Revision bump. Marking stable for all archs for remote vulnerability security bug (CVE-2007-5398)

5 files changed, 373 insertions, 5 deletions

diff --git a/net-fs/samba/ChangeLog b/net-fs/samba/ChangeLog
index 12e67e8492cc..e4850272be44 100644
--- a/net-fs/samba/ChangeLog
+++ b/net-fs/samba/ChangeLog
@@ -1,6 +1,13 @@
 # ChangeLog for net-fs/samba
 # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/ChangeLog,v 1.307 2007/11/02 22:09:42 dev-zero Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/ChangeLog,v 1.308 2007/11/15 14:43:59 dev-zero Exp $
+
+*samba-3.0.26a-r2 (15 Nov 2007)
+
+  15 Nov 2007; Tiziano Müller <dev-zero@gentoo.org>
+  +files/3.0.26a-CVE-2007-5398.patch, +samba-3.0.26a-r2.ebuild:
+  Revision bump. Marking stable for all archs for remote vulnerability
+  security bug (CVE-2007-5398)
 
 *samba-3.0.26a-r1 (02 Nov 2007)
 
diff --git a/net-fs/samba/Manifest b/net-fs/samba/Manifest
index bcee49f63db3..6b7afdaf351c 100644
--- a/net-fs/samba/Manifest
+++ b/net-fs/samba/Manifest
@@ -22,6 +22,10 @@ AUX 3.0.25c-py_smp.patch 914 RMD160 455ec69a623fc75a56ca7f26e243873e890360f9 SHA
 MD5 95c1be28c63f32afbac815dd5463a693 files/3.0.25c-py_smp.patch 914
 RMD160 455ec69a623fc75a56ca7f26e243873e890360f9 files/3.0.25c-py_smp.patch 914
 SHA256 676078b5e331b43f426f6cfd10db00d9c70a88df2da436abb2eccad1b49cd0db files/3.0.25c-py_smp.patch 914
+AUX 3.0.26a-CVE-2007-5398.patch 1232 RMD160 b547196a44437d6336495ea727f9abfcfd41e79c SHA1 e2b7d91446e07bf1be5930187417f26841995743 SHA256 37a0181aa647de7feb888d675ea726e135bbe53bc3099076eaf0682fc1b11b05
+MD5 79934d4dcc779a467697e7cf86046631 files/3.0.26a-CVE-2007-5398.patch 1232
+RMD160 b547196a44437d6336495ea727f9abfcfd41e79c files/3.0.26a-CVE-2007-5398.patch 1232
+SHA256 37a0181aa647de7feb888d675ea726e135bbe53bc3099076eaf0682fc1b11b05 files/3.0.26a-CVE-2007-5398.patch 1232
 AUX 3.0.26a-invalid-free-fix.patch 541 RMD160 13e1b0420ae9c06a2e6d4f9a8a0a3af8c32318b9 SHA1 0457c901f55b86b9b3751dc67b86a26cb19ec4e7 SHA256 4a727b9a02cbc7e2efc00190d5068c82e12a0b9fdad2a50869a2f10bc39a06f2
 MD5 1c3431c8feebecfc2e0ae8987afee555 files/3.0.26a-invalid-free-fix.patch 541
 RMD160 13e1b0420ae9c06a2e6d4f9a8a0a3af8c32318b9 files/3.0.26a-invalid-free-fix.patch 541
@@ -99,10 +103,14 @@ EBUILD samba-3.0.26a-r1.ebuild 8770 RMD160 f4223617e3687035ee9e3577ddfa6c444b61e
 MD5 19b0f919c6d15e7ebf07a3f0899bccc0 samba-3.0.26a-r1.ebuild 8770
 RMD160 f4223617e3687035ee9e3577ddfa6c444b61ee2e samba-3.0.26a-r1.ebuild 8770
 SHA256 07a93917ca0d9baf6c1717069981fff449b45ebf136af93242ba1446dbf54e5e samba-3.0.26a-r1.ebuild 8770
