Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package openldap
[ Reason ]
Fix bug #988565: slapd-smbk5pwd crashes when initializing Kerberos.
smbk5pwd is a contributed plugin for slapd. It extends LDAP password
change operations to also update the attributes used by Samba and
Heimdal when their databases are stored in the LDAP directory.
At some point slapd picked up a transitive dependency on libkrb5-3 (via
libwrap0). This caused the crash because at runtime smbk5pwd would call
the MIT implementation of krb5_init_context and then pass the same
context to Heimdal functions.
The two libkrb5 implementations do use symbol versioning; however,
smbk5pwd contained references to the bare/unversioned symbols because it
was not linking -lkrb5.
The fix is just to add -lkrb5 to the link line for smbk5pwd, which lets
it correctly use the versioned symbols such as
"krb5_init_context@HEIMDAL_KRB5_2.0". The symbols can be manually
inspected via "nm -D /usr/lib/ldap/smbk5pwd.so".
One of the changed lines also occurs as context in another patch, which
had to be refreshed to avoid fuzz.
[ Impact ]
slapd crashes on startup, if the smbk5pwd plugin is loaded and its
Heimdal integration is enabled. Regression since it works in buster.
[ Tests ]
Upstream has an extensive test suite which runs at build time; however,
it does not cover the contrib modules such as smbk5pwd.
There is a superficial autopkgtest, which only tests whether the core
slapd runs and answers a trivial query.
I manually tested the smbk5pwd plugin with the Samba and Kerberos
integrations enabled.
[ Risks ]
I think this is a low risk change. The contrib modules each have their
own individual build systems, so the change only affects the smbk5pwd
Makefile and not any other component. It should be impossible for this
change to impact any core component such as libldap or slapd.
[ Checklist ]
[✓] all changes are documented in the d/changelog
[✓] I reviewed all changes and I approve them
[✓] attach debdiff against the package in testing
unblock openldap/2.4.57+dfsg-3
Thank you,
Ryan
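
The "nm -D" inspection described under [ Reason ], as an added example that is not part of the original request or of the openldap packaging: a shell function that reads "nm -D" output and lists undefined krb5_* imports that are not bound to a HEIMDAL_* symbol version. The function name, the sample symbol tables and the OTHER_IMPL_1.0 version name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original report). Reads `nm -D` output on stdin
# and lists undefined krb5_* imports not bound to a HEIMDAL_* symbol version.
# Exit status: 0 = every krb5_* import is Heimdal-versioned, 1 = at least one is not.
check_krb5_imports() {
    awk '
        # nm -D prints undefined imports as "U name" or "U name@VERSION".
        $1 == "U" && $2 ~ /^krb5_/ {
            n = split($2, part, "@")
            if (n < 2 || part[n] !~ /^HEIMDAL_/) { print $2; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: module linked without -lkrb5 (bare symbol names).
SAMPLE_UNLINKED='                 U ber_free
                 U krb5_free_context
                 U krb5_init_context
0000000000004a10 T init_module'

# Constructed sample: module linked with -lkrb5 (versioned imports).
SAMPLE_LINKED='                 U ber_free
                 U krb5_free_context@HEIMDAL_KRB5_2.0
                 U krb5_init_context@HEIMDAL_KRB5_2.0
0000000000004a10 T init_module'

# Constructed sample: import bound to a version node of some other library
# (OTHER_IMPL_1.0 is a made-up version name).
SAMPLE_WRONG='                 U krb5_init_context@OTHER_IMPL_1.0'

for s in "$SAMPLE_UNLINKED" "$SAMPLE_LINKED" "$SAMPLE_WRONG"; do
    if bad=$(printf '%s\n' "$s" | check_krb5_imports); then
        echo "ok: krb5 imports are Heimdal-versioned"
    else
        echo "FAIL:" $bad
    fi
done
```

On an installed system the same function can be fed directly: nm -D /usr/lib/ldap/smbk5pwd.so | check_krb5_imports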
diff -Nru openldap-2.4.57+dfsg/debian/changelog
openldap-2.4.57+dfsg/debian/changelog
--- openldap-2.4.57+dfsg/debian/changelog 2021-02-14 09:26:41.000000000
-0800
+++ openldap-2.4.57+dfsg/debian/changelog 2021-05-15 16:03:34.000000000
-0700
@@ -1,3 +1,9 @@
+openldap (2.4.57+dfsg-3) unstable; urgency=medium
+
+ * Link smbk5pwd with -lkrb5. (Closes: #988565)
+
+ -- Ryan Tandy <r...@nardis.ca> Sat, 15 May 2021 16:03:34 -0700
+
openldap (2.4.57+dfsg-2) unstable; urgency=medium
* Fix slapd assertion failure in Certificate List Exact Assertion validation
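Review bot: the new 2.4.57+dfsg-3 entry documents only the -lkrb5 link change, but this upload also refreshes debian/patches/smbk5pwd-makefile-manpage. Since the request states that all changes are documented in d/changelog, add a second bullet noting the refresh, and consider saying in the first bullet why the link is needed (so the module binds to Heimdal's versioned symbols), which makes the entry useful to someone reading the changelog without the bug log.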
diff -Nru openldap-2.4.57+dfsg/debian/patches/contrib-makefiles
openldap-2.4.57+dfsg/debian/patches/contrib-makefiles
--- openldap-2.4.57+dfsg/debian/patches/contrib-makefiles 2021-02-14
09:26:41.000000000 -0800
+++ openldap-2.4.57+dfsg/debian/patches/contrib-makefiles 2021-05-15
16:03:34.000000000 -0700
@@ -76,8 +76,8 @@
-HEIMDAL_INC = -I/usr/heimdal/include
-HEIMDAL_LIB = -L/usr/heimdal/lib -lkrb5 -lkadm5srv
-+HEIMDAL_INC = $(shell krb5-config.heimdal --cflags kadm-server)
-+HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
++HEIMDAL_INC = $(shell krb5-config.heimdal --cflags krb5 kadm-server)
++HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
LIBTOOL = $(LDAP_BUILD)/libtool
CC = gcc
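Review bot: nothing in this change verifies that the module built from the new HEIMDAL_LIB line actually ends up with versioned krb5 references, and the request itself notes that the build-time test suite does not cover contrib modules and the autopkgtest only exercises core slapd. The regression arrived through a transitive dependency without any build failure, so the link line alone is the only guard. Suggest a post-build or autopkgtest check that "nm -D" on smbk5pwd.so shows krb5_init_context@HEIMDAL_KRB5_2.0 rather than the bare name. The same "krb5" argument is added to HEIMDAL_INC; a short comment in the patch header explaining that it is there for symmetry with the --libs call would help the next person who refreshes it.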
diff -Nru openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage
openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage
--- openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage
2021-02-14 09:26:41.000000000 -0800
+++ openldap-2.4.57+dfsg/debian/patches/smbk5pwd-makefile-manpage
2021-05-15 16:03:34.000000000 -0700
@@ -18,7 +18,7 @@
--- a/contrib/slapd-modules/smbk5pwd/Makefile
+++ b/contrib/slapd-modules/smbk5pwd/Makefile
@@ -25,6 +25,7 @@
- HEIMDAL_LIB = $(shell krb5-config.heimdal --libs kadm-server)
+ HEIMDAL_LIB = $(shell krb5-config.heimdal --libs krb5 kadm-server)
LIBTOOL = $(LDAP_BUILD)/libtool
+INSTALL = /usr/bin/install
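Review bot: the HEIMDAL_LIB context line in this patch repeats the line that contrib-makefiles rewrites, so the two patches must be refreshed together every time that line changes, as happened here. There is no functional problem in the refresh itself. If the INSTALL definition can be added next to a line that contrib-makefiles does not touch, the coupling between the two patches goes away and future changes to the Heimdal flags will not produce fuzz.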