summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTiziano Müller <dev-zero@gentoo.org>2008-05-29 06:37:20 +0000
committerTiziano Müller <dev-zero@gentoo.org>2008-05-29 06:37:20 +0000
commit75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f (patch)
tree736c5d09c21e8ee341c00000488d9266cda5687b
parentRemoving Lars Weiler (Pylon) from metadata.xml (as per #215644). (diff)
downloadgentoo-2-75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f.tar.gz
gentoo-2-75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f.tar.bz2
gentoo-2-75a7b642d968b7fbec77a8c4fafc3f6d64e76e3f.zip
Revision bump for security bug #222299
(Portage version: 2.1.5_rc7, RepoMan options: --force)
-rw-r--r--net-fs/samba/ChangeLog8
-rw-r--r--net-fs/samba/files/3.0.28a-CVE-2008-1105.patch168
-rw-r--r--net-fs/samba/samba-3.0.28a-r1.ebuild322
3 files changed, 497 insertions, 1 deletions
diff --git a/net-fs/samba/ChangeLog b/net-fs/samba/ChangeLog
index b597b3039a7d..c4a9c09939d6 100644
--- a/net-fs/samba/ChangeLog
+++ b/net-fs/samba/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for net-fs/samba
# Copyright 1999-2008 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/ChangeLog,v 1.333 2008/05/17 12:33:00 dev-zero Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/ChangeLog,v 1.334 2008/05/29 06:37:19 dev-zero Exp $
+
+*samba-3.0.28a-r1 (29 May 2008)
+
+ 29 May 2008; Tiziano Müller <dev-zero@gentoo.org>
+ +files/3.0.28a-CVE-2008-1105.patch, +samba-3.0.28a-r1.ebuild:
+ Revision bump for security bug #222299
17 May 2008; Tiziano Müller <dev-zero@gentoo.org>
+files/3.0.28a-wrong_python_ldflags.patch, samba-3.0.28a.ebuild:
diff --git a/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch b/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch
new file mode 100644
index 000000000000..20712d844fa8
--- /dev/null
+++ b/net-fs/samba/files/3.0.28a-CVE-2008-1105.patch
@@ -0,0 +1,168 @@
+diff --git a/source/client/client.c b/source/client/client.c
+index 3f96f63..e87623a 100644
+--- a/source/client/client.c
++++ b/source/client/client.c
+@@ -3626,7 +3626,7 @@ static void readline_callback(void)
+ session keepalives and then drop them here.
+ */
+ if (FD_ISSET(cli->fd,&fds)) {
+- if (!receive_smb(cli->fd,cli->inbuf,0)) {
++ if (!receive_smb(cli->fd,cli->inbuf,cli->bufsize,0)) {
+ DEBUG(0, ("Read from server failed, maybe it closed the "
+ "connection\n"));
+ return;
+diff --git a/source/client/smbctool.c b/source/client/smbctool.c
+index 2063418..a18505b 100644
+--- a/source/client/smbctool.c
++++ b/source/client/smbctool.c
+@@ -3304,7 +3304,7 @@ static void readline_callback(void)
+ session keepalives and then drop them here.
+ */
+ if (FD_ISSET(cli->fd,&fds)) {
+- receive_smb(cli->fd,cli->inbuf,0);
++ receive_smb(cli->fd,cli->inbuf,cli->bufsize,0);
+ goto again;
+ }
+
+diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c
+index 94c5e82..4715ca7 100644
+--- a/source/lib/util_sock.c
++++ b/source/lib/util_sock.c
+@@ -654,14 +654,13 @@ ssize_t read_smb_length(int fd, char *inbuf, unsigned int timeout)
+ }
+
+ /****************************************************************************
+- Read an smb from a fd. Note that the buffer *MUST* be of size
+- BUFFER_SIZE+SAFETY_MARGIN.
++ Read an smb from a fd.
+ The timeout is in milliseconds.
+ This function will return on receipt of a session keepalive packet.
+ Doesn't check the MAC on signed packets.
+ ****************************************************************************/
+
+-BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
++BOOL receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout)
+ {
+ ssize_t len,ret;
+
+@@ -682,25 +681,18 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
+ return False;
+ }
+
+- /*
+- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
+- * of header. Don't print the error if this fits.... JRA.
+- */
+-
+- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
++ if (len > buflen) {
+ DEBUG(0,("Invalid packet length! (%lu bytes).\n",(unsigned long)len));
+- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) {
+
+- /*
+- * Correct fix. smb_read_error may have already been
+- * set. Only set it here if not already set. Global
+- * variables still suck :-). JRA.