-MISC ChangeLog 52511 RMD160 a92f778811e9b000612325c115856a4918e8eb79 SHA1 372d1739a92215c3e86731686d5ffeee88c44b33 SHA256 bed96c8f2a89905a8d9018fc72b9a70122f61439db2cc60c2bfb414676531838
-MD5 1a304b9bfc7a261225c69b1aee371d8b ChangeLog 52511
-RMD160 a92f778811e9b000612325c115856a4918e8eb79 ChangeLog 52511
-SHA256 bed96c8f2a89905a8d9018fc72b9a70122f61439db2cc60c2bfb414676531838 ChangeLog 52511
+EBUILD samba-3.0.26a-r2.ebuild 8827 RMD160 2e668f31f4c351b7fde97bf9cff9062a92ace8d5 SHA1 315b319339bedfc4d2e78bed77dd64e135b64fbb SHA256 8967cd7571aab33026f856a3bf934803a5d29aeb141e05dbe746d93610ed71d2
+MD5 3c44bc7ef1f33b538585be2437da759f samba-3.0.26a-r2.ebuild 8827
+RMD160 2e668f31f4c351b7fde97bf9cff9062a92ace8d5 samba-3.0.26a-r2.ebuild 8827
+SHA256 8967cd7571aab33026f856a3bf934803a5d29aeb141e05dbe746d93610ed71d2 samba-3.0.26a-r2.ebuild 8827
+MISC ChangeLog 52764 RMD160 dc6b567c4a31be9d0e7d2d8498368ebc9026abbe SHA1 59680f56a9e90ff7997c5ca823237491a9e26608 SHA256 504361b96fc9d6a952420da5a0a4c81140ff8badb5823a685970259e795bc89f
+MD5 3ad68922daec7d500b411baa80a44570 ChangeLog 52764
+RMD160 dc6b567c4a31be9d0e7d2d8498368ebc9026abbe ChangeLog 52764
+SHA256 504361b96fc9d6a952420da5a0a4c81140ff8badb5823a685970259e795bc89f ChangeLog 52764
 MISC metadata.xml 489 RMD160 36eed0edca609c521314ae415efd57ca9acfecb4 SHA1 317e61704a10a3bd888d32c6834721f5d40d00ff SHA256 6f35f13dd39bb51d304fd59b5352c92bc35a957c9c9412c5c1f3f58e98519792
 MD5 324855d88a5c326d1b45b5c7719d5536 metadata.xml 489
 RMD160 36eed0edca609c521314ae415efd57ca9acfecb4 metadata.xml 489
@@ -116,3 +124,6 @@ SHA256 6772b5cc291b0f6dbd584253eabd0e7ad75966af1ff8f17c48762a65e4111a9c files/di
 MD5 cdaa94996a44f40213ca611e5ddc5e2e files/digest-samba-3.0.26a-r1 247
 RMD160 eda75ec256c84904565d4fd0c9c69baa95ee7938 files/digest-samba-3.0.26a-r1 247
 SHA256 19fc1538d2f06366e50a6fb6da02b496ae459035c2d650c508d34f1ad970150e files/digest-samba-3.0.26a-r1 247
+MD5 cdaa94996a44f40213ca611e5ddc5e2e files/digest-samba-3.0.26a-r2 247
+RMD160 eda75ec256c84904565d4fd0c9c69baa95ee7938 files/digest-samba-3.0.26a-r2 247
+SHA256 19fc1538d2f06366e50a6fb6da02b496ae459035c2d650c508d34f1ad970150e files/digest-samba-3.0.26a-r2 247
diff --git a/net-fs/samba/files/3.0.26a-CVE-2007-5398.patch b/net-fs/samba/files/3.0.26a-CVE-2007-5398.patch
new file mode 100644
index 000000000000..e27c73e596f9
--- /dev/null
+++ b/net-fs/samba/files/3.0.26a-CVE-2007-5398.patch
@@ -0,0 +1,36 @@
+commit 089a51061b1be809f278ab4e9a741d0a44e52750
+Author: Gerald (Jerry) Carter <jerry@samba.org>
+Date:   Wed Nov 14 20:51:14 2007 -0600
+
+    Fix for CVE-2007-5398.
