Hello community,
here is the log from the commit of package cifs-utils for openSUSE:Factory checked in at 2012-04-20 15:11:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cifs-utils (Old)
and /work/SRC/openSUSE:Factory/.cifs-utils.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cifs-utils", Maintainer is "SJayaraman@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/cifs-utils/cifs-utils.changes 2012-02-16 16:12:05.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.cifs-utils.new/cifs-utils.changes 2012-04-20 15:12:01.000000000 +0200
@@ -1,0 +2,37 @@
+Thu Apr 19 19:36:19 UTC 2012 - lmuelle@suse.com
+
+- Don't care at all what the real uid is when we call toggle_dac_capability().
+
+-------------------------------------------------------------------
+Thu Apr 19 19:03:21 UTC 2012 - lmuelle@suse.com
+
+- Make use of the stored return code in toggle_dac_capability() of mount.cifs.
+
+-------------------------------------------------------------------
+Thu Apr 19 17:29:11 UTC 2012 - lmuelle@suse.com
+
+- Declare krb5_auth_con_set_req_cksumtype if the prototype does not exist.
+- Initialize bkupuid and bkupgid.
+
+-------------------------------------------------------------------
+Thu Apr 19 16:07:00 UTC 2012 - lmuelle@suse.com
+
+- BuildRequire pkg-config for post-10.2 systems and else pkgconfig.
+
+-------------------------------------------------------------------
+Thu Apr 19 13:57:12 UTC 2012 - lmuelle@suse.com
+
+- mount.cifs: fix up some -D_FORTIFY_SOURCE=2 warnings
+
+-------------------------------------------------------------------
+Thu Apr 19 10:30:44 UTC 2012 - lmuelle@suse.com
+
+- Update to cifs-utils 5.4.
+ + the "rootsbindir" can now be specified at configure time
+ + mount.cifs now supports the -s option by passing "sloppy" to the
+ kernel in the options string
+ + cifs.upcall now properly respects the domain_realm section in krb5.conf
+ + unprivileged users can no longer mount onto dirs into which they
+ can't chdir (fixes CVE-2012-1586)
+
+-------------------------------------------------------------------
Old:
----
cifs-utils-5.3.tar.bz2
New:
----
8c6268cbbd4202631e5c4b30297adc0088a1d568.diff
bkup-uid-gid-uninitialized.diff
cifs-utils-5.4.tar.bz2
krb5_auth_con_set_req_cksumtype-implicit-declaration.diff
mount.cifs-toggle_dac_capability-remove-check.diff
mount.cifs-toggle_dac_capability-return-stored-returncode.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cifs-utils.spec ++++++
--- /var/tmp/diff_new_pack.Lj7Mvh/_old 2012-04-20 15:12:02.000000000 +0200
+++ /var/tmp/diff_new_pack.Lj7Mvh/_new 2012-04-20 15:12:02.000000000 +0200
@@ -15,8 +15,9 @@
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
+
Name: cifs-utils
-Version: 5.3
+Version: 5.4
Release: 0
Summary: Utilities for doing and managing mounts of the Linux CIFS filesyste
License: GPL-3.0+
@@ -26,6 +27,11 @@
Source1: cifs.init
Source2: mkinitrd_scripts_boot-cifs.sh
Source3: mkinitrd_scripts_setup-cifs.sh
+Patch: 8c6268cbbd4202631e5c4b30297adc0088a1d568.diff
+Patch1: bkup-uid-gid-uninitialized.diff
+Patch2: krb5_auth_con_set_req_cksumtype-implicit-declaration.diff
+Patch3: mount.cifs-toggle_dac_capability-return-stored-returncode.diff
+Patch4: mount.cifs-toggle_dac_capability-remove-check.diff
%if 0%{?suse_version}
PreReq: insserv %{?fillup_prereq} mkinitrd
%else
@@ -57,6 +63,11 @@
%if 0%{?suse_version} > 1020
BuildRequires: libwbclient-devel
%endif
+%if 0%{?suse_version} > 1020
+BuildRequires: pkg-config
+%else
+BuildRequires: pkgconfig
+%endif
%if 0%{?centos_version} || 0%{?fedora_version} || 0%{?rhel_version}
BuildRequires: samba-winbind-devel
%endif
@@ -69,6 +80,11 @@
%prep
%setup -q
+%patch -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
%build
autoreconf --force --install
++++++ 8c6268cbbd4202631e5c4b30297adc0088a1d568.diff ++++++
commit 8c6268cbbd4202631e5c4b30297adc0088a1d568
Author: Jeff Layton
Date: Thu Apr 19 07:29:46 2012 -0400
mount.cifs: fix up some -D_FORTIFY_SOURCE=2 warnings
...and add -D_FORTIFY_SOURCE=2 to the default $CFLAGS.
