From 18e096dcd4086f4374728c1924cc1c46ef6a3eaa Mon Sep 17 00:00:00 2001
From: Mark Reynolds
Date: Tue, 25 Jan 2022 14:53:00 -0500
Subject: [PATCH] Bump version to 2.0.13-1
Resolves: Bug 2034880 - ipa-restore command is failing when restore after uninstalling the server
Resolves: Bug 2045098 - Demoting a supplier to a consumer crashes the server
---
 .gitignore | 1 +
 ...2021-4091-389-ds-base-double-free-of.patch | 31 +++++++
 389-ds-base-revert-db-home-fix.patch | 49 -----------
 389-ds-base.spec | 83 ++++++++++---------
 sources | 2 +-
 5 files changed, 75 insertions(+), 91 deletions(-)
 create mode 100644 0001-Bug-2027783-CVE-2021-4091-389-ds-base-double-free-of.patch
 delete mode 100644 389-ds-base-revert-db-home-fix.patch
diff --git a/.gitignore b/.gitignore
index db65b7b..cf85396 100644
--- a/.gitignore
+++ b/.gitignore
@@ -207,3 +207,4 @@
 /389-ds-base-2.0.7.tar.bz2
 /389-ds-base-2.0.8.tar.bz2
 /389-ds-base-2.0.11.tar.bz2
+/389-ds-base-2.0.13.tar.bz2
diff --git a/0001-Bug-2027783-CVE-2021-4091-389-ds-base-double-free-of.patch b/0001-Bug-2027783-CVE-2021-4091-389-ds-base-double-free-of.patch
new file mode 100644
index 0000000..ecea5dc
--- /dev/null
+++ b/0001-Bug-2027783-CVE-2021-4091-389-ds-base-double-free-of.patch
@@ -0,0 +1,31 @@
+From d41352806f44c47a9e99f9eb1b0bdfef7b0aa4f4 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Tue, 25 Jan 2022 12:27:02 -0500
+Subject: [PATCH] Bug 2027783 - CVE-2021-4091 389-ds-base: double-free of the
+ virtual attribute context in persistent search
+
+Description: Fix double free. The double free is related to
+persistent search req. It was introduced with i
+https://pagure.io/389-ds-base/issue/49097
+
+Reviewed by: mreynolds, progier, jchapman
+---
+ ldap/servers/slapd/pblock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ldap/servers/slapd/pblock.c b/ldap/servers/slapd/pblock.c
+index 94e7c0ab7..56bbfc92e 100644
+--- a/ldap/servers/slapd/pblock.c
++++ b/ldap/servers/slapd/pblock.c
+@@ -330,6 +330,8 @@ slapi_pblock_clone(Slapi_PBlock *pb)
+ if (pb->pb_intplugin != NULL) {
+ _pblock_assert_pb_intplugin(new_pb);
+ *(new_pb->pb_intplugin) = *(pb->pb_intplugin);
++ /* Make sure that only the cloned pblock refers to vattr_context */
++ pb->pb_intplugin->pb_vattr_context = NULL;
+ }
+ if (pb->pb_deprecated != NULL) {
+ _pblock_assert_pb_deprecated(new_pb);
+--
+2.31.1
+
diff --git a/389-ds-base-revert-db-home-fix.patch b/389-ds-base-revert-db-home-fix.patch
deleted file mode 100644
index c4f41d9..0000000
--- a/389-ds-base-revert-db-home-fix.patch
+++ /dev/null
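Review bot: The fix makes `slapi_pblock_clone()` modify its source argument: after the struct copy it sets `pb->pb_intplugin->pb_vattr_context = NULL`, so what reads as a copy is really an ownership transfer, and the one-line comment in the patch does not tell a caller that the original pblock loses its vattr context. I would state that contract at the function, e.g. `/* NOTE: ownership of pb_vattr_context moves to the clone; the source pblock must not rely on it afterwards */`. The struct assignment `*(new_pb->pb_intplugin) = *(pb->pb_intplugin)` still leaves any other pointer members shared between the two pblocks; whether those are freed per pblock cannot be seen from this hunk, so they are worth auditing for the same double-free pattern. The function body starts and ends outside the embedded hunk, and the patch ships without a regression test for the persistent-search path.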
@@ -1,49 +0,0 @@ -From ec74c73eaa56271ce74e985ab6a69b36e98488e4 Mon Sep 17 00:00:00 2001 -From: Simon Pichugin -Date: Wed, 24 Nov 2021 08:35:17 -0800 -Subject: [PATCH] Revert "Issue 2790 - Set db home directory by default" - -This reverts commit 269f1f8e879a6fc098bb8cff780df6915e8ecb38. ---- - ldap/admin/src/defaults.inf.in | 2 +- - src/lib389/lib389/instance/setup.py | 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/ldap/admin/src/defaults.inf.in b/ldap/admin/src/defaults.inf.in -index 28f908bcd..96a3b3eb1 100644 ---- a/ldap/admin/src/defaults.inf.in -+++ b/ldap/admin/src/defaults.inf.in -@@ -59,7 +59,7 @@ access_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/access - audit_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/audit - error_log = @localstatedir@/log/dirsrv/slapd-{instance_name}/errors - db_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/db --db_home_dir = /dev/shm/slapd-{instance_name} -+db_home_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/db - backup_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/bak - ldif_dir = @localstatedir@/lib/dirsrv/slapd-{instance_name}/ldif - -diff --git a/src/lib389/lib389/instance/setup.py b/src/lib389/lib389/instance/setup.py -index 0669e5856..4cbdda4fc 100644 ---- a/src/lib389/lib389/instance/setup.py -+++ b/src/lib389/lib389/instance/setup.py -@@ -775,7 +775,7 @@ class SetupDs(object): - self.log.info("Create file system structures ...") - # Create all the needed paths - # we should only need to make bak_dir, cert_dir, config_dir, db_dir, ldif_dir, lock_dir, log_dir, run_dir? 
-- for path in ('backup_dir', 'cert_dir', 'db_dir', 'db_home_dir', 'ldif_dir', 'lock_dir', 'log_dir', 'run_dir'): -+ for path in ('backup_dir', 'cert_dir', 'db_dir', 'ldif_dir', 'lock_dir', 'log_dir', 'run_dir'): - self.log.debug("ACTION: creating %s", slapd[path]) - try: - os.umask(0o007) # For parent dirs that get created -> sets 770 for perms -@@ -912,7 +912,7 @@ class SetupDs(object): - if general['selinux']: - self.log.info("Perform SELinux labeling ...") - selinux_paths = ('backup_dir', 'cert_dir', 'config_dir', 'db_dir', -- 'ldif_dir', 'lock_dir', 'log_dir', 'db_home_dir', -+ 'ldif_dir', 'lock_dir', 'log_dir', - 'run_dir', 'schema_dir', 'tmp_dir') - for path in selinux_paths: - selinux_restorecon(slapd[path]) --- -2.31.1 - diff --git a/389-ds-base.spec b/389-ds-base.spec index 1008486..2ff2959 100644 --- a/389-ds-base.spec +++ b/389-ds-base.spec @@ -46,9 +46,9 @@ ExcludeArch: i686 Summary: 389 Directory Server (base) Name: 389-ds-base -Version: 2.0.11 -Release: 3%{?dist} -License: GPLv3+ and ASL 2.0 and MPLv2.0 and Boost +Version: 2.0.13 +Release: 1%{?dist} +License: GPLv3+ and ASL 2.0 URL: https://www.port389.org Conflicts: selinux-policy-base < 3.9.8 Conflicts: freeipa-server < 4.0.3 @@ -59,7 +59,7 @@ Provides: ldif2ldbm >= 0 ##### Bundled cargo crates list - START ##### Provides: bundled(crate(ahash)) = 0.7.6 -Provides: bundled(crate(ansi_term)) = 0.11.0 +Provides: bundled(crate(ansi_term)) = 0.12.1 Provides: bundled(crate(atty)) = 0.2.14 Provides: bundled(crate(autocfg)) = 1.0.1 Provides: bundled(crate(base64)) = 0.13.0 
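Review bot: The `License:` tag in the preamble hunk drops `MPLv2.0 and Boost` in the same change that keeps and updates the bundled cargo crate list, and neither the commit message nor the changelog explains why. If any vendored crate that ends up in the shipped binaries is still under one of the dropped licenses, the package metadata now under-reports it; this cannot be checked from the diff. I would either keep `License: GPLv3+ and ASL 2.0 and MPLv2.0 and Boost` until the crate licenses have been re-audited, or add a changelog line recording the reason for narrowing it.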
@@ -68,81 +68,82 @@ Provides: bundled(crate(byteorder)) = 1.4.3 Provides: bundled(crate(cbindgen)) = 0.9.1 Provides: bundled(crate(cc)) = 1.0.72 Provides: bundled(crate(cfg-if)) = 1.0.0 -Provides: bundled(crate(clap)) = 2.33.3 -Provides: bundled(crate(concread)) = 0.2.19 +Provides: bundled(crate(clap)) = 2.34.0 +Provides: bundled(crate(concread)) = 0.2.21 Provides: bundled(crate(crossbeam)) = 0.8.1 -Provides: bundled(crate(crossbeam-channel)) = 0.5.1 +Provides: bundled(crate(crossbeam-channel)) = 0.5.2 Provides: bundled(crate(crossbeam-deque)) = 0.8.1 -Provides: bundled(crate(crossbeam-epoch)) = 0.9.5 -Provides: bundled(crate(crossbeam-queue)) = 0.3.2 -Provides: bundled(crate(crossbeam-utils)) = 0.8.5 +Provides: bundled(crate(crossbeam-epoch)) = 0.9.6 +Provides: bundled(crate(crossbeam-queue)) = 0.3.3 +Provides: bundled(crate(crossbeam-utils)) = 0.8.6 Provides: bundled(crate(entryuuid)) = 0.1.0 Provides: bundled(crate(entryuuid_syntax)) = 0.1.0 +Provides: bundled(crate(fastrand)) = 1.7.0 Provides: bundled(crate(fernet)) = 0.1.4 Provides: bundled(crate(foreign-types)) = 0.3.2 Provides: bundled(crate(foreign-types-shared)) = 0.1.1 -Provides: bundled(crate(getrandom)) = 0.2.3 +Provides: bundled(crate(getrandom)) = 0.2.4 Provides: bundled(crate(hashbrown)) = 0.11.2 Provides: bundled(crate(hermit-abi)) = 0.1.19 Provides: bundled(crate(instant)) = 0.1.12 -Provides: bundled(crate(itoa)) = 0.4.8 +Provides: bundled(crate(itoa)) = 1.0.1 Provides: bundled(crate(jobserver)) = 0.1.24 Provides: bundled(crate(lazy_static)) = 1.4.0 -Provides: bundled(crate(libc)) = 0.2.107 +Provides: bundled(crate(libc)) = 0.2.113 Provides: bundled(crate(librnsslapd)) = 0.1.0 Provides: bundled(crate(librslapd)) = 0.1.0 Provides: bundled(crate(lock_api)) = 0.4.5 Provides: bundled(crate(log)) = 0.4.14 -Provides: bundled(crate(lru)) = 0.6.6 -Provides: bundled(crate(memoffset)) = 0.6.4 -Provides: bundled(crate(once_cell)) = 1.8.0 +Provides: bundled(crate(lru)) = 0.7.2 +Provides: 
bundled(crate(memoffset)) = 0.6.5 +Provides: bundled(crate(once_cell)) = 1.9.0 Provides: bundled(crate(openssl)) = 0.10.38 -Provides: bundled(crate(openssl-sys)) = 0.9.71 +Provides: bundled(crate(openssl-sys)) = 0.9.72 Provides: bundled(crate(parking_lot)) = 0.11.2 Provides: bundled(crate(parking_lot_core)) = 0.8.5 Provides: bundled(crate(paste)) = 0.1.18 Provides: bundled(crate(paste-impl)) = 0.1.18 -Provides: bundled(crate(pin-project-lite)) = 0.2.7 -Provides: bundled(crate(pkg-config)) = 0.3.22 -Provides: bundled(crate(ppv-lite86)) = 0.2.15 +Provides: bundled(crate(pin-project-lite)) = 0.2.8 +Provides: bundled(crate(pkg-config)) = 0.3.24 +Provides: bundled(crate(ppv-lite86)) = 0.2.16 Provides: bundled(crate(proc-macro-hack)) = 0.5.19 -Provides: bundled(crate(proc-macro2)) = 1.0.32 +Provides: bundled(crate(proc-macro2)) = 1.0.36 Provides: bundled(crate(pwdchan)) = 0.1.0 -Provides: bundled(crate(quote)) = 1.0.10 +Provides: bundled(crate(quote)) = 1.0.15 Provides: bundled(crate(rand)) = 0.8.4 Provides: bundled(crate(rand_chacha)) = 0.3.1 Provides: bundled(crate(rand_core)) = 0.6.3 Provides: bundled(crate(rand_hc)) = 0.3.1 Provides: bundled(crate(redox_syscall)) = 0.2.10 Provides: bundled(crate(remove_dir_all)) = 0.5.3 -Provides: bundled(crate(ryu)) = 1.0.5 +Provides: bundled(crate(ryu)) = 1.0.9 Provides: bundled(crate(scopeguard)) = 1.1.0 -Provides: bundled(crate(serde)) = 1.0.130 -Provides: bundled(crate(serde_derive)) = 1.0.130 -Provides: bundled(crate(serde_json)) = 1.0.71 +Provides: bundled(crate(serde)) = 1.0.135 +Provides: bundled(crate(serde_derive)) = 1.0.135 +Provides: bundled(crate(serde_json)) = 1.0.78 Provides: bundled(crate(slapd)) = 0.1.0 Provides: bundled(crate(slapi_r_plugin)) = 0.1.0 -Provides: bundled(crate(smallvec)) = 1.7.0 +Provides: bundled(crate(smallvec)) = 1.8.0 Provides: bundled(crate(strsim)) = 0.8.0 -Provides: bundled(crate(syn)) = 1.0.81 +Provides: bundled(crate(syn)) = 1.0.86 Provides: bundled(crate(synstructure)) = 0.12.6 -Provides: 
bundled(crate(tempfile)) = 3.2.0 +Provides: bundled(crate(tempfile)) = 3.3.0 Provides: bundled(crate(textwrap)) = 0.11.0 -Provides: bundled(crate(tokio)) = 1.14.0 -Provides: bundled(crate(tokio-macros)) = 1.6.0 +Provides: bundled(crate(tokio)) = 1.15.0 +Provides: bundled(crate(tokio-macros)) = 1.7.0 Provides: bundled(crate(toml)) = 0.5.8 Provides: bundled(crate(unicode-width)) = 0.1.9 Provides: bundled(crate(unicode-xid)) = 0.2.2 Provides: bundled(crate(uuid)) = 0.8.2 Provides: bundled(crate(vcpkg)) = 0.2.15 Provides: bundled(crate(vec_map)) = 0.8.2 -Provides: bundled(crate(version_check)) = 0.9.3 +Provides: bundled(crate(version_check)) = 0.9.4 Provides: bundled(crate(wasi)) = 0.10.2+wasi_snapshot_preview1 Provides: bundled(crate(winapi)) = 0.3.9 Provides: bundled(crate(winapi-i686-pc-windows-gnu)) = 0.4.0 Provides: bundled(crate(winapi-x86_64-pc-windows-gnu)) = 0.4.0 -Provides: bundled(crate(zeroize)) = 1.4.3 -Provides: bundled(crate(zeroize_derive)) = 1.2.2 +Provides: bundled(crate(zeroize)) = 1.5.0 +Provides: bundled(crate(zeroize_derive)) = 1.3.1 ##### Bundled cargo crates list - END ##### BuildRequires: nspr-devel @@ -261,9 +262,7 @@ Source2: %{name}-devel.README %if %{bundle_jemalloc} Source3: https://github.com/jemalloc/%{jemalloc_name}/releases/download/%{jemalloc_ver}/%{jemalloc_name}-%{jemalloc_ver}.tar.bz2 %endif - -# The patch should be removed after selinux-policy bz2015928 is fixed -Patch0: 389-ds-base-revert-db-home-fix.patch +Patch01: 0001-Bug-2027783-CVE-2021-4091-389-ds-base-double-free-of.patch %description 389 Directory Server is an LDAPv3 compliant server. The base package includes @@ -633,6 +632,7 @@ exit 0 %{_sbindir}/openldap_to_ds %{_mandir}/man8/openldap_to_ds.8.gz %{_libexecdir}/%{pkgname}/ds_systemd_ask_password_acl +%{_libexecdir}/%{pkgname}/ds_selinux_restorecon.sh %{_mandir}/man5/99user.ldif.5.gz %{_mandir}/man5/certmap.conf.5.gz %{_mandir}/man5/slapd-collations.conf.5.gz 
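Review bot: In the source/patch hunk, `Patch01:` brings in the CVE-2021-4091 fix (Bug 2027783), but neither the commit message nor the new `%changelog` entry mentions it, so anyone checking the package changelog will not see that this build carries the fix. Add a line such as `- Resolves: Bug 2027783 - CVE-2021-4091 389-ds-base: double-free of the virtual attribute context in persistent search` to the 2.0.13-1 entry. The same hunk deletes `Patch0` together with its comment tying the revert to selinux-policy bz2015928; with the revert gone, `db_home_dir` presumably returns to the `/dev/shm/slapd-{instance_name}` default, yet the visible `Conflicts: selinux-policy-base < 3.9.8` is unchanged, so confirm the fixed policy is guaranteed on target systems or add a versioned requirement. `%prep` is outside the diff, so it is also worth confirming that `Patch01` is actually applied there.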
@@ -712,11 +712,12 @@ exit 0 %endif %changelog -* Thu Nov 25 2021 Viktor Ashirov - 2.0.11-3 -- Bump version to 2.0.11-3 -- rebuilt +* Tue Jan 25 2022 Mark Reynolds - 2.0.13-1 +- Bump version to 2.0.13-1 +- Resolves: Bug 2034880 - ipa-restore command is failing when restore after uninstalling the server +- Resolves: Bug 2045098 - Demoting a supplier to a consumer crashes the server -* Thu Nov 25 2021 Thierry Bordaz - 2.0.11-2 +* Wed Nov 24 2021 Simon Pichugin - 2.0.11-2 - Bump version to 2.0.11-2 - Revert commit "Set db home directory by default" diff --git a/sources b/sources index cf3d3b5..7786e23 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (389-ds-base-2.0.11.tar.bz2) = 44aaf422505ec543752f79292d3fc15a49940f48035e8cfb1c4e646251aaf8f1be3fde5bcb1e3e8c7df220fda3e1af173a16ff88696761056abf59feb550578d +SHA512 (389-ds-base-2.0.13.tar.bz2) = ab9429b391b32d4a09ea5fb0ce15fcf31f7c13e781588ce5587a0ed169959938ce59bff857dbf58bb9413208f6c35792c127cad27c7aca6aa53ef66ef4c36196 SHA512 (jemalloc-5.2.1.tar.bz2) = 0bbb77564d767cef0c6fe1b97b705d368ddb360d55596945aea8c3ba5889fbce10479d85ad492c91d987caacdbbdccc706aa3688e321460069f00c05814fae02