NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1ac4178f2f
kumquat-buildroot/package/samba4/samba4.mk
Peter Korsgaard 0839e4a85e samba4: security bump to version 4.9.3 
Fixes the following security vulnerabilities:

 - CVE-2018-14629:
   All versions of Samba from 4.0.0 onwards are vulnerable to infinite
   query recursion caused by CNAME loops. Any dns record can be added via
   ldap by an unprivileged user using the ldbadd tool, so this is a
   security issue.

 - CVE-2018-16841:
   When configured to accept smart-card authentication, Samba's KDC will call
   talloc_free() twice on the same memory if the principal in a validly signed
   certificate does not match the principal in the AS-REQ.

   This is only possible after authentication with a trusted certificate.

   talloc is robust against further corruption from a double-free with
   talloc_free() and directly calls abort(), terminating the KDC process.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

 - CVE-2018-16851:
   During the processing of an LDAP search before Samba's AD DC returns
   the LDAP entries to the client, the entries are cached in a single
   memory object with a maximum size of 256MB.  When this size is
   reached, the Samba process providing the LDAP service will follow the
   NULL pointer, terminating the process.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

 - CVE-2018-16852:
   During the processing of an DNS zone in the DNS management DCE/RPC server,
   the internal DNS server or the Samba DLZ plugin for BIND9, if the
   DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
   property is set, the server will follow a NULL pointer and terminate.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

 - CVE-2018-16853:
   A user in a Samba AD domain can crash the KDC when Samba is built in the
   non-default MIT Kerberos configuration.

   With this advisory we clarify that the MIT Kerberos build of the Samba
   AD DC is considered experimental.  Therefore the Samba Team will not
   issue security patches for this configuration.

 - CVE-2018-16857:
   AD DC Configurations watching for bad passwords (to restrict brute forcing
   of passwords) in a window of more than 3 minutes may not watch for bad
   passwords at all.

For more details, see the release notes:

