Merge ~ahasenack/ubuntu/+source/openldap:bionic-openldap-crash-1866303 into ubuntu/+source/openldap:ubuntu/bionic-devel

Proposed by Andreas Hasenack on 2020-07-01
Status: Merged
Approved by: Andreas Hasenack on 2020-07-02
Approved revision: 0479a28d1ecaaa8c6ac86b9e79b78830252f03cd
Merged at revision: da832fe829fc764ad3f2e9e10d9e34205e0ac41c
Proposed branch: ~ahasenack/ubuntu/+source/openldap:bionic-openldap-crash-1866303
Merge into: ubuntu/+source/openldap:ubuntu/bionic-devel
Diff against target: 93 lines (+54/-1)
4 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+13/-0)
debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  2020-07-01 Approve on 2020-07-02
Canonical Server Team 2020-07-01 Pending
Review via email: mp+386702@code.launchpad.net

Description of the change

Previously applied to focal, now it's time to SRU the fix to the other ubuntu releases.

The bug contains the SRU template, and testing instructions. The patch is the same one used for focal.

PPA for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/openldap-crash-1866303

To post a comment you must log in.
Christian Ehrhardt  (paelzer) wrote :

Reviewed in more detail in the Eoan MP, same change here and CL difference is ok.
+1

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, tagging and uploading 0479a28d1ecaaa8c6ac86b9e79b78830252f03cd

$ git push pkg upload/2.4.45+dfsg-1ubuntu1.6
Enumerating objects: 16, done.
Counting objects: 100% (16/16), done.
Delta compression using up to 4 threads
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.00 KiB | 120.00 KiB/s, done.
Total 11 (delta 7), reused 1 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 * [new tag] upload/2.4.45+dfsg-1ubuntu1.6 -> upload/2.4.45+dfsg-1ubuntu1.6

$ dput ubuntu ../openldap_2.4.45+dfsg-1ubuntu1.6_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.45+dfsg-1ubuntu1.6_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.45+dfsg-1ubuntu1.6.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.45+dfsg-1ubuntu1.6.dsc: done.
  Uploading openldap_2.4.45+dfsg-1ubuntu1.6.debian.tar.xz: done.
  Uploading openldap_2.4.45+dfsg-1ubuntu1.6_source.buildinfo: done.
  Uploading openldap_2.4.45+dfsg-1ubuntu1.6_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

1557157

Christian Ehrhardt  (paelzer) wrote :

This wasn't accepted in -unapproved yet.
There also are accepted but not yet sponsored MPs for bug 1557157.
Could you combine the SRU cycle for this with an upload combining the two?

Andreas Hasenack (ahasenack) wrote :

I asked for it to be rejected from unapproved, and I included sergio's fix in a new upload.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index 793fa7b..9e1070f 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -1,5 +1,5 @@
6 # vim:syntax=apparmor
7-# Last Modified: Fri Jan 4 15:18:13 2008
8+# Last Modified: Fri Jun 6 13:51:00 2020
9 # Author: Jamie Strandboge <jamie@ubuntu.com>
10
11 #include <tunables/global>
12@@ -49,6 +49,7 @@
13 /{,var/}run/slapd/* w,
14 /{,var/}run/slapd/ldapi rw,
15 /{,var/}run/nslcd/socket rw,
16+ /{,var/}run/saslauthd/mux rw,
17
18 /usr/lib/ldap/ r,
19 /usr/lib/ldap/* mr,
20diff --git a/debian/changelog b/debian/changelog
21index ae9f218..27a22f9 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,16 @@
25+openldap (2.4.45+dfsg-1ubuntu1.6) bionic; urgency=medium
26+
27+ [ Andreas Hasenack ]
28+ * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
29+ patch to fix slapd crashing in certain configurations when a client
30+ attempts a login to a locked account. (LP: #1866303)
31+
32+ [ Sergio Durigan Junior ]
33+ * d/apparmor-profile: Update apparmor profile to grant access to
34+ the saslauthd socket, so that SASL authentication works. (LP: #1557157)
35+
36+ -- Andreas Hasenack <andreas@canonical.com> Wed, 01 Jul 2020 16:38:55 -0300
37+
38 openldap (2.4.45+dfsg-1ubuntu1.5) bionic-security; urgency=medium
39
40 * SECURITY UPDATE: denial of service via nested search filters
41diff --git a/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch b/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch
42new file mode 100644
43index 0000000..deb5418
44--- /dev/null
45+++ b/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch
46@@ -0,0 +1,38 @@
47+From 0f106b550ebc226f788ea1c1a87bc27a84f98e90 Mon Sep 17 00:00:00 2001
48+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
49+Date: Fri, 21 Feb 2020 10:26:53 +0000
50+Subject: [PATCH] ITS#9171 Insert callback in the right place
51+
52+---
53+ servers/slapd/overlays/ppolicy.c | 6 ++----
54+ 1 file changed, 2 insertions(+), 4 deletions(-)
55+
56+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
57+index a8f8f3073..3c12024bd 100644
58+--- a/servers/slapd/overlays/ppolicy.c
59++++ b/servers/slapd/overlays/ppolicy.c
60+@@ -1323,9 +1323,8 @@ ppolicy_bind( Operation *op, SlapReply *rs )
61+ /* Setup a callback so we can munge the result */
62+
63+ cb->sc_response = ppolicy_bind_response;
64+- cb->sc_next = op->o_callback->sc_next;
65+ cb->sc_private = ppb;
66+- op->o_callback->sc_next = cb;
67++ overlay_callback_after_backover( op, cb, 1 );
68+
69+ /* Did we receive a password policy request control? */
70+ if ( op->o_ctrlflag[ppolicy_cid] ) {
71+@@ -1469,9 +1468,8 @@ ppolicy_compare(
72+ /* Setup a callback so we can munge the result */
73+
74+ cb->sc_response = ppolicy_compare_response;
75+- cb->sc_next = op->o_callback->sc_next;
76+ cb->sc_private = ppb;
77+- op->o_callback->sc_next = cb;
78++ overlay_callback_after_backover( op, cb, 1 );
79+
80+ op->o_bd->bd_info = (BackendInfo *)on;
81+ ppolicy_get( op, e, &ppb->pp );
82+--
83+2.20.1
84+
85diff --git a/debian/patches/series b/debian/patches/series
86index 3e3b889..539e3d3 100644
87--- a/debian/patches/series
88+++ b/debian/patches/series
89@@ -34,3 +34,4 @@ CVE-2019-13057-4.patch
90 CVE-2019-13565.patch
91 rwm-do-not-free-original-filter.patch
92 CVE-2020-12243.patch
93+ITS-9171-Insert-callback-in-the-right-place.patch

Subscribers

People subscribed via source and target branches