anymore + # beaviour seems to be changed in 3.0.6, see bug #61046 + dosym samba/libsmbclient.so /usr/$(get_libdir)/libsmbclient.so.0 + dosym samba/libsmbclient.so /usr/$(get_libdir)/libsmbclient.so + + # make the smb backend symlink for cups printing support (bug #133133) + if use cups ; then + dodir $(cups-config --serverbin)/backend + dosym /usr/bin/smbspool $(cups-config --serverbin)/backend/smb + fi + + if use python ; then + emake DESTDIR="${D}" python_install || die "emake installpython failed" + # We're doing that manually + find "${D}/usr/$(get_libdir)/python${PYVER}/site-packages" -iname "*.pyc" -delete + fi + + cd "${S}/source" + + # General config files + insinto /etc/samba + doins "${CONFDIR}"/{smbusers,lmhosts} + newins "${CONFDIR}/smb.conf.example-samba3" smb.conf.example + + newpamd "${CONFDIR}/samba.pam" samba + use winbind && dopamd "${CONFDIR}/system-auth-winbind" + if use swat ; then + insinto /etc/xinetd.d + newins "${CONFDIR}/swat.xinetd" swat + else + rm -f "${D}/usr/sbin/swat" + rm -f "${D}/usr/share/man/man8/swat.8" + fi + + newinitd "${FILESDIR}/samba-init" samba + newconfd "${FILESDIR}/samba-conf" samba + + if use ldap ; then + insinto /etc/openldap/schema + doins "${S}/examples/LDAP/samba.schema" + fi + + if use ipv6 ; then + insinto /etc/xinetd.d + newins "${FILESDIR}/samba-xinetd" smb + fi + + # dirs + diropts -m0700 ; keepdir "${PRIVATE_DST}" + diropts -m1777 ; keepdir /var/spool/samba + + diropts -m0755 + keepdir /var/{log,run,cache}/samba + keepdir /var/lib/samba/{netlogon,profiles} + keepdir /var/lib/samba/printers/{W32X86,WIN40,W32ALPHA,W32MIPS,W32PPC,X64,IA64,COLOR} + keepdir /usr/$(get_libdir)/samba/{rpc,idmap,auth} + + # docs + dodoc "${FILESDIR}/README.gentoo" + dodoc "${S}"/{MAINTAINERS,README,Roadmap,WHATSNEW.txt} + dodoc "${CONFDIR}/nsswitch.conf-wins" + use winbind && dodoc "${CONFDIR}/nsswitch.conf-winbind" + + if use examples ; then + insinto /usr/share/doc/${PF} + doins -r "${S}/examples/" + find "${D}/usr/share/doc/${PF}" -type d -print0 | xargs -0 chmod 755 + find "${D}/usr/share/doc/${PF}/examples" ! -type d -print0 | xargs -0 chmod 644 + if use python ; then + insinto /usr/share/doc/${PF}/python + doins -r "${S}/source/python/examples" + fi + fi + + if ! use doc ; then + if ! use swat ; then + rm -rf "${D}/usr/share/doc/${PF}/swat" + else + rm -rf "${D}/usr/share/doc/${PF}/swat/help"/{guide,howto,devel} + rm -rf "${D}/usr/share/doc/${PF}/swat/using_samba" + fi + fi + +} + +pkg_preinst() { + local PRIVATE_SRC=/etc/samba/private + if [[ ! -r "${ROOT}/${PRIVATE_DST}/secrets.tdb" \ + && -r "${ROOT}/${PRIVATE_SRC}/secrets.tdb" ]] ; then + ebegin "Copying ${ROOT}/${PRIVATE_SRC}/* to ${ROOT}/${PRIVATE_DST}/" + mkdir -p "${D}/${PRIVATE_DST}" + cp -pPRf "${ROOT}/${PRIVATE_SRC}"/* "${D}/${PRIVATE_DST}/" + eend $? + fi + + if [[ ! -f "${ROOT}/etc/samba/smb.conf" ]] ; then + touch "${D}/etc/samba/smb.conf" + fi +} + +pkg_postinst() { + if use python ; then + python_version + python_mod_optimize /usr/$(get_libdir)/python${PYVER}/site-packages/samba + fi + + if use swat ; then + einfo "swat must be enabled by xinetd:" + einfo " change the /etc/xinetd.d/swat configuration" + fi + + if use ipv6 ; then + einfo "ipv6 support must be enabled by xinetd:" + einfo " change the /etc/xinetd.d/smb configuration" + fi + + elog "It is possible to start/stop daemons separately:" + elog " Create a symlink from /etc/init.d/samba.{smbd,nmbd,winbind} to" + elog " /etc/init.d/samba. Calling /etc/init.d/samba directly will start" + elog " the daemons configured in /etc/conf.d/samba" + + elog "The mount/umount.cifs helper applications are not included anymore." + elog "Please install net-fs/mount-cifs instead." + + ewarn "If you're upgrading from 3.0.24 or earlier, please make sure to" + ewarn "restart your clients to clear any cached information about the server." + ewarn "Otherwise they might not be able to connect to the volumes." +} + +pkg_postrm() { + if use python ; then + python_version + python_mod_cleanup /usr/$(get_libdir)/python${PYVER}/site-packages/samba + fi +} |