From 843cbaa5c5b361c5db8ae8dd9182be749aaa7fe4 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 1 Nov 2023 15:05:45 +0100 Subject: [PATCH 1/3] net-fs/samba: Sync with Gentoo It's from Gentoo commit 75c0e03f350aa2025ba1b08171fcad66522614b8.
--- .../coreos-overlay/net-fs/samba/Manifest | 2 +- ...-15418-windows-update-secure-channel.patch | 56 ------------------- ...amba-4.18.4.ebuild => samba-4.18.8.ebuild} | 40 +++---------- 3 files changed, 9 insertions(+), 89 deletions(-) delete mode 100644 sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch rename sdk_container/src/third_party/coreos-overlay/net-fs/samba/{samba-4.18.4.ebuild => samba-4.18.8.ebuild} (90%)
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
index 5c0bcd7209..c102f302a3 100644
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
+++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
@@ -1 +1 @@
-DIST samba-4.18.4.tar.gz 41311410 BLAKE2B 1f1aab7eb933111b9b1c72af8c3dd379fe34014085129e9d5cc400b4e434742e1c08ad4fdf2a98291d6063ce9b2ddc811e9ab5dbb133a85e97f2158f83dd7c96 SHA512 bc8d792b510061556c07b6844a825801a4271eed45e01133a4718c1839d123e2908fa0e31e67af43098500e98a9082eb104052e711a8a034fac23d86e15c29ee
+DIST samba-4.18.8.tar.gz 41335959 BLAKE2B d25711f1e781ed16fc224476979a07a5362f92ac943dd0bccfdf445434d0e6838281d5ceae27963267f914720ad6db647078520dc0e78c6ae652faec7d773e73 SHA512 2924c360f6299129527457547b13c1b282e2907a0ecde1036dbca894c752935d693914b4846a9eab436b33798c53c9974692e51fd071301b1174598be944a246
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
deleted file mode 100644
index 1d0d9777fe..0000000000
--- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-https://bugs.gentoo.org/910306
-https://bugzilla.samba.org/show_bug.cgi?id=15418
-
- source3/rpc_server/netlogon/srv_netlog_nt.c | 9 +++++----
- source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++----
- 2 files changed, 9 insertions(+), 8 deletions(-)
-
---- a/source3/rpc_server/netlogon/srv_netlog_nt.c
-+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
-@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- struct netlogon_creds_CredentialState *creds;
- NTSTATUS status;
-
-+ if (r->in.query_level != 1) {
-+ p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
-+ return NT_STATUS_NOT_SUPPORTED;
-+ }
-+
- become_root();
- status = dcesrv_netr_creds_server_step_check(p->dce_call,
- p->mem_ctx,
-@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
- return status;
- }
-
-- if (r->in.query_level != 1) {
-- return NT_STATUS_NOT_SUPPORTED;
-- }
--
- r->out.capabilities->server_capabilities = creds->negotiate_flags;
-
- return NT_STATUS_OK;
---- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
-+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
-@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- struct netlogon_creds_CredentialState *creds;
- NTSTATUS status;
-
-+ if (r->in.query_level != 1) {
-+ DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
-+ }
-+
- status = dcesrv_netr_creds_server_step_check(dce_call,
- mem_ctx,
- r->in.computer_name,
-@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
- }
- NT_STATUS_NOT_OK_RETURN(status);
-
-- if (r->in.query_level != 1) {
-- return NT_STATUS_NOT_SUPPORTED;
-- }
--
- r->out.capabilities->server_capabilities = creds->negotiate_flags;
-
- return NT_STATUS_OK;
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild similarity index 90% rename from sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild rename to sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild index 59014f5b8c..c91b4ea775 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.4.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild @@ -5,7 +5,6 @@ EAPI=8 PYTHON_COMPAT=( python3_{10..11} ) PYTHON_REQ_USE="threads(+),xml(+)" -TMPFILES_OPTIONAL=1 inherit python-single-r1 flag-o-matic waf-utils multilib-minimal linux-info systemd pam tmpfiles DESCRIPTION="Samba Suite Version 4" @@ -27,7 +26,6 @@ IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam glusterf IUSE+=" iprint json ldap llvm-libunwind pam profiling-data python quota +regedit selinux" IUSE+=" snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test unwind winbind" IUSE+=" zeroconf" -IUSE+=" +minimal" # Flatcar: Only install libraries, not executables. REQUIRED_USE="${PYTHON_REQUIRED_USE} addc? ( json python !system-mitkrb5 winbind ) @@ -61,13 +59,14 @@ TALLOC_VERSION="2.4.0" TDB_VERSION="1.4.8" TEVENT_VERSION="0.14.1" -# Flatcar: exclude perl, icu, libtasn1, Parse-Yapp from DEPEND COMMON_DEPEND=" >=app-arch/libarchive-3.1.2:=[${MULTILIB_USEDEP}] - spotlight? ( dev-libs/icu:=[${MULTILIB_USEDEP}] ) + dev-lang/perl:= + dev-libs/icu:=[${MULTILIB_USEDEP}] dev-libs/libbsd[${MULTILIB_USEDEP}] - !minimal? ( dev-libs/libtasn1:=[${MULTILIB_USEDEP}] ) + dev-libs/libtasn1:=[${MULTILIB_USEDEP}] dev-libs/popt[${MULTILIB_USEDEP}] + dev-perl/Parse-Yapp >=net-libs/gnutls-3.4.7:=[${MULTILIB_USEDEP}] >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] >=sys-libs/ldb-2.7.2:=[ldap(+)?,${MULTILIB_USEDEP}] 
@@ -109,7 +108,7 @@ COMMON_DEPEND=" sys-libs/tevent[python,${PYTHON_SINGLE_USEDEP}] ) snapper? ( sys-apps/dbus ) - system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl,${MULTILIB_USEDEP}] ) + system-heimdal? ( >=app-crypt/heimdal-1.5[-ssl(-),${MULTILIB_USEDEP}] ) system-mitkrb5? ( >=app-crypt/mit-krb5-1.19[${MULTILIB_USEDEP}] ) systemd? ( sys-apps/systemd:= ) unwind? ( @@ -118,9 +117,8 @@ COMMON_DEPEND=" ) zeroconf? ( net-dns/avahi[dbus] ) " -# Flatcar: pull in JSON only if json is enabled DEPEND="${COMMON_DEPEND} - json? ( dev-perl/JSON ) + dev-perl/JSON net-libs/libtirpc[${MULTILIB_USEDEP}] net-libs/rpcsvc-proto spotlight? ( dev-libs/glib ) @@ -140,8 +138,6 @@ RDEPEND="${COMMON_DEPEND} selinux? ( sec-policy/selinux-samba ) " BDEPEND="${PYTHON_DEPS} - dev-lang/perl:= - dev-perl/Parse-Yapp app-text/docbook-xsl-stylesheets dev-libs/libxslt virtual/pkgconfig @@ -149,7 +145,6 @@ BDEPEND="${PYTHON_DEPS} PATCHES=( "${FILESDIR}"/${PN}-4.18.4-pam.patch - "${FILESDIR}"/${PN}-4.18.4-bug-15418-windows-update-secure-channel.patch "${FILESDIR}"/ldb-2.5.2-skip-wav-tevent-check.patch ) @@ -253,10 +248,6 @@ multilib_src_configure() { EOF fi - # Flatcar: we need only the mandatory bundled library, ldb by default. - # Without that, configure will fail because of a missing bundled library. - bundled_libs="ldb" - local myconf=( --enable-fhs --sysconfdir="${EPREFIX}/etc" @@ -367,8 +358,7 @@ multilib_src_install() { newinitd "${CONFDIR}/samba4.initd-r1" samba newconfd "${CONFDIR}/samba4.confd" samba - # Flatcar: do not create samba config if minimal enabled - use minimal || dotmpfiles "${FILESDIR}"/samba.conf + dotmpfiles "${FILESDIR}"/samba.conf if ! use addc ; then rm "${D}/$(systemd_get_systemunitdir)/samba.service" \ || die 
@@ -386,22 +376,8 @@ multilib_src_install() { insinto /etc/security doins examples/pam_winbind/pam_winbind.conf fi - - # Flatcar: clean up unnecessary files - rm -f "${ED%/}"/etc/samba/* - rm -f "${ED%/}"/usr/lib*/samba/ldb/* - if use minimal ; then - mv "${ED%/}"/usr/bin/net "${T}"/ - rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/* - mv "${T}"/net "${ED%/}"/usr/bin/net - rm -rf ${ED%/}/lib*/security - rm -rf ${ED%/}/usr/lib/systemd - rm -rf ${ED%/}/usr/lib*/perl* - rm -rf ${ED%/}/usr/lib*/python* - rm -rf ${ED%/}/var - fi } pkg_postinst() { - use minimal || tmpfiles_process samba.conf + tmpfiles_process samba.conf } From c1bda0bc4272d117efe536e8e238a650a58d7036 Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Mon, 25 Sep 2023 16:33:42 +0200 Subject: [PATCH 2/3] net-fs/samba: Apply Flatcar modifications - Add a minimal USE flag for only installing libraries - Change the Perl run-time dep to build-time only - Disable building libraries requiring Python - Disable building Perl JSON libraries - Limit the size of bundled libraries Co-authored-by: Dongsu Park --- .../net-fs/samba/samba-4.18.8.ebuild | 37 +++++++++++++++---- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild index c91b4ea775..53a4f254e2 100644 --- a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/samba-4.18.8.ebuild @@ -5,6 +5,7 @@ EAPI=8 PYTHON_COMPAT=( python3_{10..11} ) PYTHON_REQ_USE="threads(+),xml(+)" +TMPFILES_OPTIONAL=1 inherit python-single-r1 flag-o-matic waf-utils multilib-minimal linux-info systemd pam tmpfiles DESCRIPTION="Samba Suite Version 4" 
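Review bot: The added `TMPFILES_OPTIONAL=1` precedes `inherit ... tmpfiles`, and in the tmpfiles eclass that setting suppresses the automatic `virtual/tmpfiles` RDEPEND, yet the non-minimal build in this same patch still runs `use minimal || tmpfiles_process samba.conf` in pkg_postinst. Unless RDEPEND already lists it outside the visible hunks, a `USE=-minimal` build would then call a tool it never declared a dependency on; restoring it conditionally, `!minimal? ( virtual/tmpfiles )` in RDEPEND, keeps the dependency set honest. The added line also deserves a why-comment, e.g. `# Flatcar: minimal builds install no tmpfiles entry, so do not pull in virtual/tmpfiles unconditionally`.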
@@ -26,6 +27,7 @@ IUSE="acl addc ads ceph client cluster cpu_flags_x86_aes cups debug fam glusterf IUSE+=" iprint json ldap llvm-libunwind pam profiling-data python quota +regedit selinux" IUSE+=" snapper spotlight syslog system-heimdal +system-mitkrb5 systemd test unwind winbind" IUSE+=" zeroconf" +IUSE+=" +minimal" # Flatcar: Only install libraries, not executables. REQUIRED_USE="${PYTHON_REQUIRED_USE} addc? ( json python !system-mitkrb5 winbind ) @@ -59,14 +61,13 @@ TALLOC_VERSION="2.4.0" TDB_VERSION="1.4.8" TEVENT_VERSION="0.14.1" +# Flatcar: exclude perl, icu, libtasn1, Parse-Yapp from DEPEND COMMON_DEPEND=" >=app-arch/libarchive-3.1.2:=[${MULTILIB_USEDEP}] - dev-lang/perl:= - dev-libs/icu:=[${MULTILIB_USEDEP}] + spotlight? ( dev-libs/icu:=[${MULTILIB_USEDEP}] ) dev-libs/libbsd[${MULTILIB_USEDEP}] - dev-libs/libtasn1:=[${MULTILIB_USEDEP}] + !minimal? ( dev-libs/libtasn1:=[${MULTILIB_USEDEP}] ) dev-libs/popt[${MULTILIB_USEDEP}] - dev-perl/Parse-Yapp >=net-libs/gnutls-3.4.7:=[${MULTILIB_USEDEP}] >=sys-fs/e2fsprogs-1.46.4-r51[${MULTILIB_USEDEP}] >=sys-libs/ldb-2.7.2:=[ldap(+)?,${MULTILIB_USEDEP}] @@ -117,8 +118,9 @@ COMMON_DEPEND=" ) zeroconf? ( net-dns/avahi[dbus] ) " +# Flatcar: pull in JSON only if json is enabled DEPEND="${COMMON_DEPEND} - dev-perl/JSON + json? ( dev-perl/JSON ) net-libs/libtirpc[${MULTILIB_USEDEP}] net-libs/rpcsvc-proto spotlight? ( dev-libs/glib ) @@ -138,6 +140,8 @@ RDEPEND="${COMMON_DEPEND} selinux? ( sec-policy/selinux-samba ) " BDEPEND="${PYTHON_DEPS} + dev-lang/perl:= + dev-perl/Parse-Yapp app-text/docbook-xsl-stylesheets dev-libs/libxslt virtual/pkgconfig @@ -248,6 +252,10 @@ multilib_src_configure() { EOF fi + # Flatcar: we need only the mandatory bundled library, ldb by default. + # Without that, configure will fail because of a missing bundled library. + bundled_libs="ldb" + local myconf=( --enable-fhs --sysconfdir="${EPREFIX}/etc" 
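Review bot: The added comment `# Flatcar: exclude perl, icu, libtasn1, Parse-Yapp from DEPEND` above COMMON_DEPEND overstates what the hunk does: icu becomes `spotlight? ( ... )` and libtasn1 becomes `!minimal? ( ... )`, so both remain dependencies under the corresponding USE flags, and perl and Parse-Yapp are moved to BDEPEND in a later hunk of this patch rather than dropped. Someone auditing the dependency surface would read "exclude" as "gone" and miss that libtasn1 is still linked in a `USE=-minimal` build. Suggest `# Flatcar: icu only with USE=spotlight, libtasn1 only with USE=-minimal; perl and Parse-Yapp are build-time only (see BDEPEND)`. The COMMON_DEPEND assignment continues past the end of this hunk.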
@@ -358,7 +366,8 @@ multilib_src_install() { newinitd "${CONFDIR}/samba4.initd-r1" samba newconfd "${CONFDIR}/samba4.confd" samba - dotmpfiles "${FILESDIR}"/samba.conf + # Flatcar: do not create samba config if minimal enabled + use minimal || dotmpfiles "${FILESDIR}"/samba.conf if ! use addc ; then rm "${D}/$(systemd_get_systemunitdir)/samba.service" \ || die @@ -376,8 +385,22 @@ multilib_src_install() { insinto /etc/security doins examples/pam_winbind/pam_winbind.conf fi + + # Flatcar: clean up unnecessary files + rm -f "${ED%/}"/etc/samba/* + rm -f "${ED%/}"/usr/lib*/samba/ldb/* + if use minimal ; then + mv "${ED%/}"/usr/bin/net "${T}"/ + rm -f "${ED%/}"/usr/bin/* "${ED%/}"/usr/sbin/* + mv "${T}"/net "${ED%/}"/usr/bin/net + rm -rf ${ED%/}/lib*/security + rm -rf ${ED%/}/usr/lib/systemd + rm -rf ${ED%/}/usr/lib*/perl* + rm -rf ${ED%/}/usr/lib*/python* + rm -rf ${ED%/}/var + fi } pkg_postinst() { - tmpfiles_process samba.conf + use minimal || tmpfiles_process samba.conf } From 8503d0a9a9c6c8b70e2496c505a18a404758ac3f Mon Sep 17 00:00:00 2001 From: Krzesimir Nowak Date: Wed, 1 Nov 2023 15:16:40 +0100 Subject: [PATCH 3/3] changelog: Add entries --- changelog/security/2023-11-01-samba-update.md | 1 + changelog/updates/2023-11-01-samba-update.md | 1 + 2 files changed, 2 insertions(+) create mode 100644 changelog/security/2023-11-01-samba-update.md create mode 100644 changelog/updates/2023-11-01-samba-update.md diff --git a/changelog/security/2023-11-01-samba-update.md b/changelog/security/2023-11-01-samba-update.md new file mode 100644 index 0000000000..68e197c8ca --- /dev/null +++ b/changelog/security/2023-11-01-samba-update.md @@ -0,0 +1 @@ +- samba ([CVE-2023-4091](https://nvd.nist.gov/vuln/detail/CVE-2023-4091)) diff --git a/changelog/updates/2023-11-01-samba-update.md b/changelog/updates/2023-11-01-samba-update.md new file mode 100644 index 0000000000..8c16f70786 --- /dev/null +++ b/changelog/updates/2023-11-01-samba-update.md 
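Review bot: The five `rm -rf ${ED%/}/...` lines inside `if use minimal` leave `${ED%/}` unquoted, while every other path in the same added block is written `"${ED%/}"/...`; an `ED` containing whitespace or glob characters would be word-split before the recursive delete, and the inconsistency reads as an oversight rather than a choice. Quote them the same way and, following the ebuild convention already used for `rm` earlier in this function, fail loudly, e.g. `rm -rf "${ED%/}"/lib*/security || die`. Note also that `rm -f "${ED%/}"/etc/samba/*` and the ldb module removal run regardless of `minimal`, which sits oddly next to the comment that only minimal builds skip the samba config; if that is intended, the `# Flatcar: clean up unnecessary files` comment should say so. The enclosing `multilib_src_install` begins before this hunk.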
@@ -0,0 +1 @@ +- samba ([4.18.8](https://www.samba.org/samba/history/samba-4.18.8.html))