Date: Wednesday, December 9, 2020 @ 09:33:33 Author: tpowa Revision: 403182
upgpkg: cifs-utils 6.11-2: fix libpcap-ng #68666 Added: cifs-utils/trunk/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch Modified: cifs-utils/trunk/PKGBUILD -----------------------------------------------------------+ PKGBUILD | 11 - cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch | 101 ++++++++++++ 2 files changed, 109 insertions(+), 3 deletions(-) Modified: PKGBUILD ===================================================================
--- PKGBUILD 2020-12-09 09:24:42 UTC (rev 403181)
+++ PKGBUILD 2020-12-09 09:33:33 UTC (rev 403182)
@@ -1,7 +1,7 @@
 # Maintainer: Tobias Powalowski <tp...@archlinux.org>
 pkgname=cifs-utils
 pkgver=6.11
-pkgrel=1
+pkgrel=2
 pkgdesc="CIFS filesystem user-space tools"
 arch=(x86_64)
 url="https://wiki.samba.org/index.php/LinuxCIFS_utils"
@@ -8,14 +8,19 @@ license=('GPL') depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam') makedepends=('python-docutils') -source=("https://download.samba.org/pub/linux-cifs/$pkgname/$pkgname-$pkgver.tar.bz2"{,.asc}) +source=("https://download.samba.org/pub/linux-cifs/$pkgname/$pkgname-$pkgver.tar.bz2"{,.asc} + "cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch") + validpgpkeys=('C699981A31F338706C817650DF5BA9D30642D5A0') #cifs-utils Distribution Verification Key <cifs-ut...@samba.org> sha256sums=('b859239a3f204f8220d3e54ed43bf8109e1ef202042dd87ba87492f8878728d9' - 'SKIP') + 'SKIP' + '0edcd01eb3e721a5726cc00160667dc2f7c935883bad71711288488081f81e5b') prepare() { # Fix install to honor DESTDIR sed -e 's|\$(man8dir)|$(DESTDIR)$(man8dir)|g' -e 's|cd \$(ROOTSBINDIR)|cd $(DESTDIR)$(ROOTSBINDIR)|g' -i $pkgname-$pkgver/Makefile.am + cd "$srcdir/$pkgname-$pkgver" + patch -Np1 -i $srcdir/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch } build() { Added: cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch =================================================================== --- cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch (rev 0) +++ cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch 2020-12-09 09:33:33 UTC (rev 403182) 
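Review bot: The added `patch` line in prepare() leaves `$srcdir` unquoted while the `cd` line just above it quotes the same variable; `patch -Np1 -i "$srcdir/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch"` keeps the two consistent and survives a build directory whose path contains spaces. Because the patch changes how mount.cifs and cifs.upcall drop privileges, a comment above the new source entry recording its origin and when it can be dropped would help the next maintainer, e.g. `# libcap-ng 0.8.1 capng_apply fix (#68666); remove once part of a cifs-utils release`. prepare() closes inside the hunk, while build() opens on its last line and continues outside it.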
@@ -0,0 +1,101 @@
+From f4e7c84467152624a288351321c8664dbf3364af Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabo...@archlinux.org>
+Date: Sat, 21 Nov 2020 11:41:26 +0100
+Subject: [PATCH 1/2] mount.cifs: update the cap bounding set only when
+ CAP_SETPCAP is given
+
+libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
+of -4 when trying to update the capability bounding set without having the
+CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
+silently skipped updating the bounding set and only updated the normal
+CAPNG_SELECT_CAPS capabilities instead.
+
+Check beforehand whether we have CAP_SETPCAP, in which case we can use
+CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
+Otherwise, we can at least update the normal capabilities, but refrain from
+trying to update the bounding set to avoid getting an error.
+
+Signed-off-by: Jonas Witschel <diabo...@archlinux.org>
+---
+ mount.cifs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/mount.cifs.c b/mount.cifs.c
+index 4feb397..88b8b69 100644
+--- a/mount.cifs.c
++++ b/mount.cifs.c
+@@ -338,6 +338,8 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src)
+ static int
+ drop_capabilities(int parent)
+ {
++ capng_select_t set = CAPNG_SELECT_CAPS;
++
+ capng_setpid(getpid());
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (parent) {
+@@ -355,7 +357,10 @@ drop_capabilities(int parent)
+ return EX_SYSERR;
+ }
+ }
+- if (capng_apply(CAPNG_SELECT_BOTH)) {
++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++ set = CAPNG_SELECT_BOTH;
++ }
++ if (capng_apply(set)) {
+ fprintf(stderr, "Unable to apply new capability set.\n");
+ return EX_SYSERR;
+ }
+--
+2.29.2
+
+
+From 64dfbafe7a0639a96d67f0b840b6e6498e1f68a9 Mon Sep 17 00:00:00 2001
+From: Jonas Witschel <diabo...@archlinux.org>
+Date: Sat, 21 Nov 2020 11:48:33 +0100
+Subject: [PATCH 2/2] cifs.upall: update the cap bounding set only when
+ CAP_SETPCAP is given
+
+libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error
+of -4 when trying to update the capability bounding set without having the
+CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng
+silently skipped updating the bounding set and only updated the normal
+CAPNG_SELECT_CAPS capabilities instead.
+
+Check beforehand whether we have CAP_SETPCAP, in which case we can use
+CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set.
+Otherwise, we can at least update the normal capabilities, but refrain from
+trying to update the bounding set to avoid getting an error.
+
+Signed-off-by: Jonas Witschel <diabo...@archlinux.org>
+---
+ cifs.upcall.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index 1559434..af1a0b0 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -88,6 +88,8 @@ typedef enum _sectype {
+ static int
+ trim_capabilities(bool need_environ)
+ {
++ capng_select_t set = CAPNG_SELECT_CAPS;
++
+ capng_clear(CAPNG_SELECT_BOTH);
+
+ /* SETUID and SETGID to change uid, gid, and grouplist */
+@@ -105,7 +107,10 @@ trim_capabilities(bool need_environ)
+ return 1;
+ }
+
+- if (capng_apply(CAPNG_SELECT_BOTH)) {
++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
++ set = CAPNG_SELECT_BOTH;
++ }
++ if (capng_apply(set)) {
+ syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__);
+ return 1;
+ }
+--
+2.29.2
+
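Review bot: In both `drop_capabilities()` (mount.cifs.c) and `trim_capabilities()` (cifs.upcall.c) the new `capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)` test runs after `capng_clear(CAPNG_SELECT_BOTH)`, and as far as I can tell libcap-ng answers that query from its in-memory working set, not from the kernel. Unless the lines elided between the inner hunks add CAP_SETPCAP back, the test would then always be false and the bounding set would never be trimmed, even for a caller that does hold CAP_SETPCAP. Sampling the process state first, with `if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) set = CAPNG_SELECT_BOTH;` placed ahead of the `capng_clear()` call, would keep the stricter path reachable; this should be confirmed against libcap-ng 0.8.1. Either way a comment such as `/* without CAP_SETPCAP the inherited bounding set is left as is */` beside the fallback would make the weaker guarantee explicit. Both function bodies continue outside the inner hunks.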