+- */
++ /*
++ * smb_read_error may have already been
++ * set. Only set it here if not already set. Global
++ * variables still suck :-). JRA.
++ */
+
+- if (smb_read_error == 0)
+- smb_read_error = READ_ERROR;
+- return False;
+- }
++ if (smb_read_error == 0)
++ smb_read_error = READ_ERROR;
++ return False;
+ }
+
+ if(len > 0) {
+@@ -730,9 +722,9 @@ BOOL receive_smb_raw(int fd, char *buffer, unsigned int timeout)
+ Checks the MAC on signed packets.
+ ****************************************************************************/
+
+-BOOL receive_smb(int fd, char *buffer, unsigned int timeout)
++BOOL receive_smb(int fd, char *buffer, size_t buflen, unsigned int timeout)
+ {
+- if (!receive_smb_raw(fd, buffer, timeout)) {
++ if (!receive_smb_raw(fd, buffer, buflen, timeout)) {
+ return False;
+ }
+
+diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c
+index c6cef08..7d7ab9e 100644
+--- a/source/libsmb/clientgen.c
++++ b/source/libsmb/clientgen.c
+@@ -44,8 +44,7 @@ int cli_set_port(struct cli_state *cli, int port)
+ }
+
+ /****************************************************************************
+- Read an smb from a fd ignoring all keepalive packets. Note that the buffer
+- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN.
++ Read an smb from a fd ignoring all keepalive packets.
+ The timeout is in milliseconds
+
+ This is exactly the same as receive_smb except that it never returns
+@@ -54,12 +53,12 @@ int cli_set_port(struct cli_state *cli, int port)
+ should never go into a blocking read.
+ ****************************************************************************/
+
+-static BOOL client_receive_smb(int fd,char *buffer, unsigned int timeout)
++static BOOL client_receive_smb(int fd,char *buffer, size_t bufsize, unsigned int timeout)
+ {
+ BOOL ret;
+
+ for(;;) {
+- ret = receive_smb_raw(fd, buffer, timeout);
++ ret = receive_smb_raw(fd, buffer, bufsize, timeout);
+
+ if (!ret) {
+ DEBUG(10,("client_receive_smb failed\n"));
+@@ -88,7 +87,7 @@ BOOL cli_receive_smb(struct cli_state *cli)
+ return False;
+
+ again:
+- ret = client_receive_smb(cli->fd,cli->inbuf,cli->timeout);
++ ret = client_receive_smb(cli->fd,cli->inbuf, cli->bufsize, cli->timeout);
+
+ if (ret) {
+ /* it might be an oplock break request */
+diff --git a/source/smbd/process.c b/source/smbd/process.c
+index 8dec719..3d31c29 100644
+--- a/source/smbd/process.c
++++ b/source/smbd/process.c
+@@ -521,7 +521,8 @@ static BOOL receive_message_or_smb(char *buffer, int buffer_len, int timeout)
+ goto again;
+ }
+
+- return receive_smb(smbd_server_fd(), buffer, 0);
++ return receive_smb(smbd_server_fd(), buffer,
++ BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE, 0);
+ }
+
+ /*
+diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c
+index 97d2223..2152e53 100644
+--- a/source/utils/smbfilter.c
++++ b/source/utils/smbfilter.c
+@@ -140,7 +140,7 @@ static void filter_child(int c, struct in_addr dest_ip)
+ if (num <= 0) continue;
+
+ if (c != -1 && FD_ISSET(c, &fds)) {
+- if (!receive_smb(c, packet, 0)) {
++ if (!receive_smb(c, packet, BUFFER_SIZE, 0)) {
+ d_printf("client closed connection\n");
+ exit(0);
+ }
+@@ -151,7 +151,7 @@ static void filter_child(int c, struct in_addr dest_ip)
+ }
+ }
+ if (s != -1 && FD_ISSET(s, &fds)) {
