Debian Bug report logs - #682583
pu: package nss-pam-ldapd/0.7.15+squeeze2


Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Arthur de Jong <adejong@debian.org>

Date: Mon, 23 Jul 2012 21:51:04 UTC

Severity: normal

Tags: pending

Fixed in version 6.0.6

Done: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Mon, 23 Jul 2012 21:51:07 GMT)

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Mon, 23 Jul 2012 21:51:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Mon, 23 Jul 2012 23:50:15 +0200
[Message part 1 (text/plain, inline)]
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Dear stable release team,

I would like to upload a new release of nss-pam-ldapd for squeeze that
fixes a few bugs. The fixes below (apart from the first one) should all
be very straightforward.

(1) extra checking of overflows of numeric values retrieved from LDAP
    This change was developed and tested by Redhat and has been in
    upstream releases 0.7.16 and 0.8.4 (and is also present in the
    version currently in testing).
    The diff in 0.7.16 which should apply without issues to 0.7.15:
    http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1600&view=revision
    svn diff -c 1600 http://arthurdejong.org/svn/nss-pam-ldapd

(2) fix gecos buffer length and make some other buffers have a
    consistent size (this is #640781)
    This change was in 0.8.5 and is scheduled for a next 0.7 upstream
    release. The bug reporter requested this change to go in a squeeze
    point release.
    The diff:
    http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1727&view=revision
    svn diff -c 1727 http://arthurdejong.org/svn/nss-pam-ldapd

(3) fix two possible NULL pointer dereferences (not very common
    scenario)
    These changes were in 0.8.5 and are scheduled for a next 0.7
    upstream release.
    The diffs:
    http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1728&view=revision
    http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1730&view=revision
    svn diff -c 1728 http://arthurdejong.org/svn/nss-pam-ldapd
    svn diff -c 1730 http://arthurdejong.org/svn/nss-pam-ldapd

(4) increase buffer size for pam_authz_search and ensure log message
    isn't cut short (this is Ubuntu bug #951343)
    These changes were in 0.7.16 and 0.8.7.
    The diffs:
    http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1629&view=revision
    http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1648&view=revision
    svn diff -c 1629 http://arthurdejong.org/svn/nss-pam-ldapd
    svn diff -c 1648 http://arthurdejong.org/svn/nss-pam-ldapd

Do you think any of the above are acceptable or unacceptable for a point
release? If you like I can provide more background information or
prepare a debdiff.

Thanks,

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Wed, 05 Sep 2012 12:42:03 GMT)

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 05 Sep 2012 12:42:03 GMT)

Message #10 received at 682583@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Arthur de Jong <adejong@debian.org>, 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Wed, 5 Sep 2012 14:40:00 +0200
[Message part 1 (text/plain, inline)]
Hi Stable Release Team

On Mon, Jul 23, 2012 at 11:50:15PM +0200, Arthur de Jong wrote:
> I would like to upload a new release of nss-pam-ldapd for squeeze that
> fixes a few bugs. The fixes below (apart from the first one) should all
> be very straightforward.

I'm really interested in seeing these updates (and in particular the one
affecting us) going into a next stable point release. Is there a
chance to get them for the next one?

Regards,
Salvatore
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Fri, 07 Sep 2012 20:57:06 GMT)

Message #13 received at 682583@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Arthur de Jong <adejong@debian.org>, 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Fri, 7 Sep 2012 22:53:50 +0200
[Message part 1 (text/plain, inline)]
Hi,

sorry for the late reply.

On Mon, Jul 23, 2012 at 11:50:15PM +0200, Arthur de Jong wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: pu
> 
> Dear stable release team,
> 
> I would like to upload a new release of nss-pam-ldapd for squeeze that
> fixes a few bugs. The fixes below (apart from the first one) should all
> be very straightforward.
> 
> (1) extra checking of overflows of numeric values retrieved from LDAP
>     This change was developed and tested by Redhat and has been in
>     upstream releases 0.7.16 and 0.8.4 (and is also present in the
>     version currently in testing).
>     The diff in 0.7.16 which should apply without issues to 0.7.15:
>     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1600&view=revision
>     svn diff -c 1600 http://arthurdejong.org/svn/nss-pam-ldapd

What's the consequence if we don't include this? I.e. what does this solve
exactly?

> (2) fix gecos buffer length and make some other buffers have a
>     consistent size (this is #640781)
>     This change was in 0.8.5 and is scheduled for a next 0.7 upstream
>     release. The bug reporter requested this change to go in a squeeze
>     point release.
>     The diff:
>     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1727&view=revision
>     svn diff -c 1727 http://arthurdejong.org/svn/nss-pam-ldapd

ACK.

> (3) fix two possible NULL pointer dereferences (not very common
>     scenario)
>     These changes were in 0.8.5 and are scheduled for a next 0.7
>     upstream release.
>     The diffs:
>     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1728&view=revision
>     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1730&view=revision
>     svn diff -c 1728 http://arthurdejong.org/svn/nss-pam-ldapd

ACK.

>     svn diff -c 1730 http://arthurdejong.org/svn/nss-pam-ldapd

ACK.

> (4) increase buffer size for pam_authz_search and ensure log message
>     isn't cut short (this is Ubuntu bug #951343)
>     These changes were in 0.7.16 and 0.8.7.
>     The diffs:
>     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1629&view=revision
>     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1648&view=revision
>     svn diff -c 1629 http://arthurdejong.org/svn/nss-pam-ldapd

That seems gratuitous and is IMHO not suitable.

>     svn diff -c 1648 http://arthurdejong.org/svn/nss-pam-ldapd

ACK.

Kind regards
Philipp Kern
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Sat, 08 Sep 2012 14:24:03 GMT)

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 08 Sep 2012 14:24:03 GMT)

Message #18 received at 682583@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: Philipp Kern <pkern@debian.org>, 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Sat, 08 Sep 2012 16:21:10 +0200
[Message part 1 (text/plain, inline)]
On Fri, 2012-09-07 at 22:53 +0200, Philipp Kern wrote:
> > (1) extra checking of overflows of numeric values retrieved from LDAP
> >     This change was developed and tested by Redhat and has been in
> >     upstream releases 0.7.16 and 0.8.4 (and is also present in the
> >     version currently in testing).
> >     The diff in 0.7.16 which should apply without issues to 0.7.15:
> >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1600&view=revision
> >     svn diff -c 1600 http://arthurdejong.org/svn/nss-pam-ldapd
> 
> What's the consequence if we don't include this? I.e. what does this solve
> exactly?

It fixes the range checking code that is in place for checking numeric
results from LDAP. For example it should now correctly reject negative
values and some other out of range values instead of silently converting
them to some other value.

This change also includes proper length checking for the uid attribute
(e.g. when the LDAP server would contain a value that would not fit in
uid_t).

> > (4) increase buffer size for pam_authz_search and ensure log message
> >     isn't cut short (this is Ubuntu bug #951343)
> >     These changes were in 0.7.16 and 0.8.7.
> >     The diffs:
> >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1629&view=revision
> >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1648&view=revision
> >     svn diff -c 1629 http://arthurdejong.org/svn/nss-pam-ldapd
> 
> That seems gratuitous and is IMHO not suitable.

Actually, this is the better part of the fix for this problem IMO.

The problem was that only the first part of the string was logged. If
the search was very long it would log:
  pam_authz_search "very long string that will eventually be cut off....
The increase in buffer size ensures that the cut-off is later but some
syslog implementations have also been known to have a limited length for
log messages.

This change also ensures that the core of the message (that the filter
is invalid) is at the front of the log message.

The only downside I see from this is that if you have log filtering
rules that pick up on this they will have to be changed. However, this
error message should only appear if you make specific configuration
errors in /etc/nslcd.conf.

Thanks for reviewing!

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]
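The range-checking fix described in the message above (reject negative and out-of-range numeric values instead of silently converting them, and make sure a uid value actually fits in uid_t) can be illustrated with a small validator. The code below is an added example, not nss-pam-ldapd's own code or the content of revision 1600; the helper name parse_uid_attr, its status codes and the sample values are all constructed for this illustration, and it assumes uid_t is an unsigned integer type (as on Linux/glibc).

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Outcome of validating one numeric attribute value (constructed for this example). */
enum num_status {
  NUM_OK = 0,
  NUM_EMPTY,         /* NULL or empty string */
  NUM_NEGATIVE,      /* leading '-': strtoul() would wrap it to a huge unsigned value */
  NUM_MALFORMED,     /* sign, whitespace or non-digit characters */
  NUM_OUT_OF_RANGE   /* does not fit in uid_t */
};

/* Hypothetical helper: convert the string value of a numeric LDAP attribute
   (e.g. uidNumber) to uid_t, refusing everything that a bare strtoul() call
   would accept and silently reinterpret. Assumes uid_t is unsigned. */
enum num_status parse_uid_attr(const char *value, uid_t *out)
{
  const unsigned long long uid_max = (unsigned long long)(uid_t)-1;
  char *end;
  unsigned long long v;

  if (value == NULL || value[0] == '\0')
    return NUM_EMPTY;
  if (value[0] == '-')
    return NUM_NEGATIVE;
  /* strtoull() skips leading whitespace and accepts '+'; insist on a digit. */
  if (!isdigit((unsigned char)value[0]))
    return NUM_MALFORMED;

  errno = 0;
  v = strtoull(value, &end, 10);
  if (errno == ERANGE)
    return NUM_OUT_OF_RANGE;     /* wider than unsigned long long */
  if (*end != '\0')
    return NUM_MALFORMED;        /* e.g. "1000abc" or "10 00" */
  if (v > uid_max)
    return NUM_OUT_OF_RANGE;     /* fits in unsigned long long but not in uid_t */

  *out = (uid_t)v;
  return NUM_OK;
}

/* Constructed sample values of the kind an LDAP server might return. */
static const char *const samples[] = {
  "1000", "0", "-1", "+5", " 42", "12abc", "4294967296",
  "99999999999999999999999", ""
};

int main(void)
{
  static const char *const names[] = {
    "ok", "empty", "negative", "malformed", "out of range"
  };
  for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
    uid_t uid = 0;
    enum num_status st = parse_uid_attr(samples[i], &uid);
    printf("%-26s -> %-12s", samples[i], names[st]);
    if (st == NUM_OK)
      printf(" uid=%lu", (unsigned long)uid);
    putchar('\n');
  }
  return 0;
}
```

The comparison against `(uid_t)-1` is what catches values that survive strtoull() but would be silently truncated by the final cast; whether "4294967296" is rejected therefore depends on the width of uid_t on the platform.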

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Wed, 19 Sep 2012 19:15:03 GMT)

Message #21 received at 682583@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Arthur de Jong <adejong@debian.org>, 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Wed, 19 Sep 2012 21:12:38 +0200
[Message part 1 (text/plain, inline)]
On Sat, Sep 08, 2012 at 04:21:10PM +0200, Arthur de Jong wrote:
> On Fri, 2012-09-07 at 22:53 +0200, Philipp Kern wrote:
> > > (1) extra checking of overflows of numeric values retrieved from LDAP
> > >     This change was developed and tested by Redhat and has been in
> > >     upstream releases 0.7.16 and 0.8.4 (and is also present in the
> > >     version currently in testing).
> > >     The diff in 0.7.16 which should apply without issues to 0.7.15:
> > >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1600&view=revision
> > >     svn diff -c 1600 http://arthurdejong.org/svn/nss-pam-ldapd
> > 
> > What's the consequence if we don't include this? I.e. what does this solve
> > exactly?
> 
> It fixes the range checking code that is in place for checking numeric
> results from LDAP. For example it should now correctly reject negative
> values and some other out of range values instead of silently converting
> them to some other value.
> 
> This change also includes proper length checking for the uid attribute
> (e.g. when the LDAP server would contain a value that would not fit in
> uid_t).

ACK.

> > > (4) increase buffer size for pam_authz_search and ensure log message
> > >     isn't cut short (this is Ubuntu bug #951343)
> > >     These changes were in 0.7.16 and 0.8.7.
> > >     The diffs:
> > >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1629&view=revision
> > >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1648&view=revision
> > >     svn diff -c 1629 http://arthurdejong.org/svn/nss-pam-ldapd
> > 
> > That seems gratuitous and is IMHO not suitable.
> 
> Actually, this is the better part of the fix for this problem IMO.
> 
> The problem was that only the first part of the string was logged. If
> the search was very long it would log:
>   pam_authz_search "very long string that will eventually be cut off....
> The increase in buffer size ensures that the cut-off is later but some
> syslog implementations have also been known to have a limited length for
> log messages.
> 
> This change also ensures that the core of the message (that the filter
> is invalid) is at the front of the log message.
> 
> The only downside I see from this is that if you have log filtering
> rules that pick up on this they will have to be changed. However, this
> error message should only appear if you make specific configuration
> errors in /etc/nslcd.conf.

My focus was indeed on the gratuitous string change, which would be logged
on every query AFAICS, instead of once when the configuration file is
read.  But I guess the new string makes sense and it's an error
condition which should be induced purely by the configuration file and
not external input.

Hence you can go ahead and prepare a debdiff for the final ACK.

Thanks and sorry for the long waiting period
Philipp Kern
[signature.asc (application/pgp-signature, inline)]
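The log-message point discussed in the two messages above (a long search filter pushes the actual error past the end of a fixed-size buffer, so the "invalid filter" core should lead the message) can be shown with snprintf() and a deliberately small buffer. This is an added example, not nslcd's own logging code, and the message wordings, the buffer size and the helper names format_old, format_new and reason_survives are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Deliberately small buffer (constructed for this demonstration) so that a
   long search filter is certain to be cut off. */
#define LOG_BUF_SIZE 80

/* Old-style ordering: the filter text comes first and the reason last, so a
   long filter pushes the reason past the end of the buffer.
   Returns 1 when snprintf() had to truncate, 0 otherwise. */
int format_old(char *buf, size_t bufsize, const char *filter)
{
  int n = snprintf(buf, bufsize, "pam_authz_search \"%s\": invalid filter", filter);
  return n < 0 || (size_t)n >= bufsize;
}

/* New-style ordering: the fixed, greppable core ("invalid filter") leads;
   only the tail of the filter is lost when the message is truncated. */
int format_new(char *buf, size_t bufsize, const char *filter)
{
  int n = snprintf(buf, bufsize, "pam_authz_search: invalid filter \"%s\"", filter);
  return n < 0 || (size_t)n >= bufsize;
}

/* Does the (possibly truncated) message still say what went wrong? */
int reason_survives(const char *buf)
{
  return strstr(buf, "invalid filter") != NULL;
}

int main(void)
{
  char buf[LOG_BUF_SIZE];
  char long_filter[200];

  /* Constructed oversized filter, standing in for a very long search expression. */
  memset(long_filter, 'x', sizeof long_filter - 1);
  long_filter[sizeof long_filter - 1] = '\0';

  printf("old ordering: truncated=%d, reason kept=%d\n  %s\n",
         format_old(buf, sizeof buf, long_filter), reason_survives(buf), buf);
  printf("new ordering: truncated=%d, reason kept=%d\n  %s\n",
         format_new(buf, sizeof buf, long_filter), reason_survives(buf), buf);
  return 0;
}
```

The return value of snprintf() is the length the full message would have had, so comparing it with the buffer size detects truncation; the ordering decides what is lost when it happens. As the thread notes, any log-filtering rule keyed on the old message text has to be updated alongside the change.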

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Thu, 20 Sep 2012 18:57:03 GMT)

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 20 Sep 2012 18:57:03 GMT)

Message #26 received at 682583@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Thu, 20 Sep 2012 20:54:02 +0200
[Message part 1 (text/plain, inline)]
On Wed, 2012-09-19 at 21:12 +0200, Philipp Kern wrote:
> Hence you can go ahead and prepare a debdiff for the final ACK.

Thanks. Attached is the debdiff from 0.7.15+squeeze1 to 0.7.15+squeeze2.

> Thanks and sorry for the long waiting period

No problem. Thanks for reviewing.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[nss-pam-ldapd-0.7.15+squeeze1-2.debdiff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Fri, 21 Sep 2012 07:03:09 GMT)

Message #29 received at 682583@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Arthur de Jong <adejong@debian.org>, 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Fri, 21 Sep 2012 09:00:41 +0200
[Message part 1 (text/plain, inline)]
On Thu, Sep 20, 2012 at 08:54:02PM +0200, Arthur de Jong wrote:
> On Wed, 2012-09-19 at 21:12 +0200, Philipp Kern wrote:
> > Hence you can go ahead and prepare a debdiff for the final ACK.
> Thanks. Attached is the debdiff from 0.7.15+squeeze1 to 0.7.15+squeeze2.
> > Thanks and sorry for the long waiting period
> No problem. Thanks for reviewing.

Basically ACK, but…

> -  char shell[100];
> +  char shell[64];
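Review bot: shrinking `shell` from 100 to 64 bytes is a behaviour change that none of the four fixes in this upload needs, and it narrows an existing bound in a stable update: a shell path of 64 to 99 characters that fit before no longer does, and every write into the buffer would have to be re-checked against the new size. Keep `char shell[100];` here and land the consistency change upstream first.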

…unless there's a strong reason to make shell smaller, please don't do it in a
stable upload. (Sorry for not having spotted this earlier.)

Otherwise the diff looks fine. The latest we'd accept it from p-u-NEW would be
Sunday, so it should hit the archive by Saturday. :-)

Thanks for your work!
Philipp Kern
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Fri, 21 Sep 2012 09:09:03 GMT)

Acknowledgement sent to Arthur de Jong <adejong@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 21 Sep 2012 09:09:03 GMT)

Message #34 received at 682583@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Fri, 21 Sep 2012 11:06:22 +0200
[Message part 1 (text/plain, inline)]
On Fri, 2012-09-21 at 09:00 +0200, Philipp Kern wrote:
> Basically ACK, but…
> 
> > -  char shell[100];
> > +  char shell[64];
> 
> …unless there's a strong reason to make shell smaller, please don't do it in a
> stable upload. (Sorry for not having spotted this earlier.)

No problem. It was a consistency change but I've switched the size back
to 100.

> Otherwise the diff looks fine. The latest we'd accept it from p-u-NEW would be
> Sunday, so it should hit the archive by Saturday. :-)

I've just uploaded nss-pam-ldapd_0.7.15+squeeze2 so that should be on
time.

Thanks,

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#682583; Package release.debian.org. (Sat, 22 Sep 2012 00:21:02 GMT)

Message #37 received at 682583@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Arthur de Jong <adejong@debian.org>, 682583@bugs.debian.org
Subject: Re: Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2
Date: Sat, 22 Sep 2012 02:17:32 +0200
[Message part 1 (text/plain, inline)]
Control: tag -1 + pending

On Fri, Sep 21, 2012 at 11:06:22AM +0200, Arthur de Jong wrote:
> No problem. It was a consistency change but I've switched the size back
> to 100.

Thanks.

> > Otherwise the diff looks fine. The latest we'd accept it from p-u-NEW would be
> > Sunday, so it should hit the archive by Saturday. :-)
> I've just uploaded nss-pam-ldapd_0.7.15+squeeze2 so that should be on
> time.

And accepted into proposed-updates. Thank you for your patience and work.

Kind regards
Philipp Kern
[signature.asc (application/pgp-signature, inline)]

Added tag(s) pending. Request was from Philipp Kern <pkern@debian.org> to 682583-submit@bugs.debian.org. (Sat, 22 Sep 2012 00:21:02 GMT)

Marked as fixed in versions 6.0.6. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 05 Oct 2012 09:27:07 GMT)

Marked Bug as done. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 05 Oct 2012 09:27:08 GMT)

Notification sent to Arthur de Jong <adejong@debian.org>:
Bug acknowledged by developer. (Fri, 05 Oct 2012 09:27:08 GMT)

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 03 Nov 2012 07:28:52 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 23:30:17 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.