import slapi-nis-0.60.0-1.module+el8.6.0+16878+6c033536

2022-10-25 03:39:52 -04:00 · 2022-10-25 03:39:52 -04:00 · 704922a9dc
commit 704922a9dc
parent f943215ab3
9 changed files with 31 additions and 182 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/slapi-nis-0.56.6.tar.gz
+SOURCES/slapi-nis-0.60.0.tar.gz
--- a/.slapi-nis.metadata
+++ b/.slapi-nis.metadata
@ -1 +1 @@
-c32d869856123cbecd7b3786bc2bd880d01c47ed SOURCES/slapi-nis-0.56.6.tar.gz
+e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz
--- a/SOURCES/cve-2021-3480-fix.patch
+++ b/SOURCES/cve-2021-3480-fix.patch
@ -1,33 +0,0 @@
 From 2f2b7ecd9d6a0f5044c24e4f96464942a1d873db Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 7 Apr 2021 14:40:52 +0300
 Subject: [PATCH] CVE-2021-3480: invalid bind DN crash
 For certain LDAP bind operations 389-ds would pass unvalidated bind DN
 to bind plugins. A first attempt to normalize the DN would find that out
 and should reject the request.
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 src/back-sch.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/src/back-sch.c b/src/back-sch.c
 index a5e4c04..d806627 100644
 --- a/src/back-sch.c
 +++ b/src/back-sch.c
@@ -1988,6 +1988,11 @@ backend_locate_cb(const char *group, const char *set, bool_t flag,
 		rdn = slapi_rdn_new_sdn(cbdata->target_dn);
 		if (rdn != NULL) {
 			rdnstr = slapi_rdn_get_nrdn(rdn);
 +			if (rdnstr == NULL) {
 +				/* normalizing RDN failed, break the search */
 +				slapi_rdn_free(&rdn);
 +				return FALSE;
 +			}
 			if (map_match(cbdata->state, group, set, &flag,
 				      strlen(rdnstr), rdnstr,
 				      &ndnlen, &ndn,
 -- 
 2.31.1
--- a/SOURCES/slapi-nis-0.56.6.tar.gz.asc
+++ b/SOURCES/slapi-nis-0.56.6.tar.gz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl/KPI0ACgkQRxniuKu/
 Yhp7KA//aI0HHAGWn56NjsbLCdk98tpt3YekptGwKpaDiFan7An2JtnJe3CvC71q
 pAWtj1VduHLx+cAxRaRPKSheMkqv9qKrIvhtDHKEgTs9zkxZ02AYa8Emof9x8v6h
 KsnRYMpy5TmKlvT8urnNbrkQXcxGvfjkaBYdaLegT87tSuLsB5vmZpfDbcdMuZ6V
 mfU7JOoKpq0aXg/cYfSc3Br8njZujQXjdUipwKQMBQivNdFzkUk/ly6v8eWXP0O5
