
Bug#925907: marked as done (unblock: lemonldap-ng/2.0.2+ds-6)



Your message dated Thu, 28 Mar 2019 12:13:19 +0100
with message-id <26f7d6a2-2cd5-502b-5fe7-b1f824badab7@debian.org>
and subject line Re: Bug#925907: unblock: lemonldap-ng/2.0.2+ds-6
has caused the Debian Bug report #925907,
regarding unblock: lemonldap-ng/2.0.2+ds-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
925907: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925907
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: security
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package lemonldap-ng

Hi all,

A medium security issue has been reported in the upstream repo [1]. I imported
the fix as a patch in 2.0.2+ds-6. This unblock would also import the 2.0.2+ds-5
changes: autopkgtest improvements.

The full changes are:

  - installed files:
    * 6 lines added to restore username regexp check
  - upstream test files:
    * add test corresponding to this change
  - debian tests:
    * replace libauthen-u2f-perl by libauthen-u2f-tester-perl in build
      dependencies (this was an error which caused some upstream tests to
      be ignored)
    * split autopkgtests to launch upstream component tests on a minimal
      install (for example, portal tests are launched with only the
      liblemonldap-ng-portal-perl dependency instead of the lemonldap-ng
      meta package)

I think it is low risk to unblock lemonldap-ng since:
 - lemonldap-ng has no reverse dependencies.
 - changes on installed files are minimal
 - build/autopkgtest tests are improved
   (and successfully passed with 2.0.2+ds-5: [2])

Cheers,
Xavier

[1]: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1667
[2]: https://ci.debian.net/packages/l/lemonldap-ng/ and
     https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/lemonldap-ng.html

unblock lemonldap-ng/2.0.2+ds-6

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 252619fbb..c4c63a10f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+lemonldap-ng (2.0.2+ds-6) unstable; urgency=medium
+
+  * Add patch to fix missing userControl calls (little security fix)
+
+ -- Xavier Guimard <yadd@debian.org>  Thu, 28 Mar 2019 10:41:14 +0100
+
+lemonldap-ng (2.0.2+ds-5) unstable; urgency=medium
+
+  * Fix bad build dependency: Authen::2F::Tester instead of Authen::2F
+  * Split autopkgtests to test each library separately
+
+ -- Xavier Guimard <yadd@debian.org>  Sat, 02 Mar 2019 13:47:29 +0100
+
 lemonldap-ng (2.0.2+ds-4) unstable; urgency=medium
 
   * Ignore debci GPG errors (Closes: 922265)
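Review bot: the 2.0.2+ds-5 changelog entry names the module as `Authen::2F::Tester instead of Authen::2F`, but the debian/control change in this same upload swaps `libauthen-u2f-perl` for `libauthen-u2f-tester-perl`, i.e. Authen::U2F::Tester versus Authen::U2F; correcting the module name in the changelog would make the entry match the actual change.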
diff --git a/debian/control b/debian/control
index e68a79775..be46d2783 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 11~),
 Build-Depends-Indep: gpg,
                      libapache-session-perl,
                      libauthen-oath-perl,
-                     libauthen-u2f-perl,
+                     libauthen-u2f-tester-perl,
                      libcache-cache-perl,
                      libclone-perl,
                      libconfig-inifiles-perl,
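Review bot: the Build-Depends-Indep change replaces `libauthen-u2f-perl` with `libauthen-u2f-tester-perl` rather than adding the tester package alongside it; if the upstream U2F tests need both Authen::U2F and Authen::U2F::Tester and the tester package does not itself depend on libauthen-u2f-perl, those tests would still be skipped, so it is worth confirming the dependency chain (or simply listing both) before relying on this to un-skip them.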
diff --git a/debian/patches/fix-missing-userControl.diff b/debian/patches/fix-missing-userControl.diff
new file mode 100644
index 000000000..f2952e92e
--- /dev/null
+++ b/debian/patches/fix-missing-userControl.diff
@@ -0,0 +1,56 @@
+Description: Fix missing userControl calls
+Author: Xavier Guimard <yadd@debian.org>
+Origin: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/e0204c6a79e4fffb40751a9cd0f7433b317a5bf9
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1667
+Forwarded: //gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/e0204c6a79e4fffb40751a9cd0f7433b317a5bf9
+Last-Update: 2019-03-28
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
+@@ -16,6 +16,7 @@
+   PE_OK
+   PE_PASSWORDFORMEMPTY
+   PE_TOKENEXPIRED
++  PE_MALFORMEDUSER
+ );
+ 
+ our $VERSION = '2.0.0';
+@@ -53,6 +54,13 @@
+ sub extractFormInfo {
+     my ( $self, $req ) = @_;
+ 
++    if ( $req->param('user') ) {
++        unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o ) {
++            $self->setSecurity($req);
++            return PE_MALFORMEDUSER;
++        }
++    }
++
+     # Detect first access and empty forms
+     my $defUser        = defined $req->param('user');
+     my $defPassword    = defined $req->param('password');
+--- a/lemonldap-ng-portal/t/02-Password-Demo.t
++++ b/lemonldap-ng-portal/t/02-Password-Demo.t
+@@ -53,6 +53,22 @@
+ ok(
+     $res = $client->_post(
+         '/',
++        IO::String->new('user=dwho*&password=dwho'),
++        accept => 'text/html',
++        length => 24
++    ),
++    'Auth query'
++);
++ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%,
++    ' PE40 found' )
++  or print STDERR Dumper( $res->[2]->[0] );
++count(2);
++
++# Try yo authenticate
++# -------------------
++ok(
++    $res = $client->_post(
++        '/',
+         IO::String->new('user=dwho&password=dwho'),
+         length => 23
+     ),
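Review bot: in the `extractFormInfo` hunk, the new check `unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o )` uses the `/o` modifier, which compiles the interpolated pattern only once per process; if a long-running portal worker reloads its configuration with a different `userControl` value, the stale pattern keeps being applied, so dropping `/o` (or pre-compiling the regexp with `qr//` when the configuration is loaded) would be safer. The guard `if ( $req->param('user') )` also tests Perl truthiness, so a submitted username of `0` skips the check; `if ( defined $req->param('user') and length $req->param('user') )` would cover it. Two smaller points: the `Forwarded:` header lacks the `https:` scheme that `Origin:` has (`//gitlab.ow2.org/...`), and the test comment `# Try yo authenticate` should read `# Try to authenticate`.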
diff --git a/debian/patches/series b/debian/patches/series
index 938933442..0d400d144 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 javascript-path.patch
 Avoid-developer-tests.patch
 ignore-gpg-errors.diff
+fix-missing-userControl.diff
diff --git a/debian/tests/control b/debian/tests/control
index 768cc02a4..eeb2fc1ee 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,14 +1,38 @@
 # debian/tests/runner launch pkg-perl-autopkgtest tests for each library
-Test-Command: ./debian/tests/runner build-deps
-Depends: @, @builddeps@, pkg-perl-autopkgtest, libmouse-perl
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-common
+Depends: liblemonldap-ng-common-perl, @builddeps@, pkg-perl-autopkgtest
 
-Test-Command: ./debian/tests/runner runtime-deps
-Depends: @, pkg-perl-autopkgtest, libmouse-perl
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-handler
+Depends: liblemonldap-ng-handler-perl, @builddeps@, pkg-perl-autopkgtest
+
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-portal
+Depends: liblemonldap-ng-portal-perl, @builddeps@, pkg-perl-autopkgtest
+
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-manager
+Depends: liblemonldap-ng-manager-perl, @builddeps@, pkg-perl-autopkgtest
+
+Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-common
+Depends: liblemonldap-ng-common-perl, pkg-perl-autopkgtest, libmouse-perl
+Restrictions: superficial, skippable
+
+# Disable this one: skipped
+#Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-handler
+#Depends: liblemonldap-ng-handler-perl, pkg-perl-autopkgtest, libmouse-perl
+#Restrictions: superficial, skippable
+
+Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-portal
+Depends: liblemonldap-ng-portal-perl, pkg-perl-autopkgtest, libmouse-perl
+Restrictions: superficial, skippable
+
+Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-manager
+Depends: liblemonldap-ng-manager-perl, pkg-perl-autopkgtest, libmouse-perl
+Restrictions: superficial, skippable
 
 # Use pkg-perl-autopkgtest test for runtime-deps-and-recommends
 # Some portal suggested dependencies are added here
 Test-Command: /usr/share/pkg-perl-autopkgtest/runner runtime-deps-and-recommends
 Depends: @, @builddeps@, pkg-perl-autopkgtest, libyaml-perl, liblog-log4perl-perl, libauthen-pam-perl, libauthen-radius-perl, libweb-id-perl
+Restrictions: superficial
 
 #Test-Command: ./debian/tests/runner heavy-deps
 #Depends: @, pkg-perl-autopkgtest, pkg-perl-autopkgtest-heavy, libmouse-perl
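Review bot: the comment `# Disable this one: skipped` above the commented-out handler runtime-deps test does not say why that test is skipped; recording the reason in the comment (and the missing dependency, if that is the cause) would help whoever re-enables it later. Also, the four new build-deps stanzas no longer depend on `libmouse-perl`, which the old `build-deps` line listed; that is fine only if `@builddeps@` already pulls it in.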
diff --git a/debian/tests/runner b/debian/tests/runner
index 553b39e28..e61c8f46d 100755
--- a/debian/tests/runner
+++ b/debian/tests/runner
@@ -10,8 +10,12 @@ TESTDIR=${BASE}/${TYPE}.d
 
 LLSOURCEDIR=`pwd`
 
+LIST=$2
+
+test "$LIST" == "" 2>/dev/null && LIST=lemonldap-ng-*
+
 EXITCODE=0
-for LLLIB in lemonldap-ng-*; do
+for LLLIB in $LIST; do
     mkdir -p $LLSOURCEDIR/$LLLIB/debian/tests/pkg-perl
     for llfile in debian/tests/pkg-perl/${LLLIB}*; do
         if [ -r $llfile ]; then
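Review bot: `test "$LIST" == "" 2>/dev/null` relies on the non-POSIX `==` operator; if the runner executes under dash (the shebang is not in the hunk), `test` rejects `==` with an error that the redirect hides and returns non-zero, so `LIST` never receives its `lemonldap-ng-*` default and `for LLLIB in $LIST` iterates zero times, silently running no tests. The portable form `test -z "$LIST" && LIST=lemonldap-ng-*` (or `[ "$LIST" = "" ]`) behaves the same in bash and dash and removes the need to discard stderr.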

--- End Message ---
--- Begin Message ---
Hi yadd,

On 28-03-2019 11:14, Xavier Guimard wrote:
> Please unblock package lemonldap-ng

unblocked, thanks

Paul

--- End Message ---
