* Mon Mar 08 2010 Simo Sorce <ssorce@redhat.com> - 3.4.7-50

- Security update to 3.4.7
- Fixes CVE-2010-0728

.cvsignore

@@ -1 +1 @@
-samba-3.3.3.tar.gz
+samba-3.4.6.tar.gz

Makefile

@@ -4,7 +4,7 @@ NAME := samba
 SPECFILE = $(firstword $(wildcard *.spec))
 
 define find-makefile-common
-for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
+for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$d/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
 endef
 
 MAKEFILE_COMMON := $(shell $(find-makefile-common))

branch

@@ -0,0 +1 @@
+F-11

pam_winbind.conf

@@ -7,20 +7,32 @@
 [global]
 
 # turn on debugging
-;debug = yes
+;debug = no
+
+# turn on extended PAM state debugging
+;debug_state = no
 
 # request a cached login if possible
 # (needs "winbind offline logon = yes" in smb.conf)
-;cached_login = yes
+;cached_login = no
 
 # authenticate using kerberos
-;krb5_auth = yes
+;krb5_auth = no
 
 # when using kerberos, request a "FILE" krb5 credential cache type
 # (leave empty to just do krb5 authentication but not have a ticket
 # afterwards)
-;krb5_ccache_type = FILE
+;krb5_ccache_type =
 
 # make successful authentication dependend on membership of one SID
 # (can also take a name)
 ;require_membership_of =
+
+# password expiry warning period in days
+;warn_pwd_expire = 14
+
+# omit pam conversations
+;silent = no
+
+# create homedirectory on the fly
+;mkhomedir = no

samba-3.2.0pre1-grouppwd.patch

@@ -1,5 +1,5 @@
---- samba-3.2.0pre1/source/winbindd/winbindd_group.c.star	2007-10-03 17:40:31.000000000 -0400
-+++ samba-3.2.0pre1/source/winbindd/winbindd_group.c	2007-10-03 17:40:46.000000000 -0400
+--- samba-3.2.0pre1/source3/winbindd/winbindd_group.c.star	2007-10-03 17:40:31.000000000 -0400
++++ samba-3.2.0pre1/source3/winbindd/winbindd_group.c	2007-10-03 17:40:46.000000000 -0400
 @@ -215,7 +215,7 @@
  	/* Group name and password */
  

samba-3.2.0pre1-pipedir.patch

@@ -1,5 +1,5 @@
---- samba-3.2.0pre1/source/nsswitch/winbind_struct_protocol.h.pipedir	2007-10-03 15:32:23.000000000 -0400
-+++ samba-3.2.0pre1/source/nsswitch/winbind_struct_protocol.h	2007-10-03 15:33:13.000000000 -0400
+--- samba-3.2.0pre1/nsswitch/winbind_struct_protocol.h.pipedir	2007-10-03 15:32:23.000000000 -0400
++++ samba-3.2.0pre1/nsswitch/winbind_struct_protocol.h	2007-10-03 15:33:13.000000000 -0400
 @@ -24,7 +24,7 @@
   * is needed for launchd support -- jpeach.
   */

samba-3.2.4-build.patch

@@ -1,21 +0,0 @@
-commit 1f44b4aaa5f700827ee2ab272ae4b59e559b094b
-Author: Günther Deschner <gd@samba.org>
-Date:   Fri Sep 5 14:01:45 2008 +0200
-
-    build: don't install the cifs.upcall binary twice.
-    
-    Guenther
-
-diff --git a/source/Makefile.in b/source/Makefile.in
-index 8b46ab6..b67cfe8 100644
---- a/source/Makefile.in
-+++ b/source/Makefile.in
-@@ -178,7 +178,7 @@ PATH_FLAGS = -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" \
- 
- # Note that all executable programs now provide for an optional executable suffix.
- 
--SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@ @CIFSUPCALL_PROGS@
-+SBIN_PROGS = bin/smbd@EXEEXT@ bin/nmbd@EXEEXT@ @SWAT_SBIN_TARGETS@ @EXTRA_SBIN_PROGS@
- 
- ROOT_SBIN_PROGS = @CIFSMOUNT_PROGS@
- 

samba-3.2.5-inotify.patch

@@ -1,6 +1,6 @@
 === modified file 'source/smbd/notify_inotify.c'
---- source/smbd/notify_inotify.c	2007-03-09 12:07:58 +0000
-+++ source/smbd/notify_inotify.c	2007-04-10 16:27:47 +0000
+--- source3/smbd/notify_inotify.c	2007-03-09 12:07:58 +0000
++++ source3/smbd/notify_inotify.c	2007-04-10 16:27:47 +0000
 @@ -66,6 +66,7 @@
  	struct sys_notify_context *ctx;
  	int fd;

