!38 Update to 1.4.3.36

From: @wk333 
Reviewed-by: @caodongxia 
Signed-off-by: @caodongxia
openeuler-ci-bot 2023-10-25 02:01:56 +00:00 committed by Gitee
commit dd4933da1d
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
7 changed files with 32 additions and 237 deletions

Binary file not shown.

BIN
389-ds-base-1.4.3.36.tar.gz Normal file

Binary file not shown.


@ -5,19 +5,16 @@ ExcludeArch: i686
Name: 389-ds-base
Summary: Base 389 Directory Server
Version: 1.4.3.20
Release: 2
Version: 1.4.3.36
Release: 1
License: GPLv3+
URL: https://www.port389.org
Source0: https://releases.pagure.org/389-ds-base/389-ds-base-%{version}.tar.bz2
Source0: https://github.com/389ds/389-ds-base/archive/refs/tags/389-ds-base-%{version}.tar.gz
Source1: 389-ds-base-git.sh
Source2: 389-ds-base-devel.README
Source3: https://github.com/jemalloc/jemalloc/releases/download/5.2.1/jemalloc-5.2.1.tar.bz2
Patch0: CVE-2021-3652.patch
Patch1: CVE-2021-3514.patch
# https://github.com/389ds/389-ds-base/commit/5a18aeb49c357a16c138d37a8251d73d8ed35319
Patch2: Fix-attributeError-type-object-build_manpages.patch
# Refer: https://github.com/389ds/389-ds-base/pull/5374
Patch0: fix-dsidm-posixgroup-get_dn-fails-with-search_ext.patch
BuildRequires: nspr-devel nss-devel >= 3.34 perl-generators openldap-devel libdb-devel cyrus-sasl-devel icu
BuildRequires: libicu-devel pcre-devel cracklib-devel gcc-c++ net-snmp-devel lm_sensors-devel bzip2-devel
@ -29,6 +26,7 @@ BuildRequires: python%{python3_pkgversion}-pyasn1-modules python%{python3_pkgver
BuildRequires: python%{python3_pkgversion}-argcomplete python%{python3_pkgversion}-argparse-manpage
BuildRequires: python%{python3_pkgversion}-libselinux python%{python3_pkgversion}-policycoreutils
BuildRequires: python%{python3_pkgversion}-packaging rsync npm nodejs libtalloc-devel libtevent-devel
BuildRequires: python%{python3_pkgversion}-cryptography
Requires: 389-ds-base-libs = %{version}-%{release}
Requires: python%{python3_pkgversion}-lib389 = %{version}-%{release}
Requires: policycoreutils-python-utils /usr/sbin/semanage libsemanage-python%{python3_pkgversion}
@ -108,9 +106,9 @@ Requires: 389-ds-base = %{version}-%{release}
Documentation for 389 Directory Server.
%prep
%autosetup -n 389-ds-base-%{version} -p1
%autosetup -n 389-ds-base-389-ds-base-%{version} -p1
%setup -n 389-ds-base-%{version} -T -D -b 3
%setup -n 389-ds-base-389-ds-base-%{version} -T -D -b 3
cp %{SOURCE2} README.devel
@ -145,7 +143,7 @@ cd ./src/lib389
%py3_build
cd -
for f in "dsconf.8" "dsctl.8" "dsidm.8" "dscreate.8"; do
sed -i "1s/\"1\"/\"8\"/" %{_builddir}/389-ds-base-%{version}/src/lib389/man/$f
sed -i "1s/\"1\"/\"8\"/" %{_builddir}/389-ds-base-389-ds-base-%{version}/src/lib389/man/$f
done
export XCFLAGS=$RPM_OPT_FLAGS
%make_build
@ -157,7 +155,7 @@ install -d %{buildroot}%{_datadir}/cockpit
find %{buildroot}%{_datadir}/cockpit/389-console -type d | sed -e "s@%{buildroot}@@" | sed -e 's/^/\%dir /' > cockpit.list
find %{buildroot}%{_datadir}/cockpit/389-console -type f | sed -e "s@%{buildroot}@@" >> cockpit.list
cp -r %{_builddir}/389-ds-base-%{version}/man/man3 $RPM_BUILD_ROOT/%{_mandir}/man3
cp -r %{_builddir}/389-ds-base-389-ds-base-%{version}/man/man3 $RPM_BUILD_ROOT/%{_mandir}/man3
cd src/lib389
%py3_install
@ -175,8 +173,8 @@ sed -i -e 's|#{{PERL-EXEC}}|#!/usr/bin/perl|' $RPM_BUILD_ROOT%{_datadir}/dirsrv/
cd ../jemalloc-5.2.1
make DESTDIR="$RPM_BUILD_ROOT" install_lib install_bin
cp -pa COPYING ../389-ds-base-%{version}/COPYING.jemalloc
cp -pa README ../389-ds-base-%{version}/README.jemalloc
cp -pa COPYING ../389-ds-base-389-ds-base-%{version}/COPYING.jemalloc
cp -pa README ../389-ds-base-389-ds-base-%{version}/README.jemalloc
cd -
cd $RPM_BUILD_ROOT/usr
@ -188,6 +186,8 @@ cd -
mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
echo "%{_bindir}/%{name}" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
echo "%{_libdir}/%{name}" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
echo "%{_libdir}/dirsrv/plugins" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
echo "%{_libdir}/dirsrv" >> $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf
%check
if ! make DESTDIR="$RPM_BUILD_ROOT" check; then
@ -348,7 +348,7 @@ exit 0
%{_sbindir}/{ldif2ldap,bak2db,db2bak,db2index,db2ldif,dbverify,ldif2db,restart-dirsrv}
%{_sbindir}/{start-dirsrv,status-dirsrv,stop-dirsrv,upgradedb,vlvindex}
%{_sbindir}/{monitor,dbmon.sh,dn2rdn,restoreconfig,saveconfig,suffix2instance,upgradednformat}
%{_libexecdir}/dirsrv/{ds_selinux_enabled,ds_selinux_port_query}
%{_libexecdir}/dirsrv/{ds_selinux_enabled,ds_selinux_port_query,ds_selinux_restorecon.sh}
%{_datadir}/dirsrv/properties/*.res
%{_datadir}/dirsrv/script-templates
%{_datadir}/dirsrv/updates
@ -376,6 +376,12 @@ exit 0
%{_mandir}/*/*
%changelog
* Tue Oct 24 2023 wangkai <13474090681@163.com> - 1.4.3.36-1
- Update to 1.4.3.36
- Fix dsidm user/posixgroup get_dn fails with search_ext()
- Fix unable to add objectclass/attribute without x-origin
- Fix execute dsconf to open pdb
* Mon Aug 7 2023 panchenbo <panchenbo@kylinsec.com.cn> - 1.4.3.20-2
- add support for sw_64 and loongarch64
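Review bot: The first hunk drops `Patch0: CVE-2021-3652.patch` and `Patch1: CVE-2021-3514.patch`, but the new `%changelog` entry does not say that both fixes are carried by the 1.4.3.36 tarball, so a reader tracking those CVEs cannot tell from the package history whether they are still fixed. The tarball is binary on this page, so this is presumably true but cannot be verified here. It is worth confirming in the unpacked source that `crypt_pw_cmp` still has the `dbpwd_len >= 3` guard and that `sync_create_state_control` still returns `LDAP_OPERATIONS_ERROR` when `nsuniqueid` is missing. Once confirmed, I would add a changelog line such as `- Drop CVE-2021-3652.patch and CVE-2021-3514.patch, fixes included in 1.4.3.36`.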


@ -1,52 +0,0 @@
From 2e5b526012612d1d6ccace46398bee679a730271 Mon Sep 17 00:00:00 2001
From: tbordaz <tbordaz@redhat.com>
Date: Tue, 27 Apr 2021 09:29:32 +0200
Subject: [PATCH] Issue 4711 - SIGSEV with sync_repl (#4738)
Bug description:
sync_repl sends back entries identified with a unique
identifier that is 'nsuniqueid'. If 'nsuniqueid' is
missing, then it may crash
Fix description:
Check a nsuniqueid is available else returns OP_ERR
relates: https://github.com/389ds/389-ds-base/issues/4711
Reviewed by: Pierre Rogier, James Chapman, William Brown (Thanks!)
Platforms tested: F33
---
ldap/servers/plugins/sync/sync_util.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/ldap/servers/plugins/sync/sync_util.c b/ldap/servers/plugins/sync/sync_util.c
index e64d519e1a..3dacee8cad 100644
--- a/ldap/servers/plugins/sync/sync_util.c
+++ b/ldap/servers/plugins/sync/sync_util.c
@@ -127,8 +127,8 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
BerElement *ber;
struct berval *bvp;
char *uuid;
- Slapi_Attr *attr;
- Slapi_Value *val;
+ Slapi_Attr *attr = NULL;
+ Slapi_Value *val = NULL;
if (type == LDAP_SYNC_NONE || ctrlp == NULL || (ber = der_alloc()) == NULL) {
return (LDAP_OPERATIONS_ERROR);
@@ -138,6 +138,14 @@ sync_create_state_control(Slapi_Entry *e, LDAPControl **ctrlp, int type, Sync_Co
slapi_entry_attr_find(e, SLAPI_ATTR_UNIQUEID, &attr);
slapi_attr_first_value(attr, &val);
+ if ((attr == NULL) || (val == NULL)) {
+ /* It may happen with entries in special backends
+ * such like cn=config, cn=shema, cn=monitor...
+ */
+ slapi_log_err(SLAPI_LOG_ERR, SYNC_PLUGIN_SUBSYSTEM,
+ "sync_create_state_control - Entries are missing nsuniqueid. Unable to proceed.\n");
+ return (LDAP_OPERATIONS_ERROR);
+ }
uuid = sync_nsuniqueid2uuid(slapi_value_get_string(val));
if ((rc = ber_printf(ber, "{eo", type, uuid, 16)) != -1) {
if (cookie) {


@ -1,118 +0,0 @@
From c1926dfc6591b55c4d33f9944de4d7ebe077e964 Mon Sep 17 00:00:00 2001
From: Firstyear <william@blackhats.net.au>
Date: Fri, 9 Jul 2021 11:53:35 +1000
Subject: [PATCH] Issue 4817 - BUG - locked crypt accounts on import may allow
all passwords (#4819)
Bug Description: Due to mishanding of short dbpwd hashes, the
crypt_r algorithm was misused and was only comparing salts
in some cases, rather than checking the actual content
of the password.
Fix Description: Stricter checks on dbpwd lengths to ensure
that content passed to crypt_r has at least 2 salt bytes and
1 hash byte, as well as stricter checks on ct_memcmp to ensure
that compared values are the same length, rather than potentially
allowing overruns/short comparisons.
fixes: https://github.com/389ds/389-ds-base/issues/4817
Author: William Brown <william@blackhats.net.au>
Review by: @mreynolds389
---
.../password/pwd_crypt_asterisk_test.py | 50 +++++++++++++++++++
ldap/servers/plugins/pwdstorage/crypt_pwd.c | 20 +++++---
2 files changed, 64 insertions(+), 6 deletions(-)
create mode 100644 dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
diff --git a/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
new file mode 100644
index 0000000000..d76614db1c
--- /dev/null
+++ b/dirsrvtests/tests/suites/password/pwd_crypt_asterisk_test.py
@@ -0,0 +1,50 @@
+# --- BEGIN COPYRIGHT BLOCK ---
+# Copyright (C) 2021 William Brown <william@blackhats.net.au>
+# All rights reserved.
+#
+# License: GPL (version 3 or any later version).
+# See LICENSE for details.
+# --- END COPYRIGHT BLOCK ---
+#
+import ldap
+import pytest
+from lib389.topologies import topology_st
+from lib389.idm.user import UserAccounts
+from lib389._constants import (DEFAULT_SUFFIX, PASSWORD)
+
+pytestmark = pytest.mark.tier1
+
+def test_password_crypt_asterisk_is_rejected(topology_st):
+ """It was reported that {CRYPT}* was allowing all passwords to be
+ valid in the bind process. This checks that we should be rejecting
+ these as they should represent locked accounts. Similar, {CRYPT}!
+
+ :id: 0b8f1a6a-f3eb-4443-985e-da14d0939dc3
+ :setup: Single instance
+ :steps: 1. Set a password hash in with CRYPT and the content *
+ 2. Test a bind
+ 3. Set a password hash in with CRYPT and the content !
+ 4. Test a bind
+ :expectedresults:
+ 1. Successfully set the values
+ 2. The bind fails
+ 3. Successfully set the values
+ 4. The bind fails
+ """
+ topology_st.standalone.config.set('nsslapd-allow-hashed-passwords', 'on')
+ topology_st.standalone.config.set('nsslapd-enable-upgrade-hash', 'off')
+
+ users = UserAccounts(topology_st.standalone, DEFAULT_SUFFIX)
+ user = users.create_test_user()
+
+ user.set('userPassword', "{CRYPT}*")
+
+ # Attempt to bind with incorrect password.
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ badconn = user.bind('badpassword')
+
+ user.set('userPassword', "{CRYPT}!")
+ # Attempt to bind with incorrect password.
+ with pytest.raises(ldap.INVALID_CREDENTIALS):
+ badconn = user.bind('badpassword')
+
diff --git a/ldap/servers/plugins/pwdstorage/crypt_pwd.c b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
index 9031b21996..1b37d41ede 100644
--- a/ldap/servers/plugins/pwdstorage/crypt_pwd.c
+++ b/ldap/servers/plugins/pwdstorage/crypt_pwd.c
@@ -48,15 +48,23 @@ static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
int
crypt_pw_cmp(const char *userpwd, const char *dbpwd)
{
- int rc;
- char *cp;
+ int rc = -1;
+ char *cp = NULL;
+ size_t dbpwd_len = strlen(dbpwd);
struct crypt_data data;
data.initialized = 0;
- /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
- cp = crypt_r(userpwd, dbpwd, &data);
- if (cp) {
- rc = slapi_ct_memcmp(dbpwd, cp, strlen(dbpwd));
+ /*
+ * there MUST be at least 2 chars of salt and some pw bytes, else this is INVALID and will
+ * allow any password to bind as we then only compare SALTS.
+ */
+ if (dbpwd_len >= 3) {
+ /* we use salt (first 2 chars) of encoded password in call to crypt_r() */
+ cp = crypt_r(userpwd, dbpwd, &data);
+ }
+ /* If these are not the same length, we can not proceed safely with memcmp. */
+ if (cp && dbpwd_len == strlen(cp)) {
+ rc = slapi_ct_memcmp(dbpwd, cp, dbpwd_len);
} else {
rc = -1;
}


@ -1,52 +0,0 @@
From 5a18aeb49c357a16c138d37a8251d73d8ed35319 Mon Sep 17 00:00:00 2001
From: Viktor Ashirov <vashirov@redhat.com>
Date: Tue, 18 Jan 2022 13:24:53 +0100
Subject: [PATCH] Issue 5115 - AttributeError: type object 'build_manpages'
has no attribute 'build_manpages'
Bug Description:
Starting from v2.1, argparse-manpage provides methods build_manpages,
get_build_py_cmd and get_install_cmd in the top-level module.
This breaks installation of lib389 on systems with the newer version
of argparse-manpage.
Fix Description:
Update setup.py to be aware of the module version and import methods
based on it.
Fixes: https://github.com/389ds/389-ds-base/issues/5115
Reviewed by: @tbordaz, @mreynolds389 (Thanks!)
---
src/lib389/setup.py | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/lib389/setup.py b/src/lib389/setup.py
index cadec25..5974d2c 100644
--- a/src/lib389/setup.py
+++ b/src/lib389/setup.py
@@ -14,7 +14,9 @@
from setuptools import setup, find_packages
from os import path
-from build_manpages import build_manpages
+import build_manpages as bm
+if bm.__version__ < '2.1':
+ from build_manpages import build_manpages as bm
from setuptools.command.build_py import build_py
here = path.abspath(path.dirname(__file__))
@@ -89,8 +91,8 @@ setup(
cmdclass={
# Dynamically build man pages for cli tools
- 'build_manpages': build_manpages.build_manpages,
- 'build_py': build_manpages.get_build_py_cmd(build_py),
+ 'build_manpages': bm.build_manpages,
+ 'build_py': bm.get_build_py_cmd(build_py),
}
)
--
2.27.0


@ -0,0 +1,11 @@
--- 389-ds-base-1.4.3.36/src/lib389/lib389/cli_idm/posixgroup.py 2023-06-14 22:32:48.000000000 +0800
+++ 389-ds-base-1.4.3.36/src/lib389/lib389/cli_idm/posixgroup.py_bak 2023-10-23 19:21:19.427980741 +0800
@@ -38,7 +38,7 @@
def get_dn(inst, basedn, log, args):
- dn = lambda args: _get_arg( args.dn, msg="Enter dn to retrieve")
+ dn = _get_arg( args.dn, msg="Enter dn to retrieve")
_generic_get_dn(inst, basedn, log.getChild('_generic_get_dn'), MANY, dn, args)
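Review bot: The `+++` header of this new patch names `posixgroup.py_bak` rather than the file being changed, so under `%autosetup -p1` it presumably reaches `posixgroup.py` only because patch falls back to the `---` name. Regenerating it with matching headers, `--- a/src/lib389/lib389/cli_idm/posixgroup.py` and `+++ b/src/lib389/lib389/cli_idm/posixgroup.py`, removes that dependency. The file also carries no commit header, and the spec comment points only at pull request 5374, so this hand-made hunk cannot be matched to an upstream commit from the package alone. Adding a `From`/`Subject` header, or the upstream commit URL in the spec comment, would make the origin auditable.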