
Bug#901194: marked as done (jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4)



Your message dated Sat, 23 Jun 2018 12:32:13 +0100
with message-id <1529753533.11744.69.camel@adam-barratt.org.uk>
and subject line Closing bugs for requests included in the EoL jessie point release
has caused the Debian Bug report #901194,
regarding jessie-pu: package openldap/2.4.40+dfsg-1+deb8u4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
901194: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901194
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Dear OSRM,

Please consider this openldap update for jessie. I apologize for the 
late request and will understand if it doesn't make it.

  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)

I would like to apply this fix in jessie to ensure that if openldap gets 
a security update during jessie LTS, affected systems will be able to 
install it. As well there may be some users who choose to upgrade from 
wheezy after its LTS ends. I have tested both upgrade scenarios 
(jessie->jessie and wheezy->jessie).

For avoidance of doubt: this includes the changes also proposed for 
stretch in #901192 (the affected code is always executed in 
wheezy->jessie upgrades).

  * Import upstream patches to fix memory corruption caused by calling
    sasl_client_init() multiple times and possibly concurrently.
    (ITS#8648) (Closes: #860947)

This issue affected several slapd users and came with a variety of 
symptoms. A typical example of an affected setup would be a multi-master 
setup where replication is authenticated using Kerberos (SASL/GSSAPI). 
These patches have been applied in stretch (in +deb9u1) and in Ubuntu 
xenial, with no regressions reported.

thanks,
Ryan

-- System Information:
Debian Release: 9.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-6-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
diff -u openldap-2.4.40+dfsg/debian/changelog openldap-2.4.40+dfsg/debian/changelog
--- openldap-2.4.40+dfsg/debian/changelog
+++ openldap-2.4.40+dfsg/debian/changelog
@@ -1,3 +1,12 @@
+openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium
+
+  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
+  * Import upstream patches to fix memory corruption caused by calling 
+    sasl_client_init() multiple times and possibly concurrently.
+    (ITS#8648) (Closes: #860947)
+
+ -- Ryan Tandy <ryan@nardis.ca>  Tue, 05 Jun 2018 20:16:25 -0700
+
 openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high
 
   * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free 
diff -u openldap-2.4.40+dfsg/debian/patches/series openldap-2.4.40+dfsg/debian/patches/series
--- openldap-2.4.40+dfsg/debian/patches/series
+++ openldap-2.4.40+dfsg/debian/patches/series
@@ -29,0 +30,2 @@
+ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+ITS-8648-init-SASL-library-in-global-init.patch
diff -u openldap-2.4.40+dfsg/debian/slapd.scripts-common openldap-2.4.40+dfsg/debian/slapd.scripts-common
--- openldap-2.4.40+dfsg/debian/slapd.scripts-common
+++ openldap-2.4.40+dfsg/debian/slapd.scripts-common
@@ -100,7 +100,7 @@
 }
 # }}}
 update_databases_permissions() {	# {{{
-	get_suffix | while read suffix; do
+	get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		update_permissions "$dbdir"
 	done
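Review bot: read -r in this loop stops backslash processing but, with the default IFS, still trims leading and trailing whitespace from each line, and that trimming is load-bearing: the cn=config branch of get_suffix (grep -h ^olcSuffix ... | cut -d: -f 2) emits each suffix with the space that follows the colon. A short comment saying so would keep a later cleanup to IFS= read -r from breaking the whole-line match in get_directory (grep -Flx "olcSuffix: $1"). The same applies to the other get_suffix | while read -r loops in this file.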
@@ -163,11 +163,11 @@
 
 	dir=`database_dumping_destdir`
 	echo >&2 "  Dumping to $dir: "
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -n "$dbdir" ]; then
 			file="$dir/$suffix.ldif"
-			echo -n "  - directory $suffix... " >&2
+			printf '  - directory %s... ' "$suffix" >&2
 			# Need to support slapd.d migration from preinst
 			if [ -f "${SLAPD_CONF}" ]; then
 				slapcat_opts="-g -f ${SLAPD_CONF}"
@@ -194,7 +194,7 @@
 
 	dir=`database_dumping_destdir`
 	echo >&2 "  Loading from $dir: "
-	get_suffix | while read suffix; do
+	get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -z "$dbdir" ]; then
 			continue
@@ -206,11 +206,11 @@
 		fi
 
 		file="$dir/$suffix.ldif"
-		echo -n "  - directory $suffix... " >&2
+		printf '  - directory %s... ' "$suffix" >&2
 
 		# If there is an old DB_CONFIG file, restore it before
 		# running slapadd
-		backupdir=`compute_backup_path -n "$dbdir" "$suffix"`
+		backupdir="$(compute_backup_path -n "$dbdir" "$suffix")"
 		if [ -e "$backupdir"/DB_CONFIG ]; then
 			cp -a "$backupdir"/DB_CONFIG "$dbdir"/
 		fi
@@ -249,7 +249,7 @@
 # }}}
 move_incompatible_databases_away() {					# {{{
 	echo >&2 "  Moving old database directories to /var/backups:"
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		move_old_database_away "$dbdir" "$suffix" <&5
 	done) 5<&0 </dev/null
@@ -270,7 +270,7 @@
 get_suffix() {							
 	if [ -f "${SLAPD_CONF}" ]; then
 		for f in `get_all_slapd_conf_files`; do
-			sed -n -e's/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/p' $f
+			sed -n -e '/^suffix[[:space:]]/ { s/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/; s/\\\\/\\/g; p }' $f
 		done
 	else
 		grep -h ^olcSuffix ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif | cut -d: -f 2
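Review bot: In the new sed program the p is unconditional inside the /^suffix[[:space:]]/ block, so a line that matches the address but not the first s command (for example a suffix line whose value is the empty string "", where \([^"]\+\) has nothing to capture) is now printed verbatim as if it were a suffix, whereas the old s/.../\1/p form printed nothing for it. Consider narrowing the address so it requires a non-quote character after the optional quotes, or branching past the p when the first substitution does not apply. $f is also still unquoted on this line.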
@@ -279,14 +279,16 @@
 # }}}
 get_directory() {							# {{{
 # Returns the db directory for a given suffix
-	if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then
-		sed -n 's/^olcDbDirectory: *//p' `grep -l "^olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
+	if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -Fq "$1" ; then
+		sed -n 's/^olcDbDirectory: *//p' `grep -Flx "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
 	elif [ -f "${SLAPD_CONF}" ]; then
 		# Extract the directory for the given suffix ($1)
+		# Quote backslashes once for slapd.conf parser, again for awk
+		quoted="$(printf '%s' "$1" | sed 's/\\/\\\\\\\\/g')"
 		for f in `get_all_slapd_conf_files`; do
 		awk  ' BEGIN { DB=0; SUF=""; DIR="" } ;
 		       /^database/ { DB=1; SUF=""; DIR="" } ; 
-		       DB==1 && /^suffix[ \t]+"?'"$1"'"?$/ { SUF=$2 ; } ; 
+		       DB==1 && /^suffix[ \t]+"?'"$quoted"'"?$/ { SUF=$2 ; } ; 
 		       DB==1 && /^directory/ { DIR=$2 ;} ; 
 		       DB==1 && SUF!="" && DIR!="" { sub(/^"/,"",DIR) ; sub(/"$/,"",DIR) ; print DIR; SUF=""; DIR="" }' "${f}" | \
 		sed -e's/\([^\\]\|^\)"/\1/g; s/\\"/"/g; s/\\\\/\\/g'
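Review bot: The slapd.conf branch still splices the suffix into the awk program as a regular expression, so the new quoted= step covers backslashes only: a suffix containing other regex metacharacters (a dot, +, *, brackets) is matched as a pattern, and one containing / would end the regex literal early. The cn=config branch above moved to fixed-string matching with grep -F; the awk side could do the same by passing the value in through the environment and comparing it as a string. Separately, get_suffix | grep -Fq "$1" is still a substring test, so an argument that is only part of a configured suffix passes the guard; grep -Flx then lists no file and sed is run with no file argument.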
@@ -352,7 +354,7 @@
 		exit 1
 	fi
 
-	echo "$target"
+	printf '%s' "$target"
 }
 
 # }}}
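Review bot: printf '%s' "$target" drops the trailing newline that echo used to emit, which changes what compute_backup_path writes for any caller that does not use command substitution (a read from a pipe would see an unterminated line). The two callers visible in this diff both use "$(compute_backup_path ...)", where a trailing newline is stripped anyway, so printf '%s\n' "$target" would fix the backslash handling while leaving the function's output unchanged.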
@@ -380,8 +382,8 @@
 	# include mount points as well anyway, but it's much less likely.
 	db_get slapd/move_old_database
 	if [ "$RET" = true ]; then
-		backupdir=`compute_backup_path "$databasedir" "$suffix"`
-		echo -n "  - directory $suffix... " >&2
+		backupdir="$(compute_backup_path "$databasedir" "$suffix")"
+		printf '  - directory %s... ' "$suffix" >&2
 		mkdir -p "$backupdir"
 		find -H "$databasedir" -mindepth 1 -maxdepth 1 -type f \
 			-exec mv {} "$backupdir" \;
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
@@ -0,0 +1,30 @@
+From e437b12277c1cc8ec72e0f78f660137c60ffaad7 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Sun, 7 May 2017 20:16:00 +0000
+Subject: [PATCH] ITS#8648 check result of ldap_int_initialize in
+ ldap_{get,set}_option
+
+---
+ libraries/libldap/options.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/libraries/libldap/options.c
++++ b/libraries/libldap/options.c
+@@ -106,6 +106,8 @@
+ 
+ 	if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ 		ldap_int_initialize(lo, NULL);
++		if ( lo->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
+ 	}
+ 
+ 	if(ld != NULL) {
+@@ -446,6 +448,8 @@
+ 
+ 	if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ 		ldap_int_initialize(lo, dbglvl);
++		if ( lo->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
+ 	}
+ 
+ 	if(ld != NULL) {
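Review bot: The patch has no description between the Subject line and the ---, and neither added check carries a comment, so nothing explains when ldo_valid can still be unset after ldap_int_initialize() returns. From the companion patch, that is the new early return in init.c when ldap_int_sasl_init() fails; please say so in the patch header (a Bug-Debian reference to #860947 would also help) so the dependency between the two patches is recorded. Both checks also return LDAP_LOCAL_ERROR without any debug output, which will make a failed SASL initialisation hard to diagnose from the caller's side.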
only in patch2:
unchanged:
--- openldap-2.4.40+dfsg.orig/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch
+++ openldap-2.4.40+dfsg/debian/patches/ITS-8648-init-SASL-library-in-global-init.patch
@@ -0,0 +1,74 @@
+From 431c4af526b18abb4a18c2c4c8655690b753cbe5 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Fri, 5 May 2017 03:08:07 +0000
+Subject: [PATCH] ITS#8648 init SASL library in global init
+
+---
+ libraries/libldap/cyrus.c | 17 +++--------------
+ libraries/libldap/init.c  |  6 ++++++
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -69,14 +69,11 @@
+ 	{ SASL_CB_LIST_END, NULL, NULL }
+ };
+ 
++/*
++ * ldap_int_initialize is responsible for calling this only once.
++ */
+ int ldap_int_sasl_init( void )
+ {
+-	/* XXX not threadsafe */
+-	static int sasl_initialized = 0;
+-
+-	if ( sasl_initialized ) {
+-		return 0;
+-	}
+ 
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+@@ -96,7 +93,6 @@
+ #endif
+ 
+ 	if ( sasl_client_init( NULL ) == SASL_OK ) {
+-		sasl_initialized = 1;
+ 		return 0;
+ 	}
+ 
+@@ -307,11 +303,6 @@
+ 		return ld->ld_errno;
+ 	}
+ 
+-	if ( ldap_int_sasl_init() ) {
+-		ld->ld_errno = LDAP_LOCAL_ERROR;
+-		return ld->ld_errno;
+-	}
+-
+ #if SASL_VERSION_MAJOR >= 2
+ 	rc = sasl_client_new( "ldap", host, NULL, NULL,
+ 		client_callbacks, 0, &ctx );
+@@ -891,8 +882,6 @@
+ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
+ {
+ 	if ( option == LDAP_OPT_X_SASL_MECHLIST ) {
+-		if ( ldap_int_sasl_init() )
+-			return -1;
+ 		*(char ***)arg = (char **)sasl_global_listmech();
+ 		return 0;
+ 	}
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -658,6 +658,12 @@
+ 	if ( ldap_int_tblsize == 0 ) ldap_int_ip_init();
+ #endif
+ 
++#ifdef HAVE_CYRUS_SASL
++	if ( ldap_int_sasl_init() != 0 ) {
++		return;
++	}
++#endif
++
+ 	ldap_int_initialize_global_options(gopts, dbglvl);
+ 
+ 	if( getenv("LDAPNOINIT") != NULL ) {
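Review bot: With the init.c hunk, a failing ldap_int_sasl_init() makes the initialisation function return before ldap_int_initialize_global_options(), so a broken SASL setup now fails library initialisation for every caller, whereas the block removed from cyrus.c at -307 only failed the SASL path with LDAP_LOCAL_ERROR. If that is intended, state it in the patch description; the bare return; also deserves a debug message. The new comment in cyrus.c says ldap_int_initialize is responsible for calling this only once, but the init.c context shown here does not include whatever guard or lock provides that, so please confirm the insertion point is inside the once-only section now that the static sasl_initialized flag is gone.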

--- End Message ---
--- Begin Message ---
Version: 8.11

Hi,

The updates referenced by these bugs were included in today's EoL point
release for jessie (8.11).

Regards,

Adam

--- End Message ---
