New upstream release 1.6.4

Rolls up previous patches applied to the 1.6.3 tarball
Fixes a rare issue causing crashes in the failover logic
Fixes an issue where SSSD would return the wrong PAM error code for users
that it does not recognize.
Stephen Gallagher 2011-12-19 16:13:43 -05:00
parent 5633dc7e99
commit f73d44d40a
6 changed files with 11 additions and 251 deletions

1
.gitignore vendored

@ -19,3 +19,4 @@ sssd-1.2.91.tar.gz
/sssd-1.6.1.tar.gz
/sssd-1.6.2.tar.gz
/sssd-1.6.3.tar.gz
/sssd-1.6.4.tar.gz


@ -1,35 +0,0 @@
From cc1bae136c35b0a72c0e39928b0be414e182d375 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 10 Nov 2011 12:36:26 +0100
Subject: [PATCH] configAPI: Fix removing in old domain when saving a new
domain
---
src/config/SSSDConfig.py | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/config/SSSDConfig.py b/src/config/SSSDConfig.py
index 87b1d63..6858ce4 100644
--- a/src/config/SSSDConfig.py
+++ b/src/config/SSSDConfig.py
@@ -1760,7 +1760,7 @@ class SSSDConfig(SSSDChangeConf):
domain.oldname = None;
sectionname = 'domain/%s' % name
- section_subtree = self.findOpts(self.opts, 'section', sectionname)
+ (no, section_subtree) = self.findOpts(self.opts, 'section', sectionname)
if name not in self.list_domains():
self.add_section(sectionname, []);
@@ -1768,7 +1768,7 @@ class SSSDConfig(SSSDChangeConf):
for option in self.options(sectionname):
if option['type'] == 'option':
if option['name'] not in domain.get_all_options():
- self.delete_option_subtree(section_subtree, 'option', option['name'], True)
+ self.delete_option_subtree(section_subtree['values'], 'option', option['name'], True)
for option,value in domain.get_all_options().items():
if (type(value) == list):
--
1.7.7


