Upgrade package to version 2.3.2

2023-04-24 10:19:35 +08:00 · 2023-04-24 10:19:35 +08:00 · a11251e257
commit a11251e257
parent 0316af576c
8 changed files with 39 additions and 314 deletions
--- a/389-ds-base-1.4.3.20.tar.bz2
+++ b/389-ds-base-1.4.3.20.tar.bz2
--- a/389-ds-base-2.3.2.tar.bz2
+++ b/389-ds-base-2.3.2.tar.bz2
--- a/389-ds-base.spec
+++ b/389-ds-base.spec
@ -5,19 +5,13 @@ ExcludeArch:   i686
 Name:          389-ds-base
 Summary:       Base 389 Directory Server
-Version:       1.4.3.20
+Version:       2.3.2
 Release:       1
 License:       GPLv3+
 URL:           https://www.port389.org
 Source0:       https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2
 Source1:       389-ds-base-git.sh
 Source2:       389-ds-base-devel.README
 Source3:       https://github.com/jemalloc/jemalloc/releases/download/5.2.1/jemalloc-5.2.1.tar.bz2
 Patch0:        CVE-2021-3652.patch
 Patch1:        CVE-2021-3514.patch
 # https://github.com/389ds/389-ds-base/commit/5a18aeb49c357a16c138d37a8251d73d8ed35319
 Patch2:        Fix-attributeError-type-object-build_manpages.patch
 BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
 BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@ -29,6 +23,7 @@ BuildRequires: python%{python3_pkgversion}-pyasn1-modules python%{python3_pkgver
 BuildRequires: python%{python3_pkgversion}-argcomplete python%{python3_pkgversion}-argparse-manpage
 BuildRequires: python%{python3_pkgversion}-libselinux python%{python3_pkgversion}-policycoreutils
 BuildRequires: python%{python3_pkgversion}-packaging rsync npm nodejs libtalloc-devel libtevent-devel
 BuildRequires: lmdb-devel json-c-devel cargo
 Requires:      389-ds-base-libs = %{version}-%{release}
 Requires:      python%{python3_pkgversion}-lib389 = %{version}-%{release}
 Requires:      policycoreutils-python-utils /usr/sbin/semanage libsemanage-python%{python3_pkgversion}
@ -47,19 +42,6 @@ Conflicts:     svrcore selinux-policy-base < 3.9.8 freeipa-server < 4.0.3
 389-ds-base is an LDAPv3 compliant server which includes
 the LDAP server and command line utilities for server administration.
 %package       legacy-tools
 Summary:       Legacy utilities for 389 Directory Server
 Obsoletes:     389-ds-base <= 1.4.0.9
 Requires:      389-ds-base = %{version}-%{release} perl-Socket perl-NetAddr-IP
 Requires:      perl-Mozilla-LDAP bind-utils
 Requires:      perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
 %global __provides_exclude_from %{_libdir}/dirsrv/perl
 %global __requires_exclude perl\\((DSCreate|DSMigration|DSUpdate|DSUtil|Dialog|DialogManager|FileConn|Inf|Migration|Resource|Setup|SetupLog)
 %{?perl_default_filter}
 %description   legacy-tools
 Legacy and deprecated utilities for 389 Directory Server.
 %package       devel
 Summary:       Development libraries for 389 Directory Server
 Requires:      389-ds-base-libs = %{version}-%{release} pkgconfig nspr-devel nss-devel >= 3.34
@ -110,8 +92,6 @@ Documentation for 389 Directory Server.