Acked-by: Acked-by: Suresh Jayaraman
Signed-off-by: Jeff Layton
diff --git a/Makefile.am b/Makefile.am
index d95142a..05729ca 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,4 +1,4 @@
-AM_CFLAGS = -Wall -Wextra -Werror
+AM_CFLAGS = -Wall -Wextra -Werror -D_FORTIFY_SOURCE=2
ACLOCAL_AMFLAGS = -I aclocal
root_sbindir = $(ROOTSBINDIR)
diff --git a/mount.cifs.c b/mount.cifs.c
index f0b073e..2c481d8 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -927,11 +927,11 @@ parse_options(const char *data, struct parsed_mount_info *parsed_info)
return EX_USAGE;
}
} else {
- /* domain/username%password */
- const int max = MAX_DOMAIN_SIZE +
- MAX_USERNAME_SIZE +
- MOUNT_PASSWD_SIZE + 2;
- if (strnlen(value, max + 1) >= max + 1) {
+ /* domain/username%password + NULL term. */
+ const size_t max = MAX_DOMAIN_SIZE +
+ MAX_USERNAME_SIZE +
+ MOUNT_PASSWD_SIZE + 2 + 1;
+ if (strnlen(value, max) >= max) {
fprintf(stderr, "username too long\n");
return EX_USAGE;
}
@@ -1603,8 +1603,10 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags, const char *fstyp
mountent.mnt_passno = 0;
rc = addmntent(pmntfile, &mountent);
if (rc) {
+ int ignore __attribute__((unused));
+
fprintf(stderr, "unable to add mount entry to mtab\n");
- ftruncate(fd, statbuf.st_size);
+ ignore = ftruncate(fd, statbuf.st_size);
rc = EX_FILEIO;
}
tmprc = my_endmntent(pmntfile, statbuf.st_size);
diff --git a/mtab.c b/mtab.c
index de545b7..3d42ac0 100644
--- a/mtab.c
+++ b/mtab.c
@@ -271,8 +271,10 @@ my_endmntent(FILE *stream, off_t size)
/* truncate file back to "size" -- best effort here */
if (rc) {
+ int ignore __attribute__((unused));
+
rc = errno;
- ftruncate(fd, size);
+ ignore = ftruncate(fd, size);
}
endmntent(stream);
++++++ bkup-uid-gid-uninitialized.diff ++++++
Author: Lars Mueller
Subject: cifs-utils build warns bkupuid and bkupgid may be used uninitialized
Bugzilla: na
Upstream-Reported: http://permalink.gmane.org/gmane.linux.kernel.cifs/5931
Upstream-Acknowledged: Yes
Index: cifs-utils-5.4/mount.cifs.c
===================================================================
--- cifs-utils-5.4.orig/mount.cifs.c
+++ cifs-utils-5.4/mount.cifs.c
@@ -863,8 +863,8 @@ parse_options(const char *data, struct p
int got_uid = 0;
int got_cruid = 0;
int got_gid = 0;
- uid_t uid, cruid = 0, bkupuid;
- gid_t gid, bkupgid;
+ uid_t uid, cruid = 0, bkupuid = 0;
+ gid_t gid, bkupgid = 0;
char *ep;
struct passwd *pw;
struct group *gr;
++++++ cifs-utils-5.3.tar.bz2 -> cifs-utils-5.4.tar.bz2 ++++++
++++ 4776 lines of diff (skipped)
++++++ krb5_auth_con_set_req_cksumtype-implicit-declaration.diff ++++++
Author: Lars Mueller
Subject: cifs-utils build breaks with krb5 < 1.7
Bugzilla: na
Inspiration: https://bugzilla.samba.org/show_bug.cgi?id=6918
Upstream-Reported: http://permalink.gmane.org/gmane.linux.kernel.cifs/5932
