debian/changelog

+openldap (2.4.40+dfsg-1+deb8u4) jessie; urgency=medium
+
+  * Fix upgrade failure when olcSuffix contains a backslash. (Closes: #864719)
+  * Import upstream patches to fix memory corruption caused by calling 
+    sasl_client_init() multiple times and possibly concurrently.
+    (ITS#8648) (Closes: #860947)
+
+ -- Ryan Tandy <ryan@nardis.ca>  Tue, 05 Jun 2018 20:16:25 -0700
+
 openldap (2.4.40+dfsg-1+deb8u3) jessie-security; urgency=high
 
   * debian/patches/ITS-8655-paged-results-double-free.patch: Fix a double free 

debian/patches/ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch

+From e437b12277c1cc8ec72e0f78f660137c60ffaad7 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Sun, 7 May 2017 20:16:00 +0000
+Subject: [PATCH] ITS#8648 check result of ldap_int_initialize in
+ ldap_{get,set}_option
+
+---
+ libraries/libldap/options.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/libraries/libldap/options.c
++++ b/libraries/libldap/options.c
+@@ -106,6 +106,8 @@
+ 
+ 	if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ 		ldap_int_initialize(lo, NULL);
++		if ( lo->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
+ 	}
+ 
+ 	if(ld != NULL) {
+@@ -446,6 +448,8 @@
+ 
+ 	if( lo->ldo_valid != LDAP_INITIALIZED ) {
+ 		ldap_int_initialize(lo, dbglvl);
++		if ( lo->ldo_valid != LDAP_INITIALIZED )
++			return LDAP_LOCAL_ERROR;
+ 	}
+ 
+ 	if(ld != NULL) {

debian/patches/ITS-8648-init-SASL-library-in-global-init.patch

+From 431c4af526b18abb4a18c2c4c8655690b753cbe5 Mon Sep 17 00:00:00 2001
+From: Ryan Tandy <ryan@nardis.ca>
+Date: Fri, 5 May 2017 03:08:07 +0000
+Subject: [PATCH] ITS#8648 init SASL library in global init
+
+---
+ libraries/libldap/cyrus.c | 17 +++--------------
+ libraries/libldap/init.c  |  6 ++++++
+ 2 files changed, 9 insertions(+), 14 deletions(-)
+
+--- a/libraries/libldap/cyrus.c
++++ b/libraries/libldap/cyrus.c
+@@ -69,14 +69,11 @@
+ 	{ SASL_CB_LIST_END, NULL, NULL }
+ };
+ 
++/*
++ * ldap_int_initialize is responsible for calling this only once.
++ */
+ int ldap_int_sasl_init( void )
+ {
+-	/* XXX not threadsafe */
+-	static int sasl_initialized = 0;
+-
+-	if ( sasl_initialized ) {
+-		return 0;
+-	}
+ 
+ /* SASL 2 takes care of its own memory completely internally */
+ #if SASL_VERSION_MAJOR < 2 && !defined(CSRIMALLOC)
+@@ -96,7 +93,6 @@
+ #endif
+ 
+ 	if ( sasl_client_init( NULL ) == SASL_OK ) {
+-		sasl_initialized = 1;
+ 		return 0;
+ 	}
+ 
+@@ -307,11 +303,6 @@
+ 		return ld->ld_errno;
+ 	}
+ 
+-	if ( ldap_int_sasl_init() ) {
+-		ld->ld_errno = LDAP_LOCAL_ERROR;
+-		return ld->ld_errno;
+-	}
+-
+ #if SASL_VERSION_MAJOR >= 2
+ 	rc = sasl_client_new( "ldap", host, NULL, NULL,
+ 		client_callbacks, 0, &ctx );
+@@ -891,8 +882,6 @@
+ ldap_int_sasl_get_option( LDAP *ld, int option, void *arg )
+ {
+ 	if ( option == LDAP_OPT_X_SASL_MECHLIST ) {
+-		if ( ldap_int_sasl_init() )
+-			return -1;
+ 		*(char ***)arg = (char **)sasl_global_listmech();
+ 		return 0;
+ 	}
+--- a/libraries/libldap/init.c
++++ b/libraries/libldap/init.c
+@@ -658,6 +658,12 @@
+ 	if ( ldap_int_tblsize == 0 ) ldap_int_ip_init();
+ #endif
+ 
++#ifdef HAVE_CYRUS_SASL
++	if ( ldap_int_sasl_init() != 0 ) {
++		return;
++	}
++#endif
++
+ 	ldap_int_initialize_global_options(gopts, dbglvl);
+ 
+ 	if( getenv("LDAPNOINIT") != NULL ) {

debian/patches/series

@@ -27,3 +27,5 @@ ITS7975-fix-mdb-onelevel-search.patch
 ITS8240-remove-obsolete-assert.patch
 ITS8003-fix-off-by-one-in-LDIF-length.patch
 ITS-8655-paged-results-double-free.patch
+ITS-8648-check-result-of-ldap_int_initialize-in-ldap.patch
+ITS-8648-init-SASL-library-in-global-init.patch

