Bug 54994 - samba: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 5.0
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-2-errata
Assigned To: Arvid Requate
QA Contact: Philipp Hahn
URL: https://bugzilla.samba.org/show_bug.c...
Depends on: 48947
Blocks: 54995
Reported: 2022-07-15 11:30 CEST by Arvid Requate
Modified: 2022-08-01 13:18 CEST (History)
CC List: 2 users

What kind of report is it?: Security Issue
Max CVSS v3 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Comment 1 Arvid Requate univentionstaff 2022-07-18 21:06:52 CEST
Upstream provided combined patches which I added like this:

* 98_CVE-2022-2031+32744.quilt
* 98_CVE-2022-32742.quilt
* 98_CVE-2022-32745+32746.quilt


I've extracted the ldb-specific parts of the combined patch set for CVE-2022-32745 and CVE-2022-32746
to patch the ldb package and cherrypicked the packages into the errata5.0-2:

* repo_admin.py --cherrypick --release 5.0-0 --source ucs5.0-2 --releasedest 5.0-0 --dest errata5.0-2 --package ldb
* same for samba

I added the patches for ldb and battled a bit with svn:

r19652 | New upstream patches  ## to ucs5.0-2, so that was the wrong path
r19653 | the cherrypick
r19655 | merge patches from 2:2.5.0-1-ucs5.0-2  ## also wrong
r19656 | revert last commit                     ## revert
r19657 | New upstream patches                   ## move patches to correct path
r19660 | Update symbols
r19661 | Update symbols
r19662 | Update symbols

Package: ldb
Version: 2:2.5.1-1A~5.0.0.202207181955
Branch: ucs_5.0-0
Scope: errata5.0-2

And I added the patches for samba and experimented a bit with splitting the patches
to avoid the warnings by patch that files get changed twice by the patches. But then
I decided that it's not worth splitting the patches into 25 parts just for that.

r19654 | the cherrypick
r19658 | New upstream patches
r19659 | rename file to .quilt
r19663 | split patch
r19664 | split patch
r19665 | adjust patch to 34_samba_dns_tomstone.quilt
r19666 | adjust patch to 34_samba_dns_tomstone.quilt
r19667 | re-combine patch
r19668 | re-combine patch

Package: samba
Version: 2:4.16.2-1A~5.0.0.202207182052
Branch: ucs_5.0-0
Scope: errata5.0-2

5659216111 | Advisories
Comment 2 Arvid Requate univentionstaff 2022-07-19 18:23:25 CEST
Package update failed with

> samba-dsdb-modules : Depends: libldb2 (> 2:2.5.2~) but 2:2.5.1-1A~5.0.0.202206171844 is to be installed

So I've merged the svn patches into the source package and updated the debian/changelog version accordingly.
I've imported the new source package and built it:

Package: ldb
Version: 2:2.5.2-1A~5.0.0.202207191717
Branch: ucs_5.0-0
Scope: errata5.0-2

to be sure I've rebuilt samba again, too:

Package: samba
Version: 2:4.16.2-1A~5.0.0.202207191731
Branch: ucs_5.0-0
Scope: errata5.0-2

c216d4b0a4 | Advisory update

I've also cherrypicked and rebuilt univention-ldb-modules:

Package: univention-ldb-modules
Version: 8.0.0-7A~5.0.0.202207191820
Branch: ucs_5.0-0
Scope: errata5.0-2

180fcd59f5 | Advisory
Comment 3 Erik Damrose univentionstaff 2022-07-25 16:21:04 CEST
We need a specific dependency for "newer than or equal to the latest" for the samba-dsdb-modules package, otherwise the installation of the latest samba4 app packages fails (i.e. u-samba4 and u-s4-connector)

7b61aedf7c Bug #54994: Add dependency on specific samba-dsdb-modules version
6a3cbd0f4d Bug #54994: yaml

univention-samba4 9.0.8-3A~5.0.0.202207251614
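Why the first ldb build was rejected in Comment 2 and what the "newer than or equal to the latest" pin in Comment 3 actually checks, as an added example (not code from UCS, dpkg or this bug): a Python port of dpkg's version ordering (verrevcmp in lib/dpkg/version.c) plus a dependency check, run on the versions quoted in the two comments. The relation names follow Debian Policy; apt's short form `>` in the error above is taken to mean the strict `>>` relation (an assumption; both `>>` and `>=` are evaluated and give the same answer for these versions). The point the error message hides is that `~` sorts before everything, even the end of the string, so `2:2.5.2~` is smaller than every real 2.5.2 build and larger than every 2.5.1 build.

```python
"""Added example, not code from UCS, dpkg or this bug report: a Python port of
dpkg's version ordering (verrevcmp in lib/dpkg/version.c) plus a dependency
check, applied to the versions quoted in this bug."""


def _isdigit(c):
    return "0" <= c <= "9"          # ASCII digits only; "" is not a digit


def _order(c):
    """Sort weight of a non-digit character: '~' sorts before everything
    including the end of the string, letters before other punctuation."""
    if _isdigit(c):
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256 if c else 0  # 0 marks the end of the string


def _verrevcmp(a, b):
    """dpkg ordering of one version fragment: alternate non-digit runs
    (compared via _order) and numeric runs (compared by value)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not _isdigit(a[i])) or (j < len(b) and not _isdigit(b[j])):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _isdigit(a[i]) and j < len(b) and _isdigit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _isdigit(a[i]):
            return 1                 # longer numeric run is the bigger number
        if j < len(b) and _isdigit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordered like `dpkg --compare-versions`."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return -1 if r < 0 else 1
    return 0


# Relation operators of a Depends: field (Debian Policy 7.1).
_RELATIONS = {
    "<<": lambda c: c < 0, "<=": lambda c: c <= 0, "=": lambda c: c == 0,
    ">=": lambda c: c >= 0, ">>": lambda c: c > 0,
}


def satisfies(installed, relation, required):
    """True if `installed` meets a control-file clause '(relation required)'."""
    return _RELATIONS[relation](compare_versions(installed, required))


if __name__ == "__main__":
    # Comment 2: the ldb version apt wanted to install versus the rebuilt one,
    # both against the libldb2 clause quoted in the error.
    for candidate in ("2:2.5.1-1A~5.0.0.202206171844", "2:2.5.2-1A~5.0.0.202207191717"):
        ok = satisfies(candidate, ">>", "2:2.5.2~") and satisfies(candidate, ">=", "2:2.5.2~")
        print(candidate, "satisfies libldb2 (> 2:2.5.2~):", ok)
    # Comment 3: pin to "newer than or equal to the latest samba-dsdb-modules build".
    latest = "2:4.16.2-1A~5.0.0.202207191731"
    print("previous build accepted:", satisfies("2:4.16.2-1A~5.0.0.202207182052", ">=", latest))
```

Run it stand-alone and the first ldb build prints False, the rebuilt one True, and the older samba-dsdb-modules build is rejected by the `>=` pin while the latest build accepts itself. On a machine with dpkg you can cross-check any pair with `dpkg --compare-versions A lt B`.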
Comment 4 Erik Damrose univentionstaff 2022-07-26 16:47:15 CEST
As discussed, there is one ucs-test failing on UCS 5

53_samba-common/38_printer_special_chars

But it only fails if the complete samba-common section is executed; it cannot be reproduced when executing the test on its own. But after it has failed once, it fails even when run on its own.
It might be a missing cleanup from a test before that, or a regression in samba itself, because the test fails only with the latest samba version.

Reopen, to
* re-check the test
* there are still no advisories
Comment 5 Erik Damrose univentionstaff 2022-07-26 17:12:44 CEST
QA results so far:

Patches for the issues are okay and have been applied
98_CVE-2022-2031+32744.quilt
98_CVE-2022-32742.quilt
98_CVE-2022-32745+32746.quilt

samba 2:4.16.2-1A~5.0.0.202207191731
ldb 2:2.5.2-1A~5.0.0.202207191717
univention-ldb-modules 8.0.0-7A~5.0.0.202207191820
Comment 6 Arvid Requate univentionstaff 2022-07-26 22:45:51 CEST
> 53_samba-common/38_printer_special_chars

That test is terribly flaky, as observed before:

https://forge.univention.org/bugzilla/show_bug.cgi?id=48947#c1

Via that bug Florian added a section to 38_printer_special_chars where
printing is done without samba, just directly using lp against cups.
Even that fails sometimes with "CUPS: Nothing has been printed to the output file.",
because previous tests (like 36_printer) don't clean up their netcat-helper process
if they fail.

I've analyzed the issue and adjusted 38_printer_special_chars and 36_printer a bit
so that it worked significantly better in my tests. The main trick seems to be to
wait a bit in 38_printer_special_chars *before* doing the first attempt, otherwise
there seems to be a negative cache that has a ttl of about 5 minutes. 

6f67ce578c | Fix 38_printer_special_chars

Package: ucs-test
Version: 10.0.7-8A~5.0.0.202207262233
Branch: ucs_5.0-0
Scope: errata5.0-2

I tried to use http://jenkins2022.knut.univention.de/job/PublishUCS5Testing/ but
it seems to ignore my request to "build now". So I ran /usr/sbin/update_ucs5_testing_mirror.sh
manually, but I don't know if it was early enough for the tests.
Comment 7 Arvid Requate univentionstaff 2022-07-27 10:35:56 CEST
My adjustment to `ucs-test/tests/53_samba-common/38_printer_special_chars` didn't make it into last nights tests. Amongst other things (`nc` processes used for printer mocking not getting terminated on failure) the main fix seems to be that it now takes longer for Samba to make available a printershare with a "`very long share name with spaces`" (Bug 48947 Comment 1) and when the test attempts to print to that share before it is ready, then it seems to get some kind of negative cache entry (or at least a stuck data structure, error message: "NT_STATUS_HARDWARE_MEMORY_ERROR opening remote file") for about 5 minutes, before printing on that share starts to work. Simply inserting a 5 second wait before attempting to print was enough on my system to stabilize the test. In ucs-test I've put 10 seconds to be sure. One of the new Samba patches fixes a server memory disclosure via share access, so maybe that changed the timing behavior. From my perspective this depth of analysis is enough for that and I'll not dig further.
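The two failure modes described in this comment (a helper process that outlives a failed test, and printing before the share is ready), written out as an added Python example that is not ucs-test code: a context manager that terminates the helper whether the test body passes or fails, and a print routine that sleeps before its first attempt and then retries a bounded number of times. The stand-in helper (a sleeping child process instead of `nc`), the function names and the 10-second grace period are assumptions; the sleep function is injectable so the timing can be checked without waiting.

```python
"""Added example, not ucs-test code: the two hygiene points behind the flaky
38_printer_special_chars run, written out generically.
  1. A helper the test starts (the `nc` printer mock) must be terminated even
     when the test body fails; a leaked listener breaks every later test.
  2. A freshly created share is not usable at once, so wait BEFORE the first
     print attempt, then retry a bounded number of times.
The sleeping child process standing in for `nc`, the names and the delays are
assumptions made for this example."""
import contextlib
import subprocess
import sys
import time


@contextlib.contextmanager
def helper_process(argv):
    """Run argv in the background and guarantee it is gone when the with-block
    ends, whether the block returned normally or raised."""
    proc = subprocess.Popen(argv)
    try:
        yield proc
    finally:
        if proc.poll() is None:          # still running: ask politely, then insist
            proc.terminate()
            try:
                proc.wait(timeout=5)
            except subprocess.TimeoutExpired:
                proc.kill()
                proc.wait()


def print_with_grace(attempt, grace=10.0, retries=3, delay=2.0, sleep=time.sleep):
    """Call attempt() after an initial grace period, retrying on failure.
    `sleep` is a parameter so tests can record delays instead of waiting."""
    sleep(grace)                         # do not touch the share before it is ready
    last_error = None
    for _ in range(retries):
        try:
            return attempt()
        except (OSError, subprocess.SubprocessError) as exc:
            last_error = exc
            sleep(delay)
    raise RuntimeError("printing failed after %d attempts" % retries) from last_error


# Stand-in for the netcat printer mock: a child that would live for minutes
# if nobody killed it (constructed for this example).
MOCK_HELPER = [sys.executable, "-c", "import time; time.sleep(300)"]


def run_test(test_body, argv=MOCK_HELPER):
    """Run test_body(proc) with the helper alive. Returns (result, error, proc);
    error is the exception the body raised, if any. The helper is cleaned up
    in both cases, which is the property a test runner must have."""
    result = error = None
    with helper_process(argv) as proc:
        try:
            result = test_body(proc)
        except Exception as exc:         # report rather than hide the failure
            error = exc
    return result, error, proc


if __name__ == "__main__":
    def failing_body(proc):
        raise RuntimeError("simulated test failure while helper pid %d runs" % proc.pid)

    _, err, proc = run_test(failing_body)
    print("body failed:", err)
    print("helper reaped anyway, exit status:", proc.returncode)
```

In a real test the `attempt` callable would be the `smbclient`/`lp` invocation (for example `subprocess.run([...], check=True)`, whose `CalledProcessError` is a `SubprocessError` and therefore retried), and the helper would be the `nc` listener; the structure is what matters: cleanup in `finally`, and the grace period before the first attempt rather than after the first failure.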
Comment 8 Arvid Requate univentionstaff 2022-07-27 14:20:56 CEST
71c07a703a | Advisories
Comment 9 Philipp Hahn univentionstaff 2022-07-27 18:43:13 CEST
OK: errata-announce -V --only samba.yaml
OK: samba.yaml
OK: errata-announce -V --only ldb.yaml
OK: ldb.yaml
OK: errata-announce -V --only univention-ldb-modules.yaml
OK: univention-ldb-modules.yaml


OK: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/AutotestJoin/lastCompletedBuild/testReport/
~OK: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/AutotestUpgrade/lastCompletedBuild/testReport/
OK: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/AutotestJoinReleased/
IGN: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/Installation%20Tests/lastCompletedBuild/testReport/

OK: dpkg-query -W python\*-samba samba\* libunivention-ldb-modules\* ldb-tools libldb\* python\*-ldb
OK: univention-app install samba4
OK: univention-run-diagnostic-checks
OK: systemctl status
OK: less /var/log/samba/log.*