@ -1,172 +0,0 @@
From 6bfda68007ef402e2dc94e674df1e5b83686b0b5 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 14 Nov 2011 11:31:37 -0500
Subject: [PATCH 1/4] RESPONDER: Ensure that all input strings are valid UTF-8
---
Makefile.am | 6 ++++--
src/external/libunistring.m4 | 5 +++++
src/responder/common/responder.h | 2 ++
src/responder/common/responder_common.c | 9 +++++++++
src/responder/nss/nsssrv_cmd.c | 21 +++++++++++++++++++++
src/responder/nss/nsssrv_netgroup.c | 7 +++++++
src/responder/pam/pamsrv_cmd.c | 5 +++++
7 files changed, 53 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 916881e17329bc6175888c7e53d3b313f24c92c0..9b438f5a78587eb579f589997bf13db9e6ebfab4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -409,7 +409,8 @@ sssd_nss_SOURCES = \
sssd_nss_LDADD = \
$(TDB_LIBS) \
$(SSSD_LIBS) \
- libsss_util.la
+ libsss_util.la \
+ -lunistring
sssd_pam_SOURCES = \
src/responder/pam/pam_LOCAL_domain.c \
@@ -420,7 +421,8 @@ sssd_pam_SOURCES = \
sssd_pam_LDADD = \
$(TDB_LIBS) \
$(SSSD_LIBS) \
- libsss_util.la
+ libsss_util.la \
+ -lunistring
sssd_be_SOURCES = \
src/providers/data_provider_be.c \
diff --git a/src/external/libunistring.m4 b/src/external/libunistring.m4
index 69c54fe3faf4bffea120cb30e1d3ed73a2a104c8..18ea3e62a727032a86d248318b5a2a19011ee8ac 100644
--- a/src/external/libunistring.m4
+++ b/src/external/libunistring.m4
@@ -6,4 +6,9 @@ AC_CHECK_HEADERS(unistr.h,
AC_CHECK_HEADERS(unicase.h,
[AC_CHECK_LIB([unistring], [u8_casecmp], [ UNISTRING_LIBS="-lunistring" ], [AC_MSG_ERROR([No usable libunistring library found])])],
[AC_MSG_ERROR([libunistring header files are not installed])]
+)
+
+AC_CHECK_HEADERS(unistr.h,
+ [AC_CHECK_LIB([unistring], [u8_check], [ UNISTRING_LIBS="-lunistring" ], [AC_MSG_ERROR([No usable libunistring library found])])],
+ [AC_MSG_ERROR([libunistring header files are not installed])]
)
\ No newline at end of file
diff --git a/src/responder/common/responder.h b/src/responder/common/responder.h
index 321cedda8f495e38e19fe07b60271d54915316b7..1b39fdd5b6854e05acdf5b7be2c63a2c8381f3c3 100644
--- a/src/responder/common/responder.h
+++ b/src/responder/common/responder.h
@@ -174,4 +174,6 @@ int sss_dp_send_acct_req(struct resp_ctx *rctx, TALLOC_CTX *callback_memctx,
int responder_logrotate(DBusMessage *message,
struct sbus_connection *conn);
+bool sss_utf8_check(const uint8_t *s, size_t n);
+
#endif /* __SSS_RESPONDER_H__ */
diff --git a/src/responder/common/responder_common.c b/src/responder/common/responder_common.c
index 719f2464733faa0498be59226eeb39f5736d0d26..f97ec06fd2d93d9568607c00bb3399792eec397a 100644
--- a/src/responder/common/responder_common.c
+++ b/src/responder/common/responder_common.c
@@ -32,6 +32,7 @@
#include <sys/time.h>
#include <errno.h>
#include <popt.h>
+#include <unistr.h>
#include "util/util.h"
#include "db/sysdb.h"
#include "confdb/confdb.h"
@@ -627,3 +628,11 @@ int responder_logrotate(DBusMessage *message,
return monitor_common_pong(message, conn);
}
+
+bool sss_utf8_check(const uint8_t *s, size_t n)
+{
+ if (u8_check(s, n) == NULL) {
+ return true;
+ }
+ return false;
+}
diff --git a/src/responder/nss/nsssrv_cmd.c b/src/responder/nss/nsssrv_cmd.c
index 56ebe4815b41a2dae158b3028cc03b5e2848ada4..c531ae2c53b4019561092b29f90baf24dd397c76 100644
--- a/src/responder/nss/nsssrv_cmd.c
+++ b/src/responder/nss/nsssrv_cmd.c
@@ -873,6 +873,13 @@ static int nss_cmd_getpwnam(struct cli_ctx *cctx)
ret = EINVAL;
goto done;
}
+
+ /* If the body isn't valid UTF-8, fail */
+ if (!sss_utf8_check(body, blen)) {
+ ret = EINVAL;
+ goto done;
+ }
+
rawname = (const char *)body;
domname = NULL;
@@ -2140,6 +2147,13 @@ static int nss_cmd_getgrnam(struct cli_ctx *cctx)
ret = EINVAL;
goto done;
}
+
+ /* If the body isn't valid UTF-8, fail */
+ if (!sss_utf8_check(body, blen)) {
+ ret = EINVAL;
+ goto done;
+ }
+
rawname = (const char *)body;
domname = NULL;
@@ -3180,6 +3194,13 @@ static int nss_cmd_initgroups(struct cli_ctx *cctx)
ret = EINVAL;
goto done;
}
+
+ /* If the body isn't valid UTF-8, fail */
+ if (!sss_utf8_check(body, blen)) {
+ ret = EINVAL;
+ goto done;
+ }
+
rawname = (const char *)body;
domname = NULL;
diff --git a/src/responder/nss/nsssrv_netgroup.c b/src/responder/nss/nsssrv_netgroup.c
index df3823ed2798e6022c07e1c8af630c2cb8a14028..c8b7bd1d9a1805c7a4688290e3b6fb4c5883bac0 100644
--- a/src/responder/nss/nsssrv_netgroup.c
+++ b/src/responder/nss/nsssrv_netgroup.c
@@ -113,6 +113,13 @@ int nss_cmd_setnetgrent(struct cli_ctx *client)
ret = EINVAL;
goto done;
}
+
+ /* If the body isn't valid UTF-8, fail */
+ if (!sss_utf8_check(body, blen)) {
+ ret = EINVAL;
+ goto done;
+ }
+
rawname = (const char *)body;
req = setnetgrent_send(cmdctx, rawname, cmdctx);
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 3c9d7600a70465cd087950d775d2f7a78a3ab141..cbf22236e1d5ecd8186ed171e59753fca18d0609 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -70,6 +70,11 @@ static int extract_string(char **var, size_t size, uint8_t *body, size_t blen,
if (str[size-1]!='\0') return EINVAL;
+ /* If the string isn't valid UTF-8, fail */
+ if (!sss_utf8_check(str, size)) {
+ return EINVAL;
+ }
+
*c += size;
*var = (char *) str;
--
1.7.7.3


