ANNOUNCE: cifs-utils release 5.4 is ready for download

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since we now have a fix of sorts for CVE-2012-1586, it seems like as
good a time as any to do a new release. Go forth, download and build
cifs-utils-5.4.

Highlights:

 * the "rootsbindir" can now be specified at configure time

 * mount.cifs now supports the -s option by passing "sloppy" to the
   kernel in the options string

 * cifs.upcall now properly respects the domain_realm section in
   krb5.conf

 * unprivileged users can no longer mount onto dirs into which they
   can't chdir (fixes CVE-2012-1586) 

webpage:    https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball:    ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:        git://git.samba.org/cifs-utils.git
gitweb:     http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 5.3:

commit 9d74366169305bd3ea3c4bac036bfc982aa15648
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sun Feb 12 07:32:27 2012 -0500

    autoconf: set release to 5.3.1 for interim builds
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit f9524f772c62bbfd7c190b8249ed66990ed3227a
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sun Feb 12 07:33:01 2012 -0500

    autoconf: set release to 5.3.1 for interim builds
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit c753cfe5491cfb1f1f74ca41444706383ab9f0e3
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sun Feb 12 07:33:05 2012 -0500

    cifs-utils: allow specifying rootsbindir at configure time
    
    ...via the $ROOTSBINDIR environment variable, and AC_ARG_VAR macro.
    The default is to use /sbin for this value, which only currently
    affects the installation location of mount.cifs.
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 1c2f85a6aecffa7260709e5a44d77335bcade13f
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Mon Feb 20 09:02:54 2012 -0500

    manpage: update wsize= entry to account for change in default wsize
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit f6384b4fe1ffdeebee3e9d73dd533a4fbf83b6d8
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 10:42:09 2012 -0500

    mount.cifs: fix tests for strtoul success
    
    The current test just looks to see if errno was 0 after the conversion
    but we need to do a bit more. According to the strtoul manpage:
    
        If there were no digits at all, strtoul() stores the original value
        of nptr in *endptr (and returns 0).
    
    So, if you pass in a string of letters, strtoul will return 0, but
    won't actually have converted anything. Luckily, in most cases, /bin/mount
    papers over this bug by doing uid/gid conversions itself before calling
    mount.cifs.
    
    Fix this by also checking to ensure that strtoul() converted the entire
    string in addition to checking that it didn't set errno. While we're at
    it, fix the test in backupuid/backupgid options as well which don't
    currently check whether errno got set.
    
    Reported-by: Kyle Squizzato <ksquizza@xxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit b0bc3861bfc7b258045d1d456cf2ef4a43ea9562
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Tue Mar 6 10:54:28 2012 -0500

    mount.cifs: add support for -s option
    
    autofs generally calls mount helpers with '-s'. Handle that the same
    way we do for NFS -- append ",sloppy" option to the mount options.
    
    The kernel can look for that option to decide whether to ignore
    unknown mount options, warn, or error out.
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit c5dcf26c0d87d9e8342d2c946e039066de29d30a
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Mar 29 09:11:29 2012 -0400

    cifs.upcall: use krb5_sname_to_principal to construct principal name
    
    Currently, we build the string by hand then then construct the
    principal name with krb5_parse_name. That bypasses the domain_realm
    section in krb5.conf however.
    
    Switch the code to use krb5_sname_to_principal instead which is more
    suited to this task. In order for that to work, we change a couple of
    calling functions to pass down a hostname instead of a principal
    name, and then pass in "cifs" as the service name.
    
    Reported-and-Tested-by: Nirupama Karandikar <nkarandi@xxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit fd31a7c0ba7f1282d2d81193d4d100fdc926b99b
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Mon Apr 2 15:28:56 2012 -0400

    mount.cifs: don't allow unprivileged users to mount onto dirs to which they
    can't chdir
    
    If mount.cifs is installed as a setuid root program, then a user can
    use it to gather information about files and directories to which he
    does not have access.
    
    One of the first things that mount.cifs does is to chdir() into the
    mountpoint and then proceeds to perform the mount onto ".". A malicious
    user could exploit this fact to determine information about directories
    to which he does not have access. Specifically, whether the dentry in
    question is a file or directory and whether it exists at all.
    
    This patch fixes this by making the program switch the fsuid to the
    real uid for unprivileged users when mounting.
    
    Note that this is a behavior change. mount.cifs has in the past allowed
    users to mount onto any directory as long as it's listed in /etc/fstab
    as a user mount. With this change, the user must also be able to chdir
    into the mountpoint without needing special privileges. Hopefully not
    many people have such a pathological configuration.
    
    This patch should fix CVE-2012-1586.
    
