.gitignore

@@ -1 +1,2 @@
 SOURCES/slapi-nis-0.60.0.tar.gz
+/slapi-nis-0.60.0.tar.gz

.slapi-nis.metadata

@@ -1 +1 @@
-e5a84cf93b13b174c6d865de2f735cbfbc950917 SOURCES/slapi-nis-0.60.0.tar.gz
+e5a84cf93b13b174c6d865de2f735cbfbc950917 slapi-nis-0.60.0.tar.gz

0001-support-transition-from-libtirpc-to-libnsl-in-Fedora.patch

@@ -0,0 +1,28 @@
+From 062c157013c5af8714d9015582de898b42d1a981 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 2 May 2018 08:56:15 +0300
+Subject: [PATCH] support transition from libtirpc to libnsl in Fedora 28
+
+libnsl2-devel in Fedora 28 depends on libtirpc-devel internally
+so we can also reduce the dependency in spec
+
+diff --git a/configure.ac b/configure.ac
+index 184a9af..80f2ca2 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -273,6 +273,12 @@ AC_ARG_WITH(tirpc,
+ 	    ])
+ if test $use_tirpc = yes ; then
+ 	PKG_CHECK_MODULES(TIRPC,libtirpc)
++fi
++
++PKG_CHECK_MODULES(NSL,libnsl,[use_libnsl=yes],[use_libnsl=no])
++if test "$use_libnsl" = yes ; then
++	RPC_CFLAGS="$NSL_CFLAGS"
++	RPC_LIBS="$NSL_LIBS"
+ else
+ 	RPC_CFLAGS=
+ 	RPC_LIBS=-lnsl
+-- 
+2.14.3
+

cve-2021-3480-fix.patch

@@ -0,0 +1,33 @@
+From 2f2b7ecd9d6a0f5044c24e4f96464942a1d873db Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 7 Apr 2021 14:40:52 +0300
+Subject: [PATCH] CVE-2021-3480: invalid bind DN crash
+
+For certain LDAP bind operations 389-ds would pass unvalidated bind DN
+to bind plugins. A first attempt to normalize the DN would find that out
+and should reject the request.
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index a5e4c04..d806627 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1988,6 +1988,11 @@ backend_locate_cb(const char *group, const char *set, bool_t flag,
+ 		rdn = slapi_rdn_new_sdn(cbdata->target_dn);
+ 		if (rdn != NULL) {
+ 			rdnstr = slapi_rdn_get_nrdn(rdn);
++			if (rdnstr == NULL) {
++				/* normalizing RDN failed, break the search */
++				slapi_rdn_free(&rdn);
++				return FALSE;
++			}
+ 			if (map_match(cbdata->state, group, set, &flag,
+ 				      strlen(rdnstr), rdnstr,
+ 				      &ndnlen, &ndn,
+-- 
+2.31.1
+

gating.yaml

@@ -0,0 +1,7 @@
+# recipients: abokovoy, frenaud, kaleem, ftrivino
+--- !Policy
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: idm-ci.brew-build.tier1.functional}

slapi-nis-0.56.6.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl/KPI0ACgkQRxniuKu/
+Yhp7KA//aI0HHAGWn56NjsbLCdk98tpt3YekptGwKpaDiFan7An2JtnJe3CvC71q
+pAWtj1VduHLx+cAxRaRPKSheMkqv9qKrIvhtDHKEgTs9zkxZ02AYa8Emof9x8v6h
+KsnRYMpy5TmKlvT8urnNbrkQXcxGvfjkaBYdaLegT87tSuLsB5vmZpfDbcdMuZ6V
+mfU7JOoKpq0aXg/cYfSc3Br8njZujQXjdUipwKQMBQivNdFzkUk/ly6v8eWXP0O5
+TlD0Rg8QMcSVgqG8hcLVzka078AHzAlOK1B2hGRuFXfRrnd88mDxPps7UEbEfSy3
+oULXpXdQGVet7kujo8JfUyS5D4yiJOS2q/KmES8IGpIUeiwrV+383/pU2UY+lCUU
+Cjv62t4YAwsFOOo+2z0thmzvpEc6FtP9mMx88JRX01OkSCapThgPaGKMfr8wM5Ez
+/3YK4RC14FybOF6jruoTkvlW0b4d6wsZwPHOKs+IeflO8UzncwfxY8L7GiSwTmC/
+40QYCNrXmo79dyg9MGvXtBhUOnfZ41zSVdpzN3EZ5ulMZvdnsBeRK2ixImgQKLSf
+80uZV0k/+koInWYnUQYMbTpKP1843KxZWnLmfd82w1ju5fAsSoDvu9MnomswiRhp
+PzQdcWBSjcQxWjVxwN4RKXqcLCxm99xywTHYIP1xSCuN22KNOLk=
+=EOmw
+-----END PGP SIGNATURE-----

