Update samba to 4.6.8 to address 3 CVEs
ClosedPublic

Authored by kyrios123 on Sep 20 2017, 1:54 PM.

Details

Summary

This is a security release in order to address the following defects:

  • CVE-2017-12150 (SMB1/2/3 connections may not require signing where they should)
  • CVE-2017-12151 (SMB3 connections don't keep encryption across DFS redirects)
  • CVE-2017-12163 (Server memory information leak over SMB1)

Signed-off-by: Pierre-Yves <pyu@riseup.net>

Test Plan

Could connect to my NAS.

Diff Detail

Repository
R2842 samba
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.
kyrios123 created this revision.Sep 20 2017, 1:54 PM

Although there is a symbolic link, I changed the cups path to set the same as the ones created by the cups package.

ikey added a subscriber: ikey.Sep 20 2017, 4:47 PM

Although there is a symbolic link, I changed the cups path to set the same as the ones created by the cups package.

Created where/how? And you've not explained why this is necessary. Truthfully it looks janky to me and I don't want to land without knowing why.

In D1045#16164, @ikey wrote:

Although there is a symbolic link, I changed the cups path to set the same as the ones created by the cups package.

Created where/how? And you've not explained why this is necessary. Truthfully it looks janky to me and I don't want to land without knowing why.

Well created by you /usr/lib -> /usr/lib64:

lrwxrwxrwx   1 root root     5 15 aoû 10:44 lib -> lib64

If you look at the cups package, you'll see that the backends are under /usr/lib and not in /usr/lib64 :

$ eopkg info -F cups | grep backend
/usr/lib/cups/backend/dnssd
/usr/lib/cups/backend/http
/usr/lib/cups/backend/ipp
/usr/lib/cups/backend/lpd
/usr/lib/cups/backend/snmp
/usr/lib/cups/backend/socket
/usr/lib/cups/backend/usb

Since cups is the "master package" and it uses /usr/lib for the cups backends, personally I find it cleaner to use the same for additional cups backends although it doesn't make any difference because of the symbolic link.

# cups
install -D -d -m 00755 $installdir/usr/lib/cups/backend
ln -sv /usr/bin/smbspool $installdir/usr/lib/cups/backend/smb

although it doesn't make any difference because of the symbolic link.

Then why change it? It will just have to be undone in future (therefore creating future work) and it fixes nothing...

kyrios123 added a comment.EditedSep 21 2017, 12:25 AM

although it doesn't make any difference because of the symbolic link.

Then why change it? It will just have to be undone in future (therefore creating future work) and it fixes nothing...

The tmpfiles.d just above or the systemd just below will have to be changed too... find & replace does the same magic with 2,3,4 or 5,... matching patterns, doesn't it? And as from the moment there is just a single path that is changed, the package has to be rebuild anyway so it doesn't create any extra future work. By the way why is this cups path an issue for you guys and not the tmpfiles.d or the systemd ones ???

My logic is very simple: the "cups backend path" is "owned" by the cups package which uses lib and not lib64.

And my update fixed the double / issue caused by $installdir/%libdir% (instead of $installdir%libdir%) :P

kyrios123 updated this revision to Diff 2618.Sep 25 2017, 4:58 PM

use %libdir% for cups and tmpfiles.d paths

This revision was automatically updated to reflect the committed changes.