samba-3.4.5-CVE-2009-3297-mount_cifs.patch

@@ -0,0 +1,628 @@
+From 40520b65fcfba963e90dfcffe87acd63a1760881 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:53 -0500
+Subject: [PATCH 1/5] mount.cifs: directly include sys/stat.h in mtab.c
+
+This file is mysteriously getting included when built via the makefile,
+but when you try to build mtab.o by hand it fails to build. Directly
+include it to remove any ambiguity.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mtab.c |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/source3/client/mtab.c b/source3/client/mtab.c
+index 93fbd11..70789bc 100644
+--- a/source3/client/mtab.c
++++ b/source3/client/mtab.c
+@@ -32,6 +32,7 @@
+ #include <errno.h>
+ #include <stdio.h>
+ #include <sys/time.h>
++#include <sys/stat.h>
+ #include <time.h>
+ #include <fcntl.h>
+ #include <mntent.h>
+-- 
+1.6.6
+
+From 59dd0bb8c8b46c875bcc8b55a6c22fee5ea2113b Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:57 -0500
+Subject: [PATCH 2/5] mount.cifs: properly check for mount being in fstab when running setuid root (try#3)
+
+This is the third attempt to clean up the checks when a setuid
+mount.cifs is run by an unprivileged user. The main difference in this
+patch from the last one is that it fixes a bug where the mount might
+have failed if unnecessarily if CIFS_LEGACY_SETUID_CHECK was set.
+
+When mount.cifs is installed setuid root and run as an unprivileged
+user, it does some checks to limit how the mount is used. It checks that
+the mountpoint is owned by the user doing the mount.
+
+These checks however do not match those that /bin/mount does when it is
+called by an unprivileged user. When /bin/mount is called by an
+unprivileged user to do a mount, it checks that the mount in question is
+in /etc/fstab, that it has the "user" option set, etc.
+
+This means that it's currently not possible to set up user mounts the
+standard way (by the admin, in /etc/fstab) and simultaneously protect
+from an unprivileged user calling mount.cifs directly to mount a share
+on any directory that that user owns.
+
+Fix this by making the checks in mount.cifs match those of /bin/mount
+itself. This is a necessary step to make mount.cifs safe to be installed
+as a setuid binary, but not sufficient. For that, we'd need to give
+mount.cifs a proper security audit.
+
+Since some users may be depending on the legacy behavior, this patch
+also adds the ability to build mount.cifs with the older behavior.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |  202 ++++++++++++++++++++++++++++++++++---------
+ 1 files changed, 162 insertions(+), 40 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index 43dc7f6..da2867c 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -39,10 +39,11 @@
+ #include <mntent.h>
+ #include <fcntl.h>
+ #include <limits.h>
++#include <fstab.h>
+ #include "mount.h"
+ 
+ #define MOUNT_CIFS_VERSION_MAJOR "1"
+-#define MOUNT_CIFS_VERSION_MINOR "12"
++#define MOUNT_CIFS_VERSION_MINOR "13"
+ 
+ #ifndef MOUNT_CIFS_VENDOR_SUFFIX
+  #ifdef _SAMBA_BUILD_
+@@ -69,6 +70,10 @@
+ #define MS_BIND 4096
+ #endif
+ 
++/* private flags - clear these before passing to kernel */
++#define MS_USERS	0x40000000
++#define MS_USER		0x80000000
++
+ #define MAX_UNC_LEN 1024
+ 
+ #define CONST_DISCARD(type, ptr)      ((type) ((void *) (ptr)))
+@@ -83,6 +88,27 @@
+ /* currently maximum length of IPv6 address string */
+ #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
+ 
++/*
++ * By default, mount.cifs follows the conventions set forth by /bin/mount
++ * for user mounts. That is, it requires that the mount be listed in
++ * /etc/fstab with the "user" option when run as an unprivileged user and
++ * mount.cifs is setuid root.
++ *
++ * Older versions of mount.cifs however were "looser" in this regard. When
++ * made setuid root, a user could run mount.cifs directly and mount any share
++ * on a directory owned by that user.
++ *
++ * The legacy behavior is now disabled by default. To reenable it, set the
++ * following #define to true.
++ */
++#define CIFS_LEGACY_SETUID_CHECK 0
++
++/*
++ * When an unprivileged user runs a setuid mount.cifs, we set certain mount
++ * flags by default. These defaults can be changed here.
++ */
++#define CIFS_SETUID_FLAGS (MS_NOSUID|MS_NODEV)
++
+ const char *thisprogram;
+ int verboseflag = 0;
+ int fakemnt = 0;
+@@ -142,6 +168,99 @@ static size_t strlcat(char *d, const char *s, size_t bufsize)
+ }
+ #endif
+ 
++/*
++ * If an unprivileged user is doing the mounting then we need to ensure
++ * that the entry is in /etc/fstab.
++ */
++static int
++check_mountpoint(const char *progname, char *mountpoint)
++{
++	int err;
++	struct stat statbuf;
++
++	/* does mountpoint exist and is it a directory? */
++	err = stat(mountpoint, &statbuf);
++	if (err) {
++		fprintf(stderr, "%s: failed to stat %s: %s\n", progname,
++				mountpoint, strerror(errno));
++		return EX_USAGE;
++	}
++
++	if (!S_ISDIR(statbuf.st_mode)) {