 %prep
 %autosetup -n 389-ds-base-%{version} -p1
 %setup -n 389-ds-base-%{version} -T -D -b 3
 cp %{SOURCE2} README.devel
 %build
@ -120,11 +100,9 @@ OPENLDAP_FLAG="--with-openldap"
 %{?with_tmpfiles_d: TMPFILES_FLAG="--with-tmpfiles-d=%{with_tmpfiles_d}"}
 NSSARGS="--with-nss-lib=%{_libdir} --with-nss-inc=%{_includedir}/nss3"
 RUST_FLAGS="--enable-rust --enable-rust-offline"
 LEGACY_FLAGS="--enable-legacy --enable-perl"
 cd ../jemalloc-5.2.1
 %configure --libdir=%{_libdir}/dirsrv/lib --bindir=%{_libdir}/dirsrv/bin --enable-prof
 %make_build
 cd -
 %define _strict_symbol_defs_build 1
 autoreconf -fiv
@ -132,7 +110,7 @@ autoreconf -fiv
           --with-systemdsystemunitdir=%{_unitdir} \
           --with-systemdsystemconfdir=%{_sysconfdir}/systemd/system \
           --with-systemdgroupname=dirsrv.target --libexecdir=%{_libexecdir}/dirsrv \
-           $NSSARGS $ASAN_FLAGS $RUST_FLAGS $PERL_FLAGS $CLANG_FLAGS $LEGACY_FLAGS --enable-cmocka --enable-perl
+           $NSSARGS $ASAN_FLAGS $RUST_FLAGS $PERL_FLAGS $CLANG_FLAGS $LEGACY_FLAGS --enable-cmocka --enable-perl --with-libldap-r=no
 cd ./src/lib389
 %py3_build
@ -164,14 +142,6 @@ install -d $RPM_BUILD_ROOT%{_sysconfdir}/systemd/system/dirsrv.target.wants
 %delete_la
 sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/dirsrv/script-templates/template-*.pl
 cd ../jemalloc-5.2.1
 make DESTDIR="$RPM_BUILD_ROOT" install_lib install_bin
 cp -pa COPYING ../389-ds-base-%{version}/COPYING.jemalloc
 cp -pa README ../389-ds-base-%{version}/README.jemalloc
 cd -
 cd  $RPM_BUILD_ROOT/usr
 file `find -type f`| grep -w ELF | awk -F":" '{print $1}' | for i in `xargs`
 do
@ -181,6 +151,8 @@ cd -
 mkdir -p  $RPM_BUILD_ROOT/etc/ld.so.conf.d
 echo "%{_bindir}/%{name}" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 echo "%{_libdir}/%{name}" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 echo "%{_libdir}/dirsrv/plugins" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 echo "%{_libdir}/dirsrv" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %check
 if ! make DESTDIR="$RPM_BUILD_ROOT" check; then
@ -216,35 +188,6 @@ fi
 sysctl --system &> $output; true
 %preun
 if [ $1 -eq 0 ]; then
  rm -rf %{_sysconfdir}/systemd/system/dirsrv.target.wants/* > /dev/null 2>&1 || :
 fi
 %postun
 /sbin/ldconfig
 if [ $1 = 0 ]; then
  rm -rf /var/run/dirsrv
 fi
 %post          snmp
 %systemd_post dirsrv-snmp.service
 %preun         snmp
 %systemd_preun dirsrv-snmp.service dirsrv.target
 %postun        snmp
 %systemd_postun_with_restart dirsrv-snmp.service
 %post          legacy-tools
 if [ -n "$DEBUGPOSTTRANS" ] ; then
    output=$DEBUGPOSTTRANS
    output2=${DEBUGPOSTTRANS}.upgrade
 else
    output=/dev/null
    output2=/dev/null
 fi
 instances=""
 ninst=0
@ -291,14 +234,33 @@ for inst in $instances ; do
    /bin/systemctl start $inst >> $output 2>&1 || :
 done
 %preun
 if [ $1 -eq 0 ]; then
  rm -rf %{_sysconfdir}/systemd/system/dirsrv.target.wants/* > /dev/null 2>&1 || :
 fi
 %postun
 /sbin/ldconfig
 if [ $1 = 0 ]; then
  rm -rf /var/run/dirsrv
 fi
 %post          snmp
 mkdir -p /run/dirsrv
 %systemd_post dirsrv-snmp.service
 %preun         snmp
 %systemd_preun dirsrv-snmp.service dirsrv.target
 %postun        snmp
 %systemd_postun_with_restart dirsrv-snmp.service
 exit 0
 %files
-%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.jemalloc
+%doc LICENSE LICENSE.GPLv3+ LICENSE.openssl
 %license COPYING.jemalloc
 %{_libdir}/libsvrcore.so.*