+- if (!receive_smb(s, packet, 0)) {
++ if (!receive_smb(s, packet, BUFFER_SIZE, 0)) {
+ d_printf("server closed connection\n");
+ exit(0);
+ }
diff --git a/net-fs/samba/samba-3.0.28a-r1.ebuild b/net-fs/samba/samba-3.0.28a-r1.ebuild
new file mode 100644
index 000000000000..b549eafffd83
--- /dev/null
+++ b/net-fs/samba/samba-3.0.28a-r1.ebuild
@@ -0,0 +1,322 @@
+# Copyright 1999-2008 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/samba-3.0.28a-r1.ebuild,v 1.1 2008/05/29 06:37:19 dev-zero Exp $
+
+inherit autotools eutils pam python multilib versionator confutils
+
+MY_P=${PN}-${PV/_/}
+
+DESCRIPTION="A suite of SMB and CIFS client/server programs for UNIX"
+HOMEPAGE="http://www.samba.org/"
+SRC_URI="mirror://samba/${MY_P}.tar.gz
+ mirror://samba/old-versions/${MY_P}.tar.gz"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 ~arm hppa ~ia64 ~mips ppc ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd"
+IUSE_LINGUAS="linguas_ja linguas_pl"
+IUSE="${IUSE_LINGUAS} acl ads async automount caps cups doc examples ipv6 kernel_linux ldap fam
+ pam python quotas readline selinux swat syslog winbind"
+
+RDEPEND="dev-libs/popt
+ virtual/libiconv
+ acl? ( kernel_linux? ( sys-apps/acl ) )
+ cups? ( net-print/cups )
+ ipv6? ( sys-apps/xinetd )
+ ads? ( virtual/krb5 )
+ ldap? ( net-nds/openldap )
+ pam? ( virtual/pam )
+ python? ( dev-lang/python )
+ readline? ( sys-libs/readline )
+ selinux? ( sec-policy/selinux-samba )
+ swat? ( sys-apps/xinetd )
+ syslog? ( virtual/logger )
+ fam? ( virtual/fam )
+ caps? ( sys-libs/libcap )"
+DEPEND="${RDEPEND}"
+
+# Tests are broken now :-(
+RESTRICT="test"
+
+S=${WORKDIR}/${MY_P}
+CONFDIR=${FILESDIR}/config
+PRIVATE_DST=/var/lib/samba/private
+
+pkg_setup() {
+ confutils_use_depend_all ads ldap
+}
+
+src_unpack() {
+ unpack ${A}
+ cd "${S}/source"
+
+ # lazyldflags.patch: adds "-Wl,-z,now" to smb{mnt,umount}
+ # invalid-free-fix.patch: Bug #196015 (upstream: #5021)
+
+ epatch \
+ "${FILESDIR}/3.0.26a-lazyldflags.patch" \
+ "${FILESDIR}/3.0.26a-invalid-free-fix.patch" \
+ "${FILESDIR}/3.0.28-libcap_detection.patch" \
+ "${FILESDIR}/3.0.28-fix_broken_readdir_detection.patch" \
+ "${FILESDIR}/3.0.28-autoconf-2.62-fix.patch" \
+ "${FILESDIR}/${PV}-wrong_python_ldflags.patch" \
+ "${FILESDIR}/${PV}-CVE-2008-1105.patch"
+
+ eautoconf -I. -Ilib/replace
+
+ # Ok, agreed, this is ugly. But it avoids a patch we
+ # need for every samba version and we don't need autotools
+ sed -i \
+ -e 's|"lib32" ||' \
+ -e 's|if test -d "$i/$l" ;|if test -d "$i/$l" -o -L "$i/$l";|' \
+ configure || die "sed failed"
+
+ rm "${S}/docs/manpages"/{mount,umount}.cifs.8
+
+}
+
+src_compile() {
+ cd "${S}/source"
+
+ local myconf
+ local mylangs
+ local mymod_shared
+
+ python_version
+ myconf="--with-python=no"
+ use python && myconf="--with-python=${python}"
+
+ mylangs="--with-manpages-langs=en"
+ use linguas_ja && mylangs="${mylangs},ja"
+ use linguas_pl && mylangs="${mylangs},pl"
+
+ use winbind && mymod_shared="--with-shared-modules=idmap_rid"
+ if use ldap ; then
+ myconf="${myconf} $(use_with ads)"
+ use winbind && mymod_shared="${mymod_shared},idmap_ad"
+ fi
+
+ [[ ${CHOST} == *-*bsd* ]] && myconf="${myconf} --disable-pie"
+ use hppa && myconf="${myconf} --disable-pie"
+