++		fprintf(stderr, "%s: %s is not a directory!", progname,
++				mountpoint);
++		return EX_USAGE;
++	}
++
++#if CIFS_LEGACY_SETUID_CHECK
++	/* do extra checks on mountpoint for legacy setuid behavior */
++	if (!getuid() || geteuid())
++		return 0;
++
++	if (statbuf.st_uid != getuid()) {
++		fprintf(stderr, "%s: %s is not owned by user\n", progname,
++			mountpoint);
++		return EX_USAGE;
++	}
++
++	if ((statbuf.st_mode & S_IRWXU) != S_IRWXU) {
++		fprintf(stderr, "%s: invalid permissions on %s\n", progname,
++			mountpoint);
++		return EX_USAGE;
++	}
++#endif /* CIFS_LEGACY_SETUID_CHECK */
++
++	return 0;
++}
++
++#if CIFS_LEGACY_SETUID_CHECK
++static int
++check_fstab(const char *progname, char *mountpoint, char *devname,
++	    char **options)
++{
++	return 0;
++}
++#else /* CIFS_LEGACY_SETUID_CHECK */
++static int
++check_fstab(const char *progname, char *mountpoint, char *devname,
++	    char **options)
++{
++	FILE *fstab;
++	struct mntent *mnt;
++
++	/* make sure this mount is listed in /etc/fstab */
++	fstab = setmntent(_PATH_FSTAB, "r");
++	if (!fstab) {
++		fprintf(stderr, "Couldn't open %s for reading!\n",
++				_PATH_FSTAB);
++		return EX_FILEIO;
++	}
++
++	while((mnt = getmntent(fstab))) {
++		if (!strcmp(mountpoint, mnt->mnt_dir))
++			break;
++	}
++	endmntent(fstab);
++
++	if (mnt == NULL || strcmp(mnt->mnt_fsname, devname)) {
++		fprintf(stderr, "%s: permission denied: no match for "
++				"%s found in %s\n", progname, mountpoint,
++				_PATH_FSTAB);
++		return EX_USAGE;
++	}
++
++	/*
++	 * 'mount' munges the options from fstab before passing them
++	 * to us. It is non-trivial to test that we have the correct
++	 * set of options. We don't want to trust what the user
++	 * gave us, so just take whatever is in /etc/fstab.
++	 */
++	free(*options);
++	*options = strdup(mnt->mnt_opts);
++	return 0;
++}
++#endif /* CIFS_LEGACY_SETUID_CHECK */
++
+ /* BB finish BB
+ 
+         cifs_umount
+@@ -373,7 +492,7 @@ static int get_password_from_file(int file_descript, char * filename)
+ 	return rc;
+ }
+ 
+-static int parse_options(char ** optionsp, int * filesys_flags)
++static int parse_options(char ** optionsp, unsigned long * filesys_flags)
+ {
+ 	const char * data;
+ 	char * percent_char = NULL;
+@@ -423,6 +542,7 @@ static int parse_options(char ** optionsp, int * filesys_flags)
+ 
+ 		if (strncmp(data, "users",5) == 0) {
+ 			if(!value || !*value) {
++				*filesys_flags |= MS_USERS;
+ 				goto nocopy;
+ 			}
+ 		} else if (strncmp(data, "user_xattr",10) == 0) {
+@@ -431,10 +551,7 @@ static int parse_options(char ** optionsp, int * filesys_flags)
+ 
+ 			if (!value || !*value) {
+ 				if(data[4] == '\0') {
+-					if(verboseflag)
+-						printf("\nskipping empty user mount parameter\n");
+-					/* remove the parm since it would otherwise be confusing
+-					to the kernel code which would think it was a real username */
++					*filesys_flags |= MS_USER;
+ 					goto nocopy;
+ 				} else {
+ 					printf("username specified with no parameter\n");
+@@ -1046,7 +1163,7 @@ static void print_cifs_mount_version(void)
+ int main(int argc, char ** argv)
+ {
+ 	int c;
+-	int flags = MS_MANDLOCK; /* no need to set legacy MS_MGC_VAL */
++	unsigned long flags = MS_MANDLOCK;
+ 	char * orgoptions = NULL;
+ 	char * share_name = NULL;
+ 	const char * ipaddr = NULL;
+@@ -1069,7 +1186,6 @@ int main(int argc, char ** argv)
+ 	size_t current_len;
+ 	int retry = 0; /* set when we have to retry mount with uppercase */
+ 	struct addrinfo *addrhead = NULL, *addr;
+-	struct stat statbuf;
+ 	struct utsname sysinfo;
+ 	struct mntent mountent;
+ 	struct sockaddr_in *addr4;
+@@ -1127,8 +1243,8 @@ int main(int argc, char ** argv)
+ 		exit(EX_USAGE);
+ 	}
+ 
+-	/* add sharename in opts string as unc= parm */
+ 
++	/* add sharename in opts string as unc= parm */
+ 	while ((c = getopt_long (argc, argv, "afFhilL:no:O:rsSU:vVwt:",
+ 			 longopts, NULL)) != -1) {
+ 		switch (c) {
+@@ -1266,6 +1382,22 @@ int main(int argc, char ** argv)
+ 		exit(EX_USAGE);
+ 	}
+ 
++	/* make sure mountpoint is legit */
++	rc = check_mountpoint(thisprogram, mountpoint);
++	if (rc)
++		goto mount_exit;
++
++	/* sanity check for unprivileged mounts */
++	if (getuid()) {
++		rc = check_fstab(thisprogram, mountpoint, dev_name,
++				 &orgoptions);
++		if (rc)
++			goto mount_exit;
++
++		/* enable any default user mount flags */
++		flags |= CIFS_SETUID_FLAGS;
++	}
++
+ 	if (getenv("PASSWD")) {
+ 		if(mountpassword == NULL)
+ 			mountpassword = (char *)calloc(MOUNT_PASSWD_SIZE+1,1);
+@@ -1283,6 +1415,27 @@ int main(int argc, char ** argv)
+                 rc = EX_USAGE;
+ 		goto mount_exit;
+ 	}
++
++	if (getuid()) {
++#if !CIFS_LEGACY_SETUID_CHECK
++		if (!(flags & (MS_USERS|MS_USER))) {
++			fprintf(stderr, "%s: permission denied\n", thisprogram);
++			rc = EX_USAGE;
++			goto mount_exit;
++		}
++#endif /* !CIFS_LEGACY_SETUID_CHECK */
++		
++		if (geteuid()) {
++			fprintf(stderr, "%s: not installed setuid - \"user\" "
