Bug#988607: marked as done (unblock: openldap/2.4.57+dfsg-3)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Tue, 18 May 2021 18:37:00 +0000
with message-id <E1lj4aS-0002WO-FW@respighi.debian.org>
and subject line unblock openldap
has caused the Debian Bug report #988607,
regarding unblock: openldap/2.4.57+dfsg-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988607: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988607
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: openldap/2.4.57+dfsg-3
• From: Ryan Tandy <ryan@nardis.ca>
• Date: Sun, 16 May 2021 13:42:12 -0700
• Message-id: <[🔎] 20210516204212.GA5118@t570.nardis.ca>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package openldap

[ Reason ]

Fix bug #988565: slapd-smbk5pwd crashes when initializing Kerberos.

smbk5pwd is a contributed plugin for slapd. It extends LDAP password change operations to also update the attributes used by Samba and Heimdal when their databases are stored in the LDAP directory.

At some point slapd picked up a transitive dependency on libkrb5-3 (via libwrap0). This caused the crash because at runtime smbk5pwd would call the MIT implementation of krb5_init_context and then pass the same context to Heimdal functions.

The two libkrb5 implementations do use symbol versioning, however, smbk5pwd contained references to the bare/unversioned symbols because it was not linking -lkrb5.

The fix is just to add -lkrb5 to the link line for smbk5pwd, which lets it correctly use the versioned symbols such as "krb5_init_context@HEIMDAL_KRB5_2.0". The symbols can be manually inspected via "nm -D /usr/lib/ldap/smbk5pwd.so".

One of the changed lines also occurs as context in another patch, which had to be refreshed to avoid fuzz.

[ Impact ]

slapd crashes on startup, if the smbk5pwd plugin is loaded and its Heimdal integration is enabled. Regression since it works in buster.

[ Tests ]

Upstream has an extensive test suite which runs at build time, however it does not cover the contrib modules such as smbk5pwd.

There is a superficial autopkgtest, which only tests whether the core slapd runs and answers a trivial query.

I manually tested the smbk5pwd plugin with the Samba and Kerberos integrations enabled.

[ Risks ]

I think this is a low risk change. The contrib modules each have their own individual build systems, so the change only affects the smbk5pwd Makefile and not any other component. It should be impossible for this change to impact any core component such as libldap or slapd.

[ Checklist ]

 [✓] all changes are documented in the d/changelog
 [✓] I reviewed all changes and I approve them
 [✓] attach debdiff against the package in testing

unblock openldap/2.4.57+dfsg-3

Thank you,
Ryan

diff -Nru openldap-2.4.57+dfsg/debian/changelog openldap-2.4.57+dfsg/debian/changelog
--- openldap-2.4.57+dfsg/debian/changelog	2021-02-14 09:26:41.000000000 -0800
+++ openldap-2.4.57+dfsg/debian/changelog	2021-05-15 16:03:34.000000000 -0700
@@ -1,3 +1,9 @@
+openldap (2.4.57+dfsg-3) unstable; urgency=medium
+
+  * Link smbk5pwd with -lkrb5. (Closes: #988565)
+
+ -- Ryan Tandy <ryan@nardis.ca>  Sat, 15 May 2021 16:03:34 -0700
+
 openldap (2.4.57+dfsg-2) unstable; urgency=medium
 
   * Fix slapd assertion failure in Certificate List Exact Assertion validation
diff -Nru openldap-2.4.57+dfsg/debian/patches/contrib-makefiles openldap-2.4.57+dfsg/debian/patches/contrib-makefiles
--- openldap-2.4.57+dfsg/debian/patches/contrib-makefiles	2021-02-14 09:26:41.000000000 -0800
+++ openldap-2.4.57+dfsg/debian/patches/contrib-makefiles	2021-05-15 16:03:34.000000000 -0700
@@ -76,8 +76,8 @@
  
 -HEIMDAL_INC = -I/usr/heimdal/include
 -HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
-+HEIMDAL_INC = $(shell krb5-config.heimdal --cflags kadm-server)
-+HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags krb5 kadm-server)
++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
  
  LIBTOOL = $(LDAP_BUILD)/libtool
  CC = gcc
diff -Nru openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage
--- openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage	2021-02-14 09:26:41.000000000 -0800
+++ openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage	2021-05-15 16:03:34.000000000 -0700
@@ -18,7 +18,7 @@
 --- a/contrib/slapd-modules/smbk5pwd/Makefile
 +++ b/contrib/slapd-modules/smbk5pwd/Makefile
 @@ -25,6 +25,7 @@
- HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
+ HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
  
  LIBTOOL = $(LDAP_BUILD)/libtool
 +INSTALL = /usr/bin/install

--- End Message ---

--- Begin Message ---

• To: 988607-done@bugs.debian.org
• Subject: unblock openldap
• From: Sebastian Ramacher <sramacher@respighi.debian.org>
• Date: Tue, 18 May 2021 18:37:00 +0000
• Message-id: <E1lj4aS-0002WO-FW@respighi.debian.org>

Unblocked.

--- End Message ---