-%{_libdir}/dirsrv/{libslapd.so.*,libns-dshttpd-*.so,libsds.so.*,libldaputil.so.*,librewriters.so*}
+%{_libdir}/dirsrv/{libslapd.so.*,libns-dshttpd.so.*,libsds.so.*,libldaputil.so.*,librewriters.so*}
 %{_libdir}/dirsrv/lib/libjemalloc.so.2
 %dir %{_sysconfdir}/dirsrv
 %dir %{_sysconfdir}/dirsrv/schema
 %config(noreplace)%{_sysconfdir}/dirsrv/schema/*.ldif
@ -310,7 +272,11 @@ exit 0
 %{_unitdir}
 %{_bindir}/{dbscan,ds-replcheck,ds-logpipe.py,ldclt,logconv.pl,pwdhash,readnsstate}
 %{_sbindir}/ns-slapd
 %{_mandir}/man8/ns-slapd.8.gz
 %{_sbindir}/openldap_to_ds
 %{_mandir}/man8/openldap_to_ds.8.gz
 %{_libexecdir}/dirsrv/ds_systemd_ask_password_acl
 %{_libexecdir}/dirsrv/ds_selinux_restorecon.sh
 %{_libdir}/dirsrv/python
 %dir %{_libdir}/dirsrv/plugins
 %{_libdir}/dirsrv/plugins/*.so
@ -320,35 +286,17 @@ exit 0
 %ghost %dir %{_localstatedir}/lock/dirsrv
 %exclude %{_sbindir}/ldap-agent*
 %exclude %{_unitdir}/dirsrv-snmp.service
 %{_libdir}/dirsrv/lib/
 %{_libdir}/dirsrv/bin/
 %exclude %{_libdir}/dirsrv/bin/{jemalloc-config,jemalloc.sh}
 %exclude %{_libdir}/dirsrv/lib/{libjemalloc.a,libjemalloc.so,libjemalloc_pic.a,pkgconfig}
 %config(noreplace) /etc/ld.so.conf.d/*
 %files         devel
 %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl
 %{_mandir}/man3/*
 %{_includedir}/svrcore.h
 %{_includedir}/dirsrv
 %{_libdir}/libsvrcore.so
 %{_libdir}/dirsrv/{libslapd.so,libns-dshttpd.so,libsds.so,libldaputil.so}
 %{_libdir}/pkgconfig/{svrcore.pc,dirsrv.pc,libsds.pc}
 %files         legacy-tools
 %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl README.devel
 %{_bindir}/{infadd,ldif,migratecred,mmldif,rsearch,repl-monitor,cl-dump}
 %config(noreplace)%{_sysconfdir}/dirsrv/config/template-initconfig
 %{_sbindir}/{ldif2ldap,bak2db,db2bak,db2index,db2ldif,dbverify,ldif2db,restart-dirsrv}
 %{_sbindir}/{start-dirsrv,status-dirsrv,stop-dirsrv,upgradedb,vlvindex}
 %{_sbindir}/{monitor,dbmon.sh,dn2rdn,restoreconfig,saveconfig,suffix2instance,upgradednformat}
 %{_libexecdir}/dirsrv/{ds_selinux_enabled,ds_selinux_port_query}
 %{_datadir}/dirsrv/properties/*.res
 %{_datadir}/dirsrv/script-templates
 %{_datadir}/dirsrv/updates
 %{_bindir}/{repl-monitor.pl,cl-dump.pl,dbgen.pl}
 %{_sbindir}/*.pl
 %{_libdir}/dirsrv/perl
 %files         snmp
 %doc LICENSE LICENSE.GPLv3+ LICENSE.openssl
 %config(noreplace)%{_sysconfdir}/dirsrv/config/ldap-agent.conf
@ -365,10 +313,13 @@ exit 0
 %{_datarootdir}/metainfo/389-console/org.port389.cockpit_console.metainfo.xml
 %files         help
-%doc README.md README.devel README.jemalloc
+%doc README.md README.devel
 %{_mandir}/*/*
 %changelog
 * Fri Apr 21 2023 wulei <wu_lei@hoperun.com> - 2.3.2-1
 - Upgrade package to version 2.3.2
 * Fri Aug 05 2022 wangkai <wangkai385@h-partners.com> - 1.4.3.20-1
 - Update to 1.4.3.20 for fix CVE-2020-35518
--- a/CVE-2021-3514.patch
+++ b/CVE-2021-3514.patch
@ -1,52 +0,0 @@
 From 2e5b526012612d1d6ccace46398bee679a730271 Mon Sep 17 00:00:00 2001
 From: tbordaz <tbordaz@redhat.com>
 Date: Tue, 27 Apr 2021 09:29:32 +0200
 Subject: [PATCH] Issue 4711 - SIGSEV with sync_repl (#4738)
 Bug description:
 	sync_repl sends back entries identified with a unique
 	identifier that is 'nsuniqueid'. If 'nsuniqueid' is
 	missing, then it may crash
 Fix description:
 	Check a nsuniqueid is available else returns OP_ERR
 relates: https://github.com/389ds/389-ds-base/issues/4711
 Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!)