++					"CIFS mounts not supported.",
++					thisprogram);
++			rc = EX_FAIL;
++			goto mount_exit;
++		}
++	}
++
++	flags &= ~(MS_USERS|MS_USER);
++
+ 	addrhead = addr = parse_server(&share_name);
+ 	if((addrhead == NULL) && (got_ip == 0)) {
+ 		printf("No ip address specified and hostname not found\n");
+@@ -1299,37 +1452,6 @@ int main(int argc, char ** argv)
+ 			mountpoint = resolved_path; 
+ 		}
+ 	}
+-	if(chdir(mountpoint)) {
+-		printf("mount error: can not change directory into mount target %s\n",mountpoint);
+-		rc = EX_USAGE;
+-		goto mount_exit;
+-	}
+-
+-	if(stat (".", &statbuf)) {
+-		printf("mount error: mount point %s does not exist\n",mountpoint);
+-		rc = EX_USAGE;
+-		goto mount_exit;
+-	}
+-
+-	if (S_ISDIR(statbuf.st_mode) == 0) {
+-		printf("mount error: mount point %s is not a directory\n",mountpoint);
+-		rc = EX_USAGE;
+-		goto mount_exit;
+-	}
+-
+-	if((getuid() != 0) && (geteuid() == 0)) {
+-		if((statbuf.st_uid == getuid()) && (S_IRWXU == (statbuf.st_mode & S_IRWXU))) {
+-#ifndef CIFS_ALLOW_USR_SUID
+-			/* Do not allow user mounts to control suid flag
+-			for mount unless explicitly built that way */
+-			flags |= MS_NOSUID | MS_NODEV;
+-#endif						
+-		} else {
+-			printf("mount error: permission denied or not superuser and mount.cifs not installed SUID\n"); 
+-			exit(EX_USAGE);
+-		}
+-	}
+-
+ 	if(got_user == 0) {
+ 		/* Note that the password will not be retrieved from the
+ 		   USER env variable (ie user%password form) as there is
+-- 
+1.6.6
+
+From a92fa34e73b988ca84fe15df6f67ea4879a6aa2e Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:58 -0500
+Subject: [PATCH 3/5] mount.cifs: take extra care that mountpoint isn't changed during mount
+
+It's possible to trick mount.cifs into mounting onto the wrong directory
+by replacing the mountpoint with a symlink to a directory. mount.cifs
+attempts to check the validity of the mountpoint, but there's still a
+possible race between those checks and the mount(2) syscall.
+
+To guard against this, chdir to the mountpoint very early, and only deal
+with it as "." from then on out.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |   34 ++++++++++++++++++++++++++--------
+ 1 files changed, 26 insertions(+), 8 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index da2867c..53d1dad 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -179,7 +179,7 @@ check_mountpoint(const char *progname, char *mountpoint)
+ 	struct stat statbuf;
+ 
+ 	/* does mountpoint exist and is it a directory? */
+-	err = stat(mountpoint, &statbuf);
++	err = stat(".", &statbuf);
+ 	if (err) {
+ 		fprintf(stderr, "%s: failed to stat %s: %s\n", progname,
+ 				mountpoint, strerror(errno));
+@@ -1383,6 +1383,14 @@ int main(int argc, char ** argv)
+ 	}
+ 
+ 	/* make sure mountpoint is legit */
++	rc = chdir(mountpoint);
++	if (rc) {
++		fprintf(stderr, "Couldn't chdir to %s: %s\n", mountpoint,
++				strerror(errno));
++		rc = EX_USAGE;
++		goto mount_exit;
++	}
++
+ 	rc = check_mountpoint(thisprogram, mountpoint);
+ 	if (rc)
+ 		goto mount_exit;
+@@ -1445,13 +1453,23 @@ int main(int argc, char ** argv)
+ 	
+ 	/* BB save off path and pop after mount returns? */
+ 	resolved_path = (char *)malloc(PATH_MAX+1);
+-	if(resolved_path) {
+-		/* Note that if we can not canonicalize the name, we get
+-		another chance to see if it is valid when we chdir to it */
+-		if (realpath(mountpoint, resolved_path)) {
+-			mountpoint = resolved_path; 
+-		}
++	if (!resolved_path) {
++		fprintf(stderr, "Unable to allocate memory.\n");
++		rc = EX_SYSERR;
++		goto mount_exit;
+ 	}
++
++	/* Note that if we can not canonicalize the name, we get
++	   another chance to see if it is valid when we chdir to it */
++	if(!realpath(".", resolved_path)) {
++		fprintf(stderr, "Unable to resolve %s to canonical path: %s\n",
++				mountpoint, strerror(errno));
++		rc = EX_SYSERR;
++		goto mount_exit;
++	}
++
++	mountpoint = resolved_path; 
++
+ 	if(got_user == 0) {
+ 		/* Note that the password will not be retrieved from the
+ 		   USER env variable (ie user%password form) as there is
+@@ -1585,7 +1603,7 @@ mount_retry:
+ 	if (verboseflag)
+ 		fprintf(stderr, "\n");
+ 
+-	if (!fakemnt && mount(dev_name, mountpoint, "cifs", flags, options)) {
++	if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
+ 		switch (errno) {
+ 		case ECONNREFUSED:
+ 		case EHOSTUNREACH:
+-- 
+1.6.6
+
+From bcdb9dc5d7daef6e93b742462e6dd056c0d1ed91 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:58 -0500
+Subject: [PATCH 4/5] mount.cifs: check for invalid characters in device name and mountpoint
+
+It's apparently possible to corrupt the mtab if you pass embedded
+newlines to addmntent. Apparently tabs are also a problem with certain
+earlier glibc versions. Backslashes are also a minor issue apparently,
+but we can't reasonably filter those.
+
+Make sure that neither the devname or mountpoint contain any problematic
