Merge pull request openembedded#7 from Aclima/update-samba
Update samba from Yocto Honister branch
Showing
7 changed files
with
474 additions
and
8 deletions.
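--- a/meta-networking/recipes-connectivity/samba/samba/0001-Add-options-to-configure-the-use-of-libbsd.patch
+++ b/meta-networking/recipes-connectivity/samba/samba/0001-Add-options-to-configure-the-use-of-libbsd.patch
@@ -0,0 +1,103 @@
+From 1e8d31c138395122df4cc2a3e0edd6cd3fad736c Mon Sep 17 00:00:00 2001
+From: Peter Kjellerstedt <pkj@axis.com>
+Date: Tue, 28 Apr 2020 02:05:33 +0200
+Subject: [PATCH] Add options to configure the use of libbsd
+
+Upstream-Status: Inappropriate [oe deterministic build specific]
+Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com>
+---
+buildtools/wafsamba/wscript | 7 +++++++
+lib/crypto/wscript_configure | 2 +-
+lib/replace/wscript | 29 +++++++++++++++--------------
+lib/texpect/wscript | 7 ++++++-
+4 files changed, 29 insertions(+), 16 deletions(-)
+
+diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
+index 7b8fb01..a8e4b0a 100644
+--- a/buildtools/wafsamba/wscript
++++ b/buildtools/wafsamba/wscript
+@@ -88,6 +88,13 @@ def options(opt):
+help=("Disable use of gettext"),
+action="store_true", dest='disable_gettext', default=False)
+
++ opt.add_option('--with-libbsd',
++ help=("Enable use of libbsd"),
++ action="store_true", dest='enable_libbsd')
++ opt.add_option('--without-libbsd',
++ help=("Disable use of libbsd"),
++ action="store_false", dest='enable_libbsd', default=False)
++
+gr = opt.option_group('developer options')
+
+gr.add_option('-C',
+diff --git a/lib/crypto/wscript_configure b/lib/crypto/wscript_configure
+index 09dfe04..e871718 100644
+--- a/lib/crypto/wscript_configure
++++ b/lib/crypto/wscript_configure
+@@ -2,7 +2,7 @@
+from waflib import Options
+from waflib import Errors, Logs
+
+-if not conf.CHECK_FUNCS_IN('MD5Init', 'bsd', headers='bsd/md5.h',
++if not Options.options.enable_libbsd or not conf.CHECK_FUNCS_IN('MD5Init', 'bsd', headers='bsd/md5.h',
+checklibc=True):
+conf.CHECK_FUNCS_IN('MD5Init', 'md5', headers='sys/md5.h',
+checklibc=True)
+diff --git a/lib/replace/wscript b/lib/replace/wscript
+index 0020d2a..cd9228f 100644
+--- a/lib/replace/wscript
++++ b/lib/replace/wscript
+@@ -407,20 +407,21 @@ def configure(conf):
+
+strlcpy_in_bsd = False
+
+- # libbsd on some platforms provides strlcpy and strlcat
+- if not conf.CHECK_FUNCS('strlcpy strlcat'):
+- if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
+- checklibc=True):
+- strlcpy_in_bsd = True
+- if not conf.CHECK_FUNCS('getpeereid'):
+- conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
+- if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
+- conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
+- if not conf.CHECK_FUNCS('setproctitle_init'):
+- conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
+-
+- if not conf.CHECK_FUNCS('closefrom'):
+- conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
++ if Options.options.enable_libbsd:
++ # libbsd on some platforms provides strlcpy and strlcat
++ if not conf.CHECK_FUNCS('strlcpy strlcat'):
++ if conf.CHECK_FUNCS_IN('strlcpy strlcat', 'bsd', headers='bsd/string.h',
++ checklibc=True):
++ strlcpy_in_bsd = True
++ if not conf.CHECK_FUNCS('getpeereid'):
++ conf.CHECK_FUNCS_IN('getpeereid', 'bsd', headers='sys/types.h bsd/unistd.h')
++ if not conf.CHECK_FUNCS_IN('setproctitle', 'setproctitle', headers='setproctitle.h'):
++ conf.CHECK_FUNCS_IN('setproctitle', 'bsd', headers='sys/types.h bsd/unistd.h')
++ if not conf.CHECK_FUNCS('setproctitle_init'):
++ conf.CHECK_FUNCS_IN('setproctitle_init', 'bsd', headers='sys/types.h bsd/unistd.h')
++
++ if not conf.CHECK_FUNCS('closefrom'):
++ conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')
+
+conf.CHECK_CODE('''
+struct ucred cred;
+diff --git a/lib/texpect/wscript b/lib/texpect/wscript
+index e14c048..a91de59 100644
+--- a/lib/texpect/wscript
++++ b/lib/texpect/wscript
+@@ -1,7 +1,12 @@
+#!/usr/bin/env python
++from waflib import Options
+
+def configure(conf):
+- conf.CHECK_FUNCS_IN('openpty', 'util', checklibc=True, headers='pty.h util.h bsd/libutil.h libutil.h')
++ hdrs = 'pty.h util.h'
++ if Options.options.enable_libbsd:
++ hdrs += ' bsd/libutil.h'
++ hdrs += ' libutil.h'
++ conf.CHECK_FUNCS_IN('openpty', 'util', checklibc=True, headers=hdrs)
+
+def build(bld):
+bld.SAMBA_BINARY('texpect', 'texpect.c', deps='popt util replace', install=False)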
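Review bot: In the lib/replace/wscript hunk the new `if Options.options.enable_libbsd:` guard wraps the plain libc probe `conf.CHECK_FUNCS('strlcpy strlcat')` as well as the libbsd lookups. If the checks that follow are nested the same way (indentation is not visible here), the `getpeereid`, `setproctitle_init` and `closefrom` probes are gated too. Since `--without-libbsd` is the default (`default=False`), a build would then not detect these functions even where libc itself provides them, unless they are probed again elsewhere in `configure`, whose body continues outside the hunk. Gating only the libbsd fallback keeps the build deterministic without losing libc detection, e.g. `if not conf.CHECK_FUNCS('closefrom') and Options.options.enable_libbsd:` followed by the existing `conf.CHECK_FUNCS_IN('closefrom', 'bsd', headers='bsd/unistd.h')`.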
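--- a/meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch
+++ b/meta-networking/recipes-connectivity/samba/samba/0001-nsswitch-nsstest.c-Avoid-nss-function-conflicts-with.patch
@@ -0,0 +1,96 @@
+From 9aba5ac17bb822f91f6b214f5b82dd1eb8c47616 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Wed, 22 Jul 2020 22:42:09 -0700
+Subject: [PATCH] nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h
+
+glibc 2.32 will define these varibles [1] which results in conflicts
+with these static function names, therefore prefix these function names
+with samba_ to avoid it
+
+[1] https://sourceware.org/git/?p=glibc.git;a=commit;h=499a92df8b9fc64a054cf3b7f728f8967fc1da7d
+
+Upstream-Status: Submitted [https://gitlab.com/samba-team/samba/-/merge_requests/1477]
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+nsswitch/nsstest.c | 16 ++++++++--------
+1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/nsswitch/nsstest.c b/nsswitch/nsstest.c
+index 6d92806..46f9679 100644
+--- a/nsswitch/nsstest.c
++++ b/nsswitch/nsstest.c
+@@ -137,7 +137,7 @@ static struct passwd *nss_getpwuid(uid_t uid)
+return &pwd;
+}
+
+-static void nss_setpwent(void)
++static void samba_nss_setpwent(void)
+{
+NSS_STATUS (*_nss_setpwent)(void) =
+(NSS_STATUS(*)(void))find_fn("setpwent");
+@@ -152,7 +152,7 @@ static void nss_setpwent(void)
+}
+}
+
+-static void nss_endpwent(void)
++static void samba_nss_endpwent(void)
+{
+NSS_STATUS (*_nss_endpwent)(void) =
+(NSS_STATUS (*)(void))find_fn("endpwent");
+@@ -284,7 +284,7 @@ again:
+return &grp;
+}
+
+-static void nss_setgrent(void)
++static void samba_nss_setgrent(void)
+{
+NSS_STATUS (*_nss_setgrent)(void) =
+(NSS_STATUS (*)(void))find_fn("setgrent");
+@@ -299,7 +299,7 @@ static void nss_setgrent(void)
+}
+}
+
+-static void nss_endgrent(void)
++static void samba_nss_endgrent(void)
+{
+NSS_STATUS (*_nss_endgrent)(void) =
+(NSS_STATUS (*)(void))find_fn("endgrent");
+@@ -396,7 +396,7 @@ static void nss_test_users(void)
+{
+struct passwd *pwd;
+
+- nss_setpwent();
++ samba_nss_setpwent();
+/* loop over all users */
+while ((pwd = nss_getpwent())) {
+printf("Testing user %s\n", pwd->pw_name);
+@@ -418,14 +418,14 @@ static void nss_test_users(void)
+printf("initgroups: "); nss_test_initgroups(pwd->pw_name, pwd->pw_gid);
+printf("\n");
+}
+- nss_endpwent();
++ samba_nss_endpwent();
+}
+
+static void nss_test_groups(void)
+{
+struct group *grp;
+
+- nss_setgrent();
++ samba_nss_setgrent();
+/* loop over all groups */
+while ((grp = nss_getgrent())) {
+printf("Testing group %s\n", grp->gr_name);
+@@ -446,7 +446,7 @@ static void nss_test_groups(void)
+printf("getgrgid: "); print_group(grp);
+printf("\n");
+}
+- nss_endgrent();
++ samba_nss_endgrent();
+}
+
+static void nss_test_errors(void)
+--
+2.27.0
+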
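--- a/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2020-14318.patch
@@ -0,0 +1,142 @@
+From ccf53dfdcd39f3526dbc2f20e1245674155380ff Mon Sep 17 00:00:00 2001
+From: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+Date: Fri, 11 Dec 2020 11:32:44 +0900
+Subject: [PATCH] s4: torture: Add smb2.notify.handle-permissions test.
+
+s3: smbd: Ensure change notifies can't get set unless the
+directory handle is open for SEC_DIR_LIST.
+
+CVE-2020-14318
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434
+
+Signed-off-by: Jeremy Allison <jra@samba.org>
+
+Signed-off-by: Zheng Ruoqin <zhengrq.fnst@cn.fujitsu.com>
+---
+source3/smbd/notify.c | 8 ++++
+source4/torture/smb2/notify.c | 82 ++++++++++++++++++++++++++++++++++-
+2 files changed, 89 insertions(+), 1 deletion(-)
+
+diff --git a/source3/smbd/notify.c b/source3/smbd/notify.c
+index 44c0b09..d23c03b 100644
+--- a/source3/smbd/notify.c
++++ b/source3/smbd/notify.c
+@@ -283,6 +283,14 @@ NTSTATUS change_notify_create(struct files_struct *fsp, uint32_t filter,
+char fullpath[len+1];
+NTSTATUS status = NT_STATUS_NOT_IMPLEMENTED;
+
++ /*
++ * Setting a changenotify needs READ/LIST access
++ * on the directory handle.
++ */
++ if (!(fsp->access_mask & SEC_DIR_LIST)) {
++ return NT_STATUS_ACCESS_DENIED;
++ }
++
+if (fsp->notify != NULL) {
+DEBUG(1, ("change_notify_create: fsp->notify != NULL, "
+"fname = %s\n", fsp->fsp_name->base_name));
+diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c
+index ebb4f8a..a5c9b94 100644
+--- a/source4/torture/smb2/notify.c
++++ b/source4/torture/smb2/notify.c
+@@ -2569,6 +2569,83 @@ done:
+return ok;
+}
+
++/*
++ Test asking for a change notify on a handle without permissions.
++*/
++
++#define BASEDIR_HPERM BASEDIR "_HPERM"
++
++static bool torture_smb2_notify_handle_permissions(
++ struct torture_context *torture,
++ struct smb2_tree *tree)
++{
++ bool ret = true;
++ NTSTATUS status;
++ union smb_notify notify;
++ union smb_open io;
++ struct smb2_handle h1 = {{0}};
++ struct smb2_request *req;
++
++ smb2_deltree(tree, BASEDIR_HPERM);
++ smb2_util_rmdir(tree, BASEDIR_HPERM);
++
++ torture_comment(torture,
++ "TESTING CHANGE NOTIFY "
++ "ON A HANDLE WITHOUT PERMISSIONS\n");
++
++ /*
++ get a handle on the directory
++ */
++ ZERO_STRUCT(io.smb2);
++ io.generic.level = RAW_OPEN_SMB2;
++ io.smb2.in.create_flags = 0;
++ io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
++ io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
++ io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
++ io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
++ NTCREATEX_SHARE_ACCESS_WRITE;
++ io.smb2.in.alloc_size = 0;
++ io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
++ io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
++ io.smb2.in.security_flags = 0;
++ io.smb2.in.fname = BASEDIR_HPERM;
++
++ status = smb2_create(tree, torture, &io.smb2);
++ CHECK_STATUS(status, NT_STATUS_OK);
++ h1 = io.smb2.out.file.handle;
++
++ /* ask for a change notify,
++ on file or directory name changes */
++ ZERO_STRUCT(notify.smb2);
++ notify.smb2.level = RAW_NOTIFY_SMB2;
++ notify.smb2.in.buffer_size = 1000;
++ notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
++ notify.smb2.in.file.handle = h1;
++ notify.smb2.in.recursive = true;
++
++ req = smb2_notify_send(tree, ¬ify.smb2);
++ torture_assert_goto(torture,
++ req != NULL,
++ ret,
++ done,
++ "smb2_notify_send failed\n");
++
++ /*
++ * Cancel it, we don't really want to wait.
++ */
++ smb2_cancel(req);
++ status = smb2_notify_recv(req, torture, ¬ify.smb2);
++ /* Handle h1 doesn't have permissions for ChangeNotify. */
++ CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
++
++done:
++ if (!smb2_util_handle_empty(h1)) {
++ smb2_util_close(tree, h1);
++ }
++ smb2_deltree(tree, BASEDIR_HPERM);
++ return ret;
++}
++
+/*
+basic testing of SMB2 change notify
+*/
+@@ -2602,7 +2679,10 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
+torture_smb2_notify_rmdir3);
+torture_suite_add_2smb2_test(suite, "rmdir4",
+torture_smb2_notify_rmdir4);
+-
++ torture_suite_add_1smb2_test(suite,
++ "handle-permissions",
++ torture_smb2_notify_handle_permissions);
++
+suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");
+
+return suite;
+--
+2.25.1
+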
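Review bot: The header of CVE-2020-14318.patch carries no `Upstream-Status:` line, unlike the two other patches added in this commit, so the origin of this security backport cannot be checked from the recipe. The Subject names only the torture test, while the body also describes the smbd fix (the `SEC_DIR_LIST` check added to `change_notify_create`), which suggests two upstream commits were combined. I would add `Upstream-Status: Backport [<upstream commit URL>]` and `CVE: CVE-2020-14318` above the Signed-off-by lines, and state in the description that two commits were folded together if that is the case.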