From 0a0d5e7adcd8f1aa5793d8c181c5ff774fdd9c53 Mon Sep 17 00:00:00 2001 From: Jackie Huang Date: Mon, 15 Aug 2016 13:45:14 +0800 Subject: samba: upgrade to 4.4.5 * This is a security release in order to address the following defect: - CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded) * Detail release note: - https://www.samba.org/samba/history/samba-4.4.5.html * Removed part of the 10-use-only-libsystemd.patch which has been fixed in new version. Signed-off-by: Jackie Huang Signed-off-by: Martin Jansa Signed-off-by: Joe MacDonald (cherry picked from commit 35326fa74dee53ffa4bd454e5fc95fdcbf0d5da6) Signed-off-by: Andreas Oberritter --- .../samba-4.4.5/00-fix-typos-in-man-pages.patch | 108 +++++++++++++++++++++ ...006-avoid-using-colon-in-the-checking-msg.patch | 32 ++++++ .../samba/samba-4.4.5/10-use-only-libsystemd.patch | 30 ++++++ .../16-do-not-check-xsltproc-manpages.patch | 43 ++++++++ ...-import-target-module-while-cross-compile.patch | 58 +++++++++++ .../21-add-config-option-without-valgrind.patch | 63 ++++++++++++ .../samba/samba-4.4.5/volatiles.03_samba | 3 + 7 files changed, 337 insertions(+) create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.5/00-fix-typos-in-man-pages.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.5/0006-avoid-using-colon-in-the-checking-msg.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.5/10-use-only-libsystemd.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.5/16-do-not-check-xsltproc-manpages.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.5/20-do-not-import-target-module-while-cross-compile.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.5/21-add-config-option-without-valgrind.patch create mode 100644 meta-networking/recipes-connectivity/samba/samba-4.4.5/volatiles.03_samba (limited to 'meta-networking/recipes-connectivity/samba/samba-4.4.5') diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.5/00-fix-typos-in-man-pages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.5/00-fix-typos-in-man-pages.patch new file mode 100644 index 0000000000..c94bc31857 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.5/00-fix-typos-in-man-pages.patch @@ -0,0 +1,108 @@ +From 1573638212a9733a44939a4d38a226f38dca36f1 Mon Sep 17 00:00:00 2001 +From: Michele Baldessari +Date: Tue, 9 Jul 2013 23:23:33 +0200 +Subject: [PATCH] Fix typos in man-pages + +Fix some typos in the man-pages. + +Signed-off-by: Michele Baldessari +Reviewed-by: Simo Sorce + +Autobuild-User(master): Simo Sorce +Autobuild-Date(master): Wed Jul 10 16:45:07 CEST 2013 on sn-devel-104 +--- + docs-xml/manpages/dbwrap_tool.1.xml | 2 +- + docs-xml/manpages/idmap_autorid.8.xml | 2 +- + docs-xml/manpages/net.8.xml | 2 +- + docs-xml/manpages/pdbedit.8.xml | 2 +- + docs-xml/manpages/samba.7.xml | 2 +- + docs-xml/manpages/smbclient.1.xml | 2 +- + docs-xml/manpages/smbpasswd.5.xml | 2 +- + docs-xml/manpages/vfs_smb_traffic_analyzer.8.xml | 2 +- + 8 files changed, 8 insertions(+), 8 deletions(-) + +Index: samba-4.1.11/docs-xml/manpages/smbstatus.1.xml +=================================================================== +--- samba-4.1.11.orig/docs-xml/manpages/smbstatus.1.xml ++++ samba-4.1.11/docs-xml/manpages/smbstatus.1.xml +@@ -137,6 +137,13 @@ + + + ++ ++ -n|--numeric ++ causes smbstatus to display numeric UIDs and GIDs instead of ++ resolving them to names. ++ ++ ++ + + + +Index: samba-4.1.11/docs-xml/manpages/sharesec.1.xml +=================================================================== +--- samba-4.1.11.orig/docs-xml/manpages/sharesec.1.xml ++++ samba-4.1.11/docs-xml/manpages/sharesec.1.xml +@@ -129,6 +129,13 @@ + + + ++ ++ -S|--setsddl=STRING ++ ++ Set security descriptor by providing ACL in SDDL format. ++ ++ ++ + &stdarg.help; + &stdarg.server.debug; + &popt.common.samba; +Index: samba-4.1.11/docs-xml/build/DTD/samba.entities +=================================================================== +--- samba-4.1.11.orig/docs-xml/build/DTD/samba.entities ++++ samba-4.1.11/docs-xml/build/DTD/samba.entities +@@ -270,6 +270,44 @@ file. + &popt.common.samba; + '> + ++ ++-S|--signing on|off|required ++Set the client signing state. ++ ++ ++'> ++ ++ ++-P|--machine-pass ++Use stored machine account password. ++ ++ ++'> ++ ++ ++-e|--encrypt ++ ++This command line parameter requires the remote ++server support the UNIX extensions or that the SMB3 protocol has been selected. ++Requests that the connection be encrypted. Negotiates SMB encryption using either ++SMB3 or POSIX extensions via GSSAPI. Uses the given credentials for ++the encryption negotiation (either kerberos or NTLMv1/v2 if given ++domain/username/password triple. Fails the connection if encryption ++cannot be negotiated. ++ ++ ++'> ++ ++ ++--pw-nt-hash ++The supplied password is the NT hash. ++ ++ ++'> + + diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.5/0006-avoid-using-colon-in-the-checking-msg.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.5/0006-avoid-using-colon-in-the-checking-msg.patch new file mode 100644 index 0000000000..cdf7a38c18 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.5/0006-avoid-using-colon-in-the-checking-msg.patch @@ -0,0 +1,32 @@ +From 5413f97290d3126262eb309ecbcf7769509f2a11 Mon Sep 17 00:00:00 2001 +From: Jackie Huang +Date: Tue, 10 Nov 2015 00:48:35 -0500 +Subject: [PATCH 6/7] avoid using colon in the checking msg + +Upstream-Status: Pending + +colon is used as the separator when parse from +a answers file, the colon here makes it never +get the right answer. + +Signed-off-by: Jackie Huang +--- + wscript_configure_system_mitkrb5 | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5 +index a62d00b..a2d89f0 100644 +--- a/wscript_configure_system_mitkrb5 ++++ b/wscript_configure_system_mitkrb5 +@@ -240,7 +240,7 @@ conf.CHECK_CODE(''' + ''', + 'HAVE_WRFILE_KEYTAB', + headers='krb5.h', lib='krb5', execute=True, +- msg="Checking whether the WRFILE:-keytab is supported"); ++ msg="Checking whether the WRFILE -keytab is supported"); + # Check for KRB5_DEPRECATED handling + conf.CHECK_CODE('''#define KRB5_DEPRECATED 1 + #include ''', +-- +1.9.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.5/10-use-only-libsystemd.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.5/10-use-only-libsystemd.patch new file mode 100644 index 0000000000..0ddc9410cd --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.5/10-use-only-libsystemd.patch @@ -0,0 +1,30 @@ +diff -ur samba-4.4.2/lib/util/debug.c samba-4.4.2/lib/util/debug.c +--- samba-4.4.2/lib/util/debug.c 2016-05-08 18:33:24.000000000 +0200 ++++ samba-4.4.2/lib/util/debug.c 2016-05-08 18:27:09.341481492 +0200 +@@ -102,7 +102,7 @@ + .fd = 2 /* stderr by default */ + }; + +-#if defined(WITH_SYSLOG) || defined(HAVE_LIBSYSTEMD_JOURNAL) ++#if defined(WITH_SYSLOG) || defined(HAVE_LIBSYSTEMD) + static int debug_level_to_priority(int level) + { + /* +@@ -179,7 +179,7 @@ + } + #endif /* WITH_SYSLOG */ + +-#ifdef HAVE_LIBSYSTEMD_JOURNAL ++#ifdef HAVE_LIBSYSTEMD + #include + static void debug_systemd_log(int msg_level, + const char *msg, const char *msg_no_nl) +@@ -251,7 +251,7 @@ + }, + #endif + +-#ifdef HAVE_LIBSYSTEMD_JOURNAL ++#ifdef HAVE_LIBSYSTEMD + { + .name = "systemd", + .log = debug_systemd_log, diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.5/16-do-not-check-xsltproc-manpages.