@ -1,38 +0,0 @@
From 11f9ae2ef3a4884b5e7750a3d549a58a71abc015 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 28 Nov 2011 11:26:41 -0500
Subject: [PATCH 4/4] LDAP: Try next failover server on any error
---
src/providers/ldap/sdap_async_connection.c | 14 +++++---------
1 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/src/providers/ldap/sdap_async_connection.c b/src/providers/ldap/sdap_async_connection.c
index c69b9bce0f4649e76138168a4883c138ff5c721f..045f009c2f62e4d3d4d906a017508c2f4fbceda9 100644
--- a/src/providers/ldap/sdap_async_connection.c
+++ b/src/providers/ldap/sdap_async_connection.c
@@ -1226,16 +1226,12 @@ static void sdap_cli_connect_done(struct tevent_req *subreq)
ret = sdap_connect_recv(subreq, state, &state->sh);
talloc_zfree(subreq);
if (ret) {
- if (ret == ETIMEDOUT) { /* retry another server */
- fo_set_port_status(state->srv, PORT_NOT_WORKING);
- ret = sdap_cli_resolve_next(req);
- if (ret != EOK) {
- tevent_req_error(req, ret);
- }
- return;
+ /* retry another server */
+ fo_set_port_status(state->srv, PORT_NOT_WORKING);
+ ret = sdap_cli_resolve_next(req);
+ if (ret != EOK) {
+ tevent_req_error(req, ret);
}
-
- tevent_req_error(req, ret);
return;
}
--
1.7.7.3


@ -1 +1 @@
835c7fe267d7380fd42876ccc5a98b19 sssd-1.6.3.tar.gz
2087b80443ecaef4fe1e9af1a4b5e76c sssd-1.6.4.tar.gz


@ -18,8 +18,8 @@
%global ldb_version 1.1.4
Name: sssd
Version: 1.6.3
Release: 5%{?dist}
Version: 1.6.4
Release: 1%{?dist}
Group: Applications/System
Summary: System Security Services Daemon
License: GPLv3+
@ -28,9 +28,6 @@ Source0: https://fedorahosted.org/released/sssd/%{name}-%{version}.tar.gz
BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
### Patches ###
Patch0001: 0001-configAPI-Fix-removing-in-old-domain-when-saving-a-n.patch
Patch0002: 0002-RESPONDER-Ensure-that-all-input-strings-are-valid-UT.patch
Patch0003: 0003-LDAP-Try-next-failover-server-on-any-error.patch
### Dependencies ###
@ -378,6 +375,13 @@ fi
%postun -n libipa_hbac -p /sbin/ldconfig
%changelog
* Mon Dec 19 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.6.4-1
- New upstream release 1.6.4
- Rolls up previous patches applied to the 1.6.3 tarball
- Fixes a rare issue causing crashes in the failover logic
- Fixes an issue where SSSD would return the wrong PAM error code for users
that it does not recognize.
* Wed Dec 07 2011 Stephen Gallagher <sgallagh@redhat.com> - 1.6.3-5
- Rebuild against libldb 1.1.4