Merge pull request #1191 from flatcar/dongsu/samba-4.18

net-fs/samba: update to 4.18.4
flatcar · Oct 2, 2023 · 0866b8b · 0866b8b
2 parents 455645c + 8addf0c
commit 0866b8b
Show file tree

Hide file tree

Showing 9 changed files with 212 additions and 87 deletions.
diff --git a/changelog/security/2023-09-25-samba-4.18.4.md b/changelog/security/2023-09-25-samba-4.18.4.md
@@ -0,0 +1 @@
+- samba ([CVE-2021-44142](https://nvd.nist.gov/vuln/detail/CVE-2021-44142), [CVE-2022-1615](https://nvd.nist.gov/vuln/detail/CVE-2022-1615))
diff --git a/changelog/updates/2023-09-25-samba-4.18.4.md b/changelog/updates/2023-09-25-samba-4.18.4.md
@@ -0,0 +1 @@
+- samba ([4.18.4](https://wiki.samba.org/index.php/Samba_4.18_Features_added/changed#Samba_4.18.4))
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/Manifest
@@ -1 +1 @@
-DIST samba-4.15.4.tar.gz 19280813 BLAKE2B 3106f2f265263e871fe3f82d3eecaac2e5f642925ff5dd2a9d163092fd13e9348a3910e40431d51cb94a1abeb3b9c32c487ce1f8caebe59a8d6d90641b4d9201 SHA512 e55473dd4971816a01880870309ca44f022625cd529511bcf386c865a2e7e79118577ee4866559f607952de47dc0d310d6426bd08dd4293db95ddbbe3982383d
+DIST samba-4.18.4.tar.gz 41311410 BLAKE2B 1f1aab7eb933111b9b1c72af8c3dd379fe34014085129e9d5cc400b4e434742e1c08ad4fdf2a98291d6063ce9b2ddc811e9ab5dbb133a85e97f2158f83dd7c96 SHA512 bc8d792b510061556c07b6844a825801a4271eed45e01133a4718c1839d123e2908fa0e31e67af43098500e98a9082eb104052e711a8a034fac23d86e15c29ee
diff --git a/...r/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch b/...r/src/third_party/coreos-overlay/net-fs/samba/files/ldb-2.5.2-skip-wav-tevent-check.patch
@@ -0,0 +1,12 @@
+--- ldb-1.3.6/lib/tevent/wscript
++++ ldb-1.3.6/lib/tevent/wscript
+@@ -34,8 +34,7 @@
+         if conf.CHECK_BUNDLED_SYSTEM_PKG('tevent', minversion=VERSION,
+                                      onlyif='talloc', implied_deps='replace talloc'):
+             conf.define('USING_SYSTEM_TEVENT', 1)
+-            if not conf.env.disable_python and \
+-                conf.CHECK_BUNDLED_SYSTEM_PYTHON('pytevent', 'tevent', minversion=VERSION):
++            if not conf.env.disable_python:
+                 conf.define('USING_SYSTEM_PYTEVENT', 1)
+
+     if conf.CHECK_FUNCS('epoll_create', headers='sys/epoll.h'):
diff --git a/...eos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch b/...eos-overlay/net-fs/samba/files/samba-4.18.4-bug-15418-windows-update-secure-channel.patch
@@ -0,0 +1,56 @@
+https://bugs.gentoo.org/910306
+https://bugzilla.samba.org/show_bug.cgi?id=15418
+
+ source3/rpc_server/netlogon/srv_netlog_nt.c   | 9 +++++----
+ source4/rpc_server/netlogon/dcerpc_netlogon.c | 8 ++++----
+ 2 files changed, 9 insertions(+), 8 deletions(-)
+
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -2284,6 +2284,11 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+
++	if (r->in.query_level != 1) {
++		p->fault_state = DCERPC_NCA_S_FAULT_INVALID_TAG;
++		return NT_STATUS_NOT_SUPPORTED;
++	}
++
+ 	become_root();
+ 	status = dcesrv_netr_creds_server_step_check(p->dce_call,
+ 						p->mem_ctx,
+@@ -2296,10 +2301,6 @@ NTSTATUS _netr_LogonGetCapabilities(struct pipes_struct *p,
+ 		return status;
+ 	}
+
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+ 	return NT_STATUS_OK;
+--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
+@@ -2364,6 +2364,10 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	struct netlogon_creds_CredentialState *creds;
+ 	NTSTATUS status;
+
++	if (r->in.query_level != 1) {
++		DCESRV_FAULT(DCERPC_NCA_S_FAULT_INVALID_TAG);
++	}
++
+ 	status = dcesrv_netr_creds_server_step_check(dce_call,
+ 						     mem_ctx,
+ 						     r->in.computer_name,
+@@ -2375,10 +2379,6 @@ static NTSTATUS dcesrv_netr_LogonGetCapabilities(struct dcesrv_call_state *dce_c
+ 	}
+ 	NT_STATUS_NOT_OK_RETURN(status);
+
+-	if (r->in.query_level != 1) {
+-		return NT_STATUS_NOT_SUPPORTED;
+-	}
+-
+ 	r->out.capabilities->server_capabilities = creds->negotiate_flags;
+
+ 	return NT_STATUS_OK;
diff --git a/.../net-fs/samba/files/samba-4.4.0-pam.patch → ...net-fs/samba/files/samba-4.18.4-pam.patch b/.../net-fs/samba/files/samba-4.4.0-pam.patch → ...net-fs/samba/files/samba-4.18.4-pam.patch
@@ -1,6 +1,6 @@
---- samba-4.4.0rc2/source3/wscript
-+++ samba-4.4.0rc2/source3/wscript
-@@ -870,7 +870,7 @@
+--- a/source3/wscript
++++ b/source3/wscript
+@@ -863,7 +863,7 @@
          if conf.env.with_iconv:
              conf.DEFINE('HAVE_ICONV', 1)
 