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.5/16-do-not-check-xsltproc-manpages.patch new file mode 100644 index 0000000000..c37cfcde44 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.5/16-do-not-check-xsltproc-manpages.patch @@ -0,0 +1,43 @@ +Don't check xsltproc manpages + +Signed-off-by: Bian Naimeng + +Index: samba-4.4.2/lib/ldb/wscript +=================================================================== +--- samba-4.4.2.orig/lib/ldb/wscript ++++ samba-4.4.2/lib/ldb/wscript +@@ -65,7 +65,7 @@ def configure(conf): + conf.define('USING_SYSTEM_LDB', 1) + + if conf.env.standalone_ldb: +- conf.CHECK_XSLTPROC_MANPAGES() ++ #conf.CHECK_XSLTPROC_MANPAGES() + + # we need this for the ldap backend + if conf.CHECK_FUNCS_IN('ber_flush ldap_open ldap_initialize', 'lber ldap', headers='lber.h ldap.h'): +Index: samba-4.4.2/lib/talloc/wscript +=================================================================== +--- samba-4.4.2.orig/lib/talloc/wscript ++++ samba-4.4.2/lib/talloc/wscript +@@ -56,7 +56,7 @@ def configure(conf): + if conf.env.standalone_talloc: + conf.env.TALLOC_COMPAT1 = Options.options.TALLOC_COMPAT1 + +- conf.CHECK_XSLTPROC_MANPAGES() ++ #conf.CHECK_XSLTPROC_MANPAGES() + + if not conf.env.disable_python: + # also disable if we don't have the python libs installed +Index: samba-4.4.2/lib/tdb/wscript +=================================================================== +--- samba-4.4.2.orig/lib/tdb/wscript ++++ samba-4.4.2/lib/tdb/wscript +@@ -92,7 +92,7 @@ def configure(conf): + not conf.env.disable_tdb_mutex_locking): + conf.define('USE_TDB_MUTEX_LOCKING', 1) + +- conf.CHECK_XSLTPROC_MANPAGES() ++ #conf.CHECK_XSLTPROC_MANPAGES() + + if not conf.env.disable_python: + # also disable if we don't have the python libs installed diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.5/20-do-not-import-target-module-while-cross-compile.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.5/20-do-not-import-target-module-while-cross-compile.patch new file mode 100644 index 0000000000..e112b3b40b --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.5/20-do-not-import-target-module-while-cross-compile.patch @@ -0,0 +1,58 @@ +Some modules such as dynamic library maybe cann't be imported while cross compile, +we just check whether does the module exist. + +Signed-off-by: Bian Naimeng + +Index: samba-4.4.2/buildtools/wafsamba/samba_bundled.py +=================================================================== +--- samba-4.4.2.orig/buildtools/wafsamba/samba_bundled.py ++++ samba-4.4.2/buildtools/wafsamba/samba_bundled.py +@@ -2,6 +2,7 @@ + + import sys + import Build, Options, Logs ++import imp, os + from Configure import conf + from samba_utils import TO_LIST + +@@ -230,17 +231,32 @@ def CHECK_BUNDLED_SYSTEM_PYTHON(conf, li + # versions + minversion = minimum_library_version(conf, libname, minversion) + +- try: +- m = __import__(modulename) +- except ImportError: +- found = False +- else: ++ # Find module in PYTHONPATH ++ stuff = imp.find_module(modulename, [os.environ["PYTHONPATH"]]) ++ if stuff: + try: +- version = m.__version__ +- except AttributeError: ++ m = imp.load_module(modulename, stuff[0], stuff[1], stuff[2]) ++ except ImportError: + found = False ++ ++ if conf.env.CROSS_COMPILE: ++ # Some modules such as dynamic library maybe cann't be imported ++ # while cross compile, we just check whether the module exist ++ Logs.warn('Cross module[%s] has been found, but can not be loaded.' % (stuff[1])) ++ found = True + else: +- found = tuplize_version(version) >= tuplize_version(minversion) ++ try: ++ version = m.