+characters before allowing the mount to proceed.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |   34 ++++++++++++++++++++++++++++++++++
+ 1 files changed, 34 insertions(+), 0 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index 53d1dad..85be62b 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -1160,6 +1160,36 @@ static void print_cifs_mount_version(void)
+ 		MOUNT_CIFS_VENDOR_SUFFIX);
+ }
+ 
++/*
++ * This function borrowed from fuse-utils...
++ *
++ * glibc's addmntent (at least as of 2.10 or so) doesn't properly encode
++ * newlines embedded within the text fields. To make sure no one corrupts
++ * the mtab, fail the mount if there are embedded newlines.
++ */
++static int check_newline(const char *progname, const char *name)
++{
++    char *s;
++    for (s = "\n"; *s; s++) {
++        if (strchr(name, *s)) {
++            fprintf(stderr, "%s: illegal character 0x%02x in mount entry\n",
++                    progname, *s);
++            return EX_USAGE;
++        }
++    }
++    return 0;
++}
++
++static int check_mtab(const char *progname, const char *devname,
++			const char *dir)
++{
++	if (check_newline(progname, devname) == -1 ||
++	    check_newline(progname, dir) == -1)
++		return EX_USAGE;
++	return 0;
++}
++
++
+ int main(int argc, char ** argv)
+ {
+ 	int c;
+@@ -1603,6 +1633,10 @@ mount_retry:
+ 	if (verboseflag)
+ 		fprintf(stderr, "\n");
+ 
++	rc = check_mtab(thisprogram, dev_name, mountpoint);
++	if (rc)
++		goto mount_exit;
++
+ 	if (!fakemnt && mount(dev_name, ".", "cifs", flags, options)) {
+ 		switch (errno) {
+ 		case ECONNREFUSED:
+-- 
+1.6.6
+
+From ea8a30a9d217127eb2e5a0e0cd27d943cae7d13a Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@redhat.com>
+Date: Tue, 26 Jan 2010 08:45:58 -0500
+Subject: [PATCH 5/5] mount.cifs: don't allow it to be run as setuid root program
+
+mount.cifs has been the subject of several "security" fire drills due to
+distributions installing it as a setuid root program. This program has
+not been properly audited for security and the Samba team highly
+recommends that it not be installed as a setuid root program at this
+time.
+
+To make that abundantly clear, this patch forcibly disables the ability
+for mount.cifs to run as a setuid root program. People are welcome to
+trivially patch this out, but they do so at their own peril.
+
+A security audit and redesign of this program is in progress and we hope
+that we'll be able to remove this in the near future.
+
+Signed-off-by: Jeff Layton <jlayton@redhat.com>
+---
+ source3/client/mount.cifs.c |   39 ++++++++++++++++++++++++++++++++++++++-
+ 1 files changed, 38 insertions(+), 1 deletions(-)
+
+diff --git a/source3/client/mount.cifs.c b/source3/client/mount.cifs.c
+index 85be62b..f29e1e6 100644
+--- a/source3/client/mount.cifs.c
++++ b/source3/client/mount.cifs.c
+@@ -43,7 +43,7 @@
+ #include "mount.h"
+ 
+ #define MOUNT_CIFS_VERSION_MAJOR "1"
+-#define MOUNT_CIFS_VERSION_MINOR "13"
++#define MOUNT_CIFS_VERSION_MINOR "14"
+ 
+ #ifndef MOUNT_CIFS_VENDOR_SUFFIX
+  #ifdef _SAMBA_BUILD_
+@@ -89,6 +89,17 @@
+ #define MAX_ADDRESS_LEN INET6_ADDRSTRLEN
+ 
+ /*
++ * mount.cifs has been the subject of many "security" bugs that have arisen
++ * because of users and distributions installing it as a setuid root program.
++ * mount.cifs has not been audited for security. Thus, we strongly recommend
++ * that it not be installed setuid root. To make that abundantly clear,
++ * mount.cifs now check whether it's running setuid root and exit with an
++ * error if it is. If you wish to disable this check, then set the following
++ * #define to 1, but please realize that you do so at your own peril.
++ */
++#define CIFS_DISABLE_SETUID_CHECK 0
++
++/*
+  * By default, mount.cifs follows the conventions set forth by /bin/mount
+  * for user mounts. That is, it requires that the mount be listed in
+  * /etc/fstab with the "user" option when run as an unprivileged user and
+@@ -213,6 +224,29 @@ check_mountpoint(const char *progname, char *mountpoint)
+ 	return 0;
+ }
+ 
++#if CIFS_DISABLE_SETUID_CHECK
++static int
++check_setuid(void)
++{
++	return 0;
++}
++#else /* CIFS_DISABLE_SETUID_CHECK */
++static int
++check_setuid(void)
++{
++	if (getuid() && !geteuid()) {
++		printf("This mount.cifs program has been built with the "
++			"ability to run as a setuid root program disabled.\n"
++			"mount.cifs has not been well audited for security "
++			"holes. Therefore the Samba team does not recommend "
++			"installing it as a setuid root program.\n");
++		return 1;
++	}
++
++	return 0;
++}
++#endif /* CIFS_DISABLE_SETUID_CHECK */
++
+ #if CIFS_LEGACY_SETUID_CHECK
+ static int
+ check_fstab(const char *progname, char *mountpoint, char *devname,
+@@ -1222,6 +1256,9 @@ int main(int argc, char ** argv)
+ 	struct sockaddr_in6 *addr6;
+ 	FILE * pmntfile;
+ 
++	if (check_setuid())
++		return EX_USAGE;
++
+ 	/* setlocale(LC_ALL, "");
+ 	bindtextdomain(PACKAGE, LOCALEDIR);
+ 	textdomain(PACKAGE); */
+-- 
+1.6.6
+

