Bug#893043: stretch-pu: package nss-pam-ldapd/0.9.7-2+deb9u1



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Hi Stable release managers, 

X-Debbugs-CC explicitly to Arthur, Debian maintainer of nss-pam-ldapd
*and* upstream.

src:nss-pam-ldapd is affected in stable (and already fixed
correspondingly in unstable and testing) by #890508, which under
certain circumstances (like the ones outlined in the bug, pam stack
configured with pam_ldap, UseDNS=yes in sshd_config, and a remote
hostname which is longer than 64 bytes), can lead to authentication
failure. That is just one way to trigger the issue. It would be
triggered as well by any rhost value which matches the problem.

Debian Bug report at: https://bugs.debian.org/890508
Upstream report: https://github.com/arthurdejong/nss-pam-ldapd/issues/22

Upstream commit message:

> Increase size of hostname buffer
>
> This increases the host name buffer to support host names (that
> include FQDNs) to 255 characters and removes the reliance on
> HOST_NAME_MAX and _POSIX_HOST_NAME_MAX which may be smaller in some
> situations.

Attached is the proposed (NMU) debdiff for the upload, but if you ack
the changes and Arthur would like to do the actual upload, then I'm
happy to withdraw my debdiff.

Can you please consider the change to be accepted for the next stretch
point release?

Regards,
Salvatore
diff -Nru nss-pam-ldapd-0.9.7/debian/changelog nss-pam-ldapd-0.9.7/debian/changelog
--- nss-pam-ldapd-0.9.7/debian/changelog	2017-01-22 16:00:00.000000000 +0100
+++ nss-pam-ldapd-0.9.7/debian/changelog	2018-03-08 14:11:25.000000000 +0100
@@ -1,3 +1,14 @@
+nss-pam-ldapd (0.9.7-2+deb9u1) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * Increase size of hostname buffer.
+    This increases the host name buffer to support host names (that include
+    FQDNs) to 255 characters and removes the reliance on HOST_NAME_MAX and
+    _POSIX_HOST_NAME_MAX which may be smaller in some situations.
+    (Closes: #890508)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 08 Mar 2018 14:11:25 +0100
+
 nss-pam-ldapd (0.9.7-2) unstable; urgency=medium
 
   * recommend ca-certificate which is needed due to adding tls_cacertfile by
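Review bot: The new 0.9.7-2+deb9u1 changelog entry repeats the upstream commit message but never states the user-visible symptom, so someone reading the stable changelog cannot tell that this fixes authentication failures. Consider adding a short clause to the "Increase size of hostname buffer." item, for example that it fixes PAM authentication failing when the remote host name is longer than 64 bytes, as described in the request above and in #890508. Naming the added file (debian/patches/Increase-size-of-hostname-buffer.patch) in the entry would also make the upload easier to audit.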
diff -Nru nss-pam-ldapd-0.9.7/debian/patches/Increase-size-of-hostname-buffer.patch nss-pam-ldapd-0.9.7/debian/patches/Increase-size-of-hostname-buffer.patch
--- nss-pam-ldapd-0.9.7/debian/patches/Increase-size-of-hostname-buffer.patch	1970-01-01 01:00:00.000000000 +0100
+++ nss-pam-ldapd-0.9.7/debian/patches/Increase-size-of-hostname-buffer.patch	2018-03-08 14:11:25.000000000 +0100
@@ -0,0 +1,61 @@
+From: Arthur de Jong <arthur@arthurdejong.org>
+Date: Fri, 16 Feb 2018 22:13:19 +0100
+Subject: Increase size of hostname buffer
+Origin: https://github.com/arthurdejong/nss-pam-ldapd/commit/c05e3265b7f62b83937f204119555c6a73f29b29
+Bug-Debian: https://bugs.debian.org/890508
+Bug: https://github.com/arthurdejong/nss-pam-ldapd/issues/22
+
+This increases the host name buffer to support host names (that include
+FQDNs) to 255 characters and removes the reliance on HOST_NAME_MAX and
+_POSIX_HOST_NAME_MAX which may be smaller in some situations.
+
+Closes https://github.com/arthurdejong/nss-pam-ldapd/issues/22
+---
+ nslcd/cfg.c    |  4 ++--
+ nslcd/common.h | 13 ++-----------
+ 2 files changed, 4 insertions(+), 13 deletions(-)
+
+diff --git a/nslcd/cfg.c b/nslcd/cfg.c
+index 60d860e..348e800 100644
+--- a/nslcd/cfg.c
++++ b/nslcd/cfg.c
+@@ -425,7 +425,7 @@ static void add_uris_from_dns(const char *filename, int lnr,
+ {
+   int rc;
+   char *hostlist = NULL, *nxt;
+-  char buf[HOST_NAME_MAX + sizeof("ldap://";)];
++  char buf[BUFLEN_HOSTNAME + sizeof("ldap://";)];
+   log_log(LOG_DEBUG, "query %s for SRV records", domain);
+   rc = ldap_domain2hostlist(domain, &hostlist);
+   if (rc != LDAP_SUCCESS)
+diff --git a/nslcd/common.h b/nslcd/common.h
+index ffa07ba..26fcf48 100644
+--- a/nslcd/common.h
++++ b/nslcd/common.h
+@@ -150,15 +150,6 @@ int invalidator_start(void);
+ /* signal invalidator to invalidate the selected external cache */
+ void invalidator_do(enum ldap_map_selector map);
+ 
+-/* fallback definition of HOST_NAME_MAX */
+-#ifndef HOST_NAME_MAX
+-#ifdef _POSIX_HOST_NAME_MAX
+-#define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
+-#else
+-#define HOST_NAME_MAX 255
+-#endif /* _POSIX_HOST_NAME_MAX */
+-#endif /* not HOST_NAME_MAX */
+-
+ /* common buffer lengths */
+ #define BUFLEN_NAME         256  /* user, group names and such */
+ #define BUFLEN_SAFENAME     300  /* escaped name */
+@@ -167,7 +158,7 @@ void invalidator_do(enum ldap_map_selector map);
+ #define BUFLEN_DN           512  /* distinguished names */
+ #define BUFLEN_SAFEDN       600  /* escapedd dn */
+ #define BUFLEN_FILTER      4096  /* search filters */
+-#define BUFLEN_HOSTNAME (HOST_NAME_MAX + 1)  /* host names (+ escaped) */
++#define BUFLEN_HOSTNAME     256  /* host names or FQDN (and safe version) */
+ #define BUFLEN_MESSAGE     1024  /* message strings */
+ 
+ /* provide strtouid() function alias */
+-- 
+2.16.2
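Review bot: In the nslcd/common.h part, BUFLEN_HOSTNAME becomes a flat 256 that is documented as covering both the host name and its "safe version", while the neighbouring buffers give the escaped form extra room (BUFLEN_SAFENAME 300 against BUFLEN_NAME 256, BUFLEN_SAFEDN 600 against BUFLEN_DN 512). A 255-character name that contains characters needing escaping would not fit in its escaped form, so please confirm that the escaping path fails cleanly on overflow rather than truncating, or introduce a separate, larger constant for the escaped host name. Two smaller points: the fallback definition of HOST_NAME_MAX is dropped from common.h and the diffstat only touches cfg.c and common.h, so it is worth checking that no other file in nslcd/ still uses HOST_NAME_MAX; and in nslcd/cfg.c the visible context does not show how buf is filled, so the writes into buf in add_uris_from_dns() should be verified to be bounded by sizeof(buf).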
diff -Nru nss-pam-ldapd-0.9.7/debian/patches/series nss-pam-ldapd-0.9.7/debian/patches/series
--- nss-pam-ldapd-0.9.7/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ nss-pam-ldapd-0.9.7/debian/patches/series	2018-03-08 14:11:25.000000000 +0100
@@ -0,0 +1 @@
+Increase-size-of-hostname-buffer.patch