 TlD0Rg8QMcSVgqG8hcLVzka078AHzAlOK1B2hGRuFXfRrnd88mDxPps7UEbEfSy3
 oULXpXdQGVet7kujo8JfUyS5D4yiJOS2q/KmES8IGpIUeiwrV+383/pU2UY+lCUU
 Cjv62t4YAwsFOOo+2z0thmzvpEc6FtP9mMx88JRX01OkSCapThgPaGKMfr8wM5Ez
 /3YK4RC14FybOF6jruoTkvlW0b4d6wsZwPHOKs+IeflO8UzncwfxY8L7GiSwTmC/
 40QYCNrXmo79dyg9MGvXtBhUOnfZ41zSVdpzN3EZ5ulMZvdnsBeRK2ixImgQKLSf
 80uZV0k/+koInWYnUQYMbTpKP1843KxZWnLmfd82w1ju5fAsSoDvu9MnomswiRhp
 PzQdcWBSjcQxWjVxwN4RKXqcLCxm99xywTHYIP1xSCuN22KNOLk=
 =EOmw
 -----END PGP SIGNATURE-----
--- a/SOURCES/slapi-nis-0.60.0.tar.gz.asc
+++ b/SOURCES/slapi-nis-0.60.0.tar.gz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmMAimgACgkQRxniuKu/
 YhorRw/8D0typYdDLGlalL7nMo57rjSApgy6gA4FKxMsNg/KiN1/7rMoCbu13iG0
 sP6wpeZLjBNI/nWGYLRuQOyi7DSxgXYlNp+8xzJDMKjnNjRSaK+/EjqIcWhdWoEq
 Q1JDjTdJ3hDCWCMQFrA/EBqb/WgQAhdmPdVzMoy6L2GBvX7W+UlCWaSMfpq5hnqg
 9SZe4NpC7i6BVhHrnWUMsQRcApnjdHlC8tQmzqdD0+iNer0asXmJcQGCI9W7EwAs
 MT4be/C2hfLfWgBdaMCZGgefGFYGI1ec+hfM9jyGsJcBsRXQ8Rq+VOLEI7lkD+wc
 nQwq1VVVcAwFkbziQ5JBZqOKdem8lo9Mucn/sQ297EIfIi8NVhlDDZFtkgsYAglT
 gaEeK4+d0QNz2+ViwJxGp2l0mG2inV8GjiyINpntbw8dh+qwI8xLI6/6B7R6wP30
 Kj/90EehX0vFXX2ylrkrvg3d7UGp6PBgsiqeaJT5bL2ItVKJl8FyD0N9JsEL766/
 SKqNHGZjEJv1rzPf2MMqutLHe1aSyTBjq4JBYPJKHAXPdvZluyALLM94erZqA/tJ
 17PCLAf3P+OvixcnyzsUTP9U7SNlLPiMqwyvUB26ul0+CqEqKzZxiTOfpbKQ8p/j
 3QpkrKLn0JbofZN1K7H6x/Mdwe5scdeTP0T8YPJm+ofZq+fBdnI=
 =ZUV6
 -----END PGP SIGNATURE-----
--- a/SOURCES/slapi-nis-bz1958909.patch
+++ b/SOURCES/slapi-nis-bz1958909.patch
@ -1,41 +0,0 @@
 From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Thu, 1 Jul 2021 11:37:38 +0300
 Subject: [PATCH] back-sch: reuse backend_should_descend
 When backend_search_find_set_dn_cb() is called, use the same logic as in
 other callbacks -- identify whether we should descend into the group by
 using backend_should_descend().
 The issue was introduced in 2015 with ID Views support but was masked
 until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
 to the full scan of the groups anyway. with the latter change the
 fell-through part was removed.