samba.spec

@@ -1,7 +1,7 @@
-%define main_release 34
-%define samba_version 3.3.3
-%define tdb_version 1.1.2
-%define talloc_version 1.2.0
+%define main_release 50
+%define samba_version 3.4.7
+%define tdb_version 1.1.3
+%define talloc_version 1.3.0
 %define pre_release %nil
 
 %define samba_release 0%{pre_release}.%{main_release}%{?dist}
@@ -9,6 +9,7 @@
 %define enable_talloc 0
 %define enable_tdb    0
 
+%define samba_source source3
 Summary: Server and Client software to interoperate with Windows machines
 Name: samba
 Epoch: 0
@@ -46,6 +47,7 @@ Patch104: samba-3.0.0rc3-nmbd-netbiosname.patch
 # The passwd part has been applied, but not the group part
 Patch107: samba-3.2.0pre1-grouppwd.patch
 Patch200: samba-3.2.5-inotify.patch
+Patch202: samba-3.4.5-CVE-2009-3297-mount_cifs.patch
 
 Requires(pre): samba-common = %{epoch}:%{samba_version}-%{release}
 Requires: pam >= 0:0.64
@@ -55,6 +57,12 @@ Requires(post): /sbin/chkconfig, /sbin/service
 Requires(preun): /sbin/chkconfig, /sbin/service
 BuildRequires: pam-devel, readline-devel, ncurses-devel, libacl-devel, krb5-devel, openldap-devel, openssl-devel, cups-devel, ctdb-devel
 BuildRequires: autoconf, gawk, popt-devel, gtk2-devel, libcap-devel
+%if ! %enable_talloc
+BuildRequires: libtalloc-devel >= %{talloc_version}
+%endif
+%if ! %enable_tdb
+BuildRequires: libtdb-devel >= %{tdb_version}
+%endif
 
 # Working around perl dependency problem from docs
 %define __perl_requires %{SOURCE999}
@@ -250,10 +258,11 @@ cp %{SOURCE11} packaging/Fedora/
 #%patch104 -p1 -b .nmbd-netbiosname # FIXME: does not apply
 %patch107 -p1 -b .grouppwd
 %patch200 -p0 -b .inotify
+%patch202 -p1 -b .CVE-2009-3297-mount_cifs
 
-mv source/VERSION source/VERSION.orig
-sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < source/VERSION.orig > source/VERSION
-cd source
+mv %samba_source/VERSION %samba_source/VERSION.orig
+sed -e 's/SAMBA_VERSION_VENDOR_SUFFIX=$/&\"%{samba_release}\"/' < %samba_source/VERSION.orig > %samba_source/VERSION
+cd %samba_source
 script/mkversion.sh
 cd ..
 
