Date: Wed, 27 Mar 2013 01:50:53 +0000 (UTC) From: "Timur I. Bakeyev" <timur@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r315342 - in head/net/samba4: . files Message-ID: <201303270150.r2R1orgx099910@svn.freebsd.org>
Author: timur Date: Wed Mar 27 01:50:53 2013 New Revision: 315342 URL: http://svnweb.freebsd.org/changeset/ports/315342 Log: Update port to the 4.0.4 version, closing CVE-2013-1863. Fix winbindd to retrieve getgroupmembership() list directly, which fixed behaviour of 'id'. Remove obsolete set_var in startup script. Security: CVE-2013-1863 Added: head/net/samba4/files/patch-nsswitch__winbind_nss_freebsd.c (contents, props changed) Modified: head/net/samba4/Makefile head/net/samba4/distinfo head/net/samba4/files/samba4.in
Modified: head/net/samba4/Makefile
==============================================================================
--- head/net/samba4/Makefile Wed Mar 27 00:34:41 2013 (r315341)
+++ head/net/samba4/Makefile Wed Mar 27 01:50:53 2013 (r315342)
@@ -20,7 +20,7 @@ MAKE_JOBS_SAFE= yes
 SAMBA4_BASENAME= samba
 SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4
-SAMBA4_VERSION= 4.0.3
+SAMBA4_VERSION= 4.0.4
 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|}
 WRKSRC?= ${WRKDIR}/${DISTNAME}
@@ -70,6 +70,7 @@ CONFIGURE_ENV+= PTHREAD_CFLAGS="${PTHRE
 USE_PYTHON_BUILD= -2.7
 USE_PERL5_BUILD= yes
+USE_GCC= 4.2+
 USE_PYTHON= yes
 USE_ICONV= yes
 USE_GETTEXT= yes
@@ -181,6 +182,7 @@ SUB_LIST+= NSUPDATE=""
 .endif
 .if ${PORT_OPTIONS:MDEBUG}
+WITH_DEBUG= yes
 CONFIGURE_ARGS+= --verbose
 _MAKE_JOBS+= --verbose
 CONFIGURE_ARGS+= --enable-debug
@@ -352,11 +354,11 @@ PLIST_SUB+= LDAP="@comment "
 .if defined(WANT_EXP_MODULES) && !empty(WANT_EXP_MODULES)
 SAMBA4_MODULES+= ${WANT_EXP_MODULES}
-CONFIGURE_ARGS+= --with-shared-modules="${WANT_EXP_MODULES:Q:C/(\\\\ )+/,/g}"
+CONFIGURE_ARGS+= --with-shared-modules="${WANT_EXP_MODULES:Q:C|(\\\\ )+|,|g:S|\\||g}"
 .endif
 .if defined(SAMBA4_BUNDLED_LIBS) && !empty(SAMBA4_BUNDLED_LIBS)
-CONFIGURE_ARGS+= --bundled-libraries="${SAMBA4_BUNDLED_LIBS:Q:C/(\\\\ )+/,/g}"
+CONFIGURE_ARGS+= --bundled-libraries="${SAMBA4_BUNDLED_LIBS:Q:C|(\\\\ )+|,|g:S|\\||g}"
 .endif
 # XXX
Modified: head/net/samba4/distinfo
==============================================================================
--- head/net/samba4/distinfo Wed Mar 27 00:34:41 2013 (r315341)
+++ head/net/samba4/distinfo Wed Mar 27 01:50:53 2013 (r315342)
@@ -1,2 +1,2 @@
-SHA256 (samba-4.0.3.tar.gz) = ab5d3618632f8869c838c0b2994b3f169da6824885710aad1146738172e44a4b
-SIZE (samba-4.0.3.tar.gz) = 22051995
+SHA256 (samba-4.0.4.tar.gz) = 20a84280155543892ce939e70482243396a9a8bfa77dcb4bf58328f7029772c5
+SIZE (samba-4.0.4.tar.gz) = 22055293
Added: head/net/samba4/files/patch-nsswitch__winbind_nss_freebsd.c
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/net/samba4/files/patch-nsswitch__winbind_nss_freebsd.c Wed Mar 27 01:50:53 2013 (r315342)
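Review bot: In the Makefile hunk at line 352, the `:S|\\||g` step added to both `CONFIGURE_ARGS` lines removes every backslash that `:Q` inserted, so the expanded list is protected only by the surrounding double quotes. That is adequate for plain module and library names, but the intent of the three-step modifier chain is not obvious to the next maintainer. A comment above the first use, such as `# :Q escapes the list, :C turns escaped spaces into commas, :S drops the remaining backslashes`, would record it, along with a note on which characters the names may contain. The same applies to the `SAMBA4_BUNDLED_LIBS` line.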
@@ -0,0 +1,100 @@
+--- ./nsswitch/winbind_nss_freebsd.c.orig 2012-10-02 08:24:41.000000000 +0000
++++ ./nsswitch/winbind_nss_freebsd.c 2013-03-13 09:40:37.285778609 +0000
+@@ -5,6 +5,7 @@
+ routines against Samba winbind/Windows NT Domain
+
+ Copyright (C) Aaron Collins 2003
++ Copyright (C) Timur I. Bakeyev 2013
+
+ This library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+@@ -53,6 +54,9 @@
+ NSS_METHOD_PROTOTYPE(__nss_compat_getpwent_r);
+ NSS_METHOD_PROTOTYPE(__nss_compat_setpwent);
+ NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);
++NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);
++
++NSS_METHOD_PROTOTYPE(__freebsd_getgroupmembership);
+
+ static ns_mtab methods[] = {
+ { NSDB_GROUP, "getgrnam_r", __nss_compat_getgrnam_r, _nss_winbind_getgrnam_r },
+@@ -60,6 +64,7 @@
+ { NSDB_GROUP, "getgrent_r", __nss_compat_getgrent_r, _nss_winbind_getgrent_r },
+ { NSDB_GROUP, "setgrent", __nss_compat_setgrent, _nss_winbind_setgrent },
+ { NSDB_GROUP, "endgrent", __nss_compat_endgrent, _nss_winbind_endgrent },
++{ NSDB_GROUP, "getgroupmembership", __freebsd_getgroupmembership, NULL },
+
+ { NSDB_PASSWD, "getpwnam_r", __nss_compat_getpwnam_r, _nss_winbind_getpwnam_r },
+ { NSDB_PASSWD, "getpwuid_r", __nss_compat_getpwuid_r, _nss_winbind_getpwuid_r },
+@@ -69,6 +74,71 @@
+
+ };
+
++/* Taken from libc */
++static int
++gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *grpcnt)
++{
++ int ret, dupc;
++
++ /* skip duplicates */
++ for (dupc = 0; dupc < MIN(maxgrp, *grpcnt); dupc++) {
++ if (groups[dupc] == gid)
++ return 1;
++ }
++
++ ret = 1;
++ if (*grpcnt < maxgrp) /* add this gid */
++ groups[*grpcnt] = gid;
++ else
++ ret = 0;
++
++ (*grpcnt)++;
++
++ return ret;
++}
++
++/*
++ rv = _nsdispatch(NULL, dtab, NSDB_GROUP, "getgroupmembership",
++ defaultsrc, uname, agroup, groups, maxgrp, grpcnt);
++*/
++
++int
++__freebsd_getgroupmembership(void *retval, void *mdata, va_list ap)
++{
++ const char *uname = va_arg(ap, const char *);
++ gid_t group = va_arg(ap, gid_t);
++ gid_t *groups = va_arg(ap, gid_t *);
++ int maxgrp = va_arg(ap, int);
++ int *groupc = va_arg(ap, int *);
++
++ NSS_STATUS ret;
++ long int lcount, lsize;
++ int i, errnop;
++ gid_t *tmpgroups;
++
++ /* Can be realloc() inside _nss_winbind_initgroups_dyn() */
++ if ((tmpgroups=calloc(maxgrp, sizeof(gid_t))) == NULL) {
++ errno = ENOMEM;
++ return NS_TRYAGAIN;
++ }
++
++ lcount = 0;
++ lsize = maxgrp;
++ /* insert primary membership(possibly already there) */
++ gr_addgid(group, groups, maxgrp, groupc);
++ /* Don't limit number of groups, we want to know total size */
++ ret = _nss_winbind_initgroups_dyn(uname, group, &lcount, &lsize,
++ &tmpgroups, 0, &errnop);
++ if (ret == NSS_STATUS_SUCCESS) {
++ /* lcount potentially can be bigger than maxgrp, so would groupc */
++ for (i = 0; i < lcount; i++)
++ gr_addgid(tmpgroups[i], groups, maxgrp, groupc);
++ }
++ free(tmpgroups);
++ /* Let following nsswitch backend(s) add more groups(?) */
++ return NSS_STATUS_NOTFOUND;
++}
++
+ ns_mtab *
+ nss_module_register(const char *source, unsigned int *mtabsize,
+ nss_module_unregister_fn *unreg)
Modified: head/net/samba4/files/samba4.in
==============================================================================
--- head/net/samba4/files/samba4.in Wed Mar 27 00:34:41 2013 (r315341)
+++ head/net/samba4/files/samba4.in Wed Mar 27 01:50:53 2013 (r315342)
@@ -20,7 +20,7 @@
 . /etc/rc.subr
 name="samba4"
-rcvar=$(set_rcvar)
+rcvar=${name}_enable
 load_rc_config "${name}"
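Review bot: In `__freebsd_getgroupmembership`, `maxgrp` is taken from `va_arg` and passed straight to `calloc()` and into `lsize` with no range check. A negative value converts to a very large `size_t` count, and a zero value hands `_nss_winbind_initgroups_dyn()` a zero-length buffer to grow. That function is not visible here, so either confirm it copes with `lsize == 0` or give the scratch buffer at least one slot, e.g. `lsize = maxgrp > 0 ? maxgrp : 1;` followed by `calloc(lsize, sizeof(gid_t))`. The function also returns `NS_TRYAGAIN` on the allocation-failure path but `NSS_STATUS_NOTFOUND` at the end; an nsdispatch method would normally stay within one constant family, presumably `NS_NOTFOUND` here. Separately, the second inner hunk adds `NSS_METHOD_PROTOTYPE(__nss_compat_endpwent);` again directly under the identical existing line, which looks like a copy-paste leftover.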
@@ -30,15 +30,18 @@ samba4_flags=${samba4_flags=--daemon}
 samba4_config_default="%%SAMBA4_CONFDIR%%/%%SAMBA4_CONFIG%%"
 samba4_config=${samba4_config=${samba4_config_default}}
 samba4_configfile_arg=${samba4_config:+--configfile="${samba4_config}"} #"
-testparm_command="%%PREFIX%%/bin/testparm --suppress-prompt --verbose ${samba4_configfile_arg}"
+testparm_command="%%PREFIX%%/bin/samba-tool testparm --suppress-prompt --verbose ${samba4_configfile_arg}"
 # Fetch parameters from configuration file
+samba4_role=$(${testparm_command} --parameter-name='server role' 2>/dev/null)
 samba4_lockdir=$(${testparm_command} --parameter-name='lock directory' 2>/dev/null)
+samba4_piddir=$(${testparm_command} --parameter-name='pid directory' 2>/dev/null)
 # Runtime options
 start_precmd="samba4_prestart"
 restart_precmd="samba4_checkconfig"
 command="%%PREFIX%%/sbin/${name}"
 command_args=${samba4_configfile_arg}
+pidfile="%%SAMBA4_RUNDIR%%/samba.pid"
 # Requirements
 required_files="${samba4_config}"
 required_dirs="${samba4_lockdir}"
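Review bot: `pidfile` is set from the build-time `%%SAMBA4_RUNDIR%%` even though the hunk also reads the configured `pid directory` into `samba4_piddir` a few lines above. If the configuration file points `pid directory` somewhere else, rc.subr would look for a pid file the daemon does not write there, so status and stop could report or act on the wrong state. `pidfile="${samba4_piddir:-%%SAMBA4_RUNDIR%%}/samba.pid"` keeps the packaged default and follows the configuration. `samba4_role` and `samba4_piddir` are not used inside this hunk, so they are presumably consumed further down the script. Each of these assignments runs `samba-tool testparm` whenever the script is sourced, which deserves a short comment.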