Bug 217993 - net/samba44: Fails to build with new Uses/samba.mk. Update fixes CVE-2017-2619
Summary: net/samba44: Fails to build with new Uses/samba.mk. Update fixes CVE-2017-2619
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Many People
Assignee: Timur I. Bakeyev
URL:
Keywords: security
Depends on:
Blocks:
 
Reported: 2017-03-22 04:31 UTC by dewayne
Modified: 2017-03-31 09:25 UTC (History)
4 users (show)

See Also:


Attachments
samba 4.4.11 upgrade (1.58 KB, patch)
2017-03-22 06:35 UTC, Antoine Brodin
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description dewayne 2017-03-22 04:31:11 UTC
Yesterday I modified my samba44/Makefile to build samba 4.4.11.  This was built, tested and put into production on two servers.  
Today I updated via svnlite /usr/ports.  Made ONE modification to /etc/make.conf, added samba=4.4 to the list of DEFAULT_VERSIONS.  Rebuilt samba4.4 as a precursor to the real item of interest, squid authentication.

Unfortunately net/samba44 returned with:

default/examples/libsmbclient/testnotify_13.o: In function `main':
testnotify.c:(.text.startup+0xf5): undefined reference to `smbc_notify'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/var/ports/usr/ports/net/samba44-fileshare/work/samba-4.4.11/bin'
Build failed:  -> task failed (err #1):
        {task: cc_link testnotify_13.o -> testnotify}
*** Error code 1

I dropped 
CONFIGURE_ARGS+= --builtin-libraries=smbclient
into Uses/samba.mk but that didn't help.

Also samba44 is in maintenance mode (as samba4.5 and 4.6 are released), I doubt if the SAMFA_DEFAULT of samba43 is supported upstream?

Detail
------
[3514/3747] Linking default/examples/libsmbclient/testnotify
runner gcc5 default/examples/libsmbclient/testnotify_13.o -o /var/ports/usr/ports/net/samba44/work/samba-4.4.11/bin/default/examples/libsmbclient/testnotify -fstack-protector-strong -fstack-protector-strong -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -L/usr/local/lib -Wl,-rpath=/usr/local/lib/gcc5 -L/usr/local/lib/gcc5 -pie -Wl,-z,relro,-z,now -lpthread -Wl,-no-undefined -Wl,--export-dynamic -Wl,--as-needed -fstack-protector -Ldefault/libds/common -Ldefault/auth -Ldefault/source4/lib/socket -Ldefault/libcli/nbt -Ldefault/lib/ldb-samba -Ldefault/nsswitch -Ldefault/source4/dsdb -Ldefault/source4/auth/kerberos -Ldefault/source4/lib/events -Ldefault/libcli/registry -Ldefault/source4/libcli/ldap -Ldefault/lib/tdb_wrap -Ldefault/source4/librpc -Ldefault/lib/param -Ldefault/auth/credentials -Ldefault/nsswitch/libwbclient -Ldefault/auth/gensec -Ldefault/libcli/smb -Ldefault/libcli/auth -Ldefault/librpc -Ldefault/lib -Ldefault/lib/krb5_wrap -Ldefault/libcli/ldap -Ldefault/libcli/cldap -Ldefault/lib/dbwrap -Ldefault/lib/socket -Ldefault/libcli/security -Ldefault/libcli/util -Ldefault/source3 -Ldefault/lib/replace -Ldefault/lib/util -Ldefault/lib/addns -Ldefault/source4/heimdal_build -Ldefault/source3/libsmb -Wl,-Bdynamic -lsmbclient -lkrb5-samba4 -laddns-samba4 -lgssapi-samba4 -ltalloc-report-samba4 -ltevent-util -lreplace-samba4 -lmessages-dgm-samba4 -lsamba-errors -llibcli-lsa3-samba4 -lsamba-security-samba4 -lsamba3-util-samba4 -lsys-rw-samba4 -lutil-tdb-samba4 -linterfaces-samba4 -lsamba-util -lmessages-util-samba4 -llibsmb-samba4 -lmsrpc3-samba4 -lserver-id-db-samba4 -ldbwrap-samba4 -lcli-cldap-samba4 -liov-buf-samba4 -lcli-ldap-common-samba4 -lsmbconf -lsamba-cluster-support-samba4 -lkrb5samba-samba4 -lsocket-blocking-samba4 -lmsghdr-samba4 -lsamba-sockets-samba4 -lndr -lheimbase-samba4 -lcom_err-samba4 -lasn1-samba4 -lhx509-samba4 -lhcrypto-samba4 -lroken-samba4 -lwind-samba4 -lsamba-debug-samba4 -lgenrand-samba4 -ldcerpc-samba-samba4 -ltime-basic-samba4 -lutil-setid-samba4 -lcliauth-samba4 -lcli-smb-common-samba4 -lgse-samba4 -lutil-cmdline-samba4 -lgensec-samba4 -lwbclient -lsamba-credentials -lndr-samba-samba4 -lsamba-hostconfig -lndr-nbt -ldcerpc-binding -lndr-samba4 -lndr-standard -ltdb-wrap-samba4 -lcli-ldap-samba4 -lasn1util-samba4 -lsmbregistry-samba4 -lCHARSET3-samba4 -lutil-reg-samba4 -levents-samba4 -lsmb-transport-samba4 -lsecrets3-samba4 -lsamba-modules-samba4 -lauthkrb5-samba4 -lsamdb -lwinbind-client-samba4 -lsamdb-common-samba4 -lldbsamba-samba4 -lndr-krb5pac -lserver-role-samba4 -lcli-nbt-samba4 -lnetif-samba4 -lsmbd-shim-samba4 -lauth-sam-reply-samba4 -lflag-mapping-samba4 -ltevent -ltalloc -lcrypt -ltdb -lexecinfo -lldb -lrt -lutil -liconv -lmd -lz -llber -lldap -lgnutls -lpopt
default/examples/libsmbclient/testnotify_13.o: In function `main':
testnotify.c:(.text.startup+0xf5): undefined reference to `smbc_notify'
collect2: error: ld returned 1 exit status
Waf: Leaving directory `/var/ports/usr/ports/net/samba44/work/samba-4.4.11/bin'
Build failed:  -> task failed (err #1):
        {task: cc_link testnotify_13.o -> testnotify}
*** Error code 1
Comment 1 Antoine Brodin freebsd_committer 2017-03-22 06:35:54 UTC
Created attachment 181045 [details]
samba 4.4.11 upgrade

