Patches for GOsa

Mike Gabriel sunweaver at
Mon Jul 23 15:08:17 BST 2018

HI Theral,

sorry for the late reply.

On  Di 10 Jul 2018 02:03:32 CEST, Theral Mackey wrote:

> Hi, I have a few patches for Gosa I feel could/should be incorporated
> to the debian pkg (and upstream, if thats still alive?). If possible,
> could I get PR access to the project on salsa to submit these?
> (username currently tmack0-guest)

Please file PRs on against the approprivate upstream repo.  
We will discuss patch inclusion there and I will then cherry-pick  
stuff into the Debian package.

> We here at Evernote have been using these (along with a few custom
> mods for stuff like TOTP integration) for a number of years now:

Nice. (Is TOTP integration not something for upstream?).

> 1. base64() encode passwords sent to shell via hook calls


> 2. add support for CRYPT sha256 and sha512 passwords


> The second one above I can't take full credit for, I think I pieced it

Are you eligible to file a PR then? Can you get in touch with the  
original author? Or do you know the license of the patch? If so, we  
can simply add the patch (if it is GPL'ish) and give credits to the  
original author. Other ideas?

> together from forum posts if not out-right copy/pasta, but allows
> using more secure hashing functions available in openldap.

That would be nice to have. If the patch has been modified by you  
sufficiently, it would be ok to take full credits for it.

> The first we implemented because the escapeshellarg code used in Gosa
> seemed to be applied inconsistently, causing breakage if certain
> characters were used, and lead to our sec team being able to use it
> for RCE. Passing through base64() encoded values bypasses this much
> the same way the other patches for NTLM/perl stuff did (0006, 0007 and
> 1004). Its likely all variables in hooks could be exploited this way
> tbh, passwords are just the quickest way to notice due to the charsets
> involved.

Understood. Please explain the situation in detail on the upstream  
tracker (

> Related to which, another patch I am putting together now from our
> code, moves the NTLM/LM hashing to native php, removing that
> shell/perl call all together. (we eventually stripped out LM
> completely as we have no use for it, and NTLM is all of 3 lines).

That would be nice-to-have, too. Please keep us posted.

> Thanks for your time!
> -Theral Mackey

Once you have filed the PRs upstream, please ping me and I nudge the  
upstream maintainer from GONICUS to review it within the next weeks.



mike gabriel aka sunweaver (Debian Developer)
mobile: +49 (1520) 1976 148
landline: +49 (4354) 8390 139

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: sunweaver at,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: Digitale PGP-Signatur
URL: <>

More information about the Debian-edu-pkg-team mailing list