    Reported-by: Jesus Olmos <jesus.olmos@xxxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit ea9407fc4ae72a5d4245cbb25f7429f46d664d23
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sun Apr 15 08:11:53 2012 -0400

    autoconf: fix tests for wbclient to use pkgconfig
    
    Use the pkgconfig file that's included with wbclient to perform the test
    for wbclient usability, and to set the correct CFLAGS and LDADD.
    
    This is particularly necessary on recent Fedora with samba4 since it
    puts the wbclient.h file in a different directory than before.
    
    Also, remove a redundant test for wbclient.h from configure.ac.
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 730af950428eab6fd131b560a3ee41f4d5fbf405
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sun Apr 15 08:14:59 2012 -0400

    asn1: fix up some compiler warnings in asn1.c
    
    These have been around for quite some time.
    
    gcc -DHAVE_CONFIG_H -I.    -Wall -Wextra -g -O2 -MT asn1.o -MD -MP -MF
    .deps/asn1.Tpo -c -o asn1.o asn1.c
    asn1.c: In function ‘asn1_write’:
    asn1.c:45:19: warning: comparison between signed and unsigned integer
    expressions [-Wsign-compare]
    asn1.c: In function ‘asn1_peek’:
    asn1.c:411:22: warning: comparison between signed and unsigned integer
    expressions [-Wsign-compare]
    asn1.c: In function ‘asn1_tag_remaining’:
    asn1.c:541:16: warning: comparison between signed and unsigned integer
    expressions [-Wsign-compare]
    asn1.c: In function ‘_ber_read_OID_String_impl’:
    asn1.c:570:22: warning: comparison between signed and unsigned integer
    expressions [-Wsign-compare]
    
    Almost all of these are due to the fact that asn1_data->ofs is a
    signed value, and ->length is unsigned.
    
    This should clear the way to add -Werror to the cflags in the near
    future.
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit dc0dd017a856185422d2f3691062737a9e93ecae
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Mon Apr 16 14:13:14 2012 -0400

    automake: add -Werror to CFLAGS
    
    With the recent patch to fix the warnings in asn1.c, cifs-utils now
    builds without any warnings. Ban them henceforth by adding -Werror for
    builds.
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 63893320b4c8f0f43da1efd40c4ba4b0af990789
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Wed Apr 18 14:47:47 2012 -0400

    docs: update to project resources in README
    
    ...and add Igor Druzhinin and Pavel Shilovsky to AUTHORS.
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 0d9cbfa3574c5dce0680f1845cd7bee33e7164d6
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Wed Apr 18 15:40:06 2012 -0400

    autoconf: set version to 5.4
    
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

- -- 
Jeff Layton <jlayton@xxxxxxxxx>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)

iQIcBAEBAgAGBQJPjzbzAAoJEAAOaEEZVoIVRQ0P+gJAO0gDXEr4YSuMfN0FTNER
A3qrnrzit3AeWfxtN8KKJuqiPwHD/4tLjDnUNqGEPYZuyqwHATooYBncwTIXpHdf
+GaKrk9XPhsJQ12aaHwUWjWwiplSQlVzHMKsuAk6fZ9zEVzzqEFdXIChZTOIdB/o
WzV8JWBC7SA+h2uLVg/6woU/WFMAf+ONYxhxnOCCQfiBO3AadfHfoS9mdrP4Onmi
wOlRyyctNf8gux4vl8HldVV9YbhW/KN2rb3/0Q42B51eAI5S1iTUk8BZ4B+ooqSz
uTPSgnm8qv2YhVkzjwmrwUmo1g1oFwAhaj291+owFRK+Z/N2bpOTGLOsOdCFg9N4
j1e2pa+x2susR6caH6aq2bjns1UlszO7Avazci5dT8gktYzeVoFwFRuv9lI1WzEv
E9965VzYGcUsHiPzBC+xbuEYqHsb2c9Q67EurODnnsuDbiKPguPygIo78JQEDri+
70VGDNfTwXtbno6Nm8Dglu6ZRIJdbLV2kQjesm0dLsFAncB9/g4V2G4w6+WFa4JQ
1+1g/7zsrGFwGHaLcNYeVtRo8hCM+KAoH4ETgbF8+5nnJY0r212R7jl4+5BKJIxp
xUz7zCDJXZW3gbS/3siwSnQv8fr3q8ZSee0YLltNd4jLVN93BZuoea79koEjcXrC
sXD0I2mB+CZFFO7jmeeh
=11+i
-----END PGP SIGNATURE-----
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



[Linux]     [Info Cyrus]     [LARTC]     [Bugtraq]     [Netfilter]     [Internet Dating Forums]     [RAID]     [Yosemite News]     [Photography]

Add to Google Powered by Linux