Merge ~ahasenack/ubuntu/+source/samba:pam-winbind-1677329 into ~usd-import-team/ubuntu/+source/samba:ubuntu/devel

Proposed by Andreas Hasenack on 2017-05-08
Status: Work in progress
Proposed branch: ~ahasenack/ubuntu/+source/samba:pam-winbind-1677329
Merge into: ~usd-import-team/ubuntu/+source/samba:ubuntu/devel
Diff against target: 59 lines (+30/-2)
2 files modified
debian/changelog (+11/-0)
debian/patches/fix-1584485.patch (+19/-2)
Reviewer: Nish Aravamudan
Date requested: 2017-05-08
Status: Needs Fixing on 2017-05-30
Review via email: mp+323767@code.launchpad.net

Description of the Change

Fix patch d/p/fix-1584485.patch to link the wbclient library into the pam_winbind.so module. Without this library, the module lacks certain symbols and fails to load. The patch was also changed to fail the build if there are missing symbols in this particular module. (LP: #1677329)
Added DEP3 header to d/p/fix-1584485.patch

I'm not comfortable enough with the samba4 build system to assert that my change is the correct one. I would very much like to have the original fix-1584485 patch author chime in on this change. So far I did a basic auth test (see https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1677329/comments/10) which exercised pam_winbind and nsswinbind in an NT4-style domain join, but there are many more code paths to check here (password changes, AD-style joins, Kerberos, etc.).

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1677329/comments/7 shows the output from dpkg-shlibdeps without this change, and comment 9 shows the same command output after the change. No more unresolved symbols in pam_winbind.so.

Some options:
a) upload to artful, exercise there, and do the same for the zesty SRU
b) upload to artful, but for the zesty SRU, remove the fix-1584485.patch until we are happy artful's samba is fine.
c) remove patch from artful and zesty until patch author can chime in

Zesty and Artful currently can't use pam_winbind in any capacity because of this bug.
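
A load check for the failure described in this proposal, as an added example that is not part of the merge proposal or of the Samba packaging: it opens each module with eager binding (RTLD_NOW) in a throwaway Python process, so an unresolved symbol surfaces as a load error instead of at login time. The default glob for the PAM module directory and all function names are assumptions made for the example.

```python
import glob
import re
import subprocess
import sys

# Child process body: dlopen() the module with eager binding so that every
# symbol must resolve at load time. Running it in a separate interpreter keeps
# the module's constructors out of this process.
_CHILD = "import ctypes, os, sys; ctypes.CDLL(sys.argv[1], mode=os.RTLD_NOW)"


def undefined_symbol(dlerror_text):
    """Return the name from a glibc 'undefined symbol: X' message, else None."""
    m = re.search(r"undefined symbol: ([\w.$@]+)", dlerror_text)
    return m.group(1) if m else None


def check_module(path):
    """Load `path` in a child process; return (ok, error_text, missing_symbol)."""
    proc = subprocess.run([sys.executable, "-c", _CHILD, path],
                          capture_output=True, text=True)
    if proc.returncode == 0:
        return True, "", None
    lines = proc.stderr.strip().splitlines()
    error = lines[-1] if lines else "loader exited with %d" % proc.returncode
    return False, error, undefined_symbol(error)


def scan(pattern):
    """Check every module matching a glob; return {path: error} for failures."""
    failures = {}
    for path in sorted(glob.glob(pattern)):
        ok, error, _ = check_module(path)
        if not ok:
            failures[path] = error
    return failures


if __name__ == "__main__":
    # Assumed default: the Debian/Ubuntu multiarch PAM module directory.
    pattern = sys.argv[1] if len(sys.argv) > 1 else "/lib/*/security/pam_*.so"
    bad = scan(pattern)
    for path, error in bad.items():
        print("FAIL %s: %s" % (path, error))
    sys.exit(1 if bad else 0)
```

A module that does not itself link against libpam will also be reported here, because the pam_* symbols it expects from the host application are absent in the test process.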

88ffe93... by Marc Deslauriers on 2017-05-19

Import patches-unapplied version 2:4.5.8+dfsg-0ubuntu0.17.04.2 to ubuntu/zesty-security

Imported using git-ubuntu import.

Publish parent: 84a9aa9cdfcd48fee8b98f22ca1ee19ab98e8bb7

New changelog entries:
  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

3af8dd0... by Marc Deslauriers on 2017-05-19

Update ubuntu/devel from 2:4.5.8+dfsg-0ubuntu0.17.04.1 to 2:4.5.8+dfsg-0ubuntu0.17.04.2

Prior ubuntu/devel commit: b7258fc419d667afcbfc4b69d14cd42e25362cb1
New ubuntu/devel commit: 88ffe933ac78bef22c5e227540c7e2cebe1f73ac

0c93c66... by Marc Deslauriers on 2017-05-24

Import patches-unapplied version 2:4.5.8+dfsg-0ubuntu1 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Publish parent: 90e722435dad6dc33223a22b841b1c0be88c9cab

New changelog entries:
  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

1a32148... by Marc Deslauriers on 2017-05-24

Update ubuntu/devel from 2:4.5.8+dfsg-0ubuntu0.17.04.2 to 2:4.5.8+dfsg-0ubuntu1

Prior ubuntu/devel commit: 3af8dd0b5cc581d586422b4b03eff72ae642b84c
New ubuntu/devel commit: 0c93c66bbf24ab40933b247d30bcb16715ff4a43

Nish Aravamudan (nacc) wrote :

I would squash HEAD down to HEAD^.

Also, note that: 2:4.5.8+dfsg-0ubuntu1 is already published in artful, per rmadison.

Finally, I wonder if we should follow our merge workflow here, to ease it later, and make the commit message of a change match its changelog entry.

Nish Aravamudan (nacc) :
review: Needs Fixing
faa8b34... by Andreas Hasenack on 2017-06-08

  * Fix patch d/p/fix-1584485.patch to link the wbclient library into
    the pam_winbind.so module. Without this library, the module lacks certain
    symbols and fails to load. The patch was also changed to fail the build if
    there are missing symbols in this particular module. (LP: #1677329,
    LP: #1644428, Closes: #833287)

c6cbf55... by Andreas Hasenack on 2017-06-08

changelog

47b7712... by Andreas Hasenack on 2017-06-08

  * Added DEP3 header to d/p/fix-1584485.patch

1588383... by Andreas Hasenack on 2017-06-08

changelog

99588f2... by Andreas Hasenack on 2017-06-13

Updated bug list in the DEP3 header.

Andreas Hasenack (ahasenack) wrote :

I asked upstream (Debian and Samba) for a review of this patch:

https://lists.samba.org/archive/samba-technical/2017-June/121139.html

That could take a while, so until that happens, I'm proposing a different MP to fix this for now and that is to revert the broken patch one more time.

722f2d7... by Andreas Hasenack on 2017-07-13

Updated DEP3 headers

Unmerged commits

722f2d7... by Andreas Hasenack on 2017-07-13

Updated DEP3 headers

99588f2... by Andreas Hasenack on 2017-06-13

Updated bug list in the DEP3 header.

1588383... by Andreas Hasenack on 2017-06-08

changelog

47b7712... by Andreas Hasenack on 2017-06-08

  * Added DEP3 header to d/p/fix-1584485.patch

c6cbf55... by Andreas Hasenack on 2017-06-08

changelog

faa8b34... by Andreas Hasenack on 2017-06-08

  * Fix patch d/p/fix-1584485.patch to link the wbclient library into
    the pam_winbind.so module. Without this library, the module lacks certain
    symbols and fails to load. The patch was also changed to fail the build if
    there are missing symbols in this particular module. (LP: #1677329,
    LP: #1644428, Closes: #833287)

1a32148... by Marc Deslauriers on 2017-05-24

Update ubuntu/devel from 2:4.5.8+dfsg-0ubuntu0.17.04.2 to 2:4.5.8+dfsg-0ubuntu1

Prior ubuntu/devel commit: 3af8dd0b5cc581d586422b4b03eff72ae642b84c
New ubuntu/devel commit: 0c93c66bbf24ab40933b247d30bcb16715ff4a43

0c93c66... by Marc Deslauriers on 2017-05-24

Import patches-unapplied version 2:4.5.8+dfsg-0ubuntu1 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Publish parent: 90e722435dad6dc33223a22b841b1c0be88c9cab

New changelog entries:
  * SECURITY UPDATE: remote code execution from a writable share
    - debian/patches/CVE-2017-7494.patch: refuse to open pipe names with a
      slash inside in source3/rpc_server/srv_pipe.c.
    - CVE-2017-7494

90e7224... by Marc Deslauriers on 2017-04-21

Import patches-unapplied version 2:4.5.8+dfsg-0ubuntu0.17.04.1 to ubuntu/artful-proposed

Imported using usd-importer.

Publish parent: 15e3cf274dfab190084d584ff4300aacebaef453
Changelog parent: 84a9aa9cdfcd48fee8b98f22ca1ee19ab98e8bb7

84a9aa9... by Marc Deslauriers on 2017-04-21

Import patches-unapplied version 2:4.5.8+dfsg-0ubuntu0.17.04.1 to ubuntu/zesty-security

Imported using usd-importer.

Publish parent: 607f0090218d9ebd0d6d672e405326932400065c

New changelog entries:
  * SECURITY UPDATE: Symlink race allows access outside share definition
    - Updated to new upstream release 4.5.8.
    - CVE-2017-2619

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 47ac7a3..c6d1960 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,14 @@
6+samba (2:4.5.8+dfsg-0ubuntu2) artful; urgency=medium
7+
8+ * Fix patch d/p/fix-1584485.patch to link the wbclient library into
9+ the pam_winbind.so module. Without this library, the module lacks certain
10+ symbols and fails to load. The patch was also changed to fail the build if
11+ there are missing symbols in this particular module. (LP: #1677329,
12+ LP: #1644428, Closes: #833287)
13+ * Added DEP3 header to d/p/fix-1584485.patch
14+
15+ -- Andreas Hasenack <andreas@canonical.com> Thu, 08 Jun 2017 16:23:49 -0600
16+
17 samba (2:4.5.8+dfsg-0ubuntu1) artful; urgency=medium
18
19 * SECURITY UPDATE: remote code execution from a writable share
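Review bot: The second bullet ("Added DEP3 header to d/p/fix-1584485.patch") is in the past tense while the first is imperative ("Fix patch ..."), and both describe the same file. Consider "Add DEP3 header to d/p/fix-1584485.patch", or fold it into the first bullet as a sub-item so the entry reads as one change to one patch.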
20diff --git a/debian/patches/fix-1584485.patch b/debian/patches/fix-1584485.patch
21index 37fa744..6b36319 100644
22--- a/debian/patches/fix-1584485.patch
23+++ b/debian/patches/fix-1584485.patch
24@@ -1,3 +1,20 @@
25+This patch statically links libnss-winbind and libpam-winbind against the
26+samba-libs to prevent upgrade problems with running processes being
27+incompatible with old libraries or the other way around.
28+The original version of this patch produced a pam_winbind.so module that
29+had missing symbols and could not be loaded (LP: #1677329). It was then
30+updated to also link in wbclient, which provided the missing symbols, and
31+allow_undefined_symbols was changed from True to False for the pam module
32+to trigger build failures should this happen again.
33+
34+Author: Jorge Niedbalski <jorge.niedbalski@canonical.com>
35+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833287
36+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1584485
37+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1677329
38+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1644428
39+Last-Update: 2017-05-08
40+Origin: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1584485/comments/17
41+
42 --- samba-4.4.5+dfsg.orig/buildtools/wafsamba/wafsamba.py
43 +++ samba-4.4.5+dfsg/buildtools/wafsamba/wafsamba.py
44 @@ -140,7 +140,8 @@ def SAMBA_LIBRARY(bld, libname, source,
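Review bot: The new header opens with free text and has no `Description:` (or `Subject:`) field name, which DEP3 requires; prefix the first paragraph with `Description:` and indent its continuation lines. `Last-Update: 2017-05-08` also predates the changelog timestamp for this upload (08 Jun 2017), so it should be bumped to the date the patch content last changed.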
45@@ -83,12 +100,12 @@
46 bld.SAMBA_LIBRARY('pamwinbind',
47 source='pam_winbind.c',
48 - deps='talloc wbclient winbind-client tiniparser pam samba_intl',
49-+ deps='pamwinbind-static',
50++ deps='wbclient pamwinbind-static',
51 cflags='-DLOCALEDIR=\"%s/locale\"' % bld.env.DATADIR,
52 realname='pam_winbind.so',
53 - install_path='${PAMMODULESDIR}'
54 + install_path='${PAMMODULESDIR}',
55-+ allow_undefined_symbols=True
56++ allow_undefined_symbols=False
57 )
58
59 if bld.CONFIG_SET('HAVE_KRB5_LOCATE_PLUGIN_H'):
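Review bot: In the `deps=` line, `wbclient` is added next to `pamwinbind-static`, while the patch header states the goal is to link the module statically against the samba libs. Please confirm whether this makes pam_winbind.so depend on the shared wbclient library at runtime, and if it does, say so in the header, since a mismatch between a running process and upgraded libraries is the scenario the patch was written to avoid. The `allow_undefined_symbols=False` guard would also be worth applying to the nss winbind library if this patch builds it the same way.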
