Bug 217993

Summary: net/samba44: Fails to build with new Uses/samba.mk. Update fixes CVE-2017-2619
Product: Ports & Packages
Reporter: dewayne
Component: Individual Port(s)
Assignee: Timur I. Bakeyev <timur>
Status: Closed FIXED
Severity: Affects Many People
CC: me, portmgr, ports-bugs, ports-secteam
Priority: Normal
Keywords: security
Version: Latest
Hardware: Any
OS: Any
Attachments:
Description Flags
samba 4.4.11 upgrade none

Description dewayne 2017-03-22 04:31:11 UTC
Yesterday I modified my samba44/Makefile to build samba 4.4.11.  This was built, tested and put into production on two servers.  
Today I updated via svnlite /usr/ports.  Made ONE modification to /etc/make.conf, added samba=4.4 to the list of DEFAULT_VERSIONS.  Rebuilt samba4.4 as a precursor to the real item of interest, squid authentication.

Unfortunately net/samba44 returned with:

default/examples/libsmbclient/testnotify_13.o: In function `main':
testnotify.c:(.text.startup+0xf5): undefined reference to `smbc_notify'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/var/ports/usr/ports/net/samba44-fileshare/work/samba-4.4.11/bin'
Build failed:  -> task failed (err #1):
        {task: cc_link testnotify_13.o -> testnotify}
*** Error code 1

I dropped 
CONFIGURE_ARGS+= --builtin-libraries=smbclient
into Uses/samba.mk but that didn't help.

Also samba44 is in maintenance mode (as samba4.5 and 4.6 are released), I doubt if the SAMBA_DEFAULT of samba43 is supported upstream?

Detail
------
[3514/3747] Linking default/examples/libsmbclient/testnotify
runner gcc5 default/examples/libsmbclient/testnotify_13.o -o /var/ports/usr/ports/net/samba44/work/samba-4.4.11/bin/default/examples/libsmbclient/testnotify -fstack-protector-strong -fstack-protector-strong -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -L/usr/local/lib -Wl,-rpath=/usr/local/lib/gcc5 -L/usr/local/lib/gcc5 -pie -Wl,-z,relro,-z,now -lpthread -Wl,-no-undefined -Wl,--export-dynamic -Wl,--as-needed -fstack-protector -Ldefault/libds/common -Ldefault/auth -Ldefault/source4/lib/socket -Ldefault/libcli/nbt -Ldefault/lib/ldb-samba -Ldefault/nsswitch -Ldefault/source4/dsdb -Ldefault/source4/auth/kerberos -Ldefault/source4/lib/events -Ldefault/libcli/registry -Ldefault/source4/libcli/ldap -Ldefault/lib/tdb_wrap -Ldefault/source4/librpc -Ldefault/lib/param -Ldefault/auth/credentials -Ldefault/nsswitch/libwbclient -Ldefault/auth/gensec -Ldefault/libcli/smb -Ldefault/libcli/auth -Ldefault/librpc -Ldefault/lib -Ldefault/lib/krb5_wrap -Ldefault/libcli/ldap -Ldefault/libcli/cldap -Ldefault/lib/dbwrap -Ldefault/lib/socket -Ldefault/libcli/security -Ldefault/libcli/util -Ldefault/source3 -Ldefault/lib/replace -Ldefault/lib/util -Ldefault/lib/addns -Ldefault/source4/heimdal_build -Ldefault/source3/libsmb -Wl,-Bdynamic -lsmbclient -lkrb5-samba4 -laddns-samba4 -lgssapi-samba4 -ltalloc-report-samba4 -ltevent-util -lreplace-samba4 -lmessages-dgm-samba4 -lsamba-errors -llibcli-lsa3-samba4 -lsamba-security-samba4 -lsamba3-util-samba4 -lsys-rw-samba4 -lutil-tdb-samba4 -linterfaces-samba4 -lsamba-util -lmessages-util-samba4 -llibsmb-samba4 -lmsrpc3-samba4 -lserver-id-db-samba4 -ldbwrap-samba4 -lcli-cldap-samba4 -liov-buf-samba4 -lcli-ldap-common-samba4 -lsmbconf -lsamba-cluster-support-samba4 -lkrb5samba-samba4 -lsocket-blocking-samba4 -lmsghdr-samba4 -lsamba-sockets-samba4 -lndr -lheimbase-samba4 -lcom_err-samba4 -lasn1-samba4 -lhx509-samba4 -lhcrypto-samba4 -lroken-samba4 -lwind-samba4 -lsamba-debug-samba4 -lgenrand-samba4 -ldcerpc-samba-samba4 -ltime-basic-samba4 
-lutil-setid-samba4 -lcliauth-samba4 -lcli-smb-common-samba4 -lgse-samba4 -lutil-cmdline-samba4 -lgensec-samba4 -lwbclient -lsamba-credentials -lndr-samba-samba4 -lsamba-hostconfig -lndr-nbt -ldcerpc-binding -lndr-samba4 -lndr-standard -ltdb-wrap-samba4 -lcli-ldap-samba4 -lasn1util-samba4 -lsmbregistry-samba4 -lCHARSET3-samba4 -lutil-reg-samba4 -levents-samba4 -lsmb-transport-samba4 -lsecrets3-samba4 -lsamba-modules-samba4 -lauthkrb5-samba4 -lsamdb -lwinbind-client-samba4 -lsamdb-common-samba4 -lldbsamba-samba4 -lndr-krb5pac -lserver-role-samba4 -lcli-nbt-samba4 -lnetif-samba4 -lsmbd-shim-samba4 -lauth-sam-reply-samba4 -lflag-mapping-samba4 -ltevent -ltalloc -lcrypt -ltdb -lexecinfo -lldb -lrt -lutil -liconv -lmd -lz -llber -lldap -lgnutls -lpopt
default/examples/libsmbclient/testnotify_13.o: In function `main':
testnotify.c:(.text.startup+0xf5): undefined reference to `smbc_notify'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/var/ports/usr/ports/net/samba44/work/samba-4.4.11/bin'
Build failed:  -> task failed (err #1):
        {task: cc_link testnotify_13.o -> testnotify}
*** Error code 1
Comment 1 Antoine Brodin freebsd_committer freebsd_triage 2017-03-22 06:35:54 UTC
Created attachment 181045
samba 4.4.11 upgrade

With the attached patch samba44 builds just fine with version 4.4.11
Comment 2 Mathieu Arnold freebsd_committer freebsd_triage 2017-03-22 08:12:31 UTC
Also, if the net/samba* ports are lagging behind, feel free to contact their maintainer, and if there are newer minor versions, 4.5 and 4.6, feel free to submit patches to add them :-)
Comment 3 dewayne 2017-03-22 22:35:13 UTC
(In reply to Antoine Brodin from comment #1)
Thank you for looking into this. With the exception of the bind9_11 line in pkg-plist, we're very similar. Perhaps as an aid, I've highlighted (with an asterisk) the differences between a virgin build, where __MAKE_CONF=/dev/null removes the influence of /etc/make.conf and my custom build. There are NO options files, as these are entirely controlled via etc/make.conf

# make __MAKE_CONF=/dev/null -C /usr/ports/net/samba44 showconfig | grep =on
     ACL_SUPPORT=on: File system ACL support
     ADS=on: Active Directory client support
     AD_DC=on: Active Directory Domain Controller support
  *  DEBUG=on: Build with debugging support
  *  DNSUPDATE=on: Dynamic DNS update (require ADS)
     DOCS=on: Build and/or install documentation
     FAM=on: File Alteration Monitor support
     LDAP=on: LDAP client support
     PTHREADPOOL=on: Pthread pool
  *  QUOTAS=on: Disk quota support
     SYSLOG=on: Syslog logging support
     UTMP=on: UTMP accounting support

What we are using:
# make -C /usr/ports/net/samba44 -DUSE_K8 showconfig | grep =on
     ACL_SUPPORT=on: File system ACL support
     ADS=on: Active Directory client support
     AD_DC=on: Active Directory Domain Controller support
     DOCS=on: Build and/or install documentation
     FAM=on: File Alteration Monitor support
     LDAP=on: LDAP client support
     PTHREADPOOL=on: Pthread pool
     SYSLOG=on: Syslog logging support
  *  BIND910=on: Use bind910 as AD DC DNS server frontend

I've included below, the unique "error"s while using a virgin build, using 
# make __MAKE_CONF=/dev/null -C /usr/ports/net/samba44 -DBATCH -DMAKE_JOBS_UNSAFE clean package

In file included from ../source3/auth/auth_domain.c:29:
In file included from ../source3/libsmb/libsmb.h:26:
/usr/local/include/client.h:14:8: error: unknown type name 'dlink_list'
extern dlink_list user_list;

/usr/local/include/client.h:79:10: error: use of undeclared identifier 'NICKLEN'
        char id[NICKLEN+1];

/usr/local/include/client.h:197:23: error: conflicting types for 'find_service'
extern struct client *find_service(const char *name);

5 warnings and 19 errors generated.
Waf: Leaving directory `/usr/ports/net/samba44/work/samba-4.4.11/bin'
Build failed:  -> task failed (err #1):
        {task: cc auth_domain.c -> auth_domain_11.o}
  File "buildtools/bin/waf", line 76, in <module>
        Scripting.prepare(t, cwd, VERSION, wafdir)
  File "/usr/ports/net/samba44/work/samba-4.4.11/third_party/waf/wafadmin/Scripting.py", line 147, in prepare
        error(str(e))
*** Error code 1
patch-dynconfig__wscript

and for completeness there is no /usr/local/client.h, but 

# find /usr/ports/net/samba44/work/samba-4.4.11 -name client.h
/usr/ports/net/samba44/work/samba-4.4.11/ctdb/client/client.h
/usr/ports/net/samba44/work/samba-4.4.11/source3/include/client.h

Please note that these are different errors from my build, which did surprise me.  I'll need to investigate further as we're also rebuilding FreeBSD 11.Stable 3 evenings a week at the moment (though I strongly doubt that as a cause).

And thanks for the suggestion Mathieu. I did try building 4.5 a few weeks ago. Unfortunately it's quite challenging, and if you examine both the samba change logs (or monitor the samba technical lists) you'll notice that there are also some changes required to accommodate the OS kernel; and jumping to the released samba46 would be better use of effort. ;) Historically Timur has tracked these changes and as you can see from /usr/ports/net/samba44/files many of the FreeBSD customisations for samba are non-trivial; and beyond me (as I have been absent from C programming for 27 years).
Comment 4 Antoine Brodin freebsd_committer freebsd_triage 2017-03-22 22:51:41 UTC
Try to uninstall irc/ratbox-services, or try to build in a clean room using poudriere.
Comment 5 Timur I. Bakeyev freebsd_committer freebsd_triage 2017-03-24 00:15:55 UTC
(In reply to dewayne from comment #0)

Looks like -L/usr/local/lib slipped in again in front of the other search paths, linking against old libs, installed in the system. Try to remove old Samba* first.
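
The search-order problem diagnosed in comment 5, as an added example that is not part of the original thread: the first function lists system -L directories that precede the build tree's own, and the second emulates the linker's lookup to show which copy of a library wins. The function names, the SAMPLE line (constructed, shortened from the link command in comment 0) and the base-directory argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a link command for
# system -L directories that take precedence over build-tree ones.

# Print absolute -L dirs that appear before the first relative
# (build-tree) -L dir. Returns 1 when nothing shadows the build tree.
shadowing_lib_dirs() {
    early=""; seen_tree=0
    set -f                              # word-split without globbing
    for tok in $1; do
        case $tok in
            -L/*) if [ "$seen_tree" -eq 0 ]; then
                      early="${early}${tok#-L}
"
                  fi ;;
            -L?*) seen_tree=1 ;;
        esac
    done
    set +f
    if [ "$seen_tree" -eq 1 ] && [ -n "$early" ]; then
        printf '%s' "$early"; return 0
    fi
    return 1
}

# Emulate the linker's search for -l<name>: walk -L dirs in command-line
# order and print the first lib<name>.so or lib<name>.a found.
# $3 is the directory that relative -L paths are resolved against.
resolve_lib() {
    set -f
    for tok in $1; do
        case $tok in
            -L/*) dir=${tok#-L} ;;
            -L?*) dir=$3/${tok#-L} ;;
            *)    continue ;;
        esac
        for ext in so a; do
            if [ -f "$dir/lib$2.$ext" ]; then
                set +f; printf '%s\n' "$dir/lib$2.$ext"; return 0
            fi
        done
    done
    set +f
    return 1
}

# Constructed sample, shortened from the failing link line in comment 0.
SAMPLE='gcc5 testnotify_13.o -o testnotify -L/usr/local/lib -L/usr/local/lib/gcc5 -Ldefault/source3/libsmb -Wl,-Bdynamic -lsmbclient'
shadowing_lib_dirs "$SAMPLE"
```

If `resolve_lib` reports a path under /usr/local/lib for a library the port itself builds, the link step is consuming the previously installed copy rather than the freshly compiled one.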
Comment 6 commit-hook freebsd_committer freebsd_triage 2017-03-24 10:20:53 UTC
A commit references this bug:

Author: timur
Date: Fri Mar 24 10:19:47 UTC 2017
New revision: 436805
URL: https://svnweb.freebsd.org/changeset/ports/436805

Log:
  Upgrade Samba 4.4 to the 4.4.12 version to address  CVE-2017-2619

  PR:		217993
  Security:	CVE-2017-2619

Changes:
  head/net/samba44/Makefile
  head/net/samba44/distinfo
  head/net/samba44/files/patch-buildtools__wafsamba__samba_pidl.py
  head/net/samba44/files/patch-third_party__waf__wafadmin__Tools__cc.py
  head/net/samba44/files/patch-wscript
  head/net/samba44/files/patch-wscript_build
  head/net/samba44/pkg-plist
Comment 7 Timur I. Bakeyev freebsd_committer freebsd_triage 2017-03-25 11:16:30 UTC
Upgraded to the latest and greatest
Comment 8 Christian Schwarz 2017-03-25 11:47:15 UTC
This fix should be MFCd to the quarterly branch.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-03-30 23:09:27 UTC
Re-open for merge to quarterly
Comment 10 Timur I. Bakeyev freebsd_committer freebsd_triage 2017-03-30 23:22:02 UTC
(In reply to Kubilay Kocak from comment #9)

Please wait for the update that uses bundled Pidl instead of external one.
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2017-03-30 23:34:01 UTC
@Timur, the change fixing the security issue (and unbreaking build) should be merged to the quarterly branch, independent of any other updates. This can be done with "/usr/ports/Tools/scripts/mfh 2017Q1 217993"
Comment 12 Timur I. Bakeyev freebsd_committer freebsd_triage 2017-03-30 23:37:50 UTC
(In reply to Kubilay Kocak from comment #11)
That upcoming update exactly should fix the build issue. One of, at least.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209787
Comment 13 Mathieu Arnold freebsd_committer freebsd_triage 2017-03-31 06:55:16 UTC
Merging incompatible versions on the eve of a new quarterly branch makes absolutely no sense. (2017Q1 has no USES=samba)
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2017-03-31 09:25:29 UTC
MFH request from Comment 8 is therefore invalid