
Re: samba4 package didn't bundle Heimdal



Hi Andrew,
On Thu, Jul 13, 2017 at 09:17:57PM +1200, Andrew Bartlett wrote:
> https://security-tracker.debian.org/tracker/CVE-2017-11103
> 
> Back when samba4 (which has been eviscerated to a client) was a
> package, it linked against the system heimdal.
> 
> You can see this because it depends on heimdal.
> 
> https://packages.debian.org/wheezy/libsamba-credentials0
> 
> Additionally, the link to the heimdal code has always been dynamic, not
> static, it just changed from dynamic to the system libs to dynamic to
> the vendored lib embedded in our tree with the Samba 4.2 packages.

Thanks for having a look! I just double checked and indeed the build
logs have:

[..snip..]
Checking for program krb5-config.heimdal                                                        : /usr/bin/krb5-config.heimdal 
...
Selected system Heimdal build
[..snip..]
 
There is some stuff compiled from heimdal

...
[ 147/2938] Compiling source4/heimdal/lib/vers/print_version.c
[ 148/2938] Compiling source4/heimdal_build/version.c
[ 149/2938] Compiling source4/heimdal/lib/vers/print_version.c
[ 150/2938] Compiling source4/heimdal_build/version.c
[ 151/2938] Compiling source4/heimdal/lib/asn1/main.c
[ 152/2938] Compiling source4/heimdal/lib/asn1/gen.c
[ 153/2938] Compiling source4/heimdal/lib/asn1/gen_copy.c
[ 154/2938] Compiling source4/heimdal/lib/asn1/gen_decode.c
[ 155/2938] Compiling source4/heimdal/lib/asn1/gen_encode.c
[ 156/2938] Compiling source4/heimdal/lib/asn1/gen_free.c
[ 157/2938] Compiling source4/heimdal/lib/asn1/gen_glue.c
[ 158/2938] Compiling source4/heimdal/lib/asn1/gen_length.c
[ 159/2938] Compiling source4/heimdal/lib/asn1/gen_seq.c
[ 160/2938] Compiling source4/heimdal/lib/asn1/gen_template.c
[ 161/2938] Compiling source4/heimdal/lib/asn1/hash.c
[ 162/2938] Compiling source4/heimdal/lib/asn1/symbol.c
[ 163/2938] Compiling source4/heimdal/lib/asn1/asn1parse.c
[ 164/2938] Compiling source4/heimdal/lib/asn1/lex.c
...

but none of the affected code so I've marked samba4 as not affected.
Thanks a lot!
 -- Guido
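
The build-log check described in this message, as an added example that is not part of the original mail or of any Samba or Debian tooling. The function name `triage`, the sample log (constructed in the format quoted above) and the affected-path prefix (a placeholder, since the thread does not name the affected files) are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the format of the build log quoted in the mail.
SAMPLE_LOG = """\
Checking for program krb5-config.heimdal : /usr/bin/krb5-config.heimdal
Selected system Heimdal build
[ 147/2938] Compiling source4/heimdal/lib/vers/print_version.c
[ 148/2938] Compiling source4/heimdal_build/version.c
[ 149/2938] Compiling source4/heimdal/lib/vers/print_version.c
[ 151/2938] Compiling source4/heimdal/lib/asn1/main.c
[ 152/2938] Compiling source4/heimdal/lib/asn1/gen.c
[ 900/2938] Compiling source4/constructed/other.c
"""

COMPILE_RE = re.compile(r"^\[\s*\d+/\d+\]\s+Compiling\s+(\S+)\s*$")
BUNDLED_PREFIX = "source4/heimdal/"  # in-tree Heimdal copy seen in the log


def triage(log_text, affected_prefixes):
    """Summarise which bundled Heimdal sources a build actually compiled.

    affected_prefixes: path prefixes taken from the advisory or upstream fix;
    the caller supplies them, nothing is hard-coded here.
    """
    system_heimdal = False
    compiled = set()  # a set, because the log can list a file more than once
    for line in log_text.splitlines():
        if line.strip() == "Selected system Heimdal build":
            system_heimdal = True
        m = COMPILE_RE.match(line)
        if m and m.group(1).startswith(BUNDLED_PREFIX):
            compiled.add(m.group(1))
    # Group by component directory, e.g. source4/heimdal/lib/asn1
    components = Counter("/".join(p.split("/")[:4]) for p in compiled)
    hits = sorted(p for p in compiled
                  if any(p.startswith(a) for a in affected_prefixes))
    return {"system_heimdal": system_heimdal,
            "components": dict(components),
            "affected_hits": hits}


if __name__ == "__main__":
    # Placeholder prefix: replace with the paths named in the advisory.
    report = triage(SAMPLE_LOG, ["source4/heimdal/lib/PLACEHOLDER/"])
    print(report)
    print("needs review" if report["affected_hits"] else
          "no affected bundled sources compiled")
```

An empty `affected_hits` only covers the bundled copy; when `system_heimdal` is true, the fix status of the system Heimdal package still has to be checked separately.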

