Merge ~ahasenack/ubuntu/+source/openldap:eoan-openldap-crash-1866303 into ubuntu/+source/openldap:ubuntu/eoan-devel

Proposed by Andreas Hasenack
Status: Merged
Approved by: Andreas Hasenack
Approved revision: 4c5ecabfab50cad1d6501e015f6dd31d07f41e43
Merged at revision: a986a6dfaabcb75ca0fbd7f923a0807b3fac63da
Proposed branch: ~ahasenack/ubuntu/+source/openldap:eoan-openldap-crash-1866303
Merge into: ubuntu/+source/openldap:ubuntu/eoan-devel
Diff against target: 93 lines (+54/-1)
4 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+13/-0)
debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  Approve
Canonical Server Team Pending
Review via email: mp+386703@code.launchpad.net

Description of the change

Previously applied to focal, now it's time to SRU the fix to the other Ubuntu releases.

The bug contains the SRU template, and testing instructions. The patch is the same one used for focal.

I know eoan is EOL this month, but we had this patch available for a while now and it's easy enough to include and test. While the original bug was open, we already dropped disco, so let's keep eoan at least if you agree.

PPA for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/openldap-crash-1866303

Christian Ehrhardt  (paelzer) wrote :

I'd have complained about a miss in dep-3 headers, but I can second the approach to take the patch exactly as it got into 2.4.49+dfsg-2 since it applies as-is.

Got into Ubuntu with 2.4.49+dfsg-2ubuntu1 = >=Focal, so that is also ok.

Changelog ok, SRU Template ok.

+1 overall

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, tagging and uploading 4c5ecabfab50cad1d6501e015f6dd31d07f41e43

$ git push pkg upload/2.4.48+dfsg-1ubuntu1.2
Enumerating objects: 16, done.
Counting objects: 100% (16/16), done.
Delta compression using up to 4 threads
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.00 KiB | 107.00 KiB/s, done.
Total 11 (delta 7), reused 1 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 * [new tag] upload/2.4.48+dfsg-1ubuntu1.2 -> upload/2.4.48+dfsg-1ubuntu1.2

$ dput ubuntu ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.dsc: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.debian.tar.xz: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.buildinfo: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

This wasn't accepted in -unapproved yet.
There also are accepted but not yet sponsored MPs for bug 1557157.
Could you combine the SRU cycle for this with an upload combining the two?

Andreas Hasenack (ahasenack) wrote :

I asked for this to be rejected from unapproved, and prepared a new one containing Sergio's fix. Just waiting for eoan to finish testing, since Sergio hadn't planned for an eoan SRU.

Andreas Hasenack (ahasenack) wrote :

Bileto green.

Tagging and uploading a986a6dfaabcb75ca0fbd7f923a0807b3fac63da from https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+ref/eoan-openldap-crash-1866303

$ git push pkg upload/2.4.48+dfsg-1ubuntu1.2 -f
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 4 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.19 KiB | 1.19 MiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 + a62d72e2dc...69064dc7a6 upload/2.4.48+dfsg-1ubuntu1.2 -> upload/2.4.48+dfsg-1ubuntu1.2 (forced update)

$ dput -f ubuntu ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.dsc: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.debian.tar.xz: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.buildinfo: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: done.
Successfully uploaded packages.

(with -f because of the previous upload, which was rejected)

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index 793fa7b..9e1070f 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -1,5 +1,5 @@
6 # vim:syntax=apparmor
7-# Last Modified: Fri Jan 4 15:18:13 2008
8+# Last Modified: Fri Jun 6 13:51:00 2020
9 # Author: Jamie Strandboge <jamie@ubuntu.com>
10
11 #include <tunables/global>
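Review bot: the new "Last Modified" comment in the profile header reads "Fri Jun 6 13:51:00 2020", but 6 June 2020 was a Saturday, so the weekday and date do not agree. Either correct the weekday or regenerate the timestamp when the profile is touched, so the header can be trusted when someone later tries to date the change.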
12@@ -49,6 +49,7 @@
13 /{,var/}run/slapd/* w,
14 /{,var/}run/slapd/ldapi rw,
15 /{,var/}run/nslcd/socket rw,
16+ /{,var/}run/saslauthd/mux rw,
17
18 /usr/lib/ldap/ r,
19 /usr/lib/ldap/* mr,
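Review bot: the added rule "/{,var/}run/saslauthd/mux rw," at the end of the socket list has no comment saying why slapd needs it, which makes the profile harder to audit later. A one-line comment above it, for example "# SASL authentication via saslauthd (LP: #1557157)", would record the reason. The rule itself is scoped to the single mux socket rather than the whole saslauthd directory, which is the right granularity.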
20diff --git a/debian/changelog b/debian/changelog
21index 77a1b60..6782535 100644
22--- a/debian/changelog
23+++ b/debian/changelog
24@@ -1,3 +1,16 @@
25+openldap (2.4.48+dfsg-1ubuntu1.2) eoan; urgency=medium
26+
27+ [ Andreas Hasenack ]
28+ * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
29+ patch to fix slapd crashing in certain configurations when a client
30+ attempts a login to a locked account. (LP: #1866303)
31+
32+ [ Sergio Durigan Junior ]
33+ * d/apparmor-profile: Update apparmor profile to grant access to
34+ the saslauthd socket, so that SASL authentication works. (LP: #1557157)
35+
36+ -- Andreas Hasenack <andreas@canonical.com> Wed, 01 Jul 2020 16:43:06 -0300
37+
38 openldap (2.4.48+dfsg-1ubuntu1.1) eoan-security; urgency=medium
39
40 * SECURITY UPDATE: denial of service via nested search filters
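Review bot: the ITS-9171 entry says slapd crashes "in certain configurations" without naming them. The imported patch only changes servers/slapd/overlays/ppolicy.c, so the entry could say that the ppolicy overlay is involved, which lets an administrator reading the changelog tell whether their deployment is affected by LP: #1866303.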
41diff --git a/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch b/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch
42new file mode 100644
43index 0000000..deb5418
44--- /dev/null
45+++ b/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch
46@@ -0,0 +1,38 @@
47+From 0f106b550ebc226f788ea1c1a87bc27a84f98e90 Mon Sep 17 00:00:00 2001
48+From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
49+Date: Fri, 21 Feb 2020 10:26:53 +0000
50+Subject: [PATCH] ITS#9171 Insert callback in the right place
51+
52+---
53+ servers/slapd/overlays/ppolicy.c | 6 ++----
54+ 1 file changed, 2 insertions(+), 4 deletions(-)
55+
56+diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
57+index a8f8f3073..3c12024bd 100644
58+--- a/servers/slapd/overlays/ppolicy.c
59++++ b/servers/slapd/overlays/ppolicy.c
60+@@ -1323,9 +1323,8 @@ ppolicy_bind( Operation *op, SlapReply *rs )
61+ /* Setup a callback so we can munge the result */
62+
63+ cb->sc_response = ppolicy_bind_response;
64+- cb->sc_next = op->o_callback->sc_next;
65+ cb->sc_private = ppb;
66+- op->o_callback->sc_next = cb;
67++ overlay_callback_after_backover( op, cb, 1 );
68+
69+ /* Did we receive a password policy request control? */
70+ if ( op->o_ctrlflag[ppolicy_cid] ) {
71+@@ -1469,9 +1468,8 @@ ppolicy_compare(
72+ /* Setup a callback so we can munge the result */
73+
74+ cb->sc_response = ppolicy_compare_response;
75+- cb->sc_next = op->o_callback->sc_next;
76+ cb->sc_private = ppb;
77+- op->o_callback->sc_next = cb;
78++ overlay_callback_after_backover( op, cb, 1 );
79+
80+ op->o_bd->bd_info = (BackendInfo *)on;
81+ ppolicy_get( op, e, &ppb->pp );
82+--
83+2.20.1
84+
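Review bot: the new patch file has no DEP-3 headers and an empty commit message body after the Subject line, so nothing inside the file links it to LP: #1866303 or explains the literal third argument "1" passed to overlay_callback_after_backover() in ppolicy_bind() and ppolicy_compare(). Adding Origin, Bug and Bug-Ubuntu fields (upstream commit 0f106b550ebc226f788ea1c1a87bc27a84f98e90, ITS#9171, the Launchpad bug) would fix the traceability gap, unless keeping the file identical to the one shipped in 2.4.49+dfsg-2 is the priority, in which case say so in the changelog.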
85diff --git a/debian/patches/series b/debian/patches/series
86index d4506cf..870630a 100644
87--- a/debian/patches/series
88+++ b/debian/patches/series
89@@ -23,3 +23,4 @@ set-maintainer-name
90 no-gnutls_global_set_mutex
91 fix-ldap-distribution.patch
92 CVE-2020-12243.patch
93+ITS-9171-Insert-callback-in-the-right-place.patch
