Merge pull request #342 from flatcar-linux/sayan/update-cifs-utils-6.15

net-fs/cifs-utils: Sync with Gentoo upstream; updates to 6.15

changelog/security/2022-06-29-cifs-utils-6.15.md

@@ -0,0 +1 @@
+- cifs-utils ([CVE-2022-27239](https://nvd.nist.gov/vuln/detail/CVE-2022-27239), [CVE-2022-29869](https://nvd.nist.gov/vuln/detail/CVE-2022-29869))

changelog/updates/2022-06-29-cifs-utils-6.15.md

@@ -0,0 +1 @@
+- cifs-utils ([6.15](https://lists.samba.org/archive/samba-technical/2022-April/137335.html))

net-fs/cifs-utils/Manifest

@@ -1,2 +1,3 @@
 DIST cifs-utils-6.13-kerberos_mount_regression_fix.patch.xz 4336 BLAKE2B de268f815ee4fbb750bf8b7d7110a69a808682c239a7c9196468ecc4d55a26eed3b63f8d8539569e16131060f57de389ef92e1063283eb2f41e65be00ed21bb1 SHA512 13d1fb8ff7c31100bfa481e647e9d3b90d61633173b3a71683246d7bb4b68c7e147d21697a17b7ad60e1ac8da2d48d6f4b51762370536a32d14da6c9a6db7e5e
 DIST cifs-utils-6.13.tar.bz2 414584 BLAKE2B 5133ea39fc65acaf2a9791f8ac97dee681dd12f509e0abd095542ce663e7c62002b033dcf35f0a8eec214cb9940597fb568fd50d4cfe5271ca4e433afbe1a7bc SHA512 1337ac4b69f0c3e8d0241eb608207ba81dfa35f84c661649d25da78637882c4d73467b0f632be0bd120362e0b786e40eb340bffcf21c8a09629c441100fd10de
+DIST cifs-utils-6.15.tar.bz2 416592 BLAKE2B 8af926bf255c5b3a66bf52ccca99632aacb9ed1c83ad7db5543b32df2f3bcd4be9a9cd17b744ec115d1568d07084e2bd2d03849aa9ab97cff2862f39bcf137b8 SHA512 eedb8066563db584595a8ba7cb7a603e6b763ac2c1261430d605c327fcc5a831acd48b58ea55dd243af778dfdc827ab8c6daf4015764ff550dcffc2182773510

net-fs/cifs-utils/cifs-utils-6.13-r1.ebuild

@@ -1,4 +1,4 @@
-# Copyright 1999-2021 Gentoo Authors
+# Copyright 1999-2022 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -15,7 +15,7 @@ SRC_URI+=" https://dev.gentoo.org/~polynomial-c/${P}-kerberos_mount_regression_f
 
 LICENSE="GPL-3"
 SLOT="0"
-KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ppc ppc64 ~riscv ~s390 sparc x86 ~x86-linux"
+KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~mips ~ppc ppc64 ~riscv ~s390 ~sparc x86 ~x86-linux"
 IUSE="+acl +ads +caps creds pam +python systemd"
 
 RDEPEND="

net-fs/cifs-utils/cifs-utils-6.15.ebuild

@@ -0,0 +1,138 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+PYTHON_COMPAT=( python3_{8..11} )
+
+inherit autotools bash-completion-r1 linux-info pam python-single-r1
+
+DESCRIPTION="Tools for Managing Linux CIFS Client Filesystems"
+HOMEPAGE="https://wiki.samba.org/index.php/LinuxCIFS_utils"
+SRC_URI="https://ftp.samba.org/pub/linux-cifs/${PN}/${P}.tar.bz2"
+
+LICENSE="GPL-3"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~x86-linux"
+IUSE="+acl +ads +caps creds pam +python systemd"
+
+RDEPEND="
+	sys-apps/keyutils:=
+	ads? (
+		sys-libs/talloc
+		virtual/krb5
+	)
+	caps? ( sys-libs/libcap-ng )
+	pam? ( sys-libs/pam )
+	python? ( ${PYTHON_DEPS} )
+"
+DEPEND="${RDEPEND}"
+BDEPEND="dev-python/docutils"
+PDEPEND="
+	acl? ( >=net-fs/samba-4.0.0_alpha1 )
+"
+
+REQUIRED_USE="
+	acl? ( ads )
+	python? ( ${PYTHON_REQUIRED_USE} )
+"
+
+DOCS="doc/linux-cifs-client-guide.odt"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-6.12-ln_in_destdir.patch" #766594
+	"${FILESDIR}/${PN}-6.15-musl.patch"
+)
+
+pkg_setup() {
+	linux-info_pkg_setup
+
+	if ! linux_config_exists || ! linux_chkconfig_present CIFS; then
+		ewarn "You must enable CIFS support in your kernel config, "
+		ewarn "to be able to mount samba shares. You can find it at"
+		ewarn
+		ewarn "  File systems"
+		ewarn "	Network File Systems"
+		ewarn "			CIFS support"
+		ewarn
+		ewarn "and recompile your kernel ..."
+	fi
+
+	python-single-r1_pkg_setup
+}
+
+src_prepare() {
+	default
+
+	if has_version app-crypt/heimdal ; then
+		# https://bugs.gentoo.org/612584
+		eapply "${FILESDIR}/${PN}-6.7-heimdal.patch"
+	fi
+
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		--enable-man
+		--enable-smbinfo
+		$(use_enable acl cifsacl cifsidmap)
+		$(use_enable ads cifsupcall)
+		$(use_with caps libcap)
+		$(use_enable creds cifscreds)
+		$(use_enable pam)
+		$(use_with pam pamdir $(getpam_mod_dir))
+		$(use_enable python pythontools)
+		# mount.cifs can get passwords from systemd
+		$(use_enable systemd)
+	)
+	ROOTSBINDIR="${EPREFIX}"/sbin \
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+
+	# remove empty directories
+	find "${ED}" -type d -empty -delete || die
+
+	if use acl ; then
+		dodir /etc/cifs-utils
+		dosym ../../usr/$(get_libdir)/cifs-utils/idmapwb.so \
+			/etc/cifs-utils/idmap-plugin
+		dodir /etc/request-key.d
+		echo 'create cifs.idmap * * /usr/sbin/cifs.idmap %k' \
+			> "${ED}/etc/request-key.d/cifs.idmap.conf"
+	fi
+
+	if use ads ; then
+		dodir /etc/request-key.d
+		echo 'create dns_resolver * * /usr/sbin/cifs.upcall %k' \
+			> "${ED}/etc/request-key.d/cifs.upcall.conf"
+		echo 'create cifs.spnego * * /usr/sbin/cifs.upcall %k' \
+			> "${ED}/etc/request-key.d/cifs.spnego.conf"
+	fi
+
+	dobashcomp bash-completion/smbinfo
+	python_fix_shebang "${ED}"
+}
+
+pkg_postinst() {
+	# Inform about set-user-ID bit of mount.cifs
+	ewarn "setuid use flag was dropped due to multiple security implications"
+	ewarn "such as CVE-2009-2948, CVE-2011-3585 and CVE-2012-1586"
+	ewarn "You are free to set setuid flags by yourself"
+
+	# Inform about upcall usage
+	if use acl ; then
+		einfo "The cifs.idmap utility has been enabled by creating the"
+		einfo "configuration file /etc/request-key.d/cifs.idmap.conf"
+		einfo "This enables you to get and set CIFS acls."
+	fi
+
+	if use ads ; then
+		einfo "The cifs.upcall utility has been enabled by creating the"
+		einfo "configuration file /etc/request-key.d/cifs.upcall.conf"
+		einfo "This enables you to mount DFS shares."
+	fi
+}

