Now that CAN-2003-0689 is published officially, we need to make it possible
to build on systems with a fixed getgrouplist() in GNU libc < 2.3.2. Unfortunately, we can't detect in a portable way whether getgrouplist() works correctly, so this is left up to the developer/packager. This patch adds a --with-good-getgrouplist[=no] switch to configure which packagers on Linux platforms could use to specify in their own builds if they know that glibc on their platform is fixed w.r.t. CAN-2003-0689. By default we still think that glibc is vulnerable and perform our version check. ** This patch does not change default behaviour in Samba 3.0 -- by default we are not vulnerable on glibc as we are not using getgrouplist(). See http://www.securityfocus.com/bid/8477 for the vulnerability description. Right now the following Linux vendors have released glibc updates for CAN-2003-0689: RedHat -- https://rhn.redhat.com/errata/RHSA-2003-249.html ALTLinux -- http://www.altlinux.com/index.php?module=sisyphus&package=glibc
parent
0c35ba2cd6
commit
e53622c114
@ -883,8 +883,23 @@ AC_CHECK_FUNCS(open64 _open64 __open64 creat64)
|
||||
#
|
||||
case "$host_os" in
|
||||
*linux*)
|
||||
# glibc <= 2.3.2 has a broken getgrouplist
|
||||
AC_TRY_RUN([
|
||||
# test if user trusts its own glibc version w.r.t. CAN-2003-0689
|
||||
# Some vendors already provided glibc builds with this fix so getgrouplist() is usable
|
||||
# on those platforms. Unfortunately, we can't get this information from compiling yet.
|
||||
AC_MSG_CHECKING([whether GNU libc has good getgrouplist w.r.t. CAN-2003-0689])
|
||||
AC_ARG_WITH(good-getgrouplist,
|
||||
[ --with-good-getgrouplist[=no] whether GNU libc has good getgrouplist w.r.t. CAN-2003-0689 ],
|
||||
[ case "$with_good_getgrouplist" in
|
||||
yes)
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(HAVE_GETGROUPLIST, 1, [Have good getgrouplist])
|
||||
;;
|
||||
*)
|
||||
AC_MSG_RESULT(no)
|
||||
;;
|
||||
esac],
|
||||
# glibc <= 2.3.2 has a broken getgrouplist
|
||||
AC_TRY_RUN([
|
||||
#include <unistd.h>
|
||||
#include <sys/utsname.h>
|
||||
main() {
|
||||
@ -902,8 +917,12 @@ main() {
|
||||
}
|
||||
], [linux_getgrouplist_ok=yes], [linux_getgrouplist_ok=no])
|
||||
if test x"$linux_getgrouplist_ok" = x"yes"; then
|
||||
AC_MSG_RESULT(yes)
|
||||
AC_DEFINE(HAVE_GETGROUPLIST, 1, [Have good getgrouplist])
|
||||
else
|
||||
AC_MSG_RESULT(no)
|
||||
fi
|
||||
)
|
||||
;;
|
||||
*)
|
||||
AC_CHECK_FUNCS(getgrouplist)
|
||||
|
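Review bot: In the `yes)` arm of the new `AC_ARG_WITH(good-getgrouplist, …)` case, `HAVE_GETGROUPLIST` is defined purely on the packager's assertion, yet configure prints the same plain `yes` as the glibc version probe, so a build log cannot show whether getgrouplist() was enabled by the check or by the override. Because the override exists precisely since the CAN-2003-0689 fix cannot be detected, I would make the result say so, e.g. `AC_MSG_RESULT([yes (asserted via --with-good-getgrouplist, not verified)])`, which lets anyone auditing a package spot a build that trusted its glibc without a probe. The `[=no]` in the help string also reads as the default, but the `*)` arm skips the version probe entirely while omitting the option runs it; a comment such as `# any value other than yes disables getgrouplist() without probing glibc` above that arm would document the difference. The body of the AC_TRY_RUN test program lies between the two hunks and is not visible here.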