Bug#803197: SOGo isn't the only victim, cups breaks as well
Hi Ryan,

On 04.01.19 04:17, Ryan Tandy wrote:
> Thanks in advance for any testing you're able to do.

I verified that cups doesn't crash with your packages on Debian stretch. On Debian buster, cups doesn't crash even without your patched packages. As far as I can tell this matches the behaviour you observed with the test program.

Best Regards,
Lukas
Bug#803197: SOGo isn't the only victim, cups breaks as well
Hi Lukas,

On Thu, Jan 03, 2019 at 10:20:10PM +0100, Lukas Kramer wrote:
> I've set up a VM and managed to reproduce the crash. Packages for stretch and buster definitely would help to validate the fix.

apt-get install apt-transport-https
apt-key adv --keyserver keyring.debian.org --recv-keys 0xCABE1E9E2EBA364F

(Also signing this email with the same key.)

deb https://studentweb.uvic.ca/~rtandy/bug803197/stretch /
deb https://studentweb.uvic.ca/~rtandy/bug803197/sid/ /

Thanks in advance for any testing you're able to do.
Bug#803197: SOGo isn't the only victim, cups breaks as well
Hi Ryan,

thanks for fixing this. My organisation has moved to sssd and the cups VM has been upgraded to Debian buster since we needed drivers for newer printers, so this isn't an issue for us anymore.

I've set up a VM and managed to reproduce the crash. Packages for stretch and buster definitely would help to validate the fix.

Best Regards,
Lukas

On 02.01.19 07:35, Ryan Tandy wrote:
> Hi Lukas, or anyone else interested,
>
> I have pushed the patch to git master. It would be great if you could test it in your environment and confirm everything is OK.
>
> https://salsa.debian.org/openldap-team/openldap/commit/2b2b26f4b52c10ceaa174a935370acdaf12fd952
>
> I can compile packages for stretch or buster if that would help.
>
> thanks,
> Ryan
Bug#803197: SOGo isn't the only victim, cups breaks as well
Hi Lukas, or anyone else interested,

I have pushed the patch to git master. It would be great if you could test it in your environment and confirm everything is OK.

https://salsa.debian.org/openldap-team/openldap/commit/2b2b26f4b52c10ceaa174a935370acdaf12fd952

I can compile packages for stretch or buster if that would help.

thanks,
Ryan
Bug#803197: SOGo isn't the only victim, cups breaks as well
On Sat, Dec 29, 2018 at 05:36:32PM -0800, Ryan Tandy wrote:
> I have attached a test program

Actually attached this time.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <dlfcn.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <gnutls/gnutls.h>
#define LDAP_DEPRECATED 1
#include <ldap.h>

static const char *server_name = "ldap.stanford.edu";
static const char *server_service = "ldaps";
static const char *server_uri = "ldap://ldap.stanford.edu";

/* libldap is loaded with dlopen() and resolved by hand, the way a PAM
 * module (pam_ldap) ends up loaded and unloaded inside a daemon like cupsd. */
static void *libldap;
static int (*myldap_initialize)(LDAP **, const char *);
static int (*myldap_set_option)(LDAP *, int, const void *);
static char *(*myldap_err2string)(int);
static int (*myldap_start_tls_s)(LDAP *, LDAPControl **, LDAPControl **);
static int (*myldap_simple_bind_s)(LDAP *, const char *, const char *);
static int (*myldap_unbind_s)(LDAP *);

#define DLSYM(sym) { my##sym = dlsym(libldap, #sym); chk_dl("dlsym " #sym); }

static void chk_g(int rc)
{
    if (rc < 0) {
        gnutls_perror(rc);
        exit(EXIT_FAILURE);
    }
}

static void chk_dl(const char *s)
{
    const char *err = dlerror();
    if (err != NULL) {
        fprintf(stderr, "%s: %s\n", s, err);
        exit(EXIT_FAILURE);
    }
}

static void chk_ld(int rc, const char *s)
{
    if (rc != LDAP_SUCCESS) {
        const char *err = myldap_err2string(rc);
        fprintf(stderr, "%s: %s\n", s, err);
        exit(EXIT_FAILURE);
    }
}

static void chk(int rc, const char *s)
{
    if (rc < 0) {
        perror(s);
        exit(EXIT_FAILURE);
    }
}

/* Direct GnuTLS session to the ldaps port, independent of libldap. */
static gnutls_session_t tls_connect(gnutls_certificate_credentials_t cred)
{
    gnutls_session_t session;
    chk_g(gnutls_init(&session, GNUTLS_CLIENT));
    chk_g(gnutls_set_default_priority(session));
    chk_g(gnutls_server_name_set(session, GNUTLS_NAME_DNS, server_name, strlen(server_name)));
    chk_g(gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, cred));

    struct addrinfo *ai;
    chk(getaddrinfo(server_name, server_service, NULL, &ai), "getaddrinfo");
    int sd = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
    chk(sd, "socket");
    chk(connect(sd, ai->ai_addr, ai->ai_addrlen), "connect");
    freeaddrinfo(ai);
    printf("Connected to %s:%s\n", server_name, server_service);
    gnutls_transport_set_int(session, sd);

    int rc;
    while ((rc = gnutls_handshake(session)) == GNUTLS_E_AGAIN) {
        printf("gnutls_handshake: %s\n", gnutls_strerror(rc));
    }
    chk_g(rc);
    printf("TLS established\n");
    return session;
}

static void tls_disconnect(gnutls_session_t session)
{
    int rc = gnutls_bye(session, GNUTLS_SHUT_RDWR);
    chk_g(rc);
    close(gnutls_transport_get_int(session));
    gnutls_deinit(session);
    printf("Disconnected\n");
}

static void open_libldap(void)
{
    libldap = dlopen("libldap.so", RTLD_NOW);
    chk_dl("dlopen");
    DLSYM(ldap_initialize);
    DLSYM(ldap_set_option);
    DLSYM(ldap_err2string);
    DLSYM(ldap_start_tls_s);
    DLSYM(ldap_simple_bind_s);
    DLSYM(ldap_unbind_s);
}

int main(void)
{
    chk_g(gnutls_global_init());
    gnutls_certificate_credentials_t cred;
    chk_g(gnutls_certificate_allocate_credentials(&cred));
    chk_g(gnutls_certificate_set_x509_system_trust(cred));

    /* 1. GnuTLS works on its own before libldap is ever loaded. */
    gnutls_session_t session = tls_connect(cred);
    tls_disconnect(session);

    /* 2. Load libldap, let it do a STARTTLS (which makes it touch GnuTLS
     *    global state), then unload it again. */
    open_libldap();
    LDAP *ld;
    chk_ld(myldap_initialize(&ld, server_uri), "ldap_initialize");
    const int version = 3;
    chk_ld(myldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version), "ldap_set_option");
    chk_ld(myldap_start_tls_s(ld, NULL, NULL), "ldap_start_tls_s");
    chk_ld(myldap_simple_bind_s(ld, NULL, NULL), "ldap_simple_bind_s");
    chk_ld(myldap_unbind_s(ld), "ldap_unbind_s");
    chk(dlclose(libldap), "dlclose");

    /* 3. Use GnuTLS again after libldap has been unloaded. */
    session = tls_connect(cred);
    tls_disconnect(session);

    gnutls_certificate_free_credentials(cred);
    gnutls_global_deinit();
    exit(EXIT_SUCCESS);
}
Bug#803197: SOGo isn't the only victim, cups breaks as well
Upon reviewing this bug, I've found that in stretch and later, GnuTLS actually uses getrandom() instead of opening /dev/urandom. This was introduced in GnuTLS 3.5.3 and requires Linux 3.18 and Glibc 2.25. The fd-clobber program that I attached to an earlier comment [1] demonstrates the issue in jessie, but works without issue in stretch and buster.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=803197;filename=fd-clobber.c;msg=25

You can observe this by running any LDAP client with GNUTLS_DEBUG_LEVEL=2:

gnutls[2]: getrandom random generator was detected

Based on that, I believe that the issue originally reported was actually resolved by that change, and the fd closing could probably be reinstated for systems where getrandom() is available. I will try to patch that back into SOGo and see what happens on a current system.

As for the cupsd issue you reported: I haven't been able to reproduce the segfault in cupsd, but I have attached a test program that I think demonstrates the issue as you described it. However, it crashes consistently in stretch but not in buster. :) Not sure whether that is a functional change or just luck of memory layout. I need to do some more testing, but I think I will be OK with removing the gnutls_global_set_mutex() calls in the next upload.

But even so, please do migrate to nss-pam-ldapd! Your point about libldap messing with global state is valid, but in the specific case of PAM modules we already have a solution, as Howard did point out to you.
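The message above describes two entropy sources: the cached /dev/urandom descriptor that older GnuTLS used, which a hosting process can close out from under the library, and getrandom(), which holds no descriptor. The following is an added illustration written for this thread, not the fd-clobber program attached to the bug and not GnuTLS or libldap code. It models a toy library that caches a /dev/urandom fd, a host that closes descriptors it does not own (as a daemonize routine does), and shows that the stale fd silently ends up reading from whatever file is opened next, while a getrandom()-based library is unaffected. It assumes Linux with glibc 2.25 or later for getrandom().

```c
/* Added example: cached-fd entropy source vs getrandom() under fd clobbering.
 * Toy code for illustration; not from the bug report, GnuTLS or libldap.
 * Assumes Linux and glibc >= 2.25 (sys/random.h, getrandom()). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/random.h>

#define NBYTES 16

/* Toy "library" in the style of pre-3.5.3 GnuTLS: opens the device once
 * and keeps reading from the cached descriptor forever after. */
static int cached_urandom_fd = -1;

static int lib_init_fd_based(void)
{
    cached_urandom_fd = open("/dev/urandom", O_RDONLY);
    return cached_urandom_fd < 0 ? -1 : 0;
}

static ssize_t lib_random_fd_based(unsigned char *buf, size_t n)
{
    return read(cached_urandom_fd, buf, n);
}

/* Toy "library" in the style of GnuTLS >= 3.5.3: no descriptor at all. */
static ssize_t lib_random_getrandom(unsigned char *buf, size_t n)
{
    return getrandom(buf, n, 0);
}

/* The host side: a daemonize routine typically does this for every fd
 * from 3 up to OPEN_MAX. Here the range is passed in so the demo only
 * closes descriptors it created itself. */
static void host_close_range(int lo, int hi)
{
    for (int fd = lo; fd < hi; fd++)
        close(fd);
}

static int all_zero(const unsigned char *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Scenario 1: the host closes the library's cached fd, then opens another
 * file. POSIX hands out the lowest free number, so the new file reuses the
 * old fd and the library's next "random" read comes from /dev/zero.
 * Returns 1 when the clobber is observed (16 bytes, all zero), -1 on setup
 * failure. */
int demo_fd_clobber(void)
{
    unsigned char buf[NBYTES];
    if (lib_init_fd_based() < 0)
        return -1;
    int victim = cached_urandom_fd;
    host_close_range(victim, victim + 1);     /* host "cleans up" fds */
    int other = open("/dev/zero", O_RDONLY);  /* lands on the same number */
    if (other != victim) {
        close(other);
        return -1;
    }
    ssize_t got = lib_random_fd_based(buf, NBYTES); /* stale fd, no error */
    close(other);
    return got == NBYTES && all_zero(buf, NBYTES);
}

/* Scenario 2: same host behaviour, but the library uses getrandom(), so
 * there is no descriptor to steal. Returns 1 when 16 fresh bytes arrive
 * that are not all zero. */
int demo_getrandom_survives(void)
{
    unsigned char buf[NBYTES];
    int fd = open("/dev/urandom", O_RDONLY);  /* some fd the host will close */
    if (fd < 0)
        return -1;
    host_close_range(fd, fd + 1);
    int other = open("/dev/zero", O_RDONLY);  /* reuses the number again */
    ssize_t got = lib_random_getrandom(buf, NBYTES);
    close(other);
    return got == NBYTES && !all_zero(buf, NBYTES);
}

int main(void)
{
    printf("cached fd clobbered, read zeros: %d\n", demo_fd_clobber());
    printf("getrandom() unaffected:          %d\n", demo_getrandom_survives());
    return 0;
}
```

The point for reviewers of either side of a bug like this: a closed-and-reused descriptor produces no error, so a cached-fd design fails silently with predictable "randomness", whereas getrandom() removes the shared state that the host could interfere with.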
Bug#803197: SOGo isn't the only victim, cups breaks as well
On Fri, Nov 23, 2018 at 10:31:58PM +0100, Lukas Kramer wrote:
> *bump* What are the chances of this patch landing in debian buster?

Thanks for the ping. I have no time to work on Debian in the next few weeks but I'll try to follow up during my upcoming vacation. Can't make any promises one way or the other right now, sorry.
Bug#803197: [Pkg-openldap-devel] Bug#803197: SOGo isn't the only victim, cups breaks as well
On Sun, 10 Jun 2018 08:51:47 -0700 Ryan Tandy wrote:
> Thanks for the followup. Yes, fixing it as a Debian patch is probably the best path for now, and maybe trying upstream again at a later date. To a certain extent it's easier here because we have a more homogeneous platform than upstream does.

*bump* What are the chances of this patch landing in Debian buster?
Bug#803197: [Pkg-openldap-devel] Bug#803197: SOGo isn't the only victim, cups breaks as well
On 10.06.2018 17:51, Ryan Tandy wrote:
> I never did get around to re-asking GnuTLS upstream about adding a workaround on their end, but I suspect there's no point; after all libldap is doing the very things their documentation explicitly says a library should never do.

GnuTLS upstream really isn't at fault; they'll most likely tell us that libldap is doing the wrong thing. Maybe Debian and other distros patching this convinces OpenLDAP upstream to fix this or add a compile-time option to turn off this behaviour.
Bug#803197: [Pkg-openldap-devel] Bug#803197: SOGo isn't the only victim, cups breaks as well
On Tue, Jun 05, 2018 at 10:25:35PM +0200, Lukas Kramer wrote:
> OpenLDAP calling gnutls_global_set_mutex also breaks cups when using pam_ldap: http://www.openldap.org/its/index.cgi?findid=8797
>
> As upstream is unwilling to fix this and calling gnutls_global_set_mutex isn't really necessary, how about patching this in the Debian package?

Thanks for the followup. Yes, fixing it as a Debian patch is probably the best path for now, and maybe trying upstream again at a later date. To a certain extent it's easier here because we have a more homogeneous platform than upstream does.

I never did get around to re-asking GnuTLS upstream about adding a workaround on their end, but I suspect there's no point; after all libldap is doing the very things their documentation explicitly says a library should never do.
Bug#803197: SOGo isn't the only victim, cups breaks as well
OpenLDAP calling gnutls_global_set_mutex also breaks cups when using pam_ldap: http://www.openldap.org/its/index.cgi?findid=8797

As upstream is unwilling to fix this and calling gnutls_global_set_mutex isn't really necessary, how about patching this in the Debian package?