
Bug#927425: unblock: gosa/2.7.4+reloaded3-8



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gosa

+  * debian/patches:
+    + Add 1043_smarty-add-on-function-param-types.patch. Fix missing
+      password field, caused by PHP error "parameter 2 expected to be a
+      reference, value given". This happened due to mismatching parameter
+      types whenever the smarty3 template rendering engine called gosa's
+      (slightly not-compliant anymore) smartyAddon functions. (Closes:
+      #918578). The patch also brings some smartyAddon hygiene for
+      the {render} block and the not-used-anymore {tr} block.

-> RC bug, a missing password field on the login page makes gosa unusable.

+    + Add 1044_crypto-transition-without-mcrypt.patch. Make
+      gosa-mcrypt-to-openssl-passwords script independent from php-mcrypt,
+      and thus make it work with Debian buster's php7.3. (Closes: #925138).

-> RC bug, now gosa can be upgraded from stretch -> buster and crypto-transition can happen in buster.

See also: #927306.

+    + Update 1026_fix-deprecated-constructor-format.patch. Drop an
+      unwanted find+replace artefact in class_userFilter.

Regression fix of an earlier applied patch.

+    + Add 1045_dont_use_filter_caching.patch. Disable filter caching via
+      $_SESSION. The filter caching mechanism stores PHP object in ; since
+      php7.0 this has lead to all sorts of unexpected results and flawed
+      rendering of class_management based listings. (Closes: #907815).

-> important bug (in fact possibly a security issue).

+  * debian/control:
+    + Bump Standards-Version: to 4.3.0. No changes needed.

-> some additional formalism

unblock gosa/2.7.4+reloaded3-8

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru gosa-2.7.4+reloaded3/debian/changelog gosa-2.7.4+reloaded3/debian/changelog
--- gosa-2.7.4+reloaded3/debian/changelog	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/changelog	2019-04-19 15:24:14.000000000 +0200
@@ -1,3 +1,27 @@
+gosa (2.7.4+reloaded3-8) unstable; urgency=medium
+
+  * debian/patches:
+    + Add 1043_smarty-add-on-function-param-types.patch. Fix missing
+      password field, caused by PHP error "parameter 2 expected to be a
+      reference, value given". This happened due to mismatching parameter
+      types whenever the smarty3 template rendering engine called gosa's
+      (slightly not-compliant anymore) smartyAddon functions. (Closes:
+      #918578). The patch also brings some smartyAddon hygiene for
+      the {render} block and the not-used-anymore {tr} block.
+    + Add 1044_crypto-transition-without-mcrypt.patch. Make
+      gosa-mcrypt-to-openssl-passwords script independent from php-mcrypt,
+      and thus make it work with Debian buster's php7.3. (Closes: #925138).
+    + Update 1026_fix-deprecated-constructor-format.patch. Drop an
+      unwanted find+replace artefact in class_userFilter.
+    + Add 1045_dont_use_filter_caching.patch. Disable filter caching via
+      $_SESSION. The filter caching mechanism stores PHP object in ; since
+      php7.0 this has lead to all sorts of unexpected results and flawed
+      rendering of class_management based listings. (Closes: #907815).
+  * debian/control:
+    + Bump Standards-Version: to 4.3.0. No changes needed.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Fri, 19 Apr 2019 15:24:14 +0200
+
 gosa (2.7.4+reloaded3-7) unstable; urgency=medium
 
   [ Mike Gabriel ]
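Review bot: In the 1045_dont_use_filter_caching.patch entry, the sentence "The filter caching mechanism stores PHP object in ; since" has lost the word that follows "in", so the entry does not say where the objects are stored. In the same entry "has lead" should be "has led". The covering mail rates this fix as "possibly a security issue", but the changelog entry only mentions flawed rendering; if that assessment stands, say so in the entry so that people reading the changelog can see it.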
diff -Nru gosa-2.7.4+reloaded3/debian/control gosa-2.7.4+reloaded3/debian/control
--- gosa-2.7.4+reloaded3/debian/control	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/control	2019-04-19 15:24:14.000000000 +0200
@@ -9,7 +9,7 @@
  debhelper (>= 11~),
 Build-Depends-Indep:
  po-debconf,
-Standards-Version: 4.2.0
+Standards-Version: 4.3.0
 Homepage: https://oss.gonicus.de/labs/gosa/
 Vcs-Git: https://salsa.debian.org/debian-edu-pkg-team/gosa.git
 Vcs-Browser: https://salsa.debian.org/debian-edu-pkg-team/gosa
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch
--- gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch	2019-04-19 15:22:28.000000000 +0200
@@ -699,23 +699,6 @@
      $this->dn= $dn;
 --- a/gosa-core/include/class_userFilter.inc
 +++ b/gosa-core/include/class_userFilter.inc
-@@ -16,13 +16,13 @@
-    */
-   static function userFilteringAvailable()
-   {
--    if(!session::is_set('userFilter::userFilteringAvailable')){
-+    if(!session::is_set('userFilter::__constructingAvailable')){
-       global $config;
-       $ldap = $config->get_ldap_link();
-       $ocs = $ldap->get_objectclasses();
--      session::set('userFilter::userFilteringAvailable', isset($ocs['gosaProperties']));
-+      session::set('userFilter::__constructingAvailable', isset($ocs['gosaProperties']));
-     }
--    return(session::get('userFilter::userFilteringAvailable'));
-+    return(session::get('userFilter::__constructingAvailable'));
-   }
-   
-  
 @@ -32,7 +32,7 @@
    {
      // Initialize this plugin with the users dn to gather user defined filters.
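Review bot: Check the rest of 1026_fix-deprecated-constructor-format.patch for other places where the constructor find+replace hit something other than a method name. The hunk dropped here shows it rewrote the session key string 'userFilter::userFilteringAvailable' into 'userFilter::__constructingAvailable' in the is_set, set and get calls, which means the replacement matched inside string literals. A grep of the refreshed patch for "__construct" followed by further word characters would confirm that this was the only such artefact.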
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch
--- gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch	1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch	2019-04-19 15:22:28.000000000 +0200
@@ -0,0 +1,91 @@
+Description: Use correct smarty3 API.
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+Forwarded: https://github.com/gosa-project/gosa-core/pull/25
+Abstract.
+ For the {render} add-on block, drop the &$smarty reference parameter
+ entirely.
+ .
+ Drop the complete {tr} add-on block. Not registered as a plugin, not
+ used.
+ .
+ For the add-on image and add-on factory functions, switch from
+ reference &$smarty to value $smarty.
+
+--- a/gosa-core/include/smartyAddons/block.render.php
++++ b/gosa-core/include/smartyAddons/block.render.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_block_render($params, $text, &$smarty)
++function smarty_block_render($params, $text)
+ {
+ 	/* Skip closing tag </render> */	
+ 	if(empty($text)) {
+--- a/gosa-core/include/smartyAddons/block.tr.php
++++ /dev/null
+@@ -1,25 +0,0 @@
+-<?php
+-function smarty_block_tr($params, $text, &$smarty)
+-{
+-    $plugin = "";
+-    if(!isset($params['domain'])){
+-        if(strlen($text) != 0){
+-            $trace = debug_backtrace();
+-            $base = preg_replace("/\/html/","",getcwd());
+-            foreach($trace as $t_entry){
+-                if(preg_match("/^".preg_quote($base,'/')."\/plugins\//", $t_entry['file'])){
+-                    $plugin = preg_replace("/^".preg_quote($base,'/')."\/plugins\/([^\/]*).*$/", "\\1", $t_entry['file']);
+-                    break;
+-                }
+-            }
+-        }
+-    }
+-  
+- 
+-    if($plugin != ""){ 
+-        return(dgettext($plugin, $text));
+-    }
+-    return(gettext($text));
+-}
+-
+-?>
+--- a/gosa-core/include/smartyAddons/function.factory.php
++++ b/gosa-core/include/smartyAddons/function.factory.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_function_factory($params, &$smarty)
++function smarty_function_factory($params, $smarty)
+ {
+ 
+     // Capture params
+--- a/gosa-core/include/smartyAddons/function.image.php
++++ b/gosa-core/include/smartyAddons/function.image.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_function_image($params, &$smarty)
++function smarty_function_image($params, $smarty)
+ {
+   $path = (isset($params['path']))? $params['path'] :"";
+   $action = (isset($params['action']))? $params['action'] :"";
+--- a/gosa-core/include/smartyAddons/function.msgPool.php
++++ b/gosa-core/include/smartyAddons/function.msgPool.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_function_msgPool($params, &$smarty)
++function smarty_function_msgPool($params, $smarty)
+ {
+ 	if(class_available("msgPool") && isset($params['type'])){
+ 		$parameter = array();
+--- a/gosa-core/include/php_setup.inc
++++ b/gosa-core/include/php_setup.inc
+@@ -317,7 +317,6 @@
+     if(preg_match("/\.php$/", $file)) require_once("$BASE_DIR/include/smartyAddons/{$file}");
+ }
+ 
+-#$smarty->registerPlugin("block", "tr", "smarty_block_tr");
+ $smarty->registerPlugin("block", "t", "smarty_block_t");
+ $smarty->registerPlugin("block", "render", "smarty_block_render");
+ $smarty->registerPlugin("function", "msgPool", "smarty_function_msgPool");
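Review bot: The patch header does not match the changes: it names only the image and factory functions for the switch from &$smarty to $smarty, but function.msgPool.php gets the same signature change and should be listed too. The header also writes "Abstract." with a full stop, where 1045_dont_use_filter_caching.patch uses "Abstract:"; pick one form. For block.render.php, only the first lines of smarty_block_render are visible in the context, so please confirm that nothing further down the function body still refers to $smarty now that the parameter is gone.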
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch
--- gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch	1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch	2019-04-19 15:22:28.000000000 +0200
@@ -0,0 +1,17 @@
+Description: No need to let this script depend on php-mcrypt
+Author: Dominik George <natureshadow@debian.org>
+Forwarded: https://github.com/gosa-project/gosa-core/pull/27
+
+--- a/gosa-core/bin/gosa-mcrypt-to-openssl-passwords
++++ b/gosa-core/bin/gosa-mcrypt-to-openssl-passwords
+@@ -25,9 +25,7 @@
+ }
+ 
+ function cred_decrypt($input, $password) {
+-  $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
+-  $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
+-  return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv ), "\0\3\4\n");
++  return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING ), "\0\3\4\n");
+ }
+ 
+ 
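Review bot: In cred_decrypt the "@" in front of openssl_decrypt still hides a failed decryption: a false return goes straight into rtrim and comes back as an empty string, so the migration script cannot tell a wrong key or malformed hex input from an empty password. Since this line is being touched anyway, consider storing the result, checking it against false and reporting the failure before trimming. Dropping the $iv argument is consistent with the cipher string, as aes-256-ecb takes no IV.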
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch
--- gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch	1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch	2019-04-19 15:22:28.000000000 +0200
@@ -0,0 +1,27 @@
+Description: Disable flawed filter caching (which works via storing unserialized objects in $_SESSION)
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+Forwarded: https://github.com/gosa-project/gosa-core/issues/28
+Abstract:
+ All required information is in the above upstream bug report.
+ .
+ This patch has work-around status. It is no proper solution.
+
+--- a/gosa-core/include/class_management.inc
++++ b/gosa-core/include/class_management.inc
+@@ -131,7 +131,15 @@
+     $this->registerAction("cancelFilter","cancelFilter");
+ 
+     // To temporay disable the filter caching UNcomment this line.
+-    #session::global_un_set(get_class($this)."_filter");
++
++    /*
++     * As a work-around for flawed object storage in the PHP $_SESSION array
++     * the filter caching has been deactivated since gosa 2.7.4+reloaded3-8.
++     *
++     * See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907815#31 for
++     * details.
++     */
++    session::global_un_set(get_class($this)."_filter");
+   }
+ 
+   
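Review bot: The old comment line "To temporay disable the filter caching UNcomment this line." is kept as context directly above the new block, and it now contradicts the code, because the session::global_un_set call is active unconditionally. Remove that line or fold it into the new comment (fixing "temporay" on the way), so that a later reader does not comment the call out again thinking it is a debugging leftover. The new comment could also state, as the patch header does, that this is a work-around and not a proper solution.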
diff -Nru gosa-2.7.4+reloaded3/debian/patches/series gosa-2.7.4+reloaded3/debian/patches/series
--- gosa-2.7.4+reloaded3/debian/patches/series	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/series	2019-04-19 15:22:28.000000000 +0200
@@ -60,3 +60,6 @@
 1041_ref_param_error_in_My_Parser.patch
 1042_add_option_to_disable_autocomplete.patch
 0014_latest-gosa-conf.patch
+1043_smarty-add-on-function-param-types.patch
+1044_crypto-transition-without-mcrypt.patch
+1045_dont_use_filter_caching.patch