[Pkg-samba-maint] Debian experimental package for samba4 4.0.3 and required ldb, tdb, talloc. Fixes CVE-2013-0172

Andrew Bartlett abartlet at samba.org
Wed Feb 13 05:49:16 UTC 2013


On Wed, 2013-02-13 at 15:10 +1100, Andrew Bartlett wrote:
> On Tue, 2013-02-12 at 13:39 +1100, Andrew Bartlett wrote:
> > I was a little shocked to realise that the package in Wheezy hasn't had
> > the CVE-2013-0172 fix applied.
> > 
> > What I've done is test in a git tree with a backported set of patches,
> > using the test we designed to check this issue.  I've then bundled these
> > patches into a debian package, and built it. 
> > 
> > The source and binary packages are at:
> > 
> > http://abartlet.net/samba4-debian/
> > 
> > I've also installed them and watched the (very nice, thank you)
> > auto-configuration just work.
> > 
> > I've then run the same test to prove the security issue is fixed, so
> > what I'm looking for from here is some help getting this into Debian.
> > 
> > If I've done this all correctly, then I'll rev the experimental package
> > from 4.0.0 to 4.0.3, catching both the security fix and our first
> > maintenance release.  
> > 
> > Finally, someone will need to port these across to Ubuntu, so I've CC'ed
> > the ubuntu-motu list in the hope that someone can pick this up, or at
> > least be aware of the issue. 
> 
> I've updated this URL with packages for current ldb, tdb, talloc and
> samba4.  I've fixed samba4 so that it actually starts in 'ntvfs' mode
> (required for the current cut-down package). 
> 
> The only issue I've found is that on upgrade, the 'samba-tool dbcheck'
> will fail.  This is actually the right thing - the admin needs to
> manually ack the changes during a re-run with --fix or --fix --yes (if
> they are brave).  Of course this can be improved in a number of ways,
> but I would like someone with more confidence in debconf to help me with
> that. 
> 
> We (upstream) are also still working out the ideal upgrade steps (as
> user testing contraindicated our initial plan), and I don't want to put
> anything in the package until we have that concrete. 
> 
> In the meantime, I think this is a massive improvement over what we
> currently have, both by having the security fix, as well as all the
> other fixes we have made. 

As the samba4 package uses GIT, I've reflected my changes back into the
git checkout and this is the patch.  If my package is accepted (or if it
isn't but someone wants to fix it to be acceptable) this diff should
help.

To give some safe tracking to the files, I've signed the samba4 package
and uploaded a sha256 checksum list and signature.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-releasing-version-4.0.3-dfsg1-1.1.patch
Type: text/x-patch
Size: 7396 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130213/700e1013/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130213/700e1013/attachment.pgp>