Hello community, here is the log from the commit of package openldap2 for openSUSE:Factory checked in at 2011-11-25 23:12:27 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openldap2 (Old) and /work/SRC/openSUSE:Factory/.openldap2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openldap2", Maintainer is "[email protected]" Changes: -------- --- /work/SRC/openSUSE:Factory/openldap2/openldap2-client.changes 2011-09-23 12:20:38.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.openldap2.new/openldap2-client.changes 2011-11-25 23:05:26.000000000 +0100 @@ -1,0 +2,15 @@ +Fri Nov 25 10:42:39 UTC 2011 - [email protected] + +- add libtool as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Mon Oct 24 13:57:45 UTC 2011 - [email protected] + +- ACL changes to the config database only got active after slapd + restart in certain cases (bnc#716895, ITS#7066). +- Adjusted default DB_CONFIG to increase max values for locks and + lock objects (bnc#719803) +- Fix UTF8StringNormalize overrun on zero-length string + (bnc#724201, ITS#7059) + +------------------------------------------------------------------- openldap2.changes: same change New: ---- 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openldap2-client.spec ++++++ --- /var/tmp/diff_new_pack.ahPj0i/_old 2011-11-25 23:05:28.000000000 +0100 +++ /var/tmp/diff_new_pack.ahPj0i/_new 2011-11-25 23:05:28.000000000 +0100 @@ -20,7 +20,7 @@ %define run_test_suite 1 Name: openldap2-client -BuildRequires: cyrus-sasl-devel libopenssl-devel +BuildRequires: cyrus-sasl-devel libopenssl-devel libtool %if %sles_version == 9 || %sles_version == 10 BuildRequires: -libopenssl-devel -pwdutils openssl-devel %endif 
@@ -66,6 +66,8 @@ Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif Patch11: 0011-config-delete-overlay-fixes.dif Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif +Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif +Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif Patch100: openldap-2.3.37.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %if "%{name}" == "openldap2" @@ -76,20 +78,8 @@ access a stand-alone LDAP directory service or to access a directory service that has an X.500 back-end. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - This package contains the OpenLDAP client utilities. - -Authors: --------- - The OpenLDAP Project <[email protected]> - - %package -n openldap2-back-perl License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Perl Back-End @@ -101,12 +91,6 @@ The OpenLDAP Perl back-end allows you to execute Perl code specific to different LDAP operations. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n openldap2-back-meta License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Meta Back-End @@ -121,12 +105,6 @@ these servers can be presented as belonging to a single Directory Information Tree (DIT). - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n openldap2-back-sql License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP SQL Back-End @@ -139,10 +117,6 @@ stored in a Relational (SQL) Database as an LDAP subtree without the need to do any programming. -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n openldap2-doc License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Documentation @@ -156,12 +130,6 @@ %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts -Authors: --------- - The OpenLDAP Project <[email protected]> - - - %else %description 
@@ -170,20 +138,8 @@ access a stand-alone LDAP directory service or to access a directory service that has an X.500 back-end. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - This package contains the OpenLDAP client utilities. - -Authors: --------- - The OpenLDAP Project <[email protected]> - - %package -n openldap2-devel License: BSD3c(or similar) ; openldap 2.8 Summary: Libraries, Header Files and Documentation for OpenLDAP @@ -205,12 +161,6 @@ This package provides the OpenLDAP libraries, header files, and documentation. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n libldap-2_4-2 License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Client Libraries @@ -220,12 +170,6 @@ %description -n libldap-2_4-2 This package contains the OpenLDAP client libraries. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %endif %prep @@ -244,6 +188,8 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 cp %{SOURCE5} . cp %{SOURCE6} . cd ../openldap-2.3.37 ++++++ openldap2.spec ++++++ --- /var/tmp/diff_new_pack.ahPj0i/_old 2011-11-25 23:05:28.000000000 +0100 +++ /var/tmp/diff_new_pack.ahPj0i/_new 2011-11-25 23:05:28.000000000 +0100 @@ -20,7 +20,7 @@ %define run_test_suite 1 Name: openldap2 -BuildRequires: cyrus-sasl-devel libopenssl-devel +BuildRequires: cyrus-sasl-devel libopenssl-devel libtool %if %sles_version == 9 || %sles_version == 10 BuildRequires: -libopenssl-devel -pwdutils openssl-devel %endif 
@@ -33,11 +33,11 @@ %if %sles_version == 9 || %sles_version == 10 BuildRequires: -db-devel libdb-4_5-devel %endif -Group: Productivity/Networking/LDAP/Clients +Group: Productivity/Networking/LDAP/Servers Conflicts: openldap Requires: libldap-2_4-2 = %{version} PreReq: %insserv_prereq %fillup_prereq /usr/sbin/useradd /usr/sbin/groupadd /usr/bin/grep -Summary: The OpenLDAP commandline client tools +Summary: The OpenLDAP Server %else Group: Productivity/Networking/LDAP/Clients Conflicts: openldap-client @@ -66,6 +66,8 @@ Patch10: 0010-Fix-exposure-of-SSS-VLV-controls-ITS-6647.dif Patch11: 0011-config-delete-overlay-fixes.dif Patch12: 0012-backport-ConfigLDAPdel-callback-from-current-master.dif +Patch13: 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif +Patch14: 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif Patch100: openldap-2.3.37.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build %if "%{name}" == "openldap2" @@ -76,12 +78,6 @@ access a stand-alone LDAP directory service or to access a directory service that has an X.500 back-end. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n openldap2-back-perl License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Perl Back-End @@ -93,12 +89,6 @@ The OpenLDAP Perl back-end allows you to execute Perl code specific to different LDAP operations. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n openldap2-back-meta License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Meta Back-End @@ -113,12 +103,6 @@ these servers can be presented as belonging to a single Directory Information Tree (DIT). - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n openldap2-back-sql License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP SQL Back-End 
@@ -131,10 +115,6 @@ stored in a Relational (SQL) Database as an LDAP subtree without the need to do any programming. -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n openldap2-doc License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Documentation @@ -148,23 +128,11 @@ %description -n openldap2-doc The OpenLDAP Admin Guide plus a set of OpenLDAP related IETF internet drafts -Authors: --------- - The OpenLDAP Project <[email protected]> - - - %else %description This package contains the OpenLDAP client utilities. - -Authors: --------- - The OpenLDAP Project <[email protected]> - - %package -n openldap2-devel License: BSD3c(or similar) ; openldap 2.8 Summary: Libraries, Header Files and Documentation for OpenLDAP @@ -186,12 +154,6 @@ This package provides the OpenLDAP libraries, header files, and documentation. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %package -n libldap-2_4-2 License: BSD3c(or similar) ; openldap 2.8 Summary: OpenLDAP Client Libraries @@ -201,12 +163,6 @@ %description -n libldap-2_4-2 This package contains the OpenLDAP client libraries. - - -Authors: --------- - The OpenLDAP Project <[email protected]> - %endif %prep @@ -225,6 +181,8 @@ %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 +%patch14 -p1 cp %{SOURCE5} . cp %{SOURCE6} . cd ../openldap-2.3.37 ++++++ 0013-UTF8StringNormalize-overrun-on-zero-length-string-ITS-.dif ++++++ >From 48e44e993656a08424a020347a458148169196ce Mon Sep 17 00:00:00 2001 From: Howard Chu <[email protected]> Date: Thu, 6 Oct 2011 14:05:31 -0700 Subject: UTF8StringNormalize overrun on zero-length string (ITS#7059) Detected by valgrind diff --git a/servers/slapd/schema_init.c b/servers/slapd/schema_init.c index 67508fc..65a7e2e 100644 --- a/servers/slapd/schema_init.c +++ b/servers/slapd/schema_init.c 
@@ -1852,12 +1852,12 @@ UTF8StringNormalize( } nvalue.bv_val[nvalue.bv_len] = '\0'; - } else { + } else if ( tmp.bv_len ) { /* string of all spaces is treated as one space */ nvalue.bv_val[0] = ' '; nvalue.bv_val[1] = '\0'; nvalue.bv_len = 1; - } + } /* should never be entered with 0-length val */ *normalized = nvalue; return LDAP_SUCCESS; @@ -2331,13 +2331,18 @@ postalAddressNormalize( } lines[l].bv_len = &val->bv_val[c] - lines[l].bv_val; - normalized->bv_len = l; + normalized->bv_len = c = l; - for ( l = 0; !BER_BVISNULL( &lines[l] ); l++ ) { + for ( l = 0; l <= c; l++ ) { /* NOTE: we directly normalize each line, * without unescaping the values, since the special * values '\24' ('$') and '\5C' ('\') are not affected * by normalization */ + if ( !lines[l].bv_len ) { + nlines[l].bv_len = 0; + nlines[l].bv_val = NULL; + continue; + } rc = UTF8StringNormalize( usage, NULL, xmr, &lines[l], &nlines[l], ctx ); if ( rc != LDAP_SUCCESS ) { rc = LDAP_INVALID_SYNTAX; @@ -2350,7 +2355,7 @@ postalAddressNormalize( normalized->bv_val = slap_sl_malloc( normalized->bv_len + 1, ctx ); p = normalized->bv_val; - for ( l = 0; !BER_BVISNULL( &nlines[l] ); l++ ) { + for ( l = 0; l <= c ; l++ ) { p = lutil_strbvcopy( p, &nlines[l] ); *p++ = '$'; } -- 1.7.6.4 ++++++ 0014-ITS-7066-reworked-default-deny-ACL-for-cn-config.dif ++++++ >From 5d9026cf3f93f95dd6f80ad209013e30bbb0d8e6 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp <[email protected]> Date: Tue, 18 Oct 2011 17:08:05 +0200 Subject: ITS#7066 reworked default deny ACL for cn=config Dynamically adding ACL for cn=config didn't work correctly, when no ACLs where present for that database upon startup. Delete the last ACL from the DB could also lead to unexpected results. diff --git a/servers/slapd/bconfig.c b/servers/slapd/bconfig.c index 309668e..7097d72 100644 --- a/servers/slapd/bconfig.c +++ b/servers/slapd/bconfig.c 
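Review bot: With the new `else if ( tmp.bv_len )` in UTF8StringNormalize, a zero-length value matches neither branch and reaches `*normalized = nvalue;` with whatever nvalue held before the hunk, so nothing visible here guarantees a NUL-terminated bv_val in that case. The trailing comment `/* should never be entered with 0-length val */` records an assumption rather than enforcing it, although the commit message says valgrind detected the overrun on a zero-length string. I would make the empty case explicit with a final `else` that sets `nvalue.bv_len = 0;` and says what bv_val points at. The function starts and ends outside the hunk, so the size of the buffer behind nvalue.bv_val has to be confirmed there.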
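Review bot: Empty lines now get `nlines[l].bv_val = NULL`, which changes the meaning of a NULL bv_val in nlines: the removed loops used `!BER_BVISNULL( &nlines[l] )` as the end-of-array test, and only the two loops in this hunk and in @@ -2350 were switched to `l <= c`. Any other walk over nlines that still stops at the first NULL bv_val, for instance a cleanup loop after the visible code, would now stop at the first empty line and skip the later entries; that part of postalAddressNormalize is outside the hunk and should be checked. The copy loop in @@ -2350 also hands these NULL, zero-length entries to `lutil_strbvcopy`, so it is worth confirming that the helper tolerates a NULL bv_val. Reusing `c`, which indexed val->bv_val just above, as the last line index is easy to misread; a comment such as `/* c now holds the index of the last line */` beside `normalized->bv_len = c = l;` would help.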
@@ -84,6 +84,7 @@ static char *logfileName; #ifdef SLAP_AUTH_REWRITE static BerVarray authz_rewrites; #endif +static AccessControl *defacl_parsed = NULL; static struct berval cfdir; @@ -1297,6 +1298,12 @@ config_generic(ConfigArgs *c) { *prev = a->acl_next; acl_free( a ); } + if ( SLAP_CONFIG( c->be ) && !c->be->be_acl ) { + Debug( LDAP_DEBUG_CONFIG, "config_generic (CFG_ACL): " + "Last explicit ACL for back-config removed. " + "Using hardcoded default\n", 0, 0, 0 ); + c->be->be_acl = defacl_parsed; + } break; case CFG_OC: { @@ -1792,6 +1799,9 @@ sortval_reject: break; case CFG_ACL: + if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed) { + c->be->be_acl = NULL; + } /* Don't append to the global ACL if we're on a specific DB */ i = c->valx; if ( c->valx == -1 ) { @@ -1801,6 +1811,9 @@ sortval_reject: i++; } if ( parse_acl(c->be, c->fname, c->lineno, c->argc, c->argv, i ) ) { + if ( SLAP_CONFIG( c->be ) && !c->be->be_acl) { + c->be->be_acl = defacl_parsed; + } return 1; } break; @@ -6637,14 +6650,23 @@ config_back_db_open( BackendDB *be, ConfigReply *cr ) slap_callback cb = { NULL, slap_null_cb, NULL, NULL }; SlapReply rs = {REP_RESULT}; void *thrctx = NULL; + AccessControl *save_access; Debug( LDAP_DEBUG_TRACE, "config_back_db_open\n", 0, 0, 0); /* If we have no explicitly configured ACLs, don't just use * the global ACLs. Explicitly deny access to everything. */ - if ( !be->bd_self->be_acl ) { - parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ); + save_access = be->bd_self->be_acl; + be->bd_self->be_acl = NULL; + parse_acl(be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ); + defacl_parsed = be->bd_self->be_acl; + if ( save_access ) { + be->bd_self->be_acl = save_access; + } else { + Debug( LDAP_DEBUG_CONFIG, "config_back_db_open: " + "No explicit ACL for back-config configured. " + "Using hardcoded default\n", 0, 0, 0 ); } thrctx = ldap_pvt_thread_pool_context(); 
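Review bot: The delete path in config_generic (@@ -1297) re-installs `defacl_parsed` after the removal code, but unlike the add path at @@ -1792 it does not detach the default before the `acl_free( a )` that precedes the new check. If be_acl still points at defacl_parsed when a delete arrives, the shared default node would be freed and then assigned back, leaving both pointers dangling; whether a delete can reach this branch in that state depends on code above the hunk. The fallback also assumes defacl_parsed is non-NULL, so if it was never set be_acl stays NULL while the debug message reports that the hardcoded default is in use. A guard at the top of the delete case, something like `if ( SLAP_CONFIG( c->be ) && c->be->be_acl == defacl_parsed ) break;`, would keep the default from being freed.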
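Review bot: The reason for unhooking the default in the CFG_ACL add case is not stated, and the two halves of the logic (clear at @@ -1792, restore at @@ -1801) are separated by the index handling, so a later edit can easily break the pairing. A comment above the first check would help, e.g. `/* detach the built-in default deny ACL so parse_acl() starts from an empty list; restored below if parsing fails */`. The restore only runs when be_acl is still NULL after the failure, which presumably relies on parse_acl leaving the list untouched on error; parse_acl is not shown, so that should be confirmed. The spacing in `== defacl_parsed)` and `!c->be->be_acl)` also differs from the `( ... )` style of the surrounding lines.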
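Review bot: The return value of `parse_acl` in config_back_db_open (@@ -6637) is discarded, although the add path in config_generic treats a non-zero result as failure. If parsing the built-in `defacl` fails, defacl_parsed stays NULL and, with no explicit ACLs, be_acl stays NULL as well, which per the comment in this hunk is the state where the global ACLs apply instead of the intended deny; the debug line would still claim the hardcoded default is in use. I would check the call and fail the open, along the lines of `if ( parse_acl( be->bd_self, "config_back_db_open", 0, 6, (char **)defacl, 0 ) ) { be->bd_self->be_acl = save_access; return 1; }`, with the error code left to the maintainers. If db_open can run more than once, the second call would also overwrite defacl_parsed without freeing the earlier list. The function continues past the hunk.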
@@ -6889,6 +6911,11 @@ config_back_db_close( BackendDB *be, ConfigReply *cr ) backend_shutdown( &cfb->cb_db ); } + if ( defacl_parsed && be->be_acl != defacl_parsed ) { + acl_free( defacl_parsed ); + defacl_parsed = NULL; + } + return 0; } -- 1.7.6.4 ++++++ DB_CONFIG ++++++ --- /var/tmp/diff_new_pack.ahPj0i/_old 2011-11-25 23:05:28.000000000 +0100 +++ /var/tmp/diff_new_pack.ahPj0i/_new 2011-11-25 23:05:28.000000000 +0100 @@ -1,5 +1,7 @@ set_cachesize 0 15000000 1 set_lg_regionmax 262144 set_lg_bsize 2097152 +set_lk_max_locks 30000 +set_lk_max_objects 30000 set_flags DB_LOG_AUTOREMOVE -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
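Review bot: config_back_db_close tests `be->be_acl`, while config_back_db_open installs and saves the list through `be->bd_self->be_acl`; if the two can refer to different BackendDB objects, the test may free a default that is still installed or skip freeing one that is not. When the default is the active list the static is left pointing at it, so once the backend's ACLs are released elsewhere defacl_parsed is stale until the next open. I would use the same accessor as in open and clear the pointer in both cases: `if ( defacl_parsed && be->bd_self->be_acl != defacl_parsed ) acl_free( defacl_parsed );` followed by `defacl_parsed = NULL;`. `acl_free` is applied to a single node in the @@ -1297 hunk, so if the parsed default could ever hold more than one entry a list-wide release would be needed; that depends on `defacl`, which is not shown.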
