Date: Wed, 5 Apr 2006 03:04:54 +0200 From: "Timur I. Bakeyev" <timur@gnu.org> To: "FreeBSD gnats submit" <FreeBSD-gnats-submit@FreeBSD.org> Subject: ports/95325: [MAINTAINER] Security update of net/samba3 to 3.0.22 Message-ID: <1144199094.87799@timur.home.bat.ru> Resent-Message-ID: <200604050110.k351AHvs066807@freefall.freebsd.org>
>Number: 95325 >Category: ports >Synopsis: [MAINTAINER] Security update of net/samba3 to 3.0.22 >Confidential: no >Severity: serious >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Wed Apr 05 01:10:16 GMT 2006 >Closed-Date: >Last-Modified: >Originator: Timur I. Bakeyev >Release: FreeBSD 6.0-STABLE i386 >Organization: >Environment: System: FreeBSD 6.0-STABLE #2: Sun Jan 8 03:29:17 CET 2006 root@timur.home.bat.ru:/usr/src/sys/i386/compile/COMMON >Description: == Subject: Exposed clear text of domain machine == account password in debug logs (log == level >= 5) == CVE ID#: CAN_2006-1059 == == Versions: Samba Samba 3.0.21 - 3.0.21c (inclusive) == == Summary: The winbindd daemon writes the clear text == of the machine trust account password to == log files. These log files are world == readable by default. >How-To-Repeat: >Fix: --- samba3.diff begins here --- Index: Makefile =================================================================== RCS file: /home/ncvs/ports/net/samba3/Makefile,v retrieving revision 1.148 diff -u -r1.148 Makefile --- Makefile 22 Feb 2006 08:46:36 -0000 1.148 +++ Makefile 4 Apr 2006 02:02:41 -0000 @@ -6,7 +6,7 @@ # PORTNAME= samba -PORTVERSION?= 3.0.21b +PORTVERSION?= 3.0.22 PORTREVISION?= 0 PORTEPOCH?= 1 CATEGORIES?= net @@ -70,10 +70,11 @@ SAM_XML "With XML smbpasswd backend" off \ SAM_MYSQL "With MYSQL smbpasswd backend" off \ SAM_PGSQL "With PostgreSQL smbpasswd backend" off \ - SAM_OLD_LDAP "With Samba2.x LDAP smbpasswd backend" off \ + SAM_OLD_LDAP "With Samba2.x LDAP legacy smbpasswd backend" off \ + SMBSH "With SMBSH wrapper for UNIX commands" off \ PAM_SMBPASS "With SMB PAM module" off \ EXP_MODULES "With experimental module(s)" off \ - POPT "With installed POPT library" on + POPT "With system-wide POPT library" on .endif .include <bsd.port.pre.mk> 
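Review bot: The bump to `PORTVERSION?= 3.0.22` stops new disclosures, but nothing in the patch tells administrators about logs that 3.0.21 - 3.0.21c already wrote. Per the advisory quoted in the description, winbindd at log level 5 or higher wrote the machine trust account password in clear text to log files that are world readable by default, so those files stay sensitive after the upgrade. A pkg-message or UPDATING entry should be added, advising users who ran winbindd at that log level to remove or restrict the old winbindd logs and to change the machine trust account password.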
@@ -82,7 +83,8 @@ # Switch off all extra functionality CONFIGURE_ARGS+= --disable-cups --without-winbind --without-syslog \ --without-quotas --without-utmp --without-ldapsam \ - --without-pam --without-pam_smbpass --without-aio-support + --without-pam --without-pam_smbpass \ + --without-aio-support # Dirty hack to work around usage of OPTIONS in slave ports .if exists(${.CURDIR}/Makefile.inc) @@ -210,8 +212,16 @@ .endif .endif +.if defined(WITH_SMBSH) +IGNORE= broken IPC and code +CONFIGURE_ARGS+= --with-smbwrapper +PLIST_SUB+= SMBSH="" +.else +PLIST_SUB+= SMBSH="@comment " +.endif + .if defined(WITH_AIO_SUPPORT) -# Yes, it doesn't work for now +IGNORE= broken kernel API until now (7-CURRENT) CONFIGURE_ARGS+= --without-aio-support .endif @@ -269,12 +279,14 @@ # Samba server itself MAN1= findsmb.1 log2pcap.1 nmblookup.1 ntlm_auth.1 profiles.1 \ rpcclient.1 smbcacls.1 smbclient.1 smbcontrol.1 smbcquotas.1 \ - smbget.1 smbsh.1 smbstatus.1 smbtar.1 smbtree.1 testparm.1 \ - vfstest.1 + smbget.1 smbstatus.1 smbtar.1 smbtree.1 testparm.1 vfstest.1 MAN5= lmhosts.5 smb.conf.5 smbgetrc.5 smbpasswd.5 MAN7= samba.7 MAN8= net.8 nmbd.8 pdbedit.8 smbd.8 smbpasswd.8 smbspool.8 \ swat.8 tdbbackup.8 tdbdump.8 +.if defined(WITH_SMBSH) +MAN1+= smbsh.1 +.endif .if !defined(WITHOUT_WINBIND) MAN1+= wbinfo.1 MAN7+= pam_winbind.7 
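Review bot: `IGNORE= broken IPC and code` under `.if defined(WITH_SMBSH)` makes the port refuse to build in a normal run whenever the new SMBSH option is selected, so `--with-smbwrapper`, the `PLIST_SUB` entry and the smbsh install block later in the Makefile are not exercised. If the option is meant only as a placeholder, a comment should say so, for example `# smbwrapper does not work on FreeBSD yet; option is a placeholder`. The same applies to the `WITH_AIO_SUPPORT` block, where the removed comment was the only explanation of why `--without-aio-support` is passed when the option is on. The IGNORE strings would also read better as a phrase that follows the package name, e.g. `IGNORE= has broken smbwrapper IPC code`.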
@@ -351,9 +363,14 @@ ${ECHO_CMD} "${SAMBA_LIB}/pam_winbind.so" >> ${TMPPLIST}; .endif .if defined(WITH_PAM_SMBPASS) - @${INSTALL_PROGRAM} ${WRKSRC}/bin/pam_smbpass.so ${SAMBA_LIBDIR} + ${INSTALL_PROGRAM} ${WRKSRC}/bin/pam_smbpass.so ${SAMBA_LIBDIR} ${ECHO_CMD} "${SAMBA_LIB}/pam_smbpass.so" >> ${TMPPLIST}; .endif +# smbwrapper.so +.if defined(WITH_SMBSH) + ${INSTALL_PROGRAM} ${WRKSRC}/bin/smbsh ${PREFIX}/bin + ${INSTALL_PROGRAM} ${WRKSRC}/bin/smbwrapper.so ${SAMBA_LIBDIR}/samba +.endif # Lib @${FIND} ${SAMBA_LIBDIR}/samba -type f | ${SED} -E 's|^${PREFIX}/?||;' | ${EGREP} -F -v -f ${WRKDIR}/.PLIST.exclude | ${SORT} >> ${TMPPLIST} @for d in `${FIND} ${SAMBA_LIBDIR}/samba -type d | ${SORT} -r`; do \ Index: distinfo =================================================================== RCS file: /home/ncvs/ports/net/samba3/distinfo,v retrieving revision 1.68 diff -u -r1.68 distinfo --- distinfo 19 Feb 2006 20:11:09 -0000 1.68 +++ distinfo 1 Apr 2006 00:53:44 -0000 @@ -1,3 +1,3 @@ -MD5 (samba-3.0.21b.tar.gz) = bb73dffb33f4a39386ef9f3e07ae28ff -SHA256 (samba-3.0.21b.tar.gz) = a5e6982024105276d347b3b521897d6937c727e273814e743ada8eddf972e7d0 -SIZE (samba-3.0.21b.tar.gz) = 17539079 +MD5 (samba-3.0.22.tar.gz) = 5c39505af17cf5caf3d6ed8bab135036 +SHA256 (samba-3.0.22.tar.gz) = 781466885804343248afb74dfdd57df0c7165b252ded06a71c0f24827b2a8e2d +SIZE (samba-3.0.22.tar.gz) = 17542657 Index: pkg-plist =================================================================== RCS file: /home/ncvs/ports/net/samba3/pkg-plist,v retrieving revision 1.63 diff -u -r1.63 pkg-plist --- pkg-plist 9 Jan 2006 16:45:33 -0000 1.63 +++ pkg-plist 2 Apr 2006 00:04:25 -0000 @@ -21,6 +21,7 @@ bin/tdbdump bin/tdbtool bin/testparm +%%SMBSH%%bin/smbsh %%WINBIND%%bin/wbinfo @unexec %D/etc/rc.d/samba.sh forcestop 2>/dev/null || true etc/rc.d/samba.sh 
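Review bot: The new `WITH_SMBSH` install block depends on its position. `smbwrapper.so` is copied into `${SAMBA_LIBDIR}/samba` and is only recorded in `${TMPPLIST}` by the `${FIND} ${SAMBA_LIBDIR}/samba -type f` line that follows under `# Lib`, while `bin/smbsh` is listed statically in pkg-plist. The comment `# smbwrapper.so` does not say this; I would expand it to `# smbsh and smbwrapper.so; keep above the Lib scan, which adds smbwrapper.so to the plist`. If the block were later moved below the scan, the library would be left behind on deinstall. The enclosing target starts and ends outside the hunk.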
@@ -592,6 +593,7 @@ share/swat/help/using_samba/samba2_s.gif share/swat/help/using_samba/samba2_xs.gif share/swat/help/using_samba/toc.html +share/swat/help/welcome-no-samba-doc.html share/swat/help/welcome.html share/swat/images/globals.gif share/swat/images/home.gif Index: files/patch-Makefile.in =================================================================== RCS file: /home/ncvs/ports/net/samba3/files/patch-Makefile.in,v retrieving revision 1.6 diff -u -r1.6 patch-Makefile.in --- files/patch-Makefile.in 9 Jan 2006 16:45:33 -0000 1.6 +++ files/patch-Makefile.in 25 Feb 2006 04:31:05 -0000 
@@ -1,30 +1,6 @@ ---- Makefile.in.orig Wed Dec 14 13:45:49 2005 -+++ Makefile.in Sun Jan 1 03:35:30 2006 -@@ -676,6 +676,7 @@ - - CAC_PICOBJS = $(CAC_OBJ:.o=.@PICSUFFIX@) - -+NSS_VERSION=1 - - PAM_SMBPASS_OBJ_0 = pam_smbpass/pam_smb_auth.o pam_smbpass/pam_smb_passwd.o \ - pam_smbpass/pam_smb_acct.o pam_smbpass/support.o \ -@@ -1172,13 +1173,13 @@ - @WINBIND_NSS@: $(WINBIND_NSS_PICOBJS) - @echo "Linking $@" - @$(SHLD) $(WINBIND_NSS_LDSHFLAGS) -o $@ $(WINBIND_NSS_PICOBJS) \ -- @WINBIND_NSS_EXTRA_LIBS@ @SONAMEFLAG@`basename $@` -+ @WINBIND_NSS_EXTRA_LIBS@ @SONAMEFLAG@`basename $@`.$(NSS_VERSION) - - @WINBIND_WINS_NSS@: $(WINBIND_WINS_NSS_PICOBJS) - @echo "Linking $@" - @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_WINS_NSS_PICOBJS) \ - $(LDAP_LIBS) $(KRB5LIBS) -lc \ -- @SONAMEFLAG@`basename $@` -+ @SONAMEFLAG@`basename $@`.$(NSS_VERSION) - - nsswitch/pam_winbind.@SHLIBEXT@: $(PAM_WINBIND_PICOBJ) bin/.dummy - @echo "Linking $@" -@@ -1389,7 +1390,7 @@ +--- Makefile.in.orig Mon Feb 20 21:33:23 2006 ++++ Makefile.in Sat Feb 25 05:30:42 2006 +@@ -1390,7 +1390,7 @@ bin/t_snprintf@EXEEXT@: lib/snprintf.c $(CC) $(FLAGS) @PIE_LDFLAGS@ -o $@ $(DYNEXP) -DTEST_SNPRINTF lib/snprintf.c -lm Index: files/patch-configure.in =================================================================== RCS file: /home/ncvs/ports/net/samba3/files/patch-configure.in,v retrieving revision 1.15 diff -u -r1.15 patch-configure.in --- files/patch-configure.in 19 Feb 2006 20:11:09 -0000 1.15 +++ files/patch-configure.in 25 Feb 2006 04:35:20 -0000 @@ -1,6 +1,6 @@ ---- configure.in.orig Mon Jan 30 15:45:07 2006 -+++ configure.in Sun Feb 19 07:00:42 2006 -@@ -967,6 +967,21 @@ +--- configure.in.orig Mon Feb 20 21:33:23 2006 ++++ configure.in Sat Feb 25 05:34:56 2006 +@@ -968,6 +968,21 @@ AC_DEFINE(HAVE_SIG_ATOMIC_T_TYPE,1,[Whether we have the atomic_t variable type]) fi 
@@ -22,3 +22,25 @@ AC_CACHE_CHECK([for struct timespec type],samba_cv_struct_timespec, [ AC_TRY_COMPILE([ #include <sys/types.h> +@@ -1408,7 +1423,6 @@ + DYNEXP="-Wl,--export-dynamic" + PICFLAGS="-fPIC" + SONAMEFLAG="-Wl,-soname=" +- SONAMEVERSIONSUFFIX=".2" + AC_DEFINE(STAT_ST_BLOCKSIZE,512) + ;; + *solaris*) AC_DEFINE(SUNOS5,1,[Whether the host os is solaris]) +@@ -4911,11 +4925,13 @@ + + case "$host_os" in + *linux*) ++ SONAMEVERSIONSUFFIX=".2" + WINBIND_NSS_EXTRA_OBJS="nsswitch/winbind_nss_linux.o" + ;; + *freebsd[[5-9]]*) + # FreeBSD winbind client is implemented as a wrapper around + # the Linux version. ++ SONAMEVERSIONSUFFIX=".1" + WINBIND_NSS_EXTRA_OBJS="nsswitch/winbind_nss_freebsd.o \ + nsswitch/winbind_nss_linux.o" + WINBIND_NSS="nsswitch/nss_winbind.$SHLIBEXT" Index: files/samba.sh.sample =================================================================== RCS file: /home/ncvs/ports/net/samba3/files/samba.sh.sample,v retrieving revision 1.12 diff -u -r1.12 samba.sh.sample --- files/samba.sh.sample 9 Jan 2006 16:45:33 -0000 1.12 +++ files/samba.sh.sample 1 Apr 2006 01:17:04 -0000 @@ -88,6 +88,7 @@ load_rc_config $name run_rc_command "$1" +_rc_restart_done=false # smbd name=smbd @@ -103,6 +104,7 @@ load_rc_config $name run_rc_command "$1" +%%WINBIND%%_rc_restart_done=false %%WINBIND%% %%WINBIND%%# winbindd %%WINBIND%%name=winbindd --- samba3.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
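Review bot: `SONAMEVERSIONSUFFIX=".1"` is set only in the `*freebsd[[5-9]]*` branch, and it replaces the `NSS_VERSION=1` lines dropped from files/patch-Makefile.in, which appended `.$(NSS_VERSION)` to the soname of both `@WINBIND_NSS@` and `@WINBIND_WINS_NSS@`. Whether the 3.0.22 Makefile.in applies the suffix on both link rules is not visible in this diff and should be confirmed; otherwise nss_wins would be built with an unversioned soname. A host that does not match `[[5-9]]` would presumably get no suffix either, so a comment next to the assignment would help, such as `# nss modules need soname .1 on FreeBSD; extend the pattern for new major versions`. The case statement continues outside the inner hunk.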
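Review bot: `_rc_restart_done=false` is added after the `run_rc_command "$1"` calls with no comment, and it touches what looks like an internal variable of rc.subr. Presumably the flag is set once the first daemon has handled `restart`, which would make the later `run_rc_command` calls for smbd and winbindd skip theirs. That should be stated, e.g. `# reset rc.subr restart guard so the next daemon is restarted too`. The same applies to the `%%WINBIND%%_rc_restart_done=false` line in the second hunk. Because this relies on rc.subr internals, it is worth checking against the rc.subr versions the port supports.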