e56f54220e
Version 4.11.11 fixed
o CVE-2020-10730: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results.
o CVE-2020-10745: Parsing and packing of NBT and DNS packets can consume excessive CPU
o CVE-2020-10760: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV.
o CVE-2020-14303: Empty UDP packet DoS in Samba AD DC nbtd.

Version 4.11.12 was a bugfix-only release.

Version 4.11.13 fixes CVE-2020-1472.

Release notes:
https://www.samba.org/samba/history/samba-4.11.11.html
https://www.samba.org/samba/history/samba-4.11.12.html
https://www.samba.org/samba/security/CVE-2020-1472.html

Rebased patches 0001 & 0002.

Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
88 lines
3.5 KiB
Diff
From e002d2ef2688d5433d2bd03aa4d77a0ec5ac4e63 Mon Sep 17 00:00:00 2001
From: Uri Simchoni <uri@samba.org>
Date: Sun, 20 Oct 2019 00:03:14 +0300
Subject: [PATCH] build: find pre-built heimdal build tools in case of embedded
 heimdal

This patch fixes the case of finding asn1_compile and compile_et for
building embedded heimdal, by setting
--bundled-libraries='!asn1_compile,!compile_et' as configure flags.

The Heimdal build tools compile_et and asn1_compile are needed *only*
if we use the embedded heimdal (otherwise we don't build heimdal and
use headers that have been generated by those tools elsewhere).

For cross-compilation with embedded heimdal, it is vital to use host build
tools, and so asn1_compile and compile_et must be supplied and not
built. One way of doing this would be to set the COMPILE_ET and
ASN1_COMPILE env vars to the location of supplied binaries. Another way,
which is more commonly used, is to exclude asn1_compile and compile_et
from bundled packages via the switch
-bundled-libraries='!asn1_compile,!compile_et'. When this is done,
the build script searches the path for those tools and sets the
ASN1_COMPILE and COMPILE_ET vars accordingly. (this is admittedly
kind of a round-about way of doing things but this has become the
de-facto standard amongst embedded distro builders).

In commit 8061983d4882f3ba3f12da71443b035d7b672eec, this process of
finding the binaries has been moved to be carried out only in the
system heimdal case. As explained above, we only need these tools,
and hence the check, in bundled mode.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14164

Signed-off-by: Uri Simchoni <uri@samba.org>
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
[Bernd: rebased for version 4.11.13]
---
 wscript_configure_embedded_heimdal | 11 +++++++++++
 wscript_configure_system_heimdal | 11 -----------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/wscript_configure_embedded_heimdal b/wscript_configure_embedded_heimdal
index 8c55ae2a938..4fdae8062c5 100644
--- a/wscript_configure_embedded_heimdal
+++ b/wscript_configure_embedded_heimdal
@@ -1 +1,12 @@
conf.RECURSE('source4/heimdal_build')
+
+def check_system_heimdal_binary(name):
+ if conf.LIB_MAY_BE_BUNDLED(name):
+ return False
+ if not conf.find_program(name, var=name.upper()):
+ return False
+ conf.define('USING_SYSTEM_%s' % name.upper(), 1)
+ return True
+
+check_system_heimdal_binary("compile_et")
+check_system_heimdal_binary("asn1_compile")
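Review bot: the return value of check_system_heimdal_binary is discarded at both call sites (the two added calls for "compile_et" and "asn1_compile"), so nothing in this hunk reports the case where a tool was excluded from bundling and the helper still returned False. For the cross-compilation case the commit message describes, consider checking the result and stopping configure with a clear message when a tool has been excluded via --bundled-libraries but was not located, rather than leaving the failure to surface later in the build. The helper also keeps the name check_system_heimdal_binary and defines USING_SYSTEM_<NAME> while now living in wscript_configure_embedded_heimdal; a short comment above the def saying that it locates host build tools for the embedded build would keep the next reader from assuming it landed in the wrong file.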
diff --git a/wscript_configure_system_heimdal b/wscript_configure_system_heimdal
index 0ff6dad2f55..f77c177442f 100644
--- a/wscript_configure_system_heimdal
+++ b/wscript_configure_system_heimdal
@@ -37,14 +37,6 @@ def check_system_heimdal_lib(name, functions='', headers='', onlyif=None):
conf.define('USING_SYSTEM_%s' % name.upper(), 1)
return True
-def check_system_heimdal_binary(name):
- if conf.LIB_MAY_BE_BUNDLED(name):
- return False
- if not conf.find_program(name, var=name.upper()):
- return False
- conf.define('USING_SYSTEM_%s' % name.upper(), 1)
- return True
-
check_system_heimdal_lib("com_err", "com_right_r com_err", "com_err.h")
if check_system_heimdal_lib("roken", "rk_socket_set_reuseaddr", "roken.h"):
@@ -96,7 +96,4 @@
#if conf.CHECK_BUNDLED_SYSTEM('tommath', checkfunctions='mp_init', headers='tommath.h'):
# conf.define('USING_SYSTEM_TOMMATH', 1)
-check_system_heimdal_binary("compile_et")
-check_system_heimdal_binary("asn1_compile")
-
conf.define('USING_SYSTEM_KRB5', 1)
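Review bot: the header "@@ -96,7 +96,4 @@" gives the same start line for the old and new file even though the previous hunk in this file ("@@ -37,14 +37,6 @@") removes 8 lines, so the new-file start here would be expected at 88, not 96. The mismatch suggests the header was adjusted by hand during the rebase noted in "[Bernd: rebased for version 4.11.13]". Regenerating the patch with git format-patch against the 4.11.13 tree would produce consistent headers and avoid depending on the patch tool's tolerance for offsets.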
--
2.20.1