 Platforms tested:  F33
 ---
 ldap/servers/plugins/sync/sync_util.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
 diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c
 index e64d519e1a..3dacee8cad 100644
 --- a/ldap/servers/plugins/sync/sync_util.c
 +++ b/ldap/servers/plugins/sync/sync_util.c
@@ -127,8 +127,8 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
     BerElement *ber;
     struct berval *bvp;
     char *uuid;
 -    Slapi_Attr *attr;
 -    Slapi_Value *val;
 +    Slapi_Attr *attr = NULL;
 +    Slapi_Value *val = NULL;
     if (type == LDAP_SYNC_NONE || ctrlp == NULL || (ber = der_alloc()) == NULL) {
         return (LDAP_OPERATIONS_ERROR);
@@ -138,6 +138,14 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
     slapi_entry_attr_find(e, SLAPI_ATTR_UNIQUEID, &attr);
     slapi_attr_first_value(attr, &val);
 +    if ((attr == NULL) || (val == NULL)) {
 +        /* It may happen with entries in special backends
 +         * such like cn=config, cn=shema, cn=monitor...
 +         */
 +        slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM,
 +		      "sync_create_state_control - Entries are missing nsuniqueid. Unable to proceed.\n");
 +        return (LDAP_OPERATIONS_ERROR);
 +    }
     uuid = sync_nsuniqueid2uuid(slapi_value_get_string(val));
     if ((rc = ber_printf(ber, "{eo", type, uuid, 16)) != -1) {
         if (cookie) {
--- a/CVE-2021-3652.patch
+++ b/CVE-2021-3652.patch
@ -1,118 +0,0 @@
 From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001
 From: Firstyear <william@blackhats.net.au>
 Date: Fri, 9 Jul 2021 11:53:35 +1000
 Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow
 all passwords (#4819)
 Bug Description: Due to mishanding of short dbpwd hashes, the
 crypt_r algorithm was misused and was only comparing salts
 in some cases, rather than checking the actual content
 of the password.
 Fix Description: Stricter checks on dbpwd lengths to ensure
 that content passed to crypt_r has at least 2 salt bytes and
 1 hash byte, as well as stricter checks on ct_memcmp to ensure
 that compared values are the same length, rather than potentially
 allowing overruns/short comparisons.
 fixes: https://github.com/389ds/389-ds-base/issues/4817
 Author: William Brown <william@blackhats.net.au>
 Review by: @mreynolds389
 ---
 .../password/pwd_crypt_asterisk_test.py       | 50 +++++++++++++++++++
 ldap/servers/plugins/pwdstorage/crypt_pwd.c   | 20 +++++---
 2 files changed, 64 insertions(+), 6 deletions(-)
 create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
 diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
 new file mode 100644
 index 0000000000..d76614db1c
 --- /dev/null
 +++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
@@ -0,0 +1,50 @@
 +# --- BEGIN COPYRIGHT BLOCK ---
 +# Copyright (C) 2021 William Brown <william@blackhats.net.au>
 +# All rights reserved.
 +#
 +# License: GPL (version 3 or any later version).
 +# See LICENSE for details.
 +# --- END COPYRIGHT BLOCK ---
 +#
 +import ldap
 +import pytest
 +from lib389.topologies import topology_st
 +from lib389.idm.user import UserAccounts
 +from lib389._constants import (DEFAULT_SUFFIX, PASSWORD)
 +
 +pytestmark = pytest.mark.tier1
 +
 +def test_password_crypt_asterisk_is_rejected(topology_st):
 +    """It was reported that {CRYPT}* was allowing all passwords to be
 +    valid in the bind process. This checks that we should be rejecting
 +    these as they should represent locked accounts. Similar, {CRYPT}!
