rpms/openldap/devel openldap-2.4.18-ldif-buf-overflow.patch, NONE, 1.1 ldap.init, 1.33, 1.34 openldap.spec, 1.149, 1.150

Jan Zeleny jzeleny at fedoraproject.org
Thu Sep 24 11:30:24 UTC 2009


Author: jzeleny

Update of /cvs/extras/rpms/openldap/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv4558

Modified Files:
	ldap.init openldap.spec 
Added Files:
	openldap-2.4.18-ldif-buf-overflow.patch 
Log Message:
- new configuration schema - directory instead of file
- fixed buffer overflow issue pointed out by new glibc
- fixed installation / upgrade behaviour broken by the renamed init script


openldap-2.4.18-ldif-buf-overflow.patch:
 ldif.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- NEW FILE openldap-2.4.18-ldif-buf-overflow.patch ---
--- openldap-2.4.18/servers/slapd/back-ldif/ldif.c.orig	2009-09-24 09:46:01.000000000 +0200
+++ openldap-2.4.18/servers/slapd/back-ldif/ldif.c	2009-09-24 12:41:09.000000000 +0200
@@ -593,9 +593,12 @@ typedef struct bvlist {
 	char *trunc;	/* filename was truncated here */
 	int  inum;		/* num from "attr={num}" in filename, or INT_MIN */
 	char savech;	/* original char at *trunc */
-	char fname;		/* variable length array BVL_NAME(bvl) = &fname */
-#	define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
-#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
+	char *fname;		/* variable length array BVL_NAME(bvl) = &fname */
+	//char fname;		/* variable length array BVL_NAME(bvl) = &fname */
+#	define BVL_NAME(bvl) ((bvl)->fname)
+#	define BVL_SIZE(namelen) (sizeof(bvlist))
+//#	define BVL_NAME(bvl) ((char *) (bvl) + offsetof(bvlist, fname))
+//#	define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen))
 } bvlist;
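Review bot: Replacing the in-struct name with a separately allocated `char *fname` gives every bvlist a second allocation that each free site must now release as well, and no free site is touched by this patch, so unless those were updated elsewhere every entry now leaks its name; `BVL_SIZE(namelen)` has also become a macro that silently ignores its argument. The glibc complaint can be satisfied with the original single allocation by placing the name right after the struct instead: drop the `fname` member and define `#define BVL_NAME(bvl) ((char *)((bvl) + 1))` and `#define BVL_SIZE(namelen) (sizeof(bvlist) + (namelen) + 1)`, which leaves existing callers and free paths untouched. Either way the commented-out old member and macros should be deleted rather than left in, and the `//` comments do not match the `/* */` style of the surrounding lines. The `typedef struct bvlist` opens before the hunk.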
 
 static int
@@ -710,6 +713,7 @@ ldif_readdir(
 				*fname_maxlenp = fname_len;
 
 			bvl = SLAP_MALLOC( BVL_SIZE( fname_len ) );
+			bvl->fname = SLAP_MALLOC( fname_len+1 );
 			if ( bvl == NULL ) {
 				rc = LDAP_OTHER;
 				save_errno = errno;
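Review bot: The added `bvl->fname = SLAP_MALLOC( fname_len+1 );` dereferences `bvl` before the `if ( bvl == NULL )` check that follows it, so a failed allocation now crashes instead of taking the LDAP_OTHER path, and the second allocation's own result is never checked. Move the line below the null check and give it a check that releases `bvl` (with `SLAP_FREE`, the counterpart of `SLAP_MALLOC` in slapd) and then follows the same exit the existing error block uses; that block's remaining statements, and ldif_readdir itself, continue outside the hunk, so copy the exit from there. If `SLAP_MALLOC` in this tree aborts on failure rather than returning NULL the ordering is harmless in practice, but the check is still the idiom the surrounding code follows.
```c
			/* … unchanged: bvl = SLAP_MALLOC( BVL_SIZE( fname_len ) ) and its bvl == NULL error block … */
			bvl->fname = SLAP_MALLOC( fname_len+1 );
			if ( bvl->fname == NULL ) {
				SLAP_FREE( bvl );
				rc = LDAP_OTHER;
				save_errno = errno;
				/* … then the same exit the bvl == NULL block uses (outside the hunk) … */
			}
```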


Index: ldap.init
===================================================================
RCS file: /cvs/extras/rpms/openldap/devel/ldap.init,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -p -r1.33 -r1.34
--- ldap.init	16 Sep 2009 14:06:36 -0000	1.33
+++ ldap.init	24 Sep 2009 11:30:24 -0000	1.34
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# ldap	This shell script takes care of starting and stopping
+# slapd	This shell script takes care of starting and stopping
 #	ldap servers (slapd).
 #
 # chkconfig: - 27 73
@@ -42,7 +42,7 @@ fi
 slapd=/usr/sbin/slapd
 slaptest=/usr/sbin/slaptest
 lockfile=/var/lock/subsys/slapd
-configfile=/etc/openldap/slapd.conf
+configdir=/etc/openldap/slapd.d/
 pidfile=/var/run/slapd.pid
 slapd_pidfile=/var/run/openldap/slapd.pid
 
@@ -104,14 +104,19 @@ function checkkeytab() {
 
 function configtest() {
 	local user= ldapuid= dbdir= file=
-	[ -f $configfile ] || exit 6
+	[ -d $configdir ] || exit 6
 	# Check for simple-but-common errors.
 	user=ldap
 	prog=`basename ${slapd}`
 	ldapuid=`id -u $user`
 	# Unaccessible database files.
 	slaptestflags=""
-	for dbdir in `LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | sed s,^directory,,` ; do
+	dbdirs=""
+	for configfile in `ls -1 $configdir/cn\=config/olcDatabase*`; do
+		dbdirs=$dbdirs"
+		"`LANG=C egrep '^olcDbDirectory[[:space:]]*:[[:space:]]+[[:print:]]+$' $configfile | sed 's,^olcDbDirectory: ,,'`
+	done
+	for dbdir in $dbdirs; do
 		for file in `find ${dbdir}/ -not -uid $ldapuid -and \( -name "*.dbb" -or -name "*.gdbm" -or -name "*.bdb" -or -name "__db.*" -or -name "log.*" -or -name alock \)` ; do
 			echo -n $"$file is not owned by \"$user\"" ; warning ; echo
 		done
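Review bot: The new discovery loop parses `ls -1 $configdir/cn\=config/olcDatabase*` and later word-splits `$dbdirs`, so an olcDbDirectory value containing whitespace is broken into bogus paths that the following `find ${dbdir}/` walks, and if slapd.d holds overlay sub-directories (`olcDatabase={N}bdb/`) the unsuffixed glob makes `ls` list their contents as bare names that egrep then fails to open. The egrep also accepts any whitespace after the colon while the sed strips exactly one space, so a tab or double space survives into the value (masked only by that same word splitting). Iterate with a glob limited to the LDIF files, `for configfile in "$configdir"/cn=config/olcDatabase*.ldif; do`, and strip with `sed 's,^olcDbDirectory:[[:space:]]*,,'`; `configfile` and `dbdirs` should also join the function's `local` list now that `configfile` is no longer a script-wide setting. configtest continues past the hunk.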
@@ -129,7 +134,7 @@ function configtest() {
 		echo -n $"$file is not readable by \"$user\"" ; warning ; echo
 	fi
 	# Unaccessible TLS configuration files.
-	tlsconfigs=`LANG=C egrep '^(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]' $configfile | awk '{print $2}'`
+	tlsconfigs=`LANG=C egrep '^olc(TLSCACertificateFile|TLSCertificateFile|TLSCertificateKeyFile)[[:space:]]*:[[:space:]]' $configdir/cn\=config.ldif | awk '{print $2}'`
 	for file in $tlsconfigs ; do
 		if ! testasuser $user -r $file ; then
 			echo -n $"$file is not readable by \"$user\"" ; warning ; echo
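Review bot: The TLS file check still assumes each `olcTLS*File` value sits on one line, but cn=config.ldif is LDIF written by slapd, where a long value may be folded onto a continuation line and a value with a leading space or non-ASCII bytes is emitted base64 after `::`; in the first case `awk '{print $2}'` yields only the first fragment, which `testasuser -r` then presumably reports as an unreadable file, and in the second the path is skipped entirely. Unfolding continuation lines before matching, e.g. `sed -e :a -e '$!N;s/\n //;ta' -e 'P;D' $configdir/cn\=config.ldif | LANG=C egrep ...`, closes the first gap; the base64 case can stay best-effort but deserves a comment saying so. configtest continues past the hunk.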
@@ -151,8 +156,8 @@ function configtest() {
 		echo -n $"Checking configuration files for $prog: " ; failure ; echo
 		echo "$slaptestout"
 		if /sbin/runuser -m -s "$slaptest" -- "$user" "-u" > /dev/null 2> /dev/null ; then
-			dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
-			for directory in $dirs ; do
+			#dirs=`LANG=C egrep '^directory[[:space:]]+[[:print:]]+$' $configfile | awk '{print $2}'`
+			for directory in $dbdirs ; do
 				if test -r $directory/__db.001 ; then
 					echo -n $"stale lock files may be present in $directory" ; warning ; echo
 				fi
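Review bot: The superseded `dirs=` assignment is kept as a commented-out line above the new `for directory in $dbdirs` loop; delete it rather than leave dead code in the init script, since `$dbdirs` collected earlier in configtest is now the only source. The function continues past the hunk.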


Index: openldap.spec
===================================================================
RCS file: /cvs/extras/rpms/openldap/devel/openldap.spec,v
retrieving revision 1.149
retrieving revision 1.150
diff -u -p -r1.149 -r1.150
--- openldap.spec	18 Sep 2009 10:01:45 -0000	1.149
+++ openldap.spec	24 Sep 2009 11:30:24 -0000	1.150
@@ -11,7 +11,7 @@
 Summary: LDAP support libraries
 Name: openldap
 Version: %{version}
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: OpenLDAP
 Group: System Environment/Daemons
 Source0: ftp://ftp.OpenLDAP.org/pub/OpenLDAP/openldap-release/openldap-%{version}.tgz
@@ -35,6 +35,7 @@ Patch6: openldap-2.3.19-gethostbyXXXX_r.
 Patch9: openldap-2.3.37-smbk5pwd.patch
 Patch10: openldap-2.4.6-multilib.patch
 Patch11: openldap-2.4.16-doc-cacertdir.patch
+Patch12: openldap-2.4.18-ldif-buf-overflow.patch
 
 # Patches for the evolution library
 Patch200: openldap-2.4.6-evolution-ntlm.patch
@@ -141,6 +142,7 @@ pushd openldap-%{version}
 %patch9 -p1 -b .smbk5pwd
 %patch10 -p1 -b .multilib
 %patch11 -p1 -b .cacertdir
+%patch12 -p1 -b .malloc
 
 cp %{_datadir}/libtool/config/config.{sub,guess} build/
 popd
@@ -425,6 +427,14 @@ if [ "$1" = "2" ]; then
 
     OLD_SLAPD_VERSION=$( rpm -q --qf "%{VERSION}" openldap-servers | sed 's/\.[0-9]*$//' )
     NEW_SLAPD_VERSION=$( echo %{version} | sed 's/\.[0-9]*$//' )
+    # we need to detect how is the init script named
+    # - in older versions ldap
+    # - in newer versions slapd
+    if [ -f %{_initrddir}/ldap ]; then
+        SERVICE_NAME=ldap
+    elif [ -f %{_initrddir}/slapd ]; then
+        SERVICE_NAME=slapd
+    fi
 
     if [ "$OLD_SLAPD_VERSION" != "$NEW_SLAPD_VERSION" ]; then
         # Minor version number has changed -> slapcat/slapadd of the BDB database 
@@ -433,9 +443,9 @@ if [ "$1" = "2" ]; then
         # directory - Just In Case (TM)
 
         # stop the server
-        if /sbin/service ldap status &>/dev/null; then 
+        if /sbin/service $SERVICE_NAME status &>/dev/null; then 
             touch /var/lib/ldap/need_start
-            /sbin/service ldap stop &>/dev/null
+            /sbin/service $SERVICE_NAME stop &>/dev/null
         fi
 
         files=$(echo /var/lib/ldap/{log.*,__db.*,[a]lock})
@@ -456,9 +466,9 @@ if [ "$1" = "2" ]; then
             # Minor version number of bdb has changed -> run db_upgrade in % post script 
     
             # stop the server
-            if /sbin/service ldap status &>/dev/null; then 
+            if /sbin/service $SERVICE_NAME status &>/dev/null; then 
                 touch /var/lib/ldap/need_start
-                /sbin/service ldap stop &>/dev/null
+                /sbin/service $SERVICE_NAME stop &>/dev/null
             fi
 
             # Ensure, that the database is correct
@@ -472,7 +482,7 @@ exit 0
 
 %post servers
 /sbin/ldconfig
-/sbin/chkconfig --add ldap
+/sbin/chkconfig --add slapd
 # If there's a /var/lib/ldap/upgrade.ldif file, slapadd it and delete it.
 # It was created by the % pre above.
 if [ -f /var/lib/ldap/upgrade.ldif ] ; then
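Review bot: `chkconfig --add slapd` registers the renamed service at its default (off) run levels, but nothing carries over whether the old `ldap` service was enabled or removes its run-level links, so a host that had `ldap` on comes back from the upgrade with slapd disabled and stale `ldap` links left behind. On upgrade, read the old service's state and delete it before adding `slapd`, then re-enable if it was on; rpm runs the new package's %post before the old package's files are removed, so the `ldap` script should still be there at that point, which is worth confirming against the previous release's %preun. The rest of %post servers continues outside the hunk.
```sh
if [ "$1" -ge 2 ] && [ -f %{_initrddir}/ldap ]; then
    # upgrade from a release whose init script was named 'ldap':
    # drop its run-level links and carry its enablement over to 'slapd'
    if /sbin/chkconfig --list ldap 2>/dev/null | grep -q ':on'; then
        LDAP_WAS_ON=1
    fi
    /sbin/chkconfig --del ldap
fi
/sbin/chkconfig --add slapd
if [ -n "$LDAP_WAS_ON" ]; then
    /sbin/chkconfig slapd on
fi
# … unchanged: upgrade.ldif handling …
```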
@@ -505,11 +515,34 @@ chmod 640 slapd.pem
 popd
 fi
 
+if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
+    # if there is no slapd.conf, we probably already have new configuration in place
+    mv %{_sysconfdir}/openldap/slapd.conf %{_sysconfdir}/openldap/slapd.conf.bak
+    mkdir -p %{_sysconfdir}/openldap/slapd.d/
+    lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1`
+    lines=$(($lines-1))
+    head -n $lines %{_sysconfdir}/openldap/slapd.conf.bak > %{_sysconfdir}/openldap/slapd.conf
+    cat >> %{_sysconfdir}/openldap/slapd.conf << EOF
+database config
+rootdn   "cn=admin,cn=config"
+#rootpw   secret
+EOF
+    lines_r=`wc --lines %{_sysconfdir}/openldap/slapd.conf.bak | cut -f1 -d" "`
+    lines_r=$(($lines_r-$lines))
+    tail -n $lines_r %{_sysconfdir}/openldap/slapd.conf.bak >> %{_sysconfdir}/openldap/slapd.conf
+    slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2> /dev/null
+    chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d
+    chmod -R 000 %{_sysconfdir}/openldap/slapd.d
+    chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d
+    rm -f %{_sysconfdir}/openldap/slapd.conf
+fi
+
+
 if [ $1 -ge 1 ] ; then
-    /sbin/service ldap condrestart &>/dev/null
-    /sbin/service ldap status &>/dev/null
+    /sbin/service slapd condrestart &>/dev/null
+    /sbin/service slapd status &>/dev/null
     if [ "$?" != "0" -a -f /var/lib/ldap/need_start ]; then
-        /sbin/service ldap start &>/dev/null
+        /sbin/service slapd start &>/dev/null
         rm -f /var/lib/ldap/need_start &>/dev/null 
     fi
 fi
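Review bot: The exit status of the `slaptest -f … -F …` conversion is never checked, yet the block unconditionally `rm -f`s the rebuilt slapd.conf afterwards, so a configuration slaptest rejects leaves the host with an empty or partial slapd.d, a slapd that cannot start, and the only copy of the old settings in slapd.conf.bak. The rebuilt slapd.conf is also created by `head … >` under the scriptlet's default umask, so a `rootpw` line carried over from the original is world-readable until that `rm`; a `umask 077` at the top of the block closes the window (the later `chmod -R 000`/`u+rwX` already covers slapd.d itself). If the file has no `database`/`backend` line, `lines` is empty, `$(($lines-1))` becomes -1 and GNU `head -n -1` prints all but the last line, duplicating most of the file into the result, so that case needs a guard. Gate the chown/chmod/rm on slaptest succeeding and warn otherwise, as below; the rest of %post servers continues outside the hunk.
```sh
if [ -f %{_sysconfdir}/openldap/slapd.conf ]; then
    umask 077    # the rebuilt slapd.conf may carry rootpw / TLS key paths
    # … unchanged: move to .bak, mkdir slapd.d …
    lines=`egrep -n '^(database|backend)' %{_sysconfdir}/openldap/slapd.conf.bak | cut -d: -f1 | head -n 1`
    [ -n "$lines" ] || lines=1   # no database section: whole file goes after the config db
    # … unchanged: split slapd.conf.bak around $lines and append the config database …
    if slaptest -f %{_sysconfdir}/openldap/slapd.conf -F %{_sysconfdir}/openldap/slapd.d > /dev/null 2>&1; then
        chown -R ldap:ldap %{_sysconfdir}/openldap/slapd.d
        chmod -R 000 %{_sysconfdir}/openldap/slapd.d
        chmod -R u+rwX %{_sysconfdir}/openldap/slapd.d
        rm -f %{_sysconfdir}/openldap/slapd.conf
    else
        echo "openldap-servers: converting slapd.conf to slapd.d failed;" \
             "original kept as slapd.conf.bak - fix it and rerun slaptest -f slapd.conf -F slapd.d" >&2
    fi
fi
```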
@@ -518,8 +551,8 @@ exit 0
 
 %preun servers
 if [ "$1" = "0" ] ; then
-  /sbin/service ldap stop > /dev/null 2>&1 || :
-  /sbin/chkconfig --del ldap
+  /sbin/service slapd stop > /dev/null 2>&1 || :
+  /sbin/chkconfig --del slapd
 # Openldap-servers are being removed from system.
 # Do not touch the database! Older versions of this
 # package attempted to store database in LDIF format, so
@@ -606,6 +639,12 @@ fi
 %attr(0644,root,root)      %{evolution_connector_libdir}/*.a
 
 %changelog
+* Tue Sep 22 2009 Jan Zeleny <jzeleny at redhat.com> 2.4.18-2
+- changed configuration approach. Instead od slapd.conf slapd
+  is using slapd.d directory now
+- fix of some issues caused by renaming of init script
+- fix of buffer overflow issue in ldif.c pointed out by new glibc
+
 * Fri Sep 18 2009 Jan Zeleny <jzeleny at redhat.com> 2.4.18-1
 - rebase of openldap to 2.4.18
 
@@ -614,6 +653,7 @@ fi
 
 * Wed Sep 16 2009 Jan Zeleny <jzeleny at redhat.com> 2.4.16-6
 - updated init script to be LSB-compliant (#523434)
+- init script renamed to slapd
 
 * Thu Aug 27 2009 Tomas Mraz <tmraz at redhat.com> - 2.4.16-5
 - rebuilt with new openssl