slapi-nis-bz1958909.patch

@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+ 
+ 	/* Check the group itself. */
+ 	group_dn = slapi_sdn_new_dn_byval(group);
+-	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+-				 cbdata->scope) == 1) {
++	if (backend_should_descend(group_dn,
++				   cbdata->target_dn,
++				   cbdata->scope)) {
+ 		cbdata->answer = TRUE;
+ 		slapi_sdn_free(&group_dn);
+ 		return TRUE;
+-- 
+2.31.1
+

slapi-nis-bz1978189.patch

@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership.  Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ 		return NULL;
+ 	}
+ 
+-	do {
++	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ 					      grouplist, &ngroups,
+ 					      &lerrno);
+-		if ((rc != NSS_STATUS_SUCCESS)) {
+-			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+-			if (tmp_list == NULL) {
++		if (rc == NSS_STATUS_TRYAGAIN) {
++			tmp_list = NULL;
++			if (lerrno == ERANGE) {
++				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++			}
++			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ 				free(grouplist);
+ 				return NULL;
+ 			}
+ 			grouplist = tmp_list;
+ 		}
+-	} while (rc != NSS_STATUS_SUCCESS);
++	}
+ 
+ 	entries = calloc(ngroups + 1, sizeof(entries[0]));
+ 	if (entries == NULL) {
+-- 
+2.31.1
+

slapi-nis-bz1979619.patch

@@ -0,0 +1,52 @@
+From 0f700cf71f5531fb6c863990216aa1eb88970dc8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 16 Jun 2021 11:08:21 +0300
+Subject: [PATCH] back-sch-nss: only loop if asked to try again
+
+slapi-nis uses sss-idmap library to discover user group membership.  Its
+sss_nss_getgrouplist_timeout() function can return timeout errors as
+well which might cause a busy looping.  sss_nss_getgrouplist_timeout()
+will return ERANGE which is translated by slapi-nis to NSS_STATUS_TRYAGAIN.
+
+Fixes: rhbz#1967179
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ src/back-sch-nss.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/src/back-sch-nss.c b/src/back-sch-nss.c
+index df04a96..b595f3b 100644
+--- a/src/back-sch-nss.c
++++ b/src/back-sch-nss.c
+@@ -589,19 +589,22 @@ repeat:
+ 		return NULL;
+ 	}
+ 
+-	do {
++	for(rc = NSS_STATUS_TRYAGAIN; rc == NSS_STATUS_TRYAGAIN;) {
+ 		rc = backend_nss_getgrouplist(ctx, user_name, pwd.pw_gid,
+ 					      grouplist, &ngroups,
+ 					      &lerrno);
+-		if ((rc != NSS_STATUS_SUCCESS)) {
+-			tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
+-			if (tmp_list == NULL) {
++		if (rc == NSS_STATUS_TRYAGAIN) {
++			tmp_list = NULL;
++			if (lerrno == ERANGE) {
++				tmp_list = realloc(grouplist, ngroups * sizeof(gid_t));
++			}
++			if ((tmp_list == NULL) || (lerrno == ENOMEM)) {
+ 				free(grouplist);
+ 				return NULL;
+ 			}
+ 			grouplist = tmp_list;
+ 		}
+-	} while (rc != NSS_STATUS_SUCCESS);
++	}
+ 
+ 	entries = calloc(ngroups + 1, sizeof(entries[0]));
+ 	if (entries == NULL) {
+-- 
+2.31.1
+