@@ -262,7 +271,7 @@ rm -fr examples/LDAP/smbldap-tools-*/
 
 
 %build
-cd source
+cd %samba_source
 sh autogen.sh
 %ifarch i386 sparc
 RPM_OPT_FLAGS="$RPM_OPT_FLAGS -D_FILE_OFFSET_BITS=64"
@@ -301,26 +310,23 @@ CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -DLDAP_DEPRECATED" %configure \
 	--with-configdir=%{_sysconfdir}/samba \
 	--with-pammodulesdir=%{_lib}/security \
 	--with-swatdir=%{_datadir}/swat \
-	--with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash \
+	--with-shared-modules=idmap_ad,idmap_rid,idmap_adex,idmap_hash,idmap_tdb2 \
 	--with-cifsupcall \
 	--with-cluster-support
-
 #	--with-aio-support \
 
 
-make  CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -DLDAP_DEPRECATED" \
-	pch
+make  pch
 
-make  LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}/source/bin \
-	CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -DLDAP_DEPRECATED" %{?_smp_mflags} \
-	all nsswitch/libnss_wins.so modules test_pam_modules test_nss_modules test_shlibs
+make  LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}%{pre_release}/%samba_source/bin \
+	%{?_smp_mflags} \
+	all ../nsswitch/libnss_wins.so modules test_pam_modules test_nss_modules test_shlibs
 
-make  LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}/source/bin \
-	CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE -DLDAP_DEPRECATED" %{?_smp_mflags} \
+make  LD_LIBRARY_PATH=$RPM_BUILD_DIR/%{name}-%{samba_version}%{pre_release}/%samba_source/bin \
+	%{?_smp_mflags} \
 	-C lib/netapi/examples
 
-make  CFLAGS="$RPM_OPT_FLAGS -D_GNU_SOURCE" \
-	debug2html smbfilter bin/cifs.upcall
+make  debug2html smbfilter bin/cifs.upcall
 
 
 %install
@@ -342,7 +348,7 @@ mkdir -p $RPM_BUILD_ROOT/var/run/winbindd
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/samba
 mkdir -p $RPM_BUILD_ROOT/%{_libdir}/pkgconfig
 
-cd source
+cd %samba_source
 
 %makeinstall \
 	BINDIR=$RPM_BUILD_ROOT%{_bindir} \
@@ -366,7 +372,7 @@ cd ..
 
 # Install other stuff
 install -m644 packaging/Fedora/smb.conf.default $RPM_BUILD_ROOT%{_sysconfdir}/samba/smb.conf
-install -m755 source/script/mksmbpasswd.sh $RPM_BUILD_ROOT%{_bindir}
+install -m755 %samba_source/script/mksmbpasswd.sh $RPM_BUILD_ROOT%{_bindir}
 install -m644 packaging/Fedora/smbusers $RPM_BUILD_ROOT%{_sysconfdir}/samba/smbusers
 install -m755 packaging/Fedora/smbprint $RPM_BUILD_ROOT%{_bindir}
 install -m755 packaging/Fedora/smb.init $RPM_BUILD_ROOT%{_initrddir}/smb
@@ -382,39 +388,39 @@ install -m644 examples/LDAP/samba.schema $RPM_BUILD_ROOT%{_sysconfdir}/openldap/
 
 # winbind
 mkdir -p $RPM_BUILD_ROOT%{_libdir}
-install -m 755 source/nsswitch/libnss_winbind.so $RPM_BUILD_ROOT/%{_lib}/libnss_winbind.so.2
+install -m 755 nsswitch/libnss_winbind.so $RPM_BUILD_ROOT/%{_lib}/libnss_winbind.so.2
 ln -sf /%{_lib}/libnss_winbind.so.2  $RPM_BUILD_ROOT%{_libdir}/libnss_winbind.so
-install -m 755 source/nsswitch/libnss_wins.so $RPM_BUILD_ROOT/%{_lib}/libnss_wins.so.2
+install -m 755 nsswitch/libnss_wins.so $RPM_BUILD_ROOT/%{_lib}/libnss_wins.so.2
 ln -sf /%{_lib}/libnss_wins.so.2  $RPM_BUILD_ROOT%{_libdir}/libnss_wins.so
 
 # libraries {
 mkdir -p $RPM_BUILD_ROOT%{_libdir} $RPM_BUILD_ROOT%{_includedir}
+build_libdir="$RPM_BUILD_ROOT%{_libdir}"
 
 %if %enable_talloc
 # talloc
-cd source/lib/talloc
+cd lib/talloc
 # just to get the correct .pc file generated
 ./autogen.sh && ./configure --prefix=%{_prefix} --libdir=%{_libdir}
-cd ../../..
-install -m 644 source/lib/talloc/talloc.pc $build_libdir/pkgconfig/
+cd ../..
+install -m 644 lib/talloc/talloc.pc $build_libdir/pkgconfig/
 %endif
 
 %if %enable_tdb
 # tdb
-cd source/lib/tdb
+cd lib/tdb
 # just to get the correct .pc file generated
 ./autogen.sh && ./configure --prefix=%{_prefix} --libdir=%{_libdir}
-cd ../../..
-install -m 644 source/lib/tdb/tdb.pc $build_libdir/pkgconfig/
+cd ../..
+install -m 644 lib/tdb/tdb.pc $build_libdir/pkgconfig/
 %endif
 
 # make install puts libraries in the wrong place
 # (but at least gets the versioning right now)
 
 list="smbclient smbsharemodes netapi talloc tdb wbclient"
-build_libdir="$RPM_BUILD_ROOT%{_libdir}"
 for i in $list; do
-	install -m 644 source/pkgconfig/$i.pc $build_libdir/pkgconfig/ || true
+	install -m 644 %samba_source/pkgconfig/$i.pc $build_libdir/pkgconfig/ || true
 done
 
