Accepting request 93621 from network:ldap

add libtool to buildrequires

OBS-URL: https://build.opensuse.org/request/show/93621
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=84
Stephan Kulow 2011-11-25 22:12:27 +00:00 committed by Git OBS Bridge
commit 694fe6ae1e
7 changed files with 198 additions and 108 deletions


@ -0,0 +1,59 @@
From 48e44e993656a08424a020347a458148169196ce Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Thu, 6 Oct 2011 14:05:31 -0700
Subject: UTF8StringNormalize overrun on zero-length string (ITS#7059)
Detected by valgrind
diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c
index 67508fc..65a7e2e 100644
--- a/servers/slapd/schema_init.c
+++ b/servers/slapd/schema_init.c
@@ -1852,12 +1852,12 @@ UTF8StringNormalize(
}
nvalue.bv_val[nvalue.bv_len] = '\0';
- } else {
+ } else if ( tmp.bv_len ) {
/* string of all spaces is treated as one space */
nvalue.bv_val[0] = ' ';
nvalue.bv_val[1] = '\0';
nvalue.bv_len = 1;
- }
+ } /* should never be entered with 0-length val */
*normalized = nvalue;
return LDAP_SUCCESS;
@@ -2331,13 +2331,18 @@ postalAddressNormalize(
}
lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val;
- normalized->bv_len = l;
+ normalized->bv_len = c = l;
- for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) {
+ for ( l = 0; l <= c; l++ ) {
/* NOTE: we directly normalize each line,
* without unescaping the values, since the special
* values '\24' ('$') and '\5C' ('\') are not affected
* by normalization */
+ if ( !lines[l].bv_len ) {
+ nlines[l].bv_len = 0;
+ nlines[l].bv_val = NULL;
+ continue;
+ }
rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx );
if ( rc != LDAP_SUCCESS ) {
rc = LDAP_INVALID_SYNTAX;
@@ -2350,7 +2355,7 @@ postalAddressNormalize(
normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx );
p = normalized->bv_val;
- for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) {
+ for ( l = 0; l <= c ; l++ ) {
p = lutil_strbvcopy( p, &nlines[l] );
*p++ = '$';
}
--
1.7.6.4
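Review bot: A NULL `bv_val` is now a legal entry inside `nlines` (the postalAddressNormalize hunk stores it for empty lines), yet it was the end-of-array sentinel for the loops this patch replaces, so any code outside the hunk that still walks `nlines` with `!BER_BVISNULL( &nlines[l] )`, a cleanup path for example, would stop at the first empty line and should be moved to the `l <= c` bound too. The copy loop also hands these NULL, zero-length entries to `lutil_strbvcopy`, which is only safe if that helper tolerates a NULL source of length 0; `if ( nlines[l].bv_len ) p = lutil_strbvcopy( p, &nlines[l] );` avoids relying on that. In UTF8StringNormalize the zero-length case now falls through and returns LDAP_SUCCESS with `nvalue` as it stands, and the trailing comment states an invariant that nothing enforces; an `assert( tmp.bv_len )` or an explicit error return would make it checkable. Both function bodies start and end outside the hunks, so the buffer sizes and cleanup code could not be confirmed from here.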


@ -0,0 +1,95 @@
From 5d9026cf3f93f95dd6f80ad209013e30bbb0d8e6 Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <ralf@openldap.org>
Date: Tue, 18 Oct 2011 17:08:05 +0200
Subject: ITS#7066 reworked default deny ACL for cn=config
Dynamically adding ACL for cn=config didn't work correctly, when no
ACLs where present for that database upon startup. Delete the last
ACL from the DB could also lead to unexpected results.
diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c
index 309668e..7097d72 100644
--- a/servers/slapd/bconfig.c
+++ b/servers/slapd/bconfig.c
@@ -84,6 +84,7 @@ static char *logfileName;
#ifdef SLAP_AUTH_REWRITE
static BerVarray authz_rewrites;
#endif
+static AccessControl *defacl_parsed = NULL;
static struct berval cfdir;
@@ -1297,6 +1298,12 @@ config_generic(ConfigArgs *c) {
*prev = a->acl_next;
acl_free( a );
}
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) {
+ Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): "
+ "Last explicit ACL for back-config removed. "
+ "Using hardcoded default\n", 0, 0, 0 );
+ c->be->be_acl = defacl_parsed;
+ }
break;
case CFG_OC: {
@@ -1792,6 +1799,9 @@ sortval_reject:
break;
case CFG_ACL:
+ if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) {
+ c->be->be_acl = NULL;
+ }
/* Don't append to the global ACL if we're on a specific DB */
i = c->valx;
if ( c->valx == -1 ) {
@@ -1801,6 +1811,9 @@ sortval_reject:
i++;
}
if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) {
+ if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) {
+ c->be->be_acl = defacl_parsed;
+ }
return 1;
}
break;
@@ -6637,14 +6650,23 @@ config_back_db_open( BackendDB *be, ConfigReply *cr )
slap_callback cb = { NULL, slap_null_cb, NULL, NULL };
SlapReply rs = {REP_RESULT};
void *thrctx = NULL;
+ AccessControl *save_access;
Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0);
/* If we have no explicitly configured ACLs, don't just use
* the global ACLs. Explicitly deny access to everything.
*/
- if ( !be->bd_self->be_acl ) {
- parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+ save_access = be->bd_self->be_acl;
+ be->bd_self->be_acl = NULL;
+ parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 );
+ defacl_parsed = be->bd_self->be_acl;
+ if ( save_access ) {
+ be->bd_self->be_acl = save_access;
+ } else {
+ Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: "
+ "No explicit ACL for back-config configured. "
+ "Using hardcoded default\n", 0, 0, 0 );
}
thrctx = ldap_pvt_thread_pool_context();
@@ -6889,6 +6911,11 @@ config_back_db_close( BackendDB *be, ConfigReply *cr )
backend_shutdown( &cfb->cb_db );
}
+ if ( defacl_parsed && be->be_acl != defacl_parsed ) {
+ acl_free( defacl_parsed );
+ defacl_parsed = NULL;
+ }
+
return 0;
}
--
1.7.6.4
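Review bot: The reworked config_back_db_open calls `parse_acl(...)` on the hardcoded `defacl` without checking its result, although the CFG_ACL hunk in the same patch treats a non-zero return as failure. If that parse ever fails, `defacl_parsed` stays NULL and a cn=config database with no explicit ACLs is left with `be_acl == NULL`, which, going by the comment in this function, means falling back to the global ACLs instead of denying everything. Checking the result keeps the default fail-closed, for example `if ( parse_acl( be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ) ) { be->bd_self->be_acl = save_access; return 1; }`, with the return value to be matched to this function's error convention. Separately, config_back_db_close leaves `defacl_parsed` set when it is the active ACL, so the static pointer outlives whatever later frees `be->be_acl`; it should be cleared there or its ownership documented next to the declaration. The affected function bodies extend outside the hunks.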


@ -1,5 +1,7 @@
set_cachesize 0 15000000 1 set_cachesize 0 15000000 1
set_lg_regionmax 262144 set_lg_regionmax 262144
set_lg_bsize 2097152 set_lg_bsize 2097152
set_lk_max_locks 30000
set_lk_max_objects 30000
set_flags DB_LOG_AUTOREMOVE set_flags DB_LOG_AUTOREMOVE


@ -1,3 +1,18 @@
-------------------------------------------------------------------
Fri Nov 25 10:42:39 UTC 2011 - coolo@suse.com
- add libtool as buildrequire to avoid implicit dependency
-------------------------------------------------------------------
Mon Oct 24 13:57:45 UTC 2011 - rhafer@suse.de
- ACL changes to the config database only got active after slapd
restart in certain cases (bnc#716895, ITS#7066).
- Adjusted default DB_CONFIG to increase max values for locks and
lock objects (bnc#719803)
- Fix UTF8StringNormalize overrun on zero-length string
(bnc#724201, ITS#7059)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de


@ -20,7 +20,7 @@
%define run_test_suite 1 %define run_test_suite 1
Name: openldap2-client Name: openldap2-client
BuildRequires: cyrus-sasl-devel libopenssl-devel BuildRequires: cyrus-sasl-devel libopenssl-devel libtool
%if %sles_version == 9 || %sles_version == 10 %if %sles_version == 9 || %sles_version == 10
BuildRequires: -libopenssl-devel -pwdutils openssl-devel BuildRequires: -libopenssl-devel -pwdutils openssl-devel
%endif %endif
@ -66,6 +66,8 @@ Patch9: 0009-unregister_supported_control-backport.dif
Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif
Patch11: 0011-config-delete-overlay-fixes.dif Patch11: 0011-config-delete-overlay-fixes.dif
Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif
Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif
Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif
Patch100: openldap-2.3.37.dif Patch100: openldap-2.3.37.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if "%{name}" == "openldap2" %if "%{name}" == "openldap2"
@ -76,20 +78,8 @@ online directory services. It runs directly over TCP and can be used to
access a stand-alone LDAP directory service or to access a directory access a stand-alone LDAP directory service or to access a directory
service that has an X.500 back-end. service that has an X.500 back-end.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
This package contains the OpenLDAP client utilities. This package contains the OpenLDAP client utilities.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-back-perl %package -n openldap2-back-perl
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Perl Back-End Summary: OpenLDAP Perl Back-End
@ -101,12 +91,6 @@ Group: Productivity/Networking/LDAP/Servers
The OpenLDAP Perl back-end allows you to execute Perl code specific to The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations. different LDAP operations.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-back-meta %package -n openldap2-back-meta
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Meta Back-End Summary: OpenLDAP Meta Back-End
@ -121,12 +105,6 @@ respect to a set of remote LDAP servers. The information contained in
these servers can be presented as belonging to a single Directory these servers can be presented as belonging to a single Directory
Information Tree (DIT). Information Tree (DIT).
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-back-sql %package -n openldap2-back-sql
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP SQL Back-End Summary: OpenLDAP SQL Back-End
@ -139,10 +117,6 @@ The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming. to do any programming.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-doc %package -n openldap2-doc
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Documentation Summary: OpenLDAP Documentation
@ -156,12 +130,6 @@ BuildArch: noarch
%description -n openldap2-doc %description -n openldap2-doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%else %else
%description %description
@ -170,20 +138,8 @@ online directory services. It runs directly over TCP and can be used to
access a stand-alone LDAP directory service or to access a directory access a stand-alone LDAP directory service or to access a directory
service that has an X.500 back-end. service that has an X.500 back-end.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
This package contains the OpenLDAP client utilities. This package contains the OpenLDAP client utilities.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-devel %package -n openldap2-devel
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: Libraries, Header Files and Documentation for OpenLDAP Summary: Libraries, Header Files and Documentation for OpenLDAP
@ -205,12 +161,6 @@ Group: Development/Libraries/C and C++
This package provides the OpenLDAP libraries, header files, and This package provides the OpenLDAP libraries, header files, and
documentation. documentation.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n libldap-2_4-2 %package -n libldap-2_4-2
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Client Libraries Summary: OpenLDAP Client Libraries
@ -220,12 +170,6 @@ Group: Productivity/Networking/LDAP/Clients
%description -n libldap-2_4-2 %description -n libldap-2_4-2
This package contains the OpenLDAP client libraries. This package contains the OpenLDAP client libraries.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%endif %endif
%prep %prep
@ -244,6 +188,8 @@ Authors:
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1
%patch14 -p1
cp %{SOURCE5} . cp %{SOURCE5} .
cp %{SOURCE6} . cp %{SOURCE6} .
cd ../openldap-2.3.37 cd ../openldap-2.3.37


@ -1,3 +1,18 @@
-------------------------------------------------------------------
Fri Nov 25 10:42:39 UTC 2011 - coolo@suse.com
- add libtool as buildrequire to avoid implicit dependency
-------------------------------------------------------------------
Mon Oct 24 13:57:45 UTC 2011 - rhafer@suse.de
- ACL changes to the config database only got active after slapd
restart in certain cases (bnc#716895, ITS#7066).
- Adjusted default DB_CONFIG to increase max values for locks and
lock objects (bnc#719803)
- Fix UTF8StringNormalize overrun on zero-length string
(bnc#724201, ITS#7059)
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de Thu Jul 7 14:43:05 UTC 2011 - rhafer@suse.de


@ -20,7 +20,7 @@
%define run_test_suite 1 %define run_test_suite 1
Name: openldap2 Name: openldap2
BuildRequires: cyrus-sasl-devel libopenssl-devel BuildRequires: cyrus-sasl-devel libopenssl-devel libtool
%if %sles_version == 9 || %sles_version == 10 %if %sles_version == 9 || %sles_version == 10
BuildRequires: -libopenssl-devel -pwdutils openssl-devel BuildRequires: -libopenssl-devel -pwdutils openssl-devel
%endif %endif
@ -33,11 +33,11 @@ BuildRequires: db-devel openslp-devel tcpd-devel unixODBC-devel
%if %sles_version == 9 || %sles_version == 10 %if %sles_version == 9 || %sles_version == 10
BuildRequires: -db-devel libdb-4_5-devel BuildRequires: -db-devel libdb-4_5-devel
%endif %endif
Group: Productivity/Networking/LDAP/Clients Group: Productivity/Networking/LDAP/Servers
Conflicts: openldap Conflicts: openldap
Requires: libldap-2_4-2 = %{version} Requires: libldap-2_4-2 = %{version}
PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep
Summary: The OpenLDAP commandline client tools Summary: The OpenLDAP Server
%else %else
Group: Productivity/Networking/LDAP/Clients Group: Productivity/Networking/LDAP/Clients
Conflicts: openldap-client Conflicts: openldap-client
@ -66,6 +66,8 @@ Patch9: 0009-unregister_supported_control-backport.dif
Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif
Patch11: 0011-config-delete-overlay-fixes.dif Patch11: 0011-config-delete-overlay-fixes.dif
Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif
Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif
Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif
Patch100: openldap-2.3.37.dif Patch100: openldap-2.3.37.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRoot: %{_tmppath}/%{name}-%{version}-build
%if "%{name}" == "openldap2" %if "%{name}" == "openldap2"
@ -76,12 +78,6 @@ online directory services. It runs directly over TCP and can be used to
access a stand-alone LDAP directory service or to access a directory access a stand-alone LDAP directory service or to access a directory
service that has an X.500 back-end. service that has an X.500 back-end.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-back-perl %package -n openldap2-back-perl
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Perl Back-End Summary: OpenLDAP Perl Back-End
@ -93,12 +89,6 @@ Group: Productivity/Networking/LDAP/Servers
The OpenLDAP Perl back-end allows you to execute Perl code specific to The OpenLDAP Perl back-end allows you to execute Perl code specific to
different LDAP operations. different LDAP operations.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-back-meta %package -n openldap2-back-meta
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Meta Back-End Summary: OpenLDAP Meta Back-End
@ -113,12 +103,6 @@ respect to a set of remote LDAP servers. The information contained in
these servers can be presented as belonging to a single Directory these servers can be presented as belonging to a single Directory
Information Tree (DIT). Information Tree (DIT).
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-back-sql %package -n openldap2-back-sql
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP SQL Back-End Summary: OpenLDAP SQL Back-End
@ -131,10 +115,6 @@ The primary purpose of this OpenLDAP backend is to present information
stored in a Relational (SQL) Database as an LDAP subtree without the need stored in a Relational (SQL) Database as an LDAP subtree without the need
to do any programming. to do any programming.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-doc %package -n openldap2-doc
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Documentation Summary: OpenLDAP Documentation
@ -148,23 +128,11 @@ BuildArch: noarch
%description -n openldap2-doc %description -n openldap2-doc
The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%else %else
%description %description
This package contains the OpenLDAP client utilities. This package contains the OpenLDAP client utilities.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n openldap2-devel %package -n openldap2-devel
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: Libraries, Header Files and Documentation for OpenLDAP Summary: Libraries, Header Files and Documentation for OpenLDAP
@ -186,12 +154,6 @@ Group: Development/Libraries/C and C++
This package provides the OpenLDAP libraries, header files, and This package provides the OpenLDAP libraries, header files, and
documentation. documentation.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%package -n libldap-2_4-2 %package -n libldap-2_4-2
License: BSD3c(or similar) ; openldap 2.8 License: BSD3c(or similar) ; openldap 2.8
Summary: OpenLDAP Client Libraries Summary: OpenLDAP Client Libraries
@ -201,12 +163,6 @@ Group: Productivity/Networking/LDAP/Clients
%description -n libldap-2_4-2 %description -n libldap-2_4-2
This package contains the OpenLDAP client libraries. This package contains the OpenLDAP client libraries.
Authors:
--------
The OpenLDAP Project <project@openldap.org>
%endif %endif
%prep %prep
@ -225,6 +181,8 @@ Authors:
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1 %patch12 -p1
%patch13 -p1
%patch14 -p1
cp %{SOURCE5} . cp %{SOURCE5} .
cp %{SOURCE6} . cp %{SOURCE6} .
cd ../openldap-2.3.37 cd ../openldap-2.3.37