summaryrefslogtreecommitdiff
path: root/source/n/cifs-utils
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2020-11-25 23:25:45 +0000
committerEric Hameleers <alien@slackware.com>2020-11-26 08:59:52 +0100
commit042736eeb574486635e076ffcc36593ac09c72ba (patch)
treed80deda6acecf44b4591168f49716a68bbf50be8 /source/n/cifs-utils
parentd4f3249a812a440339f94607fa9b69fc981a6f4b (diff)
downloadcurrent-042736eeb574486635e076ffcc36593ac09c72ba.tar.gz
Wed Nov 25 23:25:45 UTC 202020201125232545
ap/qpdf-10.0.4-x86_64-1.txz: Upgraded. d/cmake-3.19.1-x86_64-1.txz: Upgraded. n/bind-9.16.9-x86_64-1.txz: Upgraded. This update fixes bugs, including a denial-of-service security issue: After a Negative Trust Anchor (NTA) is added, BIND performs periodic checks to see if it is still necessary. If BIND encountered a failure while creating a query to perform such a check, it attempted to dereference a NULL pointer, resulting in a crash. [GL #2244] (* Security fix *) n/cifs-utils-6.11-x86_64-2.txz: Rebuilt. Patched to fix mounting CIFS shares when linked with libcap-ng-0.8.1. Thanks to marrowsuck.
Diffstat (limited to 'source/n/cifs-utils')
-rwxr-xr-xsource/n/cifs-utils/cifs-utils.SlackBuild7
-rw-r--r--source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch101
2 files changed, 106 insertions, 2 deletions
diff --git a/source/n/cifs-utils/cifs-utils.SlackBuild b/source/n/cifs-utils/cifs-utils.SlackBuild
index 04e7a31c..a7af8f9f 100755
--- a/source/n/cifs-utils/cifs-utils.SlackBuild
+++ b/source/n/cifs-utils/cifs-utils.SlackBuild
@@ -1,6 +1,6 @@
#!/bin/bash
-# Copyright 2012, 2018 Patrick J. Volkerding, Sebeka, Minnesota, USA
+# Copyright 2012, 2018, 2020 Patrick J. Volkerding, Sebeka, Minnesota, USA
# All rights reserved.
#
# Redistribution and use of this script, with or without modification, is
@@ -24,7 +24,7 @@ cd $(dirname $0) ; CWD=$(pwd)
PKGNAM=cifs-utils
VERSION=${VERSION:-$(echo $PKGNAM-*.tar.?z* | rev | cut -f 3- -d . | cut -f 1 -d - | rev)}
-BUILD=${BUILD:-1}
+BUILD=${BUILD:-2}
# Automatically determine the architecture we're building on:
if [ -z "$ARCH" ]; then
@@ -81,6 +81,9 @@ rm -rf $PKGNAM-$VERSION
tar xvf $CWD/$PKGNAM-$VERSION.tar.?z* || exit 1
cd $PKGNAM-$VERSION
+# Fix for new libcap-ng:
+zcat $CWD/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch.gz | patch -p1 --verbose || exit 1
+
chown -R root:root .
find . \
\( -perm 777 -o -perm 775 -o -perm 711 -o -perm 555 -o -perm 511 \) \
diff --git a/source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch b/source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch
new file mode 100644
index 00000000..ed319182
--- /dev/null
+++ b/source/n/cifs-utils/cifs-utils.f4e7c84467152624a288351321c8664dbf3364af.patch
@@ -0,0 +1,101 @@
+From f4e7c84467152624a288351321c8664dbf3364af Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas@archlinux.org>
+Date: Sat, 21 Nov 2020 11:41:26 +0100
+Subject: [PATCH 1/2] mount.cifs: update the cap bounding set only when
+ CAP_SETPCAP is given
+
+libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
+of -4 when trying to update the capability bounding set without having the
+CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
+silently skipped updating the bounding set and only updated the normal
+CAPNG_SELECT_CAPS capabilities instead.
+
+Check beforehand whether we have CAP_SETPCAP, in which case we can use
+CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
+Otherwise, we can at least update the normal capabilities, but refrain from
+trying to update the bounding set to avoid getting an error.
+
+Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
+---
+ mount.cifs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 4feb397..88b8b69 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -338,6 +338,8 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src)
+ static int
+ drop_capabilities(int parent)
+ {
++ capng_select_t set = CAPNG_SELECT_CAPS;
++
+ capng_setpid(getpid());
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (parent) {
+@@ -355,7 +357,10 @@ drop_capabilities(int parent)
+ return EX_SYSERR;
+ }
+ }
+- if (capng_apply(CAPNG_SELECT_BOTH)) {
++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++ set = CAPNG_SELECT_BOTH;
++ }
++ if (capng_apply(set)) {
+ fprintf(stderr, "Unable to apply new capability set.\n");
+ return EX_SYSERR;
+ }
+--
+2.29.2
+
+
+From 64dfbafe7a0639a96d67f0b840b6e6498e1f68a9 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabonas@archlinux.org>
+Date: Sat, 21 Nov 2020 11:48:33 +0100
+Subject: [PATCH 2/2] cifs.upall: update the cap bounding set only when
+ CAP_SETPCAP is given
+
+libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
+of -4 when trying to update the capability bounding set without having the
+CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
+silently skipped updating the bounding set and only updated the normal
+CAPNG_SELECT_CAPS capabilities instead.
+
+Check beforehand whether we have CAP_SETPCAP, in which case we can use
+CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
+Otherwise, we can at least update the normal capabilities, but refrain from
+trying to update the bounding set to avoid getting an error.
+
+Signed-off-by: Jonas Witschel <diabonas@archlinux.org>
+---
+ cifs.upcall.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 1559434..af1a0b0 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -88,6 +88,8 @@ typedef enum _sectype {
+ static int
+ trim_capabilities(bool need_environ)
+ {
++ capng_select_t set = CAPNG_SELECT_CAPS;
++
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ /* SETUID and SETGID to change uid, gid, and grouplist */
+@@ -105,7 +107,10 @@ trim_capabilities(bool need_environ)
+ return 1;
+ }
+
+- if (capng_apply(CAPNG_SELECT_BOTH)) {
++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++ set = CAPNG_SELECT_BOTH;
++ }
++ if (capng_apply(set)) {
+ syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
+ return 1;
+ }
+--
+2.29.2
+