With the attached patch samba44 builds just fine with version 4.4.11
Comment 2 Mathieu Arnold freebsd_committer 2017-03-22 08:12:31 UTC
Also, if the net/samba* ports are lagging behind, feel free to contact their maintainer, and if there are newer minor versions, 4.5 and 4.6, feel free to submit patches to add them :-)
Comment 3 dewayne 2017-03-22 22:35:13 UTC
(In reply to Antoine Brodin from comment #1)
Thank-you for looking into this.  With the exception of the bind9_11 line in pkg-plist, we're very similar.  Perhaps as an aid, I've highlighted (with an asterisk) the differences between a virgin build, where __MAKE_CONF=/dev/null removes the influence of /etc/make.conf and my custom build.  There are NO options files, as these are entirely controlled via etc/make.conf

# make __MAKE_CONF=/dev/null -C /usr/ports/net/samba44 showconfig | grep =on
     ACL_SUPPORT=on: File system ACL support
     ADS=on: Active Directory client support
     AD_DC=on: Active Directory Domain Controller support
  *  DEBUG=on: Build with debugging support
  *  DNSUPDATE=on: Dynamic DNS update (require ADS)
     DOCS=on: Build and/or install documentation
     FAM=on: File Alteration Monitor support
     LDAP=on: LDAP client support
     PTHREADPOOL=on: Pthread pool
  *  QUOTAS=on: Disk quota support
     SYSLOG=on: Syslog logging support
     UTMP=on: UTMP accounting support

What we are using:
# make -C /usr/ports/net/samba44 -DUSE_K8 showconfig | grep =on
     ACL_SUPPORT=on: File system ACL support
     ADS=on: Active Directory client support
     AD_DC=on: Active Directory Domain Controller support
     DOCS=on: Build and/or install documentation
     FAM=on: File Alteration Monitor support
     LDAP=on: LDAP client support
     PTHREADPOOL=on: Pthread pool
     SYSLOG=on: Syslog logging support
  *  BIND910=on: Use bind910 as AD DC DNS server frontend

I've included below, the unique "error"s while using a virgin build, using 
# make __MAKE_CONF=/dev/null -C /usr/ports/net/samba44 -DBATCH -DMAKE_JOBS_UNSAFE clean package

In file included from ../source3/auth/auth_domain.c:29:
In file included from ../source3/libsmb/libsmb.h:26:
/usr/local/include/client.h:14:8: error: unknown type name 'dlink_list'
extern dlink_list user_list;

/usr/local/include/client.h:79:10: error: use of undeclared identifier 'NICKLEN'
        char id[NICKLEN+1];

