Update to 3.1.1 for fix CVE-2024-6237,CVE-2024-5953

(cherry picked from commit 2d86e3fd11e529f21e08512b3bea32d1ce0f2fe4)
wk333 2024-09-12 16:49:11 +08:00 committed by openeuler-sync-bot
parent 187f886c80
commit f8270345de
9 changed files with 33 additions and 647 deletions


@ -5,22 +5,16 @@ ExcludeArch: i686
Name: 389-ds-base
Summary: Base 389 Directory Server
Version: 2.3.2
Release: 7
Version: 3.1.1
Release: 1
License: GPLv3+
URL: https://www.port389.org
Source0: https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2
Source1: 389-ds-base-git.sh
Source2: 389-ds-base-devel.README
Patch0: Replace-LegacyVersion-with-DSVersion-to-fix-build-error.patch
Patch1: fix-using-borrow-on-a-double-reference.patch
# Refer: https://github.com/389ds/389-ds-base/pull/5374
Patch2: fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch
Patch3: CVE-2024-1062-1.patch
Patch4: CVE-2024-1062-2.patch
Patch5: CVE-2024-2199.patch
Patch6: CVE-2024-3657.patch
Patch0: fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch
BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@ -32,7 +26,7 @@ BuildRequires: python%{python3_pkgversion}-pyasn1-modules python%{python3_pkgver
BuildRequires: python%{python3_pkgversion}-argcomplete python%{python3_pkgversion}-argparse-manpage
BuildRequires: python%{python3_pkgversion}-libselinux python%{python3_pkgversion}-policycoreutils
BuildRequires: python%{python3_pkgversion}-packaging rsync npm nodejs libtalloc-devel libtevent-devel
BuildRequires: lmdb-devel json-c-devel cargo
BuildRequires: lmdb-devel json-c-devel cargo python3-cryptography
Requires: 389-ds-base-libs = %{version}-%{release}
Requires: python%{python3_pkgversion}-lib389 = %{version}-%{release}
Requires: policycoreutils-python-utils /usr/sbin/semanage libsemanage-python%{python3_pkgversion}
@ -121,6 +115,7 @@ autoreconf -fiv
--with-systemdgroupname=dirsrv.target --libexecdir=%{_libexecdir}/dirsrv \
$NSSARGS $ASAN_FLAGS $RUST_FLAGS $PERL_FLAGS $CLANG_FLAGS $LEGACY_FLAGS --enable-cmocka --enable-perl --with-libldap-r=no
make src/lib389/setup.py
cd ./src/lib389
%py3_build
cd -
@ -326,6 +321,28 @@ exit 0
%{_mandir}/*/*
%changelog
* Thu Aug 01 2024 yaoxin <yao_xin001@hoperun.com> - 3.1.1-1
- Update to 3.1.1
* Security fix for CVE-2024-6237,CVE-2024-5953,CVE-2024-3657,CVE-2024-2199
* Issue 6172 - RFE: improve the performance of evaluation of filter component
when tested against a large valueset (like group members) #6173
* Issue 6181 - RFE - Allow system to manage uid/gid at startup
* Issue 6238 - RFE - add option to write audit log in JSON format
* Issue 6241 - Add support for CRYPT-YESCRYPT #6242
* Issue 5772 - ONE LEVEL search fails to return sub-suffixes #6219
* Issue 6123 - Allow DNA plugin to reuse global config for bind method and connection protocol #6124
* Issue 6155 - ldap-agent fails to start because of permission error #6179
* Issue 6170 - audit log buffering doesnt handle large updates
* Issue 6175 - Referential integrity plugin - in referint_thread_func does not handle null from ldap_utf8strtok #6168
* Issue 6183 - Slow ldif2db import on a newly created BDB backend #6208
* Issue 6199 - unprotected search query during certificate based authentication #6205
* Issue 6224 - d2entry - Could not open id2entry err 0 - at startup when having sub-suffixes #6225
* Issue 6229 - After an initial failure, subsequent online backups fail #6230
* Issue 6254 - Enabling replication for a sub suffix crashes browser #6255
* Issue 6256 - nsslapd-numlisteners limit is not enforced
* Issue 6265 - lmdb - missing entries in range searches #6266
* Please see log - https://www.port389.org/docs/389ds/releases/release-3-1-1
* Wed Jun 05 2024 wangkai <13474090681@163.com> - 2.3.2-7
- Fix CVE-2024-2199 and CVE-2024-3657
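Review bot: The new `%changelog` entry credits 3.1.1 with CVE-2024-6237, CVE-2024-5953, CVE-2024-3657 and CVE-2024-2199, but this section also appears to drop `Patch3: CVE-2024-1062-1.patch` and `Patch4: CVE-2024-1062-2.patch` (the +/- markers are lost in this rendering, so the sides are inferred from the hunk counts), and nothing on the page records that the 3.1.1 tarball carries that fix. Before merging, confirm that the `log_entry_attr()` rework from those two patches is present in `ldap/servers/slapd/auditlog.c` of the new source. If it is, extend the changelog line to `* Security fix for CVE-2024-6237,CVE-2024-5953,CVE-2024-3657,CVE-2024-2199,CVE-2024-1062` so that changelog-based vulnerability scanners do not report a regression. Separately, the added build dependency is spelled `python3-cryptography` while the neighbouring `BuildRequires` lines use the macro form; `python%{python3_pkgversion}-cryptography` would match them.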


@ -1,116 +0,0 @@
From db7be9fbea1603202fe5829f7ae46bfb83d951c0 Mon Sep 17 00:00:00 2001
From: progier389 <progier@redhat.com>
Date: Tue, 14 Feb 2023 13:34:10 +0100
Subject: [PATCH] issue 5647 - covscan: memory leak in audit log when adding
entries (#5650)
covscan reported an issue about "vals" variable in auditlog.c:231 and indeed a charray_free is missing.
Issue: 5647
Reviewed by: @mreynolds389, @droideck
---
ldap/servers/slapd/auditlog.c | 71 +++++++++++++++++++----------------
1 file changed, 38 insertions(+), 33 deletions(-)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 68cbc674dc..3128e04974 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -177,6 +177,40 @@ write_auditfail_log_entry(Slapi_PBlock *pb)
slapi_ch_free_string(&audit_config);
}
+/*
+ * Write the attribute values to the audit log as "comments"
+ *
+ * Slapi_Attr *entry - the attribute begin logged.
+ * char *attrname - the attribute name.
+ * lenstr *l - the audit log buffer
+ *
+ * Resulting output in the log:
+ *
+ * #ATTR: VALUE
+ * #ATTR: VALUE
+ */
+static void
+log_entry_attr(Slapi_Attr *entry_attr, char *attrname, lenstr *l)
+{
+ Slapi_Value **vals = attr_get_present_values(entry_attr);
+ for(size_t i = 0; vals && vals[i]; i++) {
+ char log_val[256] = "";
+ const struct berval *bv = slapi_value_get_berval(vals[i]);
+ if (bv->bv_len >= 256) {
+ strncpy(log_val, bv->bv_val, 252);
+ strcpy(log_val+252, "...");
+ } else {
+ strncpy(log_val, bv->bv_val, bv->bv_len);
+ log_val[bv->bv_len] = 0;
+ }
+ addlenstr(l, "#");
+ addlenstr(l, attrname);
+ addlenstr(l, ": ");
+ addlenstr(l, log_val);
+ addlenstr(l, "\n");
+ }
+}
+
/*
* Write "requested" attributes from the entry to the audit log as "comments"
*
@@ -212,21 +246,9 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
for (req_attr = ldap_utf8strtok_r(display_attrs, ", ", &last); req_attr;
req_attr = ldap_utf8strtok_r(NULL, ", ", &last))
{
- char **vals = slapi_entry_attr_get_charray(entry, req_attr);
- for(size_t i = 0; vals && vals[i]; i++) {
- char log_val[256] = {0};
-
- if (strlen(vals[i]) > 256) {
- strncpy(log_val, vals[i], 252);
- strcat(log_val, "...");
- } else {
- strcpy(log_val, vals[i]);
- }
- addlenstr(l, "#");
- addlenstr(l, req_attr);
- addlenstr(l, ": ");
- addlenstr(l, log_val);
- addlenstr(l, "\n");
+ slapi_entry_attr_find(entry, req_attr, &entry_attr);
+ if (entry_attr) {
+ log_entry_attr(entry_attr, req_attr, l);
}
}
} else {
@@ -234,7 +256,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
for (; entry_attr; entry_attr = entry_attr->a_next) {
Slapi_Value **vals = attr_get_present_values(entry_attr);
char *attr = NULL;
- const char *val = NULL;
slapi_attr_get_type(entry_attr, &attr);
if (strcmp(attr, PSEUDO_ATTR_UNHASHEDUSERPASSWORD) == 0) {
@@ -251,23 +272,7 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
addlenstr(l, ": ****************************\n");
continue;
}
-
- for(size_t i = 0; vals && vals[i]; i++) {
- char log_val[256] = {0};
-
- val = slapi_value_get_string(vals[i]);
- if (strlen(val) > 256) {
- strncpy(log_val, val, 252);
- strcat(log_val, "...");
- } else {
- strcpy(log_val, val);
- }
- addlenstr(l, "#");
- addlenstr(l, attr);
- addlenstr(l, ": ");
- addlenstr(l, log_val);
- addlenstr(l, "\n");
- }
+ log_entry_attr(entry_attr, attr, l);
}
}
slapi_ch_free_string(&display_attrs);


@ -1,24 +0,0 @@
From fd6b417fc53d1c97675638c5489b122e1cf4f1d6 Mon Sep 17 00:00:00 2001
From: progier389 <progier@redhat.com>
Date: Mon, 20 Feb 2023 16:14:05 +0100
Subject: [PATCH] Issue 5647 - Fix unused variable warning from previous commit
(#5670)
* issue 5647 - memory leak in audit log when adding entries
* Issue 5647 - Fix unused variable warning from previous commit
---
ldap/servers/slapd/auditlog.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/ldap/servers/slapd/auditlog.c b/ldap/servers/slapd/auditlog.c
index 3128e04974..0597ecc6f1 100644
--- a/ldap/servers/slapd/auditlog.c
+++ b/ldap/servers/slapd/auditlog.c
@@ -254,7 +254,6 @@ add_entry_attrs(Slapi_Entry *entry, lenstr *l)
} else {
/* Return all attributes */
for (; entry_attr; entry_attr = entry_attr->a_next) {
- Slapi_Value **vals = attr_get_present_values(entry_attr);
char *attr = NULL;
slapi_attr_get_type(entry_attr, &attr);


@ -1,110 +0,0 @@
Origin: https://git.centos.org/rpms/389-ds-base/raw/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0048-CVE-2024-2199.patch
From 23956cfb86a312318667fb9376322574fa8ec7f4 Mon Sep 17 00:00:00 2001
From: James Chapman <jachapma@redhat.com>
Date: Wed, 1 May 2024 15:01:33 +0100
Subject: [PATCH] CVE-2024-2199
---
.../tests/suites/password/password_test.py | 56 +++++++++++++++++++
ldap/servers/slapd/modify.c | 8 ++-
2 files changed, 62 insertions(+), 2 deletions(-)
diff --git a/dirsrvtests/tests/suites/password/password_test.py b/dirsrvtests/tests/suites/password/password_test.py
index 1245feb31..e4abd9907 100644
--- a/dirsrvtests/tests/suites/password/password_test.py
+++ b/dirsrvtests/tests/suites/password/password_test.py
@@ -63,6 +63,62 @@ def test_password_delete_specific_password(topology_st):
log.info('test_password_delete_specific_password: PASSED')
+def test_password_modify_non_utf8(topology_st):
+ """Attempt a modify of the userPassword attribute with
+ an invalid non utf8 value
+
+ :id: a31af9d5-d665-42b9-8d6e-fea3d0837d36
+ :setup: Standalone instance
+ :steps:
+ 1. Add a user if it doesnt exist and set its password
+ 2. Verify password with a bind
+ 3. Modify userPassword attr with invalid value
+ 4. Attempt a bind with invalid password value
+ 5. Verify original password with a bind
+ :expectedresults:
+ 1. The user with userPassword should be added successfully
+ 2. Operation should be successful
+ 3. Server returns ldap.UNWILLING_TO_PERFORM
+ 4. Server returns ldap.INVALID_CREDENTIALS
+ 5. Operation should be successful
+ """
+
+ log.info('Running test_password_modify_non_utf8...')
+
+ # Create user and set password
+ standalone = topology_st.standalone
+ users = UserAccounts(standalone, DEFAULT_SUFFIX)
+ if not users.exists(TEST_USER_PROPERTIES['uid'][0]):
+ user = users.create(properties=TEST_USER_PROPERTIES)
+ else:
+ user = users.get(TEST_USER_PROPERTIES['uid'][0])
+ user.set('userpassword', PASSWORD)
+
+ # Verify password
+ try:
+ user.bind(PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
+ assert False
+
+ # Modify userPassword with an invalid value
+ password = b'tes\x82t-password' # A non UTF-8 encoded password
+ with pytest.raises(ldap.UNWILLING_TO_PERFORM):
+ user.replace('userpassword', password)
+
+ # Verify a bind fails with invalid pasword
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ user.bind(password)
+
+ # Verify we can still bind with original password
+ try:
+ user.bind(PASSWORD)
+ except ldap.LDAPError as e:
+ log.fatal('Failed to bind as {}, error: '.format(user.dn) + e.args[0]['desc'])
+ assert False
+
+ log.info('test_password_modify_non_utf8: PASSED')
+
if __name__ == '__main__':
# Run isolated
# -s for DEBUG mode
diff --git a/ldap/servers/slapd/modify.c b/ldap/servers/slapd/modify.c
index a20984e0b..fb65d58b3 100644
--- a/ldap/servers/slapd/modify.c
+++ b/ldap/servers/slapd/modify.c
@@ -762,8 +762,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
* flagged - leave mod attributes alone */
if (!repl_op && !skip_modified_attrs && lastmod) {
modify_update_last_modified_attr(pb, &smods);
+ slapi_pblock_set(pb, SLAPI_MODIFY_MODS, slapi_mods_get_ldapmods_byref(&smods));
}
+
if (0 == slapi_mods_get_num_mods(&smods)) {
/* nothing to do - no mods - this is not an error - just
send back LDAP_SUCCESS */
@@ -930,8 +932,10 @@ op_shared_modify(Slapi_PBlock *pb, int pw_change, char *old_pw)
/* encode password */
if (pw_encodevals_ext(pb, sdn, va)) {
- slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s.\n", slapi_entry_get_dn_const(e));
- send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to store attribute \"userPassword\" correctly\n", 0, NULL);
+ slapi_log_err(SLAPI_LOG_CRIT, "op_shared_modify", "Unable to hash userPassword attribute for %s, "
+ "check value is utf8 string.\n", slapi_entry_get_dn_const(e));
+ send_ldap_result(pb, LDAP_UNWILLING_TO_PERFORM, NULL, "Unable to hash \"userPassword\" attribute, "
+ "check value is utf8 string.\n", 0, NULL);
valuearray_free(&va);
goto free_and_return;
}
--
2.41.0


@ -1,150 +0,0 @@
Origin: https://git.centos.org/rpms/389-ds-base/blob/bdd565525ec24ecfb7b354f73b602209e570aee5/f/SOURCES/0049-CVE-2024-3657-7.9.patch
From 7f5ac2097be424a55248e391c6b40635d01b1fa6 Mon Sep 17 00:00:00 2001
From: Pierre Rogier <progier@redhat.com>
Date: Wed, 17 Apr 2024 18:18:04 +0200
Subject: [PATCH] CVE-2024-3657-7.9
---
ldap/servers/slapd/back-ldbm/index.c | 111 ++++++++++++++-------------
1 file changed, 59 insertions(+), 52 deletions(-)
diff --git a/ldap/servers/slapd/back-ldbm/index.c b/ldap/servers/slapd/back-ldbm/index.c
index f0b969ff4..53a041ad1 100644
--- a/ldap/servers/slapd/back-ldbm/index.c
+++ b/ldap/servers/slapd/back-ldbm/index.c
@@ -71,6 +71,32 @@ typedef struct _index_buffer_handle index_buffer_handle;
#define INDEX_BUFFER_FLAG_SERIALIZE 1
#define INDEX_BUFFER_FLAG_STATS 2
+/*
+ * space needed to encode a byte:
+ * 0x00-0x31 and 0x7f-0xff requires 3 bytes: \xx
+ * 0x22 and 0x5C requires 2 bytes: \" and \\
+ * other requires 1 byte: c
+ */
+static char encode_size[] = {
+ /* 0x00 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x10 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x20 */ 1, 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x30 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x40 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x50 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, 1, 1, 1,
+ /* 0x60 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ /* 0x70 */ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 3,
+ /* 0x80 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0x90 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xA0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xB0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xC0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xD0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xE0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+ /* 0xF0 */ 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3, 3,
+};
+
+
/* Index buffering functions */
static int
@@ -800,65 +826,46 @@ index_add_mods(
/*
* Convert a 'struct berval' into a displayable ASCII string
+ * returns the printable string
*/
-
-#define SPECIAL(c) (c < 32 || c > 126 || c == '\\' || c == '"')
-
const char *
encode(const struct berval *data, char buf[BUFSIZ])
{
- char *s;
- char *last;
- if (data == NULL || data->bv_len == 0)
- return "";
- last = data->bv_val + data->bv_len - 1;
- for (s = data->bv_val; s < last; ++s) {
- if (SPECIAL(*s)) {
- char *first = data->bv_val;
- char *bufNext = buf;
- size_t bufSpace = BUFSIZ - 4;
- while (1) {
- /* printf ("%lu bytes ASCII\n", (unsigned long)(s - first)); */
- if (bufSpace < (size_t)(s - first))
- s = first + bufSpace - 1;
- if (s != first) {
- memcpy(bufNext, first, s - first);
- bufNext += (s - first);
- bufSpace -= (s - first);
- }
- do {
- if (bufSpace) {
- *bufNext++ = '\\';
- --bufSpace;
- }
- if (bufSpace < 2) {
- memcpy(bufNext, "..", 2);
- bufNext += 2;
- goto bail;
- }
- if (*s == '\\' || *s == '"') {
- *bufNext++ = *s;
- --bufSpace;
- } else {
- sprintf(bufNext, "%02x", (unsigned)*(unsigned char *)s);
- bufNext += 2;
- bufSpace -= 2;
- }
- } while (++s <= last && SPECIAL(*s));
- if (s > last)
- break;
- first = s;
- while (!SPECIAL(*s) && s <= last)
- ++s;
- }
- bail:
- *bufNext = '\0';
- /* printf ("%lu chars in buffer\n", (unsigned long)(bufNext - buf)); */
+ if (!data || !data->bv_val) {
+ strcpy(buf, "<NULL>");
+ return buf;
+ }
+ char *endbuff = &buf[BUFSIZ-4]; /* Reserve space to append "...\0" */
+ char *ptout = buf;
+ unsigned char *ptin = (unsigned char*) data->bv_val;
+ unsigned char *endptin = ptin+data->bv_len;
+
+ while (ptin < endptin) {
+ if (ptout >= endbuff) {
+ /*
+ * BUFSIZ(8K) > SLAPI_LOG_BUFSIZ(2K) so the error log message will be
+ * truncated anyway. So there is no real interrest to test if the original
+ * data contains no special characters and return it as is.
+ */
+ strcpy(endbuff, "...");
return buf;
}
+ switch (encode_size[*ptin]) {
+ case 1:
+ *ptout++ = *ptin++;
+ break;
+ case 2:
+ *ptout++ = '\\';
+ *ptout++ = *ptin++;
+ break;
+ case 3:
+ sprintf(ptout, "\\%02x", *ptin++);
+ ptout += 3;
+ break;
+ }
}
- /* printf ("%lu bytes, all ASCII\n", (unsigned long)(s - data->bv_val)); */
- return data->bv_val;
+ *ptout = 0;
+ return buf;
}
static const char *
--
2.41.0


@ -1,177 +0,0 @@
From a0ed3c81b0ccb8340e7554a6a53e6a6395fce5dd Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Mon, 13 Feb 2023 18:39:20 +0100
Subject: [PATCH] Issue 5642 - Build fails against setuptools 67.0.0
Bug Description:
`setuptools` 67.0.0 vendors `packaging` 23.0 which dropped `LegacyVersion`.
Fix Description:
Replace `LegacyVersion` with `DSVersion` to compare version strings that are
not compatible with PEP 440 and PEP 508.
Reviewed by: @mreynolds389, @progier389
Fixes: https://github.com/389ds/389-ds-base/issues/5642
---
src/lib389/lib389/nss_ssl.py | 11 +---
src/lib389/lib389/tests/dsversion_test.py | 12 ++++
src/lib389/lib389/utils.py | 80 ++++++++++++++++++++---
3 files changed, 86 insertions(+), 17 deletions(-)
create mode 100644 src/lib389/lib389/tests/dsversion_test.py
diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py
index 9e4ac09f80..d5e5c4679a 100644
--- a/src/lib389/lib389/nss_ssl.py
+++ b/src/lib389/lib389/nss_ssl.py
@@ -23,16 +23,9 @@
from lib389.passwd import password_generate
from lib389._mapped_object_lint import DSLint
from lib389.lint import DSCERTLE0001, DSCERTLE0002
-from lib389.utils import ensure_str, format_cmd_list
+from lib389.utils import ensure_str, format_cmd_list, DSVersion
import uuid
-# Setuptools ships with 'packaging' module, let's use it from there
-try:
- from pkg_resources.extern.packaging.version import LegacyVersion
-# Fallback to a normal 'packaging' module in case 'setuptools' is stripped
-except:
- from packaging.version import LegacyVersion
-
KEYBITS = 4096
CA_NAME = 'Self-Signed-CA'
CERT_NAME = 'Server-Cert'
@@ -249,7 +242,7 @@ def openssl_rehash(self, certdir):
openssl_version = check_output(['/usr/bin/openssl', 'version']).decode('utf-8').strip()
except subprocess.CalledProcessError as e:
raise ValueError(e.output.decode('utf-8').rstrip())
- rehash_available = LegacyVersion(openssl_version.split(' ')[1]) >= LegacyVersion('1.1.0')
+ rehash_available = DSVersion(openssl_version.split(' ')[1]) >= DSVersion('1.1.0')
if rehash_available:
cmd = ['/usr/bin/openssl', 'rehash', certdir]
diff --git a/src/lib389/lib389/tests/dsversion_test.py b/src/lib389/lib389/tests/dsversion_test.py
new file mode 100644
index 0000000000..2a420067fa
--- /dev/null
+++ b/src/lib389/lib389/tests/dsversion_test.py
@@ -0,0 +1,12 @@
+from lib389.utils import DSVersion
+import pytest
+
+versions = [('1.3.10.1', '1.3.2.1'),
+ ('2.3.2', '1.4.4.4'),
+ ('2.3.2.202302121950git1b4f5a5bf', '2.3.2'),
+ ('1.1.0a', '1.1.0')]
+
+@pytest.mark.parametrize("x,y", versions)
+def test_dsversion(x, y):
+ assert DSVersion(x) > DSVersion(y)
+
diff --git a/src/lib389/lib389/utils.py b/src/lib389/lib389/utils.py
index 4e58341f4e..3d90560d08 100644
--- a/src/lib389/lib389/utils.py
+++ b/src/lib389/lib389/utils.py
@@ -42,12 +42,6 @@ def wait(self):
import subprocess
import math
import errno
-# Setuptools ships with 'packaging' module, let's use it from there
-try:
- from pkg_resources.extern.packaging.version import LegacyVersion
-# Fallback to a normal 'packaging' module in case 'setuptools' is stripped
-except:
- from packaging.version import LegacyVersion
from socket import getfqdn
from ldapurl import LDAPUrl
from contextlib import closing
@@ -1215,6 +1209,76 @@ def generate_ds_params(inst_num, role=ReplicaRole.STANDALONE):
return instance_data
+class DSVersion():
+ def __init__(self, version):
+ self._version = str(version)
+ self._key = _cmpkey(self._version)
+
+ def __str__(self):
+ return self._version
+
+ def __repr__(self):
+ return f"<DSVersion('{self}')>"
+
+ def __hash__(self):
+ return hash(self._key)
+
+ def __lt__(self, other):
+ if not isinstance(other, DSVersion):
+ return NotImplemented
+
+ return self._key < other._key
+
+ def __le__(self, other):
+ if not isinstance(other, DSVersion):
+ return NotImplemented
+
+ return self._key <= other._key
+
+ def __eq__(self, other):
+ if not isinstance(other, DSVersion):
+ return NotImplemented
+
+ return self._key == other._key
+
+ def __ge__(self, other):
+ if not isinstance(other, DSVersion):
+ return NotImplemented
+
+ return self._key >= other._key
+
+ def __gt__(self, other):
+ if not isinstance(other, DSVersion):
+ return NotImplemented
+
+ return self._key > other._key
+
+ def __ne__(self, other):
+ if not isinstance(other, DSVersion):
+ return NotImplemented
+
+ return self._key != other._key
+
+
+def _parse_version_parts(s):
+ for part in re.compile(r"(\d+ | [a-z]+ | \. | -)", re.VERBOSE).split(s):
+
+ if not part or part == ".":
+ continue
+
+ if part[:1] in "0123456789":
+ # pad for numeric comparison
+ yield part.zfill(8)
+ else:
+ yield "*" + part
+
+def _cmpkey(version):
+ parts = []
+ for part in _parse_version_parts(version.lower()):
+ parts.append(part)
+
+ return tuple(parts)
+
def get_ds_version(paths=None):
"""
@@ -1242,9 +1306,9 @@ def ds_is_related(relation, *ver, instance=None):
if len(ver) > 1:
for cmp_ver in ver:
if cmp_ver.startswith(ds_ver[:3]):
- return ops[relation](LegacyVersion(ds_ver),LegacyVersion(cmp_ver))
+ return ops[relation](DSVersion(ds_ver), DSVersion(cmp_ver))
else:
- return ops[relation](LegacyVersion(ds_ver), LegacyVersion(ver[0]))
+ return ops[relation](DSVersion(ds_ver), DSVersion(ver[0]))
def ds_is_older(*ver, instance=None):


@ -1,11 +1,12 @@
--- 389-ds-base-2.3.2/src/lib389/lib389/cli_idm/posixgroup.py 2022-09-28 22:32:51.000000000 +0800
+++ 389-ds-base-2.3.2/src/lib389/lib389/cli_idm/posixgroup.py_bak 2023-10-27 09:52:31.896331122 +0800
@@ -34,7 +34,7 @@
_generic_get(inst, basedn, log.getChild('_generic_get'), MANY, rdn, args)
diff -Naur a/src/lib389/lib389/cli_idm/posixgroup.py b/src/lib389/lib389/cli_idm/posixgroup.py
--- a/src/lib389/lib389/cli_idm/posixgroup.py 2024-08-01 15:51:12.699551420 +0800
+++ b/src/lib389/lib389/cli_idm/posixgroup.py 2024-08-01 15:52:34.075551420 +0800
@@ -38,7 +38,7 @@
def get_dn(inst, basedn, log, args):
- dn = lambda args: _get_arg( args.dn, msg="Enter dn to retrieve")
+ dn = _get_arg( args.dn, msg="Enter dn to retrieve")
_generic_get_dn(inst, basedn, log.getChild('_generic_get_dn'), MANY, dn, args)
def create(inst, basedn, log, args):


@ -1,55 +0,0 @@
From 1d5586780b7144b3e1fa17b827f461b10f076be4 Mon Sep 17 00:00:00 2001
From: Simon Pichugin <spichugi@redhat.com>
Date: Mon, 24 Jul 2023 15:42:11 -0700
Subject: [PATCH] fix using borrow() on a double reference
Reference: https://github.com/389ds/389-ds-base/pull/5854
error: using `.borrow()` on a double reference, which returns
`&concread::cowcell::CowCellReadTxn<CacheStats>` instead of borrowing the inner type
We're getting the error about borrowing a double reference because
we're trying to borrow a type that is already a reference.
Fix - use the type directly.
---
src/librslapd/src/cache.rs | 4 +---
src/slapi_r_plugin/src/value.rs | 2 +-
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/src/librslapd/src/cache.rs b/src/librslapd/src/cache.rs
index 092c81d..b025c83 100644
--- a/src/librslapd/src/cache.rs
+++ b/src/librslapd/src/cache.rs
@@ -1,6 +1,5 @@
// This exposes C-FFI capable bindings for the concread concurrently readable cache.
use concread::arcache::{ARCache, ARCacheBuilder, ARCacheReadTxn, ARCacheWriteTxn};
-use std::borrow::Borrow;
use std::convert::TryInto;
use std::ffi::{CStr, CString};
use std::os::raw::c_char;
@@ -56,8 +55,7 @@ pub extern "C" fn cache_char_stats(
debug_assert!(!cache.is_null());
&(*cache) as &ARCacheChar
};
- let stat_rguard = cache_ref.inner.view_stats();
- let stats = stat_rguard.borrow();
+ let stats = cache_ref.inner.view_stats();
*reader_hits = stats.reader_hits.try_into().unwrap();
*reader_includes = stats.reader_includes.try_into().unwrap();
*write_hits = stats.write_hits.try_into().unwrap();
diff --git a/src/slapi_r_plugin/src/value.rs b/src/slapi_r_plugin/src/value.rs
index cd56529..2fd35c8 100644
--- a/src/slapi_r_plugin/src/value.rs
+++ b/src/slapi_r_plugin/src/value.rs
@@ -182,7 +182,7 @@ impl From<&Uuid> for Value {
let s_ptr = cstr.as_ptr();
Box::leak(cstr);
- let mut v = unsafe { slapi_value_new() };
+ let v = unsafe { slapi_value_new() };
unsafe {
(*v).bv.len = len;
(*v).bv.data = s_ptr as *const u8;
--
2.27.0