+    
+    == Subject:     Remote code execution in Samba's WINS
+    ==              server daemon (nmbd) when processing name
+    ==              registration followed name query requests.
+    ==
+    == CVE ID#:     CVE-2007-5398
+    ==
+    == Versions:    Samba 3.0.0 - 3.0.26a (inclusive)
+    ...
+    Secunia Research reported a vulnerability that allows for
+    the execution of arbitrary code in nmbd.  This defect may
+    only be exploited when the "wins support" parameter has
+    been enabled in smb.conf.
+
+diff --git a/source/nmbd/nmbd_packets.c b/source/nmbd/nmbd_packets.c
+index 87a38b9..bbcc1ec 100644
+--- a/source/nmbd/nmbd_packets.c
++++ b/source/nmbd/nmbd_packets.c
+@@ -963,6 +963,12 @@ for id %hu\n", packet_type, nmb_namestr(&orig_nmb->question.question_name),
+ 	nmb->answers->ttl      = ttl;
+   
+ 	if (data && len) {
++		if (len < 0 || len > sizeof(nmb->answers->rdata)) {
++			DEBUG(5,("reply_netbios_packet: "
++				"invalid packet len (%d)\n",
++				len ));
++			return;
++		}
+ 		nmb->answers->rdlength = len;
+ 		memcpy(nmb->answers->rdata, data, len);
+ 	}
diff --git a/net-fs/samba/files/digest-samba-3.0.26a-r2 b/net-fs/samba/files/digest-samba-3.0.26a-r2
new file mode 100644
index 000000000000..7056d3102e2e
--- /dev/null
+++ b/net-fs/samba/files/digest-samba-3.0.26a-r2
@@ -0,0 +1,3 @@
+MD5 16b47e6add332e5ac4523fc88c381d06 samba-3.0.26a.tar.gz 18180031
+RMD160 9a62ba3ea2747b500ddea56729499524ae4329d2 samba-3.0.26a.tar.gz 18180031
+SHA256 41e11f69288b2291f12f8db093e2c55dc1360555d4542c83c0758c4c7a3d4d37 samba-3.0.26a.tar.gz 18180031
diff --git a/net-fs/samba/samba-3.0.26a-r2.ebuild b/net-fs/samba/samba-3.0.26a-r2.ebuild
new file mode 100644
index 000000000000..2a5f75117cbe
--- /dev/null
+++ b/net-fs/samba/samba-3.0.26a-r2.ebuild
@@ -0,0 +1,311 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/net-fs/samba/samba-3.0.26a-r2.ebuild,v 1.1 2007/11/15 14:43:59 dev-zero Exp $
+
+inherit eutils pam python multilib versionator confutils
+
+MY_P=${PN}-${PV/_/}
+
+DESCRIPTION="A suite of SMB and CIFS client/server programs for UNIX"
+HOMEPAGE="http://www.samba.org/"
+SRC_URI="mirror://samba/${MY_P}.tar.gz
+	mirror://samba/old-versions/${MY_P}.tar.gz"
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="alpha amd64 ~arm hppa ia64 ~mips ppc ppc64 ~s390 ~sh sparc ~sparc-fbsd x86 ~x86-fbsd"
+IUSE_LINGUAS="linguas_ja linguas_pl"
+IUSE="${IUSE_LINGUAS} acl ads async automount caps cups doc examples ipv6 kernel_linux ldap fam
+	pam python quotas readline selinux swat syslog winbind"
+
+RDEPEND="dev-libs/popt
+	virtual/libiconv
+	acl?       ( kernel_linux? ( sys-apps/acl ) )
+	cups?      ( net-print/cups )
+	ipv6?      ( sys-apps/xinetd )
+	ads?       ( virtual/krb5 )
