[Pkg-samba-maint] Debian experimental package for samba4 4.0.3 and required ldb, tdb, talloc. Fixes CVE-2013-0172

Andrew Bartlett abartlet at samba.org
Fri Feb 15 01:22:49 UTC 2013


On Wed, 2013-02-13 at 16:49 +1100, Andrew Bartlett wrote:
> On Wed, 2013-02-13 at 15:10 +1100, Andrew Bartlett wrote:
> > On Tue, 2013-02-12 at 13:39 +1100, Andrew Bartlett wrote:
> > > I was a little shocked to realise that the package in Wheezy hasn't had
> > > the CVE-2013-0172 fix applied.
> > > 
> > > What I've done is test in a git tree with a backported set of patches,
> > > using the test we designed to check this issue.  I've then bundled these
> > > patches into a debian package, and built it. 
> > > 
> > > The source and binary packages are at:
> > > 
> > > http://abartlet.net/samba4-debian/
> > > 
> > > I've also installed them and watched the (very nice, thank you)
> > > auto-configuration just work.
> > > 
> > > I've then run the same test to prove the security issue is fixed, so
> > > what I'm looking for from here is some help getting this into Debian. 
> > > 
> > > If I've done this all correctly, then I'll rev the experimental package
> > > from 4.0.0 to 4.0.3, catching both the security fix and our first
> > > maintenance release.  
> > > 
> > > Finally, someone will need to port these across to Ubuntu, so I've CC'ed
> > > the ubuntu-motu list in the hope that someone can pick this up, or at
> > > least be aware of the issue. 
> > 
> > I've updated this URL with packages for current ldb, tdb, talloc and
> > samba4.  I've fixed samba4 so that it actually starts in 'ntvfs' mode
> > (required for the current cut-down package). 
> > 
> > The only issue I've found is that on upgrade, the 'samba-tool dbcheck'
> > will fail.  This is actually the right thing - the admin needs to
> > manually ack the changes during a re-run with --fix or --fix --yes (if
> > they are brave).  Of course this can be improved in a number of ways,
> > but I would like someone with more confidence in debconf to help me with
> > that. 
> > 
> > We (upstream) are also still working out the ideal upgrade steps (as
> > user testing contraindicated our initial plan), and I don't want to put
> > anything in the package until we have that concrete. 
> > 
> > In the meantime, I think this is a massive improvement over what we
> > currently have, both by having the security fix, as well as all the
> > other fixes we have made. 
> 
> As the samba4 package uses GIT, I've reflected my changes back into the
> git checkout and this is the patch.  If my package is accepted (or if it
> isn't but someone wants to fix it to be acceptable) this diff should
> help. 
> 
> To give some safe tracking to the files, I've signed the samba4 package
> and uploaded a sha256 checksum list and signature.
> 
> Andrew Bartlett

Jelmer,

I've uploaded new packages based on the git trees you pointed me at, for
samba4, ldb and tdb.  http://abartlet.net/samba4-debian/

I've also prepared debdiff files, they are at the above URL because they
seem pretty large for sending by e-mail (but I can if that's better). 

git://git.debian.org/pkg-samba/samba4
git://git.debian.org/pkg-samba/ldb
git://git.debian.org/pkg-samba/tdb

The talloc git tree seems to be empty at 
git://git.debian.org/pkg-samba/talloc

I've attached the patches for both here.

I hope this means you or Brian can help me get these packages uploaded.
Even just getting the ldb/talloc/tdb changes in would be most helpful.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
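The message above says the samba4 package was signed and a sha256 checksum list and signature were uploaded alongside it. The script below is an added example of what the consumer side of that looks like; it is not part of the message or of the Debian packaging. The package file names and the SHA256SUMS / SHA256SUMS.asc names are assumptions, and the "packages" it checks are constructed fixture files so it runs offline. It checks the list with `sha256sum -c --strict`, so a truncated or malformed list fails rather than silently passing, and it shows that a file modified after the list was generated is detected. The detached-signature step uses plain `gpg --verify` and is skipped when gpg is not installed, since the fixture has no real signature.

```shell
#!/bin/sh
# Added example (not from the message or the Debian packaging): verify a
# downloaded package set against a signed SHA256 checksum list before
# installing it.  File names below are hypothetical.

# make_fixture DIR: constructed sample "packages" plus a checksum list,
# standing in for a directory downloaded from the URL in the message.
make_fixture() {
    dir="$1"
    mkdir -p "$dir"
    printf 'constructed package contents A\n' > "$dir/samba4_4.0.3-1_amd64.deb"
    printf 'constructed package contents B\n' > "$dir/ldb_1.1.15-1_amd64.deb"
    (cd "$dir" && sha256sum samba4_4.0.3-1_amd64.deb ldb_1.1.15-1_amd64.deb > SHA256SUMS)
}

# verify_signed_list DIR: check the detached signature over the list before
# trusting its contents.  Returns 0 on a good signature, 1 on a bad or
# missing one, 2 if gpg is not available (the caller decides how to treat
# that; for a real install it should be a hard failure).
verify_signed_list() {
    command -v gpg >/dev/null 2>&1 || return 2
    (cd "$1" && gpg --verify SHA256SUMS.asc SHA256SUMS >/dev/null 2>&1)
}

# verify_checksums DIR: returns 0 only if every file named in SHA256SUMS
# matches.  --strict makes malformed lines a failure too, so a cut-off or
# hand-edited list cannot pass by having no checkable entries.
verify_checksums() {
    (cd "$1" && sha256sum -c --strict --quiet SHA256SUMS >/dev/null 2>&1)
}

# tamper DIR: modify one package after the list was generated, as a
# substituted or corrupted download would look.
tamper() {
    printf 'extra bytes\n' >> "$1/ldb_1.1.15-1_amd64.deb"
}

# Stand-alone run: build the fixture, verify, tamper, verify again.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_fixture "$d"
    verify_checksums "$d" && echo "clean download: checksums match"
    tamper "$d"
    verify_checksums "$d" || echo "tampered download: checksum mismatch detected"
    rm -rf "$d"
fi
```

Run it with `sh verify.sh --demo`. The order matters: the signature over SHA256SUMS is what ties the list to the packager's key, so it is checked first; only then does the checksum list say anything about the .deb files themselves.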

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-New-upstream-release.patch
Type: text/x-patch
Size: 3150 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130215/8ec3c5c0/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Release-1.1.15-as-a-NMU.patch
Type: text/x-patch
Size: 4627 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130215/8ec3c5c0/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-releasing-version-4.0.3-dfsg1-1.1.patch
Type: text/x-patch
Size: 7209 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-samba-maint/attachments/20130215/8ec3c5c0/attachment-0002.bin>