net-fs/cifs-utils/files/cifs-utils-6.15-musl.patch

@@ -0,0 +1,80 @@
+https://marc.info/?l=linux-cifs&m=165604639613381&w=2
+
+From c267ecf6a1c2152e640897d30cc0e8f637a8ef76 Mon Sep 17 00:00:00 2001
+From: Sam James <[email protected]>
+Date: Fri, 24 Jun 2022 05:25:23 +0100
+Subject: [PATCH 1/2] getcifsacl, setcifsacl: add missing <linux/limits.h>
+ include for XATTR_SIZE_MAX
+
+Needed to build on musl. It only works on glibc because of transitive includes
+(which could break in future).
+
+Example failure:
+```
+getcifsacl.c: In function 'getcifsacl':
+getcifsacl.c:429:24: error: 'XATTR_SIZE_MAX' undeclared (first use in this function)
+  429 |         if (bufsize >= XATTR_SIZE_MAX) {
+      |                        ^~~~~~~~~~~~~~
+```
+
+Bug: https://bugs.gentoo.org/842195
+Signed-off-by: Sam James <[email protected]>
+--- a/getcifsacl.c
++++ b/getcifsacl.c
+@@ -34,6 +34,7 @@
+ #include <errno.h>
+ #include <limits.h>
+ #include <ctype.h>
++#include <linux/limits.h>
+ #include <sys/xattr.h>
+ #include "cifsacl.h"
+ #include "idmap_plugin.h"
+--- a/setcifsacl.c
++++ b/setcifsacl.c
+@@ -48,6 +48,7 @@
+ #include <errno.h>
+ #include <limits.h>
+ #include <ctype.h>
++#include <linux/limits.h>
+ #include <sys/xattr.h>
+
+ #include "cifsacl.h"
+From d1a36cc4caa541d1f0f9a3426a5202b680cf7ff8 Mon Sep 17 00:00:00 2001
+From: Sam James <[email protected]>
+Date: Fri, 24 Jun 2022 05:26:54 +0100
+Subject: [PATCH 2/2] getcifsacl, setcifsacl: add missing <endian.h> include
+ for le32toh
+
+Needed to fix build on musl libc. It only works by chance on glibc
+because of transitive includes (which could break at any time).
+
+Example failure:
+```
+getcifsacl.c: In function 'print_ace':
+getcifsacl.c:284:16: warning: implicit declaration of function 'le16toh' [-Wimplicit-function-declaration]
+  284 |         size = le16toh(pace->size);
+      |                ^~~~~~~
+```
+
+Bug: https://bugs.gentoo.org/842195
+Signed-off-by: Sam James <[email protected]>
+--- a/getcifsacl.c
++++ b/getcifsacl.c
+@@ -23,6 +23,7 @@
+ #include "config.h"
+ #endif /* HAVE_CONFIG_H */
+
++#include <endian.h>
+ #include <string.h>
+ #include <getopt.h>
+ #include <stdint.h>
+--- a/setcifsacl.c
++++ b/setcifsacl.c
+@@ -38,6 +38,7 @@
+ #include "config.h"
+ #endif /* HAVE_CONFIG_H */
+
++#include <endian.h>
+ #include <string.h>
+ #include <getopt.h>
+ #include <stdint.h>