+ use caps && export ac_cv_header_sys_capability_h=yes || export ac_cv_header_sys_capability_h=no
+
+ # Otherwise we get the whole swat stuff installed
+ if ! use swat ; then
+ sed -i \
+ -e 's/^\(install:.*\)installswat \(.*\)/\1\2/' \
+ Makefile.in || die "sed failed"
+ fi
+
+ econf \
+ --with-fhs \
+ --sysconfdir=/etc/samba \
+ --localstatedir=/var \
+ --with-configdir=/etc/samba \
+ --with-libdir=/usr/$(get_libdir)/samba \
+ --with-pammodulesdir=$(getpam_mod_dir) \
+ --with-swatdir=/usr/share/doc/${PF}/swat \
+ --with-piddir=/var/run/samba \
+ --with-lockdir=/var/cache/samba \
+ --with-logfilebase=/var/log/samba \
+ --with-privatedir=${PRIVATE_DST} \
+ --with-libsmbclient \
+ --without-spinlocks \
+ --enable-socket-wrapper \
+ --with-cifsmount=no \
+ $(use_with acl acl-support) \
+ $(use_with async aio-support) \
+ $(use_with automount) \
+ $(use_enable cups) \
+ $(use_enable fam) \
+ $(use_with ads krb5) \
+ $(use_with ldap) \
+ $(use_with pam) $(use_with pam pam_smbpass) \
+ $(use_with quotas) $(use_with quotas sys-quotas) \
+ $(use_with readline) \
+ $(use_with kernel_linux smbmount) \
+ $(use_with syslog) \
+ $(use_with winbind) \
+ ${myconf} ${mylangs} ${mymod_shared} || die "econf failed"
+
+ emake proto || die "emake proto failed"
+ emake everything || die "emake everything failed"
+
+ if use python ; then
+ emake python_ext || die "emake python_ext failed"
+ fi
+}
+
+src_test() {
+ cd "${S}/source"
+ emake test || die "tests failed"
+}
+
+src_install() {
+ cd "${S}/source"
+
+ emake DESTDIR="${D}" install-everything || die "emake install-everything failed"
+
+ # Extra rpctorture progs
+ local extra_bins="rpctorture"
+ for i in ${extra_bins} ; do
+ [[ -x "${S}/bin/${i}" ]] && dobin "${S}/bin/${i}"
+ done
+
+ # remove .old stuff from /usr/bin:
+ rm -f "${D}"/usr/bin/*.old
+
+ # Removing executable bits from header-files
+ fperms 644 /usr/include/lib{msrpc,smbclient}.h
+
+ # Nsswitch extensions. Make link for wins and winbind resolvers
+ if use winbind ; then
+ dolib.so nsswitch/libnss_wins.so
+ dosym libnss_wins.so /usr/$(get_libdir)/libnss_wins.so.2
+ dolib.so nsswitch/libnss_winbind.so
+ dosym libnss_winbind.so /usr/$(get_libdir)/libnss_winbind.so.2
+ fi
+
+ if use kernel_linux ; then
+ # Warning: this can byte you if /usr is
+ # on a separate volume and you have to mount
+ # a smb volume before the local mount
+ dosym ../usr/bin/smbmount /sbin/mount.smbfs
+ fperms 4755 /usr/bin/smbmnt
+ fperms 4755 /usr/bin/smbumount
+ fi
+
+ # bug #46389: samba doesn't create symlink anymore
+ # beaviour seems to be changed in 3.0.6, see bug #61046
+ dosym samba/libsmbclient.so /usr/$(get_libdir)/libsmbclient.so.0
+ dosym samba/libsmbclient.so /usr/$(get_libdir)/libsmbclient.so
+
+ # make the smb backend symlink for cups printing support (bug #133133)
+ if use cups ; then
+ dodir $(cups-config --serverbin)/backend
+ dosym /usr/bin/smbspool $(cups-config --serverbin)/backend/smb
+ fi
+
+ if use python ; then
+ emake DESTDIR="${D}" python_install || die "emake installpython failed"
+ # We're doing that manually
+ find "${D}/usr/$(get_libdir)/python${PYVER}/site-packages" -iname "*.pyc" -delete
+ fi
+
+ cd "${S}/source"
+
+ # General config files
+ insinto /etc/samba
+ doins "${CONFDIR}"/{smbusers,lmhosts}
+ newins "${CONFDIR}/smb.conf.example-samba3" smb.conf.example
