ports/95325: [MAINTAINER] Security update of net/samba3 to 3.0.22

Timur I. Bakeyev timur at gnu.org
Wed Apr 5 01:10:18 UTC 2006


>Number:         95325
>Category:       ports
>Synopsis:       [MAINTAINER] Security update of net/samba3 to 3.0.22
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 05 01:10:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Timur I. Bakeyev
>Release:        FreeBSD 6.0-STABLE i386
>Organization:
>Environment:


System: FreeBSD 6.0-STABLE #2: Sun Jan  8 03:29:17 CET 2006
    root at timur.home.bat.ru:/usr/src/sys/i386/compile/COMMON



>Description:


== Subject: Exposed clear text of domain machine
== account password in debug logs (log
== level >= 5)
== CVE ID#: CAN_2006-1059
==
== Versions: Samba 3.0.21 - 3.0.21c (inclusive)
==
== Summary: The winbindd daemon writes the clear text
== of the machine trust account password to
== log files. These log files are world
== readable by default.


>How-To-Repeat:





>Fix:


--- samba3.diff begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/net/samba3/Makefile,v
retrieving revision 1.148
diff -u -r1.148 Makefile
--- Makefile	22 Feb 2006 08:46:36 -0000	1.148
+++ Makefile	4 Apr 2006 02:02:41 -0000
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=		samba
-PORTVERSION?=		3.0.21b
+PORTVERSION?=		3.0.22
 PORTREVISION?=		0
 PORTEPOCH?=		1
 CATEGORIES?=		net
@@ -70,10 +70,11 @@
 		SAM_XML		"With XML smbpasswd backend" off \
 		SAM_MYSQL	"With MYSQL smbpasswd backend" off \
 		SAM_PGSQL	"With PostgreSQL smbpasswd backend" off \
-		SAM_OLD_LDAP	"With Samba2.x LDAP smbpasswd backend" off \
+		SAM_OLD_LDAP	"With Samba2.x LDAP legacy smbpasswd backend" off \
+		SMBSH		"With SMBSH wrapper for UNIX commands" off \
 		PAM_SMBPASS	"With SMB PAM module" off \
 		EXP_MODULES	"With experimental module(s)" off \
-		POPT		"With installed POPT library" on
+		POPT		"With system-wide POPT library" on
 .endif
 
 .include <bsd.port.pre.mk>
@@ -82,7 +83,8 @@
 # Switch off all extra functionality
 CONFIGURE_ARGS+=	--disable-cups --without-winbind --without-syslog \
 			--without-quotas --without-utmp --without-ldapsam \
-			--without-pam --without-pam_smbpass --without-aio-support
+			--without-pam --without-pam_smbpass \
+			--without-aio-support
 
 # Dirty hack to work around usage of OPTIONS in slave ports
 .if exists(${.CURDIR}/Makefile.inc)
@@ -210,8 +212,16 @@
 .endif
 .endif
 
+.if defined(WITH_SMBSH)
+IGNORE=			broken IPC and code
+CONFIGURE_ARGS+=	 --with-smbwrapper
+PLIST_SUB+=		SMBSH=""
+.else
+PLIST_SUB+=		SMBSH="@comment "
+.endif
+
 .if defined(WITH_AIO_SUPPORT)
-# Yes, it doesn't work for now
+IGNORE=			broken kernel API until now (7-CURRENT)
 CONFIGURE_ARGS+=	--without-aio-support
 .endif
 
@@ -269,12 +279,14 @@
 # Samba server itself
 MAN1=		findsmb.1 log2pcap.1 nmblookup.1 ntlm_auth.1 profiles.1 \
 		rpcclient.1 smbcacls.1 smbclient.1 smbcontrol.1 smbcquotas.1 \
-		smbget.1 smbsh.1 smbstatus.1 smbtar.1 smbtree.1 testparm.1 \
-		vfstest.1
+		smbget.1 smbstatus.1 smbtar.1 smbtree.1 testparm.1 vfstest.1
 MAN5=		lmhosts.5 smb.conf.5 smbgetrc.5 smbpasswd.5
 MAN7=		samba.7
 MAN8=		net.8 nmbd.8 pdbedit.8 smbd.8 smbpasswd.8 smbspool.8 \
 		swat.8 tdbbackup.8 tdbdump.8
+.if defined(WITH_SMBSH)
+MAN1+=		smbsh.1
+.endif
 .if !defined(WITHOUT_WINBIND)
 MAN1+=		wbinfo.1
 MAN7+=		pam_winbind.7
@@ -351,9 +363,14 @@
 	${ECHO_CMD} "${SAMBA_LIB}/pam_winbind.so" >> ${TMPPLIST};
 .endif
 .if defined(WITH_PAM_SMBPASS)
-	@${INSTALL_PROGRAM} ${WRKSRC}/bin/pam_smbpass.so ${SAMBA_LIBDIR}
+	${INSTALL_PROGRAM} ${WRKSRC}/bin/pam_smbpass.so ${SAMBA_LIBDIR}
 	${ECHO_CMD} "${SAMBA_LIB}/pam_smbpass.so" >> ${TMPPLIST};
 .endif
+# smbwrapper.so
+.if defined(WITH_SMBSH)
+	${INSTALL_PROGRAM} ${WRKSRC}/bin/smbsh ${PREFIX}/bin
+	${INSTALL_PROGRAM} ${WRKSRC}/bin/smbwrapper.so ${SAMBA_LIBDIR}/samba
+.endif
 # Lib
 	@${FIND} ${SAMBA_LIBDIR}/samba -type f | ${SED} -E 's|^${PREFIX}/?||;' | ${EGREP} -F -v -f ${WRKDIR}/.PLIST.exclude | ${SORT} >> ${TMPPLIST}
 	@for d in `${FIND} ${SAMBA_LIBDIR}/samba -type d | ${SORT} -r`; do \
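Review bot: The new `smbwrapper.so` install has no matching `${ECHO_CMD} ... >> ${TMPPLIST}` line, unlike the `pam_winbind.so` and `pam_smbpass.so` installs directly above it. It appears to rely on the `${FIND} ${SAMBA_LIBDIR}/samba -type f` pass that follows to be registered, while `bin/smbsh` is covered by the static `%%SMBSH%%bin/smbsh` entry added to pkg-plist. The `# smbwrapper.so` comment should spell that out, for example `# smbwrapper.so: registered by the find over ${SAMBA_LIBDIR}/samba below; bin/smbsh is listed in pkg-plist`. Otherwise a later reordering of this target could leave an unpackaged shared object behind after deinstall. The recipe continues past the end of the hunk.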
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/net/samba3/distinfo,v
retrieving revision 1.68
diff -u -r1.68 distinfo
--- distinfo	19 Feb 2006 20:11:09 -0000	1.68
+++ distinfo	1 Apr 2006 00:53:44 -0000
@@ -1,3 +1,3 @@
-MD5 (samba-3.0.21b.tar.gz) = bb73dffb33f4a39386ef9f3e07ae28ff
-SHA256 (samba-3.0.21b.tar.gz) = a5e6982024105276d347b3b521897d6937c727e273814e743ada8eddf972e7d0
-SIZE (samba-3.0.21b.tar.gz) = 17539079
+MD5 (samba-3.0.22.tar.gz) = 5c39505af17cf5caf3d6ed8bab135036
+SHA256 (samba-3.0.22.tar.gz) = 781466885804343248afb74dfdd57df0c7165b252ded06a71c0f24827b2a8e2d
+SIZE (samba-3.0.22.tar.gz) = 17542657
Index: pkg-plist
===================================================================
RCS file: /home/ncvs/ports/net/samba3/pkg-plist,v
retrieving revision 1.63
diff -u -r1.63 pkg-plist
--- pkg-plist	9 Jan 2006 16:45:33 -0000	1.63
+++ pkg-plist	2 Apr 2006 00:04:25 -0000
@@ -21,6 +21,7 @@
 bin/tdbdump
 bin/tdbtool
 bin/testparm
+%%SMBSH%%bin/smbsh
 %%WINBIND%%bin/wbinfo
 @unexec %D/etc/rc.d/samba.sh forcestop 2>/dev/null || true
 etc/rc.d/samba.sh
@@ -592,6 +593,7 @@
 share/swat/help/using_samba/samba2_s.gif
 share/swat/help/using_samba/samba2_xs.gif
 share/swat/help/using_samba/toc.html
+share/swat/help/welcome-no-samba-doc.html
 share/swat/help/welcome.html
 share/swat/images/globals.gif
 share/swat/images/home.gif
Index: files/patch-Makefile.in
===================================================================
RCS file: /home/ncvs/ports/net/samba3/files/patch-Makefile.in,v
retrieving revision 1.6
diff -u -r1.6 patch-Makefile.in
--- files/patch-Makefile.in	9 Jan 2006 16:45:33 -0000	1.6
+++ files/patch-Makefile.in	25 Feb 2006 04:31:05 -0000
@@ -1,30 +1,6 @@
---- Makefile.in.orig	Wed Dec 14 13:45:49 2005
-+++ Makefile.in	Sun Jan  1 03:35:30 2006
-@@ -676,6 +676,7 @@
- 
- CAC_PICOBJS = $(CAC_OBJ:.o=. at PICSUFFIX@)
- 
-+NSS_VERSION=1
- 
- PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \
-                pam_smbpass/pam_smb_acct.o pam_smbpass/support.o \
-@@ -1172,13 +1173,13 @@
- @WINBIND_NSS@: $(WINBIND_NSS_PICOBJS)
- 	@echo "Linking $@"
- 	@$(SHLD) $(WINBIND_NSS_LDSHFLAGS) -o $@ $(WINBIND_NSS_PICOBJS) \
--		@WINBIND_NSS_EXTRA_LIBS@ @SONAMEFLAG@`basename $@`
-+		@WINBIND_NSS_EXTRA_LIBS@ @SONAMEFLAG@`basename $@`.$(NSS_VERSION)
- 
- @WINBIND_WINS_NSS@: $(WINBIND_WINS_NSS_PICOBJS)
- 	@echo "Linking $@"
- 	@$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_WINS_NSS_PICOBJS) \
- 		$(LDAP_LIBS) $(KRB5LIBS) -lc \
--		@SONAMEFLAG@`basename $@`
-+		@SONAMEFLAG@`basename $@`.$(NSS_VERSION)
- 
- nsswitch/pam_winbind. at SHLIBEXT@: $(PAM_WINBIND_PICOBJ) bin/.dummy
- 	@echo "Linking $@"
-@@ -1389,7 +1390,7 @@
+--- Makefile.in.orig	Mon Feb 20 21:33:23 2006
++++ Makefile.in	Sat Feb 25 05:30:42 2006
+@@ -1390,7 +1390,7 @@
  
  bin/t_snprintf at EXEEXT@: lib/snprintf.c
  	$(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) -DTEST_SNPRINTF lib/snprintf.c -lm
Index: files/patch-configure.in
===================================================================
RCS file: /home/ncvs/ports/net/samba3/files/patch-configure.in,v
retrieving revision 1.15
diff -u -r1.15 patch-configure.in
--- files/patch-configure.in	19 Feb 2006 20:11:09 -0000	1.15
+++ files/patch-configure.in	25 Feb 2006 04:35:20 -0000
@@ -1,6 +1,6 @@
---- configure.in.orig	Mon Jan 30 15:45:07 2006
-+++ configure.in	Sun Feb 19 07:00:42 2006
-@@ -967,6 +967,21 @@
+--- configure.in.orig	Mon Feb 20 21:33:23 2006
++++ configure.in	Sat Feb 25 05:34:56 2006
+@@ -968,6 +968,21 @@
     AC_DEFINE(HAVE_SIG_ATOMIC_T_TYPE,1,[Whether we have the atomic_t variable type])
  fi
  
@@ -22,3 +22,25 @@
  AC_CACHE_CHECK([for struct timespec type],samba_cv_struct_timespec, [
      AC_TRY_COMPILE([
  #include <sys/types.h>
+@@ -1408,7 +1423,6 @@
+ 			DYNEXP="-Wl,--export-dynamic"
+ 			PICFLAGS="-fPIC"
+ 			SONAMEFLAG="-Wl,-soname="
+-			SONAMEVERSIONSUFFIX=".2"
+ 			AC_DEFINE(STAT_ST_BLOCKSIZE,512)
+ 			;;
+ 		*solaris*) AC_DEFINE(SUNOS5,1,[Whether the host os is solaris])
+@@ -4911,11 +4925,13 @@
+ 
+ case "$host_os" in
+ 	*linux*)
++		SONAMEVERSIONSUFFIX=".2"
+ 		WINBIND_NSS_EXTRA_OBJS="nsswitch/winbind_nss_linux.o"
+ 		;;
+ 	*freebsd[[5-9]]*)
+ 		# FreeBSD winbind client is implemented as a wrapper around
+ 		# the Linux version.
++		SONAMEVERSIONSUFFIX=".1"
+ 		WINBIND_NSS_EXTRA_OBJS="nsswitch/winbind_nss_freebsd.o \
+ 		    nsswitch/winbind_nss_linux.o"
+ 		WINBIND_NSS="nsswitch/nss_winbind.$SHLIBEXT"
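Review bot: `SONAMEVERSIONSUFFIX` is now assigned only in the `*linux*` and `*freebsd[[5-9]]*` arms of the later `case "$host_os"` (near line 4911 of configure.in), so anything between the old assignment near line 1408 and this point that expands it would see an empty value. That range is not visible in the hunk and should be checked against the full file. The remaining arms of this case lie outside the hunk and also get no suffix, which is presumably intended but is not stated. A short comment above each new assignment would record the intent, for example `# soname suffix for the winbind NSS module is per-OS: .2 on Linux, .1 on FreeBSD`.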
Index: files/samba.sh.sample
===================================================================
RCS file: /home/ncvs/ports/net/samba3/files/samba.sh.sample,v
retrieving revision 1.12
diff -u -r1.12 samba.sh.sample
--- files/samba.sh.sample	9 Jan 2006 16:45:33 -0000	1.12
+++ files/samba.sh.sample	1 Apr 2006 01:17:04 -0000
@@ -88,6 +88,7 @@
 
 load_rc_config $name
 run_rc_command "$1"
+_rc_restart_done=false
 
 # smbd
 name=smbd
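Review bot: `_rc_restart_done=false` is added after `run_rc_command "$1"` with no comment, here and again in the `%%WINBIND%%` hunk below. The name looks like an rc.subr internal, and the reset appears to be there to clear its run-restart-only-once guard so that `restart` also reaches the next daemon handled by this script. Because it depends on a private variable of the rc framework, it should carry a comment such as `# reset rc.subr's restart guard so the next daemon in this script is restarted too`. The script body continues outside both hunks.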
@@ -103,6 +104,7 @@
 
 load_rc_config $name
 run_rc_command "$1"
+%%WINBIND%%_rc_restart_done=false
 %%WINBIND%%
 %%WINBIND%%# winbindd
 %%WINBIND%%name=winbindd
--- samba3.diff ends here ---



>Release-Note:
>Audit-Trail:
>Unformatted:


