[Pkg-sssd-devel] [Git][sssd-team/sssd][ubuntu-xenial] Import Xenial (1.13.4-1ubuntu1.12)

Victor Tapia gitlab at salsa.debian.org
Wed Feb 27 15:44:12 GMT 2019


Victor Tapia pushed to branch ubuntu-xenial at Debian SSSD packaging / sssd


Commits:
db007427 by Victor Tapia at 2019-02-27T15:43:22Z
Import Xenial (1.13.4-1ubuntu1.12)

- - - - -


4 changed files:

- debian/changelog
- + debian/patches/add-back-pidfile.patch
- + debian/patches/fix-ad-passwd-renewal-fd-leak.diff
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,17 @@
+sssd (1.13.4-1ubuntu1.12) xenial; urgency=medium
+
+  * d/p/add-back-pidfile.patch: Re-add PIDFILE entry to
+    /lib/systemd/system/sssd.service (LP: #1777860)
+
+ -- Karl Stenerud <karl.stenerud at canonical.com>  Wed, 31 Oct 2018 15:41:19 +0100
+
+sssd (1.13.4-1ubuntu1.11) xenial; urgency=medium
+
+  * d/p/fix-ad-passwd-renewal-fd-leak.diff: Fix fd leak triggered by the AD
+    machine password renewal task (LP: #1771805).
+
+ -- Victor Tapia <victor.tapia at canonical.com>  Thu, 17 May 2018 12:49:25 +0200
+
 sssd (1.13.4-1ubuntu1.10) xenial-security; urgency=medium
 
   * SECURITY UPDATE: unsanitized input


=====================================
debian/patches/add-back-pidfile.patch
=====================================
@@ -0,0 +1,26 @@
+Description: SYSTEMD: Clean pid file in corner cases
+ .
+ SSSD can cleanup pid file in case of standard stopping of daemon.
+ It's done in function monitor_cleanup. However monitor does not have a
+ change to cleanup file in case of OOM or sending SIGKILL to monitor.
+ .
+ Even though PIDFile is not necessary for services with Type notify
+ we should let systemd to clean this file in unexpected situations.
+Origin: upstream, https://pagure.io/SSSD/sssd/c/0d34f9df39978a2a2a6fea02b5e2f8db0ce48228
+Bug: https://pagure.io/SSSD/sssd/issue/3528
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/xenial/+source/sssd/+bug/1777860
+Last-Update: 2018-10-31
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+diff --git a/src/sysv/systemd/sssd.service.in b/src/sysv/systemd/sssd.service.in
+index 62fdbd5d..e97f15a6 100644
+--- a/src/sysv/systemd/sssd.service.in
++++ b/src/sysv/systemd/sssd.service.in
+@@ -8,6 +8,7 @@ Wants=nss-user-lookup.target
+ ExecStart=@sbindir@/sssd -i -f
+ Type=notify
+ NotifyAccess=main
++PIDFile=@localstatedir@/run/sssd.pid
+ 
+ [Install]
+ WantedBy=multi-user.target
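Review bot: The added `PIDFile=@localstatedir@/run/sssd.pid` derives the location from localstatedir, but nothing visible in this hunk ties it to the path the monitor actually writes its pid file to. If the package is configured with a different pid directory, systemd would track and clean up a file that is never created, and the stale-pidfile case from LP: #1777860 would remain. It is worth confirming the two match for this build and saying so in the DEP-3 header, for example `PIDFile must equal the pid path sssd was configured with`. Because systemd acts on the contents of this file, it should also stay in a directory only root can write.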


=====================================
debian/patches/fix-ad-passwd-renewal-fd-leak.diff
=====================================
@@ -0,0 +1,85 @@
+Description: AD: Do not leak file descriptors during machine password renewal
+
+ Resolves:
+ https://fedorahosted.org/sssd/ticket/3017
+
+ The AD renewal task was opening a pipe to write to the child process but
+ never closed it, leaking the fd. This patch uses a desctructor we
+ already use for pipes towards other child processes.
+
+ Reviewed-by: Petr Cech <pcech at redhat.com>
+
+Author: Jakub Hrozek <jhrozek at redhat.com>
+Origin: upstream, https://pagure.io/SSSD/sssd/c/312d211e03b9f3769a0362f1767cc59792e32746
+Bug: https://pagure.io/SSSD/sssd/issue/3017
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1771805
+Index: sssd-1.13.4/src/providers/ad/ad_machine_pw_renewal.c
+===================================================================
+--- sssd-1.13.4.orig/src/providers/ad/ad_machine_pw_renewal.c
++++ sssd-1.13.4/src/providers/ad/ad_machine_pw_renewal.c
+@@ -101,8 +101,7 @@ struct renewal_state {
+     struct tevent_timer *timeout_handler;
+     struct tevent_context *ev;
+ 
+-    int write_to_child_fd;
+-    int read_from_child_fd;
++    struct child_io_fds *io;
+ };
+ 
+ static void ad_machine_account_password_renewal_done(struct tevent_req *subreq);
+@@ -140,8 +139,15 @@ ad_machine_account_password_renewal_send
+ 
+     state->ev = ev;
+     state->child_status = EFAULT;
+-    state->read_from_child_fd = -1;
+-    state->write_to_child_fd = -1;
++    state->io = talloc(state, struct child_io_fds);
++    if (state->io == NULL) {
++        DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n");
++        ret = ENOMEM;
++        goto done;
++    }
++    state->io->write_to_child_fd = -1;
++    state->io->read_from_child_fd = -1;
++    talloc_set_destructor((void *) state->io, child_io_destructor);
+ 
+     server_name = be_fo_get_active_server_name(be_ctx, AD_SERVICE_NAME);
+     talloc_zfree(renewal_data->extra_args[0]);
+@@ -185,13 +191,13 @@ ad_machine_account_password_renewal_send
+         }
+     } else if (child_pid > 0) { /* parent */
+ 
+-        state->read_from_child_fd = pipefd_from_child[0];
++        state->io->read_from_child_fd = pipefd_from_child[0];
+         close(pipefd_from_child[1]);
+-        sss_fd_nonblocking(state->read_from_child_fd);
++        sss_fd_nonblocking(state->io->read_from_child_fd);
+ 
+-        state->write_to_child_fd = pipefd_to_child[1];
++        state->io->write_to_child_fd = pipefd_to_child[1];
+         close(pipefd_to_child[0]);
+-        sss_fd_nonblocking(state->write_to_child_fd);
++        sss_fd_nonblocking(state->io->write_to_child_fd);
+ 
+         /* Set up SIGCHLD handler */
+         ret = child_handler_setup(ev, child_pid, NULL, NULL, &state->child_ctx);
+@@ -212,7 +218,7 @@ ad_machine_account_password_renewal_send
+             goto done;
+         }
+ 
+-        subreq = read_pipe_send(state, ev, state->read_from_child_fd);
++        subreq = read_pipe_send(state, ev, state->io->read_from_child_fd);
+         if (subreq == NULL) {
+             DEBUG(SSSDBG_OP_FAILURE, "read_pipe_send failed.\n");
+             ret = ERR_RENEWAL_CHILD;
+@@ -264,10 +270,6 @@ static void ad_machine_account_password_
+                              "---adcli output end---\n",
+                              (int) buf_len, buf);
+ 
+-    close(state->read_from_child_fd);
+-    state->read_from_child_fd = -1;
+-
+-
+     tevent_req_done(req);
+     return;
+ }
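Review bot: The two `sss_fd_nonblocking()` calls in the parent branch still discard their result, so if switching a descriptor to non-blocking mode fails, the fd handed to `read_pipe_send()` stays blocking and a stalled child could hold up the event loop. Now that `child_io_destructor` closes both ends whenever `state->io` is freed, bailing out is cheap, e.g. `ret = sss_fd_nonblocking(state->io->read_from_child_fd); if (ret != EOK) goto done;` (assuming the helper returns an errno-style code, as other SSSD helpers do). Since ownership of the descriptors moved into `state->io`, a comment on the new member such as `/* fds are closed by child_io_destructor when state is freed; do not close() them directly */` would guard against a later double close. The body of `ad_machine_account_password_renewal_send` continues outside these hunks, so the fork-failure branch and the `done:` label cannot be checked from here.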


=====================================
debian/patches/series
=====================================
@@ -6,3 +6,5 @@ sanitize_newline.diff
 attempt_ptr_update_on_nonzero_return.diff
 bad-initgroups-results-3045.patch
 CVE-2017-12173.patch
+fix-ad-passwd-renewal-fd-leak.diff
+add-back-pidfile.patch



View it on GitLab: https://salsa.debian.org/sssd-team/sssd/commit/db00742721e919a9a3c4c296364028f50c6de2f1
