Package: release.debian.org
Severity: normal
Tags: security
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package lemonldap-ng
Hi all,
a medium security issue has been reported on the upstream repo [1]. I imported
the fix as a patch in 2.0.2+ds-6. This unblock would also import the 2.0.2+ds-5
changes: autopkgtest improvements.
The full changes are:
- installed files:
  * 6 lines added to restore the username regexp check
- upstream test files:
  * add a test corresponding to this change
- debian tests:
  * replace libauthen-u2f-perl by libauthen-u2f-tester-perl in build
    dependencies (was an error which made some upstream tests
    ignored)
  * split autopkgtests to launch upstream component tests on a minimal
    install (for example portal tests are launched with only the
    liblemonldap-ng-portal-perl dependency instead of the lemonldap-ng
    meta package)
I think it is low risk to unblock lemonldap-ng since:
- lemonldap-ng has no reverse dependencies.
- changes to installed files are minimal
- build/autopkgtest tests are improved
  (and successfully passed with 2.0.2+ds-5: [2])
Cheers,
Xavier
[1]: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1667
[2]: https://ci.debian.net/packages/l/lemonldap-ng/ and
https://tests.reproducible-builds.org/debian/rb-pkg/unstable/amd64/lemonldap-ng.html
unblock lemonldap-ng/2.0.2+ds-6
-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (600, 'testing'), (50, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.14.0-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff --git a/debian/changelog b/debian/changelog
index 252619fbb..c4c63a10f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
+lemonldap-ng (2.0.2+ds-6) unstable; urgency=medium
+
+ * Add patch to fix missing userControl calls (little security fix)
+
+ -- Xavier Guimard <yadd@debian.org> Thu, 28 Mar 2019 10:41:14 +0100
+
+lemonldap-ng (2.0.2+ds-5) unstable; urgency=medium
+
+ * Fix bad build dependency: Authen::2F::Tester instead of Authen::2F
+ * Split autopkgtests to test each library separately
+
+ -- Xavier Guimard <yadd@debian.org> Sat, 02 Mar 2019 13:47:29 +0100
+
lemonldap-ng (2.0.2+ds-4) unstable; urgency=medium
* Ignore debci GPG errors (Closes: 922265)
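Review bot: the first bullet of the 2.0.2+ds-5 entry misnames the modules; the build dependency moved from libauthen-u2f-perl to libauthen-u2f-tester-perl, so it should read `Authen::U2F::Tester instead of Authen::U2F` (the `U` is missing from both names). The 2.0.2+ds-6 entry describes the change only as a "little security fix"; naming the upstream issue it fixes (https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1667, as the patch header already does) would let the release team and the security tracker tie the entry to the report.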
diff --git a/debian/control b/debian/control
index e68a79775..be46d2783 100644
--- a/debian/control
+++ b/debian/control
@@ -8,7 +8,7 @@ Build-Depends: debhelper (>= 11~),
Build-Depends-Indep: gpg,
libapache-session-perl,
libauthen-oath-perl,
- libauthen-u2f-perl,
+ libauthen-u2f-tester-perl,
libcache-cache-perl,
libclone-perl,
libconfig-inifiles-perl,
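Review bot: this replaces libauthen-u2f-perl with libauthen-u2f-tester-perl instead of adding the tester alongside it, so the build now relies on the tester package pulling in Authen::U2F transitively. Worth confirming in the build log that the previously skipped U2F tests now actually run rather than being skipped for a different missing module, and keeping `libauthen-u2f-perl` listed explicitly if the build uses it directly.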
diff --git a/debian/patches/fix-missing-userControl.diff b/debian/patches/fix-missing-userControl.diff
new file mode 100644
index 000000000..f2952e92e
--- /dev/null
+++ b/debian/patches/fix-missing-userControl.diff
@@ -0,0 +1,56 @@
+Description: Fix missing userControl calls
+Author: Xavier Guimard <yadd@debian.org>
+Origin: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/e0204c6a79e4fffb40751a9cd0f7433b317a5bf9
+Bug: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/issues/1667
+Forwarded: //gitlab.ow2.org/lemonldap-ng/lemonldap-ng/commit/e0204c6a79e4fffb40751a9cd0f7433b317a5bf9
+Last-Update: 2019-03-28
+
+--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
++++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/_WebForm.pm
+@@ -16,6 +16,7 @@
+ PE_OK
+ PE_PASSWORDFORMEMPTY
+ PE_TOKENEXPIRED
++ PE_MALFORMEDUSER
+ );
+
+ our $VERSION = '2.0.0';
+@@ -53,6 +54,13 @@
+ sub extractFormInfo {
+ my ( $self, $req ) = @_;
+
++ if ( $req->param('user') ) {
++ unless ( $req->param('user') =~ /$self->{conf}->{userControl}/o ) {
++ $self->setSecurity($req);
++ return PE_MALFORMEDUSER;
++ }
++ }
++
+ # Detect first access and empty forms
+ my $defUser = defined $req->param('user');
+ my $defPassword = defined $req->param('password');
+--- a/lemonldap-ng-portal/t/02-Password-Demo.t
++++ b/lemonldap-ng-portal/t/02-Password-Demo.t
+@@ -53,6 +53,22 @@
+ ok(
+ $res = $client->_post(
+ '/',
++ IO::String->new('user=dwho*&password=dwho'),
++ accept => 'text/html',
++ length => 24
++ ),
++ 'Auth query'
++);
++ok( $res->[2]->[0] =~ m%<span trmsg="40"></span>%,
++ ' PE40 found' )
++ or print STDERR Dumper( $res->[2]->[0] );
++count(2);
++
++# Try yo authenticate
++# -------------------
++ok(
++ $res = $client->_post(
++ '/',
+ IO::String->new('user=dwho&password=dwho'),
+ length => 23
+ ),
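Review bot: in the _WebForm.pm hunk, the `/o` modifier on `/$self->{conf}->{userControl}/o` compiles the pattern once per process, so a changed userControl in a reloaded configuration is not picked up by a long-running portal worker until it restarts; dropping `/o`, or pre-compiling with `qr//` when the configuration is loaded, avoids that. `if ( $req->param('user') )` also tests truthiness rather than `defined`, so a user value of `0` skips the regexp check; `defined` is the stricter and clearer test. Two header nits: the `Forwarded:` URL lacks its `https:` scheme, and the added test comment reads `Try yo authenticate`.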
diff --git a/debian/patches/series b/debian/patches/series
index 938933442..0d400d144 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
javascript-path.patch
Avoid-developer-tests.patch
ignore-gpg-errors.diff
+fix-missing-userControl.diff
diff --git a/debian/tests/control b/debian/tests/control
index 768cc02a4..eeb2fc1ee 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -1,14 +1,38 @@
# debian/tests/runner launch pkg-perl-autopkgtest tests for each library
-Test-Command: ./debian/tests/runner build-deps
-Depends: @, @builddeps@, pkg-perl-autopkgtest, libmouse-perl
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-common
+Depends: liblemonldap-ng-common-perl, @builddeps@, pkg-perl-autopkgtest
-Test-Command: ./debian/tests/runner runtime-deps
-Depends: @, pkg-perl-autopkgtest, libmouse-perl
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-handler
+Depends: liblemonldap-ng-handler-perl, @builddeps@, pkg-perl-autopkgtest
+
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-portal
+Depends: liblemonldap-ng-portal-perl, @builddeps@, pkg-perl-autopkgtest
+
+Test-Command: ./debian/tests/runner build-deps lemonldap-ng-manager
+Depends: liblemonldap-ng-manager-perl, @builddeps@, pkg-perl-autopkgtest
+
+Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-common
+Depends: liblemonldap-ng-common-perl, pkg-perl-autopkgtest, libmouse-perl
+Restrictions: superficial, skippable
+
+# Disable this one: skipped
+#Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-handler
+#Depends: liblemonldap-ng-handler-perl, pkg-perl-autopkgtest, libmouse-perl
+#Restrictions: superficial, skippable
+
+Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-portal
+Depends: liblemonldap-ng-portal-perl, pkg-perl-autopkgtest, libmouse-perl
+Restrictions: superficial, skippable
+
+Test-Command: ./debian/tests/runner runtime-deps lemonldap-ng-manager
+Depends: liblemonldap-ng-manager-perl, pkg-perl-autopkgtest, libmouse-perl
+Restrictions: superficial, skippable
# Use pkg-perl-autopkgtest test for runtime-deps-and-recommends
# Some portal suggested dependencies are added here
Test-Command: /usr/share/pkg-perl-autopkgtest/runner runtime-deps-and-recommends
Depends: @, @builddeps@, pkg-perl-autopkgtest, libyaml-perl, liblog-log4perl-perl, libauthen-pam-perl, libauthen-radius-perl, libweb-id-perl
+Restrictions: superficial
#Test-Command: ./debian/tests/runner heavy-deps
#Depends: @, pkg-perl-autopkgtest, pkg-perl-autopkgtest-heavy, libmouse-perl
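Review bot: the disabled `runtime-deps lemonldap-ng-handler` stanza says only `skipped` and gives no reason; recording why it is skipped and what would allow re-enabling it keeps it from being forgotten. The new build-deps stanzas also drop the `libmouse-perl` that the old ones listed, while the runtime-deps stanzas keep it; if `@builddeps@` already provides it that is fine, otherwise it should be restored so the build-deps runs do not fail on a missing module.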
diff --git a/debian/tests/runner b/debian/tests/runner
index 553b39e28..e61c8f46d 100755
--- a/debian/tests/runner
+++ b/debian/tests/runner
@@ -10,8 +10,12 @@ TESTDIR=${BASE}/${TYPE}.d
LLSOURCEDIR=`pwd`
+LIST=$2
+
+test "$LIST" == "" 2>/dev/null && LIST=lemonldap-ng-*
+
EXITCODE=0
-for LLLIB in lemonldap-ng-*; do
+for LLLIB in $LIST; do
mkdir -p $LLSOURCEDIR/$LLLIB/debian/tests/pkg-perl
for llfile in debian/tests/pkg-perl/${LLLIB}*; do
if [ -r $llfile ]; then
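Review bot: `test "$LIST" == ""` uses the bashism `==`; when the runner is executed by dash, its `test` rejects the operator with "unexpected operator" (presumably what the `2>/dev/null` hides), and since that exits non-zero the `&&` assignment never runs and the loop iterates over nothing. Use the POSIX form `[ -z "$LIST" ] && LIST=lemonldap-ng-*` (or `LIST=${2:-lemonldap-ng-*}`) so the default works under /bin/sh; every stanza in debian/tests/control currently passes a second argument, so the bug would only surface when the runner is invoked by hand without one.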