[Pkg-openldap-devel] Bug#803197: SOGo isn't the only victim, cups breaks as well

[Ryan Tandy]

Upon reviewing this bug, I've found that in stretch and later, GnuTLS 
actually uses getrandom() instead of opening /dev/urandom. This was 
introduced in GnuTLS 3.5.3 and requires Linux 3.18 and Glibc 2.25. The 
fd-clobber program that I attached to an earlier comment [1] 
demonstrates the issue in jessie, but works without issue in stretch and 
buster.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=803197;filename=fd-clobber.c;msg=25

You can observe this by running any LDAP client with 
GNUTLS_DEBUG_LEVEL=2:

gnutls[2]: getrandom random generator was detected

Based on that, I believe that the issue originally reported was actually 
resolved by that change, and the fd closing could probably be reinstated 
for systems where getrandom() is available. I will try to patch that 
back into SOGo and see what happens on a current system.

As for the cupsd issue you reported: I haven't been able to reproduce 
the segfault in cupsd, but I have attached a test program that I think 
demonstrates the issue as you described it. However, it crashes 
consistently in stretch but not in buster. :) Not sure whether that is a 
functional change or just luck of memory layout.

I need to do some more testing, but I think I will be OK with removing 
the gnutls_global_set_mutex() calls in the next upload. But even so, 
please do migrate to nss-pam-ldapd! Your point about libldap messing 
with global state is valid, but in the specific case of PAM modules we 
already have a solution, as Howard did point out to you.