https://www.samba.org/samba/history/samba-4.9.3.html

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2018-11-29 15:48:30 +01:00

183 lines
5.1 KiB
Makefile
Raw Blame History

################################################################################
#
# samba4
#
################################################################################
SAMBA4_VERSION = 4.9.3
SAMBA4_SITE = https://download.samba.org/pub/samba/stable
SAMBA4_SOURCE = samba-$(SAMBA4_VERSION).tar.gz
SAMBA4_INSTALL_STAGING = YES
SAMBA4_LICENSE = GPL-3.0+
SAMBA4_LICENSE_FILES = COPYING
SAMBA4_DEPENDENCIES = \
host-e2fsprogs host-heimdal host-python host-nfs-utils \
e2fsprogs popt python zlib \
$(if $(BR2_PACKAGE_LIBAIO),libaio) \
$(if $(BR2_PACKAGE_LIBCAP),libcap) \
$(if $(BR2_PACKAGE_READLINE),readline) \
$(TARGET_NLS_DEPENDENCIES)
SAMBA4_CFLAGS = $(TARGET_CFLAGS)
SAMBA4_LDFLAGS = $(TARGET_LDFLAGS)
SAMBA4_CONF_ENV = \
CFLAGS="$(SAMBA4_CFLAGS)" \
LDFLAGS="$(SAMBA4_LDFLAGS)"
ifeq ($(BR2_PACKAGE_LIBTIRPC),y)
SAMBA4_CFLAGS += `$(PKG_CONFIG_HOST_BINARY) --cflags libtirpc`
SAMBA4_LDFLAGS += `$(PKG_CONFIG_HOST_BINARY) --libs libtirpc`
SAMBA4_DEPENDENCIES += libtirpc host-pkgconf
endif
ifeq ($(BR2_PACKAGE_ACL),y)
SAMBA4_CONF_OPTS += --with-acl-support
SAMBA4_DEPENDENCIES += acl
else
SAMBA4_CONF_OPTS += --without-acl-support
endif
ifeq ($(BR2_PACKAGE_CUPS),y)
SAMBA4_CONF_ENV += CUPS_CONFIG="$(STAGING_DIR)/usr/bin/cups-config"
SAMBA4_CONF_OPTS += --enable-cups
SAMBA4_DEPENDENCIES += cups
else
SAMBA4_CONF_OPTS += --disable-cups
endif
ifeq ($(BR2_PACKAGE_DBUS),y)
SAMBA4_DEPENDENCIES += dbus
endif
ifeq ($(BR2_PACKAGE_DBUS)$(BR2_PACKAGE_AVAHI_DAEMON),yy)
SAMBA4_CONF_OPTS += --enable-avahi
SAMBA4_DEPENDENCIES += avahi
else
SAMBA4_CONF_OPTS += --disable-avahi
endif
ifeq ($(BR2_PACKAGE_GAMIN),y)
SAMBA4_CONF_OPTS += --with-fam
SAMBA4_DEPENDENCIES += gamin
else
SAMBA4_CONF_OPTS += --without-fam
endif
ifeq ($(BR2_PACKAGE_GNUTLS),y)
SAMBA4_CONF_OPTS += --enable-gnutls
SAMBA4_DEPENDENCIES += gnutls
else
SAMBA4_CONF_OPTS += --disable-gnutls
endif
ifeq ($(BR2_PACKAGE_LIBARCHIVE),y)
SAMBA4_CONF_OPTS += --with-libarchive
SAMBA4_DEPENDENCIES += libarchive
else
SAMBA4_CONF_OPTS += --without-libarchive
endif
ifeq ($(BR2_PACKAGE_NCURSES),y)
SAMBA4_CONF_ENV += NCURSES_CONFIG="$(STAGING_DIR)/usr/bin/$(NCURSES_CONFIG_SCRIPTS)"
SAMBA4_DEPENDENCIES += ncurses
else
SAMBA4_CONF_OPTS += --without-regedit
endif
# The ctdb tests (cluster) need bash and take up some space
# They're normally intended for debugging so remove them
define SAMBA4_REMOVE_CTDB_TESTS
rm -rf $(TARGET_DIR)/usr/lib/ctdb-tests
rm -rf $(TARGET_DIR)/usr/share/ctdb-tests
rm -f $(TARGET_DIR)/usr/bin/ctdb_run_*tests
endef
SAMBA4_POST_INSTALL_TARGET_HOOKS += SAMBA4_REMOVE_CTDB_TESTS
define SAMBA4_CONFIGURE_CMDS
$(INSTALL) -m 0644 package/samba4/samba4-cache.txt $(@D)/cache.txt;
echo 'Checking uname machine type: $(BR2_ARCH)' >>$(@D)/cache.txt;
(cd $(@D); \
PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/python-config" \
python_LDFLAGS="" \
python_LIBDIR="" \
$(TARGET_CONFIGURE_OPTS) \
$(SAMBA4_CONF_ENV) \
./buildtools/bin/waf configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--with-libiconv=$(STAGING_DIR)/usr \
--enable-fhs \
--cross-compile \
--cross-answers=$(@D)/cache.txt \
--hostcc=gcc \
--disable-rpath \
--disable-rpath-install \
--disable-iprint \
--without-pam \
--without-dmapi \
--without-gpgme \
--without-ldb-lmdb \
--disable-glusterfs \
--with-cluster-support \
--bundled-libraries='!asn1_compile,!compile_et' \
$(SAMBA4_CONF_OPTS) \
)
endef
define SAMBA4_BUILD_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D)
endef
define SAMBA4_INSTALL_STAGING_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(STAGING_DIR) install
endef
define SAMBA4_INSTALL_TARGET_CMDS
$(TARGET_MAKE_ENV) $(MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
endef
ifeq ($(BR2_PACKAGE_SAMBA4_AD_DC),y)
SAMBA4_DEPENDENCIES += jansson
else
SAMBA4_CONF_OPTS += --without-ad-dc --without-json-audit
endif
ifeq ($(BR2_PACKAGE_SAMBA4_ADS),y)
SAMBA4_CONF_OPTS += --with-ads --with-ldap --with-shared-modules=idmap_ad
SAMBA4_DEPENDENCIES += openldap
else
SAMBA4_CONF_OPTS += --without-ads --without-ldap
endif
ifeq ($(BR2_PACKAGE_SAMBA4_SMBTORTURE),)
define SAMBA4_REMOVE_SMBTORTURE
rm -f $(TARGET_DIR)/usr/bin/smbtorture
endef
SAMBA4_POST_INSTALL_TARGET_HOOKS += SAMBA4_REMOVE_SMBTORTURE
endif
define SAMBA4_INSTALL_INIT_SYSV
$(INSTALL) -m 0755 -D package/samba4/S91smb \
$(TARGET_DIR)/etc/init.d/S91smb
endef
ifeq ($(BR2_INIT_SYSTEMD),y)
SAMBA4_CONF_OPTS += --systemd-install-services
SAMBA4_DEPENDENCIES += systemd
endif
define SAMBA4_INSTALL_INIT_SYSTEMD
mkdir -p $(TARGET_DIR)/etc/systemd/system/multi-user.target.wants
ln -sf ../../../../usr/lib/systemd/system/nmb.service \
$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/nmb.service
ln -sf ../../../../usr/lib/systemd/system/smb.service \
$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/smb.service
ln -sf ../../../../usr/lib/systemd/system/winbind.service \
$(TARGET_DIR)/etc/systemd/system/multi-user.target.wants/winbind.service
$(INSTALL) -D -m 644 $(@D)/packaging/systemd/samba.conf.tmp \
$(TARGET_DIR)/usr/lib/tmpfiles.d/samba.conf
printf "d /var/log/samba 755 root root\n" >>$(TARGET_DIR)/usr/lib/tmpfiles.d/samba.conf
endef
$(eval $(generic-package))
Reference in New Issue View Git Blame Copy Permalink