[Samba] libldb for security patch 4.12 backport?

Rowland Penny rpenny at samba.org
Thu Jul 28 18:33:25 UTC 2022


On Fri, 2022-07-29 at 06:27 +1200, Andrew Bartlett wrote:
> On Thu, 2022-07-28 at 18:12 +0100, Rowland Penny via samba wrote:
> > On Thu, 2022-07-28 at 16:37 +0000, Sri Nagasubramanian via samba
> > wrote:
> > > Hello,
> > > 
> > > I'm trying to build the 4.12 version of the new security patches
> > > that were kindly provided (for CVE-2022-2031
> > > <https://www.samba.org/samba/security/CVE-2022-2031.html>,
> > > CVE-2022-32742
> > > <https://www.samba.org/samba/security/CVE-2022-32742.html>,
> > > CVE-2022-32744
> > > <https://www.samba.org/samba/security/CVE-2022-32744.html>,
> > > CVE-2022-32745
> > > <https://www.samba.org/samba/security/CVE-2022-32745.html> and
> > > CVE-2022-32746
> > > <https://www.samba.org/samba/security/CVE-2022-32746.html>), but
> > > am not able to use my usual build procedure because the patches
> > > require libldb 2.1.6 and I haven't been able to locate the source
> > > code for that.  I do see a reference that Andrew Bartlett made
> > > against one of the related Bugzilla cases (15096) that says that
> > > the 4.12-related ldb release is unofficial and has not been
> > > released upstream - which would explain why I can't find it in my
> > > usual places.  Am I misunderstanding how to proceed with the 4.12
> > > patches (or perhaps I'm out of luck for now)?
> > > 
> > > Thanks,
> > > Sri
> > 
> > It sounds like you are trying to build Samba 4.12.x with the new
> > patches. The supplied patches are for 4.14.14, 4.15.9 and 4.16.4;
> > they may not apply to your version and will, as you have found out,
> > require other packages to be updated.
> 
> In this case it is more that if building Samba to use a 'system ldb',
> you would also need to build ldb from within the Samba tree, install
> that, then build against it.
> 
> There isn't an ldb 2.1.6 tarball, but one could be created with the
> 'make dist' in lib/ldb of the patched tree if needed, but it might be
> better to instead have Samba use an 'internal' ldb.
> 
> This reinforces why I think ldb should not be being released as a
> distinct tarball, it just causes too much trouble at security release
> time.
> 
> Andrew Bartlett

Hi Andrew,
From what you say, I agree that ldb shouldn't be separate, but the main
problem is that you keep too much in your head, somewhere no one else
has access to :-D

Rowland




