samba: 4.20.8 -> 4.22.3

https://www.samba.org/samba/history/samba-4.21.0.html https://www.samba.org/samba/history/samba-4.21.1.html https://www.samba.org/samba/history/samba-4.21.2.html https://www.samba.org/samba/history/samba-4.21.3.html https://www.samba.org/samba/history/samba-4.21.4.html https://www.samba.org/samba/history/samba-4.21.5.html https://www.samba.org/samba/history/samba-4.22.0.html https://www.samba.org/samba/history/samba-4.22.1.html https://www.samba.org/samba/history/samba-4.22.2.html https://www.samba.org/samba/history/samba-4.22.3.html Fixes: CVE-2025-0620
2025-08-14 01:33:16 +02:00 · 2025-08-14 01:33:16 +02:00 · 9ef8e5d463
commit 9ef8e5d463
parent e8da829059
4 changed files with 24 additions and 66 deletions
--- a/pkgs/servers/samba/4.x-no-persistent-install.patch
+++ b/pkgs/servers/samba/4.x-no-persistent-install.patch
@ -1,6 +1,8 @@
--- a/ctdb/wscript	2019-01-15 02:07:00.000000000 -0800
-+++ b/ctdb/wscript	2019-01-20 20:21:08.800187459 -0800
-@@ -814,7 +814,7 @@
+diff --git a/ctdb/wscript b/ctdb/wscript
+index e9cd89436a3..893b9a4c59e 100644
+--- a/ctdb/wscript
+++ b/ctdb/wscript
+@@ -862,7 +862,7 @@ def build(bld):
     for t in etc_subdirs:
         files = SUBDIR_MODE('%s/%s' % (configdir, t), trim_path=configdir)
         for fmode in files:
@ -9,7 +11,7 @@
                               destname=fmode[0], chmod=fmode[1])
 
     # If this is a direct install and there are no event scripts
-@@ -852,24 +852,20 @@
+@@ -901,17 +901,13 @@ def build(bld):
     ]
 
     for t in etc_scripts:
@ -17,16 +19,8 @@
 +        bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}', 'config/%s' % t,
                           destname=t, chmod=MODE_755)
 
-     bld.SAMBA_GENERATOR('ctdb-sudoers',
-                         source='config/ctdb.sudoers',
-                         target='ctdb.sudoers',
-                         rule='sed %s ${SRC} > ${TGT}' % (sed_cmdline))
-    bld.INSTALL_FILES('${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers',
-+    bld.INSTALL_FILES('${EXEC_PREFIX}${SYSCONFDIR}/sudoers.d', 'ctdb.sudoers',
-                       destname='ctdb')
- 
 -    bld.INSTALL_FILES('${CTDB_ETCDIR}/events/notification',
-+    bld.INSTALL_FILES('${EXEC_PREFIX}${CTDB_ETCDIR}/events/notification',
+    bld.INSTALL_FILES('${EXEC_PREFIX}$${CTDB_ETCDIR}/events/notification',
                       'config/notification.README',
                       destname='README')
 
--- a/pkgs/servers/samba/4.x.nix
+++ b/pkgs/servers/samba/4.x.nix
@ -26,11 +26,11 @@
  talloc,
  jansson,
  ldb,
+  lmdb,
  libtasn1,
  tdb,
  tevent,
  libxcrypt,
-  libxcrypt-legacy,
  cmocka,
  rpcsvc-proto,
  bash,
@ -49,7 +49,6 @@
  avahi,
  enableDomainController ? false,
  gpgme,
-  lmdb,
  enableRegedit ? true,
  ncurses,
  enableCephFS ? false,
@ -66,15 +65,6 @@
 }:

 let
-  # samba-tool requires libxcrypt-legacy algorithms
-  python = python3Packages.python.override {
-    self = python;
-    libxcrypt = libxcrypt-legacy;
-  };
-  wrapPython = python3Packages.wrapPython.override {
-    inherit python;
-  };
-
  inherit (lib) optional optionals;

  needsAnswers =
@ -89,11 +79,11 @@ let
 in
 stdenv.mkDerivation (finalAttrs: {
  pname = "samba";
-  version = "4.20.8";
+  version = "4.22.3";

  src = fetchurl {
    url = "https://download.samba.org/pub/samba/stable/samba-${finalAttrs.version}.tar.gz";
-    hash = "sha256-db4OjTH0UBPpsmD+fPMEo20tgSg5GRR3JXchXsFzqAc=";
+    hash = "sha256-j9cJJimjWW2TXNdWfZNJeflCcpGOw6/9DMgHk07PIro=";
  };

  outputs = [
@ -104,7 +94,6 @@ stdenv.mkDerivation (finalAttrs: {

  patches = [
    ./4.x-no-persistent-install.patch
-    ./patch-source3__libads__kerberos_keytab.c.patch
    ./4.x-no-persistent-install-dynconfig.patch
    ./4.x-fix-makeflags-parsing.patch
    ./build-find-pre-built-heimdal-build-tools-in-case-of-.patch
@ -123,6 +112,7 @@ stdenv.mkDerivation (finalAttrs: {

  nativeBuildInputs = [
    python3Packages.python
+    python3Packages.wrapPython
    wafHook
    pkg-config
    bison
@ -148,8 +138,7 @@ stdenv.mkDerivation (finalAttrs: {

