Univention Bugzilla – Bug 54994
samba: Multiple issues (5.0)
Last modified: 2022-08-01 13:18:48 CEST
Upstream provided combined patches which I added like this:
* 98_CVE-2022-2031+32744.quilt
* 98_CVE-2022-32742.quilt
* 98_CVE-2022-32745+32746.quilt

I've extracted the ldb specific parts of the combined patch set for CVE-2022-32745 and CVE-2022-32746 to patch the ldb package and cherrypicked the packages into the errata5.0-2:
* repo_admin.py --cherrypick --release 5.0-0 --source ucs5.0-2 --releasedest 5.0-0 --dest errata5.0-2 --package ldb
* same for samba

I added the patches for ldb and battled a bit with svn:
r19652 | New upstream patches ## to ucs5.0-2, so that was wrong path
r19653 | the cherrypick
r19655 | merge patches from 2:2.5.0-1-ucs5.0-2 ## also wrong
r19656 | revert last commit ## revert
r19657 | New upstream patches ## move patches to correct path
r19660 | Update symbols
r19661 | Update symbols
r19662 | Update symbols

Package: ldb
Version: 2:2.5.1-1A~5.0.0.202207181955
Branch: ucs_5.0-0
Scope: errata5.0-2

And I added the patches for samba and experimented a bit with splitting the patches to avoid the warnings by patch that files get changed twice by the patches. But then I decided that it's not worth splitting the patches into 25 parts just for that.
r19654 | the cherrypick
r19658 | New upstream patches
r19659 | rename file to .quilt
r19663 | split patch
r19664 | split patch
r19665 | adjust patch to 34_samba_dns_tomstone.quilt
r19666 | adjust patch to 34_samba_dns_tomstone.quilt
r19667 | re-combine patch
r19668 | re-combine patch

Package: samba
Version: 2:4.16.2-1A~5.0.0.202207182052
Branch: ucs_5.0-0
Scope: errata5.0-2

5659216111 | Advisories
Package update failed with
> samba-dsdb-modules : Hängt ab von: libldb2 (> 2:2.5.2~) aber 2:2.5.1-1A~5.0.0.202206171844 soll installiert werden

So I've merged the svn patches into the source package and updated the debian/changelog version accordingly. I've imported the new source package and built it:

Package: ldb
Version: 2:2.5.2-1A~5.0.0.202207191717
Branch: ucs_5.0-0
Scope: errata5.0-2

To be sure I've rebuilt samba again, too:

Package: samba
Version: 2:4.16.2-1A~5.0.0.202207191731
Branch: ucs_5.0-0
Scope: errata5.0-2

c216d4b0a4 | Advisory update

I've also cherrypicked and rebuilt univention-ldb-modules:

Package: univention-ldb-modules
Version: 8.0.0-7A~5.0.0.202207191820
Branch: ucs_5.0-0
Scope: errata5.0-2

180fcd59f5 | Advisory
We need a specific dependency for "newer or equal than latest" for the samba-dsdb-modules package, otherwise the installation of the latest samba4 app packages fails (i.e. u-samba4 and u-s4-connector)

7b61aedf7c Bug #54994: Add dependency on specific samba-dsdb-modules version
6a3cbd0f4d Bug #54994: yaml

univention-samba4 9.0.8-3A~5.0.0.202207251614
As discussed, there is one ucs-test failing on UCS 5

53_samba-common/38_printer_special_chars

But it only fails if the complete samba-common section is executed, it cannot be reproduced when executing the test on its own. But after it has failed once, it fails even when run on its own. Might be a missing cleanup from a test before that, or regression in samba itself, because the test fails only with the latest samba version.

Reopen, to
* re-check the test
* there are still no advisories
QA results so far:

Patches for the issues are okay and have been applied
98_CVE-2022-2031+32744.quilt
98_CVE-2022-32742.quilt
98_CVE-2022-32745+32746.quilt

samba 2:4.16.2-1A~5.0.0.202207191731
ldb 2:2.5.2-1A~5.0.0.202207191717
univention-ldb-modules 8.0.0-7A~5.0.0.202207191820
> 53_samba-common/38_printer_special_chars

That test is terribly flaky, as observed before: https://forge.univention.org/bugzilla/show_bug.cgi?id=48947#c1

Via that bug Florian added a section to 38_printer_special_chars where printing is done without samba, just directly using lp against cups. Even that fails sometimes with "CUPS: Nothing has been printed to the output file.", because previous tests (like 36_printer) don't clean up their netcat-helper process if they fail.

I've analyzed the issue and adjusted 38_printer_special_chars and 36_printer a bit so that it worked significantly better in my tests. The main trick seems to be to wait a bit in 38_printer_special_chars *before* doing the first attempt, otherwise there seems to be a negative cache that has a ttl of about 5 minutes.

6f67ce578c | Fix 38_printer_special_chars

Package: ucs-test
Version: 10.0.7-8A~5.0.0.202207262233
Branch: ucs_5.0-0
Scope: errata5.0-2

I tried to use http://jenkins2022.knut.univention.de/job/PublishUCS5Testing/ but it seems to ignore my request to "build now". So I ran /usr/sbin/update_ucs5_testing_mirror.sh manually, but I don't know if it was early enough for the tests.
My adjustment to `ucs-test/tests/53_samba-common/38_printer_special_chars` didn't make it into last night's tests.

Amongst other things (`nc` processes used for printer mocking not getting terminated on failure) the main fix seems to be that it now takes longer for Samba to make available a printershare with a "`very long share name with spaces`" (Bug 48947 Comment 1) and when the test attempts to print to that share before it is ready, then it seems to get some kind of negative cache entry (or at least a stuck data structure, error message: "NT_STATUS_HARDWARE_MEMORY_ERROR opening remote file") for about 5 minutes, before printing on that share starts to work. Simply inserting a 5 second wait before attempting to print was enough on my system to stabilize the test. In ucs-test I've put 10 seconds to be sure.

One of the new Samba patches fixes a server memory disclosure via share access, so maybe that changed the timing behavior. From my perspective this depth of analysis is enough for that and I'll not dig further.
71c07a703a | Advisories
OK: errata-announce -V --only samba.yaml
OK: samba.yaml
OK: errata-announce -V --only ldb.yaml
OK: ldb.yaml
OK: errata-announce -V --only univention-ldb-modules.yaml
OK: univention-ldb-modules.yaml

OK: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/AutotestJoin/lastCompletedBuild/testReport/
~OK: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/AutotestUpgrade/lastCompletedBuild/testReport/
OK: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/AutotestJoinReleased/
IGN: https://jenkins2022.knut.univention.de/job/UCS-5.0/job/UCS-5.0-2/job/Installation%20Tests/lastCompletedBuild/testReport/

OK: dpkg-query -W python\*-samba samba\* libunivention-ldb-modules\* ldb-tools libldb\* python\*-ldb
OK: univention-app install samba4
OK: univention-run-diagnostic-checks
OK: systemctl status
OK: less /var/log/samba/log.*
<https://errata.software-univention.de/#/?erratum=5.0x367>
<https://errata.software-univention.de/#/?erratum=5.0x368>
<https://errata.software-univention.de/#/?erratum=5.0x369>
<https://errata.software-univention.de/#/?erratum=5.0x374>