Merge ~ahasenack/ubuntu/+source/libpam-ccreds:artful-libpam-ccreds-init-gcrypt-869166 into ~usd-import-team/ubuntu/+source/libpam-ccreds:ubuntu/devel

Proposed by Andreas Hasenack on 2017-07-20
Status: Merged
Merge reported by: Robie Basak
Merged at revision: cbc97871de400f6b62af5deaffb59fc174441fb3
Proposed branch: ~ahasenack/ubuntu/+source/libpam-ccreds:artful-libpam-ccreds-init-gcrypt-869166
Merge into: ~usd-import-team/ubuntu/+source/libpam-ccreds:ubuntu/devel
Diff against target: 76 lines (+43/-1)
4 files modified
debian/changelog (+7/-0)
debian/control (+2/-1)
debian/patches/0003-initialize-libgcrypt.patch (+33/-0)
debian/patches/series (+1/-0)
Reviewer | Review Type | Date Requested | Status
Robie Basak | | 2017-07-25 | Approve on 2017-07-28
ChristianEhrhardt | | 2017-07-20 | Approve on 2017-07-21
Review via email: mp+327829@code.launchpad.net

Description of the Change

Initialize libgcrypt before calling any of its functions. The patch was slightly modified by me to check if the library wasn't initialised already using the advice in "2.4 Initializing the library" of the gcrypt info page. Also see https://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html for the same advice.

I forwarded the patch via email to <email address hidden>. The bugzilla link at the bottom of their page just redirects back to the main site.

UPDATE Jul 20th: patch was accepted by upstream: https://github.com/PADL/pam_ccreds/commit/3fa53ee374e4712643f988ef74bd6d52a6fe0c12. Upstream also confirmed via email that the software is essentially unmaintained.

Test instructions:
* in an artful container/kvm, install libpam-ccreds:
$ sudo apt install libpam-ccreds

* in one terminal, tail -f /var/log/syslog

* in another terminal, run:
$ sudo cc_test -store any ubuntu ubuntu
pam_cc_store_credentials: Success

* Observe that the syslog file gets this warning:
Jul 20 19:13:59 artful-ccreds-test cc_test: Libgcrypt warning: missing initialization - please fix the application

* Install the fixed package. Build it yourself and install, or add this ppa (you may have to sudo apt install software-properties-common):
$ sudo add-apt-repository -y -u ppa:ahasenack/pam-ccreds-initialize-gcrypt-869166 && sudo apt install libpam-ccreds

* Rerun the cc_test command. This time there should be no warning in syslog. Also, since you ran this command before with the -store action, you can try it now with the -validate action:
$ sudo cc_test -validate any ubuntu ubuntu
pam_cc_validate_credentials: Success

a82dd90... by Andreas Hasenack on 2017-07-20

update-maintainer

ChristianEhrhardt (paelzer) wrote :

Code, Dep8, Changelog all look good to me.
Thanks for forwarding the change as well.
Finally, I also tested the proposed fix from the ppa, and the fix as well as the steps to trigger were perfect.

Also given the update frequency on this in the past it is unlikely we have to merge this very often. And since Debian knows about the bug all is fine.

Thanks Andreas, approving

review: Approve
cbc9787... by Andreas Hasenack on 2017-07-28

  * d/p/0003-initialize-libgcrypt.patch: updated the DEP3 header noting
    via Applied-Upstream that the patch was accepted.

Robie Basak (racb) wrote :

I appreciate the attention to detail - Debian and Ubuntu bug references in both the changelog and dep3 header, and the descriptive explanation in the patch. Thanks!

review: Approve

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index e13fdae..f72a10d 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,10 @@
6+libpam-ccreds (10-6ubuntu1) artful; urgency=medium
7+
8+ * debian/patches/0003-initialize-libgcrypt.patch: Initialize gcrypt
9+ before usage. Closes: #645229, LP: #869166.
10+
11+ -- Andreas Hasenack <andreas@canonical.com> Thu, 20 Jul 2017 14:54:06 -0300
12+
13 libpam-ccreds (10-6build1) vivid; urgency=medium
14
15 * No-change rebuild for the libgcrypt20 transition.
16diff --git a/debian/control b/debian/control
17index 6c70f42..db04d58 100644
18--- a/debian/control
19+++ b/debian/control
20@@ -1,7 +1,8 @@
21 Source: libpam-ccreds
22 Section: admin
23 Priority: extra
24-Maintainer: Guido Günther <agx@sigxcpu.org>
25+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
26+XSBC-Original-Maintainer: Guido Günther <agx@sigxcpu.org>
27 Build-Depends: debhelper (>= 7), autotools-dev, libgcrypt11-dev, libpam0g-dev, libdb-dev, cdbs
28 Standards-Version: 3.8.4
29 Homepage: http://www.padl.com/OSS/pam_ccreds.html
30diff --git a/debian/patches/0003-initialize-libgcrypt.patch b/debian/patches/0003-initialize-libgcrypt.patch
31new file mode 100644
32index 0000000..17bc64e
33--- /dev/null
34+++ b/debian/patches/0003-initialize-libgcrypt.patch
35@@ -0,0 +1,33 @@
36+Description: Initialize gcrypt before usage
37+ Initialize libgcrypt before calling any of its functions. The patch was
38+ slightly modified by Andreas Hasenack to check if the library wasn't
39+ initialized already using the advice in "2.4 Initializing the library" of the
40+ gcrypt info page. Also see
41+ https://lists.gnupg.org/pipermail/gcrypt-devel/2003-August/000458.html for
42+ the same advice.
43+Author: Juha Sahakangas <juhasa+launchpad@gmail.com>
44+Author: Andreas Hasenack <andreas@canonical.com>
45+Bug-Debian: https://bugs.debian.org/645229
46+Bug-Ubuntu: https://launchpad.net/bugs/869166
47+Forwarded: yes, emailed enquiry@padl.com
48+Applied-Upstream: https://github.com/PADL/pam_ccreds/commit/3fa53ee374e4712643f988ef74bd6d52a6fe0c12
49+Last-Update: 2017-07-28
50+
51+--- a/cc_lib.c
52++++ b/cc_lib.c
53+@@ -38,6 +38,15 @@
54+ #ifdef HAVE_OPENSSL_OPENSSLCONF_H
55+ SHA_CTX sha_ctx;
56+ #else
57++ if (!gcry_control (GCRYCTL_ANY_INITIALIZATION_P)) {
58++ if (!gcry_check_version (NULL)) {
59++ syslog (LOG_ERR, "pam_ccreds: failed to initialize libgcrypt");
60++ return PAM_SERVICE_ERR;
61++ }
62++ gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
63++ gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
64++ }
65++
66+ gcry_md_hd_t handle;
67+ #endif
68+ unsigned char T[4];
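Review bot: gcry_control (GCRYCTL_DISABLE_SECMEM, 0) in the block added to cc_lib.c switches off libgcrypt's secure memory with no comment saying why that is acceptable in a credential-caching PAM module. A one-line comment would settle it, for example that only message digests are computed here (the surrounding code declares a gcry_md_hd_t handle) and no secure-memory allocations are requested. Two smaller points on the same block: gcry_check_version (NULL) accepts whatever libgcrypt version happens to be loaded, so passing the minimum version the code was built against would catch a runtime mismatch; and the new if block sits ahead of the gcry_md_hd_t handle declaration, which mixes statements and declarations, so moving the declaration above the if would keep the function clean for pre-C99 compilers and -Wdeclaration-after-statement.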
69diff --git a/debian/patches/series b/debian/patches/series
70index 9ace237..4ae2da6 100644
71--- a/debian/patches/series
72+++ b/debian/patches/series
73@@ -1,2 +1,3 @@
74 0001-make-sure-we-don-t-overflow-the-data-buffer.patch
75 0002-add-minimum_uid-option.patch
76+0003-initialize-libgcrypt.patch