+	ldap?      ( net-nds/openldap )
+	pam?       ( virtual/pam )
+	python?    ( dev-lang/python )
+	readline?  ( sys-libs/readline )
+	selinux?   ( sec-policy/selinux-samba )
+	swat?      ( sys-apps/xinetd )
+	syslog?    ( virtual/logger )
+	fam?       ( virtual/fam )
+	caps?      ( sys-libs/libcap )"
+DEPEND="${RDEPEND}"
+
+S=${WORKDIR}/${MY_P}
+CONFDIR=${FILESDIR}/config
+PRIVATE_DST=/var/lib/samba/private
+
+pkg_setup() {
+	confutils_use_depend_all ads ldap
+}
+
+src_unpack() {
+	unpack ${A}
+	cd "${S}/source"
+
+	# This patch adds "-Wl,-z,now" to smb{mnt,umount}
+	# Please read ... for further informations
+	epatch "${FILESDIR}/${PV}-lazyldflags.patch"
+
+	# Bug #196015 (upstream: #5021)
+	epatch "${FILESDIR}/${PV}-invalid-free-fix.patch"
+
+	# Bug #197519
+	epatch "${FILESDIR}/${PV}-CVE-2007-5398.patch"
+
+	# Ok, agreed, this is ugly. But it avoids a patch we
+	# need for every samba version and we don't need autotools
+	sed -i \
+		-e 's|"lib32" ||' \
+		-e 's|if test -d "$i/$l" ;|if test -d "$i/$l" -o -L "$i/$l";|' \
+		configure || die "sed failed"
+
+	rm "${S}/docs/manpages"/{mount,umount}.cifs.8
+}
+
+src_compile() {
+	cd "${S}/source"
+
+	local myconf
+	local mylangs
+	local mymod_shared
+
+	python_version
+	myconf="--with-python=no"
+	use python && myconf="--with-python=${python}"
+
+	mylangs="--with-manpages-langs=en"
+	use linguas_ja && mylangs="${mylangs},ja"
+	use linguas_pl && mylangs="${mylangs},pl"
+
+	use winbind && mymod_shared="--with-shared-modules=idmap_rid"
+	if use ldap ; then
+		myconf="${myconf} $(use_with ads)"
+		use winbind && mymod_shared="${mymod_shared},idmap_ad"
+	fi
+
+	[[ ${CHOST} == *-*bsd* ]] && myconf="${myconf} --disable-pie"
+	use hppa && myconf="${myconf} --disable-pie"
+
+	use caps && export ac_cv_header_sys_capability_h=yes || export ac_cv_header_sys_capability_h=no
+
+	# Otherwise we get the whole swat stuff installed
+	if ! use swat ; then
+		sed -i \
+			-e 's/^\(install:.*\)installswat \(.*\)/\1\2/' \
+			Makefile.in || die "sed failed"
+	fi
+
+	econf \
+		--with-fhs \
+		--sysconfdir=/etc/samba \
+		--localstatedir=/var \
+		--with-configdir=/etc/samba \
+		--with-libdir=/usr/$(get_libdir)/samba \
+		--with-swatdir=/usr/share/doc/${PF}/swat \
+		--with-piddir=/var/run/samba \
+		--with-lockdir=/var/cache/samba \
+		--with-logfilebase=/var/log/samba \
+		--with-privatedir=${PRIVATE_DST} \
+		--with-libsmbclient \
+		--without-spinlocks \
+		--enable-socket-wrapper \
+		--with-cifsmount=no \
+		$(use_with acl acl-support) \
+		$(use_with async aio-support) \
+		$(use_with automount) \
+		$(use_enable cups) \
+		$(use_enable fam) \
+		$(use_with ads krb5) \
+		$(use_with ldap) \
+		$(use_with pam) $(use_with pam pam_smbpass) \