debian/slapd.scripts-common

@@ -100,7 +100,7 @@ update_permissions() {	# {{{
 }
 # }}}
 update_databases_permissions() {	# {{{
-	get_suffix | while read suffix; do
+	get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		update_permissions "$dbdir"
 	done
@@ -163,11 +163,11 @@ dump_databases() {							# {{{
 
 	dir=`database_dumping_destdir`
 	echo >&2 "  Dumping to $dir: "
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -n "$dbdir" ]; then
 			file="$dir/$suffix.ldif"
-			echo -n "  - directory $suffix... " >&2
+			printf '  - directory %s... ' "$suffix" >&2
 			# Need to support slapd.d migration from preinst
 			if [ -f "${SLAPD_CONF}" ]; then
 				slapcat_opts="-g -f ${SLAPD_CONF}"
@@ -194,7 +194,7 @@ load_databases() {							# {{{
 
 	dir=`database_dumping_destdir`
 	echo >&2 "  Loading from $dir: "
-	get_suffix | while read suffix; do
+	get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		if [ -z "$dbdir" ]; then
 			continue
@@ -206,11 +206,11 @@ load_databases() {							# {{{
 		fi
 
 		file="$dir/$suffix.ldif"
-		echo -n "  - directory $suffix... " >&2
+		printf '  - directory %s... ' "$suffix" >&2
 
 		# If there is an old DB_CONFIG file, restore it before
 		# running slapadd
-		backupdir=`compute_backup_path -n "$dbdir" "$suffix"`
+		backupdir="$(compute_backup_path -n "$dbdir" "$suffix")"
 		if [ -e "$backupdir"/DB_CONFIG ]; then
 			cp -a "$backupdir"/DB_CONFIG "$dbdir"/
 		fi
@@ -249,7 +249,7 @@ EOF
 # }}}
 move_incompatible_databases_away() {					# {{{
 	echo >&2 "  Moving old database directories to /var/backups:"
-	(get_suffix | while read suffix; do
+	(get_suffix | while read -r suffix; do
 		dbdir=`get_directory "$suffix"`
 		move_old_database_away "$dbdir" "$suffix" <&5
 	done) 5<&0 </dev/null
@@ -270,7 +270,7 @@ move_incompatible_databases_away() {					# {{{
 get_suffix() {							
 	if [ -f "${SLAPD_CONF}" ]; then
 		for f in `get_all_slapd_conf_files`; do
-			sed -n -e's/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/p' $f
+			sed -n -e '/^suffix[[:space:]]/ { s/^suffix[[:space:]]\+"*\([^"]\+\)"*/\1/; s/\\\\/\\/g; p }' $f
 		done
 	else
 		grep -h ^olcSuffix ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif | cut -d: -f 2
@@ -279,14 +279,16 @@ get_suffix() {
 # }}}
 get_directory() {							# {{{
 # Returns the db directory for a given suffix
-	if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -q "$1" ; then
-		sed -n 's/^olcDbDirectory: *//p' `grep -l "^olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
+	if [ -d "${SLAPD_CONF}" ] && get_suffix | grep -Fq "$1" ; then
+		sed -n 's/^olcDbDirectory: *//p' `grep -Flx "olcSuffix: $1" ${SLAPD_CONF}/cn\=config/olcDatabase*.ldif`
 	elif [ -f "${SLAPD_CONF}" ]; then
 		# Extract the directory for the given suffix ($1)
+		# Quote backslashes once for slapd.conf parser, again for awk
+		quoted="$(printf '%s' "$1" | sed 's/\\/\\\\\\\\/g')"
 		for f in `get_all_slapd_conf_files`; do
 		awk  ' BEGIN { DB=0; SUF=""; DIR="" } ;
 		       /^database/ { DB=1; SUF=""; DIR="" } ; 
-		       DB==1 && /^suffix[ \t]+"?'"$1"'"?$/ { SUF=$2 ; } ; 
+		       DB==1 && /^suffix[ \t]+"?'"$quoted"'"?$/ { SUF=$2 ; } ; 
 		       DB==1 && /^directory/ { DIR=$2 ;} ; 
 		       DB==1 && SUF!="" && DIR!="" { sub(/^"/,"",DIR) ; sub(/"$/,"",DIR) ; print DIR; SUF=""; DIR="" }' "${f}" | \
 		sed -e's/\([^\\]\|^\)"/\1/g; s/\\"/"/g; s/\\\\/\\/g'
@@ -352,7 +354,7 @@ compute_backup_path() {							# {{{
 		exit 1
 	fi
 
-	echo "$target"
+	printf '%s' "$target"
 }
 
 # }}}
@@ -380,8 +382,8 @@ move_old_database_away() {						# {{{
 	# include mount points as well anyway, but it's much less likely.
 	db_get slapd/move_old_database
 	if [ "$RET" = true ]; then
-		backupdir=`compute_backup_path "$databasedir" "$suffix"`
-		echo -n "  - directory $suffix... " >&2
+		backupdir="$(compute_backup_path "$databasedir" "$suffix")"
+		printf '  - directory %s... ' "$suffix" >&2
 		mkdir -p "$backupdir"
 		find -H "$databasedir" -mindepth 1 -maxdepth 1 -type f \
 			-exec mv {} "$backupdir" \;