import slapi-nis-0.56.6-4.module+el8.5.0+12583+bf7ffcf6

SOURCES/slapi-nis-bz1958909.patch

@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+ 
+ 	/* Check the group itself. */
+ 	group_dn = slapi_sdn_new_dn_byval(group);
+-	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+-				 cbdata->scope) == 1) {
++	if (backend_should_descend(group_dn,
++				   cbdata->target_dn,
++				   cbdata->scope)) {
+ 		cbdata->answer = TRUE;
+ 		slapi_sdn_free(&group_dn);
+ 		return TRUE;
+-- 
+2.31.1
+

SOURCES/slapi-nis-bz1978189.patch

@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership.  Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ 		return NULL;
+ 	}
+ 
+-	do {
++	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ 					      grouplist, &ngroups,
+ 					      &lerrno);
+-		if ((rc != NSS_STATUS_SUCCESS)) {
+-			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+-			if (tmp_list == NULL) {
++		if (rc == NSS_STATUS_TRYAGAIN) {
++			tmp_list = NULL;
++			if (lerrno == ERANGE) {
++				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++			}
++			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ 				free(grouplist);
+ 				return NULL;
+ 			}
+ 			grouplist = tmp_list;
+ 		}
+-	} while (rc != NSS_STATUS_SUCCESS);
++	}
+ 
+ 	entries = calloc(ngroups + 1, sizeof(entries[0]));
+ 	if (entries == NULL) {
+-- 
+2.31.1
+

SPECS/slapi-nis.spec

@@ -11,7 +11,7 @@
 
 Name:		slapi-nis
 Version:	0.56.6
-Release:	2.1%{?dist}
+Release:	4%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
 Group:		System Environment/Daemons
 License:	GPLv2
@@ -19,7 +19,9 @@ URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
 Patch1: 	cve-2021-3480-fix.patch
-Patch2:         slapi-nis-bz2003607.patch
+Patch2:         slapi-nis-bz1978189.patch
+Patch3:         slapi-nis-bz1958909.patch
+Patch4:         slapi-nis-bz1967906.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -60,6 +62,8 @@ for attributes from multiple entries in the tree.
 %setup -q
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 
 %build
 autoconf --force
@@ -88,8 +92,12 @@ make check
 %{_sbindir}/nisserver-plugin-defs
 
 %changelog
-* Mon Sep 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-2.1
+* Mon Sep 13 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-4
-- Resolves: rhbz#2003607 - fix memory leak in backend_search_cb
+- Resolves: rhbz#1967906 - fix memory leak in backend_search_cb
+
+* Thu Jul 01 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-3
+- Resolves: rhbz#1958909 - fix regression for scoped searches in compat tree
+- Resolves: rhbz#1978189 - better handle error response from libsss_nss_idmap
 
 * Wed Apr 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 0.56.6-2
 - CVE 2021-3480:  idm:DL1/slapi-nis: NULL dereference (DoS) with specially crafted Binding DN