 Resolves: rhbz#1958909
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
 ---
 src/back-sch.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/src/back-sch.c b/src/back-sch.c
 index d806627..0ed06fb 100644
 --- a/src/back-sch.c
 +++ b/src/back-sch.c
@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
 	/* Check the group itself. */
 	group_dn = slapi_sdn_new_dn_byval(group);
 -	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
 -				 cbdata->scope) == 1) {
 +	if (backend_should_descend(group_dn,
 +				   cbdata->target_dn,
 +				   cbdata->scope)) {
 		cbdata->answer = TRUE;
 		slapi_sdn_free(&group_dn);
 		return TRUE;
 -- 
 2.31.1
--- a/SOURCES/slapi-nis-bz1978189.patch
+++ b/SOURCES/slapi-nis-bz1978189.patch
@ -1,52 +0,0 @@
 From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Wed, 16 Jun 2021 11:08:21 +0300
 Subject: [PATCH] back-sch-nss: only loop if asked to try again
 slapi-nis uses sss-idmap library to discover user group membership.  Its
 sss_nss_getgrouplist_timeout() function can return timeout errors as
 well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
 will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
 Fixes: rhbz#1967179
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 src/back-sch-nss.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
 diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
 index df04a96..b595f3b 100644
 --- a/src/back-sch-nss.c
 +++ b/src/back-sch-nss.c
@@ -589,19 +589,22 @@ repeat:
 		return NULL;
 	}
 -	do {
 +	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
 					      grouplist, &ngroups,
 					      &lerrno);
 -		if ((rc != NSS_STATUS_SUCCESS)) {
 -			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
 -			if (tmp_list == NULL) {
 +		if (rc == NSS_STATUS_TRYAGAIN) {
 +			tmp_list = NULL;
 +			if (lerrno == ERANGE) {
 +				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
 +			}
 +			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
 				free(grouplist);
 				return NULL;
 			}
 			grouplist = tmp_list;
 		}
 -	} while (rc != NSS_STATUS_SUCCESS);
 +	}
 	entries = calloc(ngroups + 1, sizeof(entries[0]));
 	if (entries == NULL) {
 -- 
 2.31.1
--- a/SOURCES/slapi-nis-bz2000919.patch
+++ b/SOURCES/slapi-nis-bz2000919.patch
@ -1,27 +0,0 @@
 From 02a9cb46ece79d6205a847e6941a772febe47cff Mon Sep 17 00:00:00 2001
 From: Viktor Ashirov <vashirov@redhat.com>
 Date: Thu, 5 Aug 2021 16:04:49 +0200
 Subject: [PATCH] back-sch: fix memory leak in backend_search_cb()
 Resolves: rhbz#1967906
 Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
 ---
 src/back-sch.c | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/src/back-sch.c b/src/back-sch.c
 index 0ed06fb..172d619 100644
 --- a/src/back-sch.c
 +++ b/src/back-sch.c
@@ -1793,6 +1793,7 @@ backend_search_cb(Slapi_PBlock *pb)
 		slapi_ch_free_string(&target);
 		if (cbdata.answer == FALSE) {
 			/* None of the configured trees in the sets matched the target at all, ignore search */
 +			slapi_sdn_free(&cbdata.target_dn);
 			return 0;
 		}
 	}
 -- 
 2.31.1
--- a/SPECS/slapi-nis.spec
+++ b/SPECS/slapi-nis.spec
@ -10,18 +10,14 @@
 %endif
 Name:		slapi-nis
-Version:	0.56.6
+Version:	0.60.0
-Release:	4%{?dist}
+Release:	1%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
 Group:		System Environment/Daemons
-License:	GPLv2
+License:	GPLv3
 URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
 Patch1: 	cve-2021-3480-fix.patch
 Patch2:         slapi-nis-bz1978189.patch
 Patch3:         slapi-nis-bz1958909.patch
 Patch4:         slapi-nis-bz2000919.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -60,10 +56,6 @@ for attributes from multiple entries in the tree.
 %prep
 %setup -q
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
 %build
 autoconf --force
@ -92,6 +84,16 @@ make check
 %{_sbindir}/nisserver-plugin-defs
 %changelog
 * Sat Aug 20 2022 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-1
 - upstream release 0.60.0
 - Change license from GPLv2 to GPLv3+ to follow 389-ds licensing
 - Resolves: rhbz#2121324
  Release adds following fixes:
  - Fix ID views integration
  - Fix base scope lookups
  - Bump NIS max dgram size to 8KB by default instead of 1KB
  - Allow to rebuild the compat tree
 * Mon Sep 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-4
 - Resolves: rhbz#2000919 - memory leak in backend_search_cb
`@ -1 +1 @@`
	`SOURCES/slapi-nis-0.56.6.tar.gz`	`SOURCES/slapi-nis-0.60.0.tar.gz`
`@ -1 +1 @@`
	`c32d869856123cbecd7b3786bc2bd880d01c47ed SOURCES/slapi-nis-0.56.6.tar.gz`	`e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz`