--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear release team,

I would like to upload a late-breaking security fix to openldap:

  * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free
    in the MDB backend on a search including the Paged Results control with a
    page size of 0. (ITS#8655) (Closes: #863563)

A Debian user reported this crash bug in slapd. The default Debian
configuration uses the MDB backend and allows unauthenticated users to
search the directory; therefore for us this qualifies as a remote DoS.

With your permission, I'd like to include one additional fix:

  * ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an intermittently
    failing test by waiting for slapd to start before running tests.
    (ITS#8644) (Closes: #770890)

This issue caused some havoc in the last upload; you may remember that
we ended up re-bootstrapping on ppc64el and binNMUing everywhere. The
root cause was actually the tight dependency between libldap-2.4-2 and
libldap-common, but I think revisiting that should wait for buster. For
now, including this patch will improve the reliability of maintenance
uploads during stretch's lifetime.

Both patches have already been reviewed upstream and will be included in
the upcoming 2.4.45 release.

Thanks again for all your work on making stretch great,
Ryan

-- System Information:
Debian Release: 8.8
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-0.bpo.3-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -Nru openldap-2.4.44+dfsg/debian/changelog openldap-2.4.44+dfsg/debian/changelog
--- openldap-2.4.44+dfsg/debian/changelog 2017-04-16 20:10:43.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/changelog 2017-05-28 09:59:48.000000000 -0700
@@ -1,3 +1,14 @@
+openldap (2.4.44+dfsg-5) unstable; urgency=medium
+
+ * ITS-8644-wait-for-slapd-to-start-in-test064.patch: Fix an intermittently
+ failing test by waiting for slapd to start before running tests.
+ (ITS#8644) (Closes: #770890)
+ * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free
+ in the MDB backend on a search including the Paged Results control with a
+ page size of 0. (ITS#8655) (Closes: #863563)
+
+ -- Ryan Tandy <ryan@nardis.ca> Sun, 28 May 2017 09:59:46 -0700
+
openldap (2.4.44+dfsg-4) unstable; urgency=medium
* Improve the slapd/ppolicy_schema_needs_update debconf template. Thanks to
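Review bot: The ITS-8644 bullet in the new 2.4.44+dfsg-5 entry names its patch without the debian/patches/ prefix that the ITS-8655 bullet carries; use one form for both. The ITS-8655 bullet also describes the double free without saying who can trigger it, and the entry is marked urgency=medium, so consider stating the impact in the bullet so that the security nature of the upload is visible from the changelog alone.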
diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch openldap-2.4.44+dfsg/debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch 1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-8644-wait-for-slapd-to-start-in-test064.patch 2017-05-28 09:57:44.000000000 -0700
@@ -0,0 +1,40 @@
+From b622163ecf14a179d932f779164af5e393311dd8 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Tue, 25 Apr 2017 01:28:25 +0000
+Subject: [PATCH] ITS#8644 wait for slapd to start in test064
+
+---
+ tests/scripts/test064-constraint | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/tests/scripts/test064-constraint b/tests/scripts/test064-constraint
+index 94f86be..2ac53ac 100755
+--- a/tests/scripts/test064-constraint
++++ b/tests/scripts/test064-constraint
+@@ -117,6 +117,23 @@ if test $WAIT != 0 ; then
+ fi
+ sleep 1
+
++echo "Using ldapsearch to check that slapd is running..."
++for i in 0 1 2 3 4 5; do
++ $LDAPSEARCH -s base -b "$MONITOR" -h $LOCALHOST -p $PORT1 \
++ 'objectclass=*' > /dev/null 2>&1
++ RC=$?
++ if test $RC = 0 ; then
++ break
++ fi
++ echo "Waiting 5 seconds for slapd to start..."
++ sleep 5
++done
++if test $RC != 0 ; then
++ echo "ldapsearch failed ($RC)!"
++ test $KILLSERVERS != no && kill -HUP $KILLPIDS
++ exit $RC
++fi
++
+ echo "Adding basic structure..."
+ $LDAPADD -D "$MANAGERDN" -H $URI1 -w $PASSWD -f $ROOTLDIF &>/dev/null
+ RC=$?
+--
+2.1.4
+
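Review bot: In the added retry loop, a failure on the last iteration (i=5) still prints "Waiting 5 seconds for slapd to start..." and sleeps before falling through to the "ldapsearch failed ($RC)!" branch, so a slapd that never comes up costs an extra 5 seconds and logs a misleading message. Skipping the echo and sleep on the final pass would fix that. The added ldapsearch call also quotes "$MONITOR" but leaves $LOCALHOST and $PORT1 unquoted, and the patch header has no body; a sentence there on the startup race being worked around would help whoever next touches test064.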
diff -Nru openldap-2.4.44+dfsg/debian/patches/ITS-8655-paged-results-double-free.patch openldap-2.4.44+dfsg/debian/patches/ITS-8655-paged-results-double-free.patch
--- openldap-2.4.44+dfsg/debian/patches/ITS-8655-paged-results-double-free.patch 1969-12-31 16:00:00.000000000 -0800
+++ openldap-2.4.44+dfsg/debian/patches/ITS-8655-paged-results-double-free.patch 2017-05-28 09:58:07.000000000 -0700
@@ -0,0 +1,28 @@
+From 0cee1ffb6021b1aae3fcc9581699da1c85a6dd6e Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Wed, 17 May 2017 20:07:39 -0700
+Subject: [PATCH] ITS#8655 fix double free on paged search with pagesize 0
+
+Fixes a double free when a search includes the Paged Results control
+with a page size of 0 and the search base matches the filter.
+---
+ servers/slapd/back-mdb/search.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/servers/slapd/back-mdb/search.c b/servers/slapd/back-mdb/search.c
+index 301d1a4..43442aa 100644
+--- a/servers/slapd/back-mdb/search.c
++++ b/servers/slapd/back-mdb/search.c
+@@ -1066,7 +1066,8 @@ notfound:
+ /* check size limit */
+ if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED ) {
+ if ( rs->sr_nentries >= ((PagedResultsState *)op->o_pagedresults_state)->ps_size ) {
+- mdb_entry_return( op, e );
++ if (e != base)
++ mdb_entry_return( op, e );
+ e = NULL;
+ send_paged_response( op, rs, &lastid, tentries );
+ goto done;
+--
+2.1.4
+
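Review bot: The new guard if (e != base) in the size-limit branch carries no comment saying who releases base when it is skipped here, and the hunk does not show that path. Add a one-line comment naming where base is returned so the ownership rule is explicit at the point where it matters. The guard is also written without the inner padding the surrounding lines use (compare if ( get_pagedresults(op) > SLAP_CONTROL_IGNORED )), and the diffstat shows only search.c changing, so there is no regression test for a paged search with page size 0 whose base matches the filter, the case the commit message describes.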
diff -Nru openldap-2.4.44+dfsg/debian/patches/series openldap-2.4.44+dfsg/debian/patches/series
--- openldap-2.4.44+dfsg/debian/patches/series 2017-04-16 20:10:43.000000000 -0700
+++ openldap-2.4.44+dfsg/debian/patches/series 2017-05-28 09:58:07.000000000 -0700
@@ -25,3 +25,5 @@
ITS6035-olcauthzregex-needs-restart.patch
set-maintainer-name
ITS-8554-kFreeBSD-is-like-BSD.patch
+ITS-8644-wait-for-slapd-to-start-in-test064.patch
+ITS-8655-paged-results-double-free.patch
--- End Message ---