Bug 266641 - net/samba413: Backport security fix from 4.14.14
Summary: net/samba413: Backport security fix from 4.14.14
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Yasuhiro Kimura
Duplicates: 263804
Reported: 2022-09-27 03:26 UTC by Yasuhiro Kimura
Modified: 2022-11-04 14:54 UTC

Flags:
yasu: maintainer-feedback-
yasu: merge-quarterly?


Attachments
Patch file (736.37 KB, patch)
2022-09-27 03:26 UTC, Yasuhiro Kimura
Description Yasuhiro Kimura freebsd_committer freebsd_triage 2022-09-27 03:26:34 UTC
Created attachment 236856
Patch file

* Backport security fix from 4.14.14.
* Add upstream patch to fix configure error with Python 3.11.
* Fix plist error when AD_DC option is off and PYTHON3 option is on.
* Replace BIND911 option with BIND918 as dns/bind911 is removed from ports tree and dns/bind918 is added instead.

MFH:            2022Q3
Security:       CVE-2022-2031
Security:       CVE-2022-32742
Security:       CVE-2022-32744
Security:       CVE-2022-32745
Security:       CVE-2022-32746
Comment 1 Yasuhiro Kimura freebsd_committer freebsd_triage 2022-10-11 05:21:23 UTC
Maintainer timeout. Take.
Comment 2 commit-hook freebsd_committer freebsd_triage 2022-10-11 05:34:03 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dfaa714fc960fb4d0a5bc6983d3882a974857f12

commit dfaa714fc960fb4d0a5bc6983d3882a974857f12
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-09-26 23:47:17 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-10-11 05:32:29 +0000

    net/samba413: Backport security fix from 4.14.14

    * Add upstream patch to fix configure error with Python 3.11.
    * Fix plist error when AD_DC option is off and PYTHON3 option is on.
    * Replace BIND911 option with BIND918 as dns/bind911 is removed from
      ports tree and dns/bind918 is added instead.

    PR:             266641
    Approved by:    maintainer timeout
    MFH:            2022Q4
    Security:       f9140ad4-4920-11ed-a07e-080027f5fec9

 net/samba413/Makefile                        |     8 +-
 net/samba413/files/patch-samba-4.14.14 (new) | 13366 +++++++++++++++++++++++++
 net/samba413/files/patch-waf-2.0.20 (new)    |  1663 +++
 net/samba413/files/patch-waf-2.0.21 (new)    |   703 ++
 net/samba413/files/patch-waf-2.0.22 (new)    |   596 ++
 net/samba413/files/patch-waf-2.0.23 (new)    |   877 ++
 net/samba413/files/patch-waf-2.0.24 (new)    |   164 +
 net/samba413/pkg-plist.ad_dc                 |     2 -
 net/samba413/pkg-plist.python                |     3 +
 9 files changed, 17376 insertions(+), 6 deletions(-)
Comment 3 commit-hook freebsd_committer freebsd_triage 2022-10-11 05:38:05 UTC
A commit in branch 2022Q4 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e9e5495de10d87602e6e1386c20333754bb0e879

commit e9e5495de10d87602e6e1386c20333754bb0e879
Author:     Yasuhiro Kimura <yasu@FreeBSD.org>
AuthorDate: 2022-09-26 23:47:17 +0000
Commit:     Yasuhiro Kimura <yasu@FreeBSD.org>
CommitDate: 2022-10-11 05:36:47 +0000

    net/samba413: Backport security fix from 4.14.14

    * Add upstream patch to fix configure error with Python 3.11.
    * Fix plist error when AD_DC option is off and PYTHON3 option is on.
    * Replace BIND911 option with BIND918 as dns/bind911 is removed from
      ports tree and dns/bind918 is added instead.

    PR:             266641
    Approved by:    maintainer timeout
    MFH:            2022Q4
    Security:       f9140ad4-4920-11ed-a07e-080027f5fec9

    (cherry picked from commit dfaa714fc960fb4d0a5bc6983d3882a974857f12)

 net/samba413/Makefile                        |     8 +-
 net/samba413/files/patch-samba-4.14.14 (new) | 13366 +++++++++++++++++++++++++
 net/samba413/files/patch-waf-2.0.20 (new)    |  1663 +++
 net/samba413/files/patch-waf-2.0.21 (new)    |   703 ++
 net/samba413/files/patch-waf-2.0.22 (new)    |   596 ++
 net/samba413/files/patch-waf-2.0.23 (new)    |   877 ++
 net/samba413/files/patch-waf-2.0.24 (new)    |   164 +
 net/samba413/pkg-plist.ad_dc                 |     2 -
 net/samba413/pkg-plist.python                |     3 +
 9 files changed, 17376 insertions(+), 6 deletions(-)
Comment 4 shellingfield 2022-10-21 13:12:48 UTC
A little bit late, but

> * Replace BIND911 option with BIND918 as dns/bind911 is removed from ports tree and dns/bind918 is added instead.
Samba 4.13.x does not have any support for DLZ of BIND 9.18.x.

In fact, after building net/samba413 with the BIND918 option, "samba-tool domain provision --dns-backend=BIND9_DLZ" creates a wrong named.conf, like below:


dlz "AD DNS Zone" {
    # For BIND 9.18.x
    database "dlopen /usr/local/lib/samba4/modules/bind9/dlz_bind9_18.so";
};


This would load a non-existent library, and then named fails to run.
So the BIND918-related changes should be reverted to avoid any confusion, I think.

regards,
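
The failure described in comment 4 can be caught before named is restarted. The following is an added example, not part of the original report or the port: it lists DLZ modules that an active database "dlopen ..." line references but that are missing on disk. The function names and the scratch-directory sample are constructed for illustration, and only whole-line # and // comments are skipped.

```shell
#!/bin/sh
# Added example, not part of the bug report or the port.
# Prints every DLZ module that an active `database "dlopen ..."` line in the
# given named.conf points at but that does not exist on disk.
# Returns 1 if any module is missing, 0 otherwise.
missing_dlz_modules() {
    conf=$1
    missing=0
    # Drop whole-line '#' and '//' comments so commented-out alternatives are
    # ignored, then extract the first token after "dlopen".
    # /* ... */ block comments are not handled.
    paths=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*\/\//d' "$conf" |
        sed -n 's/.*database[[:space:]]*"dlopen[[:space:]]\{1,\}\([^"[:space:]]*\).*/\1/p')
    for p in $paths; do
        if [ ! -f "$p" ]; then
            printf '%s\n' "$p"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample: a scratch tree where only a 9.16 module file exists,
# while the active stanza asks for the 9.18 one (the situation in comment 4).
write_sample() {
    dir=$1
    mkdir -p "$dir/modules/bind9"
    : > "$dir/modules/bind9/dlz_bind9_16.so"
    cat > "$dir/named.conf" <<EOF
dlz "AD DNS Zone" {
    # For BIND 9.16.x
    # database "dlopen $dir/modules/bind9/dlz_bind9_16.so";
    # For BIND 9.18.x
    database "dlopen $dir/modules/bind9/dlz_bind9_18.so";
};
EOF
}

tmp=$(mktemp -d "${TMPDIR:-/tmp}/dlzcheck.XXXXXX")
write_sample "$tmp"
if missing_dlz_modules "$tmp/named.conf"; then
    echo "all DLZ modules present"
else
    echo "named would fail to load the module(s) listed above"
fi
rm -rf "$tmp"
```

On a real system the function would be pointed at the named.conf that samba-tool generated during provisioning.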
Comment 5 Timur I. Bakeyev freebsd_committer freebsd_triage 2022-10-25 21:58:51 UTC
(In reply to shellingfield from comment #4)

Thanks for reporting this!

While 4.13 has been deprecated for a while now, it is still in use for older versions of FreeBSD.

I've backported Bind support options to cover 9.18 also, but the only thing I can say is that it builds.

Well, give it a try with an updated version of the port.
Comment 6 shellingfield 2022-10-26 05:04:08 UTC
(In reply to Timur I. Bakeyev from comment #5)

> I've backported Bind support options to cover 9.18 also, but the only thing I can say is that it builds.
Great!

So I'll try the latest ports net/samba413 with DLZ Bind 9.18 soon, and also report if needed.

Again, thank you for your great work!!
Comment 7 Mateusz Piotrowski freebsd_committer freebsd_triage 2022-11-04 14:54:56 UTC
*** Bug 263804 has been marked as a duplicate of this bug. ***