From b2f8324050e65fb7bb6eddcf7f58a3316cba3c8b Mon Sep 17 00:00:00 2001 From: Dongsu Park Date: Mon, 25 Sep 2023 15:34:06 +0200 Subject: [PATCH 1/3] overlay net-fs/samba: sync with Gentoo Update net-fs/samba to 4.18.4, mainly to address CVE-2021-44142, CVE-2022-1615. Gentoo ref: 2cecc32967dd95e8c66ded510b89c8aeaf267f90 --- .../coreos-overlay/net-fs/samba/Manifest | 2 +- .../ldb-2.5.2-skip-wav-tevent-check.patch | 12 + ...-15418-windows-update-secure-channel.patch | 56 +++++ ...4.4.0-pam.patch => samba-4.18.4-pam.patch} | 12 +- .../net-fs/samba/files/samba.conf | 11 +- .../coreos-overlay/net-fs/samba/metadata.xml | 4 +- ...a-4.15.4-r4.ebuild => samba-4.18.4.ebuild} | 223 ++++++++++-------- 7 files changed, 210 insertions(+), 110 deletions(-) create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch create mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch rename sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/{samba-4.4.0-pam.patch => samba-4.18.4-pam.patch} (77%) rename sdk_container/src/third_party/coreos-overlay/net-fs/samba/{samba-4.15.4-r4.ebuild => samba-4.18.4.ebuild} (61%) diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest index 315c45a9db3..5c0bcd72096 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest 
@@ -1 +1 @@
-DIST samba-4.15.4.tar.gz 19280813 BLAKE2B 3106f2f265263e871fe3f82d3eecaac2e5f642925ff5dd2a9d163092fd13e9348a3910e40431d51cb94a1abeb3b9c32c487ce1f8caebe59a8d6d90641b4d9201 SHA512 e55473dd4971816a01880870309ca44f022625cd529511bcf386c865a2e7e79118577ee4866559f607952de47dc0d310d6426bd08dd4293db95ddbbe3982383d
+DIST samba-4.18.4.tar.gz 41311410 BLAKE2B 1f1aab7eb933111b9b1c72af8c3dd379fe34014085129e9d5cc400b4e434742e1c08ad4fdf2a98291d6063ce9b2ddc811e9ab5dbb133a85e97f2158f83dd7c96 SHA512 bc8d792b510061556c07b6844a825801a4271eed45e01133a4718c1839d123e2908fa0e31e67af43098500e98a9082eb104052e711a8a034fac23d86e15c29ee
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch
new file mode 100644
index 00000000000..4578435064b
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch
@@ -0,0 +1,12 @@
+--- ldb-1.3.6/lib/tevent/wscript
++++ ldb-1.3.6/lib/tevent/wscript
+@@ -34,8 +34,7 @@
+ if conf.CHECK_BUNDLED_SYSTEM_PKG('tevent', minversion=VERSION,
+ onlyif='talloc', implied_deps='replace talloc'):
+ conf.define('USING_SYSTEM_TEVENT', 1)
+- if not conf.env.disable_python and \
+- conf.CHECK_BUNDLED_SYSTEM_PYTHON('pytevent', 'tevent', minversion=VERSION):
++ if not conf.env.disable_python:
+ conf.define('USING_SYSTEM_PYTEVENT', 1)
+
+ if conf.CHECK_FUNCS('epoll_create', headers='sys/epoll.h'):
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
new file mode 100644
index 00000000000..1d0d9777fe1
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
@@ -0,0 +1,56 @@
+https://bugs.gentoo.org/910306
+https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++----
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ struct netlogon_creds_CredentialState *creds;
+ NTSTATUS status;
+
++ if (r->in.query_level != 1) {
++ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
++ return NT_STATUS_NOT_SUPPORTED;
++ }
++
+ become_root();
+ status = dcesrv_netr_creds_server_step_check(p->dce_call,
+ p->mem_ctx,
+@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ return status;
+ }
+
+- if (r->in.query_level != 1) {
+- return NT_STATUS_NOT_SUPPORTED;
+- }
+-
+ r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+ return NT_STATUS_OK;
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ struct netlogon_creds_CredentialState *creds;
+ NTSTATUS status;
+
++ if (r->in.query_level != 1) {
++ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
++ }
++
+ status = dcesrv_netr_creds_server_step_check(dce_call,
+ mem_ctx,
+ r->in.computer_name,
+@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ }
+ NT_STATUS_NOT_OK_RETURN(status);
+
+- if (r->in.query_level != 1) {
+- return NT_STATUS_NOT_SUPPORTED;
+- }
+-
+ r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+ return NT_STATUS_OK;
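Review bot: The header of the new samba-4.18.4-bug-15418-windows-update-secure-channel.patch records only the two bug URLs and not the upstream Samba commit it was taken from, so a later maintainer cannot verify the backport or tell which 4.18.x release already carries it; add a line under the URLs such as `Upstream commit: <UPSTREAM_COMMIT_ID>` (placeholder, fill in from the Samba tree). The header should also say why the query_level check moves ahead of dcesrv_netr_creds_server_step_check in both _netr_LogonGetCapabilities and dcesrv_netr_LogonGetCapabilities: an unsupported level is now answered with a DCERPC_NCA_S_FAULT_INVALID_TAG fault before the secure-channel credentials are validated, which is presumably the compatibility behaviour the patch exists for and otherwise has to be re-derived from the diff. Both functions continue outside the quoted hunks.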
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.4.0-pam.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-pam.patch similarity index 77% rename from sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.4.0-pam.patch rename to sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-pam.patch index 451601383d4..381f77ccd32 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.4.0-pam.patch +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-pam.patch @@ -1,6 +1,6 @@ ---- samba-4.4.0rc2/source3/wscript -+++ samba-4.4.0rc2/source3/wscript -@@ -870,7 +870,7 @@ +--- a/source3/wscript ++++ b/source3/wscript +@@ -863,7 +863,7 @@ if conf.env.with_iconv: conf.DEFINE('HAVE_ICONV', 1) @@ -9,9 +9,9 @@ use_pam=True conf.CHECK_HEADERS('security/pam_appl.h pam/pam_appl.h') if not conf.CONFIG_SET('HAVE_SECURITY_PAM_APPL_H') and not conf.CONFIG_SET('HAVE_PAM_PAM_APPL_H'): -@@ -943,6 +943,17 @@ - conf.DEFINE('WITH_PAM', 1) - conf.DEFINE('WITH_PAM_MODULES', 1) +@@ -940,6 +940,17 @@ + "or headers not found. Use --without-pam to disable " + "PAM support."); + else: + Logs.warn("PAM disabled") diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf index a7f4946fb07..8e6e9dd8a15 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf @@ -1,3 +1,8 @@ -D /run/samba 0755 root root -D /run/ctdb 0755 root root -D /run/lock/samba 0755 root root +d /run/samba +d /run/ctdb +d /run/lock/samba +d /var/cache/samba +d /var/lib/ctdb +d /var/lib/samba/bind-dns +d /var/lib/samba/private +d /var/log/samba 
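Review bot: The new tmpfiles lines in files/samba.conf give no mode, owner or group, so systemd-tmpfiles falls back to 0755 root:root for every directory, including `/var/lib/samba/private`, the directory where Samba keeps secrets.tdb and similar credential material; write the mode explicitly, `d /var/lib/samba/private 0700 root root`, so it is not world-readable when tmpfiles creates it before smbd does. Whether Samba tightens the permissions of an already existing private dir itself I cannot tell from here, so the explicit mode is the safer default either way. The switch from `D` to `d` also drops the remove-on-boot semantics for the /run entries; presumably intended since /run is volatile, but a short comment in the file would save the next reader the question.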
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml index 0430625e206..0839deab51b 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml @@ -10,7 +10,6 @@ Enable Active Directory Domain Controller support - Enable AD DNS integration Enable Active Directory support Enable support for Ceph distributed filesystem via sys-cluster/ceph Enables the client part @@ -19,7 +18,6 @@ Use app-crypt/gpgme for AD DC Enable json audit support through dev-libs/jansson Enabling iPrint technology by Novell - Enable support for NTVFS fileserver Enables support for collecting profiling data Enables support for user quotas Enable support for regedit command-line tool @@ -29,9 +27,11 @@ bundled heimdal. Use app-crypt/mit-krb5 instead of app-crypt/heimdal. + Enable libunwind usage for backtraces Enables support for the winbind auth daemon cpe:/a:samba:samba + samba-team/samba diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.15.4-r4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild similarity index 61% rename from sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.15.4-r4.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild index b0fa91bbdc5..f8eb9860c24 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.15.4-r4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild 
@@ -1,36 +1,34 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 -EAPI=7 +EAPI=8 -PYTHON_COMPAT=( python3_{8..11} ) +PYTHON_COMPAT=( python3_{10..11} ) PYTHON_REQ_USE="threads(+),xml(+)" -TMPFILES_OPTIONAL=1 -inherit python-single-r1 waf-utils multilib-minimal linux-info systemd pam tmpfiles +inherit python-single-r1 flag-o-matic waf-utils multilib-minimal linux-info systemd pam tmpfiles DESCRIPTION="Samba Suite Version 4" HOMEPAGE="https://samba.org/" MY_PV="${PV/_rc/rc}" MY_P="${PN}-${MY_PV}" -if [[ ${PV} = *_rc* ]]; then +if [[ ${PV} == *_rc* ]]; then SRC_URI="mirror://samba/rc/${MY_P}.tar.gz" else SRC_URI="mirror://samba/stable/${MY_P}.tar.gz" - KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ppc ppc64 ~riscv sparc x86" + KEYWORDS="~alpha amd64 arm arm64 ~hppa ~ia64 ~loong ppc ppc64 ~riscv sparc x86" fi S="${WORKDIR}/${MY_P}" LICENSE="GPL-3" SLOT="0" -IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam -glusterfs gpg iprint json ldap pam profiling-data python quota +regedit selinux -snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test winbind -zeroconf" -IUSE+=" +minimal" # Flatcar: Only install libraries, not executables. +IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam glusterfs gpg" +IUSE+=" iprint json ldap llvm-libunwind pam profiling-data python quota +regedit selinux" +IUSE+=" snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test unwind winbind" +IUSE+=" zeroconf" REQUIRED_USE="${PYTHON_REQUIRED_USE} - addc? ( python json winbind ) + addc? ( json python !system-mitkrb5 winbind ) ads? ( acl ldap python winbind ) cluster? ( ads ) gpg? ( addc ) 
@@ -57,37 +55,42 @@ MULTILIB_WRAPPED_HEADERS=( /usr/include/samba-4.0/ctdb_version.h ) +TALLOC_VERSION="2.4.0" +TDB_VERSION="1.4.8" +TEVENT_VERSION="0.14.1" + COMMON_DEPEND=" - >=app-arch/libarchive-3.1.2[${MULTILIB_USEDEP}] - spotlight? ( dev-libs/icu:=[${MULTILIB_USEDEP}] ) + >=app-arch/libarchive-3.1.2:=[${MULTILIB_USEDEP}] + dev-lang/perl:= + dev-libs/icu:=[${MULTILIB_USEDEP}] dev-libs/libbsd[${MULTILIB_USEDEP}] - !minimal? ( dev-libs/libtasn1[${MULTILIB_USEDEP}] ) + dev-libs/libtasn1:=[${MULTILIB_USEDEP}] dev-libs/popt[${MULTILIB_USEDEP}] - >=net-libs/gnutls-3.4.7[${MULTILIB_USEDEP}] + dev-perl/Parse-Yapp + >=net-libs/gnutls-3.4.7:=[${MULTILIB_USEDEP}] >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] - >=sys-libs/ldb-2.4.1[ldap(+)?,${MULTILIB_USEDEP}] - =sys-libs/ldb-2.7.2:=[ldap(+)?,${MULTILIB_USEDEP}] + =sys-libs/talloc-2.3.3[${MULTILIB_USEDEP}] - >=sys-libs/tdb-1.4.4[${MULTILIB_USEDEP}] - >=sys-libs/tevent-0.11.0[${MULTILIB_USEDEP}] + sys-libs/ncurses:= + sys-libs/readline:= + >=sys-libs/talloc-${TALLOC_VERSION}[${MULTILIB_USEDEP}] + >=sys-libs/tdb-${TDB_VERSION}[${MULTILIB_USEDEP}] + >=sys-libs/tevent-${TEVENT_VERSION}[${MULTILIB_USEDEP}] sys-libs/zlib[${MULTILIB_USEDEP}] virtual/libcrypt:=[${MULTILIB_USEDEP}] virtual/libiconv - $(python_gen_cond_dep " + $(python_gen_cond_dep ' addc? ( - dev-python/dnspython:=[\${PYTHON_USEDEP}] - dev-python/markdown[\${PYTHON_USEDEP}] + dev-python/dnspython:=[${PYTHON_USEDEP}] + dev-python/markdown[${PYTHON_USEDEP}] ) ads? ( - dev-python/dnspython:=[\${PYTHON_USEDEP}] + dev-python/dnspython:=[${PYTHON_USEDEP}] net-dns/bind-tools[gssapi] ) - ") - !alpha? ( !sparc? ( sys-libs/libunwind:= ) ) + ') acl? ( virtual/acl ) ceph? ( sys-cluster/ceph ) cluster? ( net-libs/rpcsvc-proto ) 
@@ -107,18 +110,20 @@ COMMON_DEPEND=" snapper? ( sys-apps/dbus ) system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] ) system-mitkrb5? ( >=app-crypt/mit-krb5-1.19[${MULTILIB_USEDEP}] ) - systemd? ( sys-apps/systemd:0= ) + systemd? ( sys-apps/systemd:= ) + unwind? ( + llvm-libunwind? ( sys-libs/llvm-libunwind:= ) + !llvm-libunwind? ( sys-libs/libunwind:= ) + ) zeroconf? ( net-dns/avahi[dbus] ) " DEPEND="${COMMON_DEPEND} - >=dev-util/cmocka-1.1.3[${MULTILIB_USEDEP}] + dev-perl/JSON net-libs/libtirpc[${MULTILIB_USEDEP}] - || ( - net-libs/rpcsvc-proto - =dev-util/cmocka-1.1.3[${MULTILIB_USEDEP}] $(python_gen_cond_dep "dev-python/subunit[\${PYTHON_USEDEP},${MULTILIB_USEDEP}]" ) !system-mitkrb5? ( >=net-dns/resolv_wrapper-1.1.4 @@ -133,31 +138,29 @@ RDEPEND="${COMMON_DEPEND} selinux? ( sec-policy/selinux-samba ) " BDEPEND="${PYTHON_DEPS} - dev-lang/perl:= - dev-perl/Parse-Yapp app-text/docbook-xsl-stylesheets dev-libs/libxslt virtual/pkgconfig " PATCHES=( - "${FILESDIR}/${PN}-4.4.0-pam.patch" + "${FILESDIR}"/${PN}-4.18.4-pam.patch + "${FILESDIR}"/${PN}-4.18.4-bug-15418-windows-update-secure-channel.patch + "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch ) -#CONFDIR="${FILESDIR}/$(get_version_component_range 1-2)" CONFDIR="${FILESDIR}/4.4" - WAF_BINARY="${S}/buildtools/bin/waf" - SHAREDMODS="" pkg_setup() { # Package fails to build with distcc export DISTCC_DISABLE=1 + export PYTHONHASHSEED=1 python-single-r1_pkg_setup - SHAREDMODS="$(usex snapper '' '!')vfs_snapper" + SHAREDMODS="$(usev !snapper '!')vfs_snapper" if use cluster ; then SHAREDMODS+=",idmap_rid,idmap_tdb2,idmap_ad" elif use ads ; then 
@@ -165,36 +168,86 @@ pkg_setup() { fi } +check_samba_dep_versions() { + actual_talloc_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' lib/talloc/wscript || die) + if [[ ${actual_talloc_version} != ${TALLOC_VERSION} ]] ; then + eerror "Source talloc version: ${TALLOC_VERSION}" + eerror "Ebuild talloc version: ${actual_talloc_version}" + die "Ebuild needs to fix TALLOC_VERSION!" + fi + + actual_tdb_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' lib/tdb/wscript || die) + if [[ ${actual_tdb_version} != ${TDB_VERSION} ]] ; then + eerror "Source tdb version: ${TDB_VERSION}" + eerror "Ebuild tdb version: ${actual_tdb_version}" + die "Ebuild needs to fix TDB_VERSION!" + fi + + actual_tevent_version=$(sed -En '/^VERSION =/{s/[^0-9.]//gp}' lib/tevent/wscript || die) + if [[ ${actual_tevent_version} != ${TEVENT_VERSION} ]] ; then + eerror "Source tevent version: ${TEVENT_VERSION}" + eerror "Ebuild tevent version: ${actual_tevent_version}" + die "Ebuild needs to fix TEVENT_VERSION!" + fi +} + src_prepare() { default - # un-bundle dnspython + check_samba_dep_versions + + # Unbundle dnspython sed -i -e '/"dns.resolver":/d' "${S}"/third_party/wscript || die - # unbundle iso8601 unless tests are enabled + # Unbundle iso8601 unless tests are enabled if ! use test ; then sed -i -e '/"iso8601":/d' "${S}"/third_party/wscript || die fi + # Ugly hackaround for bug #592502 + #cp /usr/include/tevent_internal.h "${S}"/lib/tevent/ || die + sed -e 's:::' \ -i source4/dsdb/samdb/ldb_modules/password_hash.c \ || die - # Friggin' WAF shit + # WAF multilib_copy_sources } multilib_src_configure() { - # when specifying libs for samba build you must append NONE to the end to + # When specifying libs for samba build you must append NONE to the end to # stop it automatically including things local bundled_libs="NONE" if ! use system-heimdal && ! 
use system-mitkrb5 ; then bundled_libs="heimbase,heimntlm,hdb,kdc,krb5,wind,gssapi,hcrypto,hx509,roken,asn1,com_err,NONE" fi - # Flatcar: we need only the mandatory bundled library, ldb by default. - # Without that, configure will fail because of a missing bundled library. - bundled_libs="ldb" + # We "use" bundled cmocka when we're not running tests as we're + # not using it anyway. Means we avoid making users install it for + # no reason. bug #802531 + if ! use test ; then + bundled_libs="cmocka,${bundled_libs}" + fi + + # bug #874633 + if use llvm-libunwind ; then + mkdir -p "${T}"/${ABI}/pkgconfig || die + + local -x PKG_CONFIG_PATH="${T}/${ABI}/pkgconfig:${PKG_CONFIG_PATH}" + + cat <<-EOF > "${T}"/${ABI}/pkgconfig/libunwind-generic.pc || die + exec_prefix=\${prefix} + libdir=/usr/$(get_libdir) + includedir=\${prefix}/include + + Name: libunwind-generic + Description: libunwind generic library + Version: 1.70 + Libs: -L\${libdir} -lunwind + Cflags: -I\${includedir} + EOF + fi local myconf=( --enable-fhs @@ -231,11 +284,12 @@ multilib_src_configure() { $(multilib_native_use_with systemd) --systemd-install-services --with-systemddir="$(systemd_get_systemunitdir)" + $(multilib_native_use_with unwind libunwind) $(multilib_native_use_with winbind) $(multilib_native_usex python '' '--disable-python') $(multilib_native_use_enable zeroconf avahi) $(multilib_native_usex test '--enable-selftest' '') - $(usex system-mitkrb5 "--with-system-mitkrb5 $(multilib_native_usex addc --with-experimental-mit-ad-dc '')" '') + $(usev system-mitkrb5 "--with-system-mitkrb5 $(multilib_native_usex addc --with-experimental-mit-ad-dc '')") $(use_with debug lttng) $(use_with ldap) $(use_with profiling-data) 
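Review bot: The three eerror pairs in check_samba_dep_versions label their values the wrong way round: `actual_talloc_version` is what sed read from lib/talloc/wscript (the source tree), yet it is printed under "Ebuild talloc version", while the ebuild constant TALLOC_VERSION is printed under "Source talloc version". Swap the variables, `eerror "Source talloc version: ${actual_talloc_version}"` and `eerror "Ebuild talloc version: ${TALLOC_VERSION}"`, and do the same for the tdb and tevent pairs, otherwise the diagnostic sends whoever hits the die to the wrong file. The `|| die` inside each `$(...)` runs in a subshell, so whether it aborts the ebuild depends on the package manager; the following `!=` comparison does catch an empty result, which is the usual failure mode, so this is only worth a comment.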
@@ -249,38 +303,50 @@ multilib_src_configure() { myconf+=( --with-shared-modules=DEFAULT,!vfs_snapper ) fi - CPPFLAGS="-I${SYSROOT}${EPREFIX}/usr/include/et ${CPPFLAGS}" \ - waf-utils_src_configure ${myconf[@]} + append-cppflags "-I${ESYSROOT}/usr/include/et" + + waf-utils_src_configure ${myconf[@]} } multilib_src_compile() { waf-utils_src_compile } +multilib_src_test() { + if multilib_is_native_abi ; then + "${WAF_BINARY}" test || die "Test failed" + fi +} + multilib_src_install() { waf-utils_src_install # Make all .so files executable find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die + # smbspool_krb5_wrapper must only be accessible to root, bug #880739 + find "${ED}" -type f -name "smbspool_krb5_wrapper" -exec chmod go-rwx {} + || die + + # Remove empty runtime dirs created by build system (bug #892341) + find "${ED}"/{run,var} -type d -empty -delete || die if multilib_is_native_abi ; then - # install ldap schema for server (bug #491002) + # Install ldap schema for server (bug #491002) if use ldap ; then insinto /etc/openldap/schema doins examples/LDAP/samba.schema fi - # create symlink for cups (bug #552310) + # Create symlink for cups (bug #552310) if use cups ; then dosym ../../../bin/smbspool \ /usr/libexec/cups/backend/smb fi - # install example config file + # Install example config file insinto /etc/samba doins examples/smb.conf.default - # Fix paths in example file (#603964) + # Fix paths in example file (bug #603964) sed \ -e '/log file =/s@/usr/local/samba/var/@/var/log/samba/@' \ -e '/include =/s@/usr/local/samba/lib/@/etc/samba/@' \ @@ -293,7 +359,7 @@ multilib_src_install() { newinitd "${CONFDIR}/samba4.initd-r1" samba newconfd "${CONFDIR}/samba4.confd" samba - use minimal || dotmpfiles "${FILESDIR}"/samba.conf + dotmpfiles "${FILESDIR}"/samba.conf if ! use addc ; then rm "${D}/$(systemd_get_systemunitdir)/samba.service" \ || die 
@@ -311,47 +377,8 @@ multilib_src_install() { insinto /etc/security doins examples/pam_winbind/pam_winbind.conf fi - - keepdir /var/cache/samba - keepdir /var/lib/ctdb - keepdir /var/lib/samba/{bind-dns,private} - keepdir /var/lock/samba - keepdir /var/log/samba - - - rm -f "${ED%/}"/etc/samba/* - rm -f "${ED%/}"/usr/lib*/samba/ldb/* - if use minimal ; then - mv "${ED%/}"/usr/bin/net "${T}"/ - rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/* - mv "${T}"/net "${ED%/}"/usr/bin/net - rm -rf ${ED%/}/lib*/security - rm -rf ${ED%/}/usr/lib/systemd - rm -rf ${ED%/}/usr/lib*/perl* - rm -rf ${ED%/}/usr/lib*/python* - rm -rf ${ED%/}/var - fi -} - -multilib_src_test() { - if multilib_is_native_abi ; then - "${WAF_BINARY}" test || die "test failed" - fi } pkg_postinst() { - use minimal || tmpfiles_process samba.conf - - if [[ -z ${REPLACING_VERSIONS} ]] ; then - elog "Be aware that this release contains the best of all of Samba's" - elog "technology parts, both a file server (that you can reasonably expect" - elog "to upgrade existing Samba 3.x releases to) and the AD domain" - elog "controller work previously known as 'samba4'." - elog - fi - if [[ "${PV}" != *_rc* ]] ; then - elog "For further information and migration steps make sure to read " - elog "https://samba.org/samba/history/${P}.html " - elog "https://wiki.samba.org/index.php/Samba4/HOWTO " - fi + tmpfiles_process samba.conf } From a5064c2831b2d2c12158e9afd0e2b2c64b8cfb5e Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 25 Sep 2023 16:33:42 +0200 Subject: [PATCH 2/3] net-fs/samba: Apply Flatcar modifications - Add a minimal USE flag for only installing libraries - Change the Perl run-time dep to build-time only - Disable building libraries requiring Python - Disable building Perl JSON libraries - Limit the size of bundled libraries Co-authored-by: Dongsu Park --- .../net-fs/samba/samba-4.18.4.ebuild | 37 +++++++++++++++---- 1 file changed, 30 insertions(+), 7 deletions(-) 
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild index f8eb9860c24..59014f5b8ca 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild @@ -5,6 +5,7 @@ EAPI=8 PYTHON_COMPAT=( python3_{10..11} ) PYTHON_REQ_USE="threads(+),xml(+)" +TMPFILES_OPTIONAL=1 inherit python-single-r1 flag-o-matic waf-utils multilib-minimal linux-info systemd pam tmpfiles DESCRIPTION="Samba Suite Version 4" @@ -26,6 +27,7 @@ IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam glusterf IUSE+=" iprint json ldap llvm-libunwind pam profiling-data python quota +regedit selinux" IUSE+=" snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test unwind winbind" IUSE+=" zeroconf" +IUSE+=" +minimal" # Flatcar: Only install libraries, not executables. REQUIRED_USE="${PYTHON_REQUIRED_USE} addc? ( json python !system-mitkrb5 winbind ) @@ -59,14 +61,13 @@ TALLOC_VERSION="2.4.0" TDB_VERSION="1.4.8" TEVENT_VERSION="0.14.1" +# Flatcar: exclude perl, icu, libtasn1, Parse-Yapp from DEPEND COMMON_DEPEND=" >=app-arch/libarchive-3.1.2:=[${MULTILIB_USEDEP}] - dev-lang/perl:= - dev-libs/icu:=[${MULTILIB_USEDEP}] + spotlight? ( dev-libs/icu:=[${MULTILIB_USEDEP}] ) dev-libs/libbsd[${MULTILIB_USEDEP}] - dev-libs/libtasn1:=[${MULTILIB_USEDEP}] + !minimal? ( dev-libs/libtasn1:=[${MULTILIB_USEDEP}] ) dev-libs/popt[${MULTILIB_USEDEP}] - dev-perl/Parse-Yapp >=net-libs/gnutls-3.4.7:=[${MULTILIB_USEDEP}] >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] >=sys-libs/ldb-2.7.2:=[ldap(+)?,${MULTILIB_USEDEP}] 
@@ -117,8 +118,9 @@ COMMON_DEPEND=" ) zeroconf? ( net-dns/avahi[dbus] ) " +# Flatcar: pull in JSON only if json is enabled DEPEND="${COMMON_DEPEND} - dev-perl/JSON + json? ( dev-perl/JSON ) net-libs/libtirpc[${MULTILIB_USEDEP}] net-libs/rpcsvc-proto spotlight? ( dev-libs/glib ) @@ -138,6 +140,8 @@ RDEPEND="${COMMON_DEPEND} selinux? ( sec-policy/selinux-samba ) " BDEPEND="${PYTHON_DEPS} + dev-lang/perl:= + dev-perl/Parse-Yapp app-text/docbook-xsl-stylesheets dev-libs/libxslt virtual/pkgconfig @@ -249,6 +253,10 @@ multilib_src_configure() { EOF fi + # Flatcar: we need only the mandatory bundled library, ldb by default. + # Without that, configure will fail because of a missing bundled library. + bundled_libs="ldb" + local myconf=( --enable-fhs --sysconfdir="${EPREFIX}/etc" @@ -359,7 +367,8 @@ multilib_src_install() { newinitd "${CONFDIR}/samba4.initd-r1" samba newconfd "${CONFDIR}/samba4.confd" samba - dotmpfiles "${FILESDIR}"/samba.conf + # Flatcar: do not create samba config if minimal enabled + use minimal || dotmpfiles "${FILESDIR}"/samba.conf if ! use addc ; then rm "${D}/$(systemd_get_systemunitdir)/samba.service" \ || die @@ -377,8 +386,22 @@ multilib_src_install() { insinto /etc/security doins examples/pam_winbind/pam_winbind.conf fi + + # Flatcar: clean up unnecessary files + rm -f "${ED%/}"/etc/samba/* + rm -f "${ED%/}"/usr/lib*/samba/ldb/* + if use minimal ; then + mv "${ED%/}"/usr/bin/net "${T}"/ + rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/* + mv "${T}"/net "${ED%/}"/usr/bin/net + rm -rf ${ED%/}/lib*/security + rm -rf ${ED%/}/usr/lib/systemd + rm -rf ${ED%/}/usr/lib*/perl* + rm -rf ${ED%/}/usr/lib*/python* + rm -rf ${ED%/}/var + fi } pkg_postinst() { - tmpfiles_process samba.conf + use minimal || tmpfiles_process samba.conf } From 8addf0c1471bf84ddcc61205a5444551b38e5cb4 Mon Sep 17 00:00:00 2001 
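Review bot: `bundled_libs="ldb"` at the end of the new block in multilib_src_configure overwrites the whole list, dropping both the `NONE` terminator that the comment at the top of the function says is required to stop waf from bundling libraries on its own and the `cmocka,` prefix added for USE=-test; this hunk starts after that earlier logic, so the discarded state is not visible at the override site. If the intent is "bundle ldb and nothing else", `bundled_libs="ldb,NONE"` keeps the sentinel so a missing system library fails configure loudly instead of being silently vendored, which matters because a bundled copy no longer receives the system's security updates; with cmocka only a test? dependency, the USE=-test build presumably relies on exactly that auto-bundling today, so that case would need the explicit `cmocka,` entry back. If the bare list is intentional (the pre-sync Flatcar ebuild had it too), say so in the comment, e.g. `# Flatcar: deliberately without NONE so waf may bundle libs missing from the SDK`.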
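Review bot: The re-added Flatcar cleanup in multilib_src_install runs `mv "${ED%/}"/usr/bin/net "${T}"/` and `mv "${T}"/net "${ED%/}"/usr/bin/net` without `|| die`, so if net is absent or the first mv fails, the `rm -f "${ED%/}"/usr/bin/*` in between silently deletes everything and the image ships without the one binary the block tries to keep; append `|| die` to both mv lines. The five `rm -rf ${ED%/}/...` lines leave `${ED%/}` unquoted; quote the variable and keep the glob outside the quotes, `rm -rf "${ED%/}"/lib*/security`, so a path with whitespace cannot split into extra rm arguments. multilib_src_install starts outside this hunk.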
From: Dongsu Park Date: Mon, 25 Sep 2023 16:38:44 +0200 Subject: [PATCH 3/3] changelog: add changelog for samba 4.18.4 --- changelog/security/2023-09-25-samba-4.18.4.md | 1 + changelog/updates/2023-09-25-samba-4.18.4.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/security/2023-09-25-samba-4.18.4.md create mode 100644 changelog/updates/2023-09-25-samba-4.18.4.md diff --git a/changelog/security/2023-09-25-samba-4.18.4.md b/changelog/security/2023-09-25-samba-4.18.4.md new file mode 100644 index 00000000000..6c25915a269 --- /dev/null +++ b/changelog/security/2023-09-25-samba-4.18.4.md @@ -0,0 +1 @@ +- samba ([CVE-2021-44142](https://nvd.nist.gov/vuln/detail/CVE-2021-44142), [CVE-2022-1615](https://nvd.nist.gov/vuln/detail/CVE-2022-1615)) diff --git a/changelog/updates/2023-09-25-samba-4.18.4.md b/changelog/updates/2023-09-25-samba-4.18.4.md new file mode 100644 index 00000000000..8cd9cdcc70c --- /dev/null +++ b/changelog/updates/2023-09-25-samba-4.18.4.md @@ -0,0 +1 @@ +- samba ([4.18.4](https://wiki.samba.org/index.php/Samba_4.18_Features_added/changed#Samba_4.18.4))