Hello community, here is the log from the commit of package cifs-utils for openSUSE:Factory checked in at 2012-04-20 15:11:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cifs-utils (Old) and /work/SRC/openSUSE:Factory/.cifs-utils.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cifs-utils", Maintainer is "sjayara...@suse.com" Changes: -------- --- /work/SRC/openSUSE:Factory/cifs-utils/cifs-utils.changes 2012-02-16 16:12:05.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.cifs-utils.new/cifs-utils.changes 2012-04-20 15:12:01.000000000 +0200 @@ -1,0 +2,37 @@ +Thu Apr 19 19:36:19 UTC 2012 - lmue...@suse.com + +- Don't care at all what the real uid is when we call toggle_dac_capability(). + +------------------------------------------------------------------- +Thu Apr 19 19:03:21 UTC 2012 - lmue...@suse.com + +- Make use of the stored return code in toggle_dac_capability() of mount.cifs. + +------------------------------------------------------------------- +Thu Apr 19 17:29:11 UTC 2012 - lmue...@suse.com + +- Declare krb5_auth_con_set_req_cksumtype if the prototype does not exist. +- Initialize bkupuid and bkupgid. + +------------------------------------------------------------------- +Thu Apr 19 16:07:00 UTC 2012 - lmue...@suse.com + +- BuildRequire pkg-config for post-10.2 systems and else pkgconfig. + +------------------------------------------------------------------- +Thu Apr 19 13:57:12 UTC 2012 - lmue...@suse.com + +- mount.cifs: fix up some -D_FORTIFY_SOURCE=2 warnings + +------------------------------------------------------------------- +Thu Apr 19 10:30:44 UTC 2012 - lmue...@suse.com + +- Update to cifs-utils 5.4. + + the "rootsbindir" can now be specified at configure time + + mount.cifs now supports the -s option by passing "sloppy" to the + kernel in the options string + + cifs.upcall now properly respects the domain_realm section in krb5.conf + + unprivileged users can no longer mount onto dirs into which they + can't chdir (fixes CVE-2012-1586) + +------------------------------------------------------------------- Old: ---- cifs-utils-5.3.tar.bz2 New: ---- 8c6268cbbd4202631e5c4b30297adc0088a1d568.diff bkup-uid-gid-uninitialized.diff cifs-utils-5.4.tar.bz2 krb5_auth_con_set_req_cksumtype-implicit-declaration.diff mount.cifs-toggle_dac_capability-remove-check.diff mount.cifs-toggle_dac_capability-return-stored-returncode.diff ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cifs-utils.spec ++++++ --- /var/tmp/diff_new_pack.Lj7Mvh/_old 2012-04-20 15:12:02.000000000 +0200 +++ /var/tmp/diff_new_pack.Lj7Mvh/_new 2012-04-20 15:12:02.000000000 +0200 @@ -15,8 +15,9 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + Name: cifs-utils -Version: 5.3 +Version: 5.4 Release: 0 Summary: Utilities for doing and managing mounts of the Linux CIFS filesyste License: GPL-3.0+ @@ -26,6 +27,11 @@ Source1: cifs.init Source2: mkinitrd_scripts_boot-cifs.sh Source3: mkinitrd_scripts_setup-cifs.sh +Patch: 8c6268cbbd4202631e5c4b30297adc0088a1d568.diff +Patch1: bkup-uid-gid-uninitialized.diff +Patch2: krb5_auth_con_set_req_cksumtype-implicit-declaration.diff +Patch3: mount.cifs-toggle_dac_capability-return-stored-returncode.diff +Patch4: mount.cifs-toggle_dac_capability-remove-check.diff %if 0%{?suse_version} PreReq: insserv %{?fillup_prereq} mkinitrd %else @@ -57,6 +63,11 @@ %if 0%{?suse_version} > 1020 BuildRequires: libwbclient-devel %endif +%if 0%{?suse_version} > 1020 +BuildRequires: pkg-config +%else +BuildRequires: pkgconfig +%endif %if 0%{?centos_version} || 0%{?fedora_version} || 0%{?rhel_version} BuildRequires: samba-winbind-devel %endif @@ -69,6 +80,11 @@ %prep %setup -q +%patch -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build autoreconf --force --install ++++++ 8c6268cbbd4202631e5c4b30297adc0088a1d568.diff ++++++ commit 8c6268cbbd4202631e5c4b30297adc0088a1d568 Author: Jeff Layton <jlay...@samba.org> Date: Thu Apr 19 07:29:46 2012 -0400 mount.cifs: fix up some -D_FORTIFY_SOURCE=2 warnings ...and add -D_FORTIFY_SOURCE=2 to the default $CFLAGS. Acked-by: Acked-by: Suresh Jayaraman <sjayara...@suse.com> Signed-off-by: Jeff Layton <jlay...