+		$(use_with quotas) $(use_with quotas sys-quotas) \
+		$(use_with readline) \
+		$(use_with kernel_linux smbmount) \
+		$(use_with syslog) \
+		$(use_with winbind) \
+		${myconf} ${mylangs} ${mymod_shared} || die "econf failed"
+
+	emake proto || die "emake proto failed"
+	emake everything || die "emake everything failed"
+
+	if use python ; then
+		emake python_ext || die "emake python_ext failed"
+	fi
+}
+
+src_test() {
+	cd "${S}/source"
+	emake test || die "tests failed"
+}
+
+src_install() {
+	cd "${S}/source"
+
+	emake DESTDIR="${D}" install-everything || die "emake install-everything failed"
+
+	# Extra rpctorture progs
+	local extra_bins="rpctorture"
+	for i in ${extra_bins} ; do
+		[[ -x "${S}/bin/${i}" ]] && dobin "${S}/bin/${i}"
+	done
+
+	# remove .old stuff from /usr/bin:
+	rm -f "${D}"/usr/bin/*.old
+
+	# Nsswitch extensions. Make link for wins and winbind resolvers
+	if use winbind ; then
+		dolib.so nsswitch/libnss_wins.so
+		dosym libnss_wins.so /usr/$(get_libdir)/libnss_wins.so.2
+		dolib.so nsswitch/libnss_winbind.so
+		dosym libnss_winbind.so /usr/$(get_libdir)/libnss_winbind.so.2
+	fi
+
+	if use pam ; then
+		dopammod bin/pam_smbpass.so
+		use winbind && dopammod bin/pam_winbind.so
+	fi
+
+	if use kernel_linux ; then
+		# Warning: this can byte you if /usr is
+		# on a separate volume and you have to mount
+		# a smb volume before the local mount
+		dosym ../usr/bin/smbmount /sbin/mount.smbfs
+		fperms 4755 /usr/bin/smbmnt
+		fperms 4755 /usr/bin/smbumount
+	fi
+
+	# bug #46389: samba doesn't create symlink anymore
+	# beaviour seems to be changed in 3.0.6, see bug #61046
+	dosym samba/libsmbclient.so /usr/$(get_libdir)/libsmbclient.so.0
+	dosym samba/libsmbclient.so /usr/$(get_libdir)/libsmbclient.so
+
+	# make the smb backend symlink for cups printing support (bug #133133)
+	if use cups ; then
+		dodir $(cups-config --serverbin)/backend
+		dosym /usr/bin/smbspool $(cups-config --serverbin)/backend/smb
+	fi
+
+	if use python ; then
+		emake DESTDIR="${D}" python_install || die "emake installpython failed"
+		# We're doing that manually
+		find "${D}/usr/$(get_libdir)/python${PYVER}/site-packages" -iname "*.pyc" -delete
+	fi
+
+	cd "${S}/source"
+
+	# General config files
+	insinto /etc/samba
+	doins "${CONFDIR}"/{smbusers,lmhosts}
+	newins "${CONFDIR}/smb.conf.example-samba3" smb.conf.example
+
+	newpamd "${CONFDIR}/samba.pam" samba
+	use winbind && doins ${CONFDIR}/system-auth-winbind
+	if use swat ; then
+		insinto /etc/xinetd.d
+		newins "${CONFDIR}/swat.xinetd" swat
+	else
+		rm -f "${D}/usr/sbin/swat"
+		rm -f "${D}/usr/share/man/man8/swat.8"
+	fi
+
+	newinitd "${FILESDIR}/samba-init" samba
+	newconfd "${FILESDIR}/samba-conf" samba
