[Pkg-openldap-devel] Bug#871739: stretch-pu: package openldap/2.4.44+dfsg-5+deb9u1
Ryan Tandy
ryan at nardis.ca
Fri Aug 11 02:02:29 UTC 2017
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org at packages.debian.org
Usertags: pu
I would like to apply a few fixes to openldap in stable. These changes
are all in testing already.
The first two changes are related to making sure the package can be
built reliably in stretch.
* Relax the dependency of libldap-2.4-2 on libldap-common to also permit
later versions. (Closes: #860774)
openldap manages to have a transitive build-dependency on itself, via
heimdal-multidev. What's happened a few times now is that libldap-common
gets built on the fast arch:all buildd and uploaded, then a slower arch
would go BD-Uninstallable because the libldap-common candidate is newer
than what the existing libldap-2.4-2 on that arch requires (apt and w-b
will both only consider the newest available). This relaxes the
dependency to allow pulling in the newer libldap-common.
The problem could happen as well when building this version, because
it's not "fixed" until libldap-2.4-2 is built and installed. If that
happens I will have to ask my sponsor to perform binary-only uploads on
any affected arches, as we did in unstable when fixing it there.
* Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
the underlying kernel bug #866122 is fixed.
A helper program used by this test gets its registers corrupted on
ppc64el when run with stretch's kernel and libc, apparently due to some
interaction between transactional memory (this arch has lock elision
enabled in glibc) and floating point. The kernel bug is still in
progress, so we have no recourse but to disable the test on this one
arch for now. The affected code is in the test suite and is not part of
the binary packages.
* Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
This changes the maintainer scripts to use raw read and fixed grep when
processing LDIF values, to ensure they don't interpret these backslashes
as escapes.
The remaining changes are fixes for upstream bugs or regressions.
* Import upstream patch to avoid reading the value of the
LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory.
(ITS#8385) (Closes: #820244)
The bug report is about replication setups, but theoretically it could
occur in any program that initiates multiple LDAP client connections
using the same TLS context. Occasionally it causes the program to crash,
but more often the symptom is the cert validation option takes on a
"random" value. This is most often noticed when validation is done
despite being configured to a permissive setting ("never" or "allow"),
resulting in negotiation failures in self-signed setups; but in theory
it could also flip the other way, resulting in validation being *less*
permissive than configured, so I also consider it a (minor) security
concern.
* Import upstream patch to fix potential endless replication loop in a
multi-master delta-syncrepl scenario with 3 or more nodes.
(ITS#8432) (Closes: #868753)
This is a regression since jessie. It renders stretch's slapd somewhat
unreliable for production use, if you run an affected configuration.
* Import upstream patches to fix memory corruption caused by calling
sasl_client_init() multiple times and possibly concurrently.
(ITS#8648) (Closes: #860947)
This is a regression in jessie compared to wheezy. There used to be a
mutex around the sasl_client_init() call, but upstream removed it in
2.4.36. Since then, clients that perform SASL binds concurrently on
multiple threads would experience various symptoms including hangs or
crashes. This seems to mostly affect slapd setups with multiple
replication connections (e.g. N-way multi-master) using GSSAPI binds.
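The backslash handling behind #864719 and the raw read / fixed-string grep that the maintainer scripts moved to, demonstrated on a constructed cn=config tree as an added example (this is not code from the bug report or from the openldap package; the helper names, paths and suffixes are made up for the demo):

```shell
#!/bin/sh
# Added example, not from the bug report or the openldap package: reproduce the
# olcSuffix-with-backslash failure behind #864719 on a constructed cn=config
# tree and show the read -r / grep -F handling that the fixed scripts rely on.
set -eu

# Constructed cn=config tree with two databases; the second suffix contains an
# escaped comma, so its LDIF line carries a literal backslash.
mk_sample_config() {
    cfg=$(mktemp -d)
    mkdir -p "$cfg/cn=config"
    printf '%s\n' 'dn: olcDatabase={1}mdb,cn=config' 'olcSuffix: dc=example,dc=com' \
        'olcDbDirectory: /var/lib/ldap/example' > "$cfg/cn=config/olcDatabase={1}mdb.ldif"
    printf '%s\n' 'dn: olcDatabase={2}mdb,cn=config' 'olcSuffix: o=Acme\, Inc.,c=US' \
        'olcDbDirectory: /var/lib/ldap/acme' > "$cfg/cn=config/olcDatabase={2}mdb.ldif"
    printf '%s\n' "$cfg"
}

# One olcSuffix value per line, the job get_suffix does in the real scripts.
list_suffixes() {
    sed -n 's/^olcSuffix: *//p' "$1"/cn=config/olcDatabase*.ldif
}

# Pre-fix loop: a plain read consumes the backslash as an escape character, so
# the value handed to the loop body no longer matches the line in the file.
last_suffix_plain_read() {
    list_suffixes "$1" | while read s; do printf '%s\n' "$s"; done | tail -n 1
}

# Fixed loop: -r keeps backslashes, IFS= also keeps surrounding whitespace.
last_suffix_raw_read() {
    list_suffixes "$1" | while IFS= read -r s; do printf '%s\n' "$s"; done | tail -n 1
}

# Fixed lookup: -F compares the suffix as a fixed string ('\' and '.' are not
# regex operators), -x requires the whole line to match so one suffix cannot
# match as a substring of another, and no '^' anchor is used, because -F would
# take it literally and the match would never succeed.
directory_for_suffix() {
    cfg=$1; suffix=$2
    list_suffixes "$cfg" | grep -Fxq -- "$suffix" || return 1
    for f in "$cfg"/cn=config/olcDatabase*.ldif; do
        if grep -Fxq -- "olcSuffix: $suffix" "$f"; then
            sed -n 's/^olcDbDirectory: *//p' "$f"
        fi
    done
}
```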
-------------- next part --------------
diff -Nru openldap-2.4.44+dfsg/debian/changelog openldap-2.4.44+dfsg/debian/changelog
--- openldap-2.4.44+dfsg/debian/changelog 2017-05-28 09:59:46.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/changelog 2017-08-10 12:12:46.000000000 -0700
@@ -1,3 +1,22 @@
+openldap (2.4.44+dfsg-5+deb9u1) stretch; urgency=medium
+
+ * Relax the dependency of libldap-2.4-2 on libldap-common to also permit
+ later versions. (Closes: #860774)
+ * Disable test060-mt-hot on ppc64el temporarily to avoid failing tests until
+ the underlying kernel bug #866122 is fixed.
+ * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
+ * Import upstream patch to avoid reading the value of the
+ LDAP_OPT_X_TLS_REQUIRE_CERT option from previously freed memory.
+ (ITS#8385) (Closes: #820244)
+ * Import upstream patch to fix potential endless replication loop in a
+ multi-master delta-syncrepl scenario with 3 or more nodes.
+ (ITS#8432) (Closes: #868753)
+ * Import upstream patches to fix memory corruption caused by calling
+ sasl_client_init() multiple times and possibly concurrently.
+ (ITS#8648) (Closes: #860947)
+
+ -- Ryan Tandy <ryan at nardis.ca> Thu, 10 Aug 2017 12:12:46 -0700
+
openldap (2.4.44+dfsg-5) unstable; urgency=medium
* debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an
@@ -5,7 +24,7 @@
tests. (ITS#8644) (Closes: #770890)
* debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free
in the MDB backend on a search including the Paged Results control with a
- page size of 0. (ITS#8655) (Closes: #863563)
+ page size of 0. (ITS#8655) (CVE-2017-9287) (Closes: #863563)
-- Ryan Tandy <ryan at nardis.ca> Sun, 28 May 2017 09:59:46 -0700
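Review bot: the `(CVE-2017-9287)` added on the `page size of 0. (ITS#8655)` line edits the already-released 2.4.44+dfsg-5 entry rather than the new deb9u1 one; keeping the id next to the fix it belongs to is what the security tracker wants, but the cover letter should say that this is a changelog-only annotation with no code change, because in a stretch-pu diff it otherwise reads as a security fix being carried along unannounced.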
diff -Nru openldap-2.4.44+dfsg/debian/control openldap-2.4.44+dfsg/debian/control
--- openldap-2.4.44+dfsg/debian/control 2017-05-20 11:38:45.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/control 2017-08-09 22:07:34.000000000 -0700
@@ -85,7 +85,7 @@
Multi-Arch: same
Conflicts: ldap-utils (<= 2.1.23-1)
Pre-Depends: ${misc:Pre-Depends}
-Depends: ${shlibs:Depends}, ${misc:Depends}, libldap-common (= ${source:Version})
+Depends: ${shlibs:Depends}, ${misc:Depends}, libldap-common (>= ${source:Version})
Replaces: libldap2, libldap-2.3-0
Description: OpenLDAP libraries
These are the run-time libraries for the OpenLDAP (Lightweight Directory
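Review bot: `libldap-common (>= ${source:Version})` removes the upper bound permanently, not only for the bootstrap window the cover letter describes, so a newer libldap-common may stay installed next to an older libldap-2.4-2 indefinitely. That is harmless while the files libldap-common ships keep the same format, but a future upload that changes them will need a matching `Breaks:` on the old library to keep the pair consistent; a short comment in debian/control or the changelog recording that expectation would save the next uploader from rediscovering it.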
diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8385-Fix-use-after-free-with-GnuTLS.patch openldap-2.4.44+dfsg/debian/patches/ITS-8385-Fix-use-after-free-with-GnuTLS.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-8385-Fix-use-after-free-with-GnuTLS.patch 1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-8385-Fix-use-after-free-with-GnuTLS.patch 2017-08-09 22:07:34.000000000 -0700
@@ -0,0 +1,77 @@
+From 283f3ae1713df449cc170965b311b19157f7b7ea Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc at openldap.org>
+Date: Sat, 12 Mar 2016 11:03:29 +0000
+Subject: [PATCH] ITS#8385 Fix use-after-free with GnuTLS
+
+---
+ libraries/libldap/tls_g.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/libraries/libldap/tls_g.c
++++ b/libraries/libldap/tls_g.c
+@@ -47,11 +47,11 @@
+ #define DH_BITS (1024)
+
+ typedef struct tlsg_ctx {
+- struct ldapoptions *lo;
+ gnutls_certificate_credentials_t cred;
+ gnutls_dh_params_t dh_params;
+ unsigned long verify_depth;
+ int refcount;
++ int reqcert;
+ gnutls_priority_t prios;
+ #ifdef LDAP_R_COMPILE
+ ldap_pvt_thread_mutex_t ref_mutex;
+@@ -143,7 +143,6 @@
+
+ ctx = ber_memcalloc ( 1, sizeof (*ctx) );
+ if ( ctx ) {
+- ctx->lo = lo;
+ if ( gnutls_certificate_allocate_credentials( &ctx->cred )) {
+ ber_memfree( ctx );
+ return NULL;
+@@ -316,6 +315,9 @@
+ gnutls_dh_params_init(&ctx->dh_params);
+ gnutls_dh_params_generate2(ctx->dh_params, DH_BITS);
+ }
++
++ ctx->reqcert = lo->ldo_tls_require_cert;
++
+ return 0;
+ }
+
+@@ -337,10 +339,10 @@
+
+ if ( is_server ) {
+ int flag = 0;
+- if ( c->lo->ldo_tls_require_cert ) {
++ if ( c->reqcert ) {
+ flag = GNUTLS_CERT_REQUEST;
+- if ( c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_DEMAND ||
+- c->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_HARD )
++ if ( c->reqcert == LDAP_OPT_X_TLS_DEMAND ||
++ c->reqcert == LDAP_OPT_X_TLS_HARD )
+ flag = GNUTLS_CERT_REQUIRE;
+ gnutls_certificate_server_set_request( session->session, flag );
+ }
+@@ -355,17 +357,17 @@
+ int rc;
+
+ rc = gnutls_handshake( s->session );
+- if ( rc == 0 && s->ctx->lo->ldo_tls_require_cert != LDAP_OPT_X_TLS_NEVER ) {
++ if ( rc == 0 && s->ctx->reqcert != LDAP_OPT_X_TLS_NEVER ) {
+ const gnutls_datum_t *peer_cert_list;
+ unsigned int list_size;
+
+ peer_cert_list = gnutls_certificate_get_peers( s->session,
+ &list_size );
+- if ( !peer_cert_list && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_TRY )
++ if ( !peer_cert_list && s->ctx->reqcert == LDAP_OPT_X_TLS_TRY )
+ rc = 0;
+ else {
+ rc = tlsg_cert_verify( s );
+- if ( rc && s->ctx->lo->ldo_tls_require_cert == LDAP_OPT_X_TLS_ALLOW )
++ if ( rc && s->ctx->reqcert == LDAP_OPT_X_TLS_ALLOW )
+ rc = 0;
+ }
+ }
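Review bot: `ctx->reqcert = lo->ldo_tls_require_cert;` in the third nested hunk snapshots the option at context creation, so a later ldap_set_option(LDAP_OPT_X_TLS_REQUIRE_CERT) on the same handle does not reach a context that already exists; that is the intended trade for no longer dereferencing `ctx->lo`, which could point at freed ldapoptions, but a one-line comment at that assignment saying the value is frozen when the context is built would stop the next reader from assuming it tracks the live option. The `is_server` branch and the post-`gnutls_handshake` checks all read the copy, so behaviour is at least consistent within the file.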
diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8432-fix-infinite-looping-mods-in-delta-mmr.patch openldap-2.4.44+dfsg/debian/patches/ITS-8432-fix-infinite-looping-mods-in-delta-mmr.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-8432-fix-infinite-looping-mods-in-delta-mmr.patch 1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-8432-fix-infinite-looping-mods-in-delta-mmr.patch 2017-08-09 22:07:34.000000000 -0700
@@ -0,0 +1,64 @@
+From 92724fd39e3c6a65d460ad7a08d3acc3c16656e3 Mon Sep 17 00:00:00 2001
+From: Howard Chu <hyc at openldap.org>
+Date: Thu, 9 Jun 2016 22:37:54 +0100
+Subject: [PATCH] ITS#8432 fix infinite looping mods in delta-mmr
+
+---
+ servers/slapd/syncrepl.c | 32 ++++++++++++++++++++++++++++++++
+ 1 file changed, 32 insertions(+)
+
+--- a/servers/slapd/syncrepl.c
++++ b/servers/slapd/syncrepl.c
+@@ -934,6 +934,10 @@
+ check_syncprov( op, si );
+ ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_mutex );
+ for ( i =0; i<si->si_cookieState->cs_num; i++ ) {
++#ifdef CHATTY_SYNCLOG
++ Debug( LDAP_DEBUG_SYNC, "do_syncrep2: %s CSN for sid %d: %s\n",
++ si->si_ridtxt, i, si->si_cookieState->cs_vals[i].bv_val );
++#endif
+ /* new SID */
+ if ( sid < si->si_cookieState->cs_sids[i] )
+ break;
+@@ -2064,6 +2068,33 @@
+ if ( !mod )
+ return SLAP_CB_CONTINUE;
+
++ {
++ int i, sid;
++ sid = slap_parse_csn_sid( &mod->sml_nvalues[0] );
++ ldap_pvt_thread_mutex_lock( &si->si_cookieState->cs_mutex );
++ for ( i =0; i<si->si_cookieState->cs_num; i++ ) {
++#ifdef CHATTY_SYNCLOG
++ Debug( LDAP_DEBUG_SYNC, "syncrepl_op_modify: %s CSN for sid %d: %s\n",
++ si->si_ridtxt, i, si->si_cookieState->cs_vals[i].bv_val );
++#endif
++ /* new SID */
++ if ( sid < si->si_cookieState->cs_sids[i] )
++ break;
++ if ( si->si_cookieState->cs_sids[i] == sid ) {
++ if ( ber_bvcmp( &mod->sml_nvalues[0], &si->si_cookieState->cs_vals[i] ) <= 0 ) {
++ Debug( LDAP_DEBUG_SYNC, "syncrepl_op_modify: %s entryCSN too old, ignoring %s (%s)\n",
++ si->si_ridtxt, mod->sml_nvalues[0].bv_val, op->o_req_dn.bv_val );
++ ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_mutex );
++ slap_graduate_commit_csn( op );
++ /* tell accesslog this was a failure */
++ rs->sr_err = LDAP_TYPE_OR_VALUE_EXISTS;
++ return LDAP_SUCCESS;
++ }
++ }
++ }
++ ldap_pvt_thread_mutex_unlock( &si->si_cookieState->cs_mutex );
++ }
++
+ rc = overlay_entry_get_ov( op, &op->o_req_ndn, NULL, NULL, 0, &e, on );
+ if ( rc == 0 ) {
+ Attribute *a;
+@@ -2077,6 +2108,7 @@
+ }
+ /* equal? Should never happen */
+ if ( match == 0 ) {
++ slap_graduate_commit_csn( op );
+ /* tell accesslog this was a failure */
+ rs->sr_err = LDAP_TYPE_OR_VALUE_EXISTS;
+ return LDAP_SUCCESS;
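Review bot: the new block before `overlay_entry_get_ov` drops an incoming modify whose entryCSN is not newer than the cookie state's CSN for the same SID (`ber_bvcmp( ... ) <= 0`), which is what breaks the replay between three or more delta-syncrepl nodes; the `entryCSN too old, ignoring` Debug line is the only trace the guard leaves, so it is worth stating in the changelog or a NEWS entry that operators diagnosing #868753 should look for that message at the sync log level to confirm the fix is active. The mutex is released before the early return, and the later `match == 0` hunk gains the same `slap_graduate_commit_csn( op )` call, so both reject paths now clean up the same way.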
diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch openldap-2.4.44+dfsg/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch 1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch 2017-08-09 22:07:34.000000000 -0700
@@ -0,0 +1,30 @@
+From e437b12277c1cc8ec72e0f78f660137c60ffaad7 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan at nardis.ca>
+Date: Sun, 7 May 2017 20:16:00 +0000
+Subject: [PATCH] ITS#8648 check result of ldap_int_initialize in
+ ldap_{get,set}_option
+
+---
+ libraries/libldap/options.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/libraries/libldap/options.c
++++ b/libraries/libldap/options.c
+@@ -106,6 +106,8 @@
+
+ if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ ldap_int_initialize(lo, NULL);
++ if ( lo->ldo_valid != LDAP_INITIALIZED )
++ return LDAP_LOCAL_ERROR;
+ }
+
+ if(ld != NULL) {
+@@ -446,6 +448,8 @@
+
+ if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ ldap_int_initialize(lo, dbglvl);
++ if ( lo->ldo_valid != LDAP_INITIALIZED )
++ return LDAP_LOCAL_ERROR;
+ }
+
+ if(ld != NULL) {
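Review bot: returning `LDAP_LOCAL_ERROR` when `lo->ldo_valid` is still not LDAP_INITIALIZED after ldap_int_initialize is the right failure mode in both hunks, but it is a visible API change: ldap_get_option and ldap_set_option could not fail at this point before, and with the companion patch a SASL initialisation failure now surfaces here for callers that never use SASL. The changelog entry only mentions memory corruption; a sentence saying that global-init failures are now reported as LDAP_LOCAL_ERROR would help anyone bisecting a client that suddenly cannot set options.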
diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch openldap-2.4.44+dfsg/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch 1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch 2017-08-09 22:07:34.000000000 -0700
@@ -0,0 +1,74 @@
+From 431c4af526b18abb4a18c2c4c8655690b753cbe5 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan at nardis.ca>
+Date: Fri, 5 May 2017 03:08:07 +0000
+Subject: [PATCH] ITS#8648 init SASL library in global init
+
+---
+ libraries/libldap/cyrus.c | 17 +++--------------
+ libraries/libldap/init.c | 6 ++++++
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -69,14 +69,11 @@
+ { SASL_CB_LIST_END, NULL, NULL }
+ };
+
++/*
++ * ldap_int_initialize is responsible for calling this only once.
++ */
+ int ldap_int_sasl_init( void )
+ {
+- /* XXX not threadsafe */
+- static int sasl_initialized = 0;
+-
+- if ( sasl_initialized ) {
+- return 0;
+- }
+
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+@@ -96,7 +93,6 @@
+ #endif
+
+ if ( sasl_client_init( NULL ) == SASL_OK ) {
+- sasl_initialized = 1;
+ return 0;
+ }
+
+@@ -307,11 +303,6 @@
+ return ld->ld_errno;
+ }
+
+- if ( ldap_int_sasl_init() ) {
+- ld->ld_errno = LDAP_LOCAL_ERROR;
+- return ld->ld_errno;
+- }
+-
+ #if SASL_VERSION_MAJOR >= 2
+ rc = sasl_client_new( "ldap", host, NULL, NULL,
+ client_callbacks, 0, &ctx );
+@@ -891,8 +882,6 @@
+ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
+ {
+ if ( option == LDAP_OPT_X_SASL_MECHLIST ) {
+- if ( ldap_int_sasl_init() )
+- return -1;
+ *(char ***)arg = (char **)sasl_global_listmech();
+ return 0;
+ }
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -658,6 +658,12 @@
+ if ( ldap_int_tblsize == 0 ) ldap_int_ip_init();
+ #endif
+
++#ifdef HAVE_CYRUS_SASL
++ if ( ldap_int_sasl_init() != 0 ) {
++ return;
++ }
++#endif
++
+ ldap_int_initialize_global_options(gopts, dbglvl);
+
+ if( getenv("LDAPNOINIT") != NULL ) {
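Review bot: in the init.c hunk the bare `return;` after `ldap_int_sasl_init() != 0` leaves ldap_int_initialize before `ldap_int_initialize_global_options(gopts, dbglvl)`, so ldo_valid never becomes LDAP_INITIALIZED and every later option call re-runs the failed init; there is no Debug() or other diagnostic before that return, so a client hitting this sees only LDAP_LOCAL_ERROR with no hint that sasl_client_init() is what failed. Suggest logging the failure before the return. Removing the `sasl_initialized` flag and the `/* XXX not threadsafe */` path in cyrus.c means the once-only guarantee now rests entirely on ldap_int_initialize's own serialisation; the new comment `ldap_int_initialize is responsible for calling this only once.` states that dependency, which is good.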
diff -Nru openldap-2.4.44+dfsg/debian/patches/series openldap-2.4.44+dfsg/debian/patches/series
--- openldap-2.4.44+dfsg/debian/patches/series 2017-05-28 09:58:07.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/patches/series 2017-08-09 22:07:34.000000000 -0700
@@ -27,3 +27,7 @@
ITS-8554-kFreeBSD-is-like-BSD.patch
ITS-8644-wait-for-slapd-to-start-in-test064.patch
ITS-8655-paged-results-double-free.patch
+ITS-8385-Fix-use-after-free-with-GnuTLS.patch
+ITS-8432-fix-infinite-looping-mods-in-delta-mmr.patch
+ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+ITS-8648-init-SASL-library-in-global-init.patch
diff -Nru openldap-2.4.44+dfsg/debian/rules openldap-2.4.44+dfsg/debian/rules
--- openldap-2.4.44+dfsg/debian/rules 2017-05-20 11:38:45.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/rules 2017-08-09 22:07:34.000000000 -0700
@@ -13,6 +13,7 @@
DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE)
DEB_HOST_ARCH_OS ?= $(shell dpkg-architecture -qDEB_HOST_ARCH_OS)
+DEB_HOST_ARCH ?= $(shell dpkg-architecture -qDEB_HOST_ARCH)
CONFIG = $(shell grep -v "^\#" debian/configure.options)
ifeq ($(DEB_HOST_ARCH_OS),hurd)
@@ -108,6 +109,13 @@
$(MAKE) -C contrib/slapd-modules/passwd/sha2 CC=$(CC)
endif
+override_dh_auto_test:
+ifeq ($(DEB_HOST_ARCH),ppc64el)
+ # Disable test060-mt-host on ppc64el until #866122 is fixed.
+ rm -f tests/scripts/test060-mt-hot
+endif
+ dh_auto_test
+
override_dh_auto_install:
dh_auto_install -- $(MAKEVARS)
ifeq ($(filter stage1,$(DEB_BUILD_PROFILES)),)
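Review bot: the comment `# Disable test060-mt-host on ppc64el until #866122 is fixed.` misnames the test; the file removed on the next line is `tests/scripts/test060-mt-hot`, so the comment should say `test060-mt-hot` to stay greppable when someone comes to revert this. Also, `rm -f` deletes the script from the unpacked source and nothing in this diff restores it in clean, which is fine for a buildd build from the source package but means a repeated `debian/rules build` in the same tree on ppc64el keeps the test gone without saying so.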
diff -Nru openldap-2.4.44+dfsg/debian/slapd.scripts-common openldap-2.4.44+dfsg/debian/slapd.scripts-common
--- openldap-2.4.44+dfsg/debian/slapd.scripts-common 2017-05-20 11:38:45.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/slapd.scripts-common 2017-08-09 22:07:34.000000000 -0700
@@ -105,7 +105,7 @@
}
# }}}
update_databases_permissions() { # {{{
- get_suffix | while read suffix; do
+ get_suffix | while read -r suffix; do
dbdir=`get_directory "$suffix"`
update_permissions "$dbdir"
done
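Review bot: `read -r suffix` stops the shell from treating a backslash in olcSuffix as an escape, but `read` still strips leading and trailing IFS whitespace from the value; `IFS= read -r suffix` would pass the line through untouched. A suffix with surrounding spaces is unlikely, so this is a belt-and-braces point rather than a blocker.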
@@ -296,8 +296,8 @@
# }}}
get_directory() { # {{{
# Returns the db directory for a given suffix
- if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then
- sed -n 's/^olcDbDirectory: *//p' `grep -l "^olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
+ if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -Fq "$1" ; then
+ sed -n 's/^olcDbDirectory: *//p' `grep -Fl "^olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
elif [ -f "${SLAPD_CONF}" ]; then
# Extract the directory for the given suffix ($1)
for f in `get_all_slapd_conf_files`; do
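Review bot: `grep -Fl "^olcSuffix: $1"` on the second `+` line is broken: with -F the leading `^` is a literal caret, not a line anchor, so the pattern can never match an `olcSuffix:` line in olcDatabase*.ldif; the backtick expansion then comes back empty and `sed -n 's/^olcDbDirectory: *//p'` is left reading standard input, so get_directory returns nothing for exactly the cn=config case this change is meant to fix. Drop the caret (`grep -Fl "olcSuffix: $1"`) or, better, match the whole line with `grep -Flx "olcSuffix: $1"`, which also stops one suffix from matching as a prefix of a longer one. The first change, `get_suffix | grep -Fq "$1"`, has the same substring issue (`dc=example,dc=com` also matches a line reading `dc=sub,dc=example,dc=com`), so `grep -Fxq` is wanted there too.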