[Pkg-openldap-devel] Bug#901194: jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4

Ryan Tandy ryan at nardis.ca
Sun Jun 10 02:32:02 BST 2018


Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org at packages.debian.org
Usertags: pu

Dear OSRM,

Please consider this openldap update for jessie. I apologize for the 
late request and will understand if it doesn't make it.

  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)

I would like to apply this fix in jessie to ensure that if openldap gets 
a security update during jessie LTS, affected systems will be able to 
install it. As well, there may be some users who choose to upgrade from 
wheezy after its LTS ends. I have tested both upgrade scenarios 
(jessie->jessie and wheezy->jessie).

For avoidance of doubt: this includes the changes also proposed for 
stretch in #901192 (the affected code is always executed in 
wheezy->jessie upgrades).

  * Import upstream patches to fix memory corruption caused by calling
    sasl_client_init() multiple times and possibly concurrently.
    (ITS#8648) (Closes: #860947)

This issue affected several slapd users and came with a variety of 
symptoms. A typical example of an affected setup would be a multi-master 
setup where replication is authenticated using Kerberos (SASL/GSSAPI). 
These patches have been applied in stretch (in +deb9u1) and in Ubuntu 
xenial, with no regressions reported.

thanks,
Ryan

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
-------------- next part --------------
diff -u openldap-2.4.40+dfsg/debian/changelog openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium
+
+  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
+  * Import upstream patches to fix memory corruption caused by calling 
+    sasl_client_init() multiple times and possibly concurrently.
+    (ITS#8648) (Closes: #860947)
+
+ -- Ryan Tandy <ryan at nardis.ca>  Tue, 05 Jun 2018 20:16:25 -0700
+
 openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high
 
   * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free 
diff -u openldap-2.4.40+dfsg/debian/patches/series openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -29,0 +30,2 @@
+ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+ITS-8648-init-SASL-library-in-global-init.patch
diff -u openldap-2.4.40+dfsg/debian/slapd.scripts-common openldap-2.4.40+dfsg/debian/slapd.scripts-common
--- openldap-2.4.40+dfsg/debian/slapd.scripts-common
+++ openldap-2.4.40+dfsg/debian/slapd.scripts-common
@@ -100,7 +100,7 @@
 }
 # }}}
 update_databases_permissions() {	# {{{
-	get_suffix | while read suffix; do
+	get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		update_permissions "$dbdir"
 	done
@@ -163,11 +163,11 @@
 
 	dir=`database_dumping_destdir`
 	echo >&2 "  Dumping to $dir: "
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -n "$dbdir" ]; then
 			file="$dir/$suffix.ldif"
-			echo -n "  - directory $suffix... " >&2
+			printf '  - directory %s... ' "$suffix" >&2
 			# Need to support slapd.d migration from preinst
 			if [ -f "${SLAPD_CONF}" ]; then
 				slapcat_opts="-g -f ${SLAPD_CONF}"
@@ -194,7 +194,7 @@
 
 	dir=`database_dumping_destdir`
 	echo >&2 "  Loading from $dir: "
-	get_suffix | while read suffix; do
+	get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -z "$dbdir" ]; then
 			continue
@@ -206,11 +206,11 @@
 		fi
 
 		file="$dir/$suffix.ldif"
-		echo -n "  - directory $suffix... " >&2
+		printf '  - directory %s... ' "$suffix" >&2
 
 		# If there is an old DB_CONFIG file, restore it before
 		# running slapadd
-		backupdir=`compute_backup_path -n "$dbdir" "$suffix"`
+		backupdir="$(compute_backup_path -n "$dbdir" "$suffix")"
 		if [ -e "$backupdir"/DB_CONFIG ]; then
 			cp -a "$backupdir"/DB_CONFIG "$dbdir"/
 		fi
@@ -249,7 +249,7 @@
 # }}}
 move_incompatible_databases_away() {					# {{{
 	echo >&2 "  Moving old database directories to /var/backups:"
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		move_old_database_away "$dbdir" "$suffix" <&5
 	done) 5<&0 </dev/null
@@ -270,7 +270,7 @@
 get_suffix() {							
 	if [ -f "${SLAPD_CONF}" ]; then
 		for f in `get_all_slapd_conf_files`; do
-			sed -n -e's/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/p' $f
+			sed -n -e '/^suffix[[:space:]]/ { s/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/; s/\\\\/\\/g; p }' $f
 		done
 	else
 		grep -h ^olcSuffix ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif | cut -d: -f 2
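Review bot: `$f` on the rewritten sed line is still unquoted and subject to globbing and word-splitting, while the same loop variable is written `"${f}"` in get_directory; the line should end `… s/\\\\/\\/g; p }' "$f"`. The new `/^suffix[[:space:]]/` address is the right place for the unescape, since `s/\\\\/\\/g` now runs only on suffix lines rather than on every line of the file. Note that only `\\` is unescaped: a `\"` inside a quoted suffix still terminates the `[^"]\+` capture early, exactly as before the patch, so that case remains unsupported. get_suffix's closing `fi` and `}` are outside the hunk.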
@@ -279,14 +279,16 @@
 # }}}
 get_directory() {							# {{{
 # Returns the db directory for a given suffix
-	if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then
-		sed -n 's/^olcDbDirectory: *//p' `grep -l "^olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
+	if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -Fq "$1" ; then
+		sed -n 's/^olcDbDirectory: *//p' `grep -Flx "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
 	elif [ -f "${SLAPD_CONF}" ]; then
 		# Extract the directory for the given suffix ($1)
+		# Quote backslashes once for slapd.conf parser, again for awk
+		quoted="$(printf '%s' "$1" | sed 's/\\/\\\\\\\\/g')"
 		for f in `get_all_slapd_conf_files`; do
 		awk  ' BEGIN { DB=0; SUF=""; DIR="" } ;
 		       /^database/ { DB=1; SUF=""; DIR="" } ; 
-		       DB==1 && /^suffix[ \t]+"?'"$1"'"?$/ { SUF=$2 ; } ; 
+		       DB==1 && /^suffix[ \t]+"?'"$quoted"'"?$/ { SUF=$2 ; } ; 
 		       DB==1 && /^directory/ { DIR=$2 ;} ; 
 		       DB==1 && SUF!="" && DIR!="" { sub(/^"/,"",DIR) ; sub(/"$/,"",DIR) ; print DIR; SUF=""; DIR="" }' "${f}" | \
 		sed -e's/\([^\\]\|^\)"/\1/g; s/\\"/"/g; s/\\\\/\\/g'
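Review bot: The `$quoted` value is still spliced into the awk program as part of a regex literal (`/^suffix[ \t]+"?'"$quoted"'"?$/`), and only backslashes are escaped; a suffix containing `/` terminates the regex literal and aborts awk with a syntax error, and `.`, `+` or `(` in the DN are still interpreted as regex operators, so get_directory prints nothing and callers silently skip that database. Handing the once-escaped suffix to awk through ENVIRON (which, unlike `-v`, does no escape processing) and comparing it as a plain string removes the interpolation entirely. Separately, on the cn=config branch `get_suffix | grep -Fq "$1"` is a substring test while the file lookup on the next line is exact (`-Flx`); a substring hit with no exact line leaves `sed` with no file operand so it reads the function's stdin — `grep -Fqx "$1"` keeps the two checks in step. get_directory continues past the end of the hunk.
```shell
		# Extract the directory for the given suffix ($1)
		# slapd.conf stores a literal backslash as "\\", so compare against that
		# form. Pass it to awk through ENVIRON (unlike -v, no escape processing)
		# and match it as a plain string, not a regex.
		suffix_conf="$(printf '%s' "$1" | sed 's/\\/\\\\/g')"
		for f in `get_all_slapd_conf_files`; do
		SUFFIX_CONF="$suffix_conf" awk ' BEGIN { DB=0; SUF=""; DIR=""; WANT=ENVIRON["SUFFIX_CONF"] } ;
		       /^database/ { DB=1; SUF=""; DIR="" } ;
		       DB==1 && /^suffix[ \t]+/ { V=$0; sub(/^suffix[ \t]+/,"",V); sub(/^"/,"",V); sub(/"$/,"",V); if (V == WANT) SUF=$2 } ;
		       # … unchanged: directory rule, print rule and the trailing sed …
```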
@@ -352,7 +354,7 @@
 		exit 1
 	fi
 
-	echo "$target"
+	printf '%s' "$target"
 }
 
 # }}}
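Review bot: `printf '%s' "$target"` drops the trailing newline that `echo "$target"` produced; every caller visible in this diff captures the result with `$(…)` or backticks, where the difference is invisible, but any consumer that reads the output line-wise (`read`) would see an unterminated final line and a non-zero status. `printf '%s\n' "$target"` keeps the newline while still avoiding echo's flag and backslash interpretation under dash, which is presumably why the change was made. compute_backup_path's start is outside the hunk.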
@@ -380,8 +382,8 @@
 	# include mount points as well anyway, but it's much less likely.
 	db_get slapd/move_old_database
 	if [ "$RET" = true ]; then
-		backupdir=`compute_backup_path "$databasedir" "$suffix"`
-		echo -n "  - directory $suffix... " >&2
+		backupdir="$(compute_backup_path "$databasedir" "$suffix")"
+		printf '  - directory %s... ' "$suffix" >&2
 		mkdir -p "$backupdir"
 		find -H "$databasedir" -mindepth 1 -maxdepth 1 -type f \
 			-exec mv {} "$backupdir" \;
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
@@ -0,0 +1,30 @@
+From e437b12277c1cc8ec72e0f78f660137c60ffaad7 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan at nardis.ca>
+Date: Sun, 7 May 2017 20:16:00 +0000
+Subject: [PATCH] ITS#8648 check result of ldap_int_initialize in
+ ldap_{get,set}_option
+
+---
+ libraries/libldap/options.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/libraries/libldap/options.c
++++ b/libraries/libldap/options.c
+@@ -106,6 +106,8 @@
+ 
+ 	if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ 		ldap_int_initialize(lo, NULL);
++		if ( lo->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
+ 	}
+ 
+ 	if(ld != NULL) {
+@@ -446,6 +448,8 @@
+ 
+ 	if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ 		ldap_int_initialize(lo, dbglvl);
++		if ( lo->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
+ 	}
+ 
+ 	if(ld != NULL) {
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch
@@ -0,0 +1,74 @@
+From 431c4af526b18abb4a18c2c4c8655690b753cbe5 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan at nardis.ca>
+Date: Fri, 5 May 2017 03:08:07 +0000
+Subject: [PATCH] ITS#8648 init SASL library in global init
+
+---
+ libraries/libldap/cyrus.c | 17 +++--------------
+ libraries/libldap/init.c  |  6 ++++++
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -69,14 +69,11 @@
+ 	{ SASL_CB_LIST_END, NULL, NULL }
+ };
+ 
++/*
++ * ldap_int_initialize is responsible for calling this only once.
++ */
+ int ldap_int_sasl_init( void )
+ {
+-	/* XXX not threadsafe */
+-	static int sasl_initialized = 0;
+-
+-	if ( sasl_initialized ) {
+-		return 0;
+-	}
+ 
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+@@ -96,7 +93,6 @@
+ #endif
+ 
+ 	if ( sasl_client_init( NULL ) == SASL_OK ) {
+-		sasl_initialized = 1;
+ 		return 0;
+ 	}
+ 
+@@ -307,11 +303,6 @@
+ 		return ld->ld_errno;
+ 	}
+ 
+-	if ( ldap_int_sasl_init() ) {
+-		ld->ld_errno = LDAP_LOCAL_ERROR;
+-		return ld->ld_errno;
+-	}
+-
+ #if SASL_VERSION_MAJOR >= 2
+ 	rc = sasl_client_new( "ldap", host, NULL, NULL,
+ 		client_callbacks, 0, &ctx );
+@@ -891,8 +882,6 @@
+ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
+ {
+ 	if ( option == LDAP_OPT_X_SASL_MECHLIST ) {
+-		if ( ldap_int_sasl_init() )
+-			return -1;
+ 		*(char ***)arg = (char **)sasl_global_listmech();
+ 		return 0;
+ 	}
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -658,6 +658,12 @@
+ 	if ( ldap_int_tblsize == 0 ) ldap_int_ip_init();
+ #endif
+ 
++#ifdef HAVE_CYRUS_SASL
++	if ( ldap_int_sasl_init() != 0 ) {
++		return;
++	}
++#endif
++
+ 	ldap_int_initialize_global_options(gopts, dbglvl);
+ 
+ 	if( getenv("LDAPNOINIT") != NULL ) {
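Review bot: The early `return` on `ldap_int_sasl_init()` failure in the init.c hunk is undocumented; it relies on `gopts->ldo_valid` being left unset so that the check added to ldap_{get,set}_option by the companion ITS#8648 patch reports LDAP_LOCAL_ERROR, and nothing at the return site says so. A comment such as `/* leave ldo_valid unset: ldap_{get,set}_option then fail with LDAP_LOCAL_ERROR */` would tie the two patches together for the next reader. Whether ldap_int_initialize is itself guaranteed to run only once, as the new cyrus.c comment promises, is not visible here; if it re-runs after such a failure, sasl_client_init() is attempted again, which looks like an intended retry rather than the double initialization the patch removes. The enclosing ldap_int_initialize starts outside the hunk.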