Upstream-Acknowledged: Yes
Index: cifs-utils-5.4/configure.ac
===================================================================
--- cifs-utils-5.4.orig/configure.ac
+++ cifs-utils-5.4/configure.ac
@@ -178,6 +178,9 @@ if test $enable_cifsupcall != "no"; then
AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype])
fi
+# MIT krb5 < 1.7 does not have this declaration but does have the symbol
+AC_CHECK_DECLS(krb5_auth_con_set_req_cksumtype, [], [], [#include ])
+
LIBS=$cu_saved_libs
AM_CONDITIONAL(CONFIG_CIFSUPCALL, [test "$enable_cifsupcall" != "no"])
Index: cifs-utils-5.4/cifs.upcall.c
===================================================================
--- cifs-utils-5.4.orig/cifs.upcall.c
+++ cifs-utils-5.4/cifs.upcall.c
@@ -415,6 +415,14 @@ cifs_krb5_get_req(const char *host, cons
*/
in_data.data = discard_const_p(char, gss_cksum);
in_data.length = 24;
+
+ /* MIT krb5 < 1.7 is missing the prototype, but still has the symbol */
+#if !HAVE_DECL_KRB5_AUTH_CON_SET_REQ_CKSUMTYPE
+ krb5_error_code krb5_auth_con_set_req_cksumtype(
+ krb5_context context,
+ krb5_auth_context auth_context,
+ krb5_cksumtype cksumtype);
+#endif
ret = krb5_auth_con_set_req_cksumtype(context, auth_context, 0x8003);
if (ret) {
syslog(LOG_DEBUG, "%s: unable to set 0x8003 checksum",
++++++ mount.cifs-toggle_dac_capability-remove-check.diff ++++++
I'm not sure what I was thinking when I added that check in, but it's
been there since the inception. We shouldn't care at all what the
real uid is when we call toggle_dac_capability and indeed we don't
care with the libcap-ng version. Remove that check.
Signed-off-by: Jeff Layton
---
mount.cifs.c | 3 ---
1 files changed, 0 insertions(+), 3 deletions(-)
diff --git a/mount.cifs.c b/mount.cifs.c
index 06715dd..c90ce3e 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -552,9 +552,6 @@ toggle_dac_capability(int writable, int enable)
cap_t caps;
cap_value_t capability = writable ? CAP_DAC_OVERRIDE : CAP_DAC_READ_SEARCH;
- if (getuid() != 0)
- return 0;
-
caps = cap_get_proc();
if (caps == NULL) {
fprintf(stderr, "Unable to get current capability set: %s\n",
--
1.7.7.6
++++++ mount.cifs-toggle_dac_capability-return-stored-returncode.diff ++++++
Author: Lars Mueller
Subject: cifs-utils don't make use of stored return code
Bugzilla: na
Upstream-Reported: http://permalink.gmane.org/gmane.linux.kernel.cifs/5935
Upstream-Acknowledged: Yes
Index: cifs-utils-5.4/mount.cifs.c
===================================================================
--- cifs-utils-5.4.orig/mount.cifs.c
+++ cifs-utils-5.4/mount.cifs.c
@@ -577,7 +577,7 @@ toggle_dac_capability(int writable, int
}
free_caps:
cap_free(caps);
- return 0;
+ return rc;
}
#else /* HAVE_LIBCAP */
static int
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org