Merge ~ahasenack/ubuntu/+source/openldap:eoan-openldap-crash-1866303 into ubuntu/+source/openldap:ubuntu/eoan-devel

Proposed by Andreas Hasenack on 2020-07-01
Status: Merged
Approved by: Andreas Hasenack on 2020-07-02
Approved revision: 4c5ecabfab50cad1d6501e015f6dd31d07f41e43
Merged at revision: a986a6dfaabcb75ca0fbd7f923a0807b3fac63da
Proposed branch: ~ahasenack/ubuntu/+source/openldap:eoan-openldap-crash-1866303
Merge into: ubuntu/+source/openldap:ubuntu/eoan-devel
Diff against target: 93 lines (+54/-1)
4 files modified
debian/apparmor-profile (+2/-1)
debian/changelog (+13/-0)
debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch (+38/-0)
debian/patches/series (+1/-0)
Reviewer | Review Type | Date Requested | Status
Christian Ehrhardt | | 2020-07-01 | Approve on 2020-07-02
Canonical Server Team | | 2020-07-01 | Pending
Review via email: mp+386703@code.launchpad.net

Description of the change

Previously applied to focal, now it's time to SRU the fix to the other Ubuntu releases.

The bug contains the SRU template, and testing instructions. The patch is the same one used for focal.

I know eoan is EOL this month, but we had this patch available for a while now and it's easy enough to include and test. While the original bug was open, we already dropped disco, so let's keep eoan at least if you agree.

PPA for testing: https://launchpad.net/~ahasenack/+archive/ubuntu/openldap-crash-1866303

Christian Ehrhardt  (paelzer) wrote :

I'd have complained about a miss in dep-3 headers, but I can second the approach to take the patch exactly as it got into 2.4.49+dfsg-2 since it applies as-is.

Got into Ubuntu with 2.4.49+dfsg-2ubuntu1 = >=Focal, so that is also ok.

Changelog ok, SRU Template ok.

+1 overall

review: Approve
Andreas Hasenack (ahasenack) wrote :

Thanks, tagging and uploading 4c5ecabfab50cad1d6501e015f6dd31d07f41e43

$ git push pkg upload/2.4.48+dfsg-1ubuntu1.2
Enumerating objects: 16, done.
Counting objects: 100% (16/16), done.
Delta compression using up to 4 threads
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.00 KiB | 107.00 KiB/s, done.
Total 11 (delta 7), reused 1 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 * [new tag] upload/2.4.48+dfsg-1ubuntu1.2 -> upload/2.4.48+dfsg-1ubuntu1.2

$ dput ubuntu ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.dsc: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.debian.tar.xz: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.buildinfo: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: done.
Successfully uploaded packages.

Christian Ehrhardt  (paelzer) wrote :

This wasn't accepted in -unapproved yet.
There also are accepted but not yet sponsored MPs for bug 1557157.
Could you combine the SRU cycle for this with an upload combining the two?

Andreas Hasenack (ahasenack) wrote :

I asked for this to be rejected from unapproved, and prepared a new one containing Sergio's fix. Just waiting for eoan to finish testing, since Sergio hadn't planned for an eoan SRU.

Andreas Hasenack (ahasenack) wrote :

Bileto green.

Tagging and uploading a986a6dfaabcb75ca0fbd7f923a0807b3fac63da from https://code.launchpad.net/~ahasenack/ubuntu/+source/openldap/+git/openldap/+ref/eoan-openldap-crash-1866303

$ git push pkg upload/2.4.48+dfsg-1ubuntu1.2 -f
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 4 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.19 KiB | 1.19 MiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/openldap
 + a62d72e2dc...69064dc7a6 upload/2.4.48+dfsg-1ubuntu1.2 -> upload/2.4.48+dfsg-1ubuntu1.2 (forced update)

$ dput -f ubuntu ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes
Checking signature on .changes
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../openldap_2.4.48+dfsg-1ubuntu1.2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.dsc: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2.debian.tar.xz: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.buildinfo: done.
  Uploading openldap_2.4.48+dfsg-1ubuntu1.2_source.changes: done.
Successfully uploaded packages.

(with -f because of the previous upload, which was rejected)

Preview Diff

diff --git a/debian/apparmor-profile b/debian/apparmor-profile
index 793fa7b..9e1070f 100644
--- a/debian/apparmor-profile
+++ b/debian/apparmor-profile
@@ -1,5 +1,5 @@
1# vim:syntax=apparmor1# vim:syntax=apparmor
2# Last Modified: Fri Jan 4 15:18:13 20082# Last Modified: Fri Jun 6 13:51:00 2020
3# Author: Jamie Strandboge <jamie@ubuntu.com>3# Author: Jamie Strandboge <jamie@ubuntu.com>
44
5#include <tunables/global>5#include <tunables/global>
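Review bot: the updated Last Modified header reads "Fri Jun 6 13:51:00 2020", but 6 June 2020 was a Saturday, so the weekday and the date disagree. The line is only a comment and does not change the profile, but correcting it, or dropping the hand-maintained timestamp in favour of debian/changelog, keeps the file's audit trail accurate.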
@@ -49,6 +49,7 @@
49 /{,var/}run/slapd/* w,49 /{,var/}run/slapd/* w,
50 /{,var/}run/slapd/ldapi rw,50 /{,var/}run/slapd/ldapi rw,
51 /{,var/}run/nslcd/socket rw,51 /{,var/}run/nslcd/socket rw,
52 /{,var/}run/saslauthd/mux rw,
5253
53 /usr/lib/ldap/ r,54 /usr/lib/ldap/ r,
54 /usr/lib/ldap/* mr,55 /usr/lib/ldap/* mr,
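Review bot: the new rule "/{,var/}run/saslauthd/mux rw," is added without a comment, so nothing in the profile explains why slapd is allowed to reach the saslauthd socket. A one-line comment above it mentioning SASL authentication and LP: #1557157 would help whoever audits this profile later. The rule is scoped to the single mux socket rather than the whole saslauthd directory, which keeps the grant narrow.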
diff --git a/debian/changelog b/debian/changelog
index 77a1b60..6782535 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,16 @@
1openldap (2.4.48+dfsg-1ubuntu1.2) eoan; urgency=medium
2
3 [ Andreas Hasenack ]
4 * d/p/ITS-9171-Insert-callback-in-the-right-place.patch: Import upstream
5 patch to fix slapd crashing in certain configurations when a client
6 attempts a login to a locked account. (LP: #1866303)
7
8 [ Sergio Durigan Junior ]
9 * d/apparmor-profile: Update apparmor profile to grant access to
10 the saslauthd socket, so that SASL authentication works. (LP: #1557157)
11
12 -- Andreas Hasenack <andreas@canonical.com> Wed, 01 Jul 2020 16:43:06 -0300
13
1openldap (2.4.48+dfsg-1ubuntu1.1) eoan-security; urgency=medium14openldap (2.4.48+dfsg-1ubuntu1.1) eoan-security; urgency=medium
215
3 * SECURITY UPDATE: denial of service via nested search filters16 * SECURITY UPDATE: denial of service via nested search filters
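Review bot: the first entry says slapd crashes "in certain configurations" without naming the component, while the imported patch only touches servers/slapd/overlays/ppolicy.c. Naming the ppolicy overlay in the changelog entry would let administrators tell from the changelog alone whether their deployment is affected.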
diff --git a/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch b/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch
4new file mode 10064417new file mode 100644
index 0000000..deb5418
--- /dev/null
+++ b/debian/patches/ITS-9171-Insert-callback-in-the-right-place.patch
@@ -0,0 +1,38 @@
1From 0f106b550ebc226f788ea1c1a87bc27a84f98e90 Mon Sep 17 00:00:00 2001
2From: =?UTF-8?q?Ond=C5=99ej=20Kuzn=C3=ADk?= <ondra@mistotebe.net>
3Date: Fri, 21 Feb 2020 10:26:53 +0000
4Subject: [PATCH] ITS#9171 Insert callback in the right place
5
6---
7 servers/slapd/overlays/ppolicy.c | 6 ++----
8 1 file changed, 2 insertions(+), 4 deletions(-)
9
10diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
11index a8f8f3073..3c12024bd 100644
12--- a/servers/slapd/overlays/ppolicy.c
13+++ b/servers/slapd/overlays/ppolicy.c
14@@ -1323,9 +1323,8 @@ ppolicy_bind( Operation *op, SlapReply *rs )
15 /* Setup a callback so we can munge the result */
16
17 cb->sc_response = ppolicy_bind_response;
18- cb->sc_next = op->o_callback->sc_next;
19 cb->sc_private = ppb;
20- op->o_callback->sc_next = cb;
21+ overlay_callback_after_backover( op, cb, 1 );
22
23 /* Did we receive a password policy request control? */
24 if ( op->o_ctrlflag[ppolicy_cid] ) {
25@@ -1469,9 +1468,8 @@ ppolicy_compare(
26 /* Setup a callback so we can munge the result */
27
28 cb->sc_response = ppolicy_compare_response;
29- cb->sc_next = op->o_callback->sc_next;
30 cb->sc_private = ppb;
31- op->o_callback->sc_next = cb;
32+ overlay_callback_after_backover( op, cb, 1 );
33
34 op->o_bd->bd_info = (BackendInfo *)on;
35 ppolicy_get( op, e, &ppb->pp );
36--
372.20.1
38
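Review bot: the patch file header carries only the upstream git mail headers (From, Date, Subject) and no DEP-3 fields. Adding Origin (upstream commit 0f106b550ebc226f788ea1c1a87bc27a84f98e90), Bug (ITS#9171), Bug-Ubuntu (LP: #1866303) and Last-Update would record the provenance in the patch itself. In both inner hunks, ppolicy_bind and ppolicy_compare, the call overlay_callback_after_backover( op, cb, 1 ) replaces the manual splice through op->o_callback->sc_next, and the meaning of the third argument is not evident from the visible lines, so a sentence in the patch description on why 1 is passed would help reviewers.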
diff --git a/debian/patches/series b/debian/patches/series
index d4506cf..870630a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ set-maintainer-name
23no-gnutls_global_set_mutex23no-gnutls_global_set_mutex
24fix-ldap-distribution.patch24fix-ldap-distribution.patch
25CVE-2020-12243.patch25CVE-2020-12243.patch
26ITS-9171-Insert-callback-in-the-right-place.patch
