Bug#658739: nss-ldap, SUID executables, gcrypt

[Thorsten Glaser]

Hi all,

this bug has been brought to my attention by my boss today.
If I understand the situation correctly, the problem is:

• OpenLDAP links against GnuTLS (gnutls26)
• gnutls26 links against gcrypt, which has the bug
• gnutls28 links against nettle, but also gmp which is LGPLv3+
• OpenLDAP thus can’t link against gnutls28, as it has reverse
  dependencies that are not LGPLv3-/GPLv3-compatible
• the package affected is libnss-ldap though

For some reason, neither nscd nor unscd seem to be able to
work around this bug, so it has become rather critical (e.g.
for use in company networks).

Why not do a readline and provide *two* versions of the
OpenLDAP client libraries, keep libldap-2.4-2 linked
against gnutls26 and add another shared library plus
development package (with at least the two shared library
packages coïnstallable) to link against gnutls28 and build
these BOTH from the SAME source package at the SAME time,
so an upload of OpenLDAP will not need another package to
be (re-)built to stay in sync.

Did anyone think of it already and will shoot this idea
down immediately? Or could it work?

bye,
//mirabilos • tg at debian.org
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Elmar Geese