Ryan Tandy · Ryan Tandy · 2b2b26f4 · 2b2b26f4 · 2b2b26f4 · 2b2b26f4
--- a/debian/changelog
+++ b/debian/changelog
+openldap (2.4.47+dfsg-2) UNRELEASED; urgency=medium
+
+  * Reintroduce slapi-dev binary package. (Closes: #711469)
+    Thanks to Florian Schlichting.
+  * Do not call gnutls_global_set_mutex(). (Closes: #803197)
+
+ -- Ryan Tandy <ryan@nardis.ca>  Mon, 24 Dec 2018 12:14:43 -0800
+
 openldap (2.4.47+dfsg-1) unstable; urgency=medium

  * New upstream release.

--- a/debian/control
+++ b/debian/control
@@ -101,3 +101,13 @@ Description: OpenLDAP development libraries
 This package allows development of LDAP applications using the OpenLDAP
 libraries. It includes headers, libraries and links to allow static and
 dynamic linking.
+
+Package: slapi-dev
+Section: libdevel
+Architecture: any
+Build-Profiles: <!stage1>
+Depends: slapd (= ${binary:Version}), ${misc:Depends}
+Description: development libraries for OpenLDAP SLAPI plugin interface
+ This package allows development of plugins for the OpenLDAP slapd server
+ using the SLAPI interface.  It includes the headers and libraries needed
+ to build such plugins.
--- a/debian/patches/no-gnutls_global_set_mutex
+++ b/debian/patches/no-gnutls_global_set_mutex
+Description: Do not call gnutls_global_set_mutex()
+ Since GnuTLS moved to implicit initialization on library load, calling 
+ this function deinitializes GnuTLS and then re-initializes it.
+ .
+ When GnuTLS uses /dev/urandom as an entropy source (getrandom() not 
+ available, or older versions of GnuTLS), and the application closed all 
+ file descriptors at startup, this could result in GnuTLS opening 
+ /dev/urandom over one of the application's file descriptors when 
+ re-initialized.
+ .
+ Additionally, the custom mutex functions are never reset, so if libldap 
+ is unloaded (for example via dlclose()) after calling this, its code 
+ may be unmapped and the application could crash when GnuTLS calls the 
+ mutex functions.
+ .
+ The default behaviour of GnuTLS, using pthreads, should be suitable on 
+ all Debian systems, and is probably the same as what libldap uses 
+ anyway.
+Author: Ryan Tandy <ryan@nardis.ca>
+Bug-Debian: https://bugs.debian.org/803197
+Forwarded: no
+
+--- a/libraries/libldap/tls_g.c
+++ b/libraries/libldap/tls_g.c
+@@ -67,51 +67,10 @@
+ 
+ #ifdef LDAP_R_COMPILE
+ 
+-static int
+-tlsg_mutex_init( void **priv )
+-{
+-	int err = 0;
+-	ldap_pvt_thread_mutex_t *lock = LDAP_MALLOC( sizeof( ldap_pvt_thread_mutex_t ));
+-
+-	if ( !lock )
+-		err = ENOMEM;
+-	if ( !err ) {
+-		err = ldap_pvt_thread_mutex_init( lock );
+-		if ( err )
+-			LDAP_FREE( lock );
+-		else
+-			*priv = lock;
+-	}
+-	return err;
+-}
+-
+-static int
+-tlsg_mutex_destroy( void **lock )
+-{
+-	int err = ldap_pvt_thread_mutex_destroy( *lock );
+-	LDAP_FREE( *lock );
+-	return err;
+-}
+-
+-static int
+-tlsg_mutex_lock( void **lock )
+-{
+-	return ldap_pvt_thread_mutex_lock( *lock );
+-}
+-
+-static int
+-tlsg_mutex_unlock( void **lock )
+-{
+-	return ldap_pvt_thread_mutex_unlock( *lock );
+-}
+-
+ static void
+ tlsg_thr_init( void )
+ {
+-	gnutls_global_set_mutex (tlsg_mutex_init,
+-		tlsg_mutex_destroy,
+-		tlsg_mutex_lock,
+-		tlsg_mutex_unlock);
+	/* do nothing */
+ }
+ #endif /* LDAP_R_COMPILE */
+ 
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ switch-to-lt_dlopenadvise-to-get-RTLD_GLOBAL-set.diff
 no-bdb-ABI-second-guessing
 ITS6035-olcauthzregex-needs-restart.patch
 set-maintainer-name
+no-gnutls_global_set_mutex