/usr/local/include/client.h:197:23: error: conflicting types for 'find_service'
extern struct client *find_service(const char *name);

5 warnings and 19 errors generated.
Waf: Leaving directory `/usr/ports/net/samba44/work/samba-4.4.11/bin'
Build failed:  -> task failed (err #1):
        {task: cc auth_domain.c -> auth_domain_11.o}
  File "buildtools/bin/waf", line 76, in <module>
        Scripting.prepare(t, cwd, VERSION, wafdir)
  File "/usr/ports/net/samba44/work/samba-4.4.11/third_party/waf/wafadmin/Scripting.py", line 147, in prepare
        error(str(e))
*** Error code 1
patch-dynconfig__wscript

and for completeness there is no /usr/local/client.h, but 

# find /usr/ports/net/samba44/work/samba-4.4.11 -name client.h
/usr/ports/net/samba44/work/samba-4.4.11/ctdb/client/client.h
/usr/ports/net/samba44/work/samba-4.4.11/source3/include/client.h

Please note that these are different errors from my build, which did surprise me.  I'll need to investigate further as we're also rebuilding FreeBSD 11.Stable 3 evenings a week at the moment (though I strongly doubt that as a cause).

And thanks for the suggestion Mathieu.  I did try building 4.5 a few weeks ago.  Unfortunately its quite challenging, and if you examine both the samba change logs (or monitor the samba technical lists) you'll notice that there are also some changes required to accomodate the os kernel; and jumping to the released samba46 would be better use of effort. ;) Historically Timur has tracked these changes and as you can see from /usr/ports/net/samba44/files many of the FreeBSD customisations for samba are non-trivial; and beyond me (as I have been absent from C programming for 27 years).
Comment 4 Antoine Brodin freebsd_committer 2017-03-22 22:51:41 UTC
Try to uninstall irc/ratbox-services, or try to build in a clean room using poudriere.
Comment 5 Timur I. Bakeyev freebsd_committer 2017-03-24 00:15:55 UTC
(In reply to dewayne from comment #0)

Looks like -L/usr/local/lib slipped in again in front of the other search paths, linking against old libs, installed in the system. Try to remove old Samba* first.
Comment 6 commit-hook freebsd_committer 2017-03-24 10:20:53 UTC
A commit references this bug:

Author: timur
Date: Fri Mar 24 10:19:47 UTC 2017
New revision: 436805
URL: https://svnweb.freebsd.org/changeset/ports/436805

Log:
  Upgrade Samba 4.4 to the 4.4.12 version to address  CVE-2017-2619

  PR:		217993
  Security:	CVE-2017-2619

Changes:
  head/net/samba44/Makefile
  head/net/samba44/distinfo
  head/net/samba44/files/patch-buildtools__wafsamba__samba_pidl.py
  head/net/samba44/files/patch-third_party__waf__wafadmin__Tools__cc.py
  head/net/samba44/files/patch-wscript
  head/net/samba44/files/patch-wscript_build
  head/net/samba44/pkg-plist
Comment 7 Timur I. Bakeyev freebsd_committer 2017-03-25 11:16:30 UTC
Upgraded to the latest and greatest
Comment 8 Christian Schwarz 2017-03-25 11:47:15 UTC
This fix should be MFCd to the quarterly branch.
Comment 9 Kubilay Kocak freebsd_committer freebsd_triage 2017-03-30 23:09:27 UTC
Re-open for merge to quarterly
Comment 10 Timur I. Bakeyev freebsd_committer 2017-03-30 23:22:02 UTC
(In reply to Kubilay Kocak from comment #9)

Please wait for the update that uses bundled Pidl instead of external one.
Comment 11 Kubilay Kocak freebsd_committer freebsd_triage 2017-03-30 23:34:01 UTC
@Timur, the change fixing the security issue (and unbreaking build) should be merged to the quarterly branch, independent on any other updates. This can be done with "/usr/ports/Tools/scripts/mfh 2017Q1 217993"
Comment 12 Timur I. Bakeyev freebsd_committer 2017-03-30 23:37:50 UTC
(In reply to Kubilay Kocak from comment #11)
That upcoming update exactly should fix the build issue. One of, at least.

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=209787
Comment 13 Mathieu Arnold freebsd_committer 2017-03-31 06:55:16 UTC
Merging incompatible versions on the eve of a new quarterly branch makes absolutely no sense. (2017Q1 has no USES=samba)
Comment 14 Kubilay Kocak freebsd_committer freebsd_triage 2017-03-31 09:25:29 UTC
MFH request from Comment 8 is therefore invalid