@samba.org> diff --git a/Makefile.am b/Makefile.am index d95142a..05729ca 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,4 +1,4 @@ -AM_CFLAGS = -Wall -Wextra -Werror +AM_CFLAGS = -Wall -Wextra -Werror -D_FORTIFY_SOURCE=2 ACLOCAL_AMFLAGS = -I aclocal root_sbindir = $(ROOTSBINDIR) diff --git a/mount.cifs.c b/mount.cifs.c index f0b073e..2c481d8 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -927,11 +927,11 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info) return EX_USAGE; } } else { - /* domain/username%password */ - const int max = MAX_DOMAIN_SIZE + - MAX_USERNAME_SIZE + - MOUNT_PASSWD_SIZE + 2; - if (strnlen(value, max + 1) >= max + 1) { + /* domain/username%password + NULL term. */ + const size_t max = MAX_DOMAIN_SIZE + + MAX_USERNAME_SIZE + + MOUNT_PASSWD_SIZE + 2 + 1; + if (strnlen(value, max) >= max) { fprintf(stderr, "username too long\n"); return EX_USAGE; } @@ -1603,8 +1603,10 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp mountent.mnt_passno = 0; rc = addmntent(pmntfile, &mountent); if (rc) { + int ignore __attribute__((unused)); + fprintf(stderr, "unable to add mount entry to mtab\n"); - ftruncate(fd, statbuf.st_size); + ignore = ftruncate(fd, statbuf.st_size); rc = EX_FILEIO; } tmprc = my_endmntent(pmntfile, statbuf.st_size); diff --git a/mtab.c b/mtab.c index de545b7..3d42ac0 100644 --- a/mtab.c +++ b/mtab.c @@ -271,8 +271,10 @@ my_endmntent(FILE *stream, off_t size) /* truncate file back to "size" -- best effort here */ if (rc) { + int ignore __attribute__((unused)); + rc = errno; - ftruncate(fd, size); + ignore = ftruncate(fd, size); } endmntent(stream); ++++++ bkup-uid-gid-uninitialized.diff ++++++ Author: Lars Mueller <lmue...@suse.com> Subject: cifs-utils build warns bkupuid and bkupgid may be used uninitialized Bugzilla: na Upstream-Reported: http://permalink.gmane.org/gmane.linux.kernel.cifs/5931 Upstream-Acknowledged: Yes Index: cifs-utils-5.4/mount.cifs.c =================================================================== --- cifs-utils-5.4.orig/mount.cifs.c +++ cifs-utils-5.4/mount.cifs.c @@ -863,8 +863,8 @@ parse_options(const char *data, struct p int got_uid = 0; int got_cruid = 0; int got_gid = 0; - uid_t uid, cruid = 0, bkupuid; - gid_t gid, bkupgid; + uid_t uid, cruid = 0, bkupuid = 0; + gid_t gid, bkupgid = 0; char *ep; struct passwd *pw; struct group *gr; ++++++ cifs-utils-5.3.tar.bz2 -> cifs-utils-5.4.tar.bz2 ++++++ ++++ 4776 lines of diff (skipped) ++++++ krb5_auth_con_set_req_cksumtype-implicit-declaration.diff ++++++ Author: Lars Mueller <lmue...@suse.com> Subject: cifs-utils build breaks with krb5 < 1.7 Bugzilla: na Inspiration: https://bugzilla.samba.org/show_bug.cgi?id=6918 Upstream-Reported: http://permalink.gmane.org/gmane.linux.kernel.cifs/5932 Upstream-Acknowledged: Yes Index: cifs-utils-5.4/configure.ac =================================================================== --- cifs-utils-5.4.orig/configure.ac +++ cifs-utils-5.4/configure.ac @@ -178,6 +178,9 @@ if test $enable_cifsupcall != "no"; then AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype]) fi +# MIT krb5 < 1.7 does not have this declaration but does have the symbol +AC_CHECK_DECLS(krb5_auth_con_set_req_cksumtype, [], [], [#include <krb5.h>]) + LIBS=$cu_saved_libs AM_CONDITIONAL(CONFIG_CIFSUPCALL, [test "$enable_cifsupcall" != "no"]) Index: cifs-utils-5.4/cifs.upcall.c =================================================================== --- cifs-utils-5.4.orig/cifs.upcall.c +++ cifs-utils-5.4/cifs.upcall.c @@ -415,6 +415,14 @@ cifs_krb5_get_req(const char *host, cons */ in_data.data = discard_const_p(char, gss_cksum); in_data.length = 24; + + /* MIT krb5 < 1.7 is missing the prototype, but still has the symbol */ +#if !HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE + krb5_error_code krb5_auth_con_set_req_cksumtype( + krb5_context context, + krb5_auth_context auth_context, + krb5_cksumtype cksumtype); +#endif ret = krb5_auth_con_set_req_cksumtype(context, auth_context, 0x8003); if (ret) { syslog(LOG_DEBUG, "%s: unable to set 0x8003 checksum", ++++++ mount.cifs-toggle_dac_capability-remove-check.diff ++++++ I'm not sure what I was thinking when I added that check in, but it's been there since the inception. We shouldn't care at all what the real uid is when we call toggle_dac_capability and indeed we don't care with the libcap-ng version. Remove that check. Signed-off-by: Jeff Layton <jlay...@samba.org> --- mount.cifs.c | 3 --- 1 files changed, 0 insertions(+), 3 deletions(-) diff --git a/mount.cifs.c b/mount.cifs.c index 06715dd..c90ce3e 100644 --- a/mount.cifs.c +++ b/mount.cifs.c @@ -552,9 +552,6 @@ toggle_dac_capability(int writable, int enable) cap_t caps; cap_value_t capability = writable ? CAP_DAC_OVERRIDE : CAP_DAC_READ_SEARCH; - if (getuid() != 0) - return 0; - caps = cap_get_proc(); if (caps == NULL) { fprintf(stderr, "Unable to get current capability set: %s\n", -- 1.7.7.6 ++++++ mount.cifs-toggle_dac_capability-return-stored-returncode.diff ++++++ Author: Lars Mueller <lmue...@suse.com> Subject: cifs-utils don't make use of stored return code Bugzilla: na Upstream-Reported: http://permalink.gmane.org/gmane.linux.kernel.cifs/5935 Upstream-Acknowledged: Yes Index: cifs-utils-5.4/mount.cifs.c =================================================================== --- cifs-utils-5.4.orig/mount.cifs.c +++ cifs-utils-5.4/mount.cifs.c @@ -577,7 +577,7 @@ toggle_dac_capability(int writable, int } free_caps: cap_free(caps); - return 0; + return rc; } #else /* HAVE_LIBCAP */ static int -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org