| author | Timur I. Bakeyev <timur@FreeBSD.org> | 2016-12-28 02:51:57 +0000 |
|---|---|---|
| committer | Timur I. Bakeyev <timur@FreeBSD.org> | 2016-12-28 02:51:57 +0000 |
| commit | 6980d56b3ab2ca8d5d7e354d1470fe7d2326e0d9 (patch) | |
| tree | f737704db0caa7e97955ff17517820520ac01054 | |
| parent | - Update to 1.3.4 (diff) | |
* Upgrade net/samba43 and net/samba44 to address multiple vulnerabilities
* Switch port to use net/openldap24-sasl-client as some authorization methods don't work with plain openldap24-client.
* Changed namespace used by vfs_fruit to be compatible with net/netatalk3.
* Removed old DNS crypto patch, as it SEEMS it was superseded by recent code changes. Please notify me if you see that internal DNS
doesn't handle signed requests properly anymore.
Security: CVE-2016-2123
CVE-2016-2125
CVE-2016-2126
| -rw-r--r-- | net/samba43/Makefile | 14 | ||||
| -rw-r--r-- | net/samba43/distinfo | 6 | ||||
| -rw-r--r-- | net/samba43/files/patch-source3__smbd__close.c | 11 | ||||
| -rw-r--r-- | net/samba43/files/patch-source3__smbd__open.c | 11 | ||||
| -rw-r--r-- | net/samba43/pkg-plist | 8 | ||||
| -rw-r--r-- | net/samba44/Makefile | 16 | ||||
| -rw-r--r-- | net/samba44/distinfo | 6 | ||||
| -rw-r--r-- | net/samba44/files/patch-source3__modules__vfs_fruit.c | 11 | ||||
| -rw-r--r-- | net/samba44/files/patch-source3__smbd__close.c | 11 | ||||
| -rw-r--r-- | net/samba44/files/patch-source3__smbd__open.c | 11 | ||||
| -rw-r--r-- | net/samba44/files/patch-source4__dns_server__dns_crypto.c | 77 | ||||
| -rw-r--r-- | net/samba44/pkg-plist | 9 |
12 files changed, 83 insertions, 108 deletions
diff --git a/net/samba43/Makefile b/net/samba43/Makefile index 96086cafa9e0..50d84398bee8 100644 --- a/net/samba43/Makefile +++ b/net/samba43/Makefile @@ -3,7 +3,7 @@ PORTNAME?= ${SAMBA4_BASENAME}43 PORTVERSION?= ${SAMBA4_VERSION} -PORTREVISION?= 1 +PORTREVISION?= 0 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} @@ -19,7 +19,7 @@ CONFLICTS?= *samba3[2-6]-3.* samba4-4.0.* samba41-4.1.* samba42-4.2.* samba44-4 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.3.11 +SAMBA4_VERSION= 4.3.13 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} @@ -157,7 +157,6 @@ CONFIGURE_ARGS+= \ --with-sendfile-support \ --builtin-libraries=smbclient \ ${ICONV_CONFIGURE_BASE} - # for libexecinfo: (so that __builtin_frame_address() finds the top of the stack) .if ${ARCH} == "amd64" CFLAGS+= -fno-omit-frame-pointer @@ -192,11 +191,12 @@ GDB_CMD?= ${LOCALBASE}/bin/gdb BUILD_DEPENDS+= ${GDB_CMD}:devel/gdb RUN_DEPENDS+= ${GDB_CMD}:devel/gdb SAMBA4_MODULES+= auth_skel perfcount_test pdb_test vfs_shadow_copy_test vfs_skel_opaque vfs_skel_transparent vfs_fake_acls -CONFIGURE_ARGS+= --enable-developer --enable-selftest -PLIST_SUB+= DEVELOPER="" +CONFIGURE_ARGS+= --enable-developer --enable-selftest --with-ntvfs-fileserver --abi-check-disable +PLIST_SUB+= DEVELOPER="" NTVFS="" .else GDB_CMD= true -PLIST_SUB+= DEVELOPER="@comment " +CONFIGURE_ARGS+= --without-ntvfs-fileserver +PLIST_SUB+= DEVELOPER="@comment " NTVFS="@comment" .endif ############################################################################## # XXX: That will blow up your installation @@ -345,7 +345,7 @@ CONFIGURE_ARGS+= --without-ads .if defined(SAMBA4_WANT_LDAP) USE_OPENLDAP= yes -#WANT_OPENLDAP_SASL= yes +WANT_OPENLDAP_SASL= yes CONFIGURE_ARGS+= --with-ldap PLIST_SUB+= LDAP="" .else diff --git a/net/samba43/distinfo b/net/samba43/distinfo index 0e40bd301e39..ef8d3abc0c3b 100644 
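Review bot: In the `.else` branch of the `@@ -192,11 +191,12 @@` hunk, `NTVFS="@comment"` lacks the trailing space that `DEVELOPER="@comment "` carries on the same line. As a result `%%NTVFS%%lib/samba/libntvfs-samba4.so` in pkg-plist expands to `@commentlib/samba/libntvfs-samba4.so` instead of a commented-out entry. I would write `PLIST_SUB+= DEVELOPER="@comment " NTVFS="@comment "`. The same line appears in the `@@ -193,11 +192,12 @@` hunk of net/samba44/Makefile. The enclosing `.if` block starts outside the hunk.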
--- a/net/samba43/distinfo
+++ b/net/samba43/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1468280731
-SHA256 (samba-4.3.11.tar.gz) = 90a967310e34a31d5c9fc5f86855f334fc19815e7e59f5c2d72a9bba23cf4fec
-SIZE (samba-4.3.11.tar.gz) = 20573432
+TIMESTAMP = 1482679553
+SHA256 (samba-4.3.13.tar.gz) = 876da00b42cecd340db8bad03aabe78eb34ad6ac9a99876d190be3b39a186a97
+SIZE (samba-4.3.13.tar.gz) = 20590334
diff --git a/net/samba43/files/patch-source3__smbd__close.c b/net/samba43/files/patch-source3__smbd__close.c
new file mode 100644
index 000000000000..43135fd721f2
--- /dev/null
+++ b/net/samba43/files/patch-source3__smbd__close.c
@@ -0,0 +1,11 @@
+--- source3/smbd/close.c.orig 2016-12-25 13:09:22.100676000 +0000
++++ source3/smbd/close.c 2016-12-25 13:09:59.877256000 +0000
+@@ -168,7 +168,7 @@
+ unsigned int num_streams = 0;
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+- bool saved_posix_pathnames;
++ bool saved_posix_pathnames = false;
+
+ status = vfs_streaminfo(conn, NULL, fname, talloc_tos(),
+ &num_streams, &stream_info);
diff --git a/net/samba43/files/patch-source3__smbd__open.c b/net/samba43/files/patch-source3__smbd__open.c
new file mode 100644
index 000000000000..96aa7dfae8aa
--- /dev/null
+++ b/net/samba43/files/patch-source3__smbd__open.c
@@ -0,0 +1,11 @@
+--- source3/smbd/open.c.orig 2016-12-25 13:08:58.349614000 +0000
++++ source3/smbd/open.c 2016-12-25 13:09:10.968754000 +0000
+@@ -3890,7 +3890,7 @@
+ unsigned int num_streams = 0;
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+- bool saved_posix_pathnames;
++ bool saved_posix_pathnames = false;
+
+ status = vfs_streaminfo(conn, NULL, fname, talloc_tos(),
+ &num_streams, &stream_info);
diff --git a/net/samba43/pkg-plist b/net/samba43/pkg-plist
index b44a5a320f0a..6dc160390a49 100644
--- a/net/samba43/pkg-plist
+++ b/net/samba43/pkg-plist
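Review bot: The new local patch for source3/smbd/close.c does not say why `saved_posix_pathnames` now starts as `false`. The code that reads the variable lies outside the hunk, so a reader cannot tell whether this fixes a real uninitialized read or only quiets a compiler warning. I would add a comment line above the `---` header of the patch file, for example `Initialize saved_posix_pathnames: <reason>; drop once fixed upstream`. The same applies to the identical change in patch-source3__smbd__open.c and to both copies under net/samba44/files.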
@@ -222,7 +222,7 @@ lib/nss_wins.so.1 lib/pam_winbind.so lib/winbind_krb5_locator.so %%AD_DC%%lib/samba/libdlz-bind9-for-torture-samba4.so -%%AD_DC%%lib/samba/libntvfs-samba4.so +%%NTVFS%%lib/samba/libntvfs-samba4.so %%AD_DC%%lib/samba/libposix-eadb-samba4.so %%AD_DC%%lib/samba/libprocess-model-samba4.so %%AD_DC%%lib/samba/libservice-samba4.so @@ -328,9 +328,6 @@ lib/samba/libutil-tdb-samba4.so lib/samba/libwinbind-client-samba4.so lib/samba/libwind-samba4.so.0 lib/samba/libxattr-tdb-samba4.so -%%DEVELOPER%%lib/samba/libnss_wrapper.so -%%DEVELOPER%%lib/samba/libuid_wrapper.so -%%DEVELOPER%%lib/samba/libsocket_wrapper.so %%AD_DC%%lib/shared-modules/bind9/dlz_bind9.so %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_10.so %%AD_DC%%lib/shared-modules/bind9/dlz_bind9_9.so @@ -385,7 +382,7 @@ lib/samba/libxattr-tdb-samba4.so %%AD_DC%%lib/shared-modules/service/nbtd.so %%AD_DC%%lib/shared-modules/service/ntp_signd.so %%AD_DC%%lib/shared-modules/service/s3fs.so -%%AD_DC%%lib/shared-modules/service/smb.so +%%NTVFS%%lib/shared-modules/service/smb.so %%AD_DC%%lib/shared-modules/service/web.so %%AD_DC%%lib/shared-modules/service/winbindd.so %%AD_DC%%lib/shared-modules/service/wrepl.so @@ -502,7 +499,6 @@ lib/shared-modules/vfs/zfsacl.so %%PKGCONFIGDIR%%/smbclient-raw.pc %%PKGCONFIGDIR%%/torture.pc %%PKGCONFIGDIR%%/wbclient.pc -%%DEVELOPER%%%%PYTHON_SITELIBDIR%%/samba/socket_wrapper.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/dckeytab.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/posix_eadb.so %%AD_DC%%%%PYTHON_SITELIBDIR%%/samba/xattr_native.so diff --git a/net/samba44/Makefile b/net/samba44/Makefile index c5e0a234a228..f4e9a004484e 100644 --- a/net/samba44/Makefile +++ b/net/samba44/Makefile @@ -3,7 +3,7 @@ PORTNAME?= ${SAMBA4_BASENAME}44 PORTVERSION?= ${SAMBA4_VERSION} -PORTREVISION?= 1 +PORTREVISION?= 0 CATEGORIES?= net MASTER_SITES= SAMBA/samba/stable SAMBA/samba/rc DISTNAME= ${SAMBA4_DISTNAME} 
@@ -19,7 +19,7 @@ CONFLICTS?= *samba3[2-6]-3.* samba4-4.0.* samba41-4.1.* samba42-4.2.* samba43-4 SAMBA4_BASENAME= samba SAMBA4_PORTNAME= ${SAMBA4_BASENAME}4 -SAMBA4_VERSION= 4.4.5 +SAMBA4_VERSION= 4.4.8 SAMBA4_DISTNAME= ${SAMBA4_BASENAME}-${SAMBA4_VERSION:S|.p|pre|:S|.r|rc|:S|.t|tp|:S|.a|alpha|} WRKSRC?= ${WRKDIR}/${DISTNAME} @@ -158,7 +158,6 @@ CONFIGURE_ARGS+= \ --with-sendfile-support \ --builtin-libraries=smbclient \ ${ICONV_CONFIGURE_BASE} - # for libexecinfo: (so that __builtin_frame_address() finds the top of the stack) .if ${ARCH} == "amd64" CFLAGS+= -fno-omit-frame-pointer @@ -193,11 +192,12 @@ GDB_CMD?= ${LOCALBASE}/bin/gdb BUILD_DEPENDS+= ${GDB_CMD}:devel/gdb RUN_DEPENDS+= ${GDB_CMD}:devel/gdb SAMBA4_MODULES+= auth_skel perfcount_test pdb_test vfs_shadow_copy_test vfs_skel_opaque vfs_skel_transparent vfs_fake_acls -CONFIGURE_ARGS+= --enable-developer --enable-selftest --abi-check-disable -PLIST_SUB+= DEVELOPER="" +CONFIGURE_ARGS+= --enable-developer --enable-selftest --with-ntvfs-fileserver --abi-check-disable +PLIST_SUB+= DEVELOPER="" NTVFS="" .else GDB_CMD= true -PLIST_SUB+= DEVELOPER="@comment " +CONFIGURE_ARGS+= --without-ntvfs-fileserver +PLIST_SUB+= DEVELOPER="@comment " NTVFS="@comment" .endif ############################################################################## # XXX: That will blow up your installation @@ -325,13 +325,15 @@ CONFIGURE_ARGS+= --without-utmp .if defined(SAMBA4_WANT_ADS) CONFIGURE_ARGS+= --with-ads +PLIST_SUB+= ADS="" .else CONFIGURE_ARGS+= --without-ads +PLIST_SUB+= ADS="@comment " .endif .if defined(SAMBA4_WANT_LDAP) USE_OPENLDAP= yes -#WANT_OPENLDAP_SASL= yes +WANT_OPENLDAP_SASL= yes CONFIGURE_ARGS+= --with-ldap PLIST_SUB+= LDAP="" .else diff --git a/net/samba44/distinfo b/net/samba44/distinfo index 69d31dd105ca..9fa38ef01142 100644 --- a/net/samba44/distinfo +++ b/net/samba44/distinfo 
@@ -1,3 +1,3 @@
-TIMESTAMP = 1468271289
-SHA256 (samba-4.4.5.tar.gz) = b876ef2e63f66265490e80a122e66ef2d7616112b839df68f56ac2e1ce17a7bd
-SIZE (samba-4.4.5.tar.gz) = 20715838
+TIMESTAMP = 1482669451
+SHA256 (samba-4.4.8.tar.gz) = 0e54de8a22b77f9712578029639331b51f818b70e194766c98475a5b99470fbf
+SIZE (samba-4.4.8.tar.gz) = 20743869
diff --git a/net/samba44/files/patch-source3__modules__vfs_fruit.c b/net/samba44/files/patch-source3__modules__vfs_fruit.c
new file mode 100644
index 000000000000..48d4b40138de
--- /dev/null
+++ b/net/samba44/files/patch-source3__modules__vfs_fruit.c
@@ -0,0 +1,11 @@
+--- source3/modules/vfs_fruit.c.orig 2016-12-28 02:48:27.478460000 +0000
++++ source3/modules/vfs_fruit.c 2016-12-28 02:48:58.141967000 +0000
+@@ -105,7 +105,7 @@
+ * This is hokey, but what else can we do?
+ */
+ #define NETATALK_META_XATTR "org.netatalk.Metadata"
+-#if defined(HAVE_ATTROPEN) || defined(FREEBSD)
++#if defined(HAVE_ATTROPEN)
+ #define AFPINFO_EA_NETATALK NETATALK_META_XATTR
+ #define AFPRESOURCE_EA_NETATALK "org.netatalk.ResourceFork"
+ #else
diff --git a/net/samba44/files/patch-source3__smbd__close.c b/net/samba44/files/patch-source3__smbd__close.c
new file mode 100644
index 000000000000..43135fd721f2
--- /dev/null
+++ b/net/samba44/files/patch-source3__smbd__close.c
@@ -0,0 +1,11 @@
+--- source3/smbd/close.c.orig 2016-12-25 13:09:22.100676000 +0000
++++ source3/smbd/close.c 2016-12-25 13:09:59.877256000 +0000
+@@ -168,7 +168,7 @@
+ unsigned int num_streams = 0;
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+- bool saved_posix_pathnames;
++ bool saved_posix_pathnames = false;
+
+ status = vfs_streaminfo(conn, NULL, fname, talloc_tos(),
+ &num_streams, &stream_info);
diff --git a/net/samba44/files/patch-source3__smbd__open.c b/net/samba44/files/patch-source3__smbd__open.c
new file mode 100644
index 000000000000..96aa7dfae8aa
--- /dev/null
+++ b/net/samba44/files/patch-source3__smbd__open.c
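Review bot: Dropping `|| defined(FREEBSD)` from the `#if` in the vfs_fruit.c patch changes which extended-attribute names the module uses for AFP metadata and resource forks on FreeBSD, and nothing in the patch addresses files already written under the previous names. The `#else` branch that now applies is outside the hunk, so the new names are not visible here; presumably shares populated by earlier builds of this port would no longer find their stored metadata. I would add a comment above the `---` header of the patch file, for example `Use the xattr names shared with net/netatalk3; data written by earlier builds of this port stays under the old names`, and mention the change in the port's upgrade notes.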
@@ -0,0 +1,11 @@
+--- source3/smbd/open.c.orig 2016-12-25 13:08:58.349614000 +0000
++++ source3/smbd/open.c 2016-12-25 13:09:10.968754000 +0000
+@@ -3890,7 +3890,7 @@
+ unsigned int num_streams = 0;
+ TALLOC_CTX *frame = talloc_stackframe();
+ NTSTATUS status;
+- bool saved_posix_pathnames;
++ bool saved_posix_pathnames = false;
+
+ status = vfs_streaminfo(conn, NULL, fname, talloc_tos(),
+ &num_streams, &stream_info);
diff --git a/net/samba44/files/patch-source4__dns_server__dns_crypto.c b/net/samba44/files/patch-source4__dns_server__dns_crypto.c
deleted file mode 100644
index 96a6d381d346..000000000000
--- a/net/samba44/files/patch-source4__dns_server__dns_crypto.c
+++ /dev/null
@@ -1,77 +0,0 @@ -From 27b732f6bfcdcd96fd76e89c624f5f18ca944531 Mon Sep 17 00:00:00 2001 -From: Guenter Kukkukk <kukks@samba.org> -Date: Sat, 16 Feb 2013 16:53:16 +0100 -Subject: [PATCH] Fix internal DNS dyn. update, seen as: ; TSIG error with server: tsig verify failure - -The dns update signed response must be handled differently than the TKEY response - -Signed-off-by: Guenter Kukkukk <kukks@samba.org> ---- - source4/dns_server/dns_crypto.c | 44 ++++++++++++++++++++++++++++++++------ - 1 files changed, 37 insertions(+), 7 deletions(-) - -diff --git a/source4/dns_server/dns_crypto.c b/source4/dns_server/dns_crypto.c -index 7604a05..71adf68 100644 ---- ./source4/dns_server/dns_crypto.c.orig 2012-10-02 08:24:46.000000000 +0000 -+++ ./source4/dns_server/dns_crypto.c 2013-11-18 22:45:12.818702284 +0000 -@@ -244,6 +244,8 @@ - DATA_BLOB packet_blob, tsig_blob, sig; - uint8_t *buffer = NULL; - size_t buffer_len = 0; -+ size_t miclen_bytes = 0; -+ size_t mic_size = 0; - struct dns_server_tkey * tkey = NULL; - struct dns_res_rec *tsig = talloc_zero(mem_ctx, struct dns_res_rec); - -@@ -298,16 +300,44 @@ - return DNS_ERR(SERVER_FAILURE); - } - -- buffer_len = packet_blob.length + tsig_blob.length; -- buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len); -- if (buffer == NULL) { -- return WERR_NOMEM; -- } -+ /* DNS update must be handled differently than the TKEY case */ -+ if ((packet->operation & DNS_OPCODE) == DNS_OPCODE_UPDATE) { -+ /* Here the request MIC must be placed in front of the buffer. 
-+ Calculate the length of the buffer used for the request MIC: -+ 2 bytes (sizeof uint16_t) for the length itself -+ length bytes of the MIC (here 16 + 12 = 28 bytes) */ -+ miclen_bytes = sizeof(state->tsig->rdata.tsig_record.mac_size); -+ mic_size = miclen_bytes + state->tsig->rdata.tsig_record.mac_size; - -- memcpy(buffer, packet_blob.data, packet_blob.length); -- memcpy(buffer+packet_blob.length, tsig_blob.data, tsig_blob.length); -+ buffer_len = mic_size + packet_blob.length + tsig_blob.length; -+ buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len); -+ if (buffer == NULL) { -+ return WERR_NOMEM; -+ } - -+ /* copy the 2 length bytes of request MIC in big-endian order */ -+ RSSVAL(buffer,0,state->tsig->rdata.tsig_record.mac_size); -+ -+ /* copy the request MIC itself */ -+ memcpy(buffer + miclen_bytes, state->tsig->rdata.tsig_record.mac, -+ state->tsig->rdata.tsig_record.mac_size); -+ -+ /* copy the remaining data */ -+ memcpy(buffer + mic_size, packet_blob.data, packet_blob.length); -+ memcpy(buffer + mic_size + packet_blob.length, tsig_blob.data, tsig_blob.length); -+ } else { -+ buffer_len = packet_blob.length + tsig_blob.length; -+ buffer = talloc_zero_array(mem_ctx, uint8_t, buffer_len); -+ if (buffer == NULL) { -+ return WERR_NOMEM; -+ } - -+ memcpy(buffer, packet_blob.data, packet_blob.length); -+ memcpy(buffer+packet_blob.length, tsig_blob.data, tsig_blob.length); -+ } -+ -+ /* FIXME: as in the verify case, some padding is wrong */ -+ buffer_len -=2; - status = gensec_sign_packet(tkey->gensec, mem_ctx, buffer, buffer_len, - buffer, buffer_len, &sig); - if (!NT_STATUS_IS_OK(status)) { diff --git a/net/samba44/pkg-plist b/net/samba44/pkg-plist index 349a129d0449..57d2e6cb8033 100644 --- a/net/samba44/pkg-plist +++ b/net/samba44/pkg-plist 
@@ -164,8 +164,6 @@ lib/samba4/libsmbconf.so
 lib/samba4/libsmbconf.so.0
 %%LDAP%%lib/samba4/libsmbldap.so
 %%LDAP%%lib/samba4/libsmbldap.so.0
-lib/samba4/libtevent-unix-util.so
-lib/samba4/libtevent-unix-util.so.0
 lib/samba4/libtevent-util.so
 lib/samba4/libtevent-util.so.0
 lib/samba4/libwbclient.so
@@ -176,7 +174,6 @@ lib/nss_wins.so.1
 lib/pam_winbind.so
 %%CUPS%%libexec/samba/smbspool_krb5_wrapper
 %%AD_DC%%lib/samba4/private/libdlz-bind9-for-torture-samba4.so
-%%AD_DC%%lib/samba4/private/libntvfs-samba4.so
 %%AD_DC%%lib/samba4/private/libposix-eadb-samba4.so
 %%AD_DC%%lib/samba4/private/libprocess-model-samba4.so
 %%AD_DC%%lib/samba4/private/libservice-samba4.so
@@ -269,6 +266,7 @@ lib/samba4/private/libsmbd-base-samba4.so
 lib/samba4/private/libsmbd-conn-samba4.so
 lib/samba4/private/libsmbd-shim-samba4.so
 %%LDAP%%lib/samba4/private/libsmbldaphelper-samba4.so
+%%NTVFS%%lib/samba4/private/libntvfs-samba4.so
 lib/samba4/private/libsmbpasswdparser-samba4.so
 lib/samba4/private/libsmbregistry-samba4.so
 lib/samba4/private/libsocket-blocking-samba4.so
@@ -339,14 +337,14 @@ lib/samba4/private/libxattr-tdb-samba4.so
 %%AD_DC%%lib/shared-modules/service/nbtd.so
 %%AD_DC%%lib/shared-modules/service/ntp_signd.so
 %%AD_DC%%lib/shared-modules/service/s3fs.so
-%%DEVELOPER%%%%AD_DC%%lib/shared-modules/service/smb.so
+%%NTVFS%%lib/shared-modules/service/smb.so
 %%AD_DC%%lib/shared-modules/service/web.so
 %%AD_DC%%lib/shared-modules/service/winbindd.so
 %%AD_DC%%lib/shared-modules/service/wrepl.so
 %%AD_DC%%lib/shared-modules/vfs/posix_eadb.so
 %%DEVELOPER%%lib/shared-modules/vfs/nfs4acl_xattr.so
 %%DEVELOPER%%lib/shared-modules/vfs/fake_dfq.so
-%%LDAP%%lib/shared-modules/idmap/rfc2307.so
+%%ADS%%lib/shared-modules/idmap/rfc2307.so
 %%MODULE_AUTH_SAMBA4%%lib/shared-modules/auth/samba4.so
 %%MODULE_AUTH_SKEL%%lib/shared-modules/auth/skel.so
 %%MODULE_AUTH_UNIX%%lib/shared-modules/auth/unix.so
@@ -585,6 +583,7 @@ lib/shared-modules/vfs/zfsacl.so %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/testrpc.py %%PYTHON_SITELIBDIR%%/samba/tests/dcerpc/unix.py %%PYTHON_SITELIBDIR%%/samba/tests/dns.py +%%PYTHON_SITELIBDIR%%/samba/tests/dns_tkey.py %%PYTHON_SITELIBDIR%%/samba/tests/docs.py %%PYTHON_SITELIBDIR%%/samba/tests/dsdb.py %%PYTHON_SITELIBDIR%%/samba/tests/gensec.py |
