From b594db48be190bea4981a9df82e9ac3f9e6f20a0 Mon Sep 17 00:00:00 2001
From: Guenther Deschner
Date: Wed, 11 Jun 2008 17:10:07 +0000
Subject: [PATCH] - Update to 3.2.0rc2 - resolves: #449522 - resolves: #448107
Guenther
---
.cvsignore | 2 +-
samba-3.2.0rc1-capget.diff | 113 -------------
samba-3.2.0rc1-server.diff | 42 -----
samba-CVE-2008-1105.diff | 315 -------------------------------------
samba.spec | 19 ++-
sources | 2 +-
6 files changed, 11 insertions(+), 482 deletions(-)
delete mode 100644 samba-3.2.0rc1-capget.diff
delete mode 100644 samba-3.2.0rc1-server.diff
delete mode 100644 samba-CVE-2008-1105.diff
diff --git a/.cvsignore b/.cvsignore
index 4d964da..3db44ef 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-samba-3.2.0rc1.tar.gz
+samba-3.2.0rc2.tar.gz
diff --git a/samba-3.2.0rc1-capget.diff b/samba-3.2.0rc1-capget.diff
deleted file mode 100644
index c1a8614..0000000
--- a/samba-3.2.0rc1-capget.diff
+++ /dev/null
@@ -1,113 +0,0 @@ - source/include/smb.h | 3 +- - source/lib/system.c | 5 ++++ - source/smbd/oplock_linux.c | 48 +------------------------------------------ - 3 files changed, 9 insertions(+), 47 deletions(-) - -diff --git a/source/include/smb.h b/source/include/smb.h -index d6b026d..38d9b7b 100644 ---- a/source/include/smb.h -+++ b/source/include/smb.h -@@ -1703,7 +1703,8 @@ minimum length == 18. - - enum smbd_capability { - KERNEL_OPLOCK_CAPABILITY, -- DMAPI_ACCESS_CAPABILITY -+ DMAPI_ACCESS_CAPABILITY, -+ LEASE_CAPABILITY - }; - - /* if a kernel does support oplocks then a structure of the following -diff --git a/source/lib/system.c b/source/lib/system.c -index fa50955..eabb6d6 100644 ---- a/source/lib/system.c -+++ b/source/lib/system.c -@@ -733,6 +733,11 @@ static bool set_process_capability(enum smbd_capability capability, - cap_vals[num_cap_vals++] = CAP_MKNOD; - #endif - break; -+ case LEASE_CAPABILITY: -+#ifdef CAP_LEASE -+ cap_vals[num_cap_vals++] = CAP_LEASE; -+#endif -+ break; - } - - SMB_ASSERT(num_cap_vals <= ARRAY_SIZE(cap_vals)); -diff --git a/source/smbd/oplock_linux.c b/source/smbd/oplock_linux.c -index fa7cb42..08df228 100644 ---- a/source/smbd/oplock_linux.c -+++ b/source/smbd/oplock_linux.c -@@ -22,22 +22,6 @@ - - #if HAVE_KERNEL_OPLOCKS_LINUX - --/* these can be removed when they are in glibc headers */ --struct cap_user_header { -- uint32 version; -- int pid; --} header; --struct cap_user_data { -- uint32 effective; -- uint32 permitted; -- uint32 inheritable; --} data; -- --extern int capget(struct cap_user_header * hdrp, -- struct cap_user_data * datap); --extern int capset(struct cap_user_header * hdrp, -- const struct cap_user_data * datap); -- - static SIG_ATOMIC_T signals_received; - #define FD_PENDING_SIZE 100 - static SIG_ATOMIC_T fd_pending_array[FD_PENDING_SIZE]; -@@ -75,40 +59,12 @@ static void signal_handler(int sig, siginfo_t *info, void *unused) - sys_select_signal(RT_SIGNAL_LEASE); - } - 
--/**************************************************************************** -- Try to gain a linux capability. --****************************************************************************/ -- --static void set_capability(unsigned capability) --{ --#ifndef _LINUX_CAPABILITY_VERSION --#define _LINUX_CAPABILITY_VERSION 0x19980330 --#endif -- header.version = _LINUX_CAPABILITY_VERSION; -- header.pid = 0; -- -- if (capget(&header, &data) == -1) { -- DEBUG(3,("Unable to get kernel capabilities (%s)\n", -- strerror(errno))); -- return; -- } -- -- if (0 == (data.effective & (1< -Date: Fri May 30 11:46:34 2008 +0200 - - Fix security=server, bug 5502 - - This has brown paper bag quality and is definitely needed for 3.2.0. - - Thanks to Orion Poplawski for reporting this! - - Volker - -diff --git a/source/auth/auth_server.c b/source/auth/auth_server.c -index b07884c..31d1d37 100644 ---- a/source/auth/auth_server.c -+++ b/source/auth/auth_server.c -@@ -270,13 +270,15 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context - const auth_usersupplied_info *user_info, - auth_serversupplied_info **server_info) - { -+ struct server_security_state *state = talloc_get_type_abort( -+ my_private_data, struct server_security_state); - struct cli_state *cli; - static bool tested_password_server = False; - static bool bad_password_server = False; - NTSTATUS nt_status = NT_STATUS_NOT_IMPLEMENTED; - bool locally_made_cli = False; - -- cli = (struct cli_state *)my_private_data; -+ cli = state->cli; - - if (cli) { - } else { -@@ -285,7 +287,7 @@ static NTSTATUS check_smbserver_security(const struct auth_context *auth_context - } - - if (!cli || !cli->initialised) { -- DEBUG(1,("password server is not connected (cli not initilised)\n")); -+ DEBUG(1,("password server is not connected (cli not initialised)\n")); - return NT_STATUS_LOGON_FAILURE; - } - diff --git a/samba-CVE-2008-1105.diff b/samba-CVE-2008-1105.diff deleted file mode 100644 index 19c750a..0000000 
--- a/samba-CVE-2008-1105.diff
+++ /dev/null
@@ -1,315 +0,0 @@ -diff --git a/source/client/client.c b/source/client/client.c -index e08fa89..d684ba8 100644 ---- a/source/client/client.c -+++ b/source/client/client.c -@@ -4382,7 +4382,7 @@ static void readline_callback(void) - - set_smb_read_error(&cli->smb_rw_error, SMB_READ_OK); - -- status = receive_smb_raw(cli->fd, cli->inbuf, 0, 0, &len); -+ status = receive_smb_raw(cli->fd, cli->inbuf, cli->bufsize, 0, 0, &len); - - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Read from server failed, maybe it closed " -diff --git a/source/lib/util_sock.c b/source/lib/util_sock.c -index f252377..df89dc8 100644 ---- a/source/lib/util_sock.c -+++ b/source/lib/util_sock.c -@@ -1160,7 +1160,7 @@ NTSTATUS read_smb_length(int fd, char *inbuf, unsigned int timeout, - Doesn't check the MAC on signed packets. - ****************************************************************************/ - --NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout, -+NTSTATUS receive_smb_raw(int fd, char *buffer, size_t buflen, unsigned int timeout, - size_t maxlen, size_t *p_len) - { - size_t len; -@@ -1173,17 +1173,10 @@ NTSTATUS receive_smb_raw(int fd, char *buffer, unsigned int timeout, - return status; - } - -- /* -- * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes -- * of header. Don't print the error if this fits.... JRA. -- */ -- -- if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { -+ if (len > buflen) { - DEBUG(0,("Invalid packet length! 
(%lu bytes).\n", - (unsigned long)len)); -- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) { -- return NT_STATUS_INVALID_PARAMETER; -- } -+ return NT_STATUS_INVALID_PARAMETER; - } - - if(len > 0) { -diff --git a/source/libsmb/clientgen.c b/source/libsmb/clientgen.c -index 6419123..2af4383 100644 ---- a/source/libsmb/clientgen.c -+++ b/source/libsmb/clientgen.c -@@ -57,8 +57,7 @@ int cli_set_port(struct cli_state *cli, int port) - } - - /**************************************************************************** -- Read an smb from a fd ignoring all keepalive packets. Note that the buffer -- *MUST* be of size BUFFER_SIZE+SAFETY_MARGIN. -+ Read an smb from a fd ignoring all keepalive packets. - The timeout is in milliseconds - - This is exactly the same as receive_smb except that it never returns -@@ -76,8 +75,8 @@ static ssize_t client_receive_smb(struct cli_state *cli, size_t maxlen) - - set_smb_read_error(&cli->smb_rw_error, SMB_READ_OK); - -- status = receive_smb_raw(cli->fd, cli->inbuf, cli->timeout, -- maxlen, &len); -+ status = receive_smb_raw(cli->fd, cli->inbuf, cli->bufsize, -+ cli->timeout, maxlen, &len); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("client_receive_smb failed\n")); - show_msg(cli->inbuf); -@@ -225,93 +224,6 @@ ssize_t cli_receive_smb_data(struct cli_state *cli, char *buffer, size_t len) - return -1; - } - --/**************************************************************************** -- Read a smb readX header. -- We can only use this if encryption and signing are off. --****************************************************************************/ -- --bool cli_receive_smb_readX_header(struct cli_state *cli) --{ -- ssize_t len, offset; -- -- if (cli->fd == -1) -- return false; -- -- again: -- -- /* Read up to the size of a readX header reply. 
*/ -- len = client_receive_smb(cli, (smb_size - 4) + 24); -- -- if (len > 0) { -- /* it might be an oplock break request */ -- if (!(CVAL(cli->inbuf, smb_flg) & FLAG_REPLY) && -- CVAL(cli->inbuf,smb_com) == SMBlockingX && -- SVAL(cli->inbuf,smb_vwv6) == 0 && -- SVAL(cli->inbuf,smb_vwv7) == 0) { -- ssize_t total_len = smb_len(cli->inbuf); -- -- if (total_len > CLI_SAMBA_MAX_LARGE_READX_SIZE+SAFETY_MARGIN) { -- goto read_err; -- } -- -- /* Read the rest of the data. */ -- if ((total_len - len > 0) && -- !cli_receive_smb_data(cli,cli->inbuf+len,total_len - len)) { -- goto read_err; -- } -- -- if (cli->oplock_handler) { -- int fnum = SVAL(cli->inbuf,smb_vwv2); -- unsigned char level = CVAL(cli->inbuf,smb_vwv3+1); -- if (!cli->oplock_handler(cli, fnum, level)) return false; -- } -- /* try to prevent loops */ -- SCVAL(cli->inbuf,smb_com,0xFF); -- goto again; -- } -- } -- -- /* If it's not the above size it probably was an error packet. */ -- -- if ((len == (smb_size - 4) + 24) && !cli_is_error(cli)) { -- /* Check it's a non-chained readX reply. */ -- if (!(CVAL(cli->inbuf, smb_flg) & FLAG_REPLY) || -- (CVAL(cli->inbuf,smb_vwv0) != 0xFF) || -- (CVAL(cli->inbuf,smb_com) != SMBreadX)) { -- /* -- * We're not coping here with asnyc replies to -- * other calls. Punt here - we need async client -- * libs for this. -- */ -- goto read_err; -- } -- -- /* -- * We know it's a readX reply - ensure we've read the -- * padding bytes also. 
-- */ -- -- offset = SVAL(cli->inbuf,smb_vwv6); -- if (offset > len) { -- ssize_t ret; -- size_t padbytes = offset - len; -- ret = cli_receive_smb_data(cli,smb_buf(cli->inbuf),padbytes); -- if (ret != padbytes) { -- goto read_err; -- } -- } -- } -- -- return true; -- -- read_err: -- -- cli->smb_rw_error = SMB_READ_ERROR; -- close(cli->fd); -- cli->fd = -1; -- return false; --} -- - static ssize_t write_socket(int fd, const char *buf, size_t len) - { - ssize_t ret=0; -diff --git a/source/libsmb/clireadwrite.c b/source/libsmb/clireadwrite.c -index 12ba4b7..487f446 100644 ---- a/source/libsmb/clireadwrite.c -+++ b/source/libsmb/clireadwrite.c -@@ -472,106 +472,6 @@ ssize_t cli_read(struct cli_state *cli, int fnum, char *buf, - return ret; - } - --#if 0 /* relies on client_receive_smb(), now a static in libsmb/clientgen.c */ -- --/* This call is INCOMPATIBLE with SMB signing. If you remove the #if 0 -- you must fix ensure you don't attempt to sign the packets - data -- *will* be currupted */ -- --/**************************************************************************** --Issue a single SMBreadraw and don't wait for a reply. 
--****************************************************************************/ -- --static bool cli_issue_readraw(struct cli_state *cli, int fnum, off_t offset, -- size_t size, int i) --{ -- -- if (!cli->sign_info.use_smb_signing) { -- DEBUG(0, ("Cannot use readraw and SMB Signing\n")); -- return False; -- } -- -- memset(cli->outbuf,'\0',smb_size); -- memset(cli->inbuf,'\0',smb_size); -- -- cli_set_message(cli->outbuf,10,0,True); -- -- SCVAL(cli->outbuf,smb_com,SMBreadbraw); -- SSVAL(cli->outbuf,smb_tid,cli->cnum); -- cli_setup_packet(cli); -- -- SSVAL(cli->outbuf,smb_vwv0,fnum); -- SIVAL(cli->outbuf,smb_vwv1,offset); -- SSVAL(cli->outbuf,smb_vwv2,size); -- SSVAL(cli->outbuf,smb_vwv3,size); -- SSVAL(cli->outbuf,smb_mid,cli->mid + i); -- -- return cli_send_smb(cli); --} -- --/**************************************************************************** -- Tester for the readraw call. --****************************************************************************/ -- --ssize_t cli_readraw(struct cli_state *cli, int fnum, char *buf, off_t offset, size_t size) --{ -- char *p; -- int size2; -- size_t readsize; -- ssize_t total = 0; -- -- if (size == 0) -- return 0; -- -- /* -- * Set readsize to the maximum size we can handle in one readraw. 
-- */ -- -- readsize = 0xFFFF; -- -- while (total < size) { -- readsize = MIN(readsize, size-total); -- -- /* Issue a read and receive a reply */ -- -- if (!cli_issue_readraw(cli, fnum, offset, readsize, 0)) -- return -1; -- -- if (!client_receive_smb(cli->fd, cli->inbuf, cli->timeout)) -- return -1; -- -- size2 = smb_len(cli->inbuf); -- -- if (size2 > readsize) { -- DEBUG(5,("server returned more than we wanted!\n")); -- return -1; -- } else if (size2 < 0) { -- DEBUG(5,("read return < 0!\n")); -- return -1; -- } -- -- /* Copy data into buffer */ -- -- if (size2) { -- p = cli->inbuf + 4; -- memcpy(buf + total, p, size2); -- } -- -- total += size2; -- offset += size2; -- -- /* -- * If the server returned less than we asked for we're at EOF. -- */ -- -- if (size2 < readsize) -- break; -- } -- -- return total; --} --#endif -- - /**************************************************************************** - Issue a single SMBwrite and don't wait for a reply. - ****************************************************************************/ -diff --git a/source/smbd/process.c b/source/smbd/process.c -index 5946989..ed34e9b 100644 ---- a/source/smbd/process.c -+++ b/source/smbd/process.c -@@ -120,9 +120,7 @@ static bool valid_packet_size(size_t len) - if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { - DEBUG(0,("Invalid packet length! 
(%lu bytes).\n", - (unsigned long)len)); -- if (len > BUFFER_SIZE + (SAFETY_MARGIN/2)) { -- return false; -- } -+ return false; - } - return true; - } -diff --git a/source/utils/smbfilter.c b/source/utils/smbfilter.c -index e128e1c..d274e09 100644 ---- a/source/utils/smbfilter.c -+++ b/source/utils/smbfilter.c -@@ -171,7 +171,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) - if (c != -1 && FD_ISSET(c, &fds)) { - size_t len; - if (!NT_STATUS_IS_OK(receive_smb_raw( -- c, packet, 0, 0, &len))) { -+ c, packet, sizeof(packet), -+ 0, 0, &len))) { - d_printf("client closed connection\n"); - exit(0); - } -@@ -184,7 +185,8 @@ static void filter_child(int c, struct sockaddr_storage *dest_ss) - if (s != -1 && FD_ISSET(s, &fds)) { - size_t len; - if (!NT_STATUS_IS_OK(receive_smb_raw( -- s, packet, 0, 0, &len))) { -+ s, packet, sizeof(packet), -+ 0, 0, &len))) { - d_printf("server closed connection\n"); - exit(0); - } diff --git a/samba.spec b/samba.spec index 568b57d..d192e49 100644 --- a/samba.spec +++ b/samba.spec @@ -1,5 +1,5 @@ -%define main_release 15 -%define samba_version 3.2.0rc1 +%define main_release 16 +%define samba_version 3.2.0rc2 %define tdb_version 1.1.1 %define talloc_version 1.2.0 @@ -7,13 +7,13 @@ Summary: The Samba Suite of programs Name: samba Epoch: 0 Version: 3.2.0 -Release: 1.rc1.%{main_release}%{?dist} +Release: 1.rc2.%{main_release}%{?dist} License: GPLv3+ and LGPLv3+ Group: System Environment/Daemons URL: http://www.samba.org/ #TAG: change for non-pre -Source: http://download.samba.org/samba/ftp/rc/%{name}-%{version}rc1.tar.gz +Source: http://download.samba.org/samba/ftp/rc/%{name}-%{version}rc2.tar.gz #Source: http://www.samba.org/samba/ftp/samba/%{name}-%{version}.tar.gz # Red Hat specific replacement-files 
@@ -46,9 +46,6 @@ Patch107: samba-3.2.0pre1-grouppwd.patch Patch110: samba-3.0.21pre1-smbspool.patch Patch111: samba-3.0.13-smbclient.patch Patch200: samba-3.0.25rc1-inotifiy.patch -Patch220: samba-3.2.0rc1-capget.diff -Patch221: samba-CVE-2008-1105.diff -Patch222: samba-3.2.0rc1-server.diff Requires(pre): samba-common = %{epoch}:%{version}-%{release} Requires: pam >= 0:0.64 @@ -255,9 +252,6 @@ cp %{SOURCE11} packaging/Fedora/ #%patch110 -p1 -b .smbspool # FIXME: does not apply #%patch111 -p1 -b .smbclient # FIXME: does not apply #%patch200 -p0 -b .inotify # FIXME: does not compile -%patch220 -p1 -b .capget -%patch221 -p1 -b .CVE-2008-1105 -%patch222 -p1 -b .server mv source/VERSION source/VERSION.orig sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{release}\"/' < source/VERSION.orig > source/VERSION @@ -852,6 +846,11 @@ exit 0 %{_datadir}/pixmaps/samba/logo-small.png %changelog +* Tue Jun 10 2008 Guenther Deschner - 3.2.0-1.rc2.16 +- Update to 3.2.0rc2 +- resolves: #449522 +- resolves: #448107 + * Fri May 30 2008 Guenther Deschner - 3.2.0-1.rc1.15 - Fix security=server - resolves: #449038, #449039 diff --git a/sources b/sources index 17cbdc2..6c4a975 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -df46b81d4921136af3aaade65c054d31 samba-3.2.0rc1.tar.gz +a58610bfa60a1f555bae3cd31dacd955 samba-3.2.0rc2.tar.gz
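Review bot: The changelog entry added in the `@@ -852,6 +846,11 @@` hunk does not say that `Patch221: samba-CVE-2008-1105.diff` stops being applied, which the `@@ -46,9 +46,6 @@` and `@@ -255,9 +252,6 @@` hunks of samba.spec do, together with Patch220 and Patch222. Presumably the 3.2.0rc2 tarball already carries these fixes, but nothing visible in the commit establishes that, so the rc2 tree should be checked for the `buflen` argument of `receive_smb_raw()` and the `if (len > buflen)` rejection that the deleted patch introduced. Once confirmed, a changelog line such as `- Drop capget, CVE-2008-1105 and security=server patches, included upstream in 3.2.0rc2` would let anyone tracking the CVE see why the fix left the package.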