slapi-nis-bz1979623.patch

@@ -0,0 +1,41 @@
+From d18b1d105c928363eddec87af37fda0757cfb440 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 1 Jul 2021 11:37:38 +0300
+Subject: [PATCH] back-sch: reuse backend_should_descend
+
+When backend_search_find_set_dn_cb() is called, use the same logic as in
+other callbacks -- identify whether we should descend into the group by
+using backend_should_descend().
+
+The issue was introduced in 2015 with ID Views support but was masked
+until 61ea8f6a104da25329e301a8f56944f860de8177 as we always felt through
+to the full scan of the groups anyway. with the latter change the
+fell-through part was removed.
+
+Resolves: rhbz#1958909
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Signed-off-by: Thierry Bordaz <tbordaz@redhat.com>
+---
+ src/back-sch.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index d806627..0ed06fb 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1369,8 +1369,9 @@ backend_search_find_set_dn_cb(const char *group, void *cb_data)
+ 
+ 	/* Check the group itself. */
+ 	group_dn = slapi_sdn_new_dn_byval(group);
+-	if (slapi_sdn_scope_test(group_dn, cbdata->target_dn,
+-				 cbdata->scope) == 1) {
++	if (backend_should_descend(group_dn,
++				   cbdata->target_dn,
++				   cbdata->scope)) {
+ 		cbdata->answer = TRUE;
+ 		slapi_sdn_free(&group_dn);
+ 		return TRUE;
+-- 
+2.31.1
+

slapi-nis-bz2000919.patch

@@ -0,0 +1,27 @@
+From 02a9cb46ece79d6205a847e6941a772febe47cff Mon Sep 17 00:00:00 2001
+From: Viktor Ashirov <vashirov@redhat.com>
+Date: Thu, 5 Aug 2021 16:04:49 +0200
+Subject: [PATCH] back-sch: fix memory leak in backend_search_cb()
+
+Resolves: rhbz#1967906
+
+Signed-off-by: Viktor Ashirov <vashirov@redhat.com>
+---
+ src/back-sch.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/back-sch.c b/src/back-sch.c
+index 0ed06fb..172d619 100644
+--- a/src/back-sch.c
++++ b/src/back-sch.c
+@@ -1793,6 +1793,7 @@ backend_search_cb(Slapi_PBlock *pb)
+ 		slapi_ch_free_string(&target);
+ 		if (cbdata.answer == FALSE) {
+ 			/* None of the configured trees in the sets matched the target at all, ignore search */
++			slapi_sdn_free(&cbdata.target_dn);
+ 			return 0;
+ 		}
+ 	}
+-- 
+2.31.1
+

slapi-nis.spec

@@ -11,7 +11,7 @@
 
 Name:		slapi-nis
 Version:	0.60.0
-Release:	4%{?dist}.alma.1
+Release:	4%{?dist}
 Summary:	NIS Server and Schema Compatibility plugins for Directory Server
 Group:		System Environment/Daemons
 License:	GPLv3
@@ -19,9 +19,6 @@ URL:		http://pagure.io/slapi-nis/
 Source0:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz
 Source1:	https://releases.pagure.org/slapi-nis/slapi-nis-%{version}.tar.gz.asc
 Patch0:         slapi-nis-bz2183469.patch
-
-# Patches were taken from:
-# https://gitlab.com/redhat/centos-stream/rpms/slapi-nis/-/commit/0c099f8456d77e063b51c39fac7c70105816855a
 Patch1:         slapi-nis-RHEL-5134.patch
 
 BuildRequires:  make
@@ -92,10 +89,10 @@ make check
 %{_sbindir}/nisserver-plugin-defs
 
 %changelog
-* Wed Nov 15 2023 Eduard Abdullin <eabdullin@almalinux.org> - 0.60.0-4.alma.1
+* Tue Oct 10 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-4
 - Ignore updates from non-tracked subtrees during modify/modrdn/update
   to avoid deadlocks with retro changelog
-
+- Resolves: RHEL-5134
 
 * Mon Apr 24 2023 Alexander Bokovoy <abokovoy@redhat.com> - 0.60.0-3
 - Also handle base searches within the compat tree

sources

@@ -0,0 +1 @@
+SHA512 (slapi-nis-0.60.0.tar.gz) = 15fe7f821c6b7eea5f93edb46adcc8ba8ac8369e47b607bd56db23bbaf3e0a3e35da412bcc3665aa35bfd01d3863222d926d661adb70491f3ecce1204bc4b6e7