+
+ newpamd "${CONFDIR}/samba.pam" samba
+ use winbind && dopamd "${CONFDIR}/system-auth-winbind"
+ if use swat ; then
+ insinto /etc/xinetd.d
+ newins "${CONFDIR}/swat.xinetd" swat
+ else
+ rm -f "${D}/usr/sbin/swat"
+ rm -f "${D}/usr/share/man/man8/swat.8"
+ fi
+
+ newinitd "${FILESDIR}/samba-init" samba
+ newconfd "${FILESDIR}/samba-conf" samba
+
+ if use ldap ; then
+ insinto /etc/openldap/schema
+ doins "${S}/examples/LDAP/samba.schema"
+ fi
+
+ if use ipv6 ; then
+ insinto /etc/xinetd.d
+ newins "${FILESDIR}/samba-xinetd" smb
+ fi
+
+ # dirs
+ diropts -m0700 ; keepdir "${PRIVATE_DST}"
+ diropts -m1777 ; keepdir /var/spool/samba
+
+ diropts -m0755
+ keepdir /var/{log,run,cache}/samba
+ keepdir /var/lib/samba/{netlogon,profiles}
+ keepdir /var/lib/samba/printers/{W32X86,WIN40,W32ALPHA,W32MIPS,W32PPC,X64,IA64,COLOR}
+ keepdir /usr/$(get_libdir)/samba/{rpc,idmap,auth}
+
+ # docs
+ dodoc "${FILESDIR}/README.gentoo"
+ dodoc "${S}"/{MAINTAINERS,README,Roadmap,WHATSNEW.txt}
+ dodoc "${CONFDIR}/nsswitch.conf-wins"
+ use winbind && dodoc "${CONFDIR}/nsswitch.conf-winbind"
+
+ if use examples ; then
+ insinto /usr/share/doc/${PF}
+ doins -r "${S}/examples/"
+ find "${D}/usr/share/doc/${PF}" -type d -print0 | xargs -0 chmod 755
+ find "${D}/usr/share/doc/${PF}/examples" ! -type d -print0 | xargs -0 chmod 644
+ if use python ; then
+ insinto /usr/share/doc/${PF}/python
+ doins -r "${S}/source/python/examples"
+ fi
+ fi
+
+ if ! use doc ; then
+ if ! use swat ; then
+ rm -rf "${D}/usr/share/doc/${PF}/swat"
+ else
+ rm -rf "${D}/usr/share/doc/${PF}/swat/help"/{guide,howto,devel}
+ rm -rf "${D}/usr/share/doc/${PF}/swat/using_samba"
+ fi
+ fi
+
+}
+
+pkg_preinst() {
+ local PRIVATE_SRC=/etc/samba/private
+ if [[ ! -r "${ROOT}/${PRIVATE_DST}/secrets.tdb" \
+ && -r "${ROOT}/${PRIVATE_SRC}/secrets.tdb" ]] ; then
+ ebegin "Copying ${ROOT}/${PRIVATE_SRC}/* to ${ROOT}/${PRIVATE_DST}/"
+ mkdir -p "${D}/${PRIVATE_DST}"
+ cp -pPRf "${ROOT}/${PRIVATE_SRC}"/* "${D}/${PRIVATE_DST}/"
+ eend $?
+ fi
+
+ if [[ ! -f "${ROOT}/etc/samba/smb.conf" ]] ; then
+ touch "${D}/etc/samba/smb.conf"
+ fi
+}
+
+pkg_postinst() {
+ if use python ; then
+ python_version
+ python_mod_optimize /usr/$(get_libdir)/python${PYVER}/site-packages/samba
+ fi
+
+ if use swat ; then
+ einfo "swat must be enabled by xinetd:"
+ einfo " change the /etc/xinetd.d/swat configuration"
+ fi
+
+ if use ipv6 ; then
+ einfo "ipv6 support must be enabled by xinetd:"
+ einfo " change the /etc/xinetd.d/smb configuration"
+ fi
+
+ elog "It is possible to start/stop daemons separately:"
+ elog " Create a symlink from /etc/init.d/samba.{smbd,nmbd,winbind} to"
+ elog " /etc/init.d/samba. Calling /etc/init.d/samba directly will start"
+ elog " the daemons configured in /etc/conf.d/samba"
+
+ elog "The mount/umount.cifs helper applications are not included anymore."
+ elog "Please install net-fs/mount-cifs instead."
+
+ ewarn "If you're upgrading from 3.0.24 or earlier, please make sure to"
+ ewarn "restart your clients to clear any cached information about the server."
+ ewarn "Otherwise they might not be able to connect to the volumes."
+}
+
+pkg_postrm() {
+ if use python ; then
+ python_version
+ python_mod_cleanup /usr/$(get_libdir)/python${PYVER}/site-packages/samba
+ fi
+}