From cf598c5c1ce4fdc0d01f92c15604182c9e913abf Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 10 Sep 2003 13:39:09 +0000 Subject: Now that CAN-2003-0689 is published officially, we need to make possible to build on systems with fixed getgrouplist() in GNU libc < 2.3.2. Unfortunately, we can't detect correctness of getgrouplist() functioning in portable way so this is left up to developer/packager. This patch adds --with-good-getgrouplist[=no] switch to configure which packagers on Linux platforms could use to specify in their own builds if they now that glibc on their platform is fixed w.r.t CAN-2003-0689. By default we still think that glibc is vulnerable and perform our version check. ** This patch does not change default behaviour in Samba 3.0 -- by default we are not vulnerable on glibc as we are not using getgrouplist() See http://www.securityfocus.com/bid/8477 for vulnerability description. Right now there are following Linux vendors released glibc updates for CAN-2003-0689: RedHat -- https://rhn.redhat.com/errata/RHSA-2003-249.html ALTLinux -- http://www.altlinux.com/index.php?module=sisyphus&package=glibc (This used to be commit e53622c114e0368515c50b357567fcdd0b95979e) --- source3/configure.in | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/source3/configure.in b/source3/configure.in index a2e04b5d48..151411feb8 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -883,8 +883,23 @@ AC_CHECK_FUNCS(open64 _open64 __open64 creat64) # case "$host_os" in *linux*) - # glibc <= 2.3.2 has a broken getgrouplist - AC_TRY_RUN([ + # test if user trusts its own glibc version w.r.t. CAN-2003-0689 + # Some vendors already provided glibc builds with this fix so getgrouplist() is usable + # on those platforms. Unfortunately, we can't get this information from compiling yet. + AC_MSG_CHECKING([whether GNU libc has good getgrouplist w.r.t. CAN-2003-0689]) + AC_ARG_WITH(good-getgrouplist, + [ --with-good-getgrouplist[=no] whether GNU libc has good getgrouplist w.r.t. CAN-2003-0689 ], + [ case "$with_good_getgrouplist" in + yes) + AC_MSG_RESULT(yes) + AC_DEFINE(HAVE_GETGROUPLIST, 1, [Have good getgrouplist]) + ;; + *) + AC_MSG_RESULT(no) + ;; + esac], +# glibc <= 2.3.2 has a broken getgrouplist +AC_TRY_RUN([ #include #include main() { @@ -902,8 +917,12 @@ main() { } ], [linux_getgrouplist_ok=yes], [linux_getgrouplist_ok=no]) if test x"$linux_getgrouplist_ok" = x"yes"; then + AC_MSG_RESULT(yes) AC_DEFINE(HAVE_GETGROUPLIST, 1, [Have good getgrouplist]) + else + AC_MSG_RESULT(no) fi +) ;; *) AC_CHECK_FUNCS(getgrouplist) -- cgit