 
@@ -430,11 +436,11 @@ install -m644 %{SOURCE4} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/samba
 install -m755 $RPM_BUILD_ROOT/usr/sbin/mount.cifs $RPM_BUILD_ROOT/sbin/mount.cifs
 install -m755 $RPM_BUILD_ROOT/usr/sbin/umount.cifs $RPM_BUILD_ROOT/sbin/umount.cifs
 
-install -m 755 source/lib/netapi/examples/bin/netdomjoin-gui $RPM_BUILD_ROOT/%{_sbindir}/netdomjoin-gui
+install -m 755 %samba_source/lib/netapi/examples/bin/netdomjoin-gui $RPM_BUILD_ROOT/%{_sbindir}/netdomjoin-gui
 mkdir -p $RPM_BUILD_ROOT%{_datadir}/pixmaps/%{name}
-install -m 644 source/lib/netapi/examples/netdomjoin-gui/samba.ico $RPM_BUILD_ROOT/%{_datadir}/pixmaps/%{name}/samba.ico
-install -m 644 source/lib/netapi/examples/netdomjoin-gui/logo.png $RPM_BUILD_ROOT/%{_datadir}/pixmaps/%{name}/logo.png
-install -m 644 source/lib/netapi/examples/netdomjoin-gui/logo-small.png $RPM_BUILD_ROOT/%{_datadir}/pixmaps/%{name}/logo-small.png
+install -m 644 %samba_source/lib/netapi/examples/netdomjoin-gui/samba.ico $RPM_BUILD_ROOT/%{_datadir}/pixmaps/%{name}/samba.ico
+install -m 644 %samba_source/lib/netapi/examples/netdomjoin-gui/logo.png $RPM_BUILD_ROOT/%{_datadir}/pixmaps/%{name}/logo.png
+install -m 644 %samba_source/lib/netapi/examples/netdomjoin-gui/logo-small.png $RPM_BUILD_ROOT/%{_datadir}/pixmaps/%{name}/logo-small.png
 
 rm -f $RPM_BUILD_ROOT/%{_mandir}/man1/editreg.1*
 rm -f $RPM_BUILD_ROOT%{_mandir}/man1/log2pcap.1*
@@ -814,7 +820,7 @@ exit 0
 %{_initrddir}/winbind
 %{_mandir}/man1/ntlm_auth.1*
 %{_mandir}/man1/wbinfo.1*
-%{_mandir}/man7/pam_winbind.7*
+%{_mandir}/man8/pam_winbind.8*
 %{_mandir}/man7/winbind_krb5_locator.7*
 %{_mandir}/man8/winbindd.8*
 %{_mandir}/man8/idmap_*.8*
@@ -879,6 +885,63 @@ exit 0
 %{_datadir}/pixmaps/samba/logo-small.png
 
 %changelog
+* Mon Mar 08 2010 Simo Sorce <ssorce@redhat.com> - 3.4.7-50
+- Security update to 3.4.7
+- Fixes CVE-2010-0728
+
+* Wed Feb 24 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.6-0.49
+- Update to 3.4.6
+
+* Wed Feb 17 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-0.48
+- Fix crash in cifs.upcall
+- resolves: #565446
+- Fix crash in pdbedit
+- resolves: #541267
+
+* Wed Jan 26 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-0.47
+- Security Release, fixes CVE-2009-3297
+- resolves: #532940
+
+* Tue Jan 19 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.5-0.46
+- Update to 3.4.5
+
+* Thu Jan 07 2010 Guenther Deschner <gdeschner@redhat.com> - 3.4.4-0.45
+- Update to 3.4.4
+
+* Thu Oct 29 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.3-0.44
+- Update to 3.4.3
+
+* Wed Oct 07 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.2-0.43
+- Fix required talloc version
+- resolves: #527806
+
+* Thu Oct 01 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.2-0.42
+- Update to 3.4.2
+- Security Release, fixes CVE-2009-2813, CVE-2009-2948 and CVE-2009-2906
+
+* Wed Sep 09 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.1.0-41
+- Update to 3.4.1
+
+* Fri Jul 17 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0-0.40
+- Fix Bug #6551 (vuid and tid not set in sessionsetupX and tconX)
+- Specify required talloc and tdb version for BuildRequires
+
+* Wed Jul 15 2009 Guenther Deschner <gdeschner@redhat.com> - 3.4.0-0.39
+- Update to 3.4.0
+- resolves: #510558
+
+* Fri Jun 19 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.5-0.38
+- Fix password expiry calculation in pam_winbind
+
+* Tue Jun 16 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.5-0.37
+- Update to 3.3.5
+
+* Wed Apr 29 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.4-0.36
+- Update to 3.3.4
+
+* Mon Apr 20 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.3-0.35
+- Enable build of idmap_tdb2 for clustered setups
+
 * Wed Apr  1 2009 Guenther Deschner <gdeschner@redhat.com> - 3.3.3-0.34
 - Update to 3.3.3
 

sources

@@ -1 +1 @@
-4d5835817416d1ffa30783af45c5a9ed  samba-3.3.3.tar.gz
+f5e11690d54466c143f4598bcce2a8bb  samba-3.4.7.tar.gz