From: Jan Rękorajski Date: Thu, 16 Jan 2014 18:55:24 +0000 (+0100) Subject: - added trigger to fix CVE-2013-4476 X-Git-Tag: auto/th/samba-4.1.4-3~5 X-Git-Url: http://git.pld-linux.org/?a=commitdiff_plain;h=30cb0b6f2030ae201aebf36b8ceebe731e77dfbf;hp=c93984f59ed4815c013dc55cef6aa5b0ea32d6c9;p=packages%2Fsamba.git - added trigger to fix CVE-2013-4476
---
diff --git a/samba.spec b/samba.spec
index a153f99..63f1250 100644
--- a/samba.spec
+++ b/samba.spec
@@ -675,6 +675,17 @@ fi
 %service samba restart "Samba AD daemons"
 %systemd_post samba.service
+%triggerpostun -- samba4 < 1:4.1.1-1
+# CVE-2013-4476
+[ -e %{_sysconfdir}/samba/tls/key.pem ] || exit 0
+PERMS=$(stat -c %a %{_sysconfdir}/samba/tls/key.pem)
+if [ "$PERMS" != "600" ]; then
+ chmod 600 %{_sysconfdir}/samba/tls/key.pem || :
+ echo "Fixed permissions of private key file %{_sysconfdir}/samba/tls/key.pem from $PERMS to 600"
+ echo "Consider regenerating TLS certificate"
+ echo "Removing all tls .pem files will cause an auto-regeneration with the correct permissions"
+fi
+
 %triggerprein common -- samba4
 cp -a %{_sysconfdir}/samba/smb.conf %{_sysconfdir}/samba/smb.conf.samba4
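Review bot: The `[ "$PERMS" != "600" ]` test in the new `%triggerpostun` scriptlet treats every mode other than 600 as broken, so a key an administrator already tightened to 400 is loosened to 600 and reported as "fixed". Testing only the group/other bits matches the CVE-2013-4476 concern more closely, for example `case "$PERMS" in *00) exit 0 ;; esac` placed before the `if`. The scriptlet also looks only at the default `%{_sysconfdir}/samba/tls/key.pem`, so a key configured elsewhere through `tls keyfile` in smb.conf is presumably left unchanged; a comment such as `# only the default key path is checked; a custom "tls keyfile" must be verified by hand` would make that limit visible. Because the key may have been readable by other local users before the upgrade, the `Consider regenerating TLS certificate` message could state that regeneration is recommended, not optional.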