diff --git a/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch b/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
new file mode 100644
index 0000000..9543a1b
--- /dev/null
+++ b/SOURCES/0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch
@@ -0,0 +1,48 @@
+From 49ca93665ac6c2faf6077d6a8dc33cbea6bd0fc9 Mon Sep 17 00:00:00 2001
+From: Thierry Bordaz
+Date: Tue, 4 Apr 2017 10:44:55 +0200
+Subject: [PATCH] Ticket 49209 - Hang due to omitted replica lock release
+
+Bug Description:
+ When an operation is canceled (failure), its csn is aborted
+ and removed from the pending list.
+ If at that time the pending list is empty or the csn is not found
+ in that list, the cancel callback forgots to release the replica lock
+
+Fix Description:
+ Release replica lock systematically, whether cnsplRemove fails or not
+
+https://pagure.io/389-ds-base/issue/49209
+
+Reviewed by: Mark Reynolds (thanks Mark !!)
+
+Platforms tested: F23
+
+Flag Day: no
+
+Doc impact: no
+
+(cherry picked from commit 7dc991b16b97bacb69ddb334358e27e1220ca27b)
+(cherry picked from commit 071cadabb035fbca354a233adbeba82616be3d19)
+---
+ ldap/servers/plugins/replication/repl5_replica.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/servers/plugins/replication/repl5_replica.c b/ldap/servers/plugins/replication/repl5_replica.c
+index 602653a..9b3cec5 100644
+--- a/ldap/servers/plugins/replication/repl5_replica.c
++++ b/ldap/servers/plugins/replication/repl5_replica.c
+@@ -3669,7 +3669,9 @@ abort_csn_callback(const CSN *csn, void *data)
+ {
+ int rc = csnplRemove(r->min_csn_pl, csn);
+ if (rc) {
+- slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name, "csnplRemove failed");
++ slapi_log_error(SLAPI_LOG_FATAL, repl_plugin_name,
++ "abort_csn_callback - csnplRemove failed");
++ replica_unlock(r->repl_lock);
+ return;
+ }
+ }
+--
+2.9.3
+
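Review bot: The early `return` inside the `if (rc)` branch of abort_csn_callback now carries its own `replica_unlock(r->repl_lock)`, so the function has at least two exits that must each remember the unlock, which is the pattern that caused this hang. The lock acquisition and the normal exit are outside the hunk, so this is hedged: if the function already ends with an unlock, routing the failure through it (a `goto done;` in place of the unlock-and-return pair) would keep the release in one place. Failing that, a comment at the lock site such as `/* every return below must release repl_lock */` would help. The new message also omits the return code, and has no trailing newline, unlike the `"Attributes:\n"` call elsewhere on this page; `"abort_csn_callback - csnplRemove failed (rc=%d)\n", rc` would make the FATAL entry usable when diagnosing a stalled replica.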
diff --git a/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch b/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
new file mode 100644
index 0000000..e3a6454
--- /dev/null
+++ b/SOURCES/0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch
@@ -0,0 +1,38 @@
+From fea1b0b59b8c3a2bfdb294b274b6572d42075a00 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 17 Apr 2017 17:06:19 -0400
+Subject: [PATCH] Issue 49221 - During an upgrade the provided localhost name
+ is ignored
+
+Description: If the FullMachine name, or localhost, is provided in an INF
+ it is ignored during the upgrade the value of nsslapd-localhost
+ from the current server is used instead. We should only override
+ the localhost value if it is missing.
+
+https://pagure.io/389-ds-base/issue/49221
+
+Reviewed by: nhosoi(Thanks!)
+
+(cherry picked from commit 8979cc699a7bd0459a9285f66dca472e8108b1ad)
+---
+ ldap/admin/src/scripts/DSUpdate.pm.in | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/ldap/admin/src/scripts/DSUpdate.pm.in b/ldap/admin/src/scripts/DSUpdate.pm.in
+index e84a9a9..8b24b47 100644
+--- a/ldap/admin/src/scripts/DSUpdate.pm.in
++++ b/ldap/admin/src/scripts/DSUpdate.pm.in
+@@ -435,7 +435,9 @@ sub initInfFromInst {
+ my $servid = $inst;
+ $servid =~ s/slapd-//;
+
+- $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++ if (!$inf->{General}->{FullMachineName}) {
++ $inf->{General}->{FullMachineName} = $entry->getValue("nsslapd-localhost");
++ }
+ $inf->{General}->{SuiteSpotUserID} = $entry->getValue("nsslapd-localuser");
+ $inf->{slapd}->{ServerPort} = $entry->getValue("nsslapd-port");
+ $inf->{slapd}->{ldapifilepath} = $entry->getValue("nsslapd-ldapifilepath");
+--
+2.9.3
+
diff --git a/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch b/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
new file mode 100644
index 0000000..b7cb112
--- /dev/null
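Review bot: Only `FullMachineName` gets the "keep what the INF supplied" guard in initInfFromInst; the assignments directly below it (`SuiteSpotUserID`, `ServerPort`, `ldapifilepath`) still overwrite any INF-provided value unconditionally. If that asymmetry is intended, a comment above the new `if` should say so, for example `# an INF-supplied FullMachineName wins; the remaining values always come from the running instance`. The guard also tests truthiness rather than presence, so an empty string is treated as missing. That looks like the desired behaviour but is worth stating in the same comment. The rest of initInfFromInst is outside the hunk.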
+++ b/SOURCES/0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch
@@ -0,0 +1,36 @@
+From c101544797e0b563bc0955934a74a4dc25a5b467 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Wed, 22 Mar 2017 10:18:13 -0400
+Subject: [PATCH] Issue 49188 - retrocl can crash server at shutdown
+
+Description: We do not calloc enough elements when processing nsslapd-attribute
+ from the retrocl plugin configuration. This causes invalid memory
+ to be freed at shutdown(via slapi_ch_array_free).
+
+https://pagure.io/389-ds-base/issue/49188
+
+Reviewed by: mreynolds(one line commit rule)
+
+(cherry picked from commit b2f76abe10bfbe621308410a1e7f41287cf2ff9e)
+---
+ ldap/servers/plugins/retrocl/retrocl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ldap/servers/plugins/retrocl/retrocl.c b/ldap/servers/plugins/retrocl/retrocl.c
+index 0b336d5..6167e88 100644
+--- a/ldap/servers/plugins/retrocl/retrocl.c
++++ b/ldap/servers/plugins/retrocl/retrocl.c
+@@ -468,8 +468,8 @@ static int retrocl_start (Slapi_PBlock *pb)
+
+ retrocl_nattributes = n;
+
+- retrocl_attributes = (char **)slapi_ch_calloc(n, sizeof(char *));
+- retrocl_aliases = (char **)slapi_ch_calloc(n, sizeof(char *));
++ retrocl_attributes = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
++ retrocl_aliases = (char **)slapi_ch_calloc(n + 1, sizeof(char *));
+
+ slapi_log_error(SLAPI_LOG_PLUGIN, RETROCL_PLUGIN_NAME, "Attributes:\n");
+
+--
+2.9.3
+
diff --git a/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch b/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
new file mode 100644
index 0000000..0805c10
--- /dev/null
+++ b/SOURCES/0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch
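Review bot: The `n + 1` in the two `slapi_ch_calloc` calls in retrocl_start has no comment explaining the extra slot, while `retrocl_nattributes` stays at `n`, so a later cleanup could easily revert the size to match the count. Going by the commit description, the extra zeroed element is the NULL terminator that `slapi_ch_array_free` relies on at shutdown. A one-line comment above the allocations would record that: `/* +1: arrays must stay NULL-terminated for slapi_ch_array_free() */`. The code that fills the arrays is outside the hunk, so it is worth confirming that nothing writes index `n`.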
@@ -0,0 +1,159 @@ +From 9f1d12e3de174964b02e6507494fe3de1aca1766 Mon Sep 17 00:00:00 2001 +From: Mark Reynolds +Date: Mon, 20 Mar 2017 15:08:45 -0400 +Subject: [PATCH] Issue 49095 - targetattr wildcard evaluation is incorrectly + case sensitive + +Description: When processing an aci that uses a wildcard targetattr, the + comparision should be done using case insensitive functions. + +https://pagure.io/389-ds-base/issue/49095 + +Reviewed by: firstyear(Thanks!) + +(cherry picked from commit fdf78dca6c34b32522443c82ddd4c3c7ef04da80) +--- + dirsrvtests/tests/tickets/ticket49095_test.py | 85 +++++++++++++++++++++++++++ + ldap/servers/plugins/acl/acl.c | 10 ++-- + 2 files changed, 90 insertions(+), 5 deletions(-) + create mode 100644 dirsrvtests/tests/tickets/ticket49095_test.py + +diff --git a/dirsrvtests/tests/tickets/ticket49095_test.py b/dirsrvtests/tests/tickets/ticket49095_test.py +new file mode 100644 +index 0000000..04f92b2 +--- /dev/null ++++ b/dirsrvtests/tests/tickets/ticket49095_test.py +@@ -0,0 +1,85 @@ ++import time ++import ldap ++import logging ++import pytest ++from lib389 import DirSrv, Entry, tools, tasks ++from lib389.tools import DirSrvTools ++from lib389._constants import * ++from lib389.properties import * ++from lib389.tasks import * ++from lib389.utils import * ++from lib389.topologies import topology_st as topo ++ ++DEBUGGING = os.getenv("DEBUGGING", default=False) ++if DEBUGGING: ++ logging.getLogger(__name__).setLevel(logging.DEBUG) ++else: ++ logging.getLogger(__name__).setLevel(logging.INFO) ++log = logging.getLogger(__name__) ++ ++USER_DN = 'uid=testuser,dc=example,dc=com' ++acis = ['(targetattr != "tele*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', ++ '(targetattr != "TELE*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', ++ '(targetattr != "telephonenum*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)', ++ 
'(targetattr != "TELEPHONENUM*") (version 3.0;acl "test case";allow (read,compare,search)(userdn = "ldap:///anyone");)'] ++ ++ ++def test_ticket49095(topo): ++ """Check that target attrbiutes with wildcards are case insensitive ++ """ ++ ++ # Add an entry ++ try: ++ topo.standalone.add_s(Entry((USER_DN, { ++ 'objectclass': 'top extensibleObject'.split(), ++ 'uid': 'testuser', ++ 'telephonenumber': '555-555-5555' ++ }))) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to add test user: ' + e.message['desc']) ++ assert False ++ ++ for aci in acis: ++ # Add ACI ++ try: ++ topo.standalone.modify_s(DEFAULT_SUFFIX, ++ [(ldap.MOD_REPLACE, 'aci', aci)]) ++ ++ except ldap.LDAPError as e: ++ log.fatal('Failed to set aci: ' + aci + ': ' + e.message['desc']) ++ assert False ++ ++ # Set Anonymous Bind to test aci ++ try: ++ topo.standalone.simple_bind_s("", "") ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind anonymously: ' + e.message['desc']) ++ assert False ++ ++ # Search for entry - should not get any results ++ try: ++ entry = topo.standalone.search_s(DEFAULT_SUFFIX, ldap.SCOPE_BASE, ++ 'telephonenumber=*') ++ if entry: ++ log.fatal('The entry was incorrectly returned') ++ assert False ++ except ldap.LDAPError as e: ++ log.fatal('Failed to search anonymously: ' + e.message['desc']) ++ assert False ++ ++ # Set root DN Bind so we can update aci's ++ try: ++ topo.standalone.simple_bind_s(DN_DM, PASSWORD) ++ except ldap.LDAPError as e: ++ log.fatal('Failed to bind anonymously: ' + e.message['desc']) ++ assert False ++ ++ log.info("Test Passed") ++ ++ ++if __name__ == '__main__': ++ # Run isolated ++ # -s for DEBUG mode ++ CURRENT_FILE = os.path.realpath(__file__) ++ pytest.main("-s %s" % CURRENT_FILE) ++ +diff --git a/ldap/servers/plugins/acl/acl.c b/ldap/servers/plugins/acl/acl.c +index ba6b774..1caa88a 100644 +--- a/ldap/servers/plugins/acl/acl.c ++++ b/ldap/servers/plugins/acl/acl.c +@@ -3407,19 +3407,19 @@ acl_match_substring ( Slapi_Filter *f, char *str, 
int exact_match) + } + + /* this assumes that str and the filter components are already +- * normalized. If not, it shoul be done ++ * normalized. If not, it should be done + */ + if ( initial != NULL) { + len = strlen(initial); + if (exact_match) { +- int rc = strncmp(p, initial, len); ++ int rc = strncasecmp(p, initial, len); + if (rc) { + return ACL_FALSE; + } else { + p += len; + } + } else { +- p = strstr(p, initial); ++ p = strcasestr(p, initial); + if (p) { + p += len; + } else { +@@ -3430,7 +3430,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match) + + if ( any != NULL) { + for (i = 0; any && any[i] != NULL; i++) { +- p = strstr(p, any[i]); ++ p = strcasestr(p, any[i]); + if (p) { + p += strlen(any[i]); + } else { +@@ -3444,7 +3444,7 @@ acl_match_substring ( Slapi_Filter *f, char *str, int exact_match) + len = strlen(final); + tlen = strlen(p); + if (len > tlen) return ACL_FALSE; +- if (strcmp(p+tlen-len, final)) return ACL_FALSE; ++ if (strcasecmp(p+tlen-len, final)) return ACL_FALSE; + } + + return ACL_TRUE; +-- +2.9.3 + diff --git a/SPECS/389-ds-base.spec b/SPECS/389-ds-base.spec index 14f5c8e..d73444d 100644 --- a/SPECS/389-ds-base.spec +++ b/SPECS/389-ds-base.spec @@ -34,7 +34,7 @@ Summary: 389 Directory Server (base) Name: 389-ds-base Version: 1.3.5.10 -Release: %{?relprefix}20%{?prerel}%{?dist} +Release: %{?relprefix}21%{?prerel}%{?dist} License: GPLv3+ URL: https://www.port389.org/ Group: System Environment/Daemons 
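Review bot: The new test only reaches the `initial` branch of acl_match_substring, although the patch also changes the `any` loop and the `final` comparison. All four ACIs in ticket49095_test.py use a trailing wildcard (`tele*`, `telephonenum*` and their upper-case forms). Since this is access-control matching, adding leading and embedded wildcard cases would pin the other two branches, for example targetattr values `"*NUMBER"` and `"TELE*NUMBER"`. Separately, `strcasestr` is a GNU/BSD extension rather than ISO C. The hunk does not show acl.c's includes or feature-test macros, so confirm it is declared on every supported platform, because an implicit declaration would truncate the returned pointer on 64-bit builds. In the test, the root-DN bind failure also logs `'Failed to bind anonymously: '`, which looks like a copy of the earlier message.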
@@ -208,6 +208,10 @@ Patch69: 0069-fix-for-reg-in-49008-check-if-ruv-element-exists.patch Patch70: 0070-Ticket-49121-ns-slapd-crashes-in-ldif_sput-due-to-th.patch Patch71: 0071-Issue-49122-Filtered-nsrole-that-uses-nsrole-crashes.patch Patch72: 0072-fix-for-cve-2017-2668-simple-return-text-if-suffix-n.patch +Patch73: 0073-Ticket-49209-Hang-due-to-omitted-replica-lock-releas.patch +Patch74: 0074-Issue-49221-During-an-upgrade-the-provided-localhost.patch +Patch75: 0075-Issue-49188-retrocl-can-crash-server-at-shutdown.patch +Patch76: 0076-Issue-49095-targetattr-wildcard-evaluation-is-incorr.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -366,6 +370,10 @@ cp %{SOURCE2} README.devel %patch70 -p1 %patch71 -p1 %patch72 -p1 +%patch73 -p1 +%patch74 -p1 +%patch75 -p1 +%patch76 -p1 %build %if %{use_nunc_stans} @@ -603,6 +611,13 @@ fi %{_sysconfdir}/%{pkgname}/dirsrvtests %changelog +* Mon Apr 24 2017 Mark Reynolds - 1.3.5.10-21 +- Bump verison to 1.3.5.10-21 +- Resolves: Bug 1440654 - Possible deadlock while installing an ipa replica +- Resolves: Bug 1445178 - Silent install localhost issue +- Resolves: Bug 1445177 - retrocl crash at shutdown +- Resolves: Bug 1445176 - case sensitivity in acl + * Mon Apr 3 2017 Mark Reynolds - 1.3.5.10-20 - Bump version to 1.3.5.10-20 - Resolves: bug 1437005 - CVE-2017-2668 389-ds-base: Remote crash via crafted LDAP messages