Update to version 4.21.3

- related: RHEL-59777
2025-01-07 10:58:22 +01:00 · 2025-01-07 10:58:22 +01:00 · 7128f7ceca
commit 7128f7ceca
parent 4718ec99f1
4 changed files with 209 additions and 880 deletions
--- a/.gitignore
+++ b/.gitignore
@ -369,3 +369,5 @@ samba-3.6.0pre1.tar.gz
 /samba-4.21.1.tar.xz
 /samba-4.21.2.tar.asc
 /samba-4.21.2.tar.xz
+/samba-4.21.3.tar.asc
+/samba-4.21.3.tar.xz
--- a/redhat-4.21.patch
+++ b/redhat-4.21.patch
@ -1,7 +1,7 @@
 From 2d9ab68f501f5796bdf4662a058a2adff30d497e Mon Sep 17 00:00:00 2001
 From: Andreas Schneider <asn@samba.org>
 Date: Mon, 22 Jul 2024 12:26:55 +0200
-Subject: [PATCH] s3:notifyd: Use a watcher per db record
+Subject: [PATCH 1/2] s3:notifyd: Use a watcher per db record
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
@ -509,5 +509,157 @@ index 36c08f47c54..db8e6e1c005 100644
 
 #endif
 -- 
-2.46.1
+2.47.1
+
+
+From 7da7ec8baccf75e801ac65e2177d67f1618681e0 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Thu, 5 Dec 2024 16:35:51 +1300
+Subject: [PATCH 2/2] util: add a crypt wrapper, derived from
+ dsdb:password_hash
+
+This is going to be used by the dsdb password_hash module, and exposed
+to Python via pyglue.
+
+We're doing this because Python 3.13 has dropped crypt from the Python
+standard library.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15756
+
+Reviewed-by: Andreas Schneider <asn@samba.org>
+(cherry picked from commit 93bc860e8f344a96d0496edbc5d463f2c5411fcd)
+---
+ lib/util/util_crypt.c  | 90 ++++++++++++++++++++++++++++++++++++++++++
+ lib/util/util_crypt.h  |  5 +++
+ lib/util/wscript_build |  6 +++
+ 3 files changed, 101 insertions(+)
+ create mode 100644 lib/util/util_crypt.c
+ create mode 100644 lib/util/util_crypt.h
+
+diff --git a/lib/util/util_crypt.c b/lib/util/util_crypt.c
+new file mode 100644
+index 00000000000..0f7b2d0fd31
+--- /dev/null
+++ b/lib/util/util_crypt.c
+@@ -0,0 +1,90 @@
+#include <replace.h>
+#include "data_blob.h"
+#include <talloc.h>
+#include <crypt.h>
+#include "util_crypt.h"
+
+
+static int crypt_as_best_we_can(const char *phrase,
+				const char *setting,
+				const char **hashp)
+{
+	int ret = 0;
+	const char *hash = NULL;
+
+#if defined(HAVE_CRYPT_R) || defined(HAVE_CRYPT_RN)
+	struct crypt_data crypt_data = {
+		.initialized = 0        /* working storage used by crypt */
+	};
+#endif
+
+	/*
+	 * crypt_r() and crypt() may return a null pointer upon error
+	 * depending on how libcrypt was configured, so we prefer
+	 * crypt_rn() from libcrypt / libxcrypt which always returns
+	 * NULL on error.
+	 *
+	 * POSIX specifies returning a null pointer and setting
+	 * errno.
+	 *
+	 * RHEL 7 (which does not use libcrypt / libxcrypt) returns a
+	 * non-NULL pointer from crypt_r() on success but (always?)
+	 * sets errno during internal processing in the NSS crypto
+	 * subsystem.
+	 *
