Jeff Layton
2012-Apr-18 21:49 UTC
[Samba] ANNOUNCE: cifs-utils release 5.4 is ready for download
Since we now have a fix of sorts for CVE-2012-1586, it seems like as good
a time as any to do a new release. Go forth, download and build
cifs-utils-5.4.

Highlights:

 * the "rootsbindir" can now be specified at configure time
 * mount.cifs now supports the -s option by passing "sloppy" to the
   kernel in the options string
 * cifs.upcall now properly respects the domain_realm section in
   krb5.conf
 * unprivileged users can no longer mount onto dirs into which they
   can't chdir (fixes CVE-2012-1586)

webpage: https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git: git://git.samba.org/cifs-utils.git
gitweb: http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.3:

commit 9d74366169305bd3ea3c4bac036bfc982aa15648
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Feb 12 07:32:27 2012 -0500

    autoconf: set release to 5.3.1 for interim builds

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit f9524f772c62bbfd7c190b8249ed66990ed3227a
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Feb 12 07:33:01 2012 -0500

    autoconf: set release to 5.3.1 for interim builds

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit c753cfe5491cfb1f1f74ca41444706383ab9f0e3
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Feb 12 07:33:05 2012 -0500

    cifs-utils: allow specifying rootsbindir at configure time

    ...via the $ROOTSBINDIR environment variable, and AC_ARG_VAR macro.
    The default is to use /sbin for this value, which only currently
    affects the installation location of mount.cifs.

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit 1c2f85a6aecffa7260709e5a44d77335bcade13f
Author: Jeff Layton <jlayton at samba.org>
Date:   Mon Feb 20 09:02:54 2012 -0500

    manpage: update wsize= entry to account for change in default wsize

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit f6384b4fe1ffdeebee3e9d73dd533a4fbf83b6d8
Author: Jeff Layton <jlayton at samba.org>
Date:   Thu Feb 23 10:42:09 2012 -0500

    mount.cifs: fix tests for strtoul success

    The current test just looks to see if errno was 0 after the conversion
    but we need to do a bit more. According to the strtoul manpage:

        If there were no digits at all, strtoul() stores the original
        value of nptr in *endptr (and returns 0).

    So, if you pass in a string of letters, strtoul will return 0, but
    won't actually have converted anything. Luckily, in most cases,
    /bin/mount papers over this bug by doing uid/gid conversions itself
    before calling mount.cifs.

    Fix this by also checking to ensure that strtoul() converted the
    entire string in addition to checking that it didn't set errno. While
    we're at it, fix the test in backupuid/backupgid options as well which
    don't currently check whether errno got set.

    Reported-by: Kyle Squizzato <ksquizza at redhat.com>
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit b0bc3861bfc7b258045d1d456cf2ef4a43ea9562
Author: Jeff Layton <jlayton at samba.org>
Date:   Tue Mar 6 10:54:28 2012 -0500

    mount.cifs: add support for -s option

    autofs generally calls mount helpers with '-s'. Handle that the same
    way we do for NFS -- append ",sloppy" option to the mount options.

    The kernel can look for that option to decide whether to ignore
    unknown mount options, warn, or error out.

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit c5dcf26c0d87d9e8342d2c946e039066de29d30a
Author: Jeff Layton <jlayton at samba.org>
Date:   Thu Mar 29 09:11:29 2012 -0400

    cifs.upcall: use krb5_sname_to_principal to construct principal name

    Currently, we build the string by hand then construct the principal
    name with krb5_parse_name. That bypasses the domain_realm section in
    krb5.conf however.

    Switch the code to use krb5_sname_to_principal instead which is more
    suited to this task. In order for that to work, we change a couple of
    calling functions to pass down a hostname instead of a principal name,
    and then pass in "cifs" as the service name.

    Reported-and-Tested-by: Nirupama Karandikar <nkarandi at redhat.com>
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit fd31a7c0ba7f1282d2d81193d4d100fdc926b99b
Author: Jeff Layton <jlayton at samba.org>
Date:   Mon Apr 2 15:28:56 2012 -0400

    mount.cifs: don't allow unprivileged users to mount onto dirs to which they can't chdir

    If mount.cifs is installed as a setuid root program, then a user can
    use it to gather information about files and directories to which he
    does not have access. One of the first things that mount.cifs does is
    to chdir() into the mountpoint and then proceeds to perform the mount
    onto ".".

    A malicious user could exploit this fact to determine information
    about directories to which he does not have access. Specifically,
    whether the dentry in question is a file or directory and whether it
    exists at all.

    This patch fixes this by making the program switch the fsuid to the
    real uid for unprivileged users when mounting.

    Note that this is a behavior change. mount.cifs has in the past
    allowed users to mount onto any directory as long as it's listed in
    /etc/fstab as a user mount. With this change, the user must also be
    able to chdir into the mountpoint without needing special privileges.
    Hopefully not many people have such a pathological configuration.

    This patch should fix CVE-2012-1586.

    Reported-by: Jesus Olmos <jesus.olmos at blueliv.com>
    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit ea9407fc4ae72a5d4245cbb25f7429f46d664d23
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Apr 15 08:11:53 2012 -0400

    autoconf: fix tests for wbclient to use pkgconfig

    Use the pkgconfig file that's included with wbclient to perform the
    test for wbclient usability, and to set the correct CFLAGS and LDADD.
    This is particularly necessary on recent Fedora with samba4 since it
    puts the wbclient.h file in a different directory than before.

    Also, remove a redundant test for wbclient.h from configure.ac.

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit 730af950428eab6fd131b560a3ee41f4d5fbf405
Author: Jeff Layton <jlayton at samba.org>
Date:   Sun Apr 15 08:14:59 2012 -0400

    asn1: fix up some compiler warnings in asn1.c

    These have been around for quite some time.

    gcc -DHAVE_CONFIG_H -I. -Wall -Wextra -g -O2 -MT asn1.o -MD -MP -MF .deps/asn1.Tpo -c -o asn1.o asn1.c
    asn1.c: In function ‘asn1_write’:
    asn1.c:45:19: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    asn1.c: In function ‘asn1_peek’:
    asn1.c:411:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    asn1.c: In function ‘asn1_tag_remaining’:
    asn1.c:541:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
    asn1.c: In function ‘_ber_read_OID_String_impl’:
    asn1.c:570:22: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]

    Almost all of these are due to the fact that asn1_data->ofs is a
    signed value, and ->length is unsigned. This should clear the way to
    add -Werror to the cflags in the near future.

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit dc0dd017a856185422d2f3691062737a9e93ecae
Author: Jeff Layton <jlayton at samba.org>
Date:   Mon Apr 16 14:13:14 2012 -0400

    automake: add -Werror to CFLAGS

    With the recent patch to fix the warnings in asn1.c, cifs-utils now
    builds without any warnings. Ban them henceforth by adding -Werror
    for builds.

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit 63893320b4c8f0f43da1efd40c4ba4b0af990789
Author: Jeff Layton <jlayton at samba.org>
Date:   Wed Apr 18 14:47:47 2012 -0400

    docs: update to project resources in README

    ...and add Igor Druzhinin and Pavel Shilovsky to AUTHORS.

    Signed-off-by: Jeff Layton <jlayton at samba.org>

commit 0d9cbfa3574c5dce0680f1845cd7bee33e7164d6
Author: Jeff Layton <jlayton at samba.org>
Date:   Wed Apr 18 15:40:06 2012 -0400

    autoconf: set version to 5.4

    Signed-off-by: Jeff Layton <jlayton at samba.org>

--
Jeff Layton <jlayton at samba.org>
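
Added example, not part of the original announcement and not code from cifs-utils: the strtoul() success test described in commit f6384b4 (errno unset and the entire string converted), written as a hypothetical helper parse_id(). It goes one step beyond the commit message by also rejecting a leading sign or whitespace, which strtoul() would otherwise accept; all names and sample values are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not a cifs-utils function): parse a numeric uid/gid
 * option value. Returns 0 and stores the value in *out, or -1 if rejected. */
int parse_id(const char *s, unsigned long *out)
{
	char *end;
	unsigned long val;

	/* Added beyond the commit: strtoul() skips whitespace and accepts a
	 * sign, so "-1" would wrap to ULONG_MAX without setting errno. */
	if (s == NULL || !isdigit((unsigned char)*s))
		return -1;

	errno = 0;
	val = strtoul(s, &end, 10);
	if (errno != 0)
		return -1;	/* e.g. ERANGE on overflow */
	if (end == s || *end != '\0')
		return -1;	/* nothing converted, or trailing characters */

	*out = val;
	return 0;
}

/* The errno-only test that the commit message calls insufficient. */
int parse_id_errno_only(const char *s, unsigned long *out)
{
	errno = 0;
	*out = strtoul(s, NULL, 10);
	return errno ? -1 : 0;
}

int main(void)
{
	/* Constructed sample option values. */
	const char *samples[] = { "1000", "root", "12abc", "-1", "" };
	unsigned long v;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int weak = parse_id_errno_only(samples[i], &v);
		int strict = parse_id(samples[i], &v);
		printf("%-6s errno-only=%d strict=%d\n", samples[i], weak, strict);
	}
	return 0;
}
```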
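
Added example, not part of the original announcement and not the cifs-utils patch itself: a sketch of the CVE-2012-1586 mitigation described in commit fd31a7c, where the chdir() into the mountpoint is performed with the fsuid switched to the real uid so that a setuid-root helper answers with the caller's own access rights. The helper name chdir_as_real_user() and the sample paths are assumptions; Linux only.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/fsuid.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (not the cifs-utils function): chdir() into the
 * mountpoint with filesystem permission checks made as the real uid.
 * Returns 0 on success, -1 with errno set on failure. */
int chdir_as_real_user(const char *mountpoint)
{
	uid_t ruid = getuid();
	uid_t old_fsuid;
	int rc, saved;

	/* setfsuid() returns the previous fsuid and never reports failure,
	 * so call it a second time to confirm the switch took effect. */
	old_fsuid = (uid_t)setfsuid(ruid);
	if ((uid_t)setfsuid(ruid) != ruid) {
		setfsuid(old_fsuid);
		errno = EPERM;
		return -1;
	}

	/* A directory the caller cannot traverse now fails here with the
	 * caller's own error instead of succeeding as root. */
	rc = chdir(mountpoint);
	saved = errno;

	/* Only the fsuid is switched, as the commit message describes;
	 * restore it for the rest of the privileged helper. */
	setfsuid(old_fsuid);
	errno = saved;
	return rc;
}

int main(int argc, char **argv)
{
	/* Constructed default path; pass a mountpoint as argv[1] to try one. */
	const char *target = argc > 1 ? argv[1] : "/";

	if (chdir_as_real_user(target) != 0) {
		fprintf(stderr, "refusing %s: %s\n", target, strerror(errno));
		return 1;
	}
	printf("chdir to %s permitted for uid %d\n", target, (int)getuid());
	return 0;
}
```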