
Accepting request 844183 from home:firstyear:branches:network:ldap

- bsc#1175568 CVE-2020-8027
  openldap_update_modules_path.sh has a number of issues in its
  design that lead to security issues. This file has been removed
  from the package and from the %post execution of the install. The
  function is replaced by /usr/sbin/slapd-ldif-update-crc and
  /usr/lib/openldap/fixup-modulepath, through the addition of the
  source files:
  * fixup-modulepath.sh
  * slapd-ldif-update-crc.sh
  * update-crc.sh

OBS-URL: https://build.opensuse.org/request/show/844183
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=278
Michael Ströder
2020-10-27 01:14:55 +00:00
committed by Git OBS Bridge
parent fc56a37d6c
commit 617ae2b561
6 changed files with 166 additions and 156 deletions


@@ -47,9 +47,11 @@ Source12: slapd.conf.example
Source13: start
Source14: slapd.service
Source16: sysconfig.openldap
Source17: openldap_update_modules_path.sh
Source18: openldap2.conf
Source19: ldap-user.conf
Source20: fixup-modulepath.sh
Source21: slapd-ldif-update-crc.sh
Source22: update-crc.sh
Patch1: 0001-ITS-8866-slapo-unique-to-return-filter-used-in-diagn.patch
Patch3: 0003-LDAPI-socket-location.dif
Patch5: 0005-pie-compile.dif
@@ -80,6 +82,7 @@ BuildRequires: pkgconfig(systemd)
%if %{suse_version} < 1500
%{?systemd_requires}
%endif
Requires: gawk
Requires: libldap-2_4-2 = %{version_main}
Recommends: cyrus-sasl
Conflicts: openldap
@@ -358,12 +361,15 @@ install -m 755 -d %{buildroot}/var/lib/ldap
chmod a+x %{buildroot}%{_libdir}/liblber.so*
chmod a+x %{buildroot}%{_libdir}/libldap_r.so*
install -m 755 %{SOURCE6} %{buildroot}%{_sbindir}/schema2ldif
install -m 755 %{SOURCE17} %{buildroot}%{_sbindir}
mkdir -p %{buildroot}%{_tmpfilesdir}/
install -m 644 %{SOURCE18} %{buildroot}%{_tmpfilesdir}/
mkdir -p %{buildroot}%{_sysusersdir}
install -m 644 %{SOURCE19} %{buildroot}%{_sysusersdir}/
install -m 755 %{SOURCE19} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath
install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc
install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc
# Install ppolicy check module
make -C contrib/slapd-modules/ppolicy-check-password STRIP="" DESTDIR="%{buildroot}" "sysconfdir=%{_sysconfdir}/openldap" "libdir=%{_libdir}" "libexecdir=%{_libexecdir}" install
install -m 0644 %{S:202} %{buildroot}%{_sysconfdir}/openldap/check_password.conf
@@ -433,9 +439,6 @@ gcc -shared -o "%{buildroot}%{_libdir}/libldap-2.4.so.2" -Wl,--no-as-needed \
%service_add_pre slapd.service
%post
if [ ${1:-0} -gt 1 ] && [ ! -f /var/adm/openldap_modules_path_updated ] ; then
/usr/sbin/openldap_update_modules_path.sh
fi
%{fillup_only -n openldap ldap}
%tmpfiles_create %{name}.conf
%service_add_post slapd.service
@@ -468,7 +471,6 @@ fi
%{_fillupdir}/sysconfig.openldap
%{_sbindir}/slap*
%{_sbindir}/rcslapd
%{_sbindir}/openldap_update_modules_path.sh
%{_libdir}/openldap/back_bdb*
%{_libdir}/openldap/back_hdb*
%{_libdir}/openldap/back_ldap*
@@ -498,6 +500,8 @@ fi
%{_libdir}/openldap/valsort*
%{_libdir}/slapd
/usr/lib/openldap/start
/usr/lib/openldap/update-crc
/usr/lib/openldap/fixup-modulepath
%{_unitdir}/slapd.service
%{_tmpfilesdir}/%{name}.conf
%{_sysusersdir}/ldap-user.conf
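Review bot: The three `install -m 755` lines for the new helpers in the `@@ -358,12 +361,15 @@` hunk are off by one against the Source tags declared in the first hunk. As written, `%{SOURCE19}` (`ldap-user.conf`) is installed as the executable `/usr/lib/openldap/fixup-modulepath`, `fixup-modulepath.sh` lands at `%{_sbindir}/slapd-ldif-update-crc`, `slapd-ldif-update-crc.sh` lands at `/usr/lib/openldap/update-crc`, and `update-crc.sh` (Source22) is never installed. These scripts replace the one removed for CVE-2020-8027 and are presumably run with elevated privileges against the slapd configuration, so each path should carry the script its name promises: `install -m 755 %{SOURCE20} ${RPM_BUILD_ROOT}/usr/lib/openldap/fixup-modulepath`, `install -m 755 %{SOURCE21} ${RPM_BUILD_ROOT}/%{_sbindir}/slapd-ldif-update-crc`, `install -m 755 %{SOURCE22} ${RPM_BUILD_ROOT}/usr/lib/openldap/update-crc`. The `+`/`-` markers are lost on this page, so which lines are new is inferred from the hunk counts and the commit description.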