  buildInputs = [
    bash
-    wrapPython
-    python
+    python3Packages.python
    readline
    popt
    dbus
@ -158,6 +147,7 @@ stdenv.mkDerivation (finalAttrs: {
    zlib
    gnutls
    libtasn1
+    lmdb
    tdb
    libxcrypt
  ]
@ -182,7 +172,6 @@ stdenv.mkDerivation (finalAttrs: {
  ++ optional enableMDNS avahi
  ++ optionals enableDomainController [
    gpgme
-    lmdb
    python3Packages.dnspython
  ]
  ++ optional enableRegedit ncurses
@ -230,7 +219,7 @@ stdenv.mkDerivation (finalAttrs: {
    "--disable-rpath"
    # otherwise third_party/waf/waflib/Tools/python.py would
    # get the wrong pythondir from build platform python
-    "--pythondir=${placeholder "out"}/${python.sitePackages}"
+    "--pythondir=${placeholder "out"}/${python3Packages.python.sitePackages}"
    (lib.enableFeature enablePrinting "cups")
  ]
  ++ optional (!enableDomainController) "--without-ad-dc"
@ -245,7 +234,7 @@ stdenv.mkDerivation (finalAttrs: {
  ++ optional enableProfiling "--with-profiling-data"
  ++ optional (!enableAcl) "--without-acl-support"
  ++ optional (!enablePam) "--without-pam"
-  ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) ([
+  ++ optionals (stdenv.hostPlatform != stdenv.buildPlatform) [
    "--bundled-libraries=!asn1_compile,!compile_et"
    "--cross-compile"
    (
@ -254,7 +243,7 @@ stdenv.mkDerivation (finalAttrs: {
      else
        "--cross-answers=answers"
    )
-  ])
+  ]
  ++ optionals stdenv.buildPlatform.is32bit [
    # By default `waf configure` spawns as many as available CPUs. On
    # 32-bit systems with many CPUs (like `i686` chroot on `x86_64`
@ -321,7 +310,7 @@ stdenv.mkDerivation (finalAttrs: {
    # Samba does its own shebang patching, but uses build Python
    find $out/bin -type f -executable | while read file; do
      isScript "$file" || continue
-      sed -i 's^${lib.getBin buildPackages.python3Packages.python}^${lib.getBin python}^' "$file"
+      sed -i 's^${lib.getBin buildPackages.python3Packages.python}^${lib.getBin python3Packages.python}^' "$file"
    done
  '';

@ -349,17 +338,12 @@ stdenv.mkDerivation (finalAttrs: {
    broken = enableGlusterFS;
    maintainers = with maintainers; [ aneeshusa ];
    pkgConfigModules = [
-      "dcerpc_samr"
-      "dcerpc"
      "ndr_krb5pac"
      "ndr_nbt"
      "ndr_standard"
      "ndr"
      "netapi"
-      "samba-credentials"
-      "samba-hostconfig"
      "samba-util"
-      "samdb"
      "smbclient"
      "wbclient"
    ];
--- a/pkgs/servers/samba/build-find-pre-built-heimdal-build-tools-in-case-of-.patch
+++ b/pkgs/servers/samba/build-find-pre-built-heimdal-build-tools-in-case-of-.patch
@ -1,4 +1,4 @@
-From 48f7e6d66e2850088b8922024641173776222242 Mon Sep 17 00:00:00 2001
+From 475ec75a34002aafabc92659f693cf705c96aff4 Mon Sep 17 00:00:00 2001
 From: Nick Cao <nickcao@nichi.co>
 Date: Thu, 21 Nov 2024 15:30:00 -0500
 Subject: [PATCH] build: find pre-built heimdal build tools in case of embedded
@ -35,18 +35,19 @@ Signed-off-by: Uri Simchoni <uri@samba.org>
 Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
 [Bachp: rebased for version 4.15.0]
 [Mats: rebased for version 4.18.5]
+[hexa: rebased for version 4.22.3]
 ---
 wscript_configure_embedded_heimdal | 11 +++++++++++
 1 file changed, 11 insertions(+)

 diff --git a/wscript_configure_embedded_heimdal b/wscript_configure_embedded_heimdal
-index 45f47721de..6c5a4bcf01 100644
+index c1488e5506e..ede28ba7fc3 100644
 --- a/wscript_configure_embedded_heimdal
 +++ b/wscript_configure_embedded_heimdal
-@@ -13,3 +13,14 @@ conf.RECURSE('third_party/heimdal_build')
- # when this will be available also in
- # system libraries...
+@@ -15,3 +15,14 @@ conf.RECURSE('third_party/heimdal_build')
 conf.define('HAVE_CLIENT_GSS_C_CHANNEL_BOUND_FLAG', 1)
+ 
+ conf.define('HAVE_KRB5_INIT_CREDS_STEP', 1)
 +
 +def check_system_heimdal_binary(name):
 +    if conf.LIB_MAY_BE_BUNDLED(name):
@ -59,5 +60,4 @@ index 45f47721de..6c5a4bcf01 100644
 +check_system_heimdal_binary("compile_et")
 +check_system_heimdal_binary("asn1_compile")
 -- 
-2.47.0
-
+2.50.1
--- a/pkgs/servers/samba/patch-source3libadskerberos_keytab.c.patch
+++ b/pkgs/servers/samba/patch-source3libadskerberos_keytab.c.patch
@ -1,20 +0,0 @@
--- old/source3/libads/kerberos_keytab.c	2017-12-23 14:23:53.247467000 +0100
-+++ new/source3/libads/kerberos_keytab.c	2017-12-23 18:57:07.135340000 +0100
-@@ -32,8 +32,6 @@
- 
- #ifdef HAVE_KRB5
- 
-#ifdef HAVE_ADS
-
- /* This MAX_NAME_LEN is a constant defined in krb5.h */
- #ifndef MAX_KEYTAB_NAME_LEN
- #define MAX_KEYTAB_NAME_LEN 1100
-@@ -85,6 +83,8 @@
- 	return ret;
- }
- 
-+#ifdef HAVE_ADS
-+
- /**********************************************************************
-  Adds a single service principal, i.e. 'host' to the system keytab
- ***********************************************************************/