+	 * By preferring crypt_rn we avoid the 'return non-NULL but
+	 * set-errno' that we otherwise cannot tell apart from the
+	 * RHEL 7 behaviour.
+	 */
+	errno = 0;
+
+#ifdef HAVE_CRYPT_RN
+	hash = crypt_rn(phrase, setting,
+			&crypt_data,
+			sizeof(crypt_data));
+#elif HAVE_CRYPT_R
+	hash = crypt_r(phrase, setting, &crypt_data);
+#else
+	/*
+	 * No crypt_r falling back to crypt, which is NOT thread safe
+	 * Thread safety MT-Unsafe race:crypt
+	 */
+	hash = crypt(phrase, setting);
+#endif
+	/*
+	* On error, crypt() and crypt_r() may return a null pointer,
+	* or a pointer to an invalid hash beginning with a '*'.
+	*/
+	ret = errno;
+	errno = 0;
+	if (hash == NULL || hash[0] == '*') {
+		if (ret == 0) {
+			/* this is annoying */
+			ret = ENOTRECOVERABLE;
+		}
+	}
+
+	*hashp = hash;
+	return ret;
+}
+
+
+int talloc_crypt_blob(TALLOC_CTX *mem_ctx,
+		      const char *phrase,
+		      const char *setting,
+		      DATA_BLOB *blob)
+{
+	const char *hash = NULL;
+	int ret = crypt_as_best_we_can(phrase, setting, &hash);
+	if (ret != 0) {
+		blob->data = NULL;
+		blob->length = 0;
+		return ret;
+	}
+	blob->length = strlen(hash);
+	blob->data = talloc_memdup(mem_ctx, hash, blob->length);
+	if (blob->data == NULL) {
+		return ENOMEM;
+	}
+	return 0;
+}
+diff --git a/lib/util/util_crypt.h b/lib/util/util_crypt.h
+new file mode 100644
+index 00000000000..8c289e489e8
+--- /dev/null
+++ b/lib/util/util_crypt.h
+@@ -0,0 +1,5 @@
+
+int talloc_crypt_blob(TALLOC_CTX *mem_ctx,
+		      const char *phrase,
+		      const char *cmd,
+		      DATA_BLOB *blob);
+diff --git a/lib/util/wscript_build b/lib/util/wscript_build
+index b4fcfeaba07..7de9c0b7b17 100644
+--- a/lib/util/wscript_build
+++ b/lib/util/wscript_build
+@@ -253,6 +253,12 @@ else:
+                       private_library=True,
+                       local_include=False)
+ 
+    bld.SAMBA_LIBRARY('util_crypt',
+                      source='util_crypt.c',
+                      deps='talloc crypt',
+                      private_library=True,
+                      local_include=False)
+
+ 
+     bld.SAMBA_SUBSYSTEM('UNIX_PRIVS',
+                         source='unix_privs.c',
+-- 
+2.47.1

--- a/samba.spec
+++ b/samba.spec
--- a/4
+++ b/4
@ -1,2 +1,2 @@
-SHA512 (samba-4.21.2.tar.asc) = f3da123d2e86a7e07c4fcb83924edd29195d865091d80125f3531c463662a8a38ba6d8c467932af8cd065d0cc4467131c83a4e3783573b757f6ed9c2bde0befc
-SHA512 (samba-4.21.2.tar.xz) = c26311a60d3994561aa12c36e54bc37d1161ec1063aa9876ea03dee24984e9c827e5836dc86bc392e37193010275a642b960e775b5a9e029246ba56ae1697682
+SHA512 (samba-4.21.3.tar.asc) = 11e40d32b783b7d57d3f35fe96a17e897719f65d796d965b371dfb58b8cf1f8ffe60c3047bea8c2b2b0d475fa55cd25237b9ba84d44b3d65a8cd53c6af760957
+SHA512 (samba-4.21.3.tar.xz) = 62eb3bfe1aa1cc8aa68055d4caf21bdea6d6f5b0f767566bef1da210100b5dd17b7d60f5c47da01b0123d3a2c1c3689b1960ef2c2cbd4f804ff998ead994fc3f