+
+	if use ldap ; then
+		insinto /etc/openldap/schema
+		doins "${S}/examples/LDAP/samba.schema"
+	fi
+
+	if use ipv6 ; then
+		insinto /etc/xinetd.d
+		newins "${FILESDIR}/samba-xinetd" smb
+	fi
+
+	# dirs
+	diropts -m0700 ; keepdir ${PRIVATE_DST}
+	diropts -m1777 ; keepdir /var/spool/samba
+
+	diropts -m0755
+	keepdir /var/{log,run,cache}/samba
+	keepdir /var/lib/samba/{netlogon,profiles}
+	keepdir /var/lib/samba/printers/{W32X86,WIN40,W32ALPHA,W32MIPS,W32PPC}
+	keepdir /usr/$(get_libdir)/samba/{rpc,idmap,auth}
+
+	# docs
+	dodoc "${FILESDIR}/README.gentoo"
+	dodoc "${S}"/{README,Roadmap,WHATSNEW.txt}
+	dodoc "${CONFDIR}/nsswitch.conf-wins"
+	use winbind && dodoc "${CONFDIR}/nsswitch.conf-winbind"
+
+	if use examples ; then
+		insinto /usr/share/doc/${PF}
+		doins -r "${S}/examples/"
+		find "${D}/usr/share/doc/${PF}" -type d -print0 | xargs -0 chmod 755
+		find "${D}/usr/share/doc/${PF}/examples" ! -type d -print0 | xargs -0 chmod 644
+		if use python ; then
+			insinto /usr/share/doc/${PF}/python
+			doins -r "${S}/source/python/examples"
+		fi
+	fi
+
+	if ! use doc ; then
+		if ! use swat ; then
+			rm -rf "${D}/usr/share/doc/${PF}/swat"
+		else
+			rm -rf "${D}/usr/share/doc/${PF}/swat/help"/{guide,howto,devel}
+			rm -rf "${D}/usr/share/doc/${PF}/swat/using_samba"
+		fi
+	fi
+
+}
+
+pkg_preinst() {
+	local PRIVATE_SRC=/etc/samba/private
+	if [[ ! -r "${ROOT}/${PRIVATE_DST}/secrets.tdb" \
+		&& -r "${ROOT}/${PRIVATE_SRC}/secrets.tdb" ]] ; then
+		ebegin "Copying ${ROOT}/${PRIVATE_SRC}/* to ${ROOT}/${PRIVATE_DST}/"
+			mkdir -p "${D}/${PRIVATE_DST}"
+			cp -pPRf "${ROOT}/${PRIVATE_SRC}"/* "${D}/${PRIVATE_DST}/"
+		eend $?
+	fi
+
+	if [[ ! -f "${ROOT}/etc/samba/smb.conf" ]] ; then
+		touch "${D}/etc/samba/smb.conf"
+	fi
+}
+
+pkg_postinst() {
+	if use python ; then
+		python_version
+		python_mod_optimize /usr/$(get_libdir)/python${PYVER}/site-packages/samba
+	fi
+
+	if use swat ; then
+		einfo "swat must be enabled by xinetd:"
+		einfo "  change the /etc/xinetd.d/swat configuration"
+	fi
+
+	if use ipv6 ; then
+		einfo "ipv6 support must be enabled by xinetd:"
+		einfo "  change the /etc/xinetd.d/smb configuration"
+	fi
+
+	elog "It is possible to start/stop daemons seperately:"
+	elog "  Create a symlink from /etc/init.d/samba.{smbd,nmbd,winbind} to"
+	elog "  /etc/init.d/samba. Calling /etc/init.d/samba directly will start"
+	elog "  the daemons configured in /etc/conf.d/samba"
+
+	elog "The mount/umount.cifs helper applications are not included anymore."
+	elog "Please install net-fs/mount-cifs instead."
+}
+
+pkg_postrm() {
+	if use python ; then
+		python_version
+		python_mod_cleanup /usr/$(get_libdir)/python${PYVER}/site-packages/samba
+	fi
+}