
Bug#927425: marked as done (unblock: gosa/2.7.4+reloaded3-8)



Your message dated Sat, 20 Apr 2019 18:05:00 +0000
with message-id <01f14516-13b7-9c2b-c1fe-8617b16a887f@thykier.net>
and subject line Re: Bug#927425: unblock: gosa/2.7.4+reloaded3-8
has caused the Debian Bug report #927425,
regarding unblock: gosa/2.7.4+reloaded3-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
927425: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927425
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package gosa

+  * debian/patches:
+    + Add 1043_smarty-add-on-function-param-types.patch. Fix missing
+      password field, caused by PHP error "parameter 2 expected to be a
+      reference, value given". This happened due to mismatching parameter
+      types whenever the smarty3 template rendering engine called gosa's
+      (slightly not-compliant anymore) smartyAddon functions. (Closes:
+      #918578). The patch also brings some smartyAddon hygiene for
+      the {render} block and the not-used-anymore {tr} block.

-> RC bug, a missing password field on the login page makes gosa unusable.

+    + Add 1044_crypto-transition-without-mcrypt.patch. Make
+      gosa-mcrypt-to-openssl-passwords script independent from php-mcrypt,
+      and thus make it work with Debian buster's php7.3. (Closes: #925138).

-> RC bug, now gosa can be upgraded from stretch -> buster and crypto-transition can happen in buster.

See also: #927306.

+    + Update 1026_fix-deprecated-constructor-format.patch. Drop an
+      unwanted find+replace artefact in class_userFilter.

Regression fix of an earlier applied patch.

+    + Add 1045_dont_use_filter_caching.patch. Disable filter caching via
+      $_SESSION. The filter caching mechanism stores PHP object in ; since
+      php7.0 this has lead to all sorts of unexpected results and flawed
+      rendering of class_management based listings. (Closes: #907815).

-> important bug (in fact possibly a security issue).

+  * debian/control:
+    + Bump Standards-Version: to 4.3.0. No changes needed.

-> some additional formalism

unblock gosa/2.7.4+reloaded3-8

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-2-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru gosa-2.7.4+reloaded3/debian/changelog gosa-2.7.4+reloaded3/debian/changelog
--- gosa-2.7.4+reloaded3/debian/changelog	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/changelog	2019-04-19 15:24:14.000000000 +0200
@@ -1,3 +1,27 @@
+gosa (2.7.4+reloaded3-8) unstable; urgency=medium
+
+  * debian/patches:
+    + Add 1043_smarty-add-on-function-param-types.patch. Fix missing
+      password field, caused by PHP error "parameter 2 expected to be a
+      reference, value given". This happened due to mismatching parameter
+      types whenever the smarty3 template rendering engine called gosa's
+      (slightly not-compliant anymore) smartyAddon functions. (Closes:
+      #918578). The patch also brings some smartyAddon hygiene for
+      the {render} block and the not-used-anymore {tr} block.
+    + Add 1044_crypto-transition-without-mcrypt.patch. Make
+      gosa-mcrypt-to-openssl-passwords script independent from php-mcrypt,
+      and thus make it work with Debian buster's php7.3. (Closes: #925138).
+    + Update 1026_fix-deprecated-constructor-format.patch. Drop an
+      unwanted find+replace artefact in class_userFilter.
+    + Add 1045_dont_use_filter_caching.patch. Disable filter caching via
+      $_SESSION. The filter caching mechanism stores PHP object in ; since
+      php7.0 this has lead to all sorts of unexpected results and flawed
+      rendering of class_management based listings. (Closes: #907815).
+  * debian/control:
+    + Bump Standards-Version: to 4.3.0. No changes needed.
+
+ -- Mike Gabriel <sunweaver@debian.org>  Fri, 19 Apr 2019 15:24:14 +0200
+
 gosa (2.7.4+reloaded3-7) unstable; urgency=medium
 
   [ Mike Gabriel ]
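Review bot: In the 1045 entry of the new changelog stanza, the sentence "The filter caching mechanism stores PHP object in ; since" has lost the word after "in", so the entry does not say where the objects are stored. Presumably this is the $_SESSION named in the previous sentence and in the patch's own Description; please restore it, and change "has lead" to "has led" while touching the line.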
diff -Nru gosa-2.7.4+reloaded3/debian/control gosa-2.7.4+reloaded3/debian/control
--- gosa-2.7.4+reloaded3/debian/control	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/control	2019-04-19 15:24:14.000000000 +0200
@@ -9,7 +9,7 @@
  debhelper (>= 11~),
 Build-Depends-Indep:
  po-debconf,
-Standards-Version: 4.2.0
+Standards-Version: 4.3.0
 Homepage: https://oss.gonicus.de/labs/gosa/
 Vcs-Git: https://salsa.debian.org/debian-edu-pkg-team/gosa.git
 Vcs-Browser: https://salsa.debian.org/debian-edu-pkg-team/gosa
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch
--- gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1026_fix-deprecated-constructor-format.patch	2019-04-19 15:22:28.000000000 +0200
@@ -699,23 +699,6 @@
      $this->dn= $dn;
 --- a/gosa-core/include/class_userFilter.inc
 +++ b/gosa-core/include/class_userFilter.inc
-@@ -16,13 +16,13 @@
-    */
-   static function userFilteringAvailable()
-   {
--    if(!session::is_set('userFilter::userFilteringAvailable')){
-+    if(!session::is_set('userFilter::__constructingAvailable')){
-       global $config;
-       $ldap = $config->get_ldap_link();
-       $ocs = $ldap->get_objectclasses();
--      session::set('userFilter::userFilteringAvailable', isset($ocs['gosaProperties']));
-+      session::set('userFilter::__constructingAvailable', isset($ocs['gosaProperties']));
-     }
--    return(session::get('userFilter::userFilteringAvailable'));
-+    return(session::get('userFilter::__constructingAvailable'));
-   }
-   
-  
 @@ -32,7 +32,7 @@
    {
      // Initialize this plugin with the users dn to gather user defined filters.
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch
--- gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch	1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1043_smarty-add-on-function-param-types.patch	2019-04-19 15:22:28.000000000 +0200
@@ -0,0 +1,91 @@
+Description: Use correct smarty3 API.
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+Forwarded: https://github.com/gosa-project/gosa-core/pull/25
+Abstract.
+ For the {render} add-on block, drop the &$smarty reference parameter
+ entirely.
+ .
+ Drop the complete {tr} add-on block. Not registered as a plugin, not
+ used.
+ .
+ For the add-on image and add-on factory functions, switch from
+ reference &$smarty to value $smarty.
+
+--- a/gosa-core/include/smartyAddons/block.render.php
++++ b/gosa-core/include/smartyAddons/block.render.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_block_render($params, $text, &$smarty)
++function smarty_block_render($params, $text)
+ {
+ 	/* Skip closing tag </render> */	
+ 	if(empty($text)) {
+--- a/gosa-core/include/smartyAddons/block.tr.php
++++ /dev/null
+@@ -1,25 +0,0 @@
+-<?php
+-function smarty_block_tr($params, $text, &$smarty)
+-{
+-    $plugin = "";
+-    if(!isset($params['domain'])){
+-        if(strlen($text) != 0){
+-            $trace = debug_backtrace();
+-            $base = preg_replace("/\/html/","",getcwd());
+-            foreach($trace as $t_entry){
+-                if(preg_match("/^".preg_quote($base,'/')."\/plugins\//", $t_entry['file'])){
+-                    $plugin = preg_replace("/^".preg_quote($base,'/')."\/plugins\/([^\/]*).*$/", "\\1", $t_entry['file']);
+-                    break;
+-                }
+-            }
+-        }
+-    }
+-  
+- 
+-    if($plugin != ""){ 
+-        return(dgettext($plugin, $text));
+-    }
+-    return(gettext($text));
+-}
+-
+-?>
+--- a/gosa-core/include/smartyAddons/function.factory.php
++++ b/gosa-core/include/smartyAddons/function.factory.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_function_factory($params, &$smarty)
++function smarty_function_factory($params, $smarty)
+ {
+ 
+     // Capture params
+--- a/gosa-core/include/smartyAddons/function.image.php
++++ b/gosa-core/include/smartyAddons/function.image.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_function_image($params, &$smarty)
++function smarty_function_image($params, $smarty)
+ {
+   $path = (isset($params['path']))? $params['path'] :"";
+   $action = (isset($params['action']))? $params['action'] :"";
+--- a/gosa-core/include/smartyAddons/function.msgPool.php
++++ b/gosa-core/include/smartyAddons/function.msgPool.php
+@@ -1,6 +1,6 @@
+ <?php
+ 
+-function smarty_function_msgPool($params, &$smarty)
++function smarty_function_msgPool($params, $smarty)
+ {
+ 	if(class_available("msgPool") && isset($params['type'])){
+ 		$parameter = array();
+--- a/gosa-core/include/php_setup.inc
++++ b/gosa-core/include/php_setup.inc
+@@ -317,7 +317,6 @@
+     if(preg_match("/\.php$/", $file)) require_once("$BASE_DIR/include/smartyAddons/{$file}");
+ }
+ 
+-#$smarty->registerPlugin("block", "tr", "smarty_block_tr");
+ $smarty->registerPlugin("block", "t", "smarty_block_t");
+ $smarty->registerPlugin("block", "render", "smarty_block_render");
+ $smarty->registerPlugin("function", "msgPool", "smarty_function_msgPool");
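Review bot: The Abstract says only the add-on image and factory functions switch from &$smarty to $smarty, but the patch makes the same change to smarty_function_msgPool in function.msgPool.php; list it in the header so the description matches the diff. The header line "Abstract." ends in a period where 1045 uses "Abstract:", so use the colon form consistently. For block.render.php, dropping the third parameter is only safe if the function body never reads $smarty, which the context lines shown here do not establish; worth confirming before upload.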
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch
--- gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch	1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1044_crypto-transition-without-mcrypt.patch	2019-04-19 15:22:28.000000000 +0200
@@ -0,0 +1,17 @@
+Description: No need to let this script depend on php-mcrypt
+Author: Dominik George <natureshadow@debian.org>
+Forwarded: https://github.com/gosa-project/gosa-core/pull/27
+
+--- a/gosa-core/bin/gosa-mcrypt-to-openssl-passwords
++++ b/gosa-core/bin/gosa-mcrypt-to-openssl-passwords
+@@ -25,9 +25,7 @@
+ }
+ 
+ function cred_decrypt($input, $password) {
+-  $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
+-  $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
+-  return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING, $iv ), "\0\3\4\n");
++  return rtrim(@openssl_decrypt( pack("H*", $input), "aes-256-ecb" , $password, OPENSSL_RAW_DATA | OPENSSL_ZERO_PADDING ), "\0\3\4\n");
+ }
+ 
+ 
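Review bot: In cred_decrypt the "@" in front of openssl_decrypt is kept, so a failed decryption (openssl_decrypt returns false) is silenced and rtrim() turns it into an empty string that the caller cannot tell apart from an empty plaintext. Dropping the unused $iv is right, since ECB mode takes no IV, but consider testing the return value with === false and reporting the failing entry instead of suppressing the error. The rtrim character list "\0\3\4\n" also removes a genuine trailing newline or control byte from a credential; a short comment explaining why those bytes are treated as padding would help the next reader.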
diff -Nru gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch
--- gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch	1970-01-01 01:00:00.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/1045_dont_use_filter_caching.patch	2019-04-19 15:22:28.000000000 +0200
@@ -0,0 +1,27 @@
+Description: Disable flawed filter caching (which works via storing unserialized objects in $_SESSION)
+Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+Forwarded: https://github.com/gosa-project/gosa-core/issues/28
+Abstract:
+ All required information is in the above upstream bug report.
+ .
+ This patch has work-around status. It is no proper solution.
+
+--- a/gosa-core/include/class_management.inc
++++ b/gosa-core/include/class_management.inc
+@@ -131,7 +131,15 @@
+     $this->registerAction("cancelFilter","cancelFilter");
+ 
+     // To temporay disable the filter caching UNcomment this line.
+-    #session::global_un_set(get_class($this)."_filter");
++
++    /*
++     * As a work-around for flawed object storage in the PHP $_SESSION array
++     * the filter caching has been deactivated since gosa 2.7.4+reloaded3-8.
++     *
++     * See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=907815#31 for
++     * details.
++     */
++    session::global_un_set(get_class($this)."_filter");
+   }
+ 
+   
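Review bot: The retained comment "To temporay disable the filter caching UNcomment this line." now sits above a line that is permanently active, so it describes the opposite of the current state; remove or reword it (and fix "temporay") so the new block comment is the only explanation. The unblock request calls this possibly a security issue, yet the patch header only says "All required information is in the above upstream bug report"; one sentence in the Abstract stating what goes wrong when objects are cached in $_SESSION would make the work-around reviewable without following the link.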
diff -Nru gosa-2.7.4+reloaded3/debian/patches/series gosa-2.7.4+reloaded3/debian/patches/series
--- gosa-2.7.4+reloaded3/debian/patches/series	2018-12-12 16:52:38.000000000 +0100
+++ gosa-2.7.4+reloaded3/debian/patches/series	2019-04-19 15:22:28.000000000 +0200
@@ -60,3 +60,6 @@
 1041_ref_param_error_in_My_Parser.patch
 1042_add_option_to_disable_autocomplete.patch
 0014_latest-gosa-conf.patch
+1043_smarty-add-on-function-param-types.patch
+1044_crypto-transition-without-mcrypt.patch
+1045_dont_use_filter_caching.patch

--- End Message ---
--- Begin Message ---
Mike Gabriel:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package gosa
> 
> [...]
> 
> unblock gosa/2.7.4+reloaded3-8
> 
> [...]
> 

Unblocked, thanks.
~Niels

--- End Message ---