 +
 +    :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3
 +    :setup: Single instance
 +    :steps: 1. Set a password hash in with CRYPT and the content *
 +            2. Test a bind
 +            3. Set a password hash in with CRYPT and the content !
 +            4. Test a bind
 +    :expectedresults:
 +            1. Successfully set the values
 +            2. The bind fails
 +            3. Successfully set the values
 +            4. The bind fails
 +    """
 +    topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
 +    topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off')
 +
 +    users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
 +    user = users.create_test_user()
 +
 +    user.set('userPassword', "{CRYPT}*")
 +
 +    # Attempt to bind with incorrect password.
 +    with pytest.raises(ldap.INVALID_CREDENTIALS):
 +        badconn = user.bind('badpassword')
 +
 +    user.set('userPassword', "{CRYPT}!")
 +    # Attempt to bind with incorrect password.
 +    with pytest.raises(ldap.INVALID_CREDENTIALS):
 +        badconn = user.bind('badpassword')
 +
 diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
 index 9031b21996..1b37d41ede 100644
 --- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
 +++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
 int
 crypt_pw_cmp(const char *userpwd, const char *dbpwd)
 {
 -    int rc;
 -    char *cp;
 +    int rc = -1;
 +    char *cp = NULL;
 +    size_t dbpwd_len = strlen(dbpwd);
     struct crypt_data data;
     data.initialized = 0;
 -    /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
 -    cp = crypt_r(userpwd, dbpwd, &data);
 -    if (cp) {
 -        rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
 +    /*
 +     * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will
 +     * allow any password to bind as we then only compare SALTS.
 +     */
 +    if (dbpwd_len >= 3) {
 +        /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
 +        cp = crypt_r(userpwd, dbpwd, &data);
 +    }
 +    /* If these are not the same length, we can not proceed safely with memcmp. */
 +    if (cp && dbpwd_len == strlen(cp)) {
 +        rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len);
     } else {
         rc = -1;
     }
--- a/Fix-attributeError-type-object-build_manpages.patch
+++ b/Fix-attributeError-type-object-build_manpages.patch
@ -1,52 +0,0 @@
 From 5a18aeb49c357a16c138d37a8251d73d8ed35319 Mon Sep 17 00:00:00 2001
 From: Viktor Ashirov <vashirov@redhat.com>
 Date: Tue, 18 Jan 2022 13:24:53 +0100
 Subject: [PATCH] Issue 5115 -  AttributeError: type object 'build_manpages'
 has no attribute 'build_manpages'
 Bug Description:
 Starting from v2.1, argparse-manpage provides methods build_manpages,
 get_build_py_cmd and get_install_cmd in the top-level module.
 This breaks installation of lib389 on systems with the newer version
 of argparse-manpage.
 Fix Description:
 Update setup.py to be aware of the module version and import methods
 based on it.
 Fixes: https://github.com/389ds/389-ds-base/issues/5115
 Reviewed by: @tbordaz, @mreynolds389 (Thanks!)
 ---
 src/lib389/setup.py | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
 diff --git a/src/lib389/setup.py b/src/lib389/setup.py
 index cadec25..5974d2c 100644
 --- a/src/lib389/setup.py
 +++ b/src/lib389/setup.py
@@ -14,7 +14,9 @@
 from setuptools import setup, find_packages
 from os import path
 -from build_manpages import build_manpages
 +import build_manpages as bm
 +if bm.__version__ < '2.1':
 +    from build_manpages import build_manpages as bm
 from setuptools.command.build_py import build_py
 here = path.abspath(path.dirname(__file__))
@@ -89,8 +91,8 @@ setup(
     cmdclass={
         # Dynamically build man pages for cli tools
 -        'build_manpages': build_manpages.build_manpages,
 -        'build_py': build_manpages.get_build_py_cmd(build_py),
 +        'build_manpages': bm.build_manpages,
 +        'build_py': bm.get_build_py_cmd(build_py),
     }
 )
 -- 
 2.27.0
--- a/jemalloc-5.2.1.tar.bz2
+++ b/jemalloc-5.2.1.tar.bz2
--- a/jemalloc.yaml
+++ b/jemalloc.yaml
@ -1,4 +0,0 @@
 version_control: github
 src_repo: jemalloc/jemalloc
 tag_prefix: ^
 seperator: .