On Tue, 2013-05-07 at 21:00 +0200, Salvatore Bonaccorso wrote: > Thanks for notifying. Yes, indeed nss-pam-ldapd did not build for > kfreebsd-amd64 and kfreebsd-i386. As the FTBFS is a regression for the > kfreebsd builds when applying the initial fix for CVE-2013-0288 I > think we should release an updated version targeting squeeze-security > to include the fix for it and send an updated DSA. Thanks. Attached is a debdiff with the version I'd like to upload. As indicated before it also provides a fix for RC bug #700971 which happens on package upgrades in some environments. -- -- arthur - adejong@debian.org - http://people.debian.org/~adejong --
diff -Nru nss-pam-ldapd-0.7.15+squeeze3/debian/changelog nss-pam-ldapd-0.7.15+squeeze4/debian/changelog
--- nss-pam-ldapd-0.7.15+squeeze3/debian/changelog 2013-02-15 23:04:03.000000000 +0100
+++ nss-pam-ldapd-0.7.15+squeeze4/debian/changelog 2013-05-11 20:17:27.000000000 +0200
@@ -1,3 +1,11 @@
+nss-pam-ldapd (0.7.15+squeeze4) stable-security; urgency=low
+
+ * fix FTBFS on kFreeBSD (see #690319)
+ * debian/nslcd.config: handle options that are specified multiple times
+ in nslcd.conf consistently (closes: #700971)
+
+ -- Arthur de Jong <adejong@debian.org> Sat, 11 May 2013 20:00:00 +0200
+
nss-pam-ldapd (0.7.15+squeeze3) stable-security; urgency=high
* SECURITY FIX: Garth Mollett discovered that a file descriptor overflow
diff -Nru nss-pam-ldapd-0.7.15+squeeze3/common/tio.c nss-pam-ldapd-0.7.15+squeeze4/common/tio.c
--- nss-pam-ldapd-0.7.15+squeeze3/common/tio.c 2013-02-12 22:03:06.000000000 +0100
+++ nss-pam-ldapd-0.7.15+squeeze4/common/tio.c 2013-05-02 09:54:49.000000000 +0200
@@ -185,7 +185,7 @@
/* prepare our filedescriptorset */
if (fp->fd>=FD_SETSIZE)
{
- errno=EBADFD;
+ errno=EBADF;
return -1;
}
FD_ZERO(&fdset);
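Review bot: The guard `if (fp->fd>=FD_SETSIZE)` bounds the descriptor only from above, so a negative `fp->fd` would still reach the fd_set macros that follow `FD_ZERO(&fdset)`, where an out-of-range index is undefined behaviour. Whether `fp->fd` can be negative at this point is not visible in the hunk; if it can, `if ((fp->fd<0)||(fp->fd>=FD_SETSIZE))` closes both ends, and EBADF remains the fitting errno. The same applies to the identical check in the hunk at line 397. A comment such as `/* select() only handles descriptors in 0..FD_SETSIZE-1 */` would also record why the check exists. The enclosing functions start and end outside both hunks.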
@@ -397,7 +397,7 @@
/* prepare our filedescriptorset */
if (fp->fd>=FD_SETSIZE)
{
- errno=EBADFD;
+ errno=EBADF;
return -1;
}
FD_ZERO(&fdset);
diff -Nru nss-pam-ldapd-0.7.15+squeeze3/debian/nslcd.config nss-pam-ldapd-0.7.15+squeeze4/debian/nslcd.config
--- nss-pam-ldapd-0.7.15+squeeze3/debian/nslcd.config 2012-01-15 09:27:33.000000000 +0100
+++ nss-pam-ldapd-0.7.15+squeeze4/debian/nslcd.config 2013-02-22 21:05:14.000000000 +0100
@@ -78,7 +78,7 @@
if [ -z "$uris" ]
then
hosts=`sed -n 's/^host[[:space:]]*//ip' "$cfgfile"`
- port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | tail -n 1`
+ port=`sed -n 's/^port[[:space:]]*//ip' "$cfgfile" | head -n 1`
for host in $hosts
do
if [ -z "$port" ] || (echo "$host" | grep -q ':' )
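Review bot: The pattern `^port[[:space:]]*` on the new `port=` line accepts zero whitespace after the keyword, so any line that merely begins with `port` is parsed as the port option, and with `head -n 1` such a line now wins if it comes first. Requiring a separator, `sed -n 's/^port[[:space:]][[:space:]]*//ip'`, would limit the match to the option itself. The `base`, `binddn` and `bindpw` expressions in the next hunk use the same `[[:space:]]*` form. The `for`/`if` body continues outside this hunk.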
@@ -95,21 +95,21 @@
db_get nslcd/ldap-base
if [ -z "$RET" ]
then
- searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | tail -n 1`
+ searchbase=`sed -n 's/^base[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\1/ip' "$cfgfile" | head -n 1`
[ -n "$searchbase" ] && db_set nslcd/ldap-base "$searchbase"
fi
# find binddn
db_get nslcd/ldap-binddn
if [ -z "$RET" ]
then
- binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | tail -n 1`
+ binddn=`sed -n 's/^binddn[[:space:]]*//ip' "$cfgfile" | head -n 1`
db_set nslcd/ldap-binddn "$binddn"
fi
# find bindpw
db_get nslcd/ldap-bindpw
if [ -z "$RET" ]
then
- bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | tail -n 1`
+ bindpw=`sed -n 's/^bindpw[[:space:]]*//ip' "$cfgfile" | head -n 1`
db_set nslcd/ldap-bindpw "$bindpw"
fi
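Review bot: The bind password read by the new `bindpw=` line is copied into the debconf database through `db_set nslcd/ldap-bindpw "$bindpw"`, and this hunk does not show it being cleared again. It is worth confirming that the maintainer scripts reset the question (for example `db_set nslcd/ldap-bindpw ""`) once the configuration file has been written, so the credential does not persist outside `$cfgfile`. A comment above the block, such as `# bindpw is a secret; it must not be left in debconf after configuration`, would make that expectation explicit. Unlike `searchbase`, `binddn` and `bindpw` are also stored when empty, which looks intentional but is not explained here.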
# check ssl option
@@ -128,7 +128,7 @@
db_get nslcd/ldap-reqcert
if [ -z "$RET" ]
then
- reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | tail -n 1`
+ reqcert=`sed -n 's/^tls_\(reqcert\|checkpeer\)[[:space:]]*\([^[:space:]]*\)[[:space:]]*$/\2/ip' "$cfgfile" | head -n 1`
# normalise value
reqcert=`echo "$reqcert" | tr 'A-Z' 'a-z' | sed 's/^no$/never/;s/^yes$/demand/;s/^hard$/demand/'`
[ -n "$reqcert" ] && db_set nslcd/ldap-reqcert "$reqcert"
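Review bot: The `reqcert=` line matches `tls_reqcert` and `tls_checkpeer` with a single expression, so `head -n 1` picks whichever of the two appears first in the file, not the first occurrence of each option. If nslcd resolves repeated or mixed options differently (not visible here), the debconf value could differ from the certificate-checking policy the daemon actually applies, and a later rewrite of the file could weaken it. A comment such as `# first occurrence wins, to match how nslcd reads repeated options` would record the assumption, if that is indeed the daemon's behaviour. The normalisation also passes unrecognised values to `db_set` unchanged. Restricting the stored value to `never`, `allow`, `try` or `demand` would keep a typo in the file from being propagated. The enclosing `if` continues past the end of the hunk.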