@@ -9,9 +9,9 @@
          use_pam=True
          conf.CHECK_HEADERS('security/pam_appl.h pam/pam_appl.h')
          if not conf.CONFIG_SET('HAVE_SECURITY_PAM_APPL_H') and not conf.CONFIG_SET('HAVE_PAM_PAM_APPL_H'):
-@@ -943,6 +943,17 @@
-             conf.DEFINE('WITH_PAM', 1)
-             conf.DEFINE('WITH_PAM_MODULES', 1)
+@@ -940,6 +940,17 @@
+                        "or headers not found. Use --without-pam to disable "
+                        "PAM support.");
 
 +    else:
 +        Logs.warn("PAM disabled")

diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/files/samba.conf
@@ -1,3 +1,8 @@
-D /run/samba 0755 root root
-D /run/ctdb 0755 root root
-D /run/lock/samba 0755 root root
+d /run/samba
+d /run/ctdb
+d /run/lock/samba
+d /var/cache/samba
+d /var/lib/ctdb
+d /var/lib/samba/bind-dns
+d /var/lib/samba/private
+d /var/log/samba
diff --git a/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml b/sdk_container/src/third_party/coreos-overlay/net-fs/samba/metadata.xml
@@ -10,7 +10,6 @@
 	</longdescription>
 	<use>
 		<flag name="addc">Enable Active Directory Domain Controller support</flag>
-		<flag name="addns">Enable AD DNS integration</flag>
 		<flag name="ads">Enable Active Directory support</flag>
 		<flag name="ceph">Enable support for Ceph distributed filesystem via <pkg>sys-cluster/ceph</pkg></flag>
 		<flag name="client">Enables the client part</flag>
@@ -19,7 +18,6 @@
 		<flag name="gpg">Use <pkg>app-crypt/gpgme</pkg> for AD DC</flag>
 		<flag name="json">Enable json audit support through <pkg>dev-libs/jansson</pkg></flag>
 		<flag name="iprint">Enabling iPrint technology by Novell</flag>
-		<flag name="ntvfs">Enable support for NTVFS fileserver</flag>
 		<flag name="profiling-data">Enables support for collecting profiling data</flag>
 		<flag name="quota">Enables support for user quotas</flag>
 		<flag name="regedit">Enable support for regedit command-line tool</flag>
@@ -29,9 +27,11 @@
 			bundled heimdal.</flag>
 		<flag name="system-mitkrb5">Use <pkg>app-crypt/mit-krb5</pkg> instead of
 			<pkg>app-crypt/heimdal</pkg>.</flag>
+		<flag name="unwind">Enable libunwind usage for backtraces</flag>
 		<flag name="winbind">Enables support for the winbind auth daemon</flag>
 	</use>
 	<upstream>
 		<remote-id type="cpe">cpe:/a:samba:samba</remote-id>
+		<remote-id type="gitlab">samba-team/samba</remote-id>
 	</upstream>
 </pkgmetadata>