__version__ ++ except AttributeError: ++ found = False ++ else: ++ found = tuplize_version(version) >= tuplize_version(minversion) ++ finally: ++ if stuff[0]: ++ stuff[0].close() ++ else: ++ found = False ++ + if not found and not conf.LIB_MAY_BE_BUNDLED(libname): + Logs.error('ERROR: Python module %s of version %s not found, and bundling disabled' % (libname, minversion)) + sys.exit(1) diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.5/21-add-config-option-without-valgrind.patch b/meta-networking/recipes-connectivity/samba/samba-4.4.5/21-add-config-option-without-valgrind.patch new file mode 100644 index 0000000000..025ac2775f --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.5/21-add-config-option-without-valgrind.patch @@ -0,0 +1,63 @@ +From 9a2d6315ff206b2a47100dfd85afe3af56576995 Mon Sep 17 00:00:00 2001 +From: Wenzong Fan +Date: Thu, 10 Dec 2015 04:20:51 -0500 +Subject: [PATCH] Add config option without-valgrind + +Upstream-Status: Pending + +Signed-off-by: Wenzong Fan +--- + lib/replace/wscript | 4 +++- + source3/wscript | 5 ++++- + wscript | 4 ++++ + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/lib/replace/wscript b/lib/replace/wscript +index f0040b1..aca73af 100644 +--- a/lib/replace/wscript ++++ b/lib/replace/wscript +@@ -101,7 +101,9 @@ struct foo bar = { .y = 'X', .x = 1 }; + + conf.CHECK_CODE('', headers='rpc/rpc.h rpcsvc/yp_prot.h', define='HAVE_RPCSVC_YP_PROT_H') + +- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ if not Options.options.disable_valgrind: ++ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ + conf.CHECK_HEADERS('nss_common.h nsswitch.h ns_api.h') + conf.CHECK_HEADERS('sys/extattr.h sys/ea.h sys/proplist.h sys/cdefs.h') + conf.CHECK_HEADERS('utmp.h utmpx.h lastlog.h malloc.h') +diff --git a/source3/wscript b/source3/wscript +index bac3dd5..a5c51ea 100644 +--- a/source3/wscript ++++ b/source3/wscript +@@ -1016,7 +1016,10 @@ syscall(SYS_setgroups32, 0, NULL); + Logs.warn("--with-dnsupdate=yes but gssapi support not sufficient") + else: + conf.DEFINE('WITH_DNS_UPDATES', 1) +- conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ ++ if not Options.options.disable_valgrind: ++ conf.CHECK_HEADERS('valgrind.h valgrind/valgrind.h valgrind/memcheck.h') ++ + if Options.options.developer: + if conf.CONFIG_SET('HAVE_VALGRIND_H') or conf.CONFIG_SET('HAVE_VALGRIND_VALGRIND_H'): + conf.DEFINE('VALGRIND', '1') +diff --git a/wscript b/wscript +index 7679c0f..681ac17 100644 +--- a/wscript ++++ b/wscript +@@ -72,6 +72,10 @@ def set_options(opt): + help=("Disable systemd integration"), + action='store_false', dest='enable_systemd') + ++ opt.add_option('--without-valgrind', ++ help=("Disable use of the valgrind headers"), ++ action="store_true", dest='disable_valgrind', default=False) ++ + gr = opt.option_group('developer options') + + opt.tool_options('python') # options for disabling pyc or pyo compilation +-- +1.9.1 + diff --git a/meta-networking/recipes-connectivity/samba/samba-4.4.5/volatiles.03_samba b/meta-networking/recipes-connectivity/samba/samba-4.4.5/volatiles.03_samba new file mode 100644 index 0000000000..4bdfa7d2c9 --- /dev/null +++ b/meta-networking/recipes-connectivity/samba/samba-4.4.5/volatiles.03_samba @@ -0,0 +1,3 @@ +# +d root root 0755 /var/log/samba none +d root root 